HakTip 105 – NMap 101: The Nmap Scripting Engine
This week on HakTip Shannon covers some troubleshooting options for NMap.
Welcome to HakTip — the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I’m Shannon Morse and today we’re checking out the Nmap Scripting Engine.
We know that NMap comes with a TON of handy commands and options pre-installed for you, but what if you want to write your own script to do some sort of special scan? This is when the NMap Scripting Engine comes in handy. Scripts are written in the Lua programming language, and come with several options to start off. There are over 400 available, so I’m just going to give you a few examples today of some of the ones I have available. You can find all of these at http://nmap.org/nsedoc/ and if you want to download any of them, do so by clicking on the file name and saving it. Mine are saved into the /usr/share/nmap/scripts folder under my home folder, so I first had to move over to that folder to get them to run in my terminal. All of these can run in Nmap 5.0 or higher, so make sure you have an updated copy of nmap. Remember last week where I showed you how to check the version? 🙂
Try this simple command: nmap --script banner 10.73.31.145. This will scan the target and give you back a banner grab by connecting to an open TCP port and printing out whatever it finds. You can also use: nmap --script "http*" 10.73.31.74 to give you back all the output for any scripts whose names start with http (or any other code word from your script library).
If you want to just do a default script output, use: nmap --script default 10.73.31.74. This is the same as using -sC. Other than just default, you can also use "all, auth, discovery, external, intrusive, malware, safe, and vuln" as category options in your command.
If you’re having trouble with a script, which I found to be a bit common, you can use this command to troubleshoot it: nmap --script ftp-anon --script-trace -p 21 10.73.31.74. This runs nmap with the ftp-anon.nse script against port 21 on my target and prints a trace of everything the script sends and receives while it connects.
Lastly, you can update your script database with nmap --script-updatedb.
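To tie the above together, here is a minimal script of the kind you would write yourself: it uses the same structure every NSE script has (description, categories, a port rule and an action) and does a simple banner grab. This is a constructed example added here, not the banner.nse that ships with Nmap; it assumes you save it as banner-example.nse in your scripts folder, run nmap --script-updatedb, and then call it with nmap --script banner-example (add --script-trace to watch the connection).

```lua
-- banner-example.nse: constructed example script, not part of Nmap's own library.
local nmap = require "nmap"
local stdnse = require "stdnse"

description = [[
Connects to each open TCP port, reads the first line the service sends,
and reports it. Illustrates the basic layout of an NSE script.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Categories decide which --script category selectors pick this up.
-- "safe" and "discovery" are real NSE categories: this script only reads.
categories = {"discovery", "safe"}

-- The port rule is evaluated once per host/port pair; the action runs
-- only where it returns true. Here: any open TCP port.
portrule = function(host, port)
  return port.protocol == "tcp" and port.state == "open"
end

-- The action does the work and returns a string shown in the scan output.
-- Returning nil means "nothing to report" for this port.
action = function(host, port)
  -- Optional script argument, e.g. --script-args banner-example.timeout=2000
  local timeout = tonumber(stdnse.get_script_args("banner-example.timeout")) or 5000

  local socket = nmap.new_socket()
  socket:set_timeout(timeout)

  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to port %d failed: %s", port.number, err)
    return nil
  end

  -- Many services speak first (FTP, SMTP, SSH); read one line and stop.
  local ok, data = socket:receive_lines(1)
  socket:close()
  if not ok then
    stdnse.debug1("no banner on port %d: %s", port.number, data)
    return nil
  end

  -- Drop the trailing line ending so the output stays on one line.
  data = data:gsub("[\r\n]+$", "")
  return "banner: " .. data
end
```

Services that wait for the client to speak first (HTTP, for example) will time out and simply produce no output, which is the expected behaviour rather than an error.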
What would you like to see next about NMAP? We’re almost done! Did I miss anything? I’ll be covering Zenmap in an upcoming episode. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.