Wednesday, May 23, 2012

Getting Started With NSE, The Nmap Scripting Engine

After talking with some friends last week, I realized that the Nmap Scripting Engine (NSE) is an unappreciated and underutilized Nmap component. That is unfortunate, since NSE has easily become my favorite Nmap feature. According to the Nmap 6 release notes, the number of available NSE scripts is nearly 350! This seems like a good time for a long overdue blog post. This post talks about using the built-in Nmap 5 scripts. It's intended to introduce NSE and assumes at least some Nmap exposure.
If you are using Backtrack 5, the NSE scripts are located in /usr/local/share/nmap/scripts/ (distribution packages of Nmap usually put them under /usr/share/nmap/scripts/ instead). Each file ends with a .nse extension and is plain text. The scripts cover a variety of areas including vulnerabilities, information gathering, and exploitation. If you are uncertain of what a script does, simply open it in a text editor: the header of every script carries a description, the script arguments it accepts, and sample output. The same description is printed by nmap --script-help smb-enum-shares (a category name works there too), and the file script.db in the scripts directory records which categories each script belongs to.

I'll walk you through a few examples of using NSE scripts. The first will show running the smb-enum-shares.nse script. This script connects to a Windows or Samba file server over SMB (TCP 445 or 139) and enumerates the shares. The -Pn option skips host discovery and treats the target as up. The syntax is:
nmap -Pn --script=smb-enum-shares <target>

You will obviously need to replace <target> with the IP address of your file server. If the server refuses anonymous enumeration, the script accepts credentials via --script-args smbusername=<user>,smbpassword=<password>. Here is the output:

You can see there are four shares: ADMIN$, C$, IPC$, and "Documents and Settings" (ADMIN$, C$ and IPC$ are the default administrative shares on Windows). Another simple script is http-headers, which does exactly what it says: it sends a HEAD request and retrieves the HTTP response headers. Here is the syntax:
nmap -Pn -p80 --script=http-headers <target>

Again, replace <target> with the server you wish to retrieve the HTTP headers from. And here is the output:

Those are some pretty simple examples. Here is a slightly more complex one using smb-check-vulns.
nmap -Pn -p445 --script=smb-check-vulns <target>

While this command may not appear more complex than the previous examples, the checks performed are more powerful. By default this command checks for the MS08-067 vulnerability and for signs that the host is infected with Conficker. The script's remaining checks (MS06-025, MS07-029, the regsvc denial of service and the SMBv2 denial of service) can crash a vulnerable service, so they stay disabled unless you pass unsafe=1. Later Nmap releases dropped smb-check-vulns in favor of separate smb-vuln-* scripts (smb-vuln-ms08-067, for example), so on a current install look for those instead. Here is the output:

You can try running the unsafe checks with the command below. I have had limited luck with this, usually resulting in an SMB server crash (not good in a production environment!).
nmap -Pn -p445 --script=smb-check-vulns --script-args=unsafe=1 <target>
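Once a scan like the three above is saved with -oX, the script results can be consumed programmatically instead of read off the screen. The following is an added example, not code from the original post or from the Nmap project: it parses the per-port script elements and the per-host hostscript block out of Nmap's XML, turns the structured table/elem output into dicts, and then extracts share names, HTTP headers and VULNERABLE verdicts. The XML sample is constructed for this example; the host address, share list, header values and vulnerability states are made up, and only the element layout follows Nmap's XML output.

```python
"""Pull NSE script results out of Nmap XML output (-oX), stdlib only.

Added example; not code from the original post or from the Nmap project.
It reads the per-port <script> elements and the per-host <hostscript>
block, and turns nmap's structured <table>/<elem> output into dicts.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what the single-script scans above might write with
# -oX. The host, share list, header values and vulnerability states are made
# up for this example; only the element layout follows nmap's XML output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.00">
<host>
  <status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="80">
      <state state="open"/>
      <service name="http"/>
      <script id="http-headers" output="&#10;  Server: Microsoft-IIS/6.0&#10;  X-Powered-By: ASP.NET&#10;  &#10;  (Request type: HEAD)&#10;"/>
    </port>
    <port protocol="tcp" portid="445">
      <state state="open"/>
      <service name="microsoft-ds"/>
    </port>
  </ports>
  <hostscript>
    <script id="smb-enum-shares" output="&#10;  ADMIN$&#10;  C$&#10;  Documents and Settings&#10;  IPC$&#10;">
      <table key="ADMIN$">
        <elem key="Type">STYPE_DISKTREE_HIDDEN</elem>
        <elem key="Comment">Remote Admin</elem>
        <elem key="Anonymous access">&lt;none&gt;</elem>
      </table>
      <table key="C$">
        <elem key="Type">STYPE_DISKTREE_HIDDEN</elem>
        <elem key="Comment">Default share</elem>
        <elem key="Anonymous access">&lt;none&gt;</elem>
      </table>
      <table key="Documents and Settings">
        <elem key="Type">STYPE_DISKTREE</elem>
        <elem key="Comment"></elem>
        <elem key="Anonymous access">READ</elem>
      </table>
      <table key="IPC$">
        <elem key="Type">STYPE_IPC_HIDDEN</elem>
        <elem key="Comment">Remote IPC</elem>
        <elem key="Anonymous access">READ</elem>
      </table>
    </script>
    <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)&#10;"/>
  </hostscript>
</host>
</nmaprun>
"""


def _structured(elem):
    """Convert nested <table>/<elem> children into dicts (keyed) or lists."""
    children = list(elem)
    if not children:
        return elem.text or ""
    if all(child.get("key") is not None for child in children):
        return {child.get("key"): _structured(child) for child in children}
    return [_structured(child) for child in children]


def _record(addr, port, script):
    return {
        "host": addr,
        "port": port,                        # None for host scripts
        "script": script.get("id"),
        "output": script.get("output", "").strip(),
        "data": _structured(script) if len(script) else {},
    }


def parse_nse_results(xml_text):
    """One record per script result: host, port, script id, text and structured data."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        for port in host.iter("port"):          # port scripts sit under <port>
            for script in port.findall("script"):
                results.append(_record(addr, int(port.get("portid")), script))
        hostscript = host.find("hostscript")    # host scripts sit under <hostscript>
        if hostscript is not None:
            for script in hostscript.findall("script"):
                results.append(_record(addr, None, script))
    return results


def enumerated_shares(results):
    """{host: {share: anonymous access}} from smb-enum-shares structured output."""
    shares = {}
    for r in results:
        if r["script"] == "smb-enum-shares" and isinstance(r["data"], dict):
            shares[r["host"]] = {
                name: (info.get("Anonymous access", "") if isinstance(info, dict) else "")
                for name, info in r["data"].items()}
    return shares


def http_headers(results):
    """{(host, port): {header: value}} parsed from http-headers' plain-text output."""
    headers = {}
    for r in results:
        if r["script"] != "http-headers":
            continue
        parsed = {}
        for line in r["output"].splitlines():
            line = line.strip()
            if not line or line.startswith("("):   # skip blanks and "(Request type: HEAD)"
                continue
            name, sep, value = line.partition(":")
            if sep:
                parsed[name.strip()] = value.strip()
        headers[(r["host"], r["port"])] = parsed
    return headers


def flagged_vulns(results):
    """[(host, check)] for every smb-check-vulns line whose state is VULNERABLE."""
    flagged = []
    for r in results:
        if r["script"] != "smb-check-vulns":
            continue
        for line in r["output"].splitlines():
            check, sep, state = line.strip().partition(":")
            if sep and state.strip().startswith("VULNERABLE"):   # "NOT VULNERABLE" does not match
                flagged.append((r["host"], check.strip()))
    return flagged


if __name__ == "__main__":
    results = parse_nse_results(SAMPLE_XML)
    print("shares:", enumerated_shares(results))
    print("headers:", http_headers(results))
    print("vulnerable:", flagged_vulns(results))
```

Note the split between port scripts and host scripts: http-headers attaches to the port it ran against, while the SMB scripts report under hostscript, so a parser that only walks the port list silently misses them. Replace SAMPLE_XML with the contents of a real -oX file to use this against a scan.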

The previous commands all demonstrated running a single NSE script. Another method of invoking scripts is to use NSE script categories. The NSE usage chapter of the Nmap book (https://nmap.org/book/nse-usage.html) lists all of the available categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. One of my favorites is the broadcast category. Its scripts send probes to broadcast and multicast addresses rather than to individual hosts, and most of them are also tagged safe, so the category can be run on a production network with virtually no concerns. The syntax is very similar to the previous examples:
nmap -Pn --script=broadcast

Notice how this example does not specify a target host (the -Pn is harmless here but not needed). Broadcast scripts run in Nmap's pre-scanning phase, before any target would be probed, and find hosts and services that advertise themselves on the local network's broadcast and multicast addresses. The output format looks a little different than the previous examples. Each script name is listed under "Pre-scan script results:" followed by that script's output. Warning: these scripts can output a significant amount of data! Here is some sample output:

This scan produced output from these scripts: broadcast-wpad-discover, targets-ipv6-multicast-slaac (are you sure you aren't running IPv6?), broadcast-ping, and broadcast-netbios-master-browser. broadcast-wpad-discover only returned that it could not discover a WPAD DNS or DHCP entry.

To get an idea of what broadcast checks are performed, check the broadcast scripts in /usr/local/share/nmap/scripts/ (ls /usr/local/share/nmap/scripts/broadcast*). Keep in mind that the file name is not the category: targets-ipv6-multicast-slaac ran above because script.db tags it broadcast, even though the ls pattern never lists it. Here's a sampling of things I have discovered using the broadcast category: Dropbox clients, shared iTunes libraries, TiVo beacons, mDNS/Avahi/Bonjour services, MS SQL servers, UPnP capable hosts, NetBIOS hosts, and proxy servers (via WPAD discovery). The TiVo actually discloses the TiVo Service Number (sort of like a serial number). It seems like each time I run this script, I find a new service. While writing this article, I learned from the broadcast-upnp-info script that the Roku runs an embedded web server on TCP port 8060! However, I think the real power of the broadcast scripts is the ability to enumerate network hosts and services in virtual silence, never requiring a direct connection to the discovered host or service. The discovered hosts see nothing aimed at them, although the broadcast probes themselves are visible to anyone sniffing the segment.
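Because category membership lives in script.db rather than in file names, the reliable way to answer "what will --script=broadcast actually run?" is to resolve the selection against script.db the way Nmap does. The following is an added example, not code from the original post or from the Nmap project: it parses script.db entries and evaluates a simplified model of the --script selection grammar (script names, categories, all, shell-style wildcards, and/or/not, parentheses, and commas acting as or; script directories and per-script arguments are not modeled). The script.db excerpt is constructed for this example and its category lists are illustrative; point load_script_db at the real file to query your own install.

```python
"""Resolve an Nmap-style --script selection against script.db, stdlib only.

Added example; not code from the original post or from the Nmap project.
The --script grammar implemented here is a simplified model of Nmap's:
names, categories, "all", shell-style wildcards, "and"/"or"/"not",
parentheses and commas (which behave like "or"). Directories and
per-script arguments are not modeled.
"""
import fnmatch
import re

# Constructed excerpt in the format of script.db (one Lua-style Entry per
# line). Category lists are illustrative, not copied from a real install.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "broadcast-dropbox-listener.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-ping.nse", categories = { "broadcast", "discovery", "safe", } }
Entry { filename = "broadcast-upnp-info.nse", categories = { "broadcast", "safe", } }
Entry { filename = "broadcast-wpad-discover.nse", categories = { "broadcast", "safe", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "smb-check-vulns.nse", categories = { "intrusive", "exploit", "dos", "vuln", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "targets-ipv6-multicast-slaac.nse", categories = { "broadcast", "discovery", } }
"""

_ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)".*?categories\s*=\s*\{([^}]*)\}')
_TOKEN_RE = re.compile(r"\(|\)|,|[\w*?.\-]+")


def load_script_db(text):
    """Parse script.db text into {script_name: set(categories)}, ".nse" stripped."""
    db = {}
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if not m:
            continue
        name = m.group(1)
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def scripts_in_category(db, category):
    """Scripts tagged with a category, whatever their file name starts with."""
    return sorted(name for name, cats in db.items() if category in cats)


class _SpecMatcher:
    """Recursive-descent evaluator: does one script satisfy a --script spec?"""

    def __init__(self, tokens, name, cats):
        self.tokens, self.name, self.cats, self.pos = tokens, name, cats, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):                      # expr := term (("or" | ",") term)*
        val = self.term()
        while self.peek() in ("or", ","):
            self.take()
            val = self.term() or val     # evaluate the term first so its tokens are consumed
        return val

    def term(self):                      # term := factor ("and" factor)*
        val = self.factor()
        while self.peek() == "and":
            self.take()
            val = self.factor() and val
        return val

    def factor(self):                    # factor := "not" factor | "(" expr ")" | atom
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of --script spec")
        if tok == "not":
            return not self.factor()
        if tok == "(":
            val = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in --script spec")
            return val
        return self.atom(tok)

    def atom(self, tok):
        # A bare word is "all", a category, or a (possibly wildcarded) script name.
        return (tok == "all" or tok in self.cats
                or fnmatch.fnmatchcase(self.name, tok)
                or fnmatch.fnmatchcase(self.name + ".nse", tok))


def select_scripts(db, spec):
    """Return the sorted script names an Nmap-style --script spec would run."""
    tokens = _TOKEN_RE.findall(spec)
    selected = []
    for name, cats in db.items():
        matcher = _SpecMatcher(tokens, name, cats)
        chosen = matcher.expr()
        if matcher.peek() is not None:
            raise ValueError("trailing tokens in --script spec: %r" % matcher.tokens[matcher.pos:])
        if chosen:
            selected.append(name)
    return sorted(selected)


if __name__ == "__main__":
    db = load_script_db(SAMPLE_SCRIPT_DB)
    for spec in ("broadcast", "broadcast and not targets-*", "safe and not broadcast"):
        print("--script '%s' -> %s" % (spec, ", ".join(select_scripts(db, spec))))
```

The "broadcast and not targets-*" case is the one worth remembering: it keeps the passive discovery scripts while dropping the targets-* scripts, which exist to feed newly found hosts back into the scan when the newtargets argument is set.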

I hope you enjoyed this intro to NSE scripts. Thanks for reading!