It was the 1st of September 1997 when Gordon Lyon released the article “The Art of Scanning” in Phrack Magazine. This was the first release of the well-known open source tool for network exploration and security auditing called Nmap. 15 years later we have Nmap 6, NSE (the Nmap Scripting Engine) and a bunch of books about this powerful tool.
Basically, I would like to introduce you to some of the Nmap Scripting Engine scripts available. The latest version brings more than 430 scripts. Let’s first install Nmap 6 and then use the NSE scripts. Using a Linux system, download the latest version of Nmap 6 from the official source code repository. To accomplish this task, gcc, openssl and make should be installed on your system. The Subversion version control system is the best way to download the source and stay up to date.
$ cd /tmp/
$ mkdir nmap
$ svn co --username guest https://svn.nmap.org/nmap
Then you can use the configure script to set up the different variables and parameters, and run make to compile the code and generate the binaries. When building Nmap from source you can use ./configure --help to see a complete list of the directives available.
$ cd nmap/
/tmp/nmap# ./configure
/tmp/nmap# make
/tmp/nmap# make install
$ nmap -V
Nmap version 6.20BETA1 ( http://nmap.org )
Now that the latest version of Nmap is installed you should have around 430 scripts written for NSE under /usr/local/share/nmap/scripts. Among them you have scripts that allow you to check if a particular system is vulnerable to CVE-2012-1823, CVE-2012-2122 and CVE-2012-1182, for the PHP, MySQL and Samba services respectively.
Others are related to GeoIP, and one particularly interesting one is called ip-geolocation-maxmind. This one gives you the ability to retrieve the geolocation of the IP you are scanning using the MaxMind database. To be able to run this script you first need to download the GeoLiteCity database into the /usr/local/share/nmap/nselib/data folder.
$ cd /usr/local/share/nmap/nselib/data
$ wget -N -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
$ nmap --script ip-geolocation-maxmind 84.72.11.109 -p 80
Host script results:
| ip-geolocation-maxmind:
| 84.72.11.109
| coordinates (lat,lon): 47.3667,8.55
|_ city: Zurich, Switzerland
Besides GeoIP, you can also retrieve the WHOIS records of an address without running a port scan.
$ nmap --script whois -v -Pn -sn 4.4.4.4
Host script results:
| whois: Record found at whois.arin.net
| netrange: 4.4.0.0 - 4.4.255.255
| netname: LVLT-STATIC-4-4-16
| orgname: Level 3 Communications, Inc.
| orgid: LVLT
| country: US stateprov: CO
|
| orgtechname: ipaddressing
|_orgtechemail: ipaddressing@level3.com
You can extend the use of the free MaxMind services even further and download the GeoIPCountryCSV.zip archive, which contains the GeoIPCountryWhois.csv file. Then feed it into Nmap to scan the IP address ranges of a particular country.
$ wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
$ unzip GeoIPCountryCSV.zip
Looking at the contents of the file we can easily grep for the IP addresses for a particular country.
$ head GeoIPCountryWhois.csv
"0.116.0.0","0.119.255.255","7602176","7864319","AT","Austria"
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
Next, cat the file and grep for the string you want, in this case Portugal. Then use awk with "," as the delimiter and print fields 1 and 2 joined by a hyphen. Pipe that into tr to delete the double-quote character, and write the output into the file IP.Addresses.PT.
$ cat GeoIPCountryWhois.csv | grep Portugal | awk -F "," '{print $1 "-" $2}' | tr -d '"' > IP.Addresses.PT
root@bt:/tmp/nmap/nselib/data# head IP.Addresses.PT
2.80.0.0-2.80.18.255
2.80.20.0-2.83.255.255
5.43.0.0-5.43.63.255
5.44.192.0-5.44.207.255
5.158.0.0-5.158.63.255
Now, we need to change the format of the file so that Nmap can read it. We need to change from "2.80.0.0-2.80.18.255" to the octet-range form "2-2.80-80.0-18.0-255".
To do that we use awk's split function. From the awk manual:
split(string, array, fieldsep)
This divides string into pieces separated by fieldsep, and stores the pieces in array. The first piece is stored in array[1], the second piece in array[2], and so forth. The string value of the third argument, fieldsep, is a regexp describing where to split string (much as FS can be a regexp describing where to split input records). If the fieldsep is omitted, the value of FS is used. split returns the number of elements created. The split function, then, splits strings into pieces in a manner similar to the way input lines are split into fields.
If you want to understand this command better, I recommend reading the previous paragraph carefully.
$ cat IP.Addresses.PT | awk -F "." '{split($4,array,"-"); print $1"-"array[2]"."$2"-"$5"."$3"-"$6"."array[1]"-"$7}' > IP.Addresses.PT.nmap
The output will be:
$ head IP.Addresses.PT.nmap
2-2.80-80.0-18.0-255
2-2.80-83.20-255.0-255
5-5.43-43.0-63.0-255
5-5.44-44.192-207.0-255
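One caveat a practitioner should keep in mind: the octet-by-octet form only represents a range exactly when it does not cross a second- or third-octet boundary (2.80.20.0-2.83.255.255 becomes 2-2.80-83.20-255.0-255, which skips 2.81.0.0-2.81.19.255, 2.82.0.0-2.82.19.255 and 2.83.0.0-2.83.19.255). Since Nmap target lists also accept CIDR notation, the following added Python script (not part of the original post) converts the start-end lines of IP.Addresses.PT into an exact CIDR list and flags the ranges whose octet form would be lossy; the sample ranges embedded in it are constructed from the output above.

```python
import ipaddress

# Constructed sample in the IP.Addresses.PT format (start-end per line);
# the second range crosses a second-octet boundary.
SAMPLE_RANGES = """\
2.80.0.0-2.80.18.255
2.80.20.0-2.83.255.255
5.43.0.0-5.43.63.255
"""

def octet_range(start, end):
    """Octet-by-octet form produced by the awk one-liner, e.g. 2-2.80-80.0-18.0-255."""
    return ".".join(f"{a}-{b}" for a, b in zip(start.split("."), end.split(".")))

def octet_range_size(spec):
    """Number of addresses an octet-range spec actually expands to."""
    n = 1
    for part in spec.split("."):
        a, b = map(int, part.split("-"))
        n *= b - a + 1
    return n

def to_cidrs(start, end):
    """Exact cover of start..end as CIDR blocks, which nmap -iL accepts as-is."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]

def convert(text):
    """Return (cidr_lines, lossy_ranges): CIDR targets for every input line, plus
    the ranges whose octet-range form does not expand to the same number of hosts."""
    cidrs, lossy = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start, end = line.split("-")
        true_size = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
        if octet_range_size(octet_range(start, end)) != true_size:
            lossy.append(line)
        cidrs.extend(to_cidrs(start, end))
    return cidrs, lossy

if __name__ == "__main__":
    cidr_lines, lossy_ranges = convert(SAMPLE_RANGES)
    print("\n".join(cidr_lines))  # redirect into a file and pass it to nmap -iL
    for rng in lossy_ranges:
        print("octet-range form is only approximate for", rng)
```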
Now that we have the information parsed into the format Nmap expects, you can use another NSE script. This time it is http-open-proxy, which tries to identify systems that will allow you to proxy connections through them. We can now scan per country! The -Pn option scans the hosts even if they don't respond to ICMP requests, -iL specifies a list of hosts, and -p specifies the ports.
$ nmap -Pn --script=http-open-proxy -iL IP.Addresses.PT.nmap -p 8080,3128
Another cool script is http-google-malware, which checks if hosts are on Google’s blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google’s Safe Browsing service. To be able to run this script you need to sign up for the Safe Browsing API. You can manually check the Safe Browsing functionality with the URL http://www.google.com/safebrowsing/diagnostic?site=google.com ; replace site=google.com with the site you want to check.
After you have your API key you can run the following command (with your own key in place of the placeholder):
$ nmap -Pn -p80 --script http-google-malware --script-args http-google-malware.api=<your-api-key> http://www.site.com
PORT STATE SERVICE
80/tcp open http
|_http-google-malware.nse: Host is known for distributing malware
For each NSE script there are additional arguments that you can pass with the --script-args option. The best source of information about them is the .nse file itself under /usr/local/share/nmap/scripts.