Nmap Scripting Engine (NSE)

Hello everyone,

In this article we will learn about Nmap Scripting Engine (NSE) after knowing this you will get to know about the real power of Nmap. So let’s get started

1. Nmap Installation

If you are using Kali Linux then you don’t need to install Nmap. It comes preinstalled with Kali Linux and if you are using a different flavor of Linux just open a terminal and run the following command

sudo apt-get update
Sudo apt-get install nmap

Enter the root password, hit enter and then Nmap will be installed

2. Port States Terminologies:

Before starting with Nmap you need to know some terminologies related to the scan results:

Open: This indicates that an application is listening for connections on this port.

Closed: Response was received but there is no application listening on this port.

Filtered: Response was not received and it also shows that packets are being dropped by some packet filtering system such as WAF (Web Application Firewall) and IDS (Intrusion Detection System).

Unfiltered: Response was received but the state couldn’t be established.

Open/Filtered: Port was filtered or open but Nmap couldn’t establish the state.

Closed/Filtered: Port filtered or closed but Nmap couldn’t establish the state.

3. Update NSE Database.

Now before starting it is a good thought to update the script database because new scripts are added and it is good to keep things update to date, so just open the terminal and run the following command:

nmap  --script-updatedb

4. Nmap Help

When you are using a new tool and you know nothing about that tool then its a very good idea to see the help menu of the program. To know more about Nmap just enter the following command:

 Nmap -h

You can use also the manual page:

man nmap

5. Script Scanning

Scroll down and see the section SCRIPT SCAN as shown below

Now, in this section, you will get to know about how to use NSE scripts and much more.

If you want to use the default scripts just use the option -Sc

Example

nmap -sV -sC <target ip>

In the above example, I am scanning another virtual machine Metasploitable which is intentionally vulnerable. So as you can see, the following arguments were used for the scan:

-sV: Used for version detection it is a good idea to use this argument with other scripts the accuracy of result increases.

-sC: Run all the scripts under the category default. NSE scripts are having a different category at the last of the article I will include some resources link and explore more category.

6. NSE Scripts Arguments

If you want to know about particular NSE script what it is doing and the different arguments should be passed just run the command

nmap --script-help=<name of script>

As you can see in the above example the http-unsafe-output-escaping script is used to find XSS vulnerability in websites.

7. Nmap XSS Vulnerability Detection

Now we will use the two scripts to demonstrate to you the two most common vulnerabilities in web application first XSS. To identify the website is vulnerable to XSS we will use the NSE script name http-unsafe-output-escaping for this just hit the command

Nmap -sV --script=http-unsafe-output-escaping <target>

As you can see the result it is showing perfectly with the details and the proof of XSS vulnerable website.

8. Nmap SQL Injection Vulnerability Detection

In the second example, we will use the NSE script which shows the website is vulnerable to SQL injection name http-sql-injection

For that just run the command

nmap -sV --script=http-sql-injection <target>

Now you can see all possible SQL injections in particular websites with the details

9. Using Different Scripts at Once

You can use different scripts at a time by separating them with a comma ‘,’

Example

nmap -sV --script=<name of first script>,<name of second script> <target>
nmap -sV --script=http-unsafe-output-escaping,http-sql-injection <target>

Note: This is time-consuming to use multiple scripts at a time.

Second, some of the scripts will accept some arguments

Example

nmap -sV --script=<name of script> --script-args=<arguments to be passed as string> <target>

10. Intrusion Detection Systems (IDS) & Packet Filtering

At last, I want to tell you one thing nowadays web servers are using packet filtering mechanism such as WAF or IDS that will filter the malicious packet and we will not get expected result so that is my advice to use the NSE script

Bypassing Firewalls

https://nmap.org/nsedoc/scripts/firewall-bypass.html

Note: Sometimes it will bypass firewall sometimes not but my experience is to use this firewall-bypass script with the combination of other script separated with coma at a time it will give the best result

References

Thanks for reading 😉

Most Popular

Network Hacking Continued – Intermediate to Advanced

Penetration Testing

Consulting

Code Review

One on one Training

Online Courses

VPN

Most Popular

Network Hacking Continued – Intermediate to Advanced

Penetration Testing

Consulting

Code Review

One on one Training

Online Courses

VPN

Nmap Scripting Engine (NSE)

1. Nmap Installation

2. Port States Terminologies:

3. Update NSE Database.

4. Nmap Help

5. Script Scanning

6. NSE Scripts Arguments

7. Nmap XSS Vulnerability Detection

8. Nmap SQL Injection Vulnerability Detection

9. Using Different Scripts at Once

10. Intrusion Detection Systems (IDS) & Packet Filtering

Bypassing Firewalls

References

How I Discovered a Remote Code Execution in rConfig v3.9.2 (CVE-2019-16663) & (CVE-2019-16662)

How To Start a Fake Access Point (Fake WIFI)

Leave A Reply Cancel reply

Contribute

Most Popular

Most Popular

1. Nmap Installation

2. Port States Terminologies:

3. Update NSE Database.

4. Nmap Help

5. Script Scanning

6. NSE Scripts Arguments

7. Nmap XSS Vulnerability Detection

8. Nmap SQL Injection Vulnerability Detection

9. Using Different Scripts at Once

10. Intrusion Detection Systems (IDS) & Packet Filtering

Bypassing Firewalls

References

You may also like

Leave A Reply Cancel reply

Contribute