Preface
Nmap is a powerful open source scanning tool. It also ships with a powerful scripting engine, the Nmap Scripting Engine (NSE), which lets nmap's functionality be extended with scripts written in the Lua language. The nmap distribution already includes hundreds of such scripts. Besides assisting the four basic functions of nmap, i.e. host discovery, port scanning, service detection and operating system detection, they add further scanning capabilities: detailed probing of HTTP services, brute forcing of simple passwords, vulnerability checks, and so on.
Script classification and use
classification
Nmap scripts are mainly divided into the following categories (quoted from "Summary of nmap script usage"):
auth: scripts that deal with authentication credentials (including bypassing authentication)
broadcast: probe the local network for further running services, such as dhcp/dns/sqlserver
brute: brute-force password guessing against common applications such as http/snmp
default: the scripts run by default when scanning with -sC or -A; they provide basic script scanning capability
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: used to carry out denial of service attacks
exploit: exploit known vulnerabilities to break into systems
external: use third-party databases or resources, for example whois lookups
fuzzer: fuzz-testing scripts that send malformed packets to the target to uncover potential vulnerabilities
intrusive: intrusive scripts; they may be logged or blocked by the target's IDS/IPS
malware: check whether the target is infected with malware, has a backdoor open, and so on
safe: the opposite of intrusive; scripts considered safe to run
version: scripts that enhance service and version detection (Version Detection)
vuln: check whether the target has common vulnerabilities (Vulnerability), e.g. MS08_067
Command line options
The script-related command line options provided by nmap are as follows:
-sC/--script=default: scan using the default scripts.
--script=<Lua scripts>: scan using the specified script(s)
--script-args=x=x,y=y: pass arguments to the scripts
--script-args-file=filename: read script arguments from a file
--script-trace: show the data sent and received while the scripts execute
--script-updatedb: update the script database
--script-help=<Lua scripts>: show the help text of the script(s)
Script
Targeted script
A collection of more targeted nmap scripts found on GitHub:
- MS15-034, LFI, Nikto, ShellShock, Tenda
https://github.com/s4n7h0/NSE
- Enumerate ICs programs and devices
https://github.com/digitalbond/Redpoint
- Some NSE script collections
https://github.com/cldrn/nmap-nse-scripts
- Router information collection:
https://github.com/DaniLabs/scripts-nse
- brute force
https://github.com/lelybar/hydra.nse
- Cassandra, WebSphere
https://github.com/kost/nmap-nse
- Scada
https://github.com/drainware/nmap-scada
- NSE development tools
https://github.com/s4n7h0/Halcyon
- Hadoop, Flume
https://github.com/b4ldr/nse-scripts
- WordPress
https://github.com/peter-hackertarget/nmap-nse-scripts
- VNC
https://github.com/nosteve/vnc-auth
- PhantomJS checks of HTTP header information
https://github.com/aerissecure/nse
- WebServices detection
https://github.com/c-x/nmap-webshot
- SSL Heartbleed
https://github.com/takeshixx/ssl-heartbleed.nse
- OpenStack
https://github.com/sicarie/nse
- Apache, Rails-xml
https://github.com/michenriksen/nmap-scripts
- Gateway, DNS
https://github.com/ernw/nmap-scripts
- MacOS
https://github.com/ulissescastro/ya-nse-screenshooter
- Directory scanning, whatcams, vulnerability detection
https://github.com/Cunzhang/NseScripting
- Redis
https://github.com/axtl/nse-scripts
- Huawei device checks
https://github.com/vicendominguez/http-enum-vodafone-hua253s
- Axis
https://github.com/bikashdash/Axis_Vuln_Webcam
Intranet Penetration
Recommendation from milsec official account
Nmap provides many effective scripts for penetration testing Intranet machines that do not depend on other third-party tools:
- smb-enum-domains.nse
Collects domain controller information: host information, users, password policy, etc.
- smb-enum-users.nse
Domain controller scan
- smb-enum-shares.nse
Enumerates the shared directories of the remote host
- smb-enum-processes.nse
Enumerates the host's system processes over SMB
- smb-enum-sessions.nse
Obtains the user login sessions of the host in the domain over SMB, to see who is currently logged in
- smb-os-discovery.nse
Collects the target host's operating system, computer name, domain name, fully qualified domain name, domain forest name, NetBIOS machine name, NetBIOS domain name, workgroup, system time, etc. over the SMB protocol
- smb-ls.nse
Lists the files in a shared directory; used together with smb-enum-shares
- smb-psexec.nse
Once an SMB user password has been obtained, commands can be executed on the remote host through SMB psexec
- smb-system-info.nse
Obtains the target host's operating system information, environment variables, hardware information and browser version over the SMB protocol
- ms-sql-brute.nse
Takes a combined dictionary and brute-forces the MSSQL machines in the domain
- ms-sql-xp-cmdshell.nse
Once the user name and password of an MSSQL SA-privileged user have been obtained, the specified command can be executed through this nmap script, over the SMB protocol or through MSSQL
- redis.nse
Brute-forces the redis password. Server access can then be obtained by writing an SSH key
- oracle-sid-brute.nse
Loads a dictionary and brute-forces Oracle SIDs
- oracle-enum-users.nse
Enumerates the available Oracle users from a loaded dictionary
- oracle-brute.nse
Once the SID is known, Oracle user passwords can be brute-forced
- pgsql-brute.nse
PostgreSQL user password guessing script; brute-forces PgSQL passwords. With appropriate permissions files can be read and written and commands executed, leading to further control of the server.
- svn-brute.nse
Brute-forces the SVN server. From the content on the SVN server the source code can be downloaded and useful information found
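The value of the scripts above for a defender lies in what they report. As an added example (not code from this page or from the projects listed on it), the following Python parses an nmap -oX report containing smb-os-discovery and smb-enum-shares results into an asset inventory and a list of anonymously accessible shares, the findings to remediate first. The XML is a constructed sample in the shape of nmap's output, and the elem/table keys used are assumptions, not copied from the real scripts.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like nmap's -oX output, trimmed to the elements read below.
# The elem/table keys are assumptions, not copied from the real scripts' output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p445 --script smb-os-discovery,smb-enum-shares -oX out.xml 10.0.0.5">
<host><address addr="10.0.0.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
<hostscript>
<script id="smb-os-discovery" output="OS: Windows Server 2012 R2">
<elem key="os">Windows Server 2012 R2</elem><elem key="fqdn">fs01.corp.example</elem>
<elem key="domain_dns">corp.example</elem></script>
<script id="smb-enum-shares" output="...">
<table key="\\\\10.0.0.5\\Public"><elem key="Anonymous access">READ/WRITE</elem></table>
<table key="\\\\10.0.0.5\\Finance"><elem key="Anonymous access">&lt;none&gt;</elem></table>
</script></hostscript></host></nmaprun>"""


def parse_script_results(xml_text):
    """Map ip -> script id -> {key: value}; each <table> becomes a nested dict under its key."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        scripts = {}
        for script in host.iter("script"):  # covers both per-port and hostscript results
            data = {e.get("key"): e.text for e in script.findall("elem")}
            for table in script.findall("table"):
                data[table.get("key")] = {e.get("key"): e.text for e in table.findall("elem")}
            scripts[script.get("id")] = data
        results[addr] = scripts
    return results


def host_inventory(results):
    """One (ip, os, fqdn) row per host from smb-os-discovery, for an asset inventory."""
    rows = []
    for addr, scripts in results.items():
        osd = scripts.get("smb-os-discovery", {})
        rows.append((addr, osd.get("os"), osd.get("fqdn")))
    return rows


def anonymous_shares(results):
    """Shares reported as anonymously readable or writable: remediate these first."""
    hits = []
    for addr, scripts in results.items():
        for share, fields in scripts.get("smb-enum-shares", {}).items():
            access = fields.get("Anonymous access") if isinstance(fields, dict) else None
            if access and access.startswith("READ"):
                hits.append((addr, share, access))
    return hits
```

Run against a real report produced with `-oX`, the same two functions give a quick view of which internal hosts and shares need attention.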
Tool
Nmap NSE script search engine
- https://github.com/JKO/nsearch
================================================
_ _ _____ _____ _
| \ | |/ ___|| ___| | |
| \| |\ `--. | |__ __ _ _ __ ___ | |__
| . ` | `--. \| __| / _` || '__| / __|| '_ |
| |\ |/\__/ /| |___ | (_| || | | (__ | | | |
\_| \_/\____/ \____/ \__,_||_| \___||_| |_|
================================================
Version 0.4b http://goo.gl/8mFHE5 @jjtibaquira
Email: [email protected] | www.dragonjar.org
================================================
nsearch> search name:http author:calderon category:vuln
*** Name Author
[+] http-vuln-cve2012-1823.nse Paulino Calderon, Paul AMAR
[+] http-phpself-xss.nse Paulino Calderon
[+] http-wordpress-enum.nse Paulino Calderon
[+] http-adobe-coldfusion-apsa1301.nse Paulino Calderon
[+] http-vuln-cve2013-0156.nse Paulino Calderon
[+] http-awstatstotals-exec.nse Paulino Calderon
[+] http-axis2-dir-traversal.nse Paulino Calderon
[+] http-huawei-hg5xx-vuln.nse Paulino Calderon
[+] http-tplink-dir-traversal.nse Paulino Calderon
[+] http-trace.nse Paulino Calderon
[+] http-litespeed-sourcecode-download.nse Paulino Calderon
[+] http-majordomo2-dir-traversal.nse Paulino Calderon
[+] http-method-tamper.nse Paulino Calderon
Summary
Scanning often triggers IDS or other security devices, so choose the appropriate scripts according to the actual environment.
Reference resources
- Summary of nmap script usage
- The use of nmap loading NSE script in Intranet penetration