Performing basic scans with NMAP is rather simple, but did you know that there are over 300 scripts that extend the already awesome scanner? That’s right, there are several hundred unique NSE scripts included with every install of NMAP in “/usr/local/share/nmap/scripts” in BackTrack, that are written in the lua programming language that are waiting to explored by you. NSE stands for NMAP Scripting Engine and provides significant extensibility to NMAP such as vulnerability detection, vulnerability exploitation, discovery, and sophisticated version detection. Some popular NSE scripts can find hosts infected with Conficker, identify DNS servers that allow unauthenticated zone additions and modifications, heck, you can even scan for stuxnet infection.
To learn more about a script there are a couple of options. First, all script documentation is available online at NMAP.org/nsedoc/, simply click on a category or scripts to see the 340 currently available scripts. The second option is to use the cli and use the –script-help option.
Script Help Example: nmap –script-help script_name
Some scripts will provide argument info from the help output, for those that do not, using the online documentation may be best. If you feel like reading coder comments, sometimes using vi or vim to open the script will provide more details on the script usage.
Here are some usage examples that you can try to begin the exploration of the powerful NSE scripts.
SMB Vulns (MS08-067, Conficker Test) (Xem Video)
MS-SQL Discovery
HTTP HEADERS
Spend some time on the nsedoc site and ‘ls’ in the scripts directory to explore available NSE scripts. Don’t see what you are looking for? Well, learn lua and you can write your own NSE scripts too! Here is an excellent video from Defcon 18, a little old but still great info including a walk through of writing a NSE script.
NMAP is truly a versatile tool that I know I leverage almost daily. Don’t hesitate to experiment and find all the cool things you can do with NMAP. The greatest hackers are life long learners, always curious, and do not accept limitations. Stretch yourself and the tools you use to the fullest, you never know, you may stumble onto something new.
Script smb-check-vulns
Checks for vulnerabilities: - MS08-067, a Windows RPC vulnerability
- Conficker, an infection by the Conficker worm
- Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
- SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
- MS06-025, a Windows Ras RPC service vulnerability
- MS07-029, a Windows Dns Server RPC service vulnerability
nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>
Script Output
Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Script smb-vuln-ms10-054
Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. The vulnerable machine will crash with BSOD.
The script requires at least READ access right to a share on a remote machine. Either with guest credentials or with specified username/password.
Example Usage
nmap -p 445 <target> --script=smb-vuln-ms10-054 --script-args unsafe
Script Output
Host script results:
| smb-vuln-ms10-054:
| VULNERABLE:
| SMB remote memory corruption vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2010-2550
| Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| Description:
| The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2,
| Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7
| does not properly validate fields in an SMB request, which allows remote attackers
| to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability."
|
| Disclosure date: 2010-08-11
| References:
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550
|_ http://seclists.org/fulldisclosure/2010/Aug/122
Script distcc-cve2004-2687
Detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. The vulnerability was disclosed in 2002, but is still present in modern implementation due to poor configuration of the service.Example Usage
nmap -p 3632 <ip> --script distcc-exec --script-args="distcc-exec.cmd='id'"
Script Output
PORT STATE SERVICE
3632/tcp open distccd
| distcc-test:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Description:
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=118(distccd) gid=65534(nogroup) groups=65534(nogroup)
|
| References:
| http://distcc.googlecode.com/svn/trunk/doc/web/security.html
| http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
| http://http://www.osvdb.org/13378
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Script http-dlink-backdoor
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router. The following router models are likely to be vulnerable: DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240
In addition, several Planex routers also appear to use the same firmware: BRL-04UR, BRL-04CW
Example Usage
nmap -sV --script http-dlink-backdoor <target>
Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-dlink-backdoor:
| VULNERABLE:
| Firmware backdoor in some models of D-Link routers allow for admin password bypass
| State: VULNERABLE
| Risk factor: High
| Description:
| D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
|
| References:
|_ http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
Script http-huawei-hg5xx-vuln (Video)
Detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values. Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values.
Example Usage
nmap -p80 --script http-huawei-hg5xx-vuln <target>
nmap -sV http-huawei-hg5xx-vuln <target>
Script Output
PORT STATE SERVICE VERSION
80/tcp open http Huawei aDSL modem EchoLife HG530 (V100R001B122gTelmex) 4.07 -- UPnP/1.0 (ZyXEL ZyWALL 2)
| http-huawei-hg5xx-vuln:
| VULNERABLE:
| Remote credential and information disclosure in modems Huawei HG5XX
| State: VULNERABLE (Exploitable)
| Description:
| Modems Huawei 530x, 520x and possibly others are vulnerable to remote credential and information disclosure.
