Nmap Scripting Engine (NSE)
A few days ago, I found myself playing with the NSE again, and got to thinking about how many people actually know about NSE, and how to use it. This really is one of my favourite features that has been added to nmap over the years, and it really does make your life easier when doing a lot of scanning.
So, what is the NSE, I hear you ask? Well, instead of trying to come up with a better explanation myself, I’ve taken the following from the nmap online book, which can be found here.
“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”
Some of the new scripts that were added recently were the following, and from the descriptions, you can see just how beneficial these are:
asn-query—Maps IP addresses to autonomous system (AS) numbers.
auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
imap-capabilities—Retrieves IMAP email server capabilities.
mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities—Retrieves POP3 email server capabilities.
rpcinfo—Connects to portmapper and fetches a list of all registered programs.
snmp-brute—Attempts to find an SNMP community string by brute force guessing.
socks-open-proxy—Checks if an open socks proxy is running on the target.
upnp-info—Attempts to extract system information from the UPnP service.
whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.
All NSE scripts are written in the Lua programming language. For the NSE side of things, Lua is easy enough to pick up, write some decent scripts in, and then share them with others. The more people that write these add-on scripts, the better it is for everyone.
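To show what such a script looks like, here is a small NSE script I have added as an example (it is not from this post's original author or from the Nmap project). It follows the standard NSE layout: a description, categories, a portrule that decides which ports it runs against, and an action that does the work. It only reads the greeting line a service volunteers after connect, which is useful for inventorying which services advertise version strings. The script name greeting-banner, the script argument greeting-banner.timeout, and the author string are assumptions made for this example.

```lua
-- Example NSE script added for illustration; not part of the original post
-- or of the Nmap project. Reads the first line a TCP service sends after
-- connect and reports it. It sends nothing to the service.

local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reads the first line a TCP service volunteers after connect (its greeting
banner) and reports it, so an administrator can inventory which services
advertise version strings on the network.
]]

author = "example author (placeholder, assumed for this example)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run only against open TCP ports whose services normally greet on connect.
portrule = shortport.port_or_service(
  {21, 22, 25, 110, 143},
  {"ftp", "ssh", "smtp", "pop3", "imap"}
)

action = function(host, port)
  -- Optional script argument (assumed name): greeting-banner.timeout in ms.
  local timeout = tonumber(stdnse.get_script_args("greeting-banner.timeout")) or 5000

  local sock = nmap.new_socket()
  sock:set_timeout(timeout)

  local status, err = sock:connect(host, port)
  if not status then
    -- Connection failed; report nothing rather than a misleading result.
    return nil
  end

  -- Wait for one line from the service without sending anything.
  local ok, line = sock:receive_lines(1)
  sock:close()
  if not ok then
    return "no greeting within " .. timeout .. " ms"
  end

  -- Keep only the first line and drop CR/LF so the output stays on one line.
  line = line:match("^[^\r\n]*")
  return "greeting: " .. line
end
```

Saved as greeting-banner.nse, it can be run with nmap --script ./greeting-banner.nse -p 21,22,25 against a host you are responsible for, and the timeout can be shortened with --script-args greeting-banner.timeout=2000. Returning nil on a failed connect keeps the script quiet instead of printing an error for every closed or filtered port, which is the behaviour you want when a script runs across a large scan.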
I hope that this was useful to someone, and if you’d like to see any other articles on tools, etc., then let me know via the comments and I’ll see what I can do to accommodate.