Internally, NSE scripts are divided into four types: prerule scripts, host scripts, service scripts and postrule scripts. Prerule and postrule scripts run before and after Nmap has scanned all of its targets. Host scripts are executed after Nmap has performed its normal operations against a host, such as host discovery, port scanning and version detection. Service scripts run against specific services listening on the target hosts.
NSE Scripts Categories
NSE scripts are also categorized. We have categories like discovery, dos, intrusive, auth, brute and a special category called default, which contains selected scripts chosen because they are fast, useful and generally non-intrusive; these are the scripts Nmap runs when you pass -sC or -A. Let's see how scripts work in our lab.
Scripts vs Different Services
We'll start with the web server. I have here some files that are published with the Apache HTTP server, and I will also publish them with Python's built-in HTTP server module. For a start, let's run a normal version-detection scan (-sV). Hope this will not last long … All right. We have different services: SSH, DNS and the Apache web server, also a MySQL server and our Python module. Let's narrow the scan down to just the web ports with -p and run the first script, http-enum.
This script tells us more about what's going on on the web server side: which commonly used files and locations are there, and also something interesting. The two servers behave differently: Apache gives us its server-status location, and it also answered Authorization Required (HTTP 401) for a separate location. Let's see.
The first one is obvious. This is the Apache mod_status feature, whose purpose is to give statistical information about the running server; because that output includes the clients and URLs being served, outside a lab it should be restricted to trusted addresses.
But the second one, let's see. Yep. It's here. Apache pops up a credential prompt, while on port 8000 the Python module simply shows a directory listing. So this is what is actually happening: the separate location contains a PHP script, Apache hands it to the PHP interpreter, and that script sends an HTTP authentication challenge in order to ask for, and collect, credentials. Let's use an additional interesting script, one that lists the files it finds; on big sites this can potentially give us much more information.
Using Brute Forcing Scripts
Right now we have one HTA file, one PNG, and some other file, maybe without an extension. This is not useful for us in this particular case. But what about this Authorization Required? Can we do something about it using scripts? Of course. We have brute-forcing scripts. A brute-forcing script needs an additional parameter, and parameters are passed with --script-args as the script name, a dot and the parameter name, so here it is http-brute.path. Its value will be the Support location, because only this location asked us for authorization; any other file was served without it.
We'll try to brute force this service. Right now, Nmap is trying different combinations of usernames and passwords. This will take some time … Yeah. Success. We have tried over 45,000 combinations and found one working username and password combination, so we successfully brute forced our service. By default the guesses come from the username and password lists shipped in Nmap's nselib/data directory; the userdb and passdb script arguments point a brute script at your own lists instead.
As you can imagine, this is very useful if you want to find, for example, default credentials in a big network full of different web services. Okay, if you want to find out more about a script, its description and its categories, use --script-help with the script name.
MySQL Nmap Scripts
Now let's focus on another service. We had a MySQL server here. What else can we get from this MySQL service using only Nmap scripts? mysql-info is just the starting point. It gives us more information, like the capabilities of the server and the salt from the handshake, maybe useful for cracking. Another interesting script is mysql-enum. Yep. It successfully enumerated different usernames, and these are valid usernames obtained without any credentials, without passwords. This is pretty interesting, and what is super cool about the Nmap scripting engine is that script names and categories can be combined with logic: --script accepts and, or and not between script names, wildcards and categories.
For example, if we want to enumerate everything regardless of service type, we can just run every script with enum in its name against this target. That possibly gives us a lot of information in one scan; exactly, so we have something more about the DNS service. We have already discovered the HTTP service and MySQL. Let's focus then on SSH. Let's do something different: find out everything about SSH without intrusive attacks, let's say, with the expression ssh-* and not intrusive.
It was a very fast scan, and we have the host keys. I should also restrict the port with -p so the scripts are not tried against unrelated services. What about intrusive? Yeah, again we have something like ssh-brute. Right now, Nmap is trying to brute force my SSH service using some well-known, pretty obvious usernames and passwords.
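The commands behind the lab steps above, as an added example that is not code from the episode: a POSIX shell script that runs the version-detection scan once, keeps its grepable (-oG) output, and picks the HTTP or SSH ports out of it so that each script scan (http-enum, http-brute with its script argument, the *enum* wildcard, the ssh-* and not intrusive expression, --script-help) is limited to the ports that actually run that service. The target address 192.168.56.101, the protected path /Support, the function names and the sample grepable lines are assumptions; the sample output is constructed and its version strings are made up.

```shell
#!/bin/sh
# Added example, not code from the Hacks Weekly episode. Assumptions (not on
# the page): the lab VM is 192.168.56.101, the protected Apache location is
# /Support, and you are authorized to scan the target.
set -eu

TARGET="${TARGET:-192.168.56.101}"     # assumption: lab VM
GNMAP="${GNMAP:-nse-lab.gnmap}"        # grepable output of the first scan

# Step 1: one version-detection scan, saved in grepable form (-oG) so every
# later script scan can be limited to the ports that really run a service.
discover() {
    nmap -sV -oG "$GNMAP" "$TARGET"
}

# Print, comma-separated (nmap -p syntax), the open ports whose detected
# service name equals $1, read from the grepable file $2. A grepable port
# entry looks like  80/open/tcp//http//Apache httpd 2.4.18/  i.e.
# port/state/proto/owner/service/rpcinfo/version, entries joined by ", ".
# Keep only the "Ports:" part of each Host line, split the entries one per
# line, strip the leading blank, then select open entries of that service.
ports_for_service() {
    svc="$1"; file="$2"
    grep '^Host:' "$file" |
        sed -n 's/.*Ports: //p' |
        tr ',' '\n' |
        sed 's/^ *//' |
        awk -F/ -v svc="$svc" \
            '$2 == "open" && $5 == svc && !seen[$1]++ {
                 printf "%s%s", (n++ ? "," : ""), $1 }'
    echo
}

# Step 2: web ports only, with http-enum.
web_enum() {
    nmap -p "$(ports_for_service http "$GNMAP")" --script http-enum "$TARGET"
}

# Step 3: brute force the one location that answered 401. Script arguments
# take the form <script>.<argument>=<value>; http-brute.path is the path to
# attack. Add userdb=/passdb= to use your own wordlists instead of the
# bundled nselib/data lists.
web_brute() {
    nmap -p "$(ports_for_service http "$GNMAP")" \
        --script http-brute \
        --script-args 'http-brute.path=/Support' \
        "$TARGET"
    # --script-args 'http-brute.path=/Support,userdb=users.txt,passdb=pass.txt'
}

# Step 4: NSE's boolean script selection: name globs and categories joined
# with and/or/not.
enum_everything() {            # every script with "enum" in its name
    nmap --script '*enum*' "$TARGET"
}
ssh_quiet() {                  # ssh-* scripts that are not intrusive
    nmap -p "$(ports_for_service ssh "$GNMAP")" \
        --script 'ssh-* and not intrusive' "$TARGET"
}
ssh_intrusive() {              # the rest, which includes ssh-brute
    nmap -p "$(ports_for_service ssh "$GNMAP")" \
        --script 'ssh-* and intrusive' "$TARGET"
}

# Read a script's description and categories before running it.
script_help() {
    nmap --script-help "$1"
}

# Constructed sample of grepable output, shaped like the lab's services, so
# the port selection can be exercised without a target (versions made up).
write_sample_gnmap() {
    printf 'Host: 192.168.56.101 ()\tStatus: Up\n' > "$1"
    printf 'Host: 192.168.56.101 ()\tPorts: %s\tIgnored State: closed (995)\n' \
        '22/open/tcp//ssh//OpenSSH 7.2p2/, 53/open/tcp//domain//ISC BIND 9.10/, 80/open/tcp//http//Apache httpd 2.4.18/, 3306/open/tcp//mysql//MySQL 5.7/, 8000/open/tcp//http//SimpleHTTPServer 0.6 (Python 2.7)/' \
        >> "$1"
}

case "${1:-}" in
    run)
        discover; web_enum; script_help http-brute; web_brute
        enum_everything; ssh_quiet; ssh_intrusive ;;
    *)
        sample=$(mktemp)
        write_sample_gnmap "$sample"
        echo "http ports in the sample: $(ports_for_service http "$sample")"
        echo "ssh  ports in the sample: $(ports_for_service ssh "$sample")"
        rm -f "$sample" ;;
esac
```

Run it as sh nse-lab.sh run (assumed file name) against a lab you are allowed to scan; without arguments it only parses the embedded sample and prints the selected ports. Grepable output is used for the first scan because, unlike -oX, it can be consumed with plain sed and awk, which is all the port narrowing needs.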
I will kill it, and believe me, that is not all of NSE's power, because if you want you can write your own scripts in the Lua language. For starters, I would recommend reading one of the built-in scripts to understand what's going on.
For more information on how to write NSE scripts, I would recommend this site.
This is the Nmap documentation website. There is plenty of reading here. Remember that you can also find useful scripts on the internet, but please be aware and double check the contents of those scripts, as they can do harm to your computer: they run inside Nmap, which is usually started as root or another privileged account, so a malicious script runs with those privileges. As you can see from these quick and simple examples, Nmap is a really powerful tool that every administrator or penetration tester needs in their security arsenal. NSE simply makes it more efficient.
Thank you for watching and reading! If you have some questions or need ideas how to use NSE, leave a comment below. Stay secure, and see you on the next episode of Hacks Weekly.