2. Disclaimer
• This is a very small session to accommodate some coding concepts (I agree it’s a bad try)
• We will try to cover some very important points that are required
• A kick-start session for security researchers to learn how an NSE script can be built and used to create PoCs
3. Some Wrong Questions
I’m sure many of you must be familiar with Nmap; but still, for those who are new…
• How many of you have used Nmap?
• What about the -A option?
• What are Nmap scripts?
9. NSE Skeleton
-- NSE libraries are loaded with require and bound to a local name
local shortport = require "shortport"
description = [[
Just to show the skeleton of an NSE script
]]
author = "Mr. X"
categories = {"safe", "discovery"}
-- run when the port is 80, 8080 or 443, or the service was identified as http, over tcp
portrule = shortport.port_or_service({80,8080,443},{"http"},{"tcp"})
-- called once for every host/port pair that matches the portrule
action = function(host,port)
return "Webserver found on port "..port.number
end
11. metadata
• Includes the description of the script, author name, license information, etc.
• Not relevant to execution, but helps the user know what your script does
12. categories
• Defines the type of your script
– auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
• Important because you can select the scripts to run by category
13. Scan Smartly
• nmap --script "http-*"
• nmap --script "http-* and ftp-*"
• nmap --script "not brute"
• nmap --script "vuln,safe"
• nmap --script "vuln or safe"
• nmap --script "(vuln or safe) and not http-*"
15. action
• The actual code to execute when the portrule matches
• A combination of Lua code and Nmap library calls
action = function(host, port)
-- code to execute
end
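A complete script that fills in the skeleton from the slides above (metadata, categories, portrule, action) with a defensive check, added here as an example and not part of the original deck. It assumes the file is saved as http-header-check.nse in a directory passed with --datadir; the script-args name http-header-check.path is a hypothetical name chosen for this example, while shortport.http, http.get, stdnse.output_table and stdnse.debug1 are real NSE library calls.

```lua
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Requests one page from a web server and reports the Server banner
plus any common HTTP security headers missing from the response.
]]

author = "Mr. X"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Hypothetical script argument name for this example: the path to request.
-- e.g. nmap --script http-header-check --script-args http-header-check.path=/login <target>
local arg_path = stdnse.get_script_args("http-header-check.path") or "/"

-- Only run against ports Nmap believes speak HTTP (80, 443, 8080, ... or service "http")
portrule = shortport.http

-- Headers a hardened web server is expected to send; names are lower case
-- because the http library normalizes response header keys that way.
local EXPECTED = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

action = function(host, port)
  local response = http.get(host, port, arg_path)
  if not response or not response.status then
    -- visible with -d; returning nil prints nothing for this port
    stdnse.debug1("no HTTP response from %s:%d", host.ip, port.number)
    return nil
  end

  local out = stdnse.output_table()
  out.status = response.status
  out.server = response.header["server"] or "(not disclosed)"

  local missing = {}
  for _, name in ipairs(EXPECTED) do
    if not response.header[name] then
      missing[#missing + 1] = name
    end
  end
  if #missing > 0 then
    out.missing_security_headers = missing
  end
  return out
end
```

Returning a table from stdnse.output_table() lets Nmap render the result as normal text and as structured XML (-oX) without extra formatting code.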
16. Some Practical Approach
• It’s coding
– Means giving life to a code snippet
– So,
• You need to know how, what, why etc.
17. Tips for Scriptors
• Specify the script directory (--datadir)
• Use debugging mode when running the script (-d)
• Update the script database once you are done with the final version (--script-updatedb)
• Use script trace (--script-trace)