Four nmap NSE scripts for penetration testing.

Today, I write simple blog post to my go-to four nmap NSE scripts for penetration testing.
Maybe it’s something everyone knows, but I hope you have fun.

Let’s start!

https://neoslab.com/wp-content/uploads/2019/01/1547824695-b553a0774e0dd211928a2405738be22a-960x540.jpg

dns-brute.nse

First. Subdomain search script dns-brute.nse
this nse script is found subdomain with bruteforce.

$ nmap -p 80 --script dns-brute.nse hahwul.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for hahwul.com (183.111.174.31)
Host is up (0.0088s latency).


PORT STATE SERVICE
80/tcp open http


Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| test.hahwul.com - 127.0.0.1
| www.hahwul.com - 172.217.161.179
| www.hahwul.com - 2404:6800:4005:80f:0:0:0:2013
|_ *A: 183.111.174.31

http-enum & http-title

This scripts in the http * series are very helpful in identifying http services, and banner

$ nmap --script http-enum 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00076s latency).
Not shown: 975 closed ports
PORT STATE SERVICE
32/tcp filtered unknown
80/tcp open http
| http-enum:
| /test/: Test page
| /test.html: Test page
| /robots.txt: Robots file
|_ /index/: Potentially interesting folder
801/tcp filtered device
1037/tcp filtered ams
1110/tcp filtered nfsd-status
1122/tcp filtered availant-mgr
1148/tcp filtered elfiq-repl
1163/tcp filtered sddp
1503/tcp filtered imtc-mcs
1658/tcp filtered sixnetudr
2170/tcp filtered eyetv
3000/tcp open ppp
4005/tcp filtered pxc-pin

Vulscan & vulners

Third, these scripts(vuldb,vulners) can identify known vulnerabilities. This NSE Scripts vulnerability information by querying vulnerability db sites.

There are the following pre-installed databases available at the moment:
$ nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0036s latency).
Not shown: 501 filtered ports, 495 closed ports
PORT STATE SERVICE VERSION
80/tcp open http
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Last-Modified: Tue, 09 Apr 2019 08:09:37 GMT
| Content-Type: text/html
| Content-Length: 2193


5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| Fpostmaster.c
| L2015
|_ RProcessStartupPacket
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_

Vulners
22/tcp  open    ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:4.3:
| CVE-2006-5051 9.3 https://vulners.com/cve/CVE-2006-5051
| CVE-2006-4924 7.8 https://vulners.com/cve/CVE-2006-4924
| CVE-2007-4752 7.5 https://vulners.com/cve/CVE-2007-4752
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2014-1692 7.5 https://vulners.com/cve/CVE-2014-1692
| CVE-2009-2904 6.9 https://vulners.com/cve/CVE-2009-2904
| CVE-2008-4109 5.0 https://vulners.com/cve/CVE-2008-4109
| CVE-2007-2243 5.0 https://vulners.com/cve/CVE-2007-2243
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2006-5052 5.0 https://vulners.com/cve/CVE-2006-5052
| CVE-2010-5107 5.0 https://vulners.com/cve/CVE-2010-5107
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
| CVE-2012-0814 3.5 https://vulners.com/cve/CVE-2012-0814
| CVE-2011-5000 3.5 https://vulners.com/cve/CVE-2011-5000
| CVE-2011-4327 2.1 https://vulners.com/cve/CVE-2011-4327
|_ CVE-2008-3259 1.2 https://vulners.com/cve/CVE-2008-3259

How to Install - vulscan
$ git clone https://github.com/scipag/vulscan

# for MacOS
$ ln -s `pwd`/vulscan /usr/local/share/nmap/scripts/vulscan

# for Linux
$ ln -s `pwd`/vulscan /usr/share/nmap/scripts/vulscan

How to Install - Vulners
$ wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse

# for MacOS
$ cp vulners.nse /usr/local/share/nmap/scripts/

# for Linux
$ cp vulners.nse /usr/share/nmap/scripts/
Finally, banner grabbing NSE script.
This script is more detail and better than the default banner grabbing script on nmap. If you look at the code, it is a way to test by connecting directly to a known port.

$ nmap 127.0.0.1 --script=banner-plus
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 964 closed ports, 29 filtered ports
PORT STATE SERVICE
22/tcp open ssh
|_banner-plus: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2......
80/tcp open http
|_banner-plus: HTTP/1.0 200 OK\r\nLast-Modified: Tue, 09 Apr 2019 08:09:37 GMT\r\nContent-Type: text/html\r\nContent-Length: 2193\r\n\r\n<title>Plutotottoo</title>\n<script>function run()... 생략 ...
3000/tcp open ppp
|_banner-plus: HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\nX-Permitted-Cross-Domain-Policies: no... 생략 ...
3001/tcp open nessus
3003/tcp open cgms
4444/tcp open krb524
5432/tcp open postgresql
8081/tcp open blackice-icecap
|_banner-plus: HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 1907\r\n\r\nZAP Error [java.net.UnknownHostException]: www\n\nStack Trace:\njava.net.UnknownHostException: www\n\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)\n\tat java.net.SocksSocketImpl.... 생략 ...

How to install?
$ wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse

# for MacOS
$ cp banner-plus.nse /usr/local/share/nmap/scripts/

# for Linux
$ cp banner-plus.nse /usr/share/nmap/scripts/