1 of 48

Advanced Nmap Scripting

Make Nmap work for you!

2 of 48

Me!

  • Ron Bowes
  • Tenable Network Security
  • SkullSpace Winnipeg

Who I am

3 of 48

Tenable

  • Vulnerability Research Engineer
  • Reverse engineering, plugin development

4 of 48

SkullSpace

  • Winnipeg's first and only hackerspace
  • Founded in January/2011
  • Moved into our space June/2011

5 of 48

Urban exploration

  • Hacking the physical world
  • Cuz really, who needs sleep at a con?

6 of 48

Climbing down drains...

7 of 48

Abandoned factories...

8 of 48

And even a boat!

9 of 48

Vulnerability scanning

  • Plenty of tools
    • Nessus, Nmap, nCircle, Foundstone, etc
  • What are the differences?
    • Why does Tenable let me talk about Nmap at all? :-)
      • Nmap and Nessus are complementary
    • Safe vs intrusive
    • Automated vs manual
    • Offensive vs defensive

10 of 48

What is Nmap scripting?

  • Nmap's traditional features...
    • Portscanning
    • Version detection
    • OS detection
  • Good, but static

11 of 48

History

  • Decided to use Lua
  • Written as a Google Summer of Code project

12 of 48

Scripts!

  • Currently 244 scripts, 65 libraries

13 of 48

Categories

  • Discovery
  • Safe
  • Intrusive
  • Default
  • Auth
  • Vuln
  • Broadcast
  • External
  • Exploit
  • Version
  • Malware
  • DoS
  • Fuzzer

14 of 48

Categories - Safe vs Intrusive

  • Safe
    • Scripts that probably won't break anything, trigger IDS, etc
    • eg:
      • asn-query.nse
      • xmpp-info.nse
      • nbstat.nse
      • p2p-conficker.nse
      • gopher-ls.nse
  • Intrusive
    • Scripts that aren't “safe”
    • eg:
      • broadcast-avahi-dos.nse
      • dns-random-txid.nse
      • ssl-enum-ciphers.nse
      • sniffer-detect.nse

15 of 48

Categories: Default

  • Scripts that will run with -A
  • Valuable, not verbose, safe
  • eg:
    • ftp-bounce.nse
    • finger.nse
    • http-default-accounts.nse
    • snmp-netstat.nse
    • backorifice-info.nse
    • ssh-hostkey.nse

16 of 48

Categories: Auth

  • Scripts that involve passwords
    • bruteforce, default accounts
  • Eg:
    • http-wordpress-brute.nse
    • oracle-brute.nse
    • cvs-brute-repository.nse
    • pop3-brute.nse
    • creds-summary.nse
    • http-barracuda-dir-traversal.nse

17 of 48

Categories: Broadcast

  • Scripts that do checks on the current subnet
  • Eg:
    • broadcast-avahi-dos.nse
    • broadcast-db2-discover.nse
    • broadcast-upnp-info.nse
    • targets-ipv6-multicast-info.nse
    • broadcast-listener.nse

18 of 48

Categories: External

  • Scripts that use external resources
  • Eg:
    • asn-query.nse
    • ip-geolocation-geobytes.nse
    • smtp-open-relay.nse
    • http-open-proxy.nse
    • dns-random-txid.nse
    • smtp-enum-users.nse

19 of 48

Categories: Malware

  • Scripts that detect malware
    • ftp-proftpd-backdoor.nse
    • irc-unrealircd-backdoor.nse
    • http-malware-host.nse
    • smtp-strangeport.nse
    • ftp-vsftpd-backdoor.nse
    • http-google-malware.nse

20 of 48

More info

  • http://nmap.org/nsedoc

21 of 48

Running scripts

  • Scripts are run with --script=xxx
    • xxx can be...
      • Name
      • Category
        • Eg: --script='auth'
      • Pattern
        • Eg: --script='brute-*'
        • Eg: --script='safe and not *brute*'
      • Arbitrarily complex expression
        • Eg: --script='brute-* and (not auth or *user*) and safe'

22 of 48

Getting scripts

  • Most scripts come with Nmap
  • Some didn't make the cut for various reasons
    • Not useful enough
    • Depends on too much user input
    • Etc
  • https://secwiki.org/w/Nmap/Script_Vault

23 of 48

Zenmap

  • Nmap's GUI integrates with NSE now

24 of 48

Scripts/libraries

  • Let's look at some of the coolest!

25 of 48

http-enum.nse

  • Detects Web pages
  • Uses various URLs + patterns (“signatures”)
    • nselib/data/http-fingerprints.nse
  • Inspired by Yokoso (from Kevin Johnson)
  • eg,
    • Try ../../../etc/passwd, look for “root”
    • Try / and look for “Index of”
    • Try /level/15 and look for “cisco-IOS”

26 of 48

http-enum.nse

  • Sample signature:

    table.insert(fingerprints, {
      category='general',
      probes={
        {path='/level/15', method='HEAD'},
        {path='/exec/show/log/CR', method='HEAD'},
        {path='/level/15/exec/-/configure/http', method='HEAD'},
        {path='/level/15/exec/-', method='HEAD'}
      },
      matches= {
        -- match is a Lua pattern: '-' is a quantifier, so the literal hyphen is escaped
        {match='cisco%-IOS', output='Cisco 2811'}
      }
    })
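How a signature in this format is evaluated (probes are requested, each match pattern is tried against the response), shown as an added example rather than http-enum.nse's own code. It runs offline against constructed responses standing in for the HTTP layer, and it assumes, as a simplification, that a match pattern is a Lua pattern tested against the whole response text (status line, headers and body). The second signature, for directory listings, is the slide's "Try / and look for Index of" case written out.

```lua
-- Added example, not http-enum.nse's own code: a minimal evaluator for
-- signatures in the http-fingerprints format, run offline against
-- constructed responses so the probe/match mechanics can be inspected.
-- Assumption: a match pattern is a Lua pattern tested against the full
-- response text (status line, headers and body).

local fingerprints = {}

table.insert(fingerprints, {
  category = 'general',
  probes = {
    {path = '/level/15', method = 'HEAD'},
    {path = '/level/15/exec/-', method = 'HEAD'},
  },
  matches = {
    -- Lua pattern: '-' is a quantifier, so the literal hyphen is escaped.
    {match = 'cisco%-IOS', output = 'Cisco IOS device'},
  },
})

table.insert(fingerprints, {
  category = 'general',
  probes = {
    {path = '/', method = 'GET'},
  },
  matches = {
    {match = 'Index of /', output = 'Directory listing enabled'},
  },
})

-- Constructed stand-in for the HTTP layer: what each probe path would return.
-- In a real script these come from http.head()/http.get(); nil means "not found".
local constructed_responses = {
  ['/level/15'] = 'HTTP/1.1 401 Unauthorized\r\n'
    .. 'WWW-Authenticate: Basic realm="level_15_access"\r\n'
    .. 'Server: cisco-IOS\r\n\r\n',
  ['/'] = 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<title>Index of /</title>',
}

local function fetch(method, path)
  return constructed_responses[path]
end

-- Evaluate every fingerprint: each probe is "sent", and every match pattern
-- is tried against the response. Returns a list of "path: output" findings.
local function run_fingerprints(fps, fetch_fn)
  local findings = {}
  for _, fp in ipairs(fps) do
    for _, probe in ipairs(fp.probes) do
      local text = fetch_fn(probe.method, probe.path)
      if text then
        for _, m in ipairs(fp.matches) do
          if string.find(text, m.match) then
            table.insert(findings, string.format('%s: %s', probe.path, m.output))
            break  -- first matching pattern wins for this probe
          end
        end
      end
    end
  end
  return findings
end

for _, line in ipairs(run_fingerprints(fingerprints, fetch)) do
  print(line)
end
```

The break after the first hit is the design choice worth noticing: a fingerprint reports one result per probe, so the most specific pattern should be listed first in `matches`.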

27 of 48

“Target” scripts

  • Discovers new targets to scan
  • eg:
    • broadcast-dropbox-listener.nse
    • broadcast-ms-sql-discover.nse
    • db2-discover.nse
    • dns-brute.nse
    • dns-zone-transfer.nse
    • hostmap.nse
    • iscsi-info.nse
    • etc

28 of 48

“Target” scripts

  • Running them...

    $ sudo nmap --traceroute --script=targets-traceroute \
        --script-args=newtargets scanme.insecure.org
    [...]
    Host script results:
    |_targets-traceroute: successfully added 14 new targets.

29 of 48

“Broadcast” scripts

  • Simple to use:

    $ sudo ./nmap --script=broadcast-dhcp-discover
    Starting Nmap 5.59BETA3 ( http://nmap.org ) at 2011-09-18 20:16 CDT
    Pre-scan script results:
    | broadcast-dhcp-discover:
    |   IP Offered: 192.168.1.112
    |   Server Identifier: 192.168.1.1
    |   Subnet Mask: 255.255.255.0
    |   Router: 192.168.1.1
    |_  Domain Name Server: 206.220.194.18, 8.8.8.8

30 of 48

broadcast-listener.nse

  • Listens for 30 seconds
  • Parses protocols it sees
  • Similar to Wireshark
  • Can be used to find new targets (eg, IPv6)

31 of 48

broadcast-listener.nse

    $ sudo ./nmap --script=broadcast-listener
    Starting Nmap 5.59BETA3 ( http://nmap.org ) at 2011-09-18 20:22 CDT
    Pre-scan script results:
    | broadcast-listener:
    |   udp
    |       Netbios
    |           ip            query
    |           192.168.0.60  \x01\x02__MSBROWSE__\x02\x01
    |       DHCP
    |           srv ip       cli ip       mask           gw           dns
    |           192.168.0.1  192.168.0.5  255.255.255.0  192.168.0.1  192.168.0.18, 192.168.0.19
    |       DropBox
    |           displayname  ip             port   version  host_int  namespaces
    |           39000860     192.168.0.107  17500  1.8      39000860  28814673, 29981099
    |       HSRP
    |           ip             version  op     state   prio  group  secret  virtual ip
    |           192.168.0.254  0        Hello  Active  110   1      cisco   192.168.0.253
    |   ether
    |       CDP
    |           ip  id      platform       version
    |           ?   Router  cisco 7206VXR  12.3(23)
    |       ARP Request
    |           sender ip      sender mac         target ip
    |           192.168.0.101  00:04:30:26:DA:C8  192.168.0.60
    |_          192.168.0.1    90:24:1D:C8:B9:AE  192.168.0.60

32 of 48

“creds” library

  • All scripts that detect credentials save them using a standard API
  • creds-summary.nse displays them

    | creds-summary:
    |   10.10.10.10
    |     22/ssh
    |       lisbon:jane - Account is valid
    |   10.10.10.20
    |     21/ftp
    |       jane:redjohn - Account is locked
    |     22/ssh
    |       cho:secret11 - Account is valid
    |     23/telnet
    |       rigsby:pelt - Account is valid
    |       pelt:rigsby - Password needs to be changed at next logon
    |     80/http
    |       lisbon:jane - Account is valid
    |       jane:redjohn - Account is locked
    |_      cho:secret11 - Account is valid

33 of 48

address-info.nse

  • Information about the given IPv6 address

    Nmap scan report for fe80::a8bb:ccff:fedd:eeff
    Host script results:
    |_address-info: IPv6 EUI-64; MAC address: aa:bb:cc:dd:ee:ff

    Nmap scan report for 64:ff9b::c000:221
    Host script results:
    |_address-info: IPv4-embedded IPv6 address; IPv4 address: 192.0.2.33

    Nmap scan report for ::ffff:0:c0a8:101
    Host script results:
    |_address-info: IPv4-translated IPv6 address; IPv4 address: 192.168.1.1
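The decoding behind those three results, worked through in plain Lua as an added example; this is not address-info.nse's own code (which relies on Nmap's ipOps library) and it needs nothing but a Lua interpreter. It expands the address to 16 bytes, recognises the 64:ff9b::/96 (RFC 6052) and ::ffff:0:0:0/96 prefixes, and for an EUI-64 interface identifier drops the ff:fe filler and flips the universal/local bit. It goes one step beyond the slide by also handling the IPv4-mapped form ::ffff:a.b.c.d.

```lua
-- Added example, not address-info.nse's own code: decode the information
-- an IPv6 address embeds (EUI-64 MAC, or an IPv4 address) with plain Lua.

-- Expand a textual IPv6 address (with optional "::" compression) into 16 bytes.
local function ipv6_to_bytes(addr)
  local function split(s)
    local out = {}
    for g in s:gmatch('[^:]+') do out[#out + 1] = tonumber(g, 16) end
    return out
  end
  local groups = {}
  local left, right = addr:match('^(.-)::(.-)$')
  if left then
    local l, r = split(left), split(right)
    for _, g in ipairs(l) do groups[#groups + 1] = g end
    for _ = 1, 8 - #l - #r do groups[#groups + 1] = 0 end   -- zero-filled gap
    for _, g in ipairs(r) do groups[#groups + 1] = g end
  else
    groups = split(addr)
  end
  assert(#groups == 8, 'malformed IPv6 address: ' .. addr)
  local bytes = {}
  for _, g in ipairs(groups) do
    bytes[#bytes + 1] = math.floor(g / 256)
    bytes[#bytes + 1] = g % 256
  end
  return bytes
end

local function bytes_to_ipv4(b, offset)
  return string.format('%d.%d.%d.%d', b[offset], b[offset + 1], b[offset + 2], b[offset + 3])
end

-- True when the first #expected bytes of b equal expected.
local function prefix_is(b, expected)
  for i, v in ipairs(expected) do
    if b[i] ~= v then return false end
  end
  return true
end

local function address_info(addr)
  local b = ipv6_to_bytes(addr)
  -- 64:ff9b::/96: RFC 6052 well-known prefix, IPv4 in the last 32 bits
  if prefix_is(b, {0x00, 0x64, 0xff, 0x9b, 0, 0, 0, 0, 0, 0, 0, 0}) then
    return 'IPv4-embedded IPv6 address; IPv4 address: ' .. bytes_to_ipv4(b, 13)
  end
  -- ::ffff:0:0:0/96: IPv4-translated (SIIT)
  if prefix_is(b, {0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0}) then
    return 'IPv4-translated IPv6 address; IPv4 address: ' .. bytes_to_ipv4(b, 13)
  end
  -- ::ffff:0:0/96: IPv4-mapped (not on the slide, added here)
  if prefix_is(b, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff}) then
    return 'IPv4-mapped IPv6 address; IPv4 address: ' .. bytes_to_ipv4(b, 13)
  end
  -- Modified EUI-64 interface identifier: ff:fe inserted between the MAC halves
  if b[12] == 0xff and b[13] == 0xfe then
    local first = b[9]
    -- Flip the universal/local bit (value 2 of the first octet); no bit library in Lua 5.1
    if first % 4 >= 2 then first = first - 2 else first = first + 2 end
    return string.format('IPv6 EUI-64; MAC address: %02x:%02x:%02x:%02x:%02x:%02x',
      first, b[10], b[11], b[14], b[15], b[16])
  end
  return nil
end

-- Constructed sample input: the three addresses from the slide plus two more cases.
local samples = {
  'fe80::a8bb:ccff:fedd:eeff',
  '64:ff9b::c000:221',
  '::ffff:0:c0a8:101',
  '::ffff:c0a8:101',
  '2001:db8::1',
}
for _, a in ipairs(samples) do
  print(a, address_info(a) or 'no embedded information')
end
```

The order of the checks matters: the IPv4 forms are tested before the EUI-64 test, because an IPv4-mapped address has 0xff in byte 12 and could otherwise be mistaken for an interface identifier.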

34 of 48

backorifice-info.nse

    31337/udp open|filtered BackOrifice
    | backorifice-info:
    |   SYSTEM INFO
    |     System info for machine 'HAL9000'
    |     Current user: 'Dave'
    |     Processor: I586
    |     Win32 on Windows 95 v4.10 build 2222 - A
    |     Memory: 63M in use: 30% Page file: 1984M free: 1970M
    |     C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512, Bytes free: 2147155968/21471
    |     ...155968
    |     D:\ - CD-ROM
    |   PROCESS LIST
    |     PID - Executable
    |     4293872589 C:\WINDOWS\SYSTEM\KERNEL32.DLL
    |     4294937581 C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    |     4294935933 C:\WINDOWS\SYSTEM\MPREXE.EXE
    |     4294843869 C:\WINDOWS\SYSTEM\MSTASK.EXE
    |     4294838549 C:\WINDOWS\SYSTEM\ .EXE
    |   NETWORK RESOURCES - NET VIEW
    |     (null) '(null)' - Microsoft Network - UNKNOWN! (Network root?):CONTAINER
    |     (null) 'WORKGROUP' - (null) - DOMAIN:CONTAINER
    |     (null) '\\HAL9000' - - SERVER:CONTAINER
    |   SHARELIST
    |     'DOCUMENTS'-C:\WINDOWS\DESKTOP\DOCUMENTS 'sample comment 2' RO:'' RW:'
    |     ...'' Disk PERSISTANT READONLY
    |_    'IPC$'- 'Remote Inter Process Communication' RO:'' RW:'' IPC FULL

35 of 48

Quick NSE tutorial

  • Write your own scripts!
  • Every script requires:
    • Some documentation (description, etc)
    • A “rule”
    • An “action” function

36 of 48

“rule” function

  • portrule
    • Runs against ports that match a rule
      • eg, “port == 80”
  • hostrule
    • Runs against hosts that match a rule
      • eg, “port 139 == open or port 445 == open”
      • eg, “host is Windows”
  • prerule/postrule
    • Runs once (at the beginning or end of the scan)

37 of 48

“action” function

  • Where the logic happens
  • Return value is displayed to the user

38 of 48

--script-args

  • How do you read --script-args=name1=value1,name2=value2?
    • Use the get_script_args() function!
    • (there are other, less clean ways)

    require 'stdnse'

    -- returns one value per name, nil for arguments that were not given
    local a, b = stdnse.get_script_args("name1", "name2")

39 of 48

Registry

  • How do scripts pass information to each other?
    • Using the registry!
  • nmap.registry.a will be available from all scripts
  • Dependencies can be used to make sure scripts run in order

    nmap.registry.a = 'Hello!'

40 of 48

Output formatting

  • Return value from action function is displayed
  • stdnse.format_output() should be used for multiline output
  • 'table' nselib should be used for tabular output

41 of 48

Output formatting

    require 'stdnse'

    action = function()
      -- a nested table with a 'name' field is printed as a titled sub-list
      local domains = {}
      domains['name'] = "DOMAINS"
      table.insert(domains, 'Domain 1')
      table.insert(domains, 'Domain 2')

      local response = {}
      table.insert(response, "Apple pie")
      table.insert(response, domains)

      -- the first argument is the status; the table is rendered as indented lines
      return stdnse.format_output(true, response)
    end

    Host script results:
    | smb-enum-domains:
    |   Apple pie
    |   DOMAINS
    |     Domain 1
    |_    Domain 2
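The pieces from the last few slides (documentation, a rule, an action, --script-args, the registry and format_output) assembled into one complete script, added here as an example. It is not Nmap's sample-script.nse or any shipped script; the script name example-port-note, its argument example-port-note.tag and the registry key example_port_note are made up for the illustration. It sends no traffic of its own: it reports what version detection already found on an HTTP port and leaves a note in the registry for a later script to read.

```lua
-- Added example script, not a script shipped with Nmap. The name
-- "example-port-note", the argument "example-port-note.tag" and the registry
-- key "example_port_note" are hypothetical; everything else is standard NSE.
description = [[
Reports the service name and product that version detection found on each
HTTP port, tags the result with a user-supplied label, and records the
finding in nmap.registry.example_port_note for later scripts.
]]

---
-- @usage
-- nmap -sV --script=example-port-note --script-args=example-port-note.tag=lab <target>
--
-- @args example-port-note.tag  Free-form label attached to the output (default "none").

author = "added example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

require 'shortport'
require 'stdnse'

-- The rule: run once for every open port that version detection reports as HTTP.
portrule = shortport.http

action = function(host, port)
  -- Read --script-args=example-port-note.tag=...; get_script_args also
  -- accepts the short form tag=... when the dotted name is not given.
  local tag = stdnse.get_script_args('example-port-note.tag') or 'none'

  -- Nested table with a 'name' field: printed as a titled sub-list.
  local service = {}
  service['name'] = 'Service'
  table.insert(service, 'name: ' .. (port.service or '?'))
  if port.version and port.version.product then
    table.insert(service, 'product: ' .. port.version.product)
  end

  local response = {}
  table.insert(response, 'tag: ' .. tag)
  table.insert(response, service)

  -- Leave a note in the registry. A later script that lists this one in its
  -- `dependencies` table can read nmap.registry.example_port_note.
  nmap.registry.example_port_note = nmap.registry.example_port_note or {}
  table.insert(nmap.registry.example_port_note,
    string.format('%s:%d %s', host.ip, port.number, tag))

  -- The returned string is what Nmap prints under the port.
  return stdnse.format_output(true, response)
end
```

The registry value is initialised with `or {}` rather than assigned outright because the action runs once per matching port; overwriting the table would keep only the last host's note.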

42 of 48

Template script

  • nmap/docs/sample-script.nse
  • A skeleton script
  • Implements best practices
  • Has comments to tell you what's going on

43 of 48

Testing

  • “nmap -iR xxx” can be fun
  • xxx = the number of random ip addresses to generate
  • Let's take a quick look at some stats :)
    • My friend Bob scanned 10,000,000 addresses

44 of 48

Testing

  • Most popular operating systems according to smb-os-discovery.nse:

    1242  Windows XP (Windows 2000 LAN Manager)
     606  Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
     383  Windows 7 Ultimate 7600 (Windows 7 Ultimate 6.1)
     261  Windows Server 2003 R2 3790 Service Pack 2 (Windows Server 2003 R2 5.2)
     257  Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
     209  Windows 7 Home Premium 7601 Service Pack 1 (Windows 7 Home Premium 6.1)
     207  Windows 7 Home Premium 7600 (Windows 7 Home Premium 6.1)
     181  Unix (Samba 3.0.27a)
     144  Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
     125  Windows Vista (TM) Home Premium 6002 Service Pack 2 (Windows Vista (TM) Home Premium 6.0)

45 of 48

Testing

46 of 48

Testing

  • Most popular computer names according to smb-os-discovery.nse:

    22  server
    16  localhost
    12  discus
    12  customer
    10  user-PC
    10  pc
    10  desktop
    10  TRAFFICBOSS04
     8  webserver
     8  user

47 of 48

How can you help?

  • Writing scripts
  • Testing scripts
  • Coming up with script proposals
    • https://secwiki.org/w/Nmap

48 of 48

That's it for me!

  • Ron Bowes
    • http://www.skullsecurity.org
    • ron@skullsecurity.net
    • @iagox86