After talking with some friends last week, I realized that the Nmap Scripting Engine (NSE) is an unappreciated and underutilized Nmap component. That is unfortunate, since NSE has easily become my favorite Nmap feature. According to the Nmap 6 release notes, the number of available NSE scripts is nearly 350! This seems like a good time for a long overdue blog post. This post talks about using the built in Nmap 5 scripts. It's intended to introduce NSE and assumes at least some Nmap exposure.
If you are using Backtrack 5, the NSE scripts are located in /usr/local/share/nmap/scripts/. Each file ends with a .nse extension and is plain text. The scripts cover a variety of areas including vulnerabilities, information gathering, and exploitation. If you are uncertain of what a script does, simply open it in a text editor.
I'll walk you through a few examples of using NSE scripts. The first will show running the smb-enum-shares.nse script. This script connects to a Windows or Samba file server and enumerates the shares. The syntax is:
nmap -Pn --script=smb-enum-shares 192.168.1.136
You will obviously need to replace 192.168.1.136 with the IP address of your file server. Here is the output:
You can see there are four shares: ADMIN$, C$, IPC$, and "Documents and Settings". Another simple script is http-headers which does exactly what it says, retrieves HTTP headers. Here is the syntax:
nmap -Pn -p80 --script=http-headers slashdot.org
Again, replace "slashdot.org" with the server you wish to retrieve the HTTP headers from. And here is the output:
Those are some pretty simple examples. Here is a little more complex one using smb-check-vulns.
nmap -Pn -p445 --script=smb-check-vulns 192.168.1.136
While this command may not appear more complex than the previous examples, the checks performed are more powerful. This command checks for the MS08-067 vulnerability and if the host is infected with Conficker. Here is the output:
You can try running the unsafe checks with the command below. I have had limited luck with this, usually resulting in an SMB server crash (not good in a production environment!).
nmap -Pn -p445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.136
The previous commands all demonstrated running a single NSE script. Another method of invoking scripts is to use NSE script categories. This link lists all of the available categories, http://nmap.org/book/nse-usage.html#nse-categories. One of my favorites is the broadcast category. This is a very safe category that can be run on a production network with virtually no concerns. The syntax is very similar to the previous examples:
nmap -Pn --script=broadcast
Notice how this example does not specify a target host. These scripts find hosts and services that advertise themselves to the network broadcast address. The output format looks a little different than the previous examples. Each script name will be listed followed by the script output. Warning: these scripts can output a significant amount of data! Here is some sample output:
This scan produced output from these scripts: broadcast-wpad-discover, targets-ipv6-multicast-slaac (are you sure you aren't running IPv6?), broadcast-ping, and broadcast-netbios-master-browser. Broadcast-wpad-discover only returned that it could not discover a WPAD DNS or DHCP entry.
To get an idea of what broadcast checks are performed, check the broadcast scripts in /usr/local/share/nmap/scripts/ (ls /usr/local/share/nmap/scripts/broadcast*). Here's a sampling of things I have discovered using the broadcast category: Dropbox clients, shared iTunes libraries, TiVo beacons, mDNS/Avahi/Bonjour services, MS SQL servers, UPnP capable hosts, Netbios hosts, and proxy servers (via WPAD discovery). The TiVo actually discloses the TiVo Service Number (sort of like a serial number). It seems like each time I run this script, I find a new service. While writing this article, I learned from the broadcast-upnp-info script that the Roku runs an embedded web server on TCP port 8060! However, I think the real power of the broadcast scripts is the ability to enumerate network hosts and services in virtual silence, never requiring a direction connection to the discovered host or service.