nmap scripting engine

2011-Apr-27, Wednesday 11:38 am
chebe: (GoldenMask)
[personal profile] chebe
You know nmap? It's a really helpful tool for auditing your networks, and probing your machines to check for vulnerabilities.

Aside: you should only ever use this on your own network, or one on which you have the permission of the administrator. Not everyone minds a little exploration, but you don't want to annoy the wrong people. In case you don't happen to have a network handy, nmap provides scanme.nmap.org so you can try out all but the most aggressive techniques.

I'm not going to go into a lot of detail here, so if you're interested there is info in the man pages, on the nmap website, and there is even an nmap book. Here are some very basic commands;

Host Discovery;
nmap -sn 192.168.1.0/24
Is known as a 'ping sweep'. It will check 256 possible addresses (192.168.1.0-255) and tell you which hosts/ips are up, and their MACs.

nmap -PS -PA 192.168.1.0/24
Is a kind of ping sweep, but using TCP SYN packets (-PS), and ACK packets (-PA). This will return the same information as above, but also some info on open ports and what service those ports are running.

nmap -Pn -n 192.168.1.1
Once you know a host is up you can skip the host discovery (-Pn), and if you wish skip the DNS lookup (-n). This may be a little faster on one machine, but it's slower on a range as nmap will scan every ip, even if there's no host up, because you told it to assume it's online.


Port Scanning;
nmap -sS -sU -F 192.168.1.1
Scans a machines ports with TCP SYN (-sS) and UDP (-sU) packets to try and find running services on open ports. Because of the nature of UDP, the -sU scan can take quite a long time, so I use -F option to speed it up. -F denotes fast, and only scans the 100 most popular ports. There are six states a port can be in; open, closed, filtered, unfiltered, open|filtered, closed|filtered. Open and closed are good for nmap, but highlight possible vulnerabilities for the machine/network admin. Some ports need to be open for services to run properly, e.g. port 22 is you want to use ssh, or port 80 on a webserver. Filtered generally implies some sort of protection on the port, like a firewall. Open|filtered generally means nmap isn't sure which state the port is in, and the others are less common.


Service Version and OS Detection;
nmap -sV -O 192.168.1.1
-sV scans a machine (by default with TCP packets, you can specify others) and reports back on the version of each service that is running, if it can. As well as any additional information the machine offers up, like the workgroup name of a samba share.
-O (that's capital-o, not zero), asks to try and determine the OS. nmap requires one open and one closed port to do this properly, and will then report back on the likely operating systems. By default it is quite cautious, but you can encourage it to make a guess with -O --fuzzy.


NSE;
nmap has it's own scripting engine, and many scripts are included in the default install. You can take a look at what you have in /usr/share/nmap/scripts (the libraries are in /usr/share/nmap/nselib). They are written in the Lua language, which so far seems quite easy to understand (except that not-equals is ~=). If you want to run the default set of scripts you can use either;
-sC or --script=default. Scripts tend to be quite targeted, and will only run when it finds a specific port open or a specific service running. Some of these scripts are classified as intrusive, so again be careful. You'll find categories and documentation here.

nmap -sS -sC 192.168.1.1
So this runs the default set of scripts with a TCP SYN scan on one machine. If you have ssh open ssh-hostkey.nse will be run, and will return the keys. Before you panic, if you're using ssh2 there's no reason for alarm. At worst this can be used as a means of identifying your specific machine/user in an environment where your ip is likely to change frequently.
If this is run against a server or router it is likely port 80 is open, and group of http* scripts will be run. Some just grab the header, fav icon, report back on what methods are allowed, and if authentication is required what type (also returning the realm). But, well, I saw something in a video of the nmap talk at DefCon, and want to try it.

http-brute.nse. Will attempt to brute-force http passwords. This is definitely intrusive. This script is not included in nmap by default (I think it's still under development), but it is on the website. You can grab the source, but it's unlikely to work straight off; it requires different versions of libraries and scripts than the ones you have (most likely). Here's what I had to do to get it working;
- Make backups of /usr/share/nmap/nselib/ http.lua and stdnse.lua libraries
- Download the newer versions from the website, as well as get the brute.lua library
- Download the http-brute.nse script
- nmap -sS --script=http-brute --script-args='http-brute.path=/' 192.168.1.1
- add -d for debug info if it doesn't work, -v for verbose output
- and don't blame me if it takes down your router and deprives you of internets.

It doesn't work as is for me, I keep getting this error:
"NSE: http-brute against 192.168.1.1:80 threw an error!
/usr/share/nmap/scripts/http-brute.nse:79: attempt to compare nil with number
"
followed by a stack-trace.

So, I opened up the script and added an additional error check:
if ( response.status == nil ) then
	return false, brute.Error:new( "Response status is nil" )
end


There could be an error in the script I'm not seeing, but, basically, it doesn't work against my router. Which, all in all, actually makes me happy! Good secure router *pets* As is the script/library is quite limited, but in future it might become something more formidable. Mind, nmap isn't trying to become an exploitation framework, so maybe the scripts true implementation will be left as an exercise to the reader.

A couple other places to take a look for nmap scripting;
http://www.indepthdefense.com/2008/06/first-stab-at-nse-scripting.html
http://www.attackvector.org/favorite-nmap-nse-scripts/


On a related note; are you running BackTrack in VirtualBox, have enabled the network connections and everything, but still no internet? Try;
/etc/init.d/networking restart
When complete check ifconfig. I found my wireless connection hiding in eth1!

They say a little knowledge is a dangerous thing. Let's prove them wrong.
From:
Anonymous (will be screened)
OpenID (will be screened if not validated)
Identity URL: 
User
Account name:
Password:
If you don't have an account you can create one now.
Subject:
HTML doesn't work in the subject.

Message:

If you are unable to use this captcha for any reason, please contact us by email at support@dreamwidth.org


 
Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.
Page generated 2017-Jun-26, Monday 07:02 am
Powered by Dreamwidth Studios