Nmap

NSE - Nmap Script Engine

Scripts are written in Lua and live in /usr/share/nmap/scripts. Each script belongs to one or more categories:

  • safe : Won't affect the target.
  • intrusive : Not safe: likely to affect the target.
  • vuln : Scan for vulnerabilities.
  • exploit : Attempt to exploit a vulnerability.
  • auth : Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously).
  • brute : Attempt to brute-force credentials for running services.
  • discovery : Attempt to query running services for further information about the network (e.g. query an SNMP server).

Display help :

  • nmap --script-help <script-name>

Using script arguments :

  • nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

Find an NSE script (script.db lists every script with its categories) :

$ cd /usr/share/nmap/scripts
$ grep smb script.db
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-double-pulsar-backdoor.nse", categories = { "malware", "safe", "vuln", } }
Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-services.nse", categories = { "discovery", "intrusive", "safe", } }
[...]
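Beyond a plain grep, the script.db entries can be parsed to pick scripts by category, for instance only the safe, non-intrusive ones before a scan of a production network. Added example (not from the page or from Nmap itself); SAMPLE_DB is constructed from the listing above rather than read from disk.

```python
import re

# Constructed sample in the format of /usr/share/nmap/scripts/script.db;
# the lines mirror the grep output shown above rather than the real file.
SAMPLE_DB = """\
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-double-pulsar-backdoor.nse", categories = { "malware", "safe", "vuln", } }
Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-services.nse", categories = { "discovery", "intrusive", "safe", } }
"""

# One Entry { filename = "...", categories = { "...", } } record as Nmap writes it.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"(?P<filename>[^"]+)"\s*,'
    r'\s*categories\s*=\s*\{(?P<categories>[^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Map each script filename to its list of categories."""
    scripts = {}
    for m in ENTRY_RE.finditer(text):
        scripts[m.group("filename")] = re.findall(r'"([^"]+)"', m.group("categories"))
    return scripts


def select_scripts(scripts, require=(), exclude=(), prefix=""):
    """Filenames carrying every category in `require`, none in `exclude`,
    and starting with `prefix` (e.g. "smb"). Sorted for stable output."""
    req, exc = set(require), set(exclude)
    return sorted(
        name for name, cats in scripts.items()
        if name.startswith(prefix) and req <= set(cats) and not (exc & set(cats))
    )


def script_arg(filenames):
    """Build the value for nmap --script from a list of .nse filenames."""
    return ",".join(n[:-4] if n.endswith(".nse") else n for n in filenames)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    chosen = select_scripts(db, require=["safe"], exclude=["intrusive"], prefix="smb")
    print("nmap --script " + script_arg(chosen) + " <target>")
```

To run it against the real database, pass the contents of /usr/share/nmap/scripts/script.db to parse_script_db instead of SAMPLE_DB.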

Ping sweep (ICMP scan, no port scan)

nmap -sn 192.168.0.0/24