In this article we will learn about Nmap Scripting Engine (NSE) after knowing this you will get to know about the real power of Nmap. So let’s get started
1. Nmap Installation
If you are using Kali Linux then you don’t need to install Nmap. It comes preinstalled with Kali Linux and if you are using a different flavor of Linux just open a terminal and run the following command
sudo apt-get update
Sudo apt-get install nmap
Enter the root password, hit enter and then Nmap will be installed
2. Port States Terminologies:
Before starting with Nmap you need to know some terminologies related to the scan results:
- Open: This indicates that an application is listening for connections on this port.
- Closed: Response was received but there is no application listening on this port.
- Filtered: Response was not received and it also shows that packets are being dropped by some packet filtering system such as WAF (Web Application Firewall) and IDS (Intrusion Detection System).
- Unfiltered: Response was received but the state couldn’t be established.
- Open/Filtered: Port was filtered or open but Nmap couldn’t establish the state.
- Closed/Filtered: Port filtered or closed but Nmap couldn’t establish the state.
3. Update NSE Database.
Now before starting it is a good thought to update the script database because new scripts are added and it is good to keep things update to date, so just open the terminal and run the following command:
4. Nmap Help
When you are using a new tool and you know nothing about that tool then its a very good idea to see the help menu of the program. To know more about Nmap just enter the following command:
You can use also the manual page:
5. Script Scanning
Scroll down and see the section SCRIPT SCAN as shown below
Now, in this section, you will get to know about how to use NSE scripts and much more.
If you want to use the default scripts just use the option -Sc
nmap -sV -sC <target ip>
In the above example, I am scanning another virtual machine Metasploitable which is intentionally vulnerable. So as you can see, the following arguments were used for the scan:
-sV: Used for version detection it is a good idea to use this argument with other scripts the accuracy of result increases.
-sC: Run all the scripts under the category default. NSE scripts are having a different category at the last of the article I will include some resources link and explore more category.
6. NSE Scripts Arguments
If you want to know about particular NSE script what it is doing and the different arguments should be passed just run the command
nmap --script-help=<name of script>
As you can see in the above example the http-unsafe-output-escaping script is used to find XSS vulnerability in websites.
7. Nmap XSS Vulnerability Detection
Now we will use the two scripts to demonstrate to you the two most common vulnerabilities in web application first XSS. To identify the website is vulnerable to XSS we will use the NSE script name http-unsafe-output-escaping for this just hit the command
Nmap -sV --script=http-unsafe-output-escaping <target>
As you can see the result it is showing perfectly with the details and the proof of XSS vulnerable website.
8. Nmap SQL Injection Vulnerability Detection
In the second example, we will use the NSE script which shows the website is vulnerable to SQL injection name http-sql-injection
For that just run the command
nmap -sV --script=http-sql-injection <target>
Now you can see all possible SQL injections in particular websites with the details
9. Using Different Scripts at Once
You can use different scripts at a time by separating them with a comma ‘,’
nmap -sV --script=<name of first script>,<name of second script> <target> nmap -sV --script=http-unsafe-output-escaping,http-sql-injection <target>
Note: This is time-consuming to use multiple scripts at a time.
Second, some of the scripts will accept some arguments
nmap -sV --script=<name of script> --script-args=<arguments to be passed as string> <target>
10. Intrusion Detection Systems (IDS) & Packet Filtering
At last, I want to tell you one thing nowadays web servers are using packet filtering mechanism such as WAF or IDS that will filter the malicious packet and we will not get expected result so that is my advice to use the NSE script
Note: Sometimes it will bypass firewall sometimes not but my experience is to use this firewall-bypass script with the combination of other script separated with coma at a time it will give the best result
Thanks for reading 😉