Nmap Scripting Engine and http-enumeration

Uploaded on

I cover some basics of the nmap scripting engine, focusing on http-enumeration.

I cover some basics of the nmap scripting engine, focusing on http-enumeration.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. NMAP Scripting Engine [NSE] Teaching an old dog new tricks
  • 2. NMAP Scans host/network for open ports. Nmap scan report for Host is up (0.054s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 515/tcp open printer 631/tcp open ipp 9100/tcp open jetdirect
  • 3. [NSE] Auth Discovery DOS Exploit External Fuzzer Intrusive Safe Version Vuln Lets you add more checks to the same old scans.
  • 4. afp-brute.nse gopher-ls.nse ms-sql-info.nse smb-enum-shares.nse afp-path-vuln.nse hddtemp-info.nse ms-sql-query.nse smb-enum-users.nse afp-serverinfo.nse hostmap.nse ms-sql-tables.nse smb-flood.nse afp-showmount.nse http-auth.nse ms-sql-xp-cmdshell.nse smb-os-discovery.nse asn-query.nse http-brute.nse mysql-brute.nse smb-psexec.nse auth-owners.nse http-date.nse mysql-databases.nse smb-security-mode.nse auth-spoof.nse http-domino-enum-passwords.nse mysql-empty-password.nse smb-server-stats.nse banner.nse http-enum.nse mysql-info.nse smb-system-info.nse broadcast-dns-service-discovery.nse http-favicon.nse mysql-users.nse smbv2-enabled.nse broadcast-dropbox-listener.nse http-form-brute.nse mysql-variables.nse smtp-commands.nse broadcast-ms-sql-discover.nse http-headers.nse nat-pmp-info.nse smtp-enum-users.nse broadcast-upnp-info.nse http-iis-webdav-vuln.nse nbstat.nse smtp-open-relay.nse broadcast-wsdd-discover.nse http-malware-host.nse netbus-auth-bypass.nse smtp-strangeport.nse citrix-brute-xml.nse http-methods.nse netbus-brute.nse sniffer-detect.nse citrix-enum-apps.nse http-open-proxy.nse netbus-info.nse snmp-brute.nse citrix-enum-apps-xml.nse http-passwd.nse netbus-version.nse snmp-interfaces.nse citrix-enum-servers.nse http-php-version.nse nfs-ls.nse snmp-netstat.nse citrix-enum-servers-xml.nse http-robots.txt.nse nfs-showmount.nse snmp-processes.nse couchdb-databases.nse http-title.nse nfs-statfs.nse snmp-sysdescr.nse couchdb-stats.nse http-trace.nse nrpe-enum.nse snmp-win32-services.nse daap-get-library.nse http-userdir-enum.nse ntp-info.nse snmp-win32-shares.nse daytime.nse http-vhosts.nse ntp-monlist.nse snmp-win32-software.nse db2-das-info.nse http-vmware-path-vuln.nse oracle-brute.nse snmp-win32-users.nse db2-discover.nse iax2-version.nse oracle-enum-users.nse socks-open-proxy.nse dhcp-discover.nse imap-capabilities.nse oracle-sid-brute.nse sql-injection.nse dns-cache-snoop.nse informix-brute.nse p2p-conficker.nse ssh2-enum-algos.nse dns-fuzz.nse informix-query.nse path-mtu.nse ssh-hostkey.nse dns-random-srcport.nse informix-tables.nse pgsql-brute.nse sshv1.nse dns-random-txid.nse ipidseq.nse pjl-ready-message.nse ssl-cert.nse dns-recursion.nse irc-info.nse pop3-brute.nse ssl-enum-ciphers.nse dns-service-discovery.nse irc-unrealircd-backdoor.nse pop3-capabilities.nse sslv2.nse dns-zone-transfer.nse iscsi-brute.nse pptp-version.nse stuxnet-detect.nse domcon-brute.nse iscsi-info.nse qscan.nse svn-brute.nse domcon-cmd.nse jdwp-version.nse realvnc-auth-bypass.nse targets-traceroute.nse domino-enum-users.nse ldap-brute.nse resolveall.nse telnet-brute.nse drda-brute.nse ldap-rootdse.nse rmi-dumpregistry.nse upnp-info.nse drda-info.nse ldap-search.nse rpcinfo.nse vnc-brute.nse finger.nse lexmark-config.nse script.db vnc-info.nse firewalk.nse modbus-discover.nse skypev2-version.nse wdb-version.nse ftp-anon.nse mongodb-databases.nse smb-brute.nse whois.nse ftp-bounce.nse mongodb-info.nse smb-check-vulns.nse wsdd-discover.nse ftp-brute.nse ms-sql-brute.nse smb-enum-domains.nse x11-access.nse ftp-libopie.nse ms-sql-config.nse smb-enum-groups.nse ftp-proftpd-backdoor.nse ms-sql-empty-password.nse smb-enum-processes.nse giop-info.nse ms-sql-hasdbaccess.nse smb-enum-sessions.nse Scripts that exist Brute Force MySQL VNC SVN Discovery Whois Stuxnet SMB Malware Http-malware-host Smtp-strangeport Version Socks SSL X11
