RSS

Nmap Scripting Engine – Basic Usage

08 Mar

Nmap is not only a port scanner that could be used for scanning ports on a machine but also contains a script engine that offers the ability to execute scripts that could be used for more in-depth discovery of a target.

Nmap includes a variety of ready-made scripts that could be used for that reason.You can run scripts one at a time or you can execute scripts by category.Of course Nmap offers the option to execute multiple scripts at a time.

Currently the Nmap has the following Script Categories:

Execute Scripts Related to Authentication

As you can see from the image below we have selected to execute the Auth scripts against a target in our network.From the results we can see that Nmap has successfully discover the users accounts on the remote machine and the Domain name.

Run Default Scripts

The default scripts category will expose information about the operating system,the workgroup name, the netbios names etc.You can see the image below for more details:

Running Scripts that contacting external sources

There is a category of scripts called external that performs an automatic Web Whois to the target and discovers additional information like the geographical location,the name of the organization and the net range.

Executing the Discovery Scripts

This category of scripts is ideal when we need to have as much information as possible for a specific target.The next two images are a sample of what kind of information could be delivered to us when we run the Discovery Scripts.

Scanning with Safe Scripts

This category could be used when we want to run scripts that are less intrusive to the target so it will be less likely to cause any disruption to the remote system.As we can see in the next two images the scripts have discovered the router IP address,the domain name of the network and the master browser.

Check targets for common vulnerabilities

Another category of scripts is the vuln.These kind of scripts will check your target host for common vulnerabilities.In the example below the target is running Windows XP.

Identify Vulnerabilties

As we can see the Nmap scripts have successfully discovered the vulnerability that affects Windows XP operating systems.With those kind of scripts we can have an early indication of vulnerable targets and what exploits we should use as a start.

Update the Script Database

You can use the command nmap –script-updatedb in order to update the scripts database.

Have in mind that you can browse the database scripts in order to find the ones you need.The default storage location of the scripts in Windows is at:

C:\Program Files\Nmap\scripts

and in Unix Versions

/usr/share/nmap/scripts or

/usr/local/share/nmap/scripts

Conclusion

The drawback of executing scripts by category is that the scan will take longer because the Nmap Scripting Engine will run all the scripts in the category.From the other hand this is the easiest way and you will not tangle with hundreds of scripts.

However the best option is to know what kind of information you want to retrieve in order to select the appropriate scripts from each category.Also it is always good to know how to produce your own scripts that will cover exactly your needs.

About these ads
 
7 Comments

Posted by on March 8, 2012 in Information Gathering

 

Tags: , , ,

7 responses to “Nmap Scripting Engine – Basic Usage

  1. Superm@n

    March 8, 2012 at 6:00 pm

    Excellent article

     
  2. koRnolio

    March 9, 2012 at 12:16 pm

    Pretty useful article, this one goes to my favs for sure, thanks!

     
  3. danielweis

    March 14, 2012 at 8:18 pm

    awesome post mate, keep up the good work

     
    • Mihir

      March 28, 2013 at 11:21 am

      Hi, useful article this one…..I am currently using nmap 6.25 for testing some features on IPv6 networks…It seems I cannot get the discovery script to run for an ipv4 and ipv6 address which is on another subnet… For example say my host is 2001:3::21( Ipv4 address 10.0.3.21) and I need to scan 2001:1::28 (Ipv4 address 10.0.1.28 ). when i run the script it returns all the ipv6 hosts of 2001:3 but not for 2001:1 which is the intended target. I need to find available Ipv6 hosts of another subnet from my machine.Is there some way to do that? Can someone help please?

       

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 686 other followers

%d bloggers like this: