Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Nmap 6: Network Exploration and Security Auditing Cookbook

You're reading from   Nmap 6: Network Exploration and Security Auditing Cookbook Want to master Nmap and its scripting engine? Then this book is for you – packed with practical tasks and precise instructions, it's a comprehensive guide to penetration testing and network monitoring. Security in depth.

Arrow left icon
Product type Paperback
Published in Nov 2012
Publisher Packt
ISBN-13 9781849517485
Length 318 pages
Edition 1st Edition
Languages
Tools
Concepts
Arrow right icon
Toc

Table of Contents (18) Chapters Close

Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
1. Nmap Fundamentals FREE CHAPTER 2. Network Exploration 3. Gathering Additional Host Information 4. Auditing Web Servers 5. Auditing Databases 6. Auditing Mail Servers 7. Scanning Large Networks 8. Generating Scan Reports 9. Writing Your Own NSE Scripts References
Index

Running NSE scripts


NSE scripts are very powerful and have become one of Nmap's main strengths, performing tasks from advanced version detection to vulnerability exploitation.

The following recipe describes how to run NSE scripts, and the different options available for this engine.

How to do it...

To include the title of the index document of a web server in your scan results, open your terminal and type the following command:

$ nmap -sV --script http-title scanme.nmap.org 

How it works...

The argument --script sets which NSE scripts should be run with the scan. In this case, when the service scan detects the web server, a parallel thread is initialized for the selected NSE script.

There are more than 230 scripts available, which perform a wide variety of tasks. The NSE script http-title returns the title of the root document if a web server is detected.

There's more...

You can run multiple scripts at once:

$ nmap --script http-headers,http-title scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.096s latency). 
Not shown: 995 closed ports 
PORT     STATE    SERVICE 
22/tcp   open     ssh 
25/tcp   filtered smtp 
80/tcp   open     http 
| http-headers: 
|   Date: Mon, 24 Oct 2011 07:12:09 GMT 
|   Server: Apache/2.2.14 (Ubuntu) 
|   Accept-Ranges: bytes 
|   Vary: Accept-Encoding 
|   Connection: close 
|   Content-Type: text/html 
|   
|_  (Request type: HEAD) 
|_http-title: Go ahead and ScanMe! 
646/tcp  filtered ldp 
9929/tcp open     nping-echo 

Additionally, NSE scripts can be selected by category, expression, or folder:

  • Run all the scripts in the vuln category:

    $ nmap -sV --script vuln <target>
    
  • Run the scripts in the categories version or discovery:

    $ nmap -sV --script="version,discovery" <target>
    
  • Run all the scripts except for the ones in the exploit category:

    $ nmap -sV --script "not exploit" <target>
    
  • Run all HTTP scripts except http-brute and http-slowloris:

    $ nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>
    

To debug scripts use --script-trace. This enables a stack trace of the executed script to help you to debug the session. Remember that sometimes you may need to increase the debugging level with the flag -d[1-9] to get to the bottom of the problem:

$ nmap -sV –-script exploit -d3 --script-trace 192.168.1.1 

NSE script arguments

The flag --script-args is used to set arguments of NSE scripts. For example, if you would like to set the HTTP library argument useragent, you would use:

$ nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>

You can also use aliases when setting the arguments for NSE scripts. For example, you could use

$ nmap -p80 --script http-trace --script-args path <target>

Instead of:

$ nmap -p80 --script http-trace --script-args http-trace.path <target>  

Adding new scripts

To test new scripts, you simply need to copy them to your /scripts directory and run the following command to update the script database:

# nmap --script-update-db

NSE script categories

  • auth: This category is for scripts related to user authentication.

  • broadcast: This is a very interesting category of scripts that use broadcast petitions to gather information.

  • brute: This category is for scripts that help conduct brute-force password auditing.

  • default: This category is for scripts that are executed when a script scan is executed (-sC).

  • discovery: This category is for scripts related to host and service discovery.

  • dos: This category is for scripts related to denial of service attacks.

  • exploit: This category is for scripts that exploit security vulnerabilities.

  • external: This category is for scripts that depend on a third-party service.

  • fuzzer: This category is for NSE scripts that are focused on fuzzing.

  • intrusive: This category is for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong to this category.

  • malware: This category is for scripts related to malware detection.

  • safe: This category is for scripts that are considered safe in all situations.

  • version: This category is for scripts that are used for advanced versioning.

  • vuln: This category is for scripts related to security vulnerabilities.

See also

  • The Managing different scanning profiles with Zenmap recipe

  • The Monitoring servers remotely with Nmap and Ndiff recipe

  • The Fingerprinting services of a remote host recipe

  • The Finding live hosts in your network recipe

  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration

  • The Collecting valid e-mail accounts recipe in Chapter 3, Gathering Additional Host Information

  • The Discovering hostnames pointing to the same IP recipe in Chapter 3, Gathering Additional Host Information

  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information

You have been reading a chapter from
Nmap 6: Network Exploration and Security Auditing Cookbook
Published in: Nov 2012
Publisher: Packt
ISBN-13: 9781849517485
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime