
2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Nmap Network Security Audit (6) Nmap script engine NSE

NSE scripts are written in Lua. NSE was designed to give Nmap flexibility beyond plain port scanning; the version discussed here ships with 14 categories of scripts, more than 500 in total. These scripts audit the password strength of various network services, check server security configuration, test servers for known vulnerabilities, and so on.

Running NSE scripts

Let's run a default script scan against a host and look at the options used: -O performs operating system detection, -sV probes open ports to identify the service and its version, and -sC runs the scripts in the default category (no individual script is named here). Default scripts are chosen so that they do not harm the target, but scripts from other categories may trigger alerts on the target's security defences.

nmap -sV -sC -O 192.168.126.139

A few example scripts (the category a script belongs to can be checked with nmap --script-help <name>):

banner.nse: collects banners. It connects to each open TCP port of the target and prints whatever the service sends within 5 seconds (a banner is the welcome or identification message a service sends on connect).

broadcast-ping.nse: discovers hosts on the local network by sending a broadcast ping.

dns-recursion.nse: detects whether a DNS server answers recursive queries from third parties, which allows it to be abused as a reflector in a DNS amplification attack.

upnp-info.nse: attempts to extract system information through the UPnP service.

firewalk.nse: discovers firewall devices by exploiting the TTL expiration mechanism of the IP protocol.

The NSE script categories:

auth: scripts that deal with authentication credentials, including checks for authentication bypass

broadcast: discover further hosts and services on the LAN by broadcast, e.g. DNS, SQL Server

brute: brute-force password guessing against common applications such as HTTP, SSH and FTP

default: the scripts run by the -sC or -A options; they provide basic scanning capability

discovery: gather more information about the network, such as SMB enumeration or SNMP queries

dos: scripts that launch a denial of service attack

exploit: scripts that exploit a vulnerability on the target system

external: scripts that send data to third-party services

fuzzer: fuzzing scripts that send malformed packets to the target host to uncover potential vulnerabilities

intrusive: scripts that may crash the target system or place a heavy load on the target network; such scripts are easily detected by firewalls or IPS

malware: scripts that detect malware infections

safe: scripts considered harmless to the target

version: scripts that extend version detection

vuln: scripts that check the target host for known vulnerabilities

Those are NSE's 14 script categories. Scripts are selected with the --script option, followed by a script name, a category, the path to a script file, or a directory containing several scripts.

Here I pick one to check whether the host has common vulnerabilities. When a category name is given as the argument, every script in that category is run against the target:

nmap --script vuln 192.168.126.139

The http-methods script enumerates the HTTP methods accepted by the target web server:

nmap -p 80,443 --script http-methods www.*.com

The output shows that the target server supports GET, HEAD, POST, OPTIONS and TRACE. That TRACE is enabled is worth noting; its risk is discussed below.

Scripts from several categories can be combined in one scan with a comma-separated list:

nmap --script exploit,malware 192.168.126.139

A script can also be given by path. The bundled scripts live in the scripts directory of the Nmap installation, i.e. .../nmap/scripts/xxx.nse:

nmap --script D:/Nmap/scripts/banner.nse 192.168.126.139

If you write your own scripts, put them in a directory of their own. Passing that directory to --script runs every script in it; passing the path of a single file runs only that script.

Selecting scripts with boolean operators:

Run every script except those in the exploit category:

nmap --script "not exploit" 192.168.126.139

Run every script except those in the intrusive, dos and exploit categories:

nmap --script "not (intrusive or dos or exploit)" 192.168.126.139

Run only scripts that are in both the safe and the vuln category:

nmap --script "safe and vuln" 192.168.126.139

NSE also supports the wildcard *. To audit a host running the SNMP service with every SNMP-related script:

nmap --script "snmp-*" 192.168.126.139

Categories, wildcard names and operators can be combined in one expression:

nmap --script "ftp-* and not (intrusive)" 192.168.126.139

Passing arguments to NSE scripts
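To make the selection rules concrete, here is an added example (not from the article and not Nmap's own code, whose selector lives in nse_main.lua) that re-implements the --script expression semantics described above: script names with wildcards, category names, and/or/not with parentheses, commas treated as "or", and the special name all. The script catalogue it runs against is constructed for the example; the category assignments in it are assumptions, not a statement about the real scripts.

```python
"""Added example: evaluate Nmap-style --script selection expressions against a
constructed catalogue. Mirrors the documented rules; not Nmap's own code."""
import fnmatch
import re

# Constructed sample catalogue: script name -> categories (assumed values).
CATALOG = {
    "banner": {"discovery", "safe"},
    "ftp-anon": {"default", "auth", "safe"},
    "ftp-brute": {"intrusive", "brute"},
    "ftp-vsftpd-backdoor": {"exploit", "intrusive", "malware", "vuln"},
    "http-methods": {"default", "discovery", "safe"},
    "http-slowloris": {"dos", "intrusive"},
    "snmp-info": {"default", "discovery", "safe"},
    "snmp-brute": {"intrusive", "brute"},
}

# Operators only count as operators when not followed by more name characters,
# so a script called e.g. "android-foo" is not split into "and" + "roid-foo".
_TOKEN = re.compile(
    r"\s*(\(|\)|,|and(?![\w*?.-])|or(?![\w*?.-])|not(?![\w*?.-])|[\w*?.-]+)")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse {expr[pos:]!r}")
        tokens.append("or" if m.group(1) == "," else m.group(1))  # "a,b" == "a or b"
        pos = m.end()
    return tokens


class _Matcher:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | name-or-category."""

    def __init__(self, tokens, name, categories):
        self.tokens, self.pos = tokens, 0
        self.name = name.lower()
        self.categories = {c.lower() for c in categories}

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()  # always parsed so syntax errors are never masked
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok in (")", "and", "or"):
            raise ValueError(f"unexpected {tok!r}")
        tok = tok.lower()
        if tok == "all":  # Nmap's special selector for every script
            return True
        # A bare word selects by script name (wildcards allowed) or by category.
        return fnmatch.fnmatchcase(self.name, tok) or tok in self.categories


def matches(expr, name, categories):
    m = _Matcher(tokenize(expr), name, categories)
    value = m.expr()
    if m.peek() is not None:
        raise ValueError(f"trailing token {m.peek()!r}")
    return value


def select(expr, catalog=CATALOG):
    """Return the sorted script names that `--script <expr>` would run."""
    return sorted(n for n, c in catalog.items() if matches(expr, n, c))


if __name__ == "__main__":
    for e in ("not exploit", "not (intrusive or dos or exploit)", "safe and vuln",
              "snmp-*", "ftp-* and not (intrusive)", "exploit,malware"):
        print(f"{e:36} -> {select(e)}")
```

Running it prints, for each expression from the commands above, the subset of the sample catalogue it selects; note that "safe and vuln" selects nothing here, because no constructed script carries both tags, which is exactly the kind of empty result you get when an over-restrictive expression is typed by mistake.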

Use --script-args to pass arguments to NSE scripts at run time. Take the http-methods scan again:

nmap -p 80 --script http-methods www.***.com

When the script runs, Nmap sends HTTP requests to the target whose User-Agent header identifies Nmap by default.

Such a client is often blocked by security controls. With --script-args we can set the http library's useragent argument to something else, here "Mozilla 50":

nmap -p 80 --script http-methods --script-args http.useragent="Mozilla 50" www.***.com

Debugging NSE scripts

To see exactly what a script does during the scan, which makes the process much clearer, use --script-trace as mentioned earlier; it prints every packet the scripts send and receive:

nmap -p 80 --script-trace --script http-methods --script-args "http.useragent=Mozilla 50" www.***.com

You can also raise the debug level with -d[1-9]; the larger the number, the more detailed the output:

nmap -d3 --script-trace --script http-methods www.***.com

Application of common scripts in NSE

Nmap's basic functions are host discovery, port scanning, and operating system and service detection; NSE adds a large number of higher-level functions on top of them.

Information collection class script

A large number of NSE scripts implement this function, using different techniques to collect all kinds of information about the target. The http-methods script shows which HTTP methods the target server supports.

Audit purpose of http-methods: a web server must support HTTP methods in order to serve HTTP at all. The common ones are:

GET: request the specified resource

HEAD: like GET, but the server returns only the headers

POST: submit data to the specified resource for processing

PUT: replace the specified resource with the data sent by the client

DELETE: request that the server delete the specified resource

OPTIONS: ask the server which methods and capabilities it supports

TRACE: echo the received request back to the client

TRACE, CONNECT, PUT and DELETE can each be a security risk for a web server. TRACE in particular enables cross-site tracing (XST): if an attacker can run script in a victim's browser, for example through a page on a host they control or have compromised, that script can send a TRACE request to the target server. Because TRACE echoes the full request back, the response contains the victim's cookies and HTTP Basic authentication header, which the script then relays to the attacker's host and uses for cookie theft (session hijacking) or a man-in-the-middle attack. Modern browsers refuse to issue TRACE from script, which limits the practical exposure, but the method should still be disabled unless it is needed.
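To show what the http-methods audit above and the TRACE risk look like at the protocol level, here is an added example (not from the article and not Nmap's http-methods.nse). It asks the server for its Allow header with OPTIONS, then probes each method directly, because servers frequently honour methods they do not advertise, and it demonstrates why TRACE matters by showing the Cookie header coming back in the echoed request. The target is a constructed local HTTP server that mimics a server with TRACE left enabled; the user-agent value mirrors the http.useragent argument used in the commands above.

```python
"""Added example: HTTP method probe with TRACE/XST demonstration against a
constructed local server. Not Nmap's http-methods.nse."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RISKY = {"TRACE", "CONNECT", "PUT", "DELETE"}
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]


class _TraceEnabledServer(BaseHTTPRequestHandler):
    """Constructed target: advertises GET/HEAD/POST/OPTIONS in Allow, rejects
    PUT/DELETE, but quietly honours TRACE (a common misconfiguration)."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=b"", extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok")
    do_HEAD = do_POST = do_GET

    def do_PUT(self):
        self._reply(405)
    do_DELETE = do_PUT

    def do_OPTIONS(self):
        self._reply(204, extra=[("Allow", "GET, HEAD, POST, OPTIONS")])

    def do_TRACE(self):
        # TRACE echoes the request line and every header it received.
        echo = f"{self.requestline}\r\n{self.headers}".encode()
        self._reply(200, echo, [("Content-Type", "message/http")])


def probe_methods(host, port, user_agent="Mozilla 50"):
    """Return what OPTIONS advertised, which methods were actually accepted
    (anything not answered 405/501) and the body echoed by TRACE, if any."""
    headers = {"User-Agent": user_agent, "Cookie": "session=secret-cookie-value"}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/", headers=headers)
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow", "")
    result = {"advertised": {m.strip() for m in allow.split(",") if m.strip()},
              "accepted": {}, "trace_echo": None}
    for method in METHODS:
        conn.request(method, "/", headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        if resp.status not in (405, 501):
            result["accepted"][method] = resp.status
        if method == "TRACE" and resp.status == 200:
            result["trace_echo"] = body.decode(errors="replace")
    conn.close()
    return result


def audit(host, port):
    """Summarise the probe the way an auditor wants it: accepted methods, methods
    hidden from OPTIONS, risky methods, and whether TRACE leaked the cookie."""
    res = probe_methods(host, port)
    hidden = set(res["accepted"]) - res["advertised"] - {"OPTIONS"}
    echo = res["trace_echo"] or ""
    return {"accepted": sorted(res["accepted"]),
            "hidden": sorted(hidden),
            "risky": sorted(RISKY & set(res["accepted"])),
            "cookie_leaked": "secret-cookie-value" in echo}


def run_demo():
    """Start the constructed server on a free port, audit it, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), _TraceEnabledServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The "hidden" field is the point of probing each method rather than trusting OPTIONS: the constructed server never lists TRACE in Allow, yet accepts it, and the echoed body carries the Cookie header verbatim.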

Advanced host discovery class script

Script broadcast-ping.nse

Audit purpose: find active hosts in the local network

Audit method: the script sends an ICMP echo request to the broadcast address of the local network and records which hosts answer. Run it only against your own network.

Audit command:

nmap --script broadcast-ping

Audit results:

Script targets-sniffer.nse

Audit purpose: find active hosts in the local network

Audit method: the script passively sniffs the local network and adds every host it sees talking to the target list. Run it only on your own network.

Audit command:

nmap -sL --script=targets-sniffer -e xxx

Audit results:

-e selects the network interface to listen on.

Password audit script

Network services usually require some form of authentication, and by far the most common is a username and password. The advantage of this scheme is that it is simple; the disadvantage is that many users do not appreciate the importance of password strength and choose simple, easy-to-remember passwords that are easy to guess. Network administrators therefore need an effective tool to audit the password strength of the various services in their network.

1. Script mysql-brute.nse

Audit purpose: find MySQL databases with weak passwords in the network

Audit method: the method of mysql-brute.nse is very simple. Nmap ships two data files, one of common usernames and one of common passwords; the script tries every combination of the two and attempts to log in.

Audit command:

nmap -p 3306 --packet-trace --script mysql-brute 192.168.126.141

No password was cracked here. The success rate depends on the size of the dictionary; if you want to try it yourself, you can supply your own word lists with the userdb and passdb script arguments, and there are password dictionaries published on GitHub that can be used.

2. Script smtp-brute.nse

The smtp-brute.nse script checks whether the passwords of the target mail server's SMTP service are weak.

Audit purpose: mail servers often hold very important information, and users are authenticated by username and password. Accounts with simple names and passwords are easy targets for attack, so weak passwords on the server should be found first.

Audit method: exhaustive password guessing. The script supports five SMTP authentication methods: LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. By default smtp-brute.nse takes its usernames from nselib/data/usernames.lst and its passwords from nselib/data/passwords.lst.

Audit command:

nmap -p 25 --script smtp-brute 192.168.0.1

Audit result: no SMTP server was set up for this demonstration; if you have one available, try it yourself.
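Since no SMTP server was available for the demonstration above, here is an added example (not from the article and not smtp-brute.nse) of what the script has to do for three of the mechanisms it supports: build the client side of AUTH PLAIN, AUTH LOGIN and CRAM-MD5, and loop over a username/password list until one pair is accepted. A matching server-side verifier with a constructed user database is included so the exchange can be traced end to end offline; the sample credentials and the CRAM-MD5 challenge are constructed. DIGEST-MD5 and NTLM are not shown.

```python
"""Added example: SMTP AUTH mechanisms (PLAIN, LOGIN, CRAM-MD5) as a client would
send them, plus a server-side verifier and a brute-force loop. Not smtp-brute.nse."""
import base64
import hmac

# Constructed server-side account database (assumption for the demo).
USERS = {"alice": "s3cret", "bob": "password"}

# Constructed CRAM-MD5 challenge, in the style a server sends after AUTH CRAM-MD5.
SAMPLE_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.example>").decode()


def auth_plain(user, password, authzid=""):
    """RFC 4616: AUTH PLAIN base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return "AUTH PLAIN " + base64.b64encode(raw).decode()


def auth_login(user, password):
    """AUTH LOGIN: the command, then base64 answers to the server's
    'Username:' and 'Password:' prompts."""
    return ["AUTH LOGIN",
            base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def auth_cram_md5(user, password, challenge_b64):
    """RFC 2195: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_plain(line):
    """Server side of AUTH PLAIN: decode and compare against USERS."""
    b64 = line.split(" ", 2)[2]
    _authzid, user, password = base64.b64decode(b64).decode().split("\0")
    return USERS.get(user) == password


def verify_cram_md5(response_b64, challenge_b64):
    """Server side of CRAM-MD5: recompute the HMAC from the stored password.
    The server never sees the password on the wire, only the keyed digest."""
    user, digest = base64.b64decode(response_b64).decode().split(" ")
    password = USERS.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


def brute_force(mechanism, users, passwords, challenge_b64=SAMPLE_CHALLENGE):
    """What a brute script does: try every user/password pair, return the first hit.
    A real server issues a fresh CRAM-MD5 challenge per attempt; one is reused here."""
    for user in users:
        for password in passwords:
            if mechanism == "PLAIN":
                ok = verify_plain(auth_plain(user, password))
            elif mechanism == "CRAM-MD5":
                ok = verify_cram_md5(auth_cram_md5(user, password, challenge_b64), challenge_b64)
            else:
                raise ValueError(f"unsupported mechanism {mechanism}")
            if ok:
                return (user, password)
    return None


if __name__ == "__main__":
    print(auth_plain("alice", "s3cret"))
    print(auth_login("bob", "password"))
    print(auth_cram_md5("alice", "s3cret", SAMPLE_CHALLENGE))
    print(brute_force("PLAIN", ["root", "bob"], ["123456", "password"]))
    print(brute_force("CRAM-MD5", ["alice"], ["123456", "s3cret"]))
```

The difference between the mechanisms is visible in the output: PLAIN and LOGIN put the password itself on the wire, only base64-encoded, so they are trivially readable without TLS, while CRAM-MD5 sends a keyed digest, which still allows online guessing (the brute loop works unchanged) but does not expose the password to a passive listener.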

Vulnerability scanning script

NSE scripts extend Nmap with vulnerability scanning; with them Nmap can test targets for specific weaknesses.

1. Script http-slowloris.nse

Slowloris is an attack that sends HTTP requests to the server extremely slowly. A web server has an upper limit on concurrent connections; if the malicious connections are never released, eventually every connection slot is held by the attacker and legitimate clients are denied service.

Audit method: the http-slowloris script opens connections to the target and keeps them alive by sending a malformed, incomplete HTTP request, trickling in header lines so the request never finishes.

Audit command:

nmap -p 80 --script http-slowloris --max-parallelism 300 www.xxx.com

Audit results: no experiment was run here; do not test websites you are not authorised to attack.

Audit extension: the scan can be tuned with the http-slowloris.send_interval argument, which sets the interval in seconds between header lines sent on each connection. The default is 100; here it is changed to 200:

nmap -p 80 --script http-slowloris --script-args http-slowloris.send_interval=200 --max-parallelism 300 www.***.com

The http-slowloris.timelimit argument sets how long the DoS runs. The default is 30 minutes; here it is reduced to 10:

nmap -p 80 --script http-slowloris --script-args http-slowloris.timelimit=10m www.***.com

The http-slowloris.runforever argument keeps the DoS attack against the target running indefinitely. The default is false:

nmap -p 80 --script http-slowloris --script-args http-slowloris.runforever www.***.com

Nmap also ships http-slowloris-check.nse, which does not launch a DoS but only tests whether the target is vulnerable to a Slowloris attack:

nmap -p 80 --script http-slowloris-check www.***.com
