Nmap 6: Network Exploration and Security Auditing Cookbook
Product type Paperback
Published in Nov 2012
Publisher Packt
ISBN-13 9781849517485
Length 318 pages
Edition 1st Edition
Running NSE scripts


NSE scripts are very powerful and have become one of Nmap's main strengths, performing tasks from advanced version detection to vulnerability exploitation.

The following recipe describes how to run NSE scripts, and the different options available for this engine.

How to do it...

To include the title of the index document of a web server in your scan results, open your terminal and type the following command:

$ nmap -sV --script http-title scanme.nmap.org

How it works...

The argument --script sets which NSE scripts should be run with the scan. In this case, when the service scan detects the web server, a parallel thread is initialized for the selected NSE script.

There are more than 230 scripts available, which perform a wide variety of tasks. The NSE script http-title returns the title of the root document if a web server is detected.

There's more...

You can run multiple scripts at once:

$ nmap --script http-headers,http-title scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.096s latency). 
Not shown: 995 closed ports 
PORT     STATE    SERVICE 
22/tcp   open     ssh 
25/tcp   filtered smtp 
80/tcp   open     http 
| http-headers: 
|   Date: Mon, 24 Oct 2011 07:12:09 GMT 
|   Server: Apache/2.2.14 (Ubuntu) 
|   Accept-Ranges: bytes 
|   Vary: Accept-Encoding 
|   Connection: close 
|   Content-Type: text/html 
|   
|_  (Request type: HEAD) 
|_http-title: Go ahead and ScanMe! 
646/tcp  filtered ldp 
9929/tcp open     nping-echo 
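As an added example (not code from the book or from Nmap), here is a small Python parser for the normal-format output above that pulls out each port's state, service and per-script NSE results, the kind of thing you would feed into a service inventory or a baseline comparison. The sample input is an abbreviated copy of the scan output shown above.

```python
import re

# Constructed sample: an abbreviated copy of the nmap output shown above
# (a few http-headers lines dropped), so the parser runs offline.
SAMPLE = """\
Nmap scan report for scanme.nmap.org (74.207.244.221)
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
| http-headers:
|   Server: Apache/2.2.14 (Ubuntu)
|   Content-Type: text/html
|
|_  (Request type: HEAD)
|_http-title: Go ahead and ScanMe!
646/tcp  filtered ldp
9929/tcp open     nping-echo
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^([A-Za-z0-9-]+):\s?(.*)$")

def parse_nmap_output(text):
    """Map 'port/proto' -> {'state', 'service', 'scripts': {name: [lines]}}.
    NSE lines follow their port, prefixed '| ' (more follow) or '|_' (last).
    A name at column 0 of the body opens a block; indented lines continue it."""
    ports, current, script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            ports[current] = {"state": m.group(3), "service": m.group(4), "scripts": {}}
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line[2:]                       # drop the '| ' or '|_' prefix
        m = SCRIPT_RE.match(body) if not body.startswith(" ") else None
        if m:                                 # a new script block for this port
            script = m.group(1)
            ports[current]["scripts"][script] = [m.group(2)] if m.group(2) else []
        elif script and body.strip():         # continuation line of the block
            ports[current]["scripts"][script].append(body.strip())
    return ports

def http_headers(ports, port="80/tcp"):
    """Turn the http-headers block into a dict (e.g. to inventory Server banners)."""
    lines = ports.get(port, {}).get("scripts", {}).get("http-headers", [])
    return dict(l.split(": ", 1) for l in lines if ": " in l and not l.startswith("("))
```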

Additionally, NSE scripts can be selected by category, expression, or folder:

  • Run all the scripts in the vuln category:

    $ nmap -sV --script vuln <target>
    
  • Run the scripts in the categories version or discovery:

    $ nmap -sV --script="version,discovery" <target>
    
  • Run all the scripts except for the ones in the exploit category:

    $ nmap -sV --script "not exploit" <target>
    
  • Run all HTTP scripts except http-brute and http-slowloris:

    $ nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>
    
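The four selections above are instances of one small expression language: categories, script names and wildcards combined with and, or, not and parentheses. The following added example (not code from the book or from Nmap) implements a general evaluator for that language over a constructed catalogue of scripts with assumed categories, so that you can preview which scripts a --script expression would select before running a scan; the catalogue contents and the "demo-exploit" name are assumptions, and the precedence (not, then and, then or, with a comma read as or) is the one the examples above rely on.

```python
import fnmatch
import re
# Constructed catalogue of script names and their NSE categories (illustrative,
# not read from Nmap's script database; "demo-exploit" is a made-up name).
SCRIPTS = {
    "http-title": {"default", "discovery", "safe"},
    "http-headers": {"discovery", "safe"},
    "http-trace": {"vuln", "discovery", "safe"},
    "http-brute": {"brute", "intrusive"},
    "http-slowloris": {"dos", "intrusive"},
    "demo-exploit": {"exploit", "intrusive", "vuln"},
}
TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")  # parentheses, commas, words

def select_scripts(expression, catalogue=SCRIPTS):
    # Sorted names of the catalogue scripts that the --script expression selects.
    toks = TOKEN_RE.findall(expression)
    return sorted(n for n, c in catalogue.items() if _selected(toks, n, c))

def _selected(toks, name, cats):
    """Evaluate the expression for one script: a bare term is true when it names one of
    the script's categories or glob-matches the name; 'not' > 'and' > 'or' (',' is 'or')."""
    pos = 0
    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(toks) and toks[pos] in (",", "or"):
            pos += 1
            v = parse_and() or v      # always parse the right side to advance pos
        return v
    def parse_and():
        nonlocal pos
        v = parse_not()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            v = parse_not() and v
        return v
    def parse_not():
        nonlocal pos
        if pos >= len(toks) or toks[pos] in (")", ",", "and", "or"):
            raise ValueError("malformed --script expression")
        tok, pos = toks[pos], pos + 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            v = parse_or()
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("unbalanced parentheses in --script expression")
            pos += 1
            return v
        return tok in cats or fnmatch.fnmatchcase(name, tok)
    return parse_or()
```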

To debug scripts, use --script-trace. This enables a stack trace of the executed script to help you debug the session. Remember that sometimes you may need to increase the debugging level with the flag -d[1-9] to get to the bottom of the problem:

$ nmap -sV --script exploit -d3 --script-trace 192.168.1.1

NSE script arguments

The flag --script-args is used to set arguments for NSE scripts. For example, to set the HTTP library argument useragent, you would use:

$ nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>

You can also use aliases when setting the arguments for NSE scripts. For example, you could use:

$ nmap -p80 --script http-trace --script-args path <target>

instead of:

$ nmap -p80 --script http-trace --script-args http-trace.path <target>

Adding new scripts

To test new scripts, simply copy them to your /scripts directory and run the following command to update the script database:

# nmap --script-update-db

NSE script categories

  • auth: This category is for scripts related to user authentication.

  • broadcast: This is a very interesting category of scripts that use broadcast requests to gather information.

  • brute: This category is for scripts that help conduct brute-force password auditing.

  • default: This category is for scripts that run when a script scan is requested (-sC).

  • discovery: This category is for scripts related to host and service discovery.

  • dos: This category is for scripts related to denial of service attacks.

  • exploit: This category is for scripts that exploit security vulnerabilities.

  • external: This category is for scripts that depend on a third-party service.

  • fuzzer: This category is for NSE scripts that are focused on fuzzing.

  • intrusive: This category is for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong to this category.

  • malware: This category is for scripts related to malware detection.

  • safe: This category is for scripts that are considered safe in all situations.

  • version: This category is for scripts that are used for advanced version detection.

  • vuln: This category is for scripts related to security vulnerabilities.

See also

  • The Managing different scanning profiles with Zenmap recipe

  • The Monitoring servers remotely with Nmap and Ndiff recipe

  • The Fingerprinting services of a remote host recipe

  • The Finding live hosts in your network recipe

  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration

  • The Collecting valid e-mail accounts recipe in Chapter 3, Gathering Additional Host Information

  • The Discovering hostnames pointing to the same IP recipe in Chapter 3, Gathering Additional Host Information

  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information
