Nmap Scripting Engine

---

💡

• Overview:

  • NSE allows creation and execution of Lua scripts to interact with various services.

  • It is divided into 14 categories based on the type of tasks the scripts perform.

---

Script Categories

Category	Description
auth	Determination of authentication credentials.
broadcast	Scripts for host discovery via broadcasting; discovered hosts can be added automatically to scans.
brute	Executes scripts that attempt to log in by brute-forcing credentials.
default	Default scripts executed using the -sC option.
discovery	Evaluates accessible services.
dos	Checks services for denial-of-service vulnerabilities (used sparingly as they can harm services).
exploit	Tries to exploit known vulnerabilities on the scanned port.
external	Uses external services for further processing.
fuzzer	Sends varied fields to detect vulnerabilities and unexpected packet handling (can be time-consuming).
intrusive	Intrusive scripts that might negatively affect the target system.
malware	Checks if the target system is infected with malware.
safe	Defensive scripts that do not perform intrusive or destructive actions.
version	Extensions for service detection.
vuln	Identifies specific vulnerabilities.

---

Defining Scripts in Nmap

1. Default Scripts

• Command Example:

  sudo nmap <target> -sC
  

2. Specific Scripts Category

• Command Example:

  sudo nmap <target> --script <category>
  

3. Defined Scripts (Multiple Specific Scripts)

• Command Example:

  sudo nmap <target> --script <script-name>,<script-name>,...
  

---

Example: Specifying Scripts on an SMTP Port

• Scenario: Use two defined scripts (banner and smtp-commands) against the SMTP port (25).

• Command:

  sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands
  

• Sample Output:

  Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST
  Nmap scan report for 10.129.2.28
  Host is up (0.050s latency).
  
  PORT   STATE SERVICE
  25/tcp open  smtp
  |_banner: 220 inlane ESMTP Postfix (Ubuntu)
  |_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
  MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
  

• Scanning Options Explanation:

  • 10.129.2.28: Target IP.

  • p 25: Scan only port 25.

  • -script banner,smtp-commands: Run the specified NSE scripts.

• Key Observations:

  • The banner script reveals the SMTP server banner (shows Ubuntu distribution).

  • The smtp-commands script displays available SMTP commands, which can help identify existing users on the target.

---

Aggressive Scan Option (-A)

• Purpose: Combines multiple scanning options:

  • Service detection (sV)

  • OS detection (O)

  • Traceroute (-traceroute)

  • Default NSE scripts (sC)

• Example Command:

  sudo nmap 10.129.2.28 -p 80 -A
  

• Sample Output (Partial):

  Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 01:38 CEST
  Nmap scan report for 10.129.2.28
  Host is up (0.012s latency).
  
  PORT   STATE SERVICE VERSION
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  |_http-generator: WordPress 5.3.4
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: blog.inlanefreight.com
  MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
  Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), ...
  No exact OS matches for host (test conditions non-ideal).
  Network Distance: 1 hop
  
  TRACEROUTE
  HOP RTT      ADDRESS
  1   11.91 ms 10.129.2.28
  
  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds
  

• Scanning Options Explanation:

  • 10.129.2.28: Target IP.

  • p 80: Scan only port 80.

  • A: Performs aggressive scan combining multiple options.

• Key Findings:

  • Identifies the web server (Apache 2.4.29 on Ubuntu).

  • Detects the web application (WordPress 5.3.4) and webpage title.

  • Provides OS detection (likely Linux, 96% confidence).

---

Vulnerability Assessment Using NSE (vuln Category)

• Goal: To check the HTTP service (port 80) for known vulnerabilities.

• Command:

  sudo nmap 10.129.2.28 -p 80 -sV --script vuln
  

• Sample Output (Partial):

  Nmap scan report for 10.129.2.28
  Host is up (0.036s latency).
  
  PORT   STATE SERVICE VERSION
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  | http-enum:
  |   /wp-login.php: Possible admin folder
  |   /readme.html: Wordpress version: 2
  |   /: WordPress version: 5.3.4
  |   /wp-includes/images/rss.png: Wordpress version 2.2 found.
  |   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
  |   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
  |   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
  |   /wp-login.php: Wordpress login page.
  |   /wp-admin/upgrade.php: Wordpress login page.
  |_  /readme.html: Interesting, a readme.
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  | http-wordpress-users:
  | Username found: admin
  |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
  | vulners:
  |   cpe:/a:apache:http_server:2.4.29:
  |     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
  |     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
  |     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
  <SNIP>
  

• Scanning Options Explanation:

  • 10.129.2.28: Target IP.

  • p 80: Scan only port 80.

  • sV: Performs service version detection.

  • -script vuln: Runs all vulnerability-related NSE scripts.

• What the Scripts Do:

  • Interact with the webserver and its application to gather version details.

  • Query vulnerability databases to identify known vulnerabilities.

  • Examples include enumerating web directories (http-enum), checking server headers, and listing potential exploits (via the vulners script).

---

Additional Resources

• For more details on NSE scripts and categories, visit:NSE Documentation

---