Nmap - NSE Scripts



Scripts info

Get help for a script

nmap --script-help=ssl-heartbleed

Updating the script database

nmap --script-updatedb

Location and finding of scripts

locate *.nse                   - Will find all NSE scripts on the machine
/usr/share/nmap/scripts/       - Default script location

Top Scripts

SMB subnet discovery

nmap -sS -sV --script smb-enum-shares.nse,smb-os-discovery.nse -p445,139 192.168.1.0/24

Dump SAM database remotely

nmap -p 135,139,445 --script smb-pwdump --script-args smbuser=USERNAME,smbpass=PASSWORD <Target>

Nmap NSE script to detect the MS17-010 vulnerability used by WannaCry - Download: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

nmap -v --script smb-vuln-ms17-010 -p445 <target>
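As an added example (not part of this cheat sheet), a small Python parser for the XML that the MS17-010 scan above produces when run with -oX, picking out the hosts whose vuln table reports VULNERABLE so they can be queued for patching. The sample XML is constructed, and the table layout it assumes (table key = CVE id, elem key "state") is the one Nmap's vulns library writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for the MS17-010 scan above
# (two hosts: one flagged VULNERABLE, one not). Illustrative data only.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE"/>
    </port></ports>
  </host>
</nmaprun>
"""

def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Return a sorted list of (ip, port, cve) for every host whose NSE
    vuln table reports a state starting with VULNERABLE (this also catches
    "VULNERABLE (Exploitable)"; "LIKELY VULNERABLE" is deliberately not
    counted so the list only holds confirmed findings)."""
    root = ET.fromstring(xml_text)
    hits = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            for script in port.findall(f"script[@id='{script_id}']"):
                for table in script.findall("table"):
                    state = table.find("elem[@key='state']")
                    if state is not None and (state.text or "").startswith("VULNERABLE"):
                        hits.append((addr.get("addr"), int(port.get("portid")), table.get("key")))
    return sorted(hits)

if __name__ == "__main__":
    for ip, port, cve in vulnerable_hosts(SAMPLE_XML):
        print(f"{ip}:{port} {cve}")
```

Feed it the file from `nmap -v --script smb-vuln-ms17-010 -p445 -oX scan.xml <target>` to get the patch list for a whole subnet.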

Scan with all smb NSE scripts

nmap -sV --script smb* <Target>

Scan with all MS SQL NSE scripts

nmap -sV --script ms-sql* <Target>

Scan with all MYSQL NSE scripts

nmap -sV --script mysql* <Target>

Scan with all HTTP NSE scripts (Messy)

nmap -sV --script http* <Target>

HTTP NSE scripts

Detect Heartbleed SSL Vulnerability

nmap -sV -p 443 --script=ssl-heartbleed.nse <Target>

Gather page titles from HTTP services

nmap --script http-title <Target>

Get HTTP headers of web services

nmap --script http-headers <Target>

HTTP enumeration - Find web apps from known paths

nmap --script http-enum <Target>

HTTP sitemap generator

nmap -p <port> --script http-sitemap-generator <target>

HTTP methods

nmap --script http-methods <target>

SMB NSE Scripts

Enumerate SMB shares

nmap --script smb-enum-shares <Target>

Enumerate SMB Users

nmap --script smb-enum-users <Target>

Brute force SMB service with password list

nmap --script smb-brute -p445 <Target>

Brute force SMB service with hashes (hashes and usernames kept in .txt files)

nmap --script smb-brute --script-args=userdb=usernames.txt,passdb=passwords.txt <Target>

Discover SMB OS

nmap --script smb-os-discovery <Target>

Dump hashes remotely - Needs valid credentials

nmap -p 135,139,445 --script smb-pwdump --script-args smbuser=USERNAME,smbpass=PASSWORD <Target>

Shows logged in sessions - Needs valid credentials

nmap --script smb-enum-sessions -p445  <Target>

SQL Servers

MSSQL Server info

nmap -p1433 --script ms-sql-info <Target>

MSSQL - Bruteforce

nmap -p1433 --script ms-sql-brute <Target>

MSSQL - Bruteforce with custom list

nmap -p1433 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>

MSSQL - Bruteforce with empty/null password

nmap -p1433 --script ms-sql-empty-password <Target>

MSSQL - Discover which databases the user has access to (credentials needed)

nmap -p1433 --script ms-sql-hasdbaccess --script-args mssql.username=USERNAME,mssql.password=PASSWORD <target>

MSSQL - List tables (credentials needed)

nmap -p1433 --script ms-sql-tables --script-args mssql.username=USERNAME,mssql.password=PASSWORD <Target>

MSSQL - SQL Server xp_cmdshell (run an OS command via xp_cmdshell). With no command given, this just prints the output of the script's default command (ipconfig).

nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=USERNAME,mssql.password=PASSWORD <Target>

To specify the command to run, use the argument --script-args=ms-sql-xp-cmdshell.cmd='COMMAND', as in the example below.

nmap -p1433 --script ms-sql-xp-cmdshell --script-args=ms-sql-xp-cmdshell.cmd='net users',mssql.username=USERNAME,mssql.password=PASSWORD <Target>

Recon

Find geolocation information for each hop to an IP address

nmap --traceroute --script traceroute-geolocation.nse -p 80 <Target>

DNS brute force (enumerate subdomains of the target's domain)

nmap -p 80 --script dns-brute.nse <Target>

Find other hostnames served from the same IP (reverse IP lookup)

nmap -p 80 --script hostmap-bfk.nse <Target>

Firewalk - Tries to discover firewall rules using an IP TTL expiration technique.

nmap --script firewalk --traceroute --script-args=firewalk.max-retries=1 <Target>

Whois domain

nmap --script whois-domain <target>

Shodan API - The API key can be specified in the script args or by editing the NSE script itself (shown in video)

nmap --script shodan-api --script-args 'shodan-api.target=x.y.z.a,shodan-api.apikey=SHODANAPIKEY'

Custom NSE Script repositories

Paulino Calderon (cldrn) - Network security specialist | Open Source contributor | @nmap NSE developer | Chapter leader of @owasp_riviera

https://github.com/cldrn/nmap-nse-scripts/tree/master/scripts

John Bond - b4ldr https://www.linkedin.com/in/john-bond-189887a/

https://github.com/b4ldr/nse-scripts

Peter - peter-hackertarget https://hackertarget.com

https://github.com/peter-hackertarget/nmap-nse-scripts

Sanoop Thomas - s4n7h0 "Let the passion be your purpose." Security guy, Researcher, Speaker, Creator of Halcyon IDE

https://github.com/s4n7h0/NSE

Aeris Secure - Open source projects from Aeris Secure, mostly relating to information security and security testing

https://github.com/aerissecure/nse

KSEC Labs