nmap scripting engine

10 06 2010

An interesting tidbit of information that I was recently shown – figured it was too good not to share.

Quoted from http://nmap.org/book/nse.html:

“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”

Details of the scripts are here: http://nmap.org/nsedoc/

Example uses:

banner grabbing
Download: http://nmap.org/svn/scripts/banner.nse

User Summary

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

The banner will be truncated to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line.

Example Usage

nmap -sV --script=banner <target>

Script Output

21/tcp open ftp
|_ banner: 220 FTP version 1.0\x0D\x0A

Download: http://nmap.org/svn/scripts/smb-check-vulns.nse

User Summary

Check for vulnerabilities:

* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
* SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)

WARNING: These checks are dangerous, and are very likely to bring down a server. These should not be run in a production environment unless you (and, more importantly, the business) understand the risks!

Example Usage

nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-check-vulns:
| | Conficker: Likely CLEAN
| | regsvc DoS: NOT VULNERABLE
|_ |_ SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE

Download: http://nmap.org/svn/scripts/smb-enum-shares.nse

User Summary

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.

Example Usage

nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-enum-shares:
| | ADMIN$
| | | Comment: Remote Admin
| | | Users: 0, Max: <unlimited>
| | | Path: C:\WINNT
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ/WRITE
| | C$
| | | Comment: Default share
| | | Users: 0, Max: <unlimited>
| | | Path: C:\
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ
| | IPC$
| | | Comment: Remote IPC
| | | Users: 1, Max: <unlimited>
| | | Path:
| | | Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
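
When auditing your own hosts, output in this format can be parsed to pick out shares that grant anonymous access. The following is an added example, not part of the original post or of Nmap itself; the function names, the PUBLIC share and the sample values are constructed for illustration.

```python
import re

# Constructed sample in the smb-enum-shares output format shown above
# (the PUBLIC share and its values are made up for illustration).
SAMPLE = r"""Host script results:
| smb-enum-shares:
| | ADMIN$
| | | Comment: Remote Admin
| | | Path: C:\WINNT
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ/WRITE
| | PUBLIC
| | | Anonymous access: READ/WRITE
| | |_ Current user ('administrator') access: READ/WRITE
| | IPC$
| | | Comment: Remote IPC
| | | Path:
| | | Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
"""

# Leading "|" / "|_" markers give the nesting depth of each output line.
PREFIX = re.compile(r"^((?:\|_?\s*)+)(.*)$")

def parse_shares(text):
    """Return {share: {attribute: value}} from smb-enum-shares output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue                      # e.g. "Host script results:"
        depth, body = m.group(1).count("|"), m.group(2).strip()
        if depth == 2 and body:           # share name
            current = shares.setdefault(body, {})
        elif depth == 3 and current is not None:
            key, _, value = body.partition(":")   # value may itself contain ":"
            current[key.strip()] = value.strip()
    return shares

def anonymous_findings(shares):
    """List (share, access, is_file_share) where anonymous access is granted."""
    out = []
    for name, attrs in shares.items():
        access = attrs.get("Anonymous access", "<none>")
        if not access.startswith("<none>"):
            is_file = "<not a file share>" not in access
            out.append((name, access.split(" <")[0], is_file))
    return out

if __name__ == "__main__":
    print(anonymous_findings(parse_shares(SAMPLE)))
```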



