About Nmap's NSE scripting engine
Outline
Mastering the Nmap Scripting Engine
by Fyodor and David Fifield
1 NSE Intro & Usage
2 Large-scale Scan #1 SMB/MSRPC
3 Large-scale Scan #2 Favicon
4 Writing NSE Scripts
5 Live Script Writing Demo
6 Nmap News
7 Final Notes & Q/A
parse nse script output
NSE examples
http-webcam
description = [[
Finds a webcam.
]]
categories = {"safe", "discovery"}
-- The talk's slide used require("http"); current NSE (Nmap 5.50 and later)
-- expects the library to be bound locally.
local http = require "http"
function portrule(host, port)
  return port.number == 80
end
-- Usage: nmap -n -Pn -p80 --open --script http-webcam 192.168.1.1/24 -oN webcam.nmap -d
function action(host, port)
  local response = http.get(host, port, "/cam.jpg")
  -- The http library lowercases header names, hence "server" rather than "Server".
  -- response.status is nil when the request failed, so test it first.
  if response.status and response.status ~= 404
      and response.header["server"]
      and string.match(response.header["server"], "^thttpd") then
    return "Webcam found."
  end
end
http-brute
description = [[
Guesses HTTP passwords
]]
categories = {"intrusive", "auth"}
local http = require "http"
local unpwdb = require "unpwdb"
-- The slide omitted a portrule; without one the script never runs, so the
-- same port-80 rule as http-webcam is used here. Note that Nmap now ships its
-- own, different http-brute (built on the brute library); rename this file if
-- you drop it into the scripts directory.
function portrule(host, port)
  return port.number == 80
end
-- Usage: nmap -n -Pn -p80 --script http-brute 192.168.1.6 -d
function action(host, port)
  local status, usernames, passwords
  -- unpwdb returns a status and an iterator closure over the word list
  -- (--script-args userdb=/passdb= override the defaults).
  status, usernames = unpwdb.usernames()
  if not status then return end
  status, passwords = unpwdb.passwords()
  if not status then return end
  for password in passwords do
    for username in usernames do
      local response = http.get(host, port, "/cam.jpg", {
        auth = { username = username, password = password }
      })
      -- Anything other than 401 is treated as a hit; a target that answers
      -- 200 or 3xx regardless of credentials will produce false positives.
      if response.status and response.status ~= 401 then
        return username .. ":" .. password
      end
    end
    -- Rewind the inner iterator before the next password.
    usernames("reset")
  end
end
Documentation
http://nmap.org/nsedoc/
http://nmap.org/nsedoc/scripts/http-methods.html
NSE script categories
auth
broadcast
brute
default
discovery
dos
exploit
external
fuzzer
intrusive
malware
safe
version
vuln
nmap -A -T4 scanme.nmap.org
Skype: Nmap's ordinary version detection (-sV) cannot identify it, but an NSE script in the version category can.
smb
Informational
smb-os-discovery
smb-server-stats
smb-system-info
smb-security-mode
Detailed Enumeration
smb-enum-users
smb-enum-domains
smb-enum-groups
smb-enum-processes
smb-enum-sessions
smb-enum-shares
More intrusive
smb-brute
smb-check-vulns
smb-psexec
Large-scale Scan #1 SMB/MSRPC
ARIN DB
American Registry for Internet Numbers (ARIN)
- Step 1: Find target IP addresses. 1,004,632 located in the ARIN DB.
- Step 2: Start a broad version detection scan.
nmap -T4 --top-ports 50 -sV -O --osscan-limit --osscan-guess --min-hostgroup 128 --host-timeout 10m -oA ms-vscan -iL ms.ips.lst
Found 74,293 hosts up out of 1M IPs in 26 hours.
- Step 3: Examine results.
# Tally which ports were found open across the large-scale scan (normal-output file written by -oA)
grep " open " ms-vscan.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
Then run the SMB scripts against the hosts that answered:
nmap -v -O -sV -T4 --osscan-guess -oA ms-smbscan --script=smb-enum-domains,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb-system-info [target IPs]
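The grep pipeline above works on the normal-output file, but -oA also writes ms-vscan.xml, which is the reliable thing to parse at this scale (service names and NSE script output are attributes rather than whitespace-separated columns). The following is an added example, not code from the talk or from Nmap: it tallies open ports the same way the pipeline does, collects per-port NSE script output, and extracts the hosts with SMB open so the intrusive smb-* pass can be fed a target list with -iL instead of being run against all 74,293 hosts. SAMPLE_XML is a constructed, abbreviated document in Nmap's -oX layout with made-up addresses.

```python
"""Added example (not from the talk or from Nmap): tally open ports and collect
NSE script output from Nmap XML, as written by -oA ms-vscan (ms-vscan.xml).
SAMPLE_XML is a constructed, abbreviated document in Nmap's -oX layout."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 --top-ports 50 -sV -O -oA ms-vscan -iL ms.ips.lst">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 2003 microsoft-ds"/>
        <script id="smb-os-discovery" output="OS: Windows Server 2003 (Windows Server 2003 5.2)"/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="thttpd"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts_up, Counter of 'port/proto service' -> count, script results).

    Only 'open' ports are counted, matching the grep " open " pipeline; script
    results are (addr, portid, script id, output) tuples from port-level scripts.
    """
    root = ET.fromstring(xml_text)
    hosts_up = 0
    open_ports = Counter()
    script_results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        hosts_up += 1
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports["%s/%s %s" % (port.get("portid"), port.get("protocol"), name)] += 1
            for script in port.findall("script"):
                script_results.append((addr, port.get("portid"), script.get("id"), script.get("output")))
    return hosts_up, open_ports, script_results


def smb_targets(xml_text):
    """Addresses with 445/tcp or 139/tcp open: the -iL input for the follow-up
    smb-* script scan, so the intrusive pass is not run against every host."""
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if (port.get("protocol") == "tcp" and port.get("portid") in ("445", "139")
                    and port.find("state").get("state") == "open"):
                targets.append(addr)
                break
    return targets


if __name__ == "__main__":
    up, ports, scripts = parse_nmap_xml(SAMPLE_XML)
    print("hosts up:", up)
    for key, count in ports.most_common():
        print("%6d %s" % (count, key))
    for addr, portid, sid, out in scripts:
        print("%s:%s %s -> %s" % (addr, portid, sid, out))
    print("SMB targets:", smb_targets(SAMPLE_XML))
```

Against a real ms-vscan.xml, replace SAMPLE_XML with the file contents (ET.parse on a multi-hundred-MB file is fine; for larger runs switch to ET.iterparse and clear each host element after processing it) and write smb_targets() one address per line to the file passed to -iL.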
Large-scale Scan #2 Favicon
Alexa top one million sites favicon visualization
https://nmap.org/favicon/
http-favicon.nse
Writing NSE Scripts
Why Lua was chosen.
NSE system docs http://nmap.org/book/nse.html
NSE API reference: https://nmap.org/book/nse-api.html
Lua syntax reference: http://www.runoob.com/lua/lua-tutorial.html
Capabilities Added by Nmap
1 Protocol/helper libraries
- 45, including DNS, HTTP, MSRPC, Packet, SNMP, unpwdb, etc.
2 Protocol brute forcer
3 Easy SSL
4 Dependencies
- Script Example #1: rpcinfo
- Script Example #2: smb-enum-users
- Live Script Demonstration
zenmap -> profile -> profile editor -> script
Use Zenmap's profile editor to assemble the nmap --script command line.
nmap -n -Pn -p 80 --open --script http-webcam -oN webcam.nmap -d 192.168.1.1/24
Ndiff, Ncat , Nping and Ncrack
Ndiff
Ncat
Nping
Ncrack
Rainmap
DNmap
References
1 Nmap Network Scanning
2 Nmap Penetration Testing Guide (《Nmap 渗透测试指南》), 商广明 (Shang Guangming)
3 python-nmap
https://xael.org/norman/python/python-nmap/
4 python-libnmap
https://github.com/savon-noir/python-libnmap
5 [Pentest tools series] nmap
https://thief.one/2017/05/02/1/