Syntax and examples of Nmap Scripting Engine scripts


Although the Nmap scripting engine has a complex implementation for increased efficiency, it is amazingly easy to use.
Use the "--script" option with a category, a directory name or the name of a specific script file to select a group of scripts, all scripts of a given category, or individual scripts, including your own. The syntax is as follows:
--script <filename>|<category>|<directory>|<expression>[,...] target
This selects scripts from a comma-separated list of file names, categories and directories. When the command line is parsed, each element is first treated as an expression, then as a category, and finally as a file or directory name. Everything that remains is treated as the scan target; in the simplest case this is the IP address or host name of the target machine.
Note that you can combine file names, category names and/or directories into a single comma-separated list. For example, the line "nmap --script default,banner,/home/user/customscripts scanme.nmap.org" runs the scripts of the "default" category, the "banner" script, and all files with the ".nse" extension from the directory "/home/user/customscripts". The target in this case is "scanme.nmap.org".
Boolean expressions with the operators "and", "or" and "not" may also be used to build more complex sets of scripts. The operators have the same precedence as in Lua: "not" is highest, followed by "and", then "or". Precedence can be changed with parentheses. Because such expressions contain whitespace, they must be enclosed in quotes. For example, "nmap --script \"default and safe\" scanme.nmap.org" loads only those scripts that belong to both the "default" and the "safe" category.
When referring to scripts from the script.db database by name, the wildcard "*" can replace part of the name. For example, "nmap --script \"http-*\" scanme.nmap.org" loads all scripts whose name starts with "http-", such as "http-auth" and "http-open-proxy". Note that this argument is also quoted, so that the shell does not expand the wildcard.
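The selection rules above (a list element is matched as a category first, then as a script file name, possibly with a "*" wildcard, and "and" intersects two selections) can be exercised offline against the script.db format. The following POSIX shell snippet is an added example and is not part of this article or of Nmap itself; the script.db excerpt is constructed for the demonstration (the category sets are approximate, not authoritative), and the function names nse_select, nse_resolve and nse_and are assumptions made here.

```shell
#!/bin/sh
# Constructed excerpt in the real script.db line format used by Nmap.
SCRIPT_DB=$(cat <<'EOF'
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-auth.nse", categories = { "default", "safe", "auth", } }
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
Entry { filename = "http-wordpress-enum.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "ssl-enum-ciphers.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "asn-query.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "whois-ip.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "mysql-audit.nse", categories = { "intrusive", } }
EOF
)

# nse_select SPEC: print the script names (without .nse) that SPEC selects,
# one per line, in script.db order. SPEC is tried as a category first, then
# as a file-name pattern, where "*" is a wildcard.
nse_select() {
    spec=$1
    printf '%s\n' "$SCRIPT_DB" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        # filename is the first quoted string on the line
        name=${line#*\"}; name=${name%%\"*}; name=${name%.nse}
        # categories are the quoted, comma-separated words inside { ... }
        cats=${line#*categories = \{}; cats=${cats%%\}*}
        cats=$(printf '%s' "$cats" | tr -d '",')
        case " $cats " in
            *" $spec "*) printf '%s\n' "$name"; continue ;;
        esac
        # unquoted $spec is used as a shell pattern, so "http-*" matches
        case "$name" in
            $spec) printf '%s\n' "$name" ;;
        esac
    done
}

# nse_resolve LIST: resolve a comma-separated --script list into a sorted,
# de-duplicated set of script names.
nse_resolve() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r spec; do
        [ -n "$spec" ] && nse_select "$spec"
    done | sort -u
}

# nse_and A B: scripts selected by both A and B, i.e. the expression "A and B".
nse_and() {
    { nse_select "$1" | sort -u; nse_select "$2" | sort -u; } | sort | uniq -d
}

# Stand-alone usage: show what two selections from the article resolve to.
echo '--script default,banner:'; nse_resolve 'default,banner'
echo '--script "discovery and external":'; nse_and discovery external
```

Running it shows that "default,banner" picks up http-auth and http-open-proxy by category plus banner by file name, and that "discovery and external" keeps only the scripts carrying both categories; "http-*" selects every script whose name starts with "http-" regardless of category.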
To scan with the most common scripts, those of the default category, simply specify "-sC" (equivalent to "--script=default" or "--script default").
Some scripts can be customized by passing arguments to them with the "--script-args" and "--script-args-file" options. The following example shows how to pass arguments with "--script-args": "nmap -p 3306 --script mysql-audit --script-args \"mysql-audit.username='root',mysql-audit.password='password_here',mysql-audit.filename='nselib/data/mysql-cis.audit'\"" (the Nmap option "-p" selects the port). This command audits the security configuration of a MySQL database server against the CIS MySQL v1.0.2 benchmark.
The "--script-help" option tells you what the selected script does.
The two remaining options, “--script-trace” and “--script-updatedb”, are mainly used only for debugging and script development, so we will not cover them in detail in this review article.
Script scanning is usually combined with port scanning, because whether a script runs depends on the port state the scanner detects. With the "-sn" option, scripts can be run without a port scan, performing only host discovery; in this case only host scripts are run. To run scripts with neither host discovery nor a port scan, use "-Pn -sn" together with "-sC" or "--script". This is useful for scripts such as "whois-ip" that use only the address of the remote system and do not require it to be online.
Important: Before working with scripts, make sure they are safe: do not run scripts written by third parties without thorough scrutiny (unless, of course, you have reason to trust their author). Scripts do not run in a sandbox, so a third-party script could, accidentally or maliciously, damage your system or violate your privacy.

Examples of using NSE scripts

Below are a few interesting examples of what you can do with NSE scripts.
Get the TLS ciphers supported by the target site using the "ssl-enum-ciphers" script.
Examine a WordPress site and find out which plugins and themes it runs using the "http-wordpress-enum" script.
Find the GEO, ASN and organization data for the address you specify using the "asn-query" script.
Use the "http-enum" script to look at the web server software, the robots.txt and index files, and other "interesting content", much as the nikto web scanner does.
List all the headers sent by the target web server using the "http-headers" script.
Existing SMB scripts.
Existing HTTP scripts.
Existing DNS scripts.
Existing scripts for the MySQL database management system.

Conclusion

Nmap is a powerful and useful tool that belongs in the basic information security toolkit of any system or network administrator.
Nmap may not be the fastest port scanner, but it is the most versatile, and NSE makes it even more effective by blurring the boundary between a port scanner and a vulnerability scanner. So the next time you need to do something routine with a service, check whether an NSE script is available for the task, and let Nmap do the work for you.
