We're getting to probably one of the most interesting parts—the script execution. The Nmap Scripting Engine is one of its most powerful and best-known features that Nmap itself has to offer. Nmap offers a ton of user-written codes available to use worldwide. NSE aims to provide highly sophisticated network discovery, vulnerability, and backdoor detection, and obviously also its exploitation.
Many of the scripts that Nmap has to offer have obviously also been ported and can be used in the zANTI2 app on your Android device, which provides you with a great way to perform penetration tests without need of a computer—all your tools now are available in your pocket.
Script execution in zANTI2 is a really easy thing to do. Select a host, tap on scan (just the way you did to perform an OS scan), and instead of pulling a ping, ICMP, traceroute scan, OS detection, simply tap the Execute scan button.
Every executable script in Nmap belongs to its own category. There are nine main categories available through zANTI2 with loads of scripts contained in each of these.
The categories are AUTH, BROADCAST, BRUTE, CITRIX, DATABASE, DISCOVERY, DNS, GEOLOCATION, and INFO. The Nmap Scripting Engine offers a fine amount of scripts, where some are meant for general discovery, gathering more information about a particular host, and some used to remotely detect vulnerability and possibly even exploit it. Let's have a closer look at each of these categories.
As mentioned earlier, each category covers a particular task performed on the target. NSE supports four types of scripts, distinguished by the kind of targets they are executed on and the scanning phase in which the scripts are run. The types are:
- Prerule scripts
- Host scripts
- Service scripts
- Postrule scripts
Prerule scripts run before any of Nmap's scan phases. These scripts can be useful for tasks such as performing network broadcast requests because they don't depend on specific scan targets.
Host scripts are run after Nmap has performed host discovery, port scanning, version detection and OS detection on the host. An example would be whois, which looks up additional information for a target IP.
Service scripts run against specific services listening on a target host. For instance, Nmap includes over 15 HTTP service scripts to run against web servers. If a host has web servers running on multiple ports, those scripts can be executed and run multiple times for each port.
Postrule scripts run after Nmap has scanned the entire target. A potential use of these scripts is printing a reverse index of the output, showing which hosts run a particular service (rather than only listing the services on each host).
Let's have a look at categories. Nmap Scripting Engine divides each script into its appropriate category, making it easy to find, distinguish, and execute the script you're looking for. Currently, there are fourteen defined categories, but zANTI2 shows fifteen of them, some of which are not even listed in the Nmap index. Let's take a look at them and see what zANTI2 has to offer.
These scripts deal with authentication credentials on the target. A typical example is the x11-access script, which checks whether you're allowed to connect to a server. If this server is listening on a specific TCP port, it's possible to check whether you're able to get connected to the remote display by sending an initial connection request. Basically, these scripts do not attempt to brute-force the credentials, instead they try to bypass them. Scripts that use the brute-force method are listed in the Brute category instead.
Scripts in this category discover hosts that are not listed on the command line by broadcasting on the local network. For instance, broadcast-dropbox-listener prints all the discovered client IP addresses, names, and version numbers of Dropbox accounts by listening for the information broadcasts sent on the local area network that is being done every 20 seconds.
As the title Brute suggests, these scripts use brute-force attacks to guess authentication credentials of a server. Nmap contains scripts for brute-forcing dozens of protocols, including http-brute or oracle-brute. Scripts in this category are logically intrusive, as they are attempting to directly hack into a server. A typical example is http-brute script, which performs password auditing against basic HTTP authentication.
If we have a look at the output of pop3-brute script, which tries to log into a POP3 account (POP3 is a Post Office Protocol and is used for grabbing e-mail messages from a remote client, working through a TCP/IP connection.), we could see something like this:
PORT STATE SERVICE 110/tcp open pop3 | pop3-brute-ported: | Accounts: | user:pass => Login correct | Statistics: |_ Performed 8 scans in 1 seconds, average tps: 8
This script lists the port (typically 110 for a POP3 service), state, and service along with the final output carrying the results. Statistics for the attack are listed as well showing the number of performed scans and average number of TPS.
Citrix scans are used mainly against Citrix XML services. Citrix Systems is a software company providing server, application, and desktop virtualization and cloud computing technologies. Scripts such as citrix-enum-servers attempts to extract the name of the server along with member servers from the Citrix XML service. There also is a script called citrix-brute-xml that attempts to brute-force and find valid credentials for the Citrix PN Web Agent XML Service. This category isn't listed in the default Nmap index, but it was created in zANTI2 because all of the scripts included in this category are used against Citrix services. Most of the scripts (citrix-enum) listed in this category are otherwise included in the Discovery category as they mostly attempt to discover further information about the host.
