Nmap And Useful NSE scripts

In this article we are going to see about what is Nmap and What are NSE scripts and how they work together.

Before talking about NSE scripts, we’ve to understand what is Nmap and how it works?

What is Nmap?

Nmap banner

So, What is Nmap?

Nmap is is a very popular Network mapping tool used to scan the networks for open ports and vulnerabilities.

It is the most popular free security scanner developed by Gordon Lyon (f.f. Fyodor Vaskovich).

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

If you want to know about what are ports and some basic of network hacking, I will recommend you this article.

How Nmap works?

It comes Preinstalled in Kali Linux. You have to install it in the windows to make it work.

Installation guide -> click here

Here we will use Kali Linux.

Basic Syntax – nmap [ <Scan Type> ...] [ <Options> ] { <targe specification> }

You can type nmap -h for the help menu, there you can see all of the scan types and options.

Help menu

Nmap 5.51 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile : Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI : Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports : Scan  most common ports
  --port-ratio : Scan ports more common than 
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=:  is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take 

Example scan will look like this

# nmap -A -T4 scanme.nmap.org 
Nmap scan report for scanme.nmap.org (74.207.244.221) 
Host is up (0.029s latency).
rDNS record for 74.207.244.221:
li86-221.members.linode.com Not shown:
995 closed ports 
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0) 
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA) 
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA) 80/tcp open http Apache httpd 2.2.14 ((Ubuntu)) 
|_http-title: Go ahead and ScanMe! 646/tcp filtered ldp 1720/tcp filtered H.323/Q.931 9929/tcp open nping-echo Nping echo Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6.39 OS details: Linux 2.6.39 Network Distance: 11 hops Service Info: OS: Linux; CPE: cpe:/o:linux:kernel TRACEROUTE (using port 53/tcp) HOP RTT ADDRESS [Cut first 10 hops for brevity] 11 17.65 ms li86-221.members.linode.com (74.207.244.221) Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

Now you know what is Nmap Let’s talk about NSE scripts.

What is NSE Scripts?

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap.

Now, What are some good NSE scripts you must use while looking for vulnerabilities or even recon.

1. dns-brute.nse

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.

The dns-brute script tries to find as many subdomains as the host is being tested using the most frequently used subdomain names.

(Result)

nmap -p 80 --script dns-brute.nse vulnweb.com
Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:58 EST
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.34s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
PORT   STATE SERVICE
80/tcp open  http
Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165
Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds

2. http-enum.nse

Enumerates directories used by popular web applications and servers.

This parses a fingerprint file that’s similar in format to the Nikto Web application scanner. This script, however, takes it one step further by building in advanced pattern matching as well as having the ability to identify specific versions of Web applications.

(Result)

nmap -sV --script=http-enum 
Interesting ports on test.skullsecurity.org (208.81.2.52): PORT   STATE SERVICE REASON 80/tcp open  http    syn-ack | http-enum: |   /icons/: Icons and images |   /images/: Icons and images |   /robots.txt: Robots file |   /sw/auth/login.aspx: Citrix WebTop |   /images/outlook.jpg: Outlook Web Access |   /nfservlets/servlet/SPSRouterServlet/: netForensics |_  /nfservlets/servlet/SPSRouterServlet/: netForensics

3. ssh-brute.nse

Simply putting this script Performs brute-force password guessing against ssh servers

(Result)

nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst  --script-args ssh-brute.timeout=4s 
22/ssh open  ssh 
|  ssh-brute:
|  Accounts 
|  username:password 
|  Statistics 
|_   Performed 32 guesses in 25 seconds.

4. vulscan.nse

Vulscan is a Nmap Scripting Engine script which helps Nmap to find vulnerabilities on targets based on services and version detections to estimate vulnerabilities depending on the software listening on the target.

(Results)

# nmap -sV --script=vulscan/vulscan.nse google.com
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-29 20:14 -03
Nmap scan report for google.com (172.217.165.142)
Host is up (0.23s latency).

And this will give you all the possible vulnerability on the given domain.

5. smb-brute.nse

Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them.

This script just tries to brute force local account against smb services.

(results)

#nmap --script smb-brute.nse -p445 
sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139 
Host script results: 
| smb-brute: 
|   bad name:test => Valid credentials 
|   consoletest:test => Valid credentials, password must be changed at next logon 
|   guest: => Valid credentials, account disabled 
|   mixcase:BuTTeRfLY1 => Valid credentials 
|   test:password1 => Valid credentials, account expired 
|   this:password => Valid credentials, account cannot log in at current time 
|   thisisaverylong:password => Valid credentials 
|   thisisaverylongname:password => Valid credentials 
|   thisisaverylongnamev:password => Valid credentials 
|_  web:TeSt => Valid credentials, account disabled

So, These are some NSE scripts that are widely used by the community.

There are lots and lots of NSE scripts from Nmap, Listing every one of them is not possible here. Although, Nmap has uploaded the detailed version of each of the scripts just follow the link to see the detailed version of all the NSE scripts provided by Nmap. CLICK HERE

Conclusion

Nmap is most basic tool of every pentester or hacker, A person who wants to start career or learn few things about sec must know all the basic tools and Nmap is one of them. NSE scripts in Nmap make them providing a variety of features to scan in a website without need of any other tool.

 

To see more articles like this go to our blog page.

Share the Post...
WhatsApp

About Cybervie

Cybervie provides best cyber security training program in hyderabad, India.This cyber security course enables you to detect vulnerablities of a system, wardoff attacks and manage emergency situations. Taking a proactive approach to security that can help organisations to protect their data, Cybervie has designed its training module based on the cyber security industry requirements with three levels of training in both offensive and defensive manner, and use real time scenarios which can help our students to understand the market up-to its standard certification which is an add on advantage for our students to stand out of competition in an cyber security interview.

More Info – Click Here

Recent Posts

Follow Us on Youtube

CSEP : Certified Security Engineer Professional

Certified Security Engineer Professional (CSEP) certification is a comprehensive program designed for individuals aspiring to become cybersecurity engineers. It equips candidates with hands-on knowledge across various in-demand cybersecurity domains, ensuring they are well-prepared for current and future industry needs.

Organizations today seek candidates with a diverse set of skills beyond just one tool or area of expertise. The CSEP certification addresses this need by providing essential hands-on experience, making you proficient in multiple cybersecurity domains.

The program includes live classes featuring practical exercises, followed by a real-time project that offers valuable industrial knowledge.

Domains covered in the CSEP certification:

  • Cybersecurity Essentials
  • Penetration Testing
  • Application Security
  • Security Operations
  • AI in Cybersecurity
  • Multi-Cloud Security
  • Threat Intelligence

 

This certification is ideal for those looking to secure a role as a cybersecurity engineer and want to gain a competitive edge in the cybersecurity field.

For Further kindly feel free to fill out the profile form  for relevant information on our counselor will get in touch with you

Sign up for our Newsletter

Interested in Cyber Security Training Program 2024 – Click Here
Open chat
1
Hello 👋
How can we help you?