Advanced Nmap: NMap Script Scanning

Nmap scripts

In previous articles, we have studied NMap in great detail, including live scanning a firewall and verifying the recommendations. Now, it’s time to study NMap script scanning.

Nmap.org describes the Nmap Scripting Engine (NSE) as one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts in the Lua programming language to automate a wide variety of networking tasks. Those scripts are executed in parallel, with the speed and efficiency you expect from Nmap. Users can rely on the growing, diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

To my amusement, Nmap’s feature set is growing day by day. It was introduced as just a port scanner, and it has now reached a stage where you can even use it for basic vulnerability analysis. The script (vulnerability check) database grows with every version: precisely 177 scripts are available with version 5.50, the latest Nmap release at the time of writing.

Before script-scanning networks, let’s try to understand a few ready-made scripts that let us detect various vulnerabilities in the network and devices at one go, in a very short time. Please remember, once you find vulnerabilities, you should immediately take corrective action to close them. These corrective measures may be as simple as changing passwords, disabling unused accounts, or as time-consuming and crucial as applying security patches or removing detected worms.

Table 1: Some useful Nmap scripts

1. dhcp-discover: Discovers DHCP servers on the network; the UDP discover request is sent from port 67, and the response is received on port 68.
2. ftp-bounce: Checks whether there are FTP servers that allow an FTP bounce attack to other hosts on the network. (Please refer to earlier articles, where we have discussed FTP bounce attacks.)
3. http-iis-webdav-vuln: Checks whether hosts with the vulnerability listed in Microsoft security bulletin MS09-020 (IIS 5.1/IIS 6.0) are present on the network.
4. ms-sql-info: Identifies Microsoft SQL Server details.
5. mysql-info: Identifies MySQL server details.
6. p2p-conficker: Checks whether a host is infected by the Conficker.C worm.
7. smb-enum-shares: A very interesting script, which identifies all SMB shares within the specified address range.
8. smb-enum-users: Identifies all SMB user names within the specified address range.
9. sniffer-detect: Finds hosts with pcap libraries installed.
10. sshv1: Lists all hosts with SSH version 1. As most of you will be aware, this version has documented vulnerabilities.

The various command line options for script scanning are as follows:

  • -sC — basic script scan (runs the default set of scripts)
  • --script <name> — runs only the named script(s), as in the scans below
  • --script-updatedb — updates the script database

Some of the scripts require the script argument unsafe to be set to 1 (--script-args=unsafe=1). Please remember that this enables destructive tests; these scripts will almost surely crash a system that has the corresponding vulnerability. Be careful not to use this option in a live production environment.

The actual scans

To start with, create a file IPList.txt listing all the active hosts on the network; it is passed to Nmap with -iL to specify the target hosts. Next, let us analyse the results of a few scans performed in a live environment. When you wish to try these scans yourself, don’t forget to obtain written permission from the management.

Checking for SSHv1

Table 2: sshv1 scan

Command: nmap --script sshv1 -iL IPList.txt -oN sshv1.txt
Explanation: The command line, running only one script, sshv1, against every host in IPList.txt and saving normal output to sshv1.txt.

Masked output of sshv1.txt:
Nmap scan report for 192.168.1.4
Host is up (0.00011s latency).
Not shown: 984 closed ports

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
|_sshv1: Server supports SSHv1
80/tcp    open  http
111/tcp   open  rpcbind
113/tcp   open  auth
  • The output identifies that the host with IP address 192.168.1.4 is running SSHv1.
  • On further probing, the host was identified to be running a very old version of Red Hat Linux.
  • Recommendation: Upgrade the SSH server to the latest version, which does not offer SSHv1.
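As an added example (not part of the original article), here is a small shell script that parses Nmap normal output (the -oN format shown above) and pulls out each host’s result for a named script. Run over the whole sshv1.txt or sniffer-detect.txt from an IPList.txt scan, it turns the per-host script lines into a list you can hand to the administrators, instead of reading the file by eye. The scan text embedded in it is constructed to resemble the outputs in this article and is not a real scan; the function names script_findings and hosts_flagged_by are this example’s own.

```shell
#!/bin/sh
# Constructed sample of Nmap normal (-oN) output, modelled on the sshv1 and
# sniffer-detect results shown in the article. Not output from a real scan.
SAMPLE_SCAN='Nmap scan report for 192.168.1.4
Host is up (0.00011s latency).
Not shown: 984 closed ports

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
|_sshv1: Server supports SSHv1
80/tcp    open  http

Nmap scan report for 192.168.1.5
Host is up (0.00010s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http

Nmap scan report for 192.168.1.26
Host is up (0.00012s latency).

PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
|_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: "1_1___1_")
'

# script_findings SCRIPT
#   Reads -oN output on stdin and prints "host<TAB>finding" for every result
#   line produced by SCRIPT. Port scripts ("|_sshv1: ...") and host scripts
#   ("|_sniffer-detect: ...") use the same "|_name:" prefix, so one pattern
#   serves both. The current host is taken from the "Nmap scan report for"
#   line; if Nmap prints "name (address)", the address is kept.
script_findings() {
    awk -v script="$1" '
        /^Nmap scan report for / {
            host = $NF
            gsub(/[()]/, "", host)
        }
        $0 ~ ("^\\|_? *" script ":") {
            finding = $0
            sub(/^[^:]*: */, "", finding)   # drop the "|_script: " prefix
            printf "%s\t%s\n", host, finding
        }
    '
}

# hosts_flagged_by SCRIPT: just the addresses that produced a result, one per
# line, which is the list that goes into the remediation ticket.
hosts_flagged_by() {
    script_findings "$1" | cut -f1 | sort -u
}

# Usage: replace $SAMPLE_SCAN with "cat sshv1.txt" for a real run.
printf '%s' "$SAMPLE_SCAN" | script_findings sshv1
printf '%s' "$SAMPLE_SCAN" | hosts_flagged_by sniffer-detect
```

Hosts that have port 22 open but no sshv1 line (192.168.1.5 in the sample) are deliberately absent from the list: the script only reports servers that actually offered protocol version 1.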

Sniffer detection

Table 3: sniffer-detect scan

Command: nmap --script sniffer-detect -iL IPList.txt -oN sniffer-detect.txt
Explanation: Initiates sniffer detection against every host in IPList.txt.

Masked output of sniffer-detect.txt:
Nmap scan report for 192.168.1.26
Host is up (0.00012s latency).
Not shown: 992 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2967/tcp open  symantec-av
5101/tcp open  admdog
5225/tcp open  unknown
5226/tcp open  unknown
8008/tcp open  http

MAC Address: 00:XX:XX:XX:XX:2D (Intel Corporate)

Host script results:

|_sniffer-detect: Windows with libpcap installed; may or may not be sniffing (tests: "1_1___1_")

  • The result for host 192.168.1.26 informs you that it is running Windows with libpcap installed. It further states that the host may or may not actually be sniffing; the presence of the library, not active capture, is what the script detects.
  • After discussion with the management, it became clear that the pcap libraries had indeed been installed on this host for testing their environment.

smb-enum-users

This is a very interesting script. In one go, you can identify all the users present on the entire network, and their status. You may wish to identify which of them have left the organisation, and disable or delete the corresponding accounts, as per company policy.

Table 4: smb-enum-users scan

Command: nmap --script smb-enum-users -iL IPList.txt -oN smb-enum-users.txt
Explanation: Scans all hosts listed in IPList.txt for SMB users.

Masked output of smb-enum-users.txt:
Nmap scan report for 192.168.1.109
Host is up (0.00015s latency).
Not shown: 989 closed ports

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1000/tcp open  cadlock
1145/tcp open  unknown
1720/tcp open  H.323/Q.931
2401/tcp open  cvspserver
2967/tcp open  symantec-av
5060/tcp open  sip
5061/tcp open  sip-tls
5101/tcp open  admdog

MAC Address: 00:XX:XX:XX:XX:04 (G-pro Computer)

Host script results:

| smb-enum-users:
|   TESTCOMPANY\A--------y (RID: 1228)
|   TESTCOMPANY\accounts_user (RID: 1125)
|   TESTCOMPANY\Administrator (RID: 500)
|   TESTCOMPANY\a---------r (RID: 1168)
|   TESTCOMPANY\a---------g (RID: 1224)
|   TESTCOMPANY\a---------r (RID: 1122)
|   TESTCOMPANY\A---------D$ (RID: 1249)
|   TESTCOMPANY\a---------e (RID: 1199)
|   TESTCOMPANY\A---------r (RID: 1231)
|   TESTCOMPANY\a---------e (RID: 1186)
|   TESTCOMPANY\A---------S$ (RID: 1218)
|   TESTCOMPANY\A---------S2$ (RID: 1227)
|   TESTCOMPANY\c---------r (RID: 1120)
|   TESTCOMPANY\c---------r (RID: 1120)
|   TESTCOMPANY\cvsserver$ (RID: 1176)
|   TESTCOMPANY\d---------e (RID: 1174)
|   TESTCOMPANY\d---------y (RID: 1212)
  • Though the scan was performed on a live installation, the company name and user names are masked here to preserve confidentiality.
  • When the script result was shown to TESTCOMPANY management, they were shocked to see active accounts of many past employees! Suspending all further tests and network audits, they first disabled the unwanted accounts.
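As an added example, not from the original article: the check that TESTCOMPANY’s management did by eye, written as a shell script so it can be repeated after every scan. It reads smb-enum-users results from Nmap normal output, separates machine accounts (names ending in $) from user accounts, and flags every user name that is missing from a roster of approved accounts, the kind of list HR or the identity system would supply. The roster, the account names and the scan text are all constructed for this example and are not taken from the page; the function names classify_accounts and review_accounts are this example’s own.

```shell
#!/bin/sh
# Constructed roster of accounts that are supposed to exist (in practice this
# comes from HR or the directory). Not from the article.
ROSTER="Administrator accounts_user dsmith"

# Constructed Nmap -oN output shaped like the smb-enum-users result in the
# article; names and RIDs are invented. The same entry appears twice on
# purpose, to show that duplicates are collapsed.
SAMPLE_SMB='Nmap scan report for 192.168.1.109
Host is up (0.00015s latency).

Host script results:

| smb-enum-users:
|   TESTCOMPANY\accounts_user (RID: 1125)
|   TESTCOMPANY\Administrator (RID: 500)
|   TESTCOMPANY\dsmith (RID: 1174)
|   TESTCOMPANY\jdoe_old (RID: 1212)
|   TESTCOMPANY\cvsserver$ (RID: 1176)
|   TESTCOMPANY\jdoe_old (RID: 1212)
'

# classify_accounts ROSTER
#   stdin: Nmap -oN output containing smb-enum-users results.
#   ROSTER: space-separated list of approved user names.
#   Prints one CSV line per distinct account: host,domain,user,rid,status
#   where status is "approved" (on the roster), "machine" (computer account,
#   name ends in $) or "review" (a user nobody on the roster vouches for).
classify_accounts() {
    awk -v roster="$1" '
        BEGIN {
            n = split(roster, r, " ")
            for (i = 1; i <= n; i++) approved[r[i]] = 1
        }
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        # Result lines look like: |   DOMAIN\user (RID: 1125)
        $1 == "|" && $2 ~ /\\/ && $3 == "(RID:" {
            rid = $4;    sub(/\)$/, "", rid)
            domain = $2; sub(/\\.*$/, "", domain)
            user = $2;   sub(/^.*\\/, "", user)
            key = host "," domain "," user "," rid
            if (key in seen) next          # skip a repeated entry
            seen[key] = 1
            if (user ~ /\$$/)          status = "machine"
            else if (user in approved) status = "approved"
            else                       status = "review"
            print key "," status
        }
    '
}

# review_accounts ROSTER: only the user names that need a decision from the
# business, i.e. the list to take to management.
review_accounts() {
    classify_accounts "$1" | grep ',review$' | cut -d, -f3 | sort -u
}

# Usage: replace $SAMPLE_SMB with "cat smb-enum-users.txt" for a real run.
printf '%s' "$SAMPLE_SMB" | classify_accounts "$ROSTER"
printf '%s' "$SAMPLE_SMB" | review_accounts "$ROSTER"
```

Machine accounts are reported separately rather than flagged, because a computer account that is not on the staff roster is normal; a user account that is not on it is exactly the case the article describes, and that is what ends up in the review list.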

The power of Nmap script scans doesn’t end here. By using the various script-selection options, you can run combinations of script categories (SMB scans, HTTP scans, etc.) in one go.
