Nmap Scripting Engine (NSE)
Hello everyone,
In this article we will learn about the Nmap Scripting Engine (NSE). Once you know it, you will see the real power of Nmap. So let’s get started.
1. Nmap Installation
If you are using Kali Linux, you don’t need to install Nmap; it comes preinstalled. If you are using a different flavor of Linux, just open a terminal and run the following commands:
sudo apt-get update
sudo apt-get install nmap
Enter the root password and hit Enter, and Nmap will be installed.
2. Port State Terminology
Before starting with Nmap, you need to know some terminology related to the scan results:
- Open: This indicates that an application is listening for connections on this port.
- Closed: Response was received but there is no application listening on this port.
- Filtered: No response was received, which indicates that packets are being dropped by a packet-filtering system such as a WAF (Web Application Firewall) or an IDS (Intrusion Detection System).
- Unfiltered: Response was received but the state couldn’t be established.
- Open/Filtered: The port is either open or filtered, but Nmap couldn’t establish which.
- Closed/Filtered: The port is either closed or filtered, but Nmap couldn’t establish which.
3. Update NSE Database
Before starting, it is a good idea to update the script database, because new scripts are added over time and it is good to keep things up to date. Just open the terminal and run the following command:
nmap --script-updatedb
4. Nmap Help
When you are using a new tool and know nothing about it, it’s a very good idea to look at the program’s help menu. To learn more about Nmap, just enter the following command:
nmap -h
You can use also the manual page:
man nmap
5. Script Scanning
Scroll down in the help output to the section SCRIPT SCAN.
In this section, you will learn how to use NSE scripts and much more.
If you want to use the default scripts, just use the option -sC
Example
nmap -sV -sC <target ip>
In the above example, I am scanning another virtual machine, Metasploitable, which is intentionally vulnerable. The following arguments were used for the scan:
-sV: Used for version detection. It is a good idea to use this argument together with scripts, because it increases the accuracy of the results.
-sC: Runs all the scripts in the default category. NSE scripts are grouped into different categories; at the end of the article I will include some resource links so you can explore more categories.
6. NSE Scripts Arguments
If you want to know what a particular NSE script does and which arguments can be passed to it, just run the command
nmap --script-help=<name of script>
As you can see in the above example, the http-unsafe-output-escaping script is used to find XSS vulnerabilities in websites.
7. Nmap XSS Vulnerability Detection
Now we will use two scripts to demonstrate the two most common vulnerabilities in web applications. The first is XSS. To check whether a website is vulnerable to XSS, we will use the NSE script named http-unsafe-output-escaping. For this, just run the command
nmap -sV --script=http-unsafe-output-escaping <target>
As you can see, the result shows the details and the proof that the website is vulnerable to XSS.
8. Nmap SQL Injection Vulnerability Detection
In the second example, we will use the NSE script named http-sql-injection, which shows whether the website is vulnerable to SQL injection.
For that, just run the command
nmap -sV --script=http-sql-injection <target>
Now you can see all possible SQL injections in the particular website, with the details.
9. Using Different Scripts at Once
You can use different scripts at a time by separating them with a comma ‘,’
Example
nmap -sV --script=<name of first script>,<name of second script> <target>
nmap -sV --script=http-unsafe-output-escaping,http-sql-injection <target>
Note: Using multiple scripts at a time is time-consuming.
Second, some of the scripts accept arguments
Example
nmap -sV --script=<name of script> --script-args=<arguments to be passed as string> <target>
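When a scan combines several scripts as in this section, the results are easier to review if you save them with Nmap's XML output option (-oX) and summarize them by port state (section 2) and by script. The following is an added example, not part of the original article; the sample report, host address and script output text are constructed for illustration.

```python
# Added example: summarize an Nmap XML report by port state and NSE script output.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the file written by
#   nmap -sV --script=http-unsafe-output-escaping,http-sql-injection -oX scan.xml <target>
# The address, ports and output strings are invented, not real scan results.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
        <script id="http-sql-injection" output="(constructed) possible SQL injection in parameter id"/>
        <script id="http-unsafe-output-escaping" output="(constructed) characters reflected in parameter q"/>
      </port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

def summarize(xml_text):
    """Return (ports grouped by state, list of NSE findings) across all hosts."""
    by_state = defaultdict(list)
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            label = f'{addr}:{port.get("portid")}/{port.get("protocol")}'
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            by_state[state].append(label)
            # Script results are attached to the port they ran against.
            for script in port.findall("script"):
                findings.append((label, script.get("id"), script.get("output", "").strip()))
    return dict(by_state), findings

if __name__ == "__main__":
    states, findings = summarize(SAMPLE_XML)
    for state, ports in sorted(states.items()):
        print(f"{state:9} {', '.join(ports)}")
    for label, script_id, output in findings:
        print(f"[{script_id}] {label}: {output}")
```

Ports reported as filtered or closed carry no script output, so the absence of a finding there says nothing about the application behind the filter.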
10. Intrusion Detection Systems (IDS) & Packet Filtering
Finally, I want to tell you one more thing: nowadays web servers use packet-filtering mechanisms such as a WAF or IDS that filter malicious packets, so we will not get the expected result. For that case, my advice is to use the following NSE script:
Bypassing Firewalls
https://nmap.org/nsedoc/scripts/firewall-bypass.html
Note: Sometimes it will bypass the firewall and sometimes not, but in my experience, using this firewall-bypass script in combination with other scripts, separated by commas, gives the best result.
Thanks for reading 😉