# Nmap Scripting Engine

***


* **Overview:**
  * NSE allows creation and execution of Lua scripts to interact with various services.
  * It is divided into **14 categories** based on the type of tasks the scripts perform.

***

### Script Categories

| **Category**  | **Description**                                                                                       |
| ------------- | ----------------------------------------------------------------------------------------------------- |
| **auth**      | Determination of authentication credentials.                                                          |
| **broadcast** | Scripts for host discovery via broadcasting; discovered hosts can be added automatically to scans.    |
| **brute**     | Executes scripts that attempt to log in by brute-forcing credentials.                                 |
| **default**   | Default scripts executed using the `-sC` option.                                                      |
| **discovery** | Evaluates accessible services.                                                                        |
| **dos**       | Checks services for denial-of-service vulnerabilities (used sparingly as they can harm services).     |
| **exploit**   | Tries to exploit known vulnerabilities on the scanned port.                                           |
| **external**  | Uses external services for further processing.                                                        |
| **fuzzer**    | Sends varied fields to detect vulnerabilities and unexpected packet handling (can be time-consuming). |
| **intrusive** | Intrusive scripts that might negatively affect the target system.                                     |
| **malware**   | Checks if the target system is infected with malware.                                                 |
| **safe**      | Defensive scripts that do not perform intrusive or destructive actions.                               |
| **version**   | Extensions for service detection.                                                                     |
| **vuln**      | Identifies specific vulnerabilities.                                                                  |

***

### Defining Scripts in Nmap

### 1. **Default Scripts**

* **Command Example:**

  ```bash
  sudo nmap <target> -sC
  ```

### 2. **Specific Scripts Category**

* **Command Example:**

  ```bash
  sudo nmap <target> --script <category>
  ```

### 3. **Defined Scripts (Multiple Specific Scripts)**

* **Command Example:**

  ```bash
  sudo nmap <target> --script <script-name>,<script-name>,...
  ```

***

### Example: Specifying Scripts on an SMTP Port

* **Scenario:** Use two defined scripts (`banner` and `smtp-commands`) against the SMTP port (25).
* **Command:**

  ```bash
  sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands
  ```
* **Sample Output:**

  ```
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST
  Nmap scan report for 10.129.2.28
  Host is up (0.050s latency).

  PORT   STATE SERVICE
  25/tcp open  smtp
  |_banner: 220 inlane ESMTP Postfix (Ubuntu)
  |_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
  MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

  ```
* **Scanning Options Explanation:**
  * **`10.129.2.28`**: Target IP.
  * **`-p 25`**: Scan only port 25.
  * **`--script banner,smtp-commands`**: Run the specified NSE scripts.
* **Key Observations:**
  * The `banner` script reveals the SMTP server banner, which identifies Postfix running on Ubuntu.
  * The `smtp-commands` script lists the commands the server advertises; because `VRFY` is among them, the server will confirm whether a given mailbox exists, which can help identify existing users on the target.

***

### Aggressive Scan Option (-A)

* **Purpose:** Combines multiple scanning options:
  * Service detection (`-sV`)
  * OS detection (`-O`)
  * Traceroute (`--traceroute`)
  * Default NSE scripts (`-sC`)
* **Example Command:**

  ```bash
  sudo nmap 10.129.2.28 -p 80 -A
  ```
* **Sample Output (Partial):**

  ```
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 01:38 CEST
  Nmap scan report for 10.129.2.28
  Host is up (0.012s latency).

  PORT   STATE SERVICE VERSION
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  |_http-generator: WordPress 5.3.4
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: blog.inlanefreight.com
  MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
  Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), ...
  No exact OS matches for host (test conditions non-ideal).
  Network Distance: 1 hop

  TRACEROUTE
  HOP RTT      ADDRESS
  1   11.91 ms 10.129.2.28

  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds

  ```
* **Scanning Options Explanation:**
  * **`10.129.2.28`**: Target IP.
  * **`-p 80`**: Scan only port 80.
  * **`-A`**: Performs an aggressive scan combining the options listed above.
* **Key Findings:**
  * Identifies the web server (Apache 2.4.29 on Ubuntu).
  * Detects the web application (WordPress 5.3.4) and webpage title.
  * Provides OS detection (likely Linux, 96% confidence).

***

### Vulnerability Assessment Using NSE (vuln Category)

* **Goal:** To check the HTTP service (port 80) for known vulnerabilities.
* **Command:**

  ```bash
  sudo nmap 10.129.2.28 -p 80 -sV --script vuln
  ```
* **Sample Output (Partial):**

  ```
  Nmap scan report for 10.129.2.28
  Host is up (0.036s latency).

  PORT   STATE SERVICE VERSION
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  | http-enum:
  |   /wp-login.php: Possible admin folder
  |   /readme.html: Wordpress version: 2
  |   /: WordPress version: 5.3.4
  |   /wp-includes/images/rss.png: Wordpress version 2.2 found.
  |   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
  |   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
  |   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
  |   /wp-login.php: Wordpress login page.
  |   /wp-admin/upgrade.php: Wordpress login page.
  |_  /readme.html: Interesting, a readme.
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  | http-wordpress-users:
  | Username found: admin
  |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
  | vulners:
  |   cpe:/a:apache:http_server:2.4.29:
  |     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
  |     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
  |     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
  <SNIP>

  ```
* **Scanning Options Explanation:**
  * **`10.129.2.28`**: Target IP.
  * **`-p 80`**: Scan only port 80.
  * **`-sV`**: Performs service version detection.
  * **`--script vuln`**: Runs all NSE scripts in the `vuln` category.
* **What the Scripts Do:**
  * **Interact with the webserver and its application** to gather version details.
  * **Query vulnerability databases** to identify known vulnerabilities.
  * Examples include enumerating web directories (`http-enum`), checking server headers, and listing potential exploits (via the `vulners` script).
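
Both script outputs quoted on this page (the `banner`/`smtp-commands` run against SMTP and the `vuln` run against the web server) are easier to act on once parsed. The Python below is an added example, not Nmap's code and not part of the original notes: it parses Nmap's normal text output into a per-port structure, then flags SMTP services that advertise `VRFY` (or `EXPN`) and ranks the CVEs reported by `vulners` by CVSS score. The two sample outputs are copied, trimmed, from the scans shown above; the `EXPN` check and the CVSS threshold are assumptions I added for the example.

```python
import re

# Sample outputs copied (trimmed) from the two scans shown on this page.
SMTP_OUTPUT = """\
PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
"""

VULN_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     \tCVE-2019-0211\t7.2\thttps://vulners.com/cve/CVE-2019-0211
|     \tCVE-2018-1312\t6.8\thttps://vulners.com/cve/CVE-2018-1312
|     \tCVE-2017-15715\t6.8\thttps://vulners.com/cve/CVE-2017-15715
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script ids are lowercase letters, digits and hyphens; a script header
# line is "| id:" or "|_id:" with the id immediately after the prefix.
SCRIPT_HEADER_RE = re.compile(r"^([a-z0-9][a-z0-9-]*):(?:\s(.*))?$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+(\d+(?:\.\d+)?)\s+(\S+)")


def parse_nmap_output(text):
    """Parse Nmap normal output into {port: {state, service, version, scripts}}.

    NSE output conventions: "|_id: text" is a complete one-line result;
    "| id:" opens a multi-line result whose continuation lines start with
    "| " and whose final line starts with "|_".
    """
    ports = {}
    port = script = None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            num, proto, state, service, version = m.groups()
            port = f"{num}/{proto}"
            ports[port] = {"state": state, "service": service,
                           "version": version or "", "scripts": {}}
            script = None
            continue
        if port is None or not raw.startswith("|"):
            script = None          # left the port block (e.g. "MAC Address:")
            continue
        last = raw.startswith("|_")
        body = raw[2:]             # drop the "| " / "|_" prefix
        if script is None:
            header = SCRIPT_HEADER_RE.match(body)
            if header is None:
                continue           # stray line outside any script block
            script = header.group(1)
            ports[port]["scripts"][script] = []
            body = header.group(2) or ""
        if body.strip():
            ports[port]["scripts"][script].append(body.strip())
        if last:
            script = None
    return ports


def smtp_exposure(ports):
    """Return (port, command) pairs for SMTP services that advertise VRFY or
    EXPN, the commands that let any client confirm whether a mailbox exists."""
    findings = []
    for port, info in ports.items():
        advertised = {c.strip() for c in
                      ",".join(info["scripts"].get("smtp-commands", [])).split(",")}
        for cmd in ("VRFY", "EXPN"):   # EXPN added by assumption; page shows VRFY
            if cmd in advertised:
                findings.append((port, cmd))
    return findings


def ranked_cves(ports, min_cvss=0.0):
    """Return (port, cve, cvss, url) tuples from vulners output, highest CVSS first."""
    found = []
    for port, info in ports.items():
        for line in info["scripts"].get("vulners", []):
            m = CVE_RE.search(line)
            if m and float(m.group(2)) >= min_cvss:
                found.append((port, m.group(1), float(m.group(2)), m.group(3)))
    return sorted(found, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for port, cmd in smtp_exposure(parse_nmap_output(SMTP_OUTPUT)):
        print(f"[!] {port}: {cmd} enabled, mailbox confirmation exposed")
    for port, cve, score, url in ranked_cves(parse_nmap_output(VULN_OUTPUT), 7.0):
        print(f"[!] {port}: {cve} (CVSS {score}) {url}")
```

For automation against real scans, Nmap's `-oX` XML output is the more robust source, since script results there carry structured `<script>` elements; this parser exists to show how the text format quoted on this page is laid out.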

***

## Additional Resources

* For more details on NSE scripts and categories, visit: [NSE Documentation](https://nmap.org/nsedoc/index.html)

***
