HomeNmapNmap scripts - complete tutorial

Nmap scripts – complete tutorial

The complete guide for Nmap scripts

Nmap scripts – The best tool for port scanning is Nmap only, and this Nmap tool is also good for some services other than port scanning. Advanced information can be obtained using Nmap scripts and used for enumeration.

NMAP has about 600 scripts serving different purposes. In Kali Linux, the scripts can be found at /usr/share/nmap/scripts.

What are Nmap scripts?

Nmap Scripting Engine (NSE) is one of the most powerful and flexible features of Nmap. It allows users to write simple scripts to automate a variety of networking tasks. Those scripts will be executed in parallel with the speed and performance you expect from Nmap.

All Nmap Scripts for enumeration

HTTP Enumeration

HTTP is a top-level domain that is commonly used by all hosts. This is the default port 80 that can be run. NMAP has a script for enumerating HTTP services. It can be invoked using the command below

				
					nmap --script http-enum <target IP address>
				
			
Nmap scripts – complete tutorial

The output of the HTTP-enum script shows various interesting directories hosted on the webserver that may be useful in building further attacks.

HTTP Methods

HTTP supports the use of various methods such as GET, POST, DELETE, and so on. Sometimes these methods are left open on the web server unnecessarily. you can use the NMAP script HTTP-methods, as shown in the below image to enumerate HTTP methods allowed on the target system.

				
					nmap --script http-methods <target ip address>
				
			
Nmap scripts – complete tutorial

The following are some additional NMAP scripts for HTTP enumeration:

  1. http-title
  2. http-method-tamper
  3. http-trace
  4. http-fetch
  5. http-wordpress-enum
  6. http-devframework
  7. http NSE Library

SMB Enumeration

An extension of SMB is the server message block. SMB is very helpful for network file sharing, port 445 where SMB can be run, and if you find that port 445 on your target is open you can use Nmap scripts to enumerate and collect more information.

You can invoke the SMB enumeration by using the command nmap -p 445 –script-smb-­os-discovery . The -p 445 parameter triggers the script to run against port 445 on the target.

				
					nmap -p 445 –script-smb-­os-discovery <target IP address>
				
			
Nmap scripts – complete tutorial

The following are some additional NMAP scripts for SMB enumeration:

  1. smb-enum-shares
  2. smb-vuln-ms17-010
  3. smb-protocols
  4. smb-mbenum
  5. smb-enum-users
  6. smb-enum-processes
  7. smb-enum-services

DNS Enumeration

The Domain Name System is indeed the backbone of the Internet as it does the crucial job of translating hostnames to IP addresses and vice versa. It runs on port 53 by default. Enumerating a DNS server can give a lot of interesting and useful information. NMAP has several scripts for enumerating a DNS service.

				
					nmap -p 53 -A -v <target IP address>
				
			
Nmap scripts – complete tutorial

The following are some additional NMAP scripts for DNS enumeration:

  1. dns-cache-snoop
  2. dns-service-discovery
  3. dns-recursion
  4. dns-brute
  5. dns-zone-transfer
  6. dns-nsid
  7. dns-nsec-enum
  8. dns-fuzz
  9. dns-srv-enum

FTP Enumeration

The extension of FTP is the file transfer protocol. This protocol is mostly used to transfer a file between one system and another. This is the default port 21 that can be run, Nmap contains a lot of FTP enumeration scripts. The below image shows the output of two scripts.

  1. ftp-syst
  2. ftp-anon

The output shows the FTP server version details and reveals that the server is accepting anonymous connections.

				
					nmap --scripts ftp-syst (Target IP Address) --scripts ftp-anon
				
			
Nmap scripts – complete tutorial

Since the target is running the vsftpd server, you can try another NMAP script, which will check whether the FTP server is vulnerable. The script ftp-vsftpd-backdoor can be used, as shown in the below image.

Nmap scripts – complete tutorial

The following are some additional NMAP scripts for FTP enumeration:

  1. ftp-brute
  2. ftp NSE
  3. ftp-bounce
  4. ftp-vuln-cve2010-4221
  5. ftp-libopie

MySQL Enumeration

MySQL is an excellent open-source related database management system. Its default port is 3306. Nmap has many scripts for enumerating the MySQL service. The more information you get when enumerating the MySQL service, the more helpful it will be to continue your attack.

				
					nmap --script mysql-info (Target IP Address)
				
			
Nmap scripts – complete tutorial

The output of the mysql-info script. It shows the protocol version details, server capabilities, and the salt value in use.

The following are some additional NMAP scripts for MySQL enumeration:

  1. mysql-databases
  2. mysql-enum
  3. mysql-brute
  4. mysql-query
  5. mysql-empty-password
  6. mysql-vuln-cve2012-2122
  7. mysql-users
  8. mysql-variables

SSH Enumeration

SSH is an extension of the secure shell. This secure shell is used for secure remote logins and administration. Unlike Telnet, SSH encrypts the traffic, making the communication secure. Its default port is 22. Nmap has numerous scripts for enumerations of the ssh service.

				
					nmap --script ssh2-enum-algos (Target IP Address)
				
			
Nmap scripts – complete tutorial

The following are some additional NMAP scripts for SSH enumeration:

  1. ssh-brute
  2. ssh-auth-methods
  3. ssh-run
  4. ssh-hostkey
  5. sshv1
  6. ssh-publickey-acceptance

SMTP Enumeration

Simple Mail Transfer Protocol (SMTP) is used for the transmission of electronic mail. It runs on port 25 by default. NMAP has several scripts for enumerating the SMTP service. These NMAP scripts could reveal several weaknesses in the SMTP server such as open relays, acceptance of arbitrary commands, and so on.

				
					nmap --script smtp-commands (Target IP address)
				
			
Nmap scripts – complete tutorial

Many SMTP servers mistakenly enable open relay. This allows anyone to connect to the SMTP server without authentication and to send mails.This is indeed a critical flaw. NMAP has a script called smtp-open-relay that checks whether the target SMTP server allows for open relays, as shown in the below image.

Nmap scripts – complete tutorial

The following are some additional NMAP scripts for SMTP enumeration:

  1. smtp-enum-users
  2. smtp-commands
  3. smtp-brute
  4. smtp-ntlm-info
  5. smtp-strangeport
  6. smtp-vuln-cve2011-1764

VNC Enumeration

The full form of VNC is Virtual Network Computing, it’s commonly used for remote graphical desktop sharing. Its default port is 5900. Nmap contains numerous VNC service enumeration scripts. the below image shows the output of the vnc-info script. It shows the protocol version details along with the authentication type.

				
					nmap --script vnc-info (Target IP Address)
				
			
Nmap scripts – complete tutorial

The following are some additional scripts for VNC enumeration:

  1. vnc-brute
  2. realvnc-auth-bypass
  3. vnc-title

Service Banner Grabbing

Any service running on a system usually has a banner associated with it. A banner normally contains server version information and may even contain organization-specific information such as disclaimers, warnings, or some corporate e-mail addresses. It is certainly worthwhile to grab service banners to get more information about the target.

				
					nmap --script banner (Target IP Address)
				
			
Nmap scripts – complete tutorial

Detecting Vulnerability

So far we have seen how to do port scanning and enumeration in Nmap, Now you’ll see how NMAP can be used for conducting vulnerability assessments. Though not as comprehensive as vulnerability scanners like Nessus and OpenVAS, NMAP can certainly do basic vulnerability detection. NMAP does this with the help of Common Vulnerabilities and Exposure (CVE) IDs. It searches for matching CVEs against the services running on the target.

So first you need to install some additional scripts. So navigate to directory /usr/share/nmap/scripts and then clone two git directories, as shown here:

  1. https://github.com/vulnersCom/nmap-vulners.git
  2. https://github.com/scipag/vulscan.git
Nmap scripts – complete tutorial

Once you have downloaded the required scripts, you are all set to execute them against the target.

				
					nmap -sV --script nmap-vulners <target IP address>
				
			

Conclusion

I hope I have explained everything clearly in this post, let me know by command if I miss anything you know and I want to share this post with your friends.

RELATED ARTICLES

Leave A Reply

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular