Mastodon Hillbilly StoryTime: Tool Review - Nmap NSE Scripts

Monday, January 29, 2018

Tool Review - Nmap NSE Scripts



Originally written by Gordon Lyon (Fyodor Vaskovich)
As Nmap is opensource, many other people have contributed to it over the years.


Nmap is probably one of, if not the most, recognized and used security tool.  Among Nmaps features are, host discovery, port scanning, service version detection, OS detection, and the Nmap Scripting Engine (NSE).


Custom License based on GPLv2

How to Install

On most Linux systems, there will be a prepackaged bundle for it.  For example, on  Kali Linux, it is easy to install it from apt:
apt-get install nmap 
However, if the user wishes to have the latest and greatest version of Nmap, they will need to download it and install it from source:
git clone
and then they will need to configure and build the binaries:
cd nmap ./configure
make install

A very in-depth installation guide can be found here.

Sample NSE Usage

It is the NSE that we will be looking at today.  As I stated above, many people know of and have used Nmap and as such, I do not plan on covering all of the standard uses and features of it; there are plenty of other blogs, videos, and books out there already for that.  Instead, I want to focus on the NSE and how it can be used in a penetration assessment.

At the time of writing this article, there are 586 NSE scripts.  Those are associated with 14 (15 if you include the "all" category) script categories:
  • all
  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln

To use any of the scripts, the user will need to specify them on the command line using the "--script" flag.  For example, if they wished to execute the smb-security-mode.nse script, they would type:
nmap --script smb-security-mode.nse -p 445 <target IP>
Multiple scripts can be specified at one time by separating them with a comma:
nmap --script smb-security-mode.nse,smb-os-discovery.nse -p 445 <target IP>
Similarly, an entire category can be specified:
nmap --script discovery <target IP>
A more complicated selection of scripts can be determined using the and, or, and not operators. For example, if the user wished to run every script except those in the dos category:
nmap --script "not dos" <target IP>
Or possibly all scripts that are in the vuln category but also the safe category:
nmap --script "vuln and safe" <target IP>
By utilizing the script categories, boolean operators, and single script selections, it is possible to be very specific in determining the script selections.

Yes that was a lot of information there and yes I could probably write an entire book on just that (and I am sure someone probably already has), but for this article, I wish to focus mostly on the vuln script category.

First, let's try to find any windows/smb vulnerabilities on a target system:
nmap --script vuln -p445 <target IP>

So, this particular host appears to be missing a few critical patches which we would likely be able to exploit and gain access.

But that was just for port 445/tcp, what does this look like for other ports, like 5432/TCP (postgresql)?
nmap --script (vuln and safe) <target IP>

This was just a sampling of the types of findings that Nmap is able to identify.

That will be enough for this article.  I may do another article on Nmap in the future, but for now, this should be enough to get people interested in looking into the other items that Nmap can do.  Now go out and try it out on your own test network.


No comments: