NSE (Scripting Engine)
With the Nmap Scripting Engine you can write powerful plugin scripts for nmap, or use the wide set of ready-made scripts that ship with it.
Standard scripts can be found here: /usr/local/share/nmap/scripts
or here on some distros: /usr/share/nmap/scripts
A book on how to write scripts (in Lua) for nmap 5 is available here: NSE Writing Scripts
You can run these scripts easily by specifying them with --script,
or run a whole set of scripts by specifying one of the script categories (e.g. default, vuln, intrusive; see the Script Categories section below).
nmap -sV --mtu=512 --script=default,vuln VICTIM-HOST-OR-IP
Here are the script-related parameters:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script files or script categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-trace: show all data sent and received
--script-updatedb: update the script database
Script Categories
The current categories are documented in the nmap reference; the list as of the creation date of this page is:
auth
These scripts deal with authentication credentials (or bypassing them) on the target system. Examples include x11-access, ftp-anon, and oracle-enum-users. Scripts which use brute force attacks to determine credentials are placed in the brute category instead.
broadcast
Scripts in this category typically do discovery of hosts not listed on the command line by broadcasting on the local network. Use the newtargets script argument to allow these scripts to automatically add the hosts they discover to the Nmap scanning queue.
brute
These scripts use brute force attacks to guess authentication credentials of a remote server. Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc.
default
These scripts are the default set and are run when using the -sC or -A options rather than listing scripts with --script. This category can also be specified explicitly like any other using --script=default. Many factors are considered in deciding whether a script should be run by default:
Speed
A default scan must finish quickly, which excludes brute force authentication crackers, web spiders, and any other scripts which can take minutes or hours to scan a single service.
Usefulness
Default scans need to produce valuable and actionable information. If even the script author has trouble explaining why an average networking or security professional would find the output valuable, the script should not run by default. The script may still be worth including in Nmap so that administrators can run it on those occasions when they do need the extra information.
Verbosity
Nmap output is used for a wide variety of purposes and needs to be readable and concise. A script which frequently produces pages full of output should not be added to the default category. When there is no important information to report, NSE scripts (particularly default ones) should return nothing. Checking for an obscure vulnerability may be OK by default as long as it only produces output when that vulnerability is discovered.
Reliability
Many scripts use heuristics and fuzzy signature matching to reach conclusions about the target host or service. Examples include sniffer-detect and sql-injection. If the script is often wrong, it doesn't belong in the default category where it may confuse or mislead casual users. Users who specify a script or category directly are generally more advanced and likely know how the script works or at least where to find its documentation.
Intrusiveness
Some scripts are very intrusive because they use significant resources on the remote system, are likely to crash the system or service, or are likely to be perceived as an attack by the remote administrators. The more intrusive a script is, the less suitable it is for the default category. Default scripts are almost always in the safe category too, though we occasionally allow intrusive scripts by default when they are only mildly intrusive and score well in the other factors.
Privacy
Some scripts, particularly those in the external category described later, divulge information to third parties by their very nature. For example, the whois script must divulge the target IP address to regional whois registries. We have also considered (and decided against) adding scripts which check target SSH and SSL key fingerprints against Internet weak key databases. The more privacy-invasive a script is, the less suitable it is for default category inclusion.
We don't have exact thresholds for each of these criteria, and many of them are subjective. All of these factors are considered together when making a decision whether to promote a script into the default category. A few default scripts are identd-owners (determines the username running remote services using identd), http-auth (obtains the authentication scheme and realm of web sites requiring authentication), and ftp-anon (tests whether an FTP server allows anonymous access).
discovery
These scripts try to actively discover more about the network by querying public registries, SNMP-enabled devices, directory services, and the like. Examples include html-title (obtains the title of the root path of web sites), smb-enum-shares (enumerates Windows shares), and snmp-sysdescr (extracts system details via SNMP).
dos
Scripts in this category may cause denial of service, usually because they crash a service as a side effect of testing it for a vulnerability.
exploit
These scripts aim to actively exploit some vulnerability.
external
Scripts in this category may send data to a third-party database or other network resource. An example of this is whois, which makes a connection to whois servers to learn about the address of the target. There is always the possibility that operators of the third-party database will record anything you send to them, which in many cases will include your IP address and the address of the target. Most scripts involve traffic strictly between the scanning computer and the client; any that do not are placed in this category.
fuzzer
This category contains scripts which are designed to send server software unexpected or randomized fields in each packet. While this technique can be useful for finding undiscovered bugs and vulnerabilities in software, it is both a slow process and bandwidth intensive. An example of a script in this category is dns-fuzz, which bombards a DNS server with slightly flawed domain requests until either the server crashes or a user-specified time limit elapses.
intrusive
These are scripts that cannot be classified in the safe category because the risks are too high that they will crash the target system, use up significant resources on the target host (such as bandwidth or CPU time), or otherwise be perceived as malicious by the target's system administrators. Examples are http-open-proxy (which attempts to use the target server as an HTTP proxy) and snmp-brute (which tries to guess a device's SNMP community string by sending common values such as public, private, and cisco). Unless a script is in the special version category, it should be categorized as either safe or intrusive.
malware
These scripts test whether the target platform is infected by malware or backdoors. Examples include smtp-strangeport, which watches for SMTP servers running on unusual port numbers, and auth-spoof, which detects identd spoofing daemons which provide a fake answer before even receiving a query. Both of these behaviors are commonly associated with malware infections.
safe
Scripts which weren't designed to crash services, use large amounts of network bandwidth or other resources, or exploit security holes are categorized as safe. These are less likely to offend remote administrators, though (as with all other Nmap features) we cannot guarantee that they won't ever cause adverse reactions. Most of these perform general network discovery. Examples are ssh-hostkey (retrieves an SSH host key) and html-title (grabs the title from a web page). Scripts in the version category are not categorized by safety, but any other scripts which aren't in safe should be placed in intrusive.
version
The scripts in this special category are an extension to the version detection feature and cannot be selected explicitly. They are selected to run only if version detection (-sV) was requested. Their output cannot be distinguished from version detection output and they do not produce service or host script results. Examples are skypev2-version, pptp-version, and iax2-version.
vuln
These scripts check for specific known vulnerabilities and generally only report results if they are found. Examples include realvnc-auth-bypass and afp-path-vuln.
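As an added example (not code from this page or from the nmap project), here is a minimal NSE script that ties together the script-related parameters listed above and the category list: the categories table decides which --script=<category> selections pick it up, and a script argument is read from --script-args. The script name banner-check and its timeout argument are assumptions; it follows the "Verbosity" guideline by returning nothing when there is nothing to report.

```lua
-- banner-check.nse (hypothetical name): an added example, not one of nmap's own scripts.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Connects to services that greet the client with a banner (FTP, SSH, SMTP, POP3)
and reports the first line. Returns nothing when no banner arrives.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- The categories table decides when nmap selects the script:
-- --script=discovery or --script=safe picks it up; -sC (i.e. --script=default)
-- does not, because "default" is not listed here.
categories = {"discovery", "safe"}

-- Run only against open ports numbered, or identified by -sV, as one of these services.
portrule = shortport.port_or_service({21, 22, 25, 110}, {"ftp", "ssh", "smtp", "pop3"})

action = function(host, port)
  -- Script argument (assumed name): --script-args=banner-check.timeout=3000 (ms); 5000 if absent.
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 5000

  local sock = nmap.new_socket()
  sock:set_timeout(timeout)

  local ok = sock:connect(host, port)
  if not ok then
    return nil -- unreachable service: nothing to report
  end

  -- Banner services talk first, so read whatever the server sends before we say anything.
  local status, data = sock:receive_lines(1)
  sock:close()
  if not status or not data then
    return nil -- timeout or empty reply: stay silent
  end

  -- Keep only the first line and mask non-printable bytes so the report stays concise.
  local banner = data:match("^[^\r\n]*") or ""
  banner = banner:gsub("[^%w%p ]", "?")
  if banner == "" then
    return nil
  end

  return "banner: " .. banner
end
```

Place the file in the scripts directory named above and run nmap --script-updatedb so that --script=discovery or --script=safe selects it by category.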