These scripts are used against two databases: MS SQL and MySQL. Scripts such as ms-sql-brute performs password guessing against the Microsoft SQL server. Another script, mysql-databases, for example, attempts to list all databases on a MySQL server. In other words, this section lets you play and investigate on these two databases. Again, this category isn't listed in the Nmap index by default, but zANTI2 has it probably for the sake of clarity. In case you don't know what these two databases mean, MS SQL (or Microsoft SQL Server) is a database system developed by Microsoft. Its primary function is to store and retrieve data requested by other software applications. MySQL is again, a database system, currently the world's second most used one. MySQL is currently a very popular choice of database for use in a web application and is widely used among many companies, including YouTube, Twitter, Facebook, and Google.
Discovery scripts, in general, try to discover more about the network by querying public registries, SNMP-enabled devices, directory services, and more. Scripts in this category are not intrusive and they don't try to exploit or find any vulnerability in the system. Most of these scripts are marked default, which means they are being executed during one of the scans I've covered several pages ago (for instance, OS detection scripts are executed during the Intense scan). Examples include the html-title script, that obtains the title of the root path of websites or snmp-sysdecr, that extracts system details via SNMP (Simple Network Management Protocol).
The DNS category deals with DNS check scans, brute-force attacks, client subnet scans, and more. Examples include the dns-blacklist script that checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services for which an IP has been flagged. In case you don't know, DNS stands for Domain Name System. If you want to visit Google, you can type google.com into your browser's address bar. However, the browser doesn't quite know where google.com is, for this IP addresses are used (in our case, this would be 173.194.39.78 for Google). DNS can be explained like a phone book, DNS matches names to numbers for easier interaction with items listed in it.
Geolocation contains a category of scripts that are, based on IP addresses, trying to determine the location of the host using available services such as Geobytes or Geoplugin. Scripts such as ip-geolocation-geobytes uses http://www.geobytes.com/ to identify the physical location of an IP address, the ip-geolocation-geoplugin script uses http://www.geoplugin.com/. While this might not sound like a big deal, geolocation is generally used by companies mainly for analytics and statistics for determining the location of a viewer or visitor. In case you're curious about how geolocation works, services that use this have access to a number of databases that provide them the information for locating someone online through an IP address. A primary source for IP address data is the Regional Internet Registries. These are very large organizations responsible for managing IP addresses in specific regions of the world. There are five Regional Internet Registries in the world: ARIN for American Registry, RIPE NCC for Europe, APNIC for Asia, LACNIC for South America, and AfriNIC for Africa. The geolocation services then simply narrow down the area finally ending up with your exact location.
The Protocol category lets you execute a script to a wide variety of protocols: AFP (Apple Filing Protocol), APJ (Apache JServ Protocol), FTP (File Transfer Protocol), HTTP, IPv6, LDAP (Lightweight Directory Access Protocol), RDP (Remote Desktop Protocol), SIP (Session Initiation Protocol), SMTP (Simple Mail Transfer Protocol), and SNMP (Simple Network Management Protocol). Simply put, if you're looking for a script performing actions on a particular protocol, this is the category you would choose to quickly search for the script. Scripts in these under-categories might be safe (meaning they are not intrusive and will not crash any services during the investigation) but they may also be intrusive and actively searching for vulnerabilities, such as the afp-path-vuln script, which detects the Mac OS X AFP directory traversal vulnerability.
Info includes a wide variety of various scripts that retrieve usable information about targets. The Acarsd-info script, for instance, uses the ACARS (Aircraft Communication Addressing and Reporting System) and decodes the data in real time. Information retrieved from this script includes the daemon version, API version, admin e-mail, and listening frequency (yes, we're talking about airplanes). Generally speaking, scripts in this category provide additional information about hosts in every possible way.
Then, there are a few more categories with more or less usable scripts. For example, bitcoin-getaddr.nse lists known as Bitcoin nodes or skypev2-version.nse, detects the Skype version 2 service. Irrespective of whether it is useful or not, these examples clearly show that anybody can code a custom Nmap script that will do its thing, whatever that might be.
However, the Nmap index of script categories lists several more categories with interesting scripts, and some of them appear to be available through zANTI2. Categories such as intrusive, exploit, or vuln are clearly used for penetration test purposes, as their primary task is to detect vulnerabilities in the system and possibly even exploit it, printing out all the information that the exploited vulnerability has to offer to us.
Let's have a look directly at the scripts that are available in zANTI2 that you can execute right from your Android device.