Initially, Nmap was just a port scanner, but on 10th December 2006, Nmap launched the NSE (Nmap scripting engine) which changed the entire thing about how people looked at Nmap, now it was not just a port scanner but a port scanner with so much more.
Nmap contains a total number of 589 scripts (Version 7.70), there are a lot of scripts that are useful but not all of them works perfectly, it’s like other tools a better for that particular task, so we’ll look at how we can use the powerful NSE and what scripts to use.
To see all the scripts, navigate to
/usr/share/nmap/scripts
According to Nmap manual
-sC performs a script scan using the default set of scripts. It is equivalent to --script=default
. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
So, kindly take permission before running this type of scan against a target .
SYNTAX:
nmap -sC nmap.scanme.org
For manually specifying script we use
Using this option we specify a script, and use other options like help to understand what the script is used for.
The best way to find out a script according to your need is to use the locate command, so let’s suppose if we want to search for all SSH scripts, we’ll write
locate *ssh*.nse
Result:
We can see that we have total seven script for SSH, to understand what does a script do, we can write:
SYNTAX:
nmap --script-help script_name.nse
Example:
nmap --script-help ssh-brute.nse
Result:
So let’s see it in action
Scanning the target for SSH
nmap -sS nmap.scanme.org -p 22
Result:
From the result we can conclude that port 22 is open, now let’s find what version of SSH the target host is running.
nmap -sS -sV nmap.scanme.org -p 22
Result:
So the target system is running OpenSSH 6.6.1p1 we can look out for exploits for this version of SSH on the internet, but for now we’ll only use the script.
Brute forcing SSH login using NSE:
nmap --script ssh-brute.nse nmap.scanme.org -vv -p 22
Nmap will try every possible username-password combination present in it’s word list to brute force the target.
In brief:
- Scan the target and find out the services running
- Look for exploits for the running service on the internet.
- Try to exploit the target ( using any tool from plethora of different tools )
- If the exploit fails, try another exploit
- If it fails again , try again, until you successfully exploit the target.
Remember:
“The master has failed more times than the beginner has even tried.”
― STEPHEN MCCRANIE
Few more script:
--script banner #grab banner
--script broadcast #reveals broadcast information--script vuln #will use default scripts to report vulnerabilities if any.##Looking for specific scripts#Basic syntax:
locate *service name*.nseexamples:
locate *smb*.nse #will list all SMB related scripts
locate *http*.nse #list all web related scripts
That’s it for this blog, try to play around the NSE scripts, you can even install new scripts from the internet using wget and don’t forget to update the NSE engine using
nmap --script-updatedb
In next blog we’ll cover how to work upon the timing and performance of Nmap scans, till then keep practicing !