Four nmap NSE scripts for penetration testing.

Today I'm writing a short blog post about my four go-to nmap NSE scripts for penetration testing. Maybe it's something everyone already knows, but I hope you have fun.

Let’s start!

dns-brute.nse

First, the subdomain search script dns-brute.nse. This NSE script finds subdomains by brute force.

nmap -p 80 --script dns-brute.nse hahwul.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for hahwul.com (183.111.174.31)
Host is up (0.0088s latency).

PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     test.hahwul.com - 127.0.0.1
|     www.hahwul.com - 172.217.161.179
|     www.hahwul.com - 2404:6800:4005:80f:0:0:0:2013
|_    *A: 183.111.174.31

http-enum & http-title

Second, the scripts in the http-* series are very helpful for identifying HTTP services and their banners.

nmap --script http-enum 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00076s latency).
Not shown: 975 closed ports
PORT      STATE    SERVICE
32/tcp    filtered unknown
80/tcp    open     http
| http-enum:
|   /test/: Test page
|   /test.html: Test page
|   /robots.txt: Robots file
|_  /index/: Potentially interesting folder
801/tcp   filtered device
1037/tcp  filtered ams
1110/tcp  filtered nfsd-status
1122/tcp  filtered availant-mgr
1148/tcp  filtered elfiq-repl
1163/tcp  filtered sddp
1503/tcp  filtered imtc-mcs
1658/tcp  filtered sixnetudr
2170/tcp  filtered eyetv
3000/tcp  open     ppp
4005/tcp  filtered pxc-pin

Vulscan & vulners

Third, these scripts (vulscan and vulners) can identify known vulnerabilities. These NSE scripts obtain vulnerability information by querying vulnerability database sites.

At the moment the following pre-installed databases are available (each one appears in the output):

nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0036s latency).
Not shown: 501 filtered ports, 495 closed ports
PORT     STATE SERVICE              VERSION
80/tcp   open  http
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Last-Modified: Tue, 09 Apr 2019 08:09:37 GMT
|     Content-Type: text/html
|     Content-Length: 2193
…

5432/tcp open  postgresql           PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
|   SMBProgNeg:
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
|     Fpostmaster.c
|     L2015
|_    RProcessStartupPacket
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_

Vulners

22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752           7.5             https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478           7.5             https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692           7.5             https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904           6.9             https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109           5.0             https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243           5.0             https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906          5.0             https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052           5.0             https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107           5.0             https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755           4.0             https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814           3.5             https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000           3.5             https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327           2.1             https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259
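A list like the one above is only useful once it is prioritised. The shell function below is an added example (not from the post or from nmap-vulners): it reads nmap's normal output, keeps the vulners CVE lines whose CVSS score meets a threshold, and prints them highest first, tagged with the port and CPE they belong to. The sample input is constructed from the OpenSSH 4.3 block above, shortened to four CVEs.

```shell
#!/bin/sh
# Constructed sample: the vulners block from the page's OpenSSH 4.3 scan, shortened.
SAMPLE='22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051           9.3             https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924           7.8             https://vulners.com/cve/CVE-2006-4924
|       CVE-2008-4109           5.0             https://vulners.com/cve/CVE-2008-4109
|_      CVE-2008-3259           1.2             https://vulners.com/cve/CVE-2008-3259'

# vulners_triage MIN_SCORE  (nmap normal output on stdin)
# Prints "PORT CPE CVE SCORE" for every vulners CVE line with CVSS >= MIN_SCORE, highest first.
vulners_triage() {
  awk -v min="$1" '
    /^[0-9]+\/(tcp|udp) /      { port = $1 }                      # port line sets the context
    /^\|   cpe:/               { cpe = $2; sub(/:$/, "", cpe) }   # product the CVEs belong to
    /^\|_? +CVE-[0-9]+-[0-9]+/ { if ($3 + 0 >= min + 0) print port, cpe, $2, $3 }
  ' | sort -k4 -rn
}

# Stand-alone demo: everything at or above CVSS 7.0 from the constructed sample.
printf '%s\n' "$SAMPLE" | vulners_triage 7.0
```

Feed it a real scan with `nmap -sV --script vulners target | vulners_triage 7.0` to get the patch-first list for that host.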

How to Install - vulscan

git clone https://github.com/scipag/vulscan

# for MacOS (Apple Silicon)
ln -s `pwd`/vulscan /opt/homebrew/share/nmap/scripts/vulscan

# for MacOS (Intel)
ln -s `pwd`/vulscan /usr/local/share/nmap/scripts/vulscan

# for Linux
ln -s `pwd`/vulscan /usr/share/nmap/scripts/vulscan

How to Install - Vulners

wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse

# for MacOS (Apple Silicon)
cp vulners.nse /opt/homebrew/share/nmap/scripts/

# for MacOS (Intel)
cp vulners.nse /usr/local/share/nmap/scripts/

# for Linux
cp vulners.nse /usr/share/nmap/scripts/

Finally, a banner grabbing NSE script: banner-plus. It is more detailed and gives better results than nmap's default banner script. If you look at the code, it works by connecting directly to known ports and reading what the service sends back.

nmap 127.0.0.1 --script=banner-plus
Starting Nmap 7.70 ( https://nmap.org ) 
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 964 closed ports, 29 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_banner-plus: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2......
80/tcp   open  http
|_banner-plus: HTTP/1.0 200 OK\r\nLast-Modified: Tue, 09 Apr 2019 08:09:37 GMT\r\nContent-Type: text/html\r\nContent-Length: 2193\r\n\r\n<title>Plutotottoo</title>\n<script>function run()... omitted ...
3000/tcp open  ppp
|_banner-plus: HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\nX-Permitted-Cross-Domain-Policies: no... omitted ...
3001/tcp open  nessus
3003/tcp open  cgms
4444/tcp open  krb524
5432/tcp open  postgresql
8081/tcp open  blackice-icecap
|_banner-plus: HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 1907\r\n\r\nZAP Error [java.net.UnknownHostException]: www\n\nStack Trace:\njava.net.UnknownHostException: www\n\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)\n\tat java.net.SocksSocketImpl.... omitted ...

How to Install - banner-plus

wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse

# for MacOS (Apple Silicon)
cp banner-plus.nse /opt/homebrew/share/nmap/scripts/

# for MacOS (Intel)
cp banner-plus.nse /usr/local/share/nmap/scripts/

# for Linux
cp banner-plus.nse /usr/share/nmap/scripts/
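The three install sections above (vulscan, vulners, banner-plus) differ only in the destination directory. This POSIX shell helper is an added example, not code from the post or from the scripts' own repositories: it picks the scripts directory for the host, installs either a single .nse file or a bundle directory such as vulscan/, and refreshes nmap's script index. The optional OS/ARCH arguments to nse_scripts_dir are an assumption added here so the mapping can be checked without running on that platform.

```shell
#!/bin/sh
# nse_scripts_dir [OS] [ARCH]: the nmap scripts directory used in the install steps above.
# Arguments default to this host's uname values; passing them explicitly is an assumption
# added here so the mapping can be checked without running on that platform.
nse_scripts_dir() {
  case "${1:-$(uname -s)}:${2:-$(uname -m)}" in
    Darwin:arm64) echo /opt/homebrew/share/nmap/scripts ;;  # Homebrew on Apple Silicon
    Darwin:*)     echo /usr/local/share/nmap/scripts ;;     # Homebrew on Intel
    *)            echo /usr/share/nmap/scripts ;;           # distro-packaged nmap on Linux
  esac
}

# install_nse SRC [DIR]: put a downloaded .nse file, or a bundle directory such as vulscan/
# (which carries its own database files), into DIR and refresh nmap's script index.
# Prints the installed path on success.
install_nse() {
  src=$1; dir=${2:-$(nse_scripts_dir)}
  mkdir -p "$dir" || return 1
  if [ -d "$src" ]; then
    # Symlink bundles, as the post does for vulscan, so a later git pull updates them in place.
    ln -sfn "$(cd "$src" && pwd)" "$dir/$(basename "$src")" || return 1
  elif [ -f "$src" ]; then
    case "$src" in
      *.nse) cp "$src" "$dir/" || return 1 ;;
      *)     echo "install_nse: $src is not a .nse file" >&2; return 1 ;;
    esac
  else
    echo "install_nse: $src not found" >&2; return 1
  fi
  # Rebuild script.db when nmap is present so categories and --script=<name> resolve;
  # skipped silently where nmap is not installed (e.g. in a test sandbox).
  if command -v nmap >/dev/null 2>&1; then nmap --script-updatedb >/dev/null 2>&1 || true; fi
  echo "$dir/$(basename "$src")"
}

# Stand-alone use: ./install-nse.sh banner-plus.nse   or   ./install-nse.sh ./vulscan
if [ $# -gt 0 ]; then install_nse "$@"; fi
```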