| Attackers can query the URIs "/Listadeparametros.html" and "/wanfun.js" to extract sensitive information
| including PPPoE credentials, firmware version, model, gateway, dns servers and active connections among other values
| Disclosure date: 2011-01-1
| Extra information:
|
| Model:EchoLife HG530
| Firmware version:V100R001B122gTelmex
| External IP:xxx.xxx.xx.xxx
| Gateway IP:xxx.xx.xxx.xxx
| DNS 1:200.33.146.249
| DNS 2:200.33.146.241
| Network segment:192.168.1.0
| Active ethernet connections:0
| Active wireless connections:3
| BSSID:0xdeadbeefcafe
| Wireless Encryption (Boolean):1
| PPPoE username:xxx
| PPPoE password:xxx
| References:
| http://routerpwn.com/#huawei
|_ http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosu
Script http-phpmyadmin-dir-traversal
Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server. Script http-tplink-dir-traversal (Video)
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication. This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate any help confirming the vulnerability in other models.
Script dns-zeustracker
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. Please review the following information before you start to scan: Example Usage
nmap -sn -PN --script=dns-zeustracker <ip>
Script Output
Host script results:
| dns-zeustracker:
| Name IP SBL ASN Country Status Level Files Online Date added
| foo.example.com 1.2.3.4 SBL123456 1234 CN online Bulletproof hosted 0 2011-06-17
|_ bar.example.com 1.2.3.5 SBL123456 1234 CN online Bulletproof hosted 0
Script dns-fuzz
Launches a DNS fuzzing attack against DNS servers. The script induces errors into randomly generated but valid DNS packets. The packet template that we use includes one uncompressed and one compressed name.
Use the
dns-fuzz.timelimit argument to control how long the fuzzing lasts. This script should be run for a long time. It will send a very large quantity of packets and thus it's pretty invasive, so it should only be used against private DNS servers as part of a software development lifecycle.Example Usage
nmap --script dns-fuzz --script-args timelimit=2h <target>
Script Output
Host script results:
|_dns-fuzz: Server stopped responding... He's dead, Jim.
Script rdp-vuln-ms12-020
Checks if a machine is vulnerable to MS12-020 RDP vulnerability.Example Usage
nmap -sV --script=rdp-ms12-020 -p 3389 <target>
Script Output
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| rdp-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
Script samba-vuln-cve-2012-1182
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182. Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.
CVE-2012-1182 marks multiple heap overflow vulnerabilities located in PIDL based autogenerated code. This check script is based on PoC by ZDI marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray function where an attacker is under control of num_sids and can cause insuficient memory to be allocated, leading to heap buffer overflow and posibility of remote code execution.
Script builds a malitious packet and makes a SAMR GetAliasMembership call which triggers the vulnerability. On the vulnerable system, connection is droped and result is "Failed to receive bytes after 5 attempts". On patched system, samba throws an error and result is "MSRPC call returned a fault (packet type)".
Example Usage
nmap --script=samba-vuln-cve-2012-1182 -p 139 <target>
Script Output
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| samba-vuln-cve-2012-1182:
| VULNERABLE:
| SAMBA remote heap overflow
| State: VULNERABLE
| IDs: CVE:CVE-2012-1182
| Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| Description:
| Samba versions 3.6.3 and all versions previous to this are affected by
| a vulnerability that allows remote code execution as the "root" user
| from an anonymous connection.
|
| Disclosure date: 2012-03-15
| References:
| http://www.samba.org/samba/security/CVE-2012-1182
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
Script ftp-vuln-cve2010-4221
Checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. By sending a large number of TELNET_IAC escape sequence, the proftpd process miscalculates the buffer length, and a remote attacker will be able to corrupt the stack and execute arbitrary code within the context of the proftpd process (CVE-2010-4221). Authentication is not required to exploit this vulnerability.Example Usage
nmap --script ftp-vuln-cve2010-4221 -p 21 <host>
Script Output
PORT STATE SERVICE
21/tcp open ftp
| ftp-vuln-cve2010-4221:
| VULNERABLE:
| ProFTPD server TELNET IAC stack overflow
| State: VULNERABLE
| IDs: CVE:CVE-2010-4221 BID:44562 OSVDB:68985
| Risk factor: High CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| Description:
| ProFTPD server (version 1.3.2rc3 through 1.3.3b) is vulnerable to
| stack-based buffer overflow. By sending a large number of TELNET_IAC
| escape sequence, a remote attacker will be able to corrup the stack and
| execute arbitrary code.
| Disclosure date: 2010-11-02
| References:
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
| http://osvdb.org/68985
| http://www.metasploit.com/modules/exploit/freebsd/ftp/proftp_telnet_iac
| http://bugs.proftpd.org/show_bug.cgi?id=3521
|_ http://www.securityfocus.com/bid/44562
