I cannot say enough good things about NSE (the Nmap Scripting Engine). I've written a couple of posts about it and why I find it so useful, but in this post I'm going to cover some of my favorite scripts that ship with the most recent Nmap release, 5.35DC1 (the DefCon release.. oooh. ;-) ).

The first one is 'http-enum'. It's a simple directory and file enumeration that probes a fixed list of well-known paths (it isn't a wordlist brute-forcer), but the information it turns up can be priceless. Here's an example:

# nmap -sS -p80 --script=http-enum www.blah.com

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 11:11 CDT
Nmap scan report for www.blah.com (1.2.3.4)
Host is up (0.00024s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /icons/: Icons and images
|_ /_private/: Private (401 Unauthorized)
…snip…

Nmap done: 1 IP address (1 host up) scanned in 28.78 seconds

Often you'll encounter directories named 'backup', 'test', or whatever, containing all sorts of unprotected goodies the web"master" wasn't expecting anyone to find. Anything that comes back 401 or 403, like /_private/ above, is worth noting too: the content is there, it's just behind something.

The second one I use a lot is "dns-zone-transfer.nse". The amount of information that can be obtained through a zone transfer is huge: once you understand how the DNS is laid out, you can basically dissect a target's network in short order.

# nmap -p53 --script dns-zone-transfer --script-args dnszonetransfer.domain=lamecompany.com ns.lamecompany.info

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 11:24 CDT
Nmap scan report for ns.lamecompany.info (1.2.3.200)
Host is up (0.0070s latency).
PORT STATE SERVICE
53/tcp open domain
| dns-zone-transfer:
| lamecompany.com SOA ns.lamecompany.info hostmaster.lamecompany.info
| lamecompany.com A 192.168.254.0
| lamecompany.com A 1.2.3.106
| lamecompany.com NS ns2.lamecompany.info
| lamecompany.com NS ns.lamecompany.info
| lamecompany.com MX ipmail.lamecompany.com
| lamecompany.com TXT
| ns2.lamecompany.info A 1.2.3.201
| access.lamecompany.com A 3.2.1.137
| activewatch.lamecompany.com A 1.2.3.131
| apps.lamecompany.com A 1.2.3.133
| awfiles.lamecompany.com A 1.2.3.164
| blog.lamecompany.com A 1.2.3.224
| blogs.lamecompany.com A 1.2.3.224
| cbt.lamecompany.com A 1.2.3.112
| citrix.lamecompany.com A 1.2.3.178
| cortex.lamecompany.com A 1.2.3.222
| cortex1.lamecompany.com A 1.2.3.222
| cortex2.lamecompany.com A 1.2.3.221
…big snip…

Huge amounts of information given up here. Just specify the domain name and a nameserver that's authoritative for it; the easiest way to find those is the 'whois' record for the domain (or its NS records). A properly run nameserver refuses AXFR from anything but its own secondaries, so if the script comes back empty, try each listed nameserver in turn; secondaries are often less locked down than the primary.
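As an added example (not part of the original post), here is a small Python script that turns a listing like the one above into a network map: it parses the "| name TYPE value" lines nmap prints, groups A records by /24, flags addresses that back several names, and pulls out RFC 1918 addresses that have leaked into public DNS (the 192.168.254.0 record above is one). The embedded sample is the post's own output; nothing from the snipped portion is filled in, and the /24 grouping is an assumption you'd adjust to the target's allocations.

```python
"""Group dns-zone-transfer records by network to get a quick map of a target.
Added example; not code from the original post."""
import ipaddress
from collections import defaultdict

# Sample in the format nmap prints for dns-zone-transfer, copied from the
# records shown in the post (the snipped part is not filled in).
SAMPLE_OUTPUT = """\
| dns-zone-transfer:
| lamecompany.com SOA ns.lamecompany.info hostmaster.lamecompany.info
| lamecompany.com A 192.168.254.0
| lamecompany.com A 1.2.3.106
| lamecompany.com NS ns2.lamecompany.info
| lamecompany.com NS ns.lamecompany.info
| lamecompany.com MX ipmail.lamecompany.com
| lamecompany.com TXT
| ns2.lamecompany.info A 1.2.3.201
| access.lamecompany.com A 3.2.1.137
| activewatch.lamecompany.com A 1.2.3.131
| apps.lamecompany.com A 1.2.3.133
| awfiles.lamecompany.com A 1.2.3.164
| blog.lamecompany.com A 1.2.3.224
| blogs.lamecompany.com A 1.2.3.224
| cbt.lamecompany.com A 1.2.3.112
| citrix.lamecompany.com A 1.2.3.178
| cortex.lamecompany.com A 1.2.3.222
| cortex1.lamecompany.com A 1.2.3.222
| cortex2.lamecompany.com A 1.2.3.221
"""


def parse_records(text):
    """Return [(name, type, value)] from nmap's '| name TYPE value' lines.
    The value may be empty (the TXT line) or hold several fields (SOA)."""
    records = []
    for line in text.splitlines():
        parts = line.lstrip("|_ ").strip().split(None, 2)
        # Skip the script header, blanks and anything whose second field
        # is not an upper-case record type.
        if len(parts) < 2 or not parts[1].isupper():
            continue
        name, rtype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        records.append((name, rtype, value))
    return records


def network_map(text, prefix=24):
    """Group A records by /prefix network: {network: {ip: [names, ...]}}.
    /24 is an assumption; pick whatever matches the target's allocations."""
    nets = defaultdict(lambda: defaultdict(list))
    for name, rtype, value in parse_records(text):
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(value)
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[net][ip].append(name)
    return nets


def private_leaks(text):
    """A records pointing at RFC 1918 space: internal addressing leaked via DNS."""
    return [(n, v) for n, t, v in parse_records(text)
            if t == "A" and ipaddress.ip_address(v).is_private]


def shared_addresses(text):
    """IPs that back more than one name (vhosts, aliases, load-balancer VIPs)."""
    out = {}
    for hosts in network_map(text).values():
        for ip, names in hosts.items():
            if len(names) > 1:
                out[str(ip)] = sorted(names)
    return out


def summary(text):
    """One line per network, smallest network first."""
    lines = []
    for net, hosts in sorted(network_map(text).items(), key=lambda kv: kv[0]):
        names = sum(len(n) for n in hosts.values())
        lines.append(f"{net}: {len(hosts)} address(es), {names} name(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_OUTPUT)))
    print("shared:", shared_addresses(SAMPLE_OUTPUT))
    print("RFC 1918 leaks:", private_leaks(SAMPLE_OUTPUT))
```

Feed it the saved output of the nmap command instead of SAMPLE_OUTPUT and the summary tells you which netblocks the target actually uses, which external addresses front more than one service, and whether internal addressing is showing through.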

Another favorite is the "smb-check-vulns.nse" script. I like it because it's fast; I use it heavily if I'm in a hurry and just need an opportunistic target. Keep in mind that it sits in Nmap's intrusive, exploit, dos and vuln categories: even the default checks poke the vulnerable code paths, and the checks gated behind unsafe=1 are outright denial-of-service tests, so don't point it at production hosts without agreement.

# nmap -p445 --script=smb-check-vulns 192.168.0.*
Nmap scan report for box.local (192.168.0.5)
Host is up (0.00011s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:11:22:33:44:55 (Atari)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_ SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
..snip..

My only issue with this script is that there's a ton of output. I just want a simple, clean list of vulnerable targets, so I pipe it through Perl. The host regex copes with reports that have no hostname in parentheses (no reverse DNS), the result regex accepts both "|" and "|_" (nmap prefixes the last line of a script's block with "|_"), and the dots in the IP are escaped so the match is exact:

nmap -p445 --script=smb-check-vulns 192.168.0.*|perl -le 'while(<STDIN>){if(/^Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)\)?$/) { $i = $1;} if(/^\|_?\s+(.*?):\s+VULNERABLE$/ && $i ne ""){ print "$i is vulnerable to $1"; }}'
 
192.168.0.5 is vulnerable to MS08-067
192.168.0.11 is vulnerable to MS08-067
192.168.0.24 is vulnerable to MS08-067

The same thing as a standalone script, which works out the /24 to scan from a local interface's address:

#!/usr/bin/perl
# smb-check.pl: scan the /24 of a local interface with smb-check-vulns and
# print only "host is vulnerable to check" lines.
use strict;
use warnings;

my $eth = shift @ARGV;
if (!defined $eth || $eth eq "") {
    print "Usage: smb-check.pl <interface>   (e.g. smb-check.pl eth0)\n";
    exit(0);
}

# First three octets of the interface's IPv4 address. Handles both the old
# "inet addr:192.168.0.7" and the newer "inet 192.168.0.7" ifconfig formats.
my $range;
foreach my $line (`ifconfig $eth`) {
    if ($line =~ /inet\s+(?:addr:)?(\d+\.\d+\.\d+)\.\d+/) {
        $range = $1;
        last;
    }
}
die "Could not find an IPv4 address on $eth\n" unless defined $range;

# List-form open: no shell in between, so "192.168.0.*" reaches nmap as-is.
open(my $nmap, "-|", "nmap", "-p445", "--script=smb-check-vulns", "$range.*")
    or die "nmap: $!";

my ($ip, $vuln) = ("", 0);
while (<$nmap>) {
    # "Nmap scan report for box.local (192.168.0.5)" or, with no reverse DNS,
    # "Nmap scan report for 192.168.0.5" -- no trailing colon in either form.
    if (/^Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)\)?\s*$/) {
        $ip = $1;
    }
    # Result lines look like "| MS08-067: VULNERABLE"; the last line of a
    # script's block is prefixed "|_" rather than "|", so accept both.
    if (/^\|_?\s+(.*?):\s+VULNERABLE\s*$/ && $ip ne "") {
        print "$ip is vulnerable to $1\n";
        $vuln++;
    }
}
close($nmap);

print "No vulnerable hosts found\n" unless $vuln;

Another incredibly useful one is "smb-enum-users". By default it works over an anonymous/guest session; if that's locked down, hand it credentials with --script-args smbusername=<user>,smbpassword=<pass> (and smbdomain=<domain> if needed).

# nmap -sT -p445 --script=smb-enum-users 192.168.0.5

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 11:57 CDT
Nmap scan report for box.local (192.168.0.5)
Host is up (0.00017s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:11:22:33:44:55 (Atari)

Host script results:
| smb-enum-users:
| SRINC\Administrator (RID: 500)
| SRINC\audit (RID: 1164)
| SRINC\Backupexec (RID: 1146)
| SRINC\keb (RID: 1114)
| SRINC\joe (RID: 1119)
| SRINC\bgates (RID: 1115)
..snip..

If you want to create a userlist to feed to THC Hydra for brute-force purposes, strip the domain prefix and the RID:

nmap --script=smb-enum-users 192.168.0.5 -p445|perl -le 'while(<STDIN>){if(/^.*?\\(\w+)\s+.*/) { print "$1"; }}'
Administrator
audit
Backupexec
keb
joe
bgates
..snip..
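The Perl one-liners above scrape nmap's normal output, which is fine interactively but brittle: the "Nmap scan report" line loses its parentheses when reverse DNS fails, and the last line of a script block is prefixed "|_" rather than "|". The example below, added here and not part of the original post, does the same two jobs (the vulnerable-host list from smb-check-vulns and the Hydra userlist from smb-enum-users) against nmap's XML output (-oX), which is stable across those cases. The XML embedded in it is constructed to mimic the post's output, not captured from a real scan; the second host, its WORKGROUP\svc-backup account and the "LIKELY VULNERABLE" wording the state check also accepts are assumptions for illustration.

```python
"""Clean host/finding lists from Nmap XML output (-oX) instead of regexes over
normal output. Added example; not code from the original post."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's output, not captured from a real
# scan: roughly what `nmap -p445 --script smb-check-vulns,smb-enum-users -oX -`
# emits for two live hosts and one dead one, trimmed to the fields read below.
# Nmap 5.x puts each script's text in the "output" attribute; &#10; is a newline.
SAMPLE_XML = r"""<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.35DC1">
<host><status state="up"/><address addr="192.168.0.5" addrtype="ipv4"/>
<hostnames><hostname name="box.local" type="PTR"/></hostnames>
<hostscript>
<script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)&#10;  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)"/>
<script id="smb-enum-users" output="&#10;  SRINC\Administrator (RID: 500)&#10;  SRINC\audit (RID: 1164)&#10;  SRINC\Backupexec (RID: 1146)&#10;  SRINC\bgates (RID: 1115)"/>
</hostscript></host>
<host><status state="up"/><address addr="192.168.0.11" addrtype="ipv4"/>
<hostnames/>
<hostscript>
<script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN"/>
<script id="smb-enum-users" output="&#10;  WORKGROUP\Administrator (RID: 500)&#10;  WORKGROUP\svc-backup (RID: 1001)"/>
</hostscript></host>
<host><status state="down"/><address addr="192.168.0.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# "MS08-067: VULNERABLE" -> check "MS08-067", state "VULNERABLE". Check names
# can hold parentheses ("SMBv2 DoS (CVE-2009-3103)") but never a colon.
CHECK_RE = re.compile(r"^\s*(?P<check>[^:]+?):\s+(?P<state>.+?)\s*$")
# Count VULNERABLE and LIKELY VULNERABLE (assumed wording); "NOT VULNERABLE",
# "Likely CLEAN" and "CHECK DISABLED" must not match.
VULN_STATE_RE = re.compile(r"^(LIKELY\s+)?VULNERABLE\b", re.IGNORECASE)
# "SRINC\Administrator (RID: 500)" -> optional domain, user, rid.
USER_RE = re.compile(
    r"^\s*(?:(?P<domain>[^\\\s]+)\\)?(?P<user>.+?)\s+\(RID:\s*(?P<rid>\d+)\)")


def ip_key(ip):
    """Sort key so 192.168.0.5 sorts before 192.168.0.11."""
    return tuple(int(o) for o in ip.split("."))


def script_outputs(xml_text, script_id):
    """Yield (ipv4, output text) for every up host that ran script_id.
    host.iter("script") finds host scripts and port scripts alike."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") == script_id:
                yield addr.get("addr"), script.get("output", "")


def vulnerable_hosts(xml_text):
    """[(ip, check), ...] for every smb-check-vulns check reported VULNERABLE."""
    found = []
    for ip, output in script_outputs(xml_text, "smb-check-vulns"):
        for line in output.splitlines():
            m = CHECK_RE.match(line)
            if m and VULN_STATE_RE.match(m.group("state")):
                found.append((ip, m.group("check").strip()))
    return sorted(found, key=lambda t: (ip_key(t[0]), t[1]))


def enum_users(xml_text):
    """{ip: [user, ...]} from smb-enum-users, domain prefix and RID stripped."""
    users = {}
    for ip, output in script_outputs(xml_text, "smb-enum-users"):
        for line in output.splitlines():
            m = USER_RE.match(line)
            if m:
                users.setdefault(ip, []).append(m.group("user"))
    return users


def hydra_userlist(xml_text):
    """One login per entry for hydra -L, de-duplicated case-insensitively:
    Windows logins are case-insensitive, so a second 'administrator' only
    burns attempts and lockout budget."""
    seen, out = set(), []
    for ip, names in sorted(enum_users(xml_text).items(),
                            key=lambda kv: ip_key(kv[0])):
        for name in names:
            if name.lower() not in seen:
                seen.add(name.lower())
                out.append(name)
    return out


def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_XML
    vulns = vulnerable_hosts(xml_text)
    for ip, check in vulns:
        print(f"{ip} is vulnerable to {check}")
    if not vulns:
        print("No vulnerable hosts found")
    print("\n# users for hydra -L")
    print("\n".join(hydra_userlist(xml_text)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 nse_results.py scan.xml` after `nmap -p445 --script smb-check-vulns,smb-enum-users -oX scan.xml 192.168.0.0/24`; with no argument it runs over the embedded sample. Because it keys on the script id and the host's address element rather than on how nmap happens to print a line, the same script_outputs() helper works for any other NSE script whose text you want to post-process.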

An example of using this with THC Hydra can be found here

Nmap comes with “smb-brute”, which works in a pinch, but I prefer Hydra because of the available options.

# nmap -sT -p445 --script=smb-brute 192.168.0.5

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 12:37 CDT
Nmap scan report for box.local (192.168.0.5)
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:11:22:33:44:55 (Atari)

Host script results:
| smb-brute:
|_ guest:qwerty => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 412.45 seconds

There are quite a few SMB-related scripts that provide incredibly useful information when doing a pen test. I suggest playing with them.

Here are a couple more that I use pretty often. All of the snmp-* scripts query with the community string "public" unless you pass --script-args snmpcommunity=<string>, so if you've already recovered a community string from somewhere else (snmp-brute, a config backup), hand it over here. Note also that -sU needs root.

# nmap -sU -p161 --script=snmp-netstat 192.168.0.5

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 12:10 CDT
Nmap scan report for box.local (192.168.0.5)
Host is up (0.00018s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-netstat:
| TCP 0.0.0.0:25 0.0.0.0:53489
| TCP 0.0.0.0:53 0.0.0.0:28798
| TCP 0.0.0.0:80 0.0.0.0:2176
| TCP 0.0.0.0:88 0.0.0.0:10493
| TCP 0.0.0.0:135 0.0.0.0:28890
..snip..

# nmap -sU -p161 --script=snmp-processes 192.168.0.5|more

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 12:12 CDT
Nmap scan report for box.local (192.168.0.5)
Host is up (0.00016s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-processes:
| System Idle Process
| PID: 1
| System
| PID: 4
| smss.exe
| Path: \SystemRoot\System32\
| PID: 276
| csrss.exe
| Path: C:\WINDOWS\system32\
| Params: ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserS
| PID: 324
| winlogon.exe
| PID: 348
..snip..

# nmap -sU -p161 --script=snmp-win32-services -n 192.168.0.5

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 12:14 CDT
Nmap scan report for 192.168.0.5
Host is up (0.00026s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-win32-services:
| Application Experience Lookup Service
| Application Layer Gateway Service
| Application Management
| Automatic Updates
| Background Intelligent Transfer Service
..snip..

# nmap -sU -p161 --script=snmp-win32-shares -n 192.168.0.5

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 12:15 CDT
Nmap scan report for 192.168.0.5
Host is up (0.00016s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-win32-shares:
| Main
| D:\User Directories
| Canon
| Canon iR C5185 PCL5c,LocalsplOnly
| HP4100
| HP LaserJet 4100 Series PCL,LocalsplOnly
| SYSVOL
| C:\WINDOWS\sysvol\sysvol
..snip..

# nmap -sU -p161 --script=snmp-win32-users -n 192.168.0.5

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-25 12:17 CDT
Nmap scan report for 192.168.0.5
Host is up (0.00038s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-win32-users:
| Administrator
| Backupexec
| audit
| keb
| joe
| bgates
..snip..

Hopefully this opens your eyes to what NSE can do. These are just some of the scripts I use on a regular basis, but the script directory holds 115 of them in this release, so go play with them. If you find something useful that I didn't cover here, please comment and I'll update this post. You can also find the complete list of scripts and descriptions here.

  1. Erik says:

    @Matt: I'm so glad you covered the NSE. It's definitely a great way to push development and I've been researching a lot about it, just haven't had time to sit down and play too much yet. This definitely sparked my interest again though!

  2. Matt says:

    @Erik: Yeah, NSE is pretty much an amazing feature added to Nmap. I plan on writing a few scripts for it once I get to spend some time with Lua. I don’t particularly care for the language, but I think I’m going to have to force myself to tolerate it because of NSE (Wireshark also uses Lua scripts).

  3. Marc Ruef says:

    Hello,

    I may suggest two of my nmap nse scripts:

    * vulscan – http://www.computec.ch/mruef/?s=software&l=x
    The nmap project provides the possibility of enhancing the enumeration techniques of the utility by using the nmap scripting engine (NSE) based on the scripting language Lua. The nmap nse vulscan script helps to identify vulnerabilities within services, published by osvdb.org, which have been identified by version detection of nmap.

    * httprecon – http://www.computec.ch/projekte/httprecon/?s=download
    httprecon provides an open-source utility of enhanced web server fingerprinting. By using traditional and new techniques the provided httpd implementation can be detected, which is very important for further enumeration and attacks. Some of these techniques were introduced in the book 'Die Kunst des Penetration Testing'. Furthermore, new fingerprints can be saved within the database and results exported into html reports.

    Regards,

    Marc

  4. Matt says:

    @Marc: Both of those sound fricken awesome. I’ll check them out when I get a chance here and I’ll post my findings. Thanks!

  5. Matt says:

    @Marc:

    nmap -sT -p80 --script=httprecon 192.168.0.5

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-08-26 11:07 CDT
    NSE: failed to initialize the script engine:
    /usr/local/share/nmap/nse_main.lua:464: 'httprecon' did not match a category, filename, or directory
    stack traceback:
    	[C]: in function 'error'
    	/usr/local/share/nmap/nse_main.lua:464: in function 'get_chosen_scripts'
    	/usr/local/share/nmap/nse_main.lua:800: in main chunk
    	[C]: ?

    QUITTING!

    $ ls -ld /usr/share/nmap/scripts/httprec*
    drwxr-xr-x 6 1001 1001  4096 2010-05-11 02:00 /usr/share/nmap/scripts/httprecon
    -rw-r--r-- 1 root root 14440 2010-08-26 10:58 /usr/share/nmap/scripts/httprecon.nse

    Am I missing something? Getting similar errors with 'vulscan'.

  6. [...] Favorite nmap NSE scripts – attackvector.org I’ve written a couple of posts about it and why I find it so useful, but in this post I’m going to cover some of my favorite scripts that come with the most recent Nmap release. [...]

  7. Marc Ruef says:

    @Matt: Sorry for my *very* delayed response. Haven't seen your reply :( Is /usr/share/nmap/scripts the default path for your nmap scripts? It looks like nmap isn't able to find the scripts. Because none of the script code is run yet, this should not be a problem of the scripts. Perhaps you are linking to another nse repository in your home directory?
