[Lesson 11] Network Vulnerability and Scanning: Explanation of Nmap Script Engine (NSE) with Hands on Practice 😄

Koay Yong Cett
8 min read · May 27, 2020

Let’s dive into some of the scripts that ship with Nmap and try executing them in the terminal 😄

Open the Kali Linux terminal to start the lesson 😄

Locate the scripts:

To find the scripts, use the Linux “locate” command. Nmap scripts have a very distinctive file extension, .nse, so they are easy to find: locate lists every file whose name ends with “.nse”.

“/usr/share/nmap/scripts/” is where the Nmap scripts are located in Kali Linux by default.

Navigate to the folder where the scripts are located using the “cd” command.

> Here is one trick for copy and paste in Kali Linux 😉: select the path, then press the middle mouse button to paste it. So easy, right? Try it yourself ✌️

Let’s look at the script.db file first. It is the script database used by Nmap, and it sits in the same scripts folder. Use the less command to view the content of the file.

Every row contains a script file name and its categories. Press q to exit.
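To make the script.db layout concrete, here is an added example (not from the original post): a small POSIX shell script that parses a constructed excerpt of script.db, lists the scripts whose names start with a given prefix such as “ssh-”, and separates the ones tagged safe from those tagged intrusive or brute, which is worth checking before pointing a scan at a host you are responsible for. The sample entries are constructed to match the real file's `Entry { ... }` layout; the function names are my own.

```shell
#!/bin/sh
# Constructed excerpt of script.db (same "Entry { ... }" layout as the real file).
SCRIPT_DB_SAMPLE='Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-auth-methods.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh2-enum-algos.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-slowloris-check.nse", categories = { "vuln", "safe", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "intrusive", "discovery", } }'

# Turn each Entry line into "name category category ...", e.g. "ssh-brute brute intrusive".
flatten_db() {  # stdin = script.db text
  sed -n 's/^Entry { filename = "\([^"]*\)\.nse", categories = { \(.*\) } }$/\1 \2/p' \
    | tr -d '",'
}

# Scripts whose name starts with the given prefix (what the "ssh-*" wildcard selects).
scripts_with_prefix() {  # $1 = prefix, stdin = script.db text
  flatten_db | awk -v p="$1" 'index($1, p) == 1 { print $1 }'
}

# Same selection, but only scripts NOT tagged intrusive or brute: a review list of
# what a wildcard would run against the target without generating noisy traffic.
safe_scripts_with_prefix() {  # $1 = prefix, stdin = script.db text
  flatten_db | awk -v p="$1" '
    index($1, p) == 1 {
      risky = 0
      for (i = 2; i <= NF; i++) if ($i == "intrusive" || $i == "brute") risky = 1
      if (!risky) print $1
    }'
}

# Tally how many scripts carry each category (what "less script.db" shows, summarised).
category_counts() {  # stdin = script.db text
  flatten_db | awk '{ for (i = 2; i <= NF; i++) c[$i]++ } END { for (k in c) print k, c[k] }' | sort
}

# Usage: list the ssh- scripts that are safe to include by default.
printf '%s\n' "$SCRIPT_DB_SAMPLE" | safe_scripts_with_prefix ssh-
```

Run it against the real file with `flatten_db < /usr/share/nmap/scripts/script.db` to see the full catalogue.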

Try to run the scripts:

I want to try the SSH scripts on my Metasploitable VM. First, with the help of the Linux “grep” command, I list the SSH scripts. Here is the list of scripts related to SSH.

In addition, ls -l is used to display the result in long-listing format.

To analyze the content of the scripts, I use the “less” command.

In the script file there is a description/usage section and many other lines that provide plenty of information about the script.

Let’s look for the categories in the content of the NSE script we just opened. In less, you can use the “/” key to search for a word. Type “/categor” and hit enter. If there is more than one match, you can jump to each related word with the “n” key (next match).

Alternatively, you can use the “--script-help” parameter with the target script to get the help text and a short description of the Nmap script. You will find the name, categories, link and description sections, as shown in the result.

Let’s run some Nmap Scripts:

If you are planning to use a SYN scan (-sS), switch to the root user with sudo su root.

First, run the default SSH scripts using the “-sC” parameter. Here, ssh-hostkey is the default script for the SSH service. In the results, we find the target machine’s SSH server key fingerprints. From the description of the script, we know that if the verbosity level is high enough the script will show the public key itself.

Here, we run the Nmap command again, but this time with “-vvv” to increase the verbosity level.

Now we have both the key fingerprints (highlighted in yellow) and the SSH public keys.

Script Scanning with Version Detection:

👉 Script scans are performed against the default service for each port unless the version detection option is also used.

👉 As you know, if you don’t run version detection, Nmap assumes that the default service is running on that port.

👉 So in a script scan, Nmap assumes the default service for the port and runs the scripts that are suitable for that service.

⭐️ I really need to emphasize the importance of service and version detection when using scripts to scan the target machine, and this is easy to understand with an example Nmap query in the Kali terminal ⭐️

Before that:

Change the default port 22 to 443 for the proof of concept test.

First, we start the SSH service. Then we use the netstat command to see the listening ports. As you can see, the SSH service is running, but not on port 22. Instead it is running on port 443, and you probably know that 443 is the default port of the HTTPS service.

Nmap reports that the port is running the HTTPS service. Now, if I add the SSH scripts to this query using “--script ssh-*” but without version detection, none of the scripts run. This is because Nmap thinks the service is HTTPS and not SSH, so it does not run the SSH scripts.

Now I run the same Nmap query, this time with version detection (“-sV”). With the version detection option the SSH scripts are started, because Nmap finds that the service on port 443 is SSH, not HTTPS. By the way, the SSH brute script takes a long time to run, so if you are short on time there is no need to wait for the results 😆

🌟 Add on (Wildcard):

This is useful when you want to select scripts whose names match a given pattern. For instance, “--script ssh-*” makes the Nmap query load all the scripts whose names start with “ssh-” ✌️

Some handy scripts ✋:

Here, we have some scripts which are helpful in penetration testing 👊

  • “-brute.nse” 👉 These scripts perform brute-force password guessing against the named services.
  • “-info” 👉 These scripts get information about the named services.
  • “dns-recursion” 👉 This script checks whether a DNS server allows queries for third-party names.
  • “dns-zone-transfer” 👉 This script requests a zone transfer (AXFR) from a DNS server. If the query is successful, all the domain records are returned along with common type-specific data for DNS record types such as SOA, MX, NS, PTR or A.
  • “http-slowloris-check” 👉 This script tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack.
  • “ms-sql-info” 👉 This script attempts to determine configuration and version information for Microsoft SQL Server instances.
  • “ms-sql-dump-hashes” 👉 This script dumps the password hashes from an MSSQL server in a format suitable for cracking with tools like John the Ripper.
  • “nbstat” 👉 This script attempts to retrieve the target’s NetBIOS names and MAC address. By default, it displays the name of the computer and the logged-in user. If the verbosity is turned up, it displays all the names the system thinks it owns.
  • “smb-enum-users” 👉 This script attempts to enumerate the users on a remote Windows system with as much information as possible. Its purpose is to discover all the user accounts that exist on a remote system. This could be helpful for administration (seeing who has an account on a server), for penetration testing, or for network footprinting by determining which accounts exist on a system.
  • “smb-enum-shares” 👉 This script attempts to list the shares. Finding open shares is useful to a penetration tester: there may be private files shared, and if a share is writable it could be a good place to drop a Trojan or infect a file that is already there. In addition, knowing where the shares are makes the penetration test more useful. Note that determining where the shares are requires administrative privileges.

In a penetration test, you should try the pass-the-hash method to compromise the system. The last three scripts will be very helpful for pass-the-hash attacks 😈

What is Pass-the-Hash attack?

  • A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication, potentially gaining lateral access to other networked systems.
  • The threat actor doesn’t need to decrypt the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, since the password hash remains static for every session until the password is rotated.
  • Attackers commonly obtain hashes by scraping a system’s active memory, among other techniques.

Here are some useful brute-force or dictionary-attack scripts for FTP, databases such as MySQL, Oracle or MSSQL, SNMP, Telnet, etc.:

The Nmap Scripting Engine is a very powerful feature of Nmap; try to explore more of it by yourself 👏

Thanks for reading 😄


Koay Yong Cett

A Bachelor of CS student majoring in Network Security (UniSZa). Every story I share is based on my personal opinion. Thank you. Currently doing my internship.