By now it is evident that nmap plays a very important role right from IP discovery. Nmap also has a vulnerability assessment functionality, which is achieved via the Nmap Scripting Engine (NSE). It allows the user to run vulnerability detection scripts. The NSE contains a very large set of scripts that range right from discovery to exploitation. These scripts are available in the nmap
folder, and are segregated by their categories. These categories can be better understood by reading the scripts.db
file, located in the nmap
folder. However, in this chapter we will limit ourselves to vulnerability detection.
In order to begin this chapter, we will be using nmap to check the NSE scripts located in nmap under the scripts
folder. For demonstration purposes, we will be using Metasploitable 2 and Windows XP SP1.
The steps for this recipe are as follows:
ls /usr/share/nmap/scripts/
The output will be as shown in the following screenshot:
cat /usr/share/nmap/scripts/script.db | grep "vuln"
The output will be as shown in the following screenshot:
vuln
. We will be working mainly with this category. To run a simple vuln
category scan, use the following command on your terminal window:nmap -sT --script vuln <IP Address>
vuln
assessment scan:nmap -sT -p <ports> --script vuln <IP Address>
The output will be as shown in the following screenshot:
We can see that it revealed a lot of information, and showed us many possible attack vectors; it even detected the SQL injection for a potential attack:
vuln
does. We can simply check that by typing the following command in the terminal:nmap --script-help vuln
The output will be as shown in the following screenshot:
nmap -sT -p 139,445 <IP address>
The output will be as shown in the following screenshot:
smb
vulnerability detection script, shown as follows:nmap -sT -p 139,445 --script smb-vuln-ms08-067 <IP address>
The output will be as shown in the following screenshot:
So, one can use the various scripts available in nmap with the category of vuln
to perform an assessment over the target IP and find vulnerabilities based on the port and services running.
Understanding all the parameters is rather easy; we have been toying with the scripts available in the NSE engine. Let's understand a few of the commands used in this method:
scripts.db
file contains all the NSE categorizing information that it uses to specify which scripts can be considered a particular kind of vulnerability. There are different categories, such as auth
, broadcast
, brute
, default
, dos
, discovery
, exploit
, external
, fuzzer
, intrusive
, malware
, safe
, version
, and vuln
.nmap
command with the vuln
parameter along for the script. We were simply instructing nmap to use the vuln
category and run all the scripts that are categorized under vuln
.vuln
category scan. This just makes sure that the script only runs for the specified ports and not the other ones, thereby saving us a lot of time.--script-help <filename>|<category>|<directory>|<expression>|all[,...]
command is the help feature for the NSE engine. The help
command should always be accompanied by the category or a specific filename of the NSE script, or an expression. For example, to check for all SMB-related help, one can simply use the expression *smb*
.--script-args=unsafe=1
command, the script-args
syntax is similar to the additional parameters to be passed to the script that we just selected; in this scenario, we are passing an additional unsafe
parameter with the value 1
, stating that the script has permission to run dangerous scripts that could cause a service crash.We have learned how to use the NSE for vulnerability assessment. The script-args
parameter is used for many purposes, such as providing the file for username and passwords, specifying the credentials for a given service so that the NSE can extract information, post authentication, and so on. This is recommended so that you have a deeper insight of the script-args
feature.
3.139.79.59