Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


some nmap nse script recommendations

Posted by barkins at 2020-04-17


Nmap is a powerful open source scanning tool. At the same time, nmap provides a powerful scripting engine (nmap scripting Engine), which supports extending the function of nmap through Lua scripting language. In the distribution of nmap, hundreds of extended scripts have been included. In addition to assisting in the four basic functions of nmap, i.e. host discovery, port scanning, service detection and operating system detection, other scanning capabilities have also been added: detailed detection of HTTP services, brute force cracking of simple passwords, and vulnerability information checking Wait.

Script classification and use


Nmap scripts are mainly divided into the following categories, which are quoted from: nmap script Usage Summary:

auth: 负责处理鉴权证书(绕开鉴权)的脚本 broadcast: 在局域网内探查更多服务开启状况,如dhcp/dns/sqlserver等服务 brute: 提供暴力破解方式,针对常见的应用如http/snmp等 default: 使用-sC或-A选项扫描时候默认的脚本,提供基本脚本扫描能力 discovery: 对网络进行更多的信息,如SMB枚举、SNMP查询等 dos: 用于进行拒绝服务攻击 exploit: 利用已知的漏洞入侵系统 external: 利用第三方的数据库或资源,例如进行whois解析 fuzzer: 模糊测试的脚本,发送异常的包到目标机,探测出潜在漏洞 intrusive: 入侵性的脚本,此类脚本可能引发对方的IDS/IPS的记录或屏蔽 malware: 探测目标机是否感染了病毒、开启了后门等信息 safe: 此类与intrusive相反,属于安全性脚本 version: 负责增强服务与版本扫描(Version Detection)功能的脚本 vuln: 负责检查目标机是否有常见的漏洞(Vulnerability),如是否有MS08_067

Command line options

Some commands provided by nmap are as follows:

-sC/--script=default:使用默认的脚本进行扫描。 --script=<Lua scripts>:使用某个脚本进行扫描 --script-args=x=x,y=y: 为脚本提供参数 --script-args-file=filename: 使用文件来为脚本提供参数 --script-trace: 显示脚本执行过程中发送与接收的数据 --script-updatedb: 更新脚本数据库 --script-help=<Lua scripts>: 显示脚本的帮助信息


Targeted script

Some more targeted nmap scripts on GitHub are collected:

Intranet Penetration

Recommendation from milsec official account

Nmap provides many effective scripts that do not need to rely on other third-party tools to perform penetration tests on Intranet machines:

Domain controller information collection, host information, user, password policy, etc

Domain controller scan

Traverse the shared directory of the remote host

Traverse the system process of the host through SMB

Obtain the user login session of the host in the domain through SMB to view the current user login status

Collect the operating system, computer name, domain name, full name domain name, domain forest name, NetBIOS machine name, NetBIOS domain name, workgroup, system time, etc. of the target host through SMB protocol

List the files in the shared directory and use with SMB enum share

When obtaining the SMB user password, the command can be executed on the remote host through SMB psexec

Obtain the operating system information, environment variables, hardware information and browser version of the target host through SMB protocol

Collect the combination dictionary and crack the MSSQL machine in the domain

When obtaining the SA permission user name and password of MSSQL, you can execute the specified command through the nmap script, or through the SMB protocol or MSSQL

Burst the user password of redis. You can obtain the server permission by writing SSH key

Mounting a dictionary and exploding Oracle's sid

Traverse the available users of Oracle through the mount dictionary

After obtaining SID, Oracle's user password can be exploded

PostgreSQL user password guessing script, password blasting for PgSQL, appropriate permissions can read and write files, execute commands, so as to further obtain server control permissions.

The SVN server is blasted. Through the content on the SVN server, we can download the source code and find some useful information


Nmap NSE script search engine

================================================ _ _ _____ _____ _ | \ | |/ ___|| ___| | | | \| |\ `--. | |__ __ _ _ __ ___ | |__ | . ` | `--. \| __| / _` || '__| / __|| '_ | | |\ |/\__/ /| |___ | (_| || | | (__ | | | | \_| \_/\____/ \____/ \__,_||_| \___||_| |_| ================================================ Version 0.4b @jjtibaquira Email: [email protected] | ================================================ nsearch> search name:http author:calderon category:vuln *** Name Author [+] http-vuln-cve2012-1823.nse Paulino Calderon, Paul AMAR [+] http-phpself-xss.nse Paulino Calderon [+] http-wordpress-enum.nse Paulino Calderon [+] http-adobe-coldfusion-apsa1301.nse Paulino Calderon [+] http-vuln-cve2013-0156.nse Paulino Calderon [+] http-awstatstotals-exec.nse Paulino Calderon [+] http-axis2-dir-traversal.nse Paulino Calderon [+] http-huawei-hg5xx-vuln.nse Paulino Calderon [+] http-tplink-dir-traversal.nse Paulino Calderon [+] http-trace.nse Paulino Calderon [+] http-litespeed-sourcecode-download.nse Paulino Calderon [+] http-majordomo2-dir-traversal.nse Paulino Calderon [+] http-method-tamper.nse Paulino Calderon


Scanning often triggers IDs or other security devices, so you should choose the appropriate script according to the actual environment.

Reference resources