[Lesson 10] Network Vulnerability and Scanning: Explanation of Nmap Script Engine(NSE) in Theory

Koay Yong Cett
6 min read · May 26, 2020


Let’s deep dive into Nmap ⚡️ The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you would expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

Nmap Scripting Engine (NSE):

  • Scripts are written in the embedded Lua programming language (version 5.3)
  • NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts), and results are integrated into Nmap’s normal and XML output
  • The default location of Nmap’s bundled scripts is /usr/share/nmap/scripts

NSE was designed to be versatile with the following tasks in mind:

  • Network Discovery, which is the most powerful part of Nmap.

For instance, looking up whois data based on the target domain, querying RIPE for the target IP to determine ownership, running SNMP queries, and listing the available SMB shares and services.

  • More sophisticated version detection. Nmap version detection is able to recognize thousands of different services through its probe and regular-expression signature matching system. However, it can’t recognize everything.

For instance, identifying the Skype version 2 service requires two independent probes, which version detection isn’t flexible enough to handle. In addition, Nmap could recognize more SNMP services if it tried a few hundred different community names by brute force. Neither of these tasks is well suited to traditional Nmap version detection, but both are easily accomplished with NSE.

  • Vulnerability Detection. When a new vulnerability is discovered, you want to scan your network quickly and identify vulnerable systems before any malicious person does. While Nmap isn’t a comprehensive vulnerability scanner, NSE is powerful enough to handle demanding vulnerability checks.

For instance, the Heartbleed bug affected hundreds of thousands of systems worldwide, and the Nmap developers responded with the SSL Heartbleed detection script within hours, well under two days.

  • Backdoor Detection. Many attackers use automated worms to leave backdoors that enable later entry. Some of these can be detected by Nmap’s regular-expression-based version detection. However, more complex worms and backdoors require NSE’s advanced capabilities to be detected reliably.
  • Vulnerability Exploitation. As a general scripting language, NSE can even be used to exploit vulnerabilities rather than just find them. Of course, it’s not as powerful as exploit frameworks such as Metasploit.

There are four types of NSE scripts:

  • Prerule scripts — run before any of Nmap’s scan operations; they are executed when Nmap hasn’t gathered any information about a target yet.
  • Host scripts — run after Nmap has performed its normal operations (host discovery, port scanning, version detection and OS detection) against a target host.
  • Service scripts — run against specific services listening on a target host.
  • Postrule scripts — run after Nmap has scanned all of its target hosts.
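To make the four script types concrete, here is a small NSE script written for this lesson (it is an added example, not a script shipped with Nmap). A single script may define more than one rule; each rule decides whether the shared action function runs in that phase, and the NSE global SCRIPT_TYPE tells the action which phase invoked it. The file name nse-phases-demo.nse and the author string are placeholders.

```lua
-- nse-phases-demo.nse (placeholder name; added example, not part of the Nmap distribution)
local shortport = require "shortport"

description = [[
Illustrates the four NSE rule types. Each rule decides whether the shared
action function runs in that phase; SCRIPT_TYPE tells the action which
phase invoked it.
]]

author = "example author (placeholder)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Prerule: runs once before any host has been scanned, so no host or port
-- information is available yet. A real prerule would typically look at
-- script arguments to decide; here it always runs.
prerule = function()
  return true
end

-- Hostrule: runs once per target after host discovery, port scanning and
-- (if requested) version/OS detection have finished for that host.
hostrule = function(host)
  return true
end

-- Portrule: runs once per matching open port. The shortport helpers build
-- the usual "is this port open and does it look like service X" checks.
portrule = shortport.port_or_service(22, "ssh")

-- Postrule: runs once after every target has been scanned; typically used
-- to summarise results the earlier phases stored in the registry.
postrule = function()
  return true
end

action = function(host, port)
  if SCRIPT_TYPE == "prerule" then
    return "prerule phase: no target information yet"
  elseif SCRIPT_TYPE == "hostrule" then
    return ("host phase for %s"):format(host.ip)
  elseif SCRIPT_TYPE == "portrule" then
    return ("service phase for %s:%d (%s)"):format(host.ip, port.number,
                                                   port.service or "unknown")
  elseif SCRIPT_TYPE == "postrule" then
    return "postrule phase: all targets scanned"
  end
end
```

Run it with nmap -sV --script ./nse-phases-demo.nse <target> (placeholder target) and the output will carry one line from the prerule, one per host, one per open SSH port and one from the postrule, which shows the order in which Nmap works through the phases.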

Script Scanning in Details:

-sC (equivalent to --script=default) performs a script scan using the default set of scripts. 😧 Now wait a second, what is this “default”? Well, it is one of the categories of Nmap scripts. Let’s dive into the categories of Nmap scripts 😉

Every NSE script defines a list of categories it belongs to. The currently defined categories are:

  • default (-sC) 👉 Default scripts are the default set and are run with the “-sC” parameter rather than by listing scripts with the “--script” parameter. This category can also be specified explicitly like any other category using “--script=default”.
  • auth (Authorization bypass) 👉 Auth scripts deal with authentication credentials or, coincidentally, bypassing them on the target system. For example, oracle-enum-users.
  • brute (Brute force attacks) 👉 Brute scripts use brute force attacks to guess the authentication credentials of a remote server. Nmap contains brute force scripts for dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc.
  • dos (Denial of Service) 👉 Dos scripts may cause a denial of service. Sometimes this is done deliberately to test whether a system is vulnerable to a denial-of-service method. More commonly, however, it is an undesired but necessary side effect of testing for a traditional vulnerability: these tests sometimes crash the vulnerable service.
  • exploit (Exploit a known vulnerability) 👉 Exploit scripts aim to actively exploit some vulnerability. For example, http-shellshock.
  • safe (Safe to run) 👉 Scripts which weren’t designed to crash services, use large amounts of network bandwidth or other resources, or exploit security holes are usually categorized as safe.
  • intrusive (Scripts not in the safe category) 👉 Intrusive scripts are those that cannot be classified as safe because the risks are too high: they may crash the target system, use significant resources on the target host such as bandwidth or CPU time, or otherwise be perceived as malicious by the target’s system administrators.
  • malware (Look for malware on destination hosts) 👉 Malware scripts test whether the target system is infected by malware or backdoors.
  • version (Version detection scripts) 👉 Version scripts are an extension of the version detection feature and cannot be selected explicitly. They are run only when version detection (the -sV parameter) is used.
  • vuln (Vulnerability scanning scripts) 👉 Vuln scripts check for specific known vulnerabilities and generally only report results if they are found.

☝️ Category names are not case sensitive.

Using boolean expressions:

You can also select scripts using boolean expressions built with the and, or, and not operators. The names in a boolean expression may be script categories, file names or directories, and each element may itself be a boolean expression describing a more complex set of scripts.

For instance, --script "default or safe" selects every script that is in either the default or the safe category (it is equivalent to --script default,safe).

Alternatively, the --script parameter can take a comma-separated list of script file names to run.

Updating the Script Database:

The --script-updatedb option updates the script database, scripts/script.db, which Nmap uses to determine the available default scripts and categories. It is only necessary to update the database if you have added or removed NSE scripts from the default scripts directory or changed the categories of any script. The option is used by itself and takes no argument.
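The categories list, the boolean selection expressions and script.db fit together, and the example below (written for this lesson in plain Lua 5.3, not Nmap’s own nse_main code) shows how: script.db is itself Lua, one Entry { filename = ..., categories = { ... } } call per script, so it can be loaded by defining Entry; a --script expression is then turned into Lua by wrapping every non-operator word in a category lookup and compiling it. The five script.db lines are constructed for the example and their category sets are illustrative, not copied from a particular Nmap release.

```lua
-- Added example (not Nmap's own code): evaluate --script category
-- expressions against script.db entries. Runs with plain lua5.3.

-- Constructed script.db lines in the real file's format; the category
-- sets here are illustrative only.
local SAMPLE_DB = [[
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
]]

-- script.db is Lua: every line calls a global function Entry. Loading it in
-- an environment that defines Entry collects {filename, categories} records.
local function load_script_db(text)
  local entries = {}
  local env = {
    Entry = function(t)
      local cats = {}
      -- category names are not case sensitive, so normalise them
      for _, c in ipairs(t.categories) do cats[c:lower()] = true end
      entries[#entries + 1] = { filename = t.filename, categories = cats }
    end,
  }
  assert(load(text, "script.db", "t", env))()
  return entries
end

-- Turn "default or safe", "(vuln and not intrusive)" etc. into Lua code by
-- replacing each word that is not and/or/not with a category lookup, then
-- compile it once. The returned function tests one script's category set.
local function compile_selector(expr)
  local lua = expr:lower():gsub("[%w_%-]+", function(word)
    if word == "and" or word == "or" or word == "not" then return word end
    return ('has("%s")'):format(word)
  end)
  local env = {}
  local chunk = assert(load("return " .. lua, "selector", "t", env))
  return function(categories)
    env.has = function(c) return categories[c] == true end
    return chunk() and true or false
  end
end

-- Apply a selector to every entry and return the matching file names.
local function select_scripts(entries, expr)
  local matches = compile_selector(expr)
  local chosen = {}
  for _, e in ipairs(entries) do
    if matches(e.categories) then chosen[#chosen + 1] = e.filename end
  end
  table.sort(chosen)
  return chosen
end

local db = load_script_db(SAMPLE_DB)
for _, expr in ipairs({ "default", "default or safe",
                        "vuln and not intrusive", "(discovery or vuln) and safe" }) do
  print(("--script \"%s\"  ->  %s"):format(expr,
        table.concat(select_scripts(db, expr), ", ")))
end
```

With the constructed database, "default" selects only http-title.nse, "default or safe" adds ssl-heartbleed.nse, and "vuln and not intrusive" keeps ssl-heartbleed.nse while dropping http-shellshock.nse. Selecting on the safe category this way is how a defender keeps a scan of production systems from pulling in scripts that may crash a service.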

More information about NSE: https://nmap.org/book/nse.html

More Nmap queries and command lines will be discussed with terminal examples in the next lesson. In this lesson, I am trying my best to bring out the idea and theory of the NSE 💭

Thanks for reading 😃
