2025-01-14 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Many inexperienced people don't know what an Nmap penetration test script looks like, so this article summarizes the causes of the problem and its solutions. I hope that after reading it you will be able to solve this problem yourself.
01. Try it first
root@kali:~# nmap -sV -sC scanme.nmap.org
The command above runs a SYN scan with operating system detection (-O), service/version detection (-sV) and, most importantly, NSE enabled (-sC). The -sC option enables NSE and runs every script in the default category. This set of scripts is considered safe by default and does not perform any operation that could interfere with the target host or the services running on it. However, some of these scripts may still trigger alerts in intrusion detection systems (IDS) and intrusion prevention systems (IPS).
02. In-depth understanding of script classification
First of all, we need to know how scripts are classified, so that we can classify and use our own custom scripts properly.
Script categories and their descriptions:
auth - NSE scripts related to user authentication
broadcast - scripts that use broadcasts to collect network information
brute - brute-force cracking
default - scripts executed by default (-sC)
discovery - scripts related to host and service discovery
dos - scripts related to denial of service attacks
exploit - scripts for exploiting security vulnerabilities
external - scripts that rely on third-party services
fuzzer - NSE scripts focused on fuzzing
intrusive - intrusive scripts
malware - scripts related to malware detection
safe - scripts that are considered safe in all cases
version - advanced scripts that extend the version detection system
vuln - scripts used to detect and exploit security vulnerabilities
NSE script selection
Nmap uses the --script option for script selection. This option can be followed by a script name, an NSE category, the path to an NSE file, a folder containing scripts, or even an expression. Use --script to select a script by its name or category; Nmap executes the scripts named. Separate several scripts with commas when executing more than one:
Add the script name directly
The following screenshot shows the output of the http-huawei-hg5xx-vuln script. This script takes advantage of a remote vulnerability in Huawei devices to retrieve information including PPPoE credentials and the wireless network security configuration:
To select an entire category, simply pass the category name as the --script argument. For example, to run the vuln category, use the following command:
You can also run multiple categories by separating them with commas:
The -sC option is simply an alias for --script default.
To select a script file to execute by file name or folder, use the following command:
As with categories, multiple scripts can be executed by separating their paths with commas:
To execute all scripts contained in a folder, just pass the folder name. For example:
Advanced script selection: expressions describe a set of scripts, and --script accepts such an expression. For example:
(a not expression matches any script outside the named category) To run scripts that don't belong to a category:
The or and and operators allow us to construct more complex expressions. The following expression will match any script that is not in the , , or category:
If we want to execute all scripts that are in both the and categories, we use:
You can even use the wildcard character *:
Of course, we can combine wildcards and expressions. For example, let's run all scripts whose names begin with , but exclude the and scripts:
The next command will execute all scripts that begin with but are not in the category:
NSE script parameters
The-- script-args option is used to set parameters in the NSE script.
For example, to set the useragent parameter of the http-title script, use this expression:
nmap -sV --script http-title --script-args http.useragent="Mozilla 1337"
Of course, sometimes you can set a parameter without the script name prefix (the following two expressions are equivalent):
nmap -p80 --script http-trace --script-args path
nmap -p80 --script http-trace --script-args http-trace.path
If you use scripts that share a parameter name, you must avoid parameter conflicts. For example, with the uri parameter below, if you need to set it separately for one script, you must prefix it with the full script name to avoid a conflict between the parameters.
$, =, = $, = =
03. Be prepared: Lua language basics
To write NSE scripts we need a foundation in the Lua programming language, which you can study on your own. Here is a brief list of the syntax you must know before writing a script; learn the rest by yourself. Reproduced from the Runoob tutorial: http://www.runoob.com/lua/lua-tutorial.html
Lua characteristics
Lightweight: it is written in standard C and is open source. After compilation it is just over 100 KB and can easily be embedded in other programs.
Extensibility: Lua provides very easy-to-use extension interfaces and mechanisms. These functions are provided by the host language (usually C or C++) and can be used from Lua as if they were built-in functionality.
Other characteristics
Support for procedure-oriented programming and functional programming
Automatic memory management; only one general data structure, the table, is provided, which can be used to implement arrays, hash tables, sets and objects
Built-in pattern matching; closures; functions are first-class values; coroutines (cooperative multitasking, not operating-system threads)
Closures and tables make it easy to support the key mechanisms needed for object-oriented programming, such as data abstraction, virtual functions, inheritance and overloading
Identifiers: an identifier is used to name a variable, a function or another user-defined item. An identifier begins with a letter or an underscore, followed by zero or more letters, underscores or digits. It is best not to use an underscore followed by uppercase letters, because that form is also used by reserved names. Special characters such as @, $ and % are not allowed in identifiers. Lua is a case-sensitive language, so and are two different identifiers. Here are some correct identifiers:
Keywords: the reserved keywords are listed below. Reserved keywords cannot be used as constants, variables or other user-defined identifiers: By convention, names that begin with an underscore followed by a string of uppercase letters (for example ) are reserved for internal global variables.
Data types: Lua is a dynamically typed language; variables have no type declaration, they only need to be assigned a value. A value can be stored in a variable, passed as a parameter or returned as a result. The basic types in Lua are: , and . The simplest type is the one described first: only the value belongs to it, and it represents an invalid value (equivalent to false in a conditional expression). The next contains two values: and . A real number of double-precision floating point type. A string, written with a pair of double or single quotation marks. A function, written in C or Lua. A thread, representing an independent line of execution, used to run coroutines. Arbitrary C data stored in a variable. The table is actually an associative array, whose index can be a number or a string. In Lua a table is created by a constructor expression; the simplest is {}, which creates an empty table. The nil type represents a variable without any valid value and has only one value. Variables must be declared in code, that is, created before they can be used.
Before the interpreter executes the code, it needs to know how to allocate storage for the declared variables so that their values can be stored. There are three kinds of variables: global variables, local variables, and fields in tables. All variables in Lua are global, even inside statement blocks or functions, unless explicitly declared local. The scope of a local variable runs from its declaration to the end of the enclosing block. The default value of every variable is . = () = () (,) = = (,); (,) The output of the above example is: $
04. Understand the writing rules of NSE scripts
Directory structure of Nmap
We only need a basic understanding of its structure, so that we know where the NSE scripts are stored. Here are a few points to note:
1. A script is written with the suffix .nse
2. A finished NSE script is stored in the script folder so that it can take effect
3. You must use the --script option to invoke an NSE script
The process of writing NSE script
Before writing an NSE script, we must understand the steps involved. To make it easier to understand, I divide the writing of an NSE script into four steps:
1. Import the libraries the script requires
2. Write the script's descriptive information
3. Determine the type of Rule
4. Write the Action
Maybe you are still a little confused at this point; it doesn't matter, take a look at the picture and the train of thought will become clear.
The Nmap NSE script template structure is shown in the figure:
Now that you have read this far, you must want to start writing NSE scripts. Not yet: let's first go through a few examples to explain the differences between the four Rule types.
Four types of Rule
Rule: describes the trigger condition of the script. It returns only true or false, and the return value determines whether the corresponding action function runs. Note: true (execute), false (do not execute). There are four types: Prerule, Hostrule, Portrule, Postrule.
The environment for the following examples is:
1. Windows
2. phpstudy
3. nmap-7.6
4. zzcms8.2 (domain zzcms.im)
Basic parameter extension
HOST table
host.os - operating system information
host.ip - IP of the target host, for example 127.0.0.1 below
host.name - the target name as given on the command line, for example zzcms.im below
host.targetname - the same as host.name above, I personally think
host.directly_connected - whether the target host is on the same subnet as the local machine
host.mac_addr - MAC address (only valid for a device on the same subnet)
PORT table
port.number - port number
port.protocol - protocol
port.service - service, http or https
port.version - version information
port.state - port status
Prerule
Prerule triggers before Nmap starts scanning.
For example: we create a new prerule.nse file and store it in the script folder. If "RongRi AnQuan NSE script Prerule test" is printed before the Nmap scan, it proves that the Prerule triggers before Nmap has scanned anything.
= {,} = (,)
We all know that mistakes are inevitable in the testing phase, so what should we do when we make one? We debug with the help of Nmap's debug mode. As usual, an example: I create a new preruleDebug.nse file and have it print system information so that it deliberately fails (why it fails is explained later), and then debug it to show you. Simply add the -d option to enter debug mode; on my side it is usually -d 3, where 3 is the level: the higher the level, the more detailed the output. The debugging information printed by -d 3 is detailed enough, so I am used to choosing -d 3.
= {,} = (,)
The error interface is shown in the figure:
Debug mode is shown in the figure:
We can see from the figure that the reason for the error is "prerule threw an error!". The detail "attempt to index a nil value (local 'host')" means that host is an invalid value. The reason: prerule triggers the script before the Nmap scan, so no host exists yet and we cannot print operating system information in the action. Now everyone should know how to debug such errors.
As the saying goes, contrast makes things clear, so let's change the Rule on this broken template to hostrule and see what happens.
Hostrule
Hostrule triggers when Nmap performs host discovery or probing.
Example: create a new hostrule.nse file. Copy the preruleDebug.nse code above with one change: the Rule type becomes Hostrule. Then run it and see whether we can print the system information we want (hee hee, the result is of course a successful print).
= {,} = (,)
Portrule
Portrule triggers the script when Nmap performs a port scan.
Example: create a new portrule.nse file with the following code, then scan a few ports and see whether "Hongri Anquan yumu" and host.ip are printed while the ports are scanned.
= {,} = (,) = (,) = {} = (,)
The results are as follows:
Another example: let's write an NSE script to retrieve the customer service number from zzcms8.2.
Parameter knowledge expansion
The HTTP library's get(host, port, path, options) initiates a GET request and returns the result as a table. host is the host table, port is the port table of the request, path is the path to retrieve, and options is optional, allowing the caller to control the socket, the request headers and the timeout.
post(host, port, path, options, ignored, postdata) initiates a POST request and returns the result as a table. ignored is kept for backward compatibility and is generally nil; postdata is the POST data in string or table format; host, port, path and options are as for get.
Pay attention to small details
1. Method explanation
string.match(str, pattern, init)
string.match() looks only for the first match of pattern in the source string str. The parameter init is optional and specifies the starting position of the search; the default is 1.
On a successful match, the function returns all captures in the pattern; if the pattern contains no captures, the entire matched string is returned. nil is returned when there is no match.
2. Solution to the garbled output problem
The printed response.body (response body) may display as garbled characters in cmder. The solution is as follows:
Switch the cmd command-line window's character encoding to UTF-8 by executing on the command line: chcp 65001
= = {,} = (,), = = (,) = (,) ~ =..
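The http.get and string.match points above, put together in an added example that is not from the original post: a portrule script that fetches a page and extracts a contact number and the page title from the body. The script name contact-demo, the argument contact-demo.path and the number pattern are assumptions, not zzcms specifics from the post.

```lua
-- Added example (not from the original post): fetch a page with http.get and
-- pull values out of the body with string.match, handling the nil cases.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[Fetches a page and extracts a contact number and <title> from the HTML.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

portrule = shortport.http

action = function(host, port)
  -- Path is an assumption; override with --script-args contact-demo.path=/index.php
  local path = stdnse.get_script_args("contact-demo.path") or "/"
  local resp = http.get(host, port, path)

  -- http.get returns a table; body is nil on connection errors or timeouts
  if not resp or not resp.body then
    return "request failed: " .. (resp and resp["status-line"] or "no response")
  end

  -- A capture in the pattern: string.match returns only the captured text
  local title = resp.body:match("<title>(.-)</title>")
  -- No capture: string.match returns the whole matched substring (or nil)
  local charset = resp.body:match("<meta[^>]-charset=[^>]*>")

  -- The init argument: start searching only after the <body> tag
  local start = resp.body:find("<body", 1, true) or 1
  local number = resp.body:match("(%d%d%d[%d%-]+%d)", start)

  local out = stdnse.output_table()
  out.status = resp.status
  out.title = title or "(no <title> found)"
  out.charset = charset or "(no charset meta tag; garbled output is likely in cmd)"
  out.contact = number or "(pattern not found)"
  return out
end
```

Run it against your own test host with nmap -p80 --script ./contact-demo.nse <host>; the output table renders the same way in normal and -oX output.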
Postrule
The Postrule triggers the script at the end of the Nmap scan and is usually used to extract and collate data from the scan results.
Example: print "Hongri Anquan test postrule" when triggered.
= {,} = (,)
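The four Rule types described above, in one added example that is not code from the original post: a single script that registers prerule, hostrule, portrule and postrule and reports from its action which rule fired and what arguments it received. The script name, author and the port list are assumptions.

```lua
-- Added example (not from the original post): one script with all four rule types.
local shortport = require "shortport"

description = [[Shows when prerule, hostrule, portrule and postrule fire.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- prerule/postrule run once per scan and receive neither host nor port
prerule = function() return true end
postrule = function() return true end

-- hostrule runs once per live host; portrule once per matching open port
hostrule = function(host) return true end
portrule = shortport.port_or_service({80, 443}, {"http", "https"})

action = function(host, port)
  -- SCRIPT_TYPE tells a multi-rule script which rule triggered this action
  if SCRIPT_TYPE == "prerule" then
    -- host is nil here: host.os would raise
    -- "attempt to index a nil value (local 'host')", the error debugged above
    return "prerule: fired before any host was scanned"
  elseif SCRIPT_TYPE == "postrule" then
    return "postrule: fired after the whole scan finished"
  end

  -- host.os is only filled in when the scan runs with -O
  local os_name = "unknown (run with -O)"
  if host.os and host.os[1] then os_name = host.os[1].name end

  if SCRIPT_TYPE == "hostrule" then
    return ("hostrule: ip=%s name=%s os=%s"):format(host.ip, host.name or "", os_name)
  end

  -- portrule: both host and port tables are available
  return ("portrule: %s:%d/%s state=%s service=%s"):format(
    host.ip, port.number, port.protocol, port.state, port.service or "?")
end
```

Save it as rules-demo.nse and run nmap -d 3 -p 80,443 --script ./rules-demo.nse <host> to watch each rule fire in the debug output.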
As a fledgling player, write a script to detect the reflected XSS in zzcms8.2
For a detailed zzcms8.2 code audit, please go to: https://bbs.ichunqiu.com/thread-36147-1-1.html
I have set up a local environment here and will simply use Firefox to test whether there is a reflected XSS. No more talk, typing is tiring; look at the screenshots.
Well, anyone who has done web penetration testing knows that at this point alert(1) has been inserted into the page source. This must be clear, because it is the idea behind the NSE script written next.
Good. Let's take a look at the picture and settle the writing approach.
After reading the four steps you should know very well how to write our script, so let's do it. I create a new zzcmsxss.nse here with the following code:
= {,} = (,) = (,) = {} = (.. ) = {= {[] =, [] = ., [] =,}} = {[] =, [] =, [] =} = (,) ~ = (,) (,) (, (,)) (,)
The result is as follows (the output is saved in XML format):
After reading the above, have you mastered the method of writing Nmap penetration test scripts? If you want to learn more skills or know more about the topic, you are welcome to follow the industry information channel. Thank you for reading!
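An added example, not the author's zzcmsxss.nse: a portrule script that sends a random, harmless marker in a query parameter and reports whether it comes back unencoded, using an output table that renders in XML just like the post's saved output, and the fully qualified --script-args names discussed earlier. The script name xss-reflect, the default path and parameter, and the argument names are assumptions.

```lua
-- Added example (not from the original post): reflected-XSS check using a marker
-- string instead of a script payload; detection only.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local url = require "url"

description = [[Checks whether a query parameter is reflected into the page unescaped.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "vuln"}

portrule = shortport.http

action = function(host, port)
  -- Assumed defaults; override with --script-args xss-reflect.path=...,xss-reflect.param=...
  local path  = stdnse.get_script_args("xss-reflect.path")  or "/index.php"
  local param = stdnse.get_script_args("xss-reflect.param") or "q"

  -- Per-run marker so the result cannot be confused with static page content
  local marker = ("nse%06d"):format(math.random(0, 999999))
  -- A safe application must encode the angle brackets before echoing them
  local probe = "<" .. marker .. ">"

  local resp = http.get(host, port, path .. "?" .. param .. "=" .. url.escape(probe))
  if not resp or not resp.body then return nil end

  local out = stdnse.output_table()
  out.path, out.param, out.status = path, param, resp.status

  -- plain find: the probe contains '<' and '>' which must not be read as a pattern
  if resp.body:find(probe, 1, true) then
    out.state = "VULNERABLE: marker reflected with raw angle brackets"
  elseif resp.body:find(marker, 1, true) then
    out.state = "reflected but encoded (likely safe)"
  else
    out.state = "not reflected"
  end
  return out
end
```

Run it against your own test instance with nmap -p80 --script ./xss-reflect.nse --script-args xss-reflect.path=/search.php,xss-reflect.param=keyword -oX result.xml <host>.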