  • 5. Get on the bleeding edge Get yourself the newest, latest and greatest version of NMAP first. 5.36TEST3 svn co --username guest --password "" svn://svn.insecure.org/nmap/
  • 6. The basic basics description = [[ Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL injection attack.. ]] require('url') – … and/or dependencies of other NSE scripts author = "Eddie Bell" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"intrusive", "vuln"} --- -- @args sql-injection.start The path at which to start spidering; default <code>/</code>. -- @args sql-injection.maxdepth The maximum depth to spider; default 10. -- -- @output -- PORT STATE SERVICE -- 80/tcp open http -- | sql-injection: Host might be vulnerable -- | /a_index.php?id_str=1'%20OR%20sqlspider -- | /a_index.php?id_str=1'%20OR%20sqlspider -- | /a_index.php?id_str=2'%20OR%20sqlspider
  • 7. That wasn't C ...
  • 8. Lua whoa? Scripting engine. http://www.lua.org/ ✔ World of warcraft ✔ Nmap ✔ Snort ✔ Wireshark
  • 9. HTTP Enumeration Enumerates directories used by popular web applications and servers. -- @args http-enum.basepath The base path to prepend to each request. -- @args http-enum.displayall Set this argument to display all status codes. -- @args http-enum.fingerprintfile Specify a different file to read fingerprints from. -- @args http-enum.category Set to a category (as defined in the fingerprints file). -- -- @output -- Interesting ports on test.skullsecurity.org ( -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack -- | http-enum: -- | | /icons/: Icons and images -- | | /images/: Icons and images -- | | /robots.txt: Robots file -- | | /sw/auth/login.aspx: Citrix WebTop -- | | /images/outlook.jpg: Outlook Web Access -- | | /nfservlets/servlet/SPSRouterServlet/: netForensics -- |_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics author = "Ron Bowes, Andrew Orr, Rob Nicholls" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"discovery", "intrusive", "vuln"}
  • 10. Fingerprints .../nselib/data/http-fingerprints.lua table.insert(fingerprints, { category='general', probes={ {path='/', method='GET'} }, matches={ {match='<title>Index of .*(Apache.*) Server at', output='Root directory w/ listing on '1''}, {match='<title>Index of', output='Root directory w/ directory listing'} } })
  • 11. Making it better Starting Nmap 5.36TEST3 ( http://nmap.org ) PORT STATE SERVICE 80/tcp open http | http-enum: | /wordpress/wp-login.php: WordPress 3.0.x found | /pligg/readme.html: Pligg version 1.1.1 | /xoda/README: XODA 0.1.1 | /statusnet/README: StatusNet README version 0.9.5 | /comic/: comiccms | /wordpress/: wordpress 3.0.4 | /openx/www/admin/index.php: openx v2.8.7 - http://www.openx.org | /splashfrog/: Splash Frog WMS v4.1 | /vanilla/: Vanilla Forums v2.0.16 | /statusnet/: StatusNet v0.9.5 | /trac/: Trac version 0.11.1 | /lime/: limesurvey http://www.limesurvey.org | /getsimple/: getsimple - 2.03
  • 12. And beyond! More tricks … Vulnerability detection Exploit scanner Malware detection Hardware detection?
  • 13. The bounty hunt The reward only credit … ---HTTP Fingerprint files, compiled by Ron Bowes with a special thanks to... -- o Kevin Johnson (@secureideas) for the fingerprints that come with Yokoso -- http://yokoso.inguardians.com -- o Jason H. (@jhaddix) for helping out with a whole pile of fingerprints he's -- collected -- o Bob Dooling -- o Robert Rowley for the awesome open source cms and README checks -- http://www.irvineunderground.org
  • 14. LINKS! ● http://nmap.org/book/nse.html ● http://www.lua.org/