I know that almost all of you probably already know that Nmap provides scripts for analysing a target. Many of us just add the "-sC" option and go, right? No.
That runs only the default scripts, a subcategory of roughly 120 scripts.
Every one of us uses Nmap, but not everyone knows the full potential of Nmap's scripts.
In this article, we will take a deeper look at the scripts and the full potential of Nmap.
First of all, where are the scripts stored, and what types of scripts do we have at our disposal?
This command will list the different categories:
grep -r categories /usr/share/nmap/scripts/*.nse | cut -d ":" -f 2 | grep -oP '"(.*?)"' | sort -u
If you are facing an SMB service, as often happens, and you run only the -sC option, you will never find out whether it is vulnerable to MS17-010, better known as EternalBlue: its script falls under the "vuln" and "safe" categories, not "default".
The --script option can take:
1. script name
2. NSE category
3. Path to an NSE file
4. Folder containing scripts
5. An expression
Expressions allow incredible flexibility when selecting scripts, as we will see in the following sections.
> Selecting by script name or category
To select a whole category, simply use the name of the category as the argument.
For example, to run the exploit category, use the following command:
nmap --script exploit <target>
You can also run several categories by separating them with a comma:
nmap --script discovery,intrusive <target>
> Selecting by filename or folder
In order to execute an NSE script file, we can use this syntax:
nmap --script /path/to/script.nse <target>
As with categories, you can execute several scripts by separating their paths with a comma:
nmap --script /path/to/script.nse,/another/path/script2.nse <target>
To execute all the scripts contained in a folder, we only need to pass the folder name as an argument:
nmap --script /path/to/folder/ <target>
> Advanced script selection with expressions
Expressions describe sets of scripts. We'll now go through different scenarios where we can take advantage of script selection.
In this example the "not exploit" expression matches any script that does not belong to the exploit category:
nmap -sV --script "not exploit" <target>
The or and and operators allow constructing more complex logical expressions. The following expression matches any script that is not in the intrusive, dos or exploit categories:
nmap --script "not(intrusive or dos or exploit)" -sV <target>
If we would like to execute all scripts that are in both the broadcast and discovery categories, we'll use:
nmap --script "broadcast and discovery" <target>
When selecting scripts, you can also use the wildcard character *:
nmap --script "snmp-*" <target>
Of course, we can combine wildcards and expressions. For example, let's run all the scripts whose names contain http, but exclude some of them, such as http-slowloris, http-brute, http-form-fuzzer or http-enum:
nmap --script "*http* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" <target>
Wildcards can be combined with category names too; this runs every http-* script that is not in the exploit category:
nmap --script "http-* and not(exploit)" <target>
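The following is an added example, not code from the article: an offline preview of which scripts a --script selection would match, built from the categories = {...} line that every NSE script carries. It serves two points made above: it lists the "vuln" scripts that -sC (the "default" category) silently skips, and it evaluates a wildcard plus exclusion list of the "http-* and not(...)" kind. The sample .nse headers and their category sets are constructed for the demo and do not claim to match real scripts of the same names; against a real installation, nmap --script-help "<expression>" is the authoritative check.

```shell
#!/bin/sh
# Added example, not part of the original article: an offline preview of which
# scripts a --script selection matches, built from the "categories = {...}" line
# that every NSE script carries. `nmap --script-help "<expr>"` is the real check.
set -eu

# Constructed sample script headers in a temp dir; the category sets are
# invented for the demo and do not claim to match real scripts of the same name.
make_sample_scripts() {
  dir=$(mktemp -d)
  printf 'categories = {"default", "discovery", "safe"}\n' > "$dir/http-title.nse"
  printf 'categories = {"vuln", "safe"}\n'                 > "$dir/smb-vuln-demo.nse"
  printf 'categories = {"intrusive", "dos"}\n'             > "$dir/http-slowloris.nse"
  printf 'categories = {"intrusive", "brute"}\n'           > "$dir/http-brute.nse"
  printf 'categories = {"default", "safe"}\n'              > "$dir/snmp-info.nse"
  echo "$dir"
}

# Categories of one script, one per line, taken from its categories = {...} line.
script_categories() {
  grep -o 'categories *= *{[^}]*}' "$1" | grep -oE '"[^"]+"' | tr -d '"'
}

# Script names (without .nse) in directory $1 that belong to category $2.
scripts_in_category() {
  for f in "$1"/*.nse; do
    if script_categories "$f" | grep -qx "$2"; then
      basename "$f" .nse
    fi
  done
}

# Scripts that the "vuln" category runs but -sC (category "default") skips.
vuln_not_default() {
  for f in "$1"/*.nse; do
    cats=$(script_categories "$f")
    if echo "$cats" | grep -qx vuln && ! echo "$cats" | grep -qx default; then
      basename "$f" .nse
    fi
  done
}

# Offline equivalent of --script "<glob> and not(a or b ...)":
# $1 = directory, $2 = shell glob on the script name, remaining args = script
# names or categories to exclude.
select_scripts() {
  dir=$1; pattern=$2; shift 2
  for f in "$dir"/*.nse; do
    name=$(basename "$f" .nse)
    case "$name" in $pattern) ;; *) continue ;; esac
    keep=1
    for ex in "$@"; do
      if [ "$name" = "$ex" ] || script_categories "$f" | grep -qx "$ex"; then
        keep=0
      fi
    done
    if [ "$keep" = 1 ]; then echo "$name"; fi
  done
}

# Demo run: what -sC misses, and the "http-* and not(http-slowloris or brute)" selection.
sample=$(make_sample_scripts)
echo "vuln scripts skipped by -sC: $(vuln_not_default "$sample" | tr '\n' ' ')"
echo "http-* minus exclusions:     $(select_scripts "$sample" 'http-*' http-slowloris brute | tr '\n' ' ')"
rm -rf "$sample"
```

The exclusion list accepts either a script name or a category, which is exactly the mix the expression syntax allows inside not(...); pointing make_sample_scripts at a copy of /usr/share/nmap/scripts instead of the constructed headers turns it into a quick audit of what a given selection leaves out.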
> NSE script arguments
The --script-args option is used to pass arguments to NSE scripts. For example, to set the http library's "useragent" argument, we can run:
nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>
An argument name can be given unqualified, or prefixed with the script's name so that only that script picks it up; here the http-trace script's path argument is referenced in both forms:
nmap -p80 --script http-trace --script-args path <target>
nmap -p80 --script http-trace --script-args http-trace.path <target>
> Loading script arguments from a file
The arguments contained in the file must be separated by commas or newlines. For example:
nmap --script "discovery,broadcast" --script-args-file nmap-args.txt <target>
nmap-args.txt
_____________________________________________________
http.useragent=Not Nmap
http.max-connections=50
userdb=/path/to/usernames.lst
passdb=/path/to/dictionary.lst
_____________________________________________________
> Forcing the execution of NSE scripts
Let's talk about how to force the execution of particular scripts.
Nmap can force the execution of an NSE script by prepending a "+" to the script name:
nmap --script +<script selection> <<arg1, arg2, …>>
If we want to force the execution of only the http-title NSE script against the service running on port 1212, thus saving a lot of time, we can run:
nmap --script +http-title -p1212 192.168.1.210
Without the "+" sign the script would not run, because port 1212 is not recognised as an HTTP service, but since we added it the report comes back with the following:
_____________________________________________________
Nmap scan report for 192.168.1.210
Host is up (0.00026s latency).
PORT STATE SERVICE
1212/tcp open lupa
|_http-title: W00t!
_____________________________________________________
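As an added example, not code from the article, the small parser below flattens the script section of Nmap's normal output, like the report above, into one host/port/script/value record per result, so that script output can be grepped or diffed between scans. The sample scan it embeds is constructed and modelled on the report above; the hosts, host keys and values are made up. It only understands the "|_name:" and "| name:" lines shown on this page; for anything beyond a quick look, use -oX and parse the XML instead.

```shell
#!/bin/sh
# Added example, not part of the original article: flatten the script section of
# Nmap's normal output into one "host<TAB>port<TAB>script<TAB>value" record per
# result, so script output can be grepped or diffed between scans. It only
# understands the "|_name:" and "| name:" lines shown above; for anything
# beyond a quick look, use -oX and parse the XML instead.
set -eu

# Constructed sample, modelled on the report above. Hosts, keys and values are made up.
SAMPLE_SCAN='Nmap scan report for 192.168.1.210
Host is up (0.00026s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey:
|   2048 aa:bb:cc:dd (RSA)
|_  256 ee:ff:00:11 (ECDSA)
1212/tcp open  lupa
|_http-title: W00t!

Nmap scan report for 192.168.1.211
Host is up (0.00031s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.41 (Ubuntu)'

# Read normal output on stdin; emit host, port, script name and the first line of its result.
nse_results() {
  awk '
    /^Nmap scan report for / { host = $5; port = ""; pending = ""; next }
    /^[0-9]+\/(tcp|udp) /    { port = $1; pending = ""; next }
    # A script header: "|" or "|_", at most one space, the script name, a colon.
    /^[|]_? ?[A-Za-z0-9_-]+:/ {
      line = $0; sub(/^[|]_? ?/, "", line)
      name = line;  sub(/:.*$/, "", name)
      value = line; sub(/^[^:]*: ?/, "", value)
      if (value == "") { pending = name }            # multi-line result: value follows
      else { printf "%s\t%s\t%s\t%s\n", host, port, name, value; pending = "" }
      next
    }
    # The first indented continuation line after a header supplies the value.
    pending != "" && /^[|]/ {
      line = $0; sub(/^[|]_? +/, "", line)
      printf "%s\t%s\t%s\t%s\n", host, port, pending, line
      pending = ""
    }
  '
}

# Convenience filter: names of the scripts that produced output for a host and port.
scripts_on() {
  nse_results | awk -F '\t' -v h="$1" -v p="$2" '$1 == h && $2 == p { print $3 }'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | nse_results
printf '%s\n' "$SAMPLE_SCAN" | scripts_on 192.168.1.211 80/tcp
```

Feed a saved -oN file to nse_results (for example, nse_results < scan.txt) to get the flattened records; sorting two such files and diffing them is a cheap way to see which script results changed between two runs of the same selection.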
> Debugging NSE scripts
--script-trace shows all the data sent and received by the scripts:
nmap --script exploit --script-trace <target>
Raising the debugging level with -d (here level 4) shows what the scripting engine itself is doing:
nmap -sV --script exploit -d4 <target>
--packet-trace goes further and prints every packet the scan sends or receives, not only the script traffic:
nmap -O --script myscript.nse --packet-trace <target>
-G4d4r3L-