Nmap for Scriptors

null Mumbai Chapter October 2013 Meet

    Presentation Transcript

    • Nmap for Scriptors
      Sanoop Thomas, @s4n7h0
    • Disclaimer
      • This is a very small session meant to cover some coding concepts (I agree it's a bad try)
      • We will try to cover the most important points required
      • A kick-start session for security researchers to learn how NSE scripts can be built and used to create PoCs
    • Some Wrong Questions
      I'm sure many of you are already familiar with Nmap, but still, for those who are new...
      • How many of you have used Nmap?
      • What about the -A option?
      • What are Nmap scripts?
    • Nmap Script Scan
    • Script Path
      • Windows – C:\Program Files (x86)\Nmap\scripts
      • Linux – /usr/share/nmap/scripts
      • In BackTrack – /usr/local/share/nmap/scripts
    • Nmap Script Engine [NSE]
      • Network Discovery
      • Version Detection
      • Vulnerability Detection
      • Malware Detection
      • Exploitation
    • Anatomy of NSE
      • require
      • metadata
      • categories
      • portrule
      • action
    • NSE Skeleton

        -- metadata: shown to the user by nmap --script-help
        description = [[ Just to show the skeleton of an NSE script ]]
        author = "Mr. X"
        categories = {"safe", "discovery"}

        -- require: import the library that builds port rules
        local shortport = require "shortport"

        -- portrule: run on 80/8080/443, or on any TCP port detected as http
        portrule = shortport.port_or_service({80, 8080, 443}, {"http"}, {"tcp"})

        -- action: the code executed when the portrule matches
        action = function(host, port)
          return "Webserver found on port " .. port.number
        end
    • require
      • Import libraries
      • require "shortport"
      • local shortport = require "shortport"
    • metadata
      • Includes the description of the script, author name, license information, etc.
      • Not needed for the script to run, but it helps the user know what your script does
    • categories
      • Defines the type of your script – auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
      • Matters because you can select which scripts to run by category
    • Scan Smartly
      • nmap --script "http-*"
      • nmap --script "http-* and ftp-*"
      • nmap --script "not brute"
      • nmap --script "vuln,safe"
      • nmap --script "vuln or safe"
      • nmap --script "(vuln or safe) and not http-*"
    • portrule
      • Script execution is conditional
      • portrule = shortport.http
      • portrule = shortport.port_or_service(21, "ftp")
    • action
      • The actual code to execute, run only when the portrule matches
      • A combination of Lua code and Nmap library calls

        action = function(host, port)
          -- code to execute
        end
    • Some Practical Approach
      • It's coding – meaning, giving life to a code snippet
      • So, you need to know how, what, why, etc.
    • Tips for Scriptors
      • Specify the script directory (--datadir)
      • Use debugging mode when running the script (-d)
      • Update the script database once you are done with the final version (--script-updatedb)
      • Use script trace (--script-trace)
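    As an added example (not from the slides, and not one of Nmap's own scripts): one complete NSE script that follows the require / metadata / categories / portrule / action anatomy described above. It makes a single read-only HTTP request and reports which common browser-protection response headers are missing, which is the kind of check a "safe" discovery script can do. The file name http-security-headers-check.nse, the author string and the script-argument name are assumptions.

```lua
-- Added example (not from the slides): an NSE script following the
-- require / metadata / categories / portrule / action layout.
-- Hypothetical file name: http-security-headers-check.nse
-- (place it in the Nmap scripts directory or point --datadir at its folder).

-- require: libraries this script needs
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"

-- metadata: description, author, license
description = [[
Fetches one page from an HTTP(S) service and reports which common
browser-protection response headers are missing. Read-only, single request.
]]

author = "Added example (assumed name)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- categories: "safe" so it is selected by --script safe, "discovery" for what it does
categories = {"safe", "discovery"}

-- Headers expected from any web application. Names are lower-case because the
-- http library stores response headers under lower-case keys.
local EXPECTED = {
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}

-- HSTS only means something over TLS, so it is checked separately.
local HSTS = "strict-transport-security"

-- Pure helper: given the response header table and whether the port is TLS,
-- return the list of missing header names. Kept apart from the network code
-- so the decision logic can be read (and reused) on its own.
local function missing_headers(headers, is_tls)
  local missing = {}
  for _, name in ipairs(EXPECTED) do
    if not headers[name] then
      missing[#missing + 1] = name
    end
  end
  if is_tls and not headers[HSTS] then
    missing[#missing + 1] = HSTS
  end
  return missing
end

-- portrule: run only against ports Nmap identified as HTTP(S)
portrule = shortport.http

-- action: one GET to the configured path, then the header check
action = function(host, port)
  -- optional script argument (assumed name), e.g.
  --   --script-args http-security-headers-check.path=/login
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  local response = http.get(host, port, path)
  if not response or not response.status then
    -- No usable HTTP response (refused, timed out, non-HTTP banner):
    -- returning nil means nothing is printed for this port.
    return nil
  end

  -- TLS if the service is https or Nmap detected an SSL tunnel during -sV
  local is_tls = port.service == "https"
    or (port.version ~= nil and port.version.service_tunnel == "ssl")

  local output = stdnse.output_table()
  output.path = path
  output.status = response.status
  local missing = missing_headers(response.header, is_tls)
  if #missing == 0 then
    output.missing = "none"
  else
    output.missing = missing
  end
  return output
end
```

    Following the tips on the slide above, the development loop is: save the file, run it with --datadir pointing at its folder and -d (plus --script-trace when the request itself needs inspecting), and once it behaves run --script-updatedb so that --script safe or --script "http-*" picks it up. A typical run against a server you administer is nmap -sV -p 80,443 --script http-security-headers-check <server>; the -sV is what fills port.version.service_tunnel, so without it the HSTS check only fires on ports named https.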
    • References
      • nmap.org/nsedoc/
      • lua.org/docs.html
    • Any Questions?
      Thanks
      Sanoop Thomas, @s4n7h0