Nmap Scripting Engine and http-enumeration

I cover some basics of the nmap scripting engine, focusing on http-enumeration.

Published in: Technology

Slide 1: NMAP Scripting Engine [NSE]
Teaching an old dog new tricks

Slide 2: NMAP
Scans host/network for open ports.

    Nmap scan report for 10.0.0.2
    Host is up (0.054s latency).
    Not shown: 994 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    23/tcp   open  telnet
    80/tcp   open  http
    515/tcp  open  printer
    631/tcp  open  ipp
    9100/tcp open  jetdirect

Slide 3: [NSE]
Script categories: Auth, Discovery, DOS, Exploit, External, Fuzzer, Intrusive, Safe, Version, Vuln.
Lets you add more checks to the same old scans.
Slide 4: Scripts that exist
[The slide shows a directory listing of the nmap scripts/ folder (afp-brute.nse through x11-access.nse, plus script.db); the listing is omitted here.]
Brute force: MySQL, VNC, SVN
Discovery: Whois, Stuxnet, SMB
Malware: http-malware-host, smtp-strangeport
Version: Socks, SSL, X11
Slide 5: Get on the bleeding edge
Get yourself the newest, latest and greatest version of NMAP first: 5.36TEST3.

    svn co --username guest --password "" svn://svn.insecure.org/nmap/

Slide 6: The basic basics
The header of sql-injection.nse shows the fields every NSE script carries (description, dependencies, author, license, categories) and the NSEDoc comment block that documents its arguments and sample output:

    description = [[
    Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
    injection attack.
    ]]

    require('url')  -- ... and/or dependencies of other NSE scripts

    author = "Eddie Bell"
    license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
    categories = {"intrusive", "vuln"}

    ---
    -- @args sql-injection.start The path at which to start spidering; default <code>/</code>.
    -- @args sql-injection.maxdepth The maximum depth to spider; default 10.
    --
    -- @output
    -- PORT   STATE SERVICE
    -- 80/tcp open  http
    -- | sql-injection: Host might be vulnerable
    -- | /a_index.php?id_str=1'%20OR%20sqlspider
    -- | /a_index.php?id_str=1'%20OR%20sqlspider
    -- | /a_index.php?id_str=2'%20OR%20sqlspider

Slide 7: That wasn't C ...

Slide 8: Lua whoa?
Scripting engine. http://www.lua.org/
Also embedded in:
✔ World of Warcraft
✔ Nmap
✔ Snort
✔ Wireshark

Slide 9: HTTP Enumeration
Enumerates directories used by popular web applications and servers.

    -- @args http-enum.basepath The base path to prepend to each request.
    -- @args http-enum.displayall Set this argument to display all status codes.
    -- @args http-enum.fingerprintfile Specify a different file to read fingerprints from.
    -- @args http-enum.category Set to a category (as defined in the fingerprints file).
    --
    -- @output
    -- Interesting ports on test.skullsecurity.org (208.81.2.52):
    -- PORT   STATE SERVICE REASON
    -- 80/tcp open  http    syn-ack
    -- | http-enum:
    -- | | /icons/: Icons and images
    -- | | /images/: Icons and images
    -- | | /robots.txt: Robots file
    -- | | /sw/auth/login.aspx: Citrix WebTop
    -- | | /images/outlook.jpg: Outlook Web Access
    -- | | /nfservlets/servlet/SPSRouterServlet/: netForensics
    -- |_ |_ /nfservlets/servlet/SPSRouterServlet/: netForensics

    author = "Ron Bowes, Andrew Orr, Rob Nicholls"
    license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
    categories = {"discovery", "intrusive", "vuln"}

Slide 10: Fingerprints
Fingerprints live in .../nselib/data/http-fingerprints.lua. Each entry names a category, the probes (path and method) to send, and the Lua patterns to match against the response body, with the output text to report on a match:

    table.insert(fingerprints, {
      category='general',
      probes={
        {path='/', method='GET'}
      },
      matches={
        {match='<title>Index of .*(Apache.*) Server at', output='Root directory w/ listing on \'1\''},
        {match='<title>Index of', output='Root directory w/ directory listing'}
      }
    })
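The following ties slides 6 and 10 together as an added example (not code from the slides or from Nmap): a minimal NSE script with the same header fields, a portrule, and an action that requests each path of an inline fingerprint table in the shape of http-fingerprints.lua and runs the Lua patterns over the body. The script name http-minienum.nse, the WordPress readme fingerprint and the '\1' capture placeholder are this example's own assumptions; shortport.http, http.get and stdnse.format_output are assumed to behave as in Nmap 5.x.

```lua
-- http-minienum.nse: hypothetical name, added example, not part of Nmap
description = [[Probes a few paths and matches the body against an inline
fingerprint table in the format of nselib/data/http-fingerprints.lua.]]
author = "example author"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
require 'shortport'
require 'http'
require 'stdnse'
-- Run only on ports that look like HTTP (the same rule http-enum uses).
portrule = shortport.http
-- Constructed fingerprints in the data file's shape; in this example a '\1'
-- in output is replaced by the first capture of the pattern that matched.
local fingerprints = {
  { category = 'general',
    probes = { {path = '/', method = 'GET'} },
    matches = {
      {match = '<title>Index of .*(Apache.*) Server at', output = 'Root directory w/ listing on \\1'},
      {match = '<title>Index of', output = 'Root directory w/ directory listing'},
    } },
  { category = 'cms',
    probes = { {path = '/wordpress/readme.html', method = 'GET'} },
    matches = {
      {match = 'Version (%d+%.%d+[%.%d]*)', output = 'WordPress \\1 (readme.html still published)'},
    } },
}
action = function(host, port)
  local results = {}
  for _, fp in ipairs(fingerprints) do
    for _, probe in ipairs(fp.probes) do
      local response = http.get(host, port, probe.path)
      if response and response.status == 200 and response.body then
        for _, m in ipairs(fp.matches) do
          local capture = string.match(response.body, m.match)
          if capture then
            -- First pattern that matches wins; the function replacement keeps a
            -- '%' inside the capture from being read as a gsub escape.
            local out = string.gsub(m.output, '\\1', function() return capture end)
            table.insert(results, probe.path .. ': ' .. out)
            break
          end
        end
      end
    end
  end
  if #results == 0 then return nil end
  return stdnse.format_output(true, results)
end
```

Drop the file into the scripts/ directory, run nmap --script-updatedb, and select it with --script http-minienum against your own web host.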
Slide 11: Making it better
With more fingerprints added, the same scan now reports the web applications and versions it finds:

    Starting Nmap 5.36TEST3 ( http://nmap.org )
    PORT   STATE SERVICE
    80/tcp open  http
    | http-enum:
    | /wordpress/wp-login.php: WordPress 3.0.x found
    | /pligg/readme.html: Pligg version 1.1.1
    | /xoda/README: XODA 0.1.1
    | /statusnet/README: StatusNet README version 0.9.5
    | /comic/: comiccms
    | /wordpress/: wordpress 3.0.4
    | /openx/www/admin/index.php: openx v2.8.7 - http://www.openx.org
    | /splashfrog/: Splash Frog WMS v4.1
    | /vanilla/: Vanilla Forums v2.0.16
    | /statusnet/: StatusNet v0.9.5
    | /trac/: Trac version 0.11.1
    | /lime/: limesurvey http://www.limesurvey.org
    | /getsimple/: getsimple - 2.03

Slide 12: And beyond!
More tricks ...
Vulnerability detection
Exploit scanner
Malware detection
Hardware detection?

Slide 13: The bounty hunt
The reward: only credit ...

    ---HTTP Fingerprint files, compiled by Ron Bowes with a special thanks to...
    -- o Kevin Johnson (@secureideas) for the fingerprints that come with Yokoso
    --   http://yokoso.inguardians.com
    -- o Jason H. (@jhaddix) for helping out with a whole pile of fingerprints he's
    --   collected
    -- o Bob Dooling
    -- o Robert Rowley for the awesome open source cms and README checks
    --   http://www.irvineunderground.org

Slide 14: LINKS!
● http://nmap.org/book/nse.html
● http://www.lua.org/