Thursday, December 31, 2020

Nmap script categories - full potential unleashed

Almost all of you already know that Nmap provides scripts for analysing a target. Many of us just add the "-sC" option and go, right? Not quite.
That option runs only the scripts in the "default" category, a subset of roughly 120 scripts out of the several hundred that ship with Nmap.

Every one of us uses Nmap, but not everyone knows the full potential of Nmap's scripts.
In this article, we will take a deeper look at the scripts and the full potential of Nmap.

First of all, where are the scripts stored, and what types of scripts do we have at our disposal?

This command lists the distinct categories declared by the scripts installed in /usr/share/nmap/scripts (each .nse file carries a "categories = {...}" line):

grep -r categories /usr/share/nmap/scripts/*.nse | cut -d ":" -f 2 | grep -oP '"(.*?)"' | sort -u

If you're facing an SMB service, as often happens, and you run only the -sC option, you'll never learn whether it is vulnerable to MS17-010, better known as EternalBlue: the script that checks for it falls under the "vuln" and "safe" categories, not "default".

Nmap runs scripts when you add the "--script" option.
This option accepts:

1. script name
2. NSE category
3. Path to an NSE file
4. Folder containing scripts
5. An expression

Expressions allow incredible flexibility when selecting scripts, as we will see in the following sections.

> Selecting by script name or category

To select a whole category, simply use the name of the category as the argument.
For example, to run the exploit category, use the following command:

nmap --script exploit <target>

You can also run several categories by separating them with a comma:

nmap --script discovery,intrusive <target>

> Selecting by filename or folder

In order to execute an NSE script file, we can use this syntax:

nmap --script /path/to/script.nse <target>

As with categories, you can execute several scripts by separating their paths with a comma:

nmap --script /path/to/script.nse,/another/path/script2.nse <target>

To execute all the scripts contained in a folder, we only need to pass the folder name as an argument:

nmap --script /path/to/folder/ <target>

> Advanced script selection with expressions

Expressions are used to describe sets of scripts. We'll now go through different scenarios where we can take advantage of script selection.

In this example the "not exploit" expression matches any script that does not belong to the exploit category:

nmap -sV --script "not exploit" <target>

The or and and operators allow constructing more complex logical expressions. The following expression matches any script that is in none of the intrusive, dos or exploit categories:

nmap --script "not(intrusive or dos or exploit)" -sV <target>

If we would like to execute only the scripts that belong to both the broadcast and the discovery category, we'll use:

nmap --script "broadcast and discovery" <target>

When selecting scripts by name, you can also use the wildcard character *:

nmap --script "snmp-*" <target>

Of course, we can combine wildcards and expressions. For example, let's run all the scripts whose names contain http, but exclude specific scripts such as http-slowloris, http-brute, http-form-fuzzer and http-enum:

nmap --script "*http* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" <target>

We can also combine wildcarded filters with expressions when selecting categories. The next command executes all scripts whose names begin with http- that are not in the exploit category:

nmap --script "http-* and not(exploit)" <target>
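The category listing and the selection expressions above can be exercised without touching a network. The following Python is an added example written for this article, not Nmap's own code: it parses the "categories = {...}" line from a constructed set of script sources (the script names and their categories are my assumption of what the upstream scripts declare; grep your own /usr/share/nmap/scripts for the real list), then evaluates --script expressions against that catalog with the same not/and/or, wildcard and comma-list semantics. The point to notice is that selecting "default" (what -sC does) never reaches the vuln scripts.

```python
"""Added model of Nmap's --script selection: categories, names, wildcards
and not/and/or expressions, evaluated against a constructed script catalog."""
import fnmatch
import re

# Constructed catalog: script file -> its 'categories = {...}' source line.
# The assignments follow upstream as I recall them but are an assumption here.
NSE_SOURCES = {
    "http-title.nse":        'categories = {"default", "discovery", "safe"}',
    "http-enum.nse":         'categories = {"discovery", "intrusive", "vuln"}',
    "http-slowloris.nse":    'categories = {"dos", "intrusive"}',
    "smb-vuln-ms17-010.nse": 'categories = {"vuln", "safe"}',
    "smb-os-discovery.nse":  'categories = {"default", "discovery", "safe"}',
    "snmp-info.nse":         'categories = {"default", "discovery", "safe"}',
    "ssh-hostkey.nse":       'categories = {"safe", "default", "discovery"}',
}
CATEGORY_LINE = re.compile(r"categories\s*=\s*\{([^}]*)\}")
QUOTED = re.compile(r'"(.*?)"')
TOKEN = re.compile(r"\(|\)|[^\s()]+")  # a parenthesis or a word/pattern

def parse_categories(source):
    """Category names declared in one script's source (empty set if none)."""
    match = CATEGORY_LINE.search(source)
    return set(QUOTED.findall(match.group(1))) if match else set()

def load_catalog(sources):
    """Map script name (without .nse) -> set of its categories."""
    return {re.sub(r"\.nse$", "", f): parse_categories(s) for f, s in sources.items()}

CATALOG = load_catalog(NSE_SOURCES)

def atom_matches(atom, script, cats):
    """A bare word selects a category, 'all', or a (wildcard) script name.
    A leading '+' is ignored for matching; it only forces execution."""
    atom = atom.lstrip("+").lower()
    return atom == "all" or atom in cats or fnmatch.fnmatchcase(script.lower(), atom)

class _Evaluator:
    """Recursive-descent evaluation of one expression for one script.
    Precedence: not binds tightest, then and, then or; parentheses group."""

    def __init__(self, tokens, script, cats):
        self.toks, self.pos, self.script, self.cats = tokens, 0, script, cats

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else None

    def or_expr(self):
        value = self.and_expr()
        while (self.peek() or "").lower() == "or":
            self.take()
            value = self.and_expr() or value  # evaluate the right side regardless
        return value

    def and_expr(self):
        value = self.unary()
        while (self.peek() or "").lower() == "and":
            self.take()
            value = self.unary() and value
        return value

    def unary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of --script expression")
        if tok.lower() == "not":
            return not self.unary()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')' in --script expression")
            return value
        return atom_matches(tok, self.script, self.cats)

def select_scripts(script_arg, catalog=CATALOG):
    """Sorted names of the scripts --script <script_arg> would load;
    comma-separated expressions are unioned, as Nmap does."""
    chosen = set()
    for expr in filter(None, (e.strip() for e in script_arg.split(","))):
        tokens = TOKEN.findall(expr)
        for script, cats in catalog.items():
            ev = _Evaluator(tokens, script, cats)
            matched = ev.or_expr()
            if ev.peek() is not None:
                raise ValueError(f"trailing input in expression {expr!r}")
            if matched:
                chosen.add(script)
    return sorted(chosen)

def forced_scripts(script_arg, catalog=CATALOG):
    """Scripts named with a leading '+': Nmap runs these even when their
    port or host rule would otherwise skip them."""
    plus = [t for t in TOKEN.findall(script_arg.replace(",", " ")) if t.startswith("+")]
    return sorted(s for s, c in catalog.items() if any(atom_matches(t, s, c) for t in plus))
```

Calling select_scripts("default") on this catalog returns the four default scripts and leaves smb-vuln-ms17-010 out, while select_scripts("vuln") includes it; "*http* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" reduces to http-title alone, exactly as the commands above intend. The evaluator is deliberately strict and raises on a malformed expression rather than silently selecting nothing.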

> NSE script arguments

The --script-args Nmap option is used to pass arguments to NSE scripts and libraries. For example, if we would like to set the http library argument "useragent", we can run:

nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>

Not many Nmap users know this, but we can also omit the script name prefix when setting arguments:

nmap -p80 --script http-trace --script-args path <target>

The preceding form is equivalent to the fully qualified one:

nmap -p80 --script http-trace --script-args http-trace.path <target>

> Loading script arguments from a file

If you are planning to run several scans, it is probably a good idea to write your script arguments down in a file to save some typing. NSE supports loading arguments from an absolute or relative path with the --script-args-file option.

The arguments contained in the file must be separated by commas or new lines:

nmap --script "discovery,broadcast" --script-args-file nmap-args.txt <target>

Contents of nmap-args.txt:

http.useragent=Not Nmap
http.max-connections=50
userdb=/path/to/usernames.lst
passdb=/path/to/dictionary.lst
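The two argument sections above (unprefixed versus script-qualified names, and the comma-or-newline file format) are small enough to model in a few lines. The following Python is an added example for this article, not NSE code: parse_script_args reads the format of --script-args and nmap-args.txt, merge_args applies the command-line-over-file precedence the Nmap manual describes, and get_script_arg resolves a name the way I understand stdnse.get_script_args to (qualified "script.name" first, bare "name" as the fallback). The file contents and paths are constructed placeholders; storing a bare name such as "path" as True is an assumption of this model, not the value NSE assigns.

```python
"""Added model of NSE script-argument parsing and name resolution."""
import re

# Constructed contents of an args file like the article's nmap-args.txt.
# The paths are placeholders; nothing is read from disk.
ARGS_FILE = """http.useragent=Not Nmap, http.max-connections=50
userdb=/path/to/usernames.lst
passdb=/path/to/dictionary.lst
"""

def parse_script_args(text):
    """Parse name=value pairs separated by commas or newlines into a dict.
    A bare name (e.g. 'path') is stored as True to record that it was given;
    that placeholder is an assumption of this example. Quoted values that
    themselves contain commas are not handled here."""
    args = {}
    for item in re.split(r"[,\n]", text):
        item = item.strip()
        if not item:
            continue
        name, has_value, value = item.partition("=")
        args[name.strip()] = value.strip().strip('"') if has_value else True
    return args

def merge_args(file_text, cli_text=""):
    """Combine --script-args-file and --script-args; command-line values
    override the file, which is the precedence the Nmap manual describes."""
    merged = parse_script_args(file_text)
    merged.update(parse_script_args(cli_text))
    return merged

def get_script_arg(args, script, name):
    """Resolve one argument for one script: the qualified 'script.name' key
    wins, the unqualified 'name' is the fallback (my reading of
    stdnse.get_script_args). Returns None when neither was given."""
    qualified = args.get(f"{script}.{name}")
    return qualified if qualified is not None else args.get(name)

def scripts_affected(args, script_names, name):
    """Which of the given scripts would see a value for argument 'name'?
    An unqualified argument reaches every script that asks for it, so a
    bare 'path' or 'userdb' is not scoped to the one script you had in mind."""
    return [s for s in script_names if get_script_arg(args, s, name) is not None]
```

The last helper is the practical caveat of the shorthand: "--script-args path" reaches http-trace, but it also reaches any other selected script that reads an argument named path, whereas "http-trace.path" is scoped to that script alone.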

> Forcing the execution of NSE scripts

Let's talk about how to force the execution of particular scripts.

Nmap can force the execution of an NSE script by prepending a "+" to the script name:

nmap --script +<script selection> <<arg1, arg2, …>>

If we want to force the execution of just the http-title script against the service running on port 1212, thus saving a lot of time, we can run:

nmap --script +http-title -p1212 <target>

Without the "+" sign the script would not run, because port 1212 is not one that the http-title port rule recognises as a web service; since we added it, the report comes back with the following:

Nmap scan report for
Host is up (0.00026s latency).
1212/tcp open  lupa
|_http-title: W00t!

> Debugging NSE scripts

If you need to analyze the traffic sent and received by NSE, use the --script-trace option. For example, if you would like to see the payloads sent by the NSE scripts in the exploit category, you can use this expression:

nmap --script exploit --script-trace <target>

You can also turn on Nmap's debug mode with the -d[1-9] flag. The integer that follows it denotes the debug level and must be between 1 and 9; the higher the level, the more verbose the output. Here is an example with a mid-level setting:

nmap -sV --script exploit -d4 <target>

The --packet-trace option shows all the packets sent and received, not only the traffic generated by NSE. This is useful for analysing what we're actually sending:

nmap -O --script myscript.nse --packet-trace <target>

See you next time with an article on an awesome SMB exploit using all of Nmap's potential!


