Nmap for Scriptors

Published on: null Mumbai Chapter October 2013 Meet

Published in: Education, Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,406
On SlideShare
0
From Embeds
0
Number of Embeds
361
Actions
Shares
0
Downloads
42
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide


  1. Nmap for Scriptors
     Sanoop Thomas @s4n7h0
  2. Disclaimer
     • This is a very small session to accommodate some coding concepts (I agree it's a bad try)
     • We will try to cover some of the very important points required
     • A kick-start session for security researchers to learn how NSE scripts can be built and used to create PoCs
  3. Some Wrong Questions
     I'm sure many of you must be familiar with Nmap; but still, for those who are new...
     • How many of you have used Nmap?
     • What about the -A option?
     • What are Nmap scripts?
  4. Nmap Script Scan
  5. Script Path
     • Windows: C:\Program Files (x86)\Nmap\scripts
     • Linux: /usr/share/nmap/scripts
     • BackTrack: /usr/local/share/nmap/scripts
  6. Nmap Scripting Engine [NSE]
     • Network Discovery
     • Version Detection
     • Vulnerability Detection
     • Malware Detection
     • Exploitation
  7. Anatomy of an NSE script
     • require
     • metadata
     • categories
     • portrule
     • action
  8. NSE Skeleton

     -- Metadata: free text shown by "nmap --script-help"
     description = [[
     Just to show the skeleton of an NSE script
     ]]
     author = "Mr. X"
     categories = {"safe", "discovery"}

     -- Library import (the local form is the one current Nmap releases expect)
     local shortport = require "shortport"

     -- Rule: run only on ports 80/8080/443 or any TCP port identified as "http"
     portrule = shortport.port_or_service({80, 8080, 443}, {"http"}, {"tcp"})

     -- The code that runs when the rule matches
     action = function(host, port)
       return "Webserver found on port " .. port.number
     end
  9. require
     • Imports libraries
     • require "shortport"
     • local shortport = require "shortport"
  10. metadata
     • Includes the description of the script, author name, license information, etc.
     • Not much relevant to execution, but it helps the user know what your script does
  11. categories
     • Defines the type of your script: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
     • Matters because scripts can be selected by category
  12. Scan Smartly
     • nmap --script "http-*"
     • nmap --script "http-* and ftp-*"
     • nmap --script "not brute"
     • nmap --script "vuln,safe"
     • nmap --script "vuln or safe"
     • nmap --script "(vuln or safe) and not http-*"
  13. portrule
     • Script execution is conditional
     • portrule = shortport.http
     • portrule = shortport.port_or_service(21, "ftp")
  14. action
     • The actual code to execute, based on the portrule
     • A combination of Lua code and Nmap library calls

     action = function(host, port)
       -- code to execute
     end
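The skeleton of slides 7 to 14 as one complete, working script, added here as an example (it is not from the deck, nor from Nmap's own script collection): it fetches `/` from a web service and reports the HTTP status and the Server header. It assumes a recent Nmap (7.x) whose NSE libraries provide `http.get`, `shortport.http` and `stdnse.debug1`; the script name `http-server-banner-example` and the author string are placeholders.

```lua
-- http-server-banner-example.nse (added example, not an official Nmap script)

-- require: pull in the NSE libraries this script calls
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"

-- metadata: shown by "nmap --script-help http-server-banner-example"
description = [[
Requests / from an HTTP service and reports the response status and the
Server header, if the server sends one. Illustrates the
require / metadata / categories / portrule / action structure of an NSE script.
]]

author     = "placeholder author"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- categories: "safe" because it sends a single normal GET; "discovery"
-- because it only reports information. These decide when "--script safe"
-- or "--script discovery" selects it.
categories = {"safe", "discovery"}

-- portrule: shortport.http matches the usual web ports and any port that
-- version detection (-sV) labelled as an HTTP service, so the script also
-- runs on non-standard ports without a hand-maintained port list.
portrule = shortport.http

-- action: one HTTP GET, then a human-readable result. Returning nil makes
-- Nmap print nothing for this port, the convention when there is nothing
-- to report.
action = function(host, port)
  local response = http.get(host, port, "/")

  -- Connection failure or no parseable response: log under -d, report nothing
  if not response or not response.status then
    stdnse.debug1("no HTTP response from %s:%d", host.ip, port.number)
    return nil
  end

  -- The http library lower-cases header names in response.header
  local server = response.header["server"]
  if not server then
    return ("HTTP %d, no Server header"):format(response.status)
  end
  return ("HTTP %d, Server: %s"):format(response.status, server)
end
```

To try it without touching the installed script directory, pass the file path directly and enable debug output and the script trace from slide 16: `nmap -sV -p 80,443,8080 --script ./http-server-banner-example.nse -d --script-trace TARGET`, where TARGET is a web server you administer. Once it lives in the scripts directory, `nmap --script-updatedb` registers its categories so `--script "safe and http-*"` picks it up.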
  15. Some Practical Approach
     • It's coding, which means giving life to a code snippet
     • So you need to know the how, what, why, etc.
  16. Tips for Scriptors
     • Specify the script directory (--datadir)
     • Use debugging mode when running a script (-d)
     • Update the script database once you are done with the final build (--script-updatedb)
     • Use script trace (--script-trace)
  17. References
     • nmap.org/nsedoc/
     • lua.org/docs.html
  18. Any Questions?
     Thanks
     Sanoop Thomas @s4n7h0
