Advanced Nmap: NMap Script Scanning


By Rajesh Deodhar on April 1, 2011 in How-Tos, Sysadmins, Tools / Apps


In previous articles, we have studied Nmap in great detail, including live scanning a firewall and verifying the recommendations. Now it's time to study Nmap script scanning.

Nmap.org describes the Nmap Scripting Engine (NSE) as one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts in the Lua programming language to automate a wide variety of networking tasks. Those scripts are executed in parallel, with the speed and efficiency you expect from Nmap. Users can rely on the growing, diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

To my amusement, Nmap's features are growing day by day. It was introduced just as a port scanner, and now it has reached a stage where you can even use it for basic vulnerability analysis. The vulnerability (script) database is increasing day by day, version by version: precisely 177 scripts are available with version 5.50, which is the latest Nmap release.

Before script-scanning networks, let's try to understand a few ready-made scripts that let us detect various vulnerabilities in the network and devices at one go, in a very short time. Please remember, once you find vulnerabilities, you should immediately take corrective action to close them. These corrective measures may be as simple as changing passwords or disabling unused accounts, or as time-consuming and crucial as applying security patches or removing detected worms.

Table 1: Some useful Nmap scripts

No.  Script                Function
1.   dhcp-discover         Discovers DHCP servers on the network; the UDP discover request is sent from port 67, and the response is received on port 68.
2.   ftp-bounce            Checks whether there are FTP servers that allow an FTP bounce attack to other hosts on the network. (Please refer to earlier articles, where we have discussed FTP bounce attacks.)
3.   http-iis-webdav-vuln  Checks whether hosts with the vulnerability listed in Microsoft security bulletin MS09-020 (IIS 5.1/IIS 6.0) are present on the network.
4.   ms-sql-info           Identifies Microsoft SQL Server details.
5.   mysql-info            Identifies MySQL Server details.
6.   p2p-conficker         Checks whether a host is infected by the Conficker.C worm.
7.   smb-enum-shares       A very interesting script, which identifies all SMB shares within the specified address range.
8.   smb-enum-users        Identifies all SMB user names within the specified address range.
9.   sniffer-detect        Finds hosts with pcap libraries installed.
10.  sshv1                 Lists all hosts with SSH version 1. As most of you will be aware, this version has documented vulnerabilities.
The various command line options for script scanning are as follows:

    -sC                 basic script scan
    --script-updatedb   updates the script database

Some of the scripts may ask for the --script-args=unsafe=1 option to be set. Please remember, this is a destructive test; these scripts will almost surely crash a system with the corresponding vulnerability. Be careful you do not use this option in a live production environment.

The actual scans


To start with, create a file IPList.txt listing all the active hosts on the network, to specify the target hosts to Nmap. Next, let us analyse the results of a few scans performed in a live environment. When you wish to try these scans, don't forget to take written permission from the management.


Checking for SSHv1


Table 2: sshv1 scan

Command:

    nmap --script sshv1 -iL IPList.txt -oN sshv1.txt

Explanation: the command line, running only one script, sshv1.

Masked output of sshv1.txt:

    Nmap scan report for 192.168.1.4
    Host is up (0.00011s latency).
    Not shown: 984 closed ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    |_sshv1: Server supports SSHv1
    80/tcp  open  http
    111/tcp open  rpcbind
    113/tcp open  auth

The output identifies that the host with IP address 192.168.1.4 is running SSHv1. On further probing, the host was identified as running a very old version of Red Hat Linux. Recommendation: upgrade from SSHv1 to the latest version.

Sniffer detection
Table 3: sniffer-detect scan

Command:

    nmap --script sniffer-detect -iL IPList.txt -oN sniffer-detect.txt

Explanation: initiating sniffer detection.

Masked output of sniffer-detect.txt:

    Nmap scan report for 192.168.1.26
    Host is up (0.00012s latency).
    Not shown: 992 closed ports
    PORT     STATE SERVICE
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    2967/tcp open  symantec-av
    5101/tcp open  admdog
    5225/tcp open  unknown
    5226/tcp open  unknown
    8008/tcp open  http
    MAC Address: 00:XX:XX:XX:XX:2D (Intel Corporate)

    Host script results:
    |_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: 1_1___1_)

The detection of host 192.168.1.26 informs you that it is running Windows, with libpcap installed. It further states that the sniffer may or may not be sniffing. After discussion with the management, it became clear that pcap libraries were indeed installed on this host for testing their environment.

smb-enum-users
This is a very interesting script. In one go, you can identify all the users present on the entire network, and their status. You may wish to identify which of them have left the organisation, and disable/delete the corresponding accounts, as per company policy.

Table 4: smb-enum-users scan

Command:

    nmap --script smb-enum-users -iL IPList.txt -oN smb-enum-users.txt

Explanation: scans all hosts listed in IPList.txt for SMB users.

Masked output of smb-enum-users.txt:

    Nmap scan report for 192.168.1.109
    Host is up (0.00015s latency).
    Not shown: 989 closed ports
    PORT     STATE SERVICE
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    1000/tcp open  cadlock
    1145/tcp open  unknown
    1720/tcp open  H.323/Q.931
    2401/tcp open  cvspserver
    2967/tcp open  symantec-av
    5060/tcp open  sip
    5061/tcp open  sip-tls
    5101/tcp open  admdog
    MAC Address: 00:XX:XX:XX:XX:04 (G-pro Computer)

    Host script results:
    | smb-enum-users:
    |   TESTCOMPANY\Ay (RID: 1228)
    |   TESTCOMPANY\accounts_user (RID: 1125)
    |   TESTCOMPANY\Administrator (RID: 500)
    |   TESTCOMPANY\ar (RID: 1168)
    |   TESTCOMPANY\ag (RID: 1224)
    |   TESTCOMPANY\ar (RID: 1122)
    |   TESTCOMPANY\AD$ (RID: 1249)
    |   TESTCOMPANY\ae (RID: 1199)
    |   TESTCOMPANY\Ar (RID: 1231)
    |   TESTCOMPANY\ae (RID: 1186)
    |   TESTCOMPANY\AS$ (RID: 1218)
    |   TESTCOMPANY\AS2$ (RID: 1227)
    |   TESTCOMPANY\cr (RID: 1120)
    |   TESTCOMPANY\cr (RID: 1120)
    |   TESTCOMPANY\cvsserver$ (RID: 1176)
    |   TESTCOMPANY\de (RID: 1174)
    |   TESTCOMPANY\dy (RID: 1212)

Though the scan was performed on a live installation, the company name and user names are masked to preserve confidentiality. When the script result was shown to TESTCOMPANY management, they were shocked to see active accounts of many past employees! Suspending all further tests and network audits, they first disabled the unwanted accounts.
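The scan outputs in Tables 2 to 4 are plain Nmap normal-format (-oN) files, so a small parser can turn the sshv1 and smb-enum-users results into an action list: hosts still offering SSHv1, and enumerated accounts that belong to people who have left. The Python below is an added example, not code from the article or from Nmap; the sample report, the account "jdoe" and the leaver list are constructed.

```python
import re

# Constructed sample: an abridged Nmap normal (-oN) report modelled on the masked
# sshv1 and smb-enum-users outputs above; the account "jdoe" is invented.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.4
PORT    STATE SERVICE
22/tcp  open  ssh
|_sshv1: Server supports SSHv1
80/tcp  open  http

Nmap scan report for 192.168.1.109
Host script results:
| smb-enum-users:
|   TESTCOMPANY\\Administrator (RID: 500)
|   TESTCOMPANY\\accounts_user (RID: 1125)
|_  TESTCOMPANY\\jdoe (RID: 1212)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")  # first line of a script result
USER_RE = re.compile(r"^(\S+)\s+\(RID:\s*(\d+)\)")    # one smb-enum-users entry

def parse_script_results(report):
    """Return {host: {script: [lines]}} covering port and host script results."""
    results, host, script = {}, None, None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, script = m.group(1), None
            results[host] = {}
        elif host is None or not line.startswith("|"):
            script = None                  # a non-script line ends the current entry
        elif (m := SCRIPT_RE.match(line)):
            script = m.group(1)
            results[host][script] = [m.group(2)] if m.group(2) else []
        elif script:                       # continuation line of the same script
            results[host][script].append(line.lstrip("|_ ").rstrip())
    return results

def hosts_reporting(results, script, needle):
    return sorted(h for h, s in results.items() if any(needle in t for t in s.get(script, [])))

def stale_accounts(results, leavers):
    """(host, account, RID) for enumerated SMB users whose name is on the leaver list."""
    leavers = {u.lower() for u in leavers}
    return [(h, m.group(1), int(m.group(2)))
            for h, s in sorted(results.items())
            for m in map(USER_RE.match, s.get("smb-enum-users", []))
            if m and m.group(1).rsplit("\\", 1)[-1].lower() in leavers]
```

Feed it the real sshv1.txt and smb-enum-users.txt files and the HR leaver list to get the same "disable these accounts, upgrade these hosts" list the article arrived at by hand.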

The power of Nmap script scans doesn't end here. By using various scanning options, you can run combinations of various script categories (SMB scans, HTTP scans, etc.) at one go.

Article written by: Rajesh Deodhar

The author is BE (Industrial Electronics), CISA (Certified Information Systems Auditor) and DCL (Diploma in Cyber Law). He has more than 15 years of experience in the field of computer hardware, networking, firewalls and IS auditing. He is a director at Omega Systems and Services, Pune.
