Nmap Scripting Engine (NSE)

A few days ago, I found myself playing with the NSE again, and got to thinking about how many people actually know about NSE, and how to use it. This really is one of my favourite features that has been added to nmap over the years, and it really does make your life easier when doing a lot of scanning.

So, what is the NSE, I hear you ask? Well, instead of me trying to come up with a better way to explain, I’ve taken the following from the nmap online book, which can be found here.
“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”

Some of the new scripts that were added recently were the following, and from the descriptions, you can see just how beneficial these are:

asn-query—Maps IP addresses to autonomous system (AS) numbers.
auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
imap-capabilities—Retrieves IMAP email server capabilities.
mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities—Retrieves POP3 email server capabilities.
rpcinfo—Connects to portmapper and fetches a list of all registered programs.
snmp-brute—Attempts to find an SNMP community string by brute force guessing.
socks-open-proxy—Checks if an open socks proxy is running on the target.
upnp-info—Attempts to extract system information from the UPnP service.
whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

All NSE scripts are written in the Lua programming language. For the NSE side of things, this language is easy enough to pick up, so you can come up with some decent scripts and then share them with others. The more people that write these add-on scripts, the better it is for everyone.
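To show the shape of an NSE script, here is an added example (not from this post or from the Nmap distribution) that reads a service's greeting banner and reports whether it discloses a version number, which is useful when auditing your own hosts. The script name `banner-version-audit` and the helper `find_version` are hypothetical; it assumes a current Nmap where libraries are loaded with `require`.

```lua
-- banner-version-audit.nse (hypothetical name; added example, not shipped with Nmap)
local comm = require "comm"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reads the greeting banner of a service on a host you administer and reports
whether the banner discloses a software version number.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- The rule decides where the script runs: open ports of services that
-- send a greeting before the client says anything.
portrule = shortport.port_or_service({21, 22, 25, 110, 143},
                                     {"ftp", "ssh", "smtp", "pop3", "imap"})

-- Heuristic: return the first dotted number in the banner, or nil.
-- A banner that contains an IP address will also match, so treat the
-- result as a prompt to look at the banner, not as proof.
local function find_version(banner)
  return banner:match("%d+%.%d+[%w%.%-]*")
end

-- The action runs once for every host/port pair the rule accepted.
action = function(host, port)
  -- Wait up to five seconds (value is in milliseconds) for the greeting.
  local status, banner = comm.get_banner(host, port, {timeout = 5000})
  if not status then
    stdnse.debug1("no banner received: %s", tostring(banner))
    return nil -- returning nil prints nothing for this port
  end

  banner = banner:gsub("[\r\n]+$", "") -- drop the trailing line ending
  local version = find_version(banner)
  if version then
    return ("banner discloses version %s: %s"):format(version, banner)
  end
  return "banner present, no version string found: " .. banner
end
```

Save it as `banner-version-audit.nse` and pass the file path to Nmap's `--script` option together with `-p` for the ports you want checked.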

I hope that this was useful to someone, and if you’d like to see any other articles on tools, etc, then let me know via the comments and I’ll see what I can do to accommodate.

  • http://www.scip.ch Marc Ruef


    Nice article. If you are interested in NSE, you might also be interested in two scripts I have published recently:

    * http://www.computec.ch/mruef/software/nmap_nse_vulscan-0.6.tar.gz
    The nmap nse vulscan script helps to identify vulnerabilities within services – published by osvdb.org – which has been identified by version detection of nmap.

    * http://www.computec.ch/projekte/httprecon/download/nse/httprecon-1.0nse.tar.gz
    httprecon provides an open-source utility of enhanced web server fingerprinting. By using traditional and new techniques the provided httpd implementation can be detected which is very important for further enumeration and attacks.



  • Jason

    In my opinion, NSE is the single greatest feature added to nmap in recent history.

    I think it rivals the impact of the creation of a native win32 version and the addition of Zenmap to replace NmapFE.

    Some people just haven’t realized it yet.

  • Sunny

    Is fragmentation the only way to bypass firewalls/IPS or are there any other methods as well? How can a novice user protect himself/herself against ways to bypass firewall/IPS?

  • Sunny

    By firewall/IPS I mean host based software firewall and in built IPS…

  • http://actroncp9190.com/ greg

    Thank you very much for the post. I enjoyed it.
    And its quite informative too. Anyway,
    all posts in blogs.securiteam.com are definitely attractive,
    informative and marvellous!