오늘은 nmap NSE 스크립트 4개에 대해 글 작성해봅니다. 음, 초안?은 좀 써놓은지 되었는데, 최근에 여러모로 신경쓸일이 많아서 이제서야 글 올리게되네요. 우선, 신박한 내용은 아니고 그냥 보편적으로 많이들 쓰시는 스크립트 4개정도 추려봤습니다. 혹시나 좋은 스크립트를 아신다면 댓글로 공유해주시면 정말 감사하겠습니다 :)
dns-brute.nse
첫번째는 dns-brute.nse 입니다. 대체로 서브도메인 스캐닝 툴들이 워낙 잘 나와있어서 활용도가 엄청 높진 않으나, nmap 자체의 기능이랑 같이 사용할 수 있기 때문에 한번에 여러가지 작업을 하는데 있어서는 유용합니다.
스크립트 이름대로 bruteforce를 통해 대상 도메인의 하위 서브 도메인을 찾아줍니다.
nmap -p 80 --script dns-brute.nse hahwul.com
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for hahwul.com (183.111.174.31)
Host is up (0.0088s latency).
PORT STATE SERVICE
80/tcp open http
Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| test.hahwul.com - 127.0.0.1
| www.hahwul.com - 172.217.161.179
| www.hahwul.com - 2404:6800:4005:80f:0:0:0:2013
|_ *A: 183.111.174.31
http-enum & http-title
다음은 http-enum, http-title인데요, http* 계열의 스크립트들이 http 식별에 있어서는 굉장히 좋습니다만, 솔직히 시간이 좀 오래걸립니다. 그중에선 짧은데 결과가 잘 나온다고 생각되는 것들이 2개정도여서 이 2개로 선정해봤습니다.
nmap --script http-enum 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00076s latency).
Not shown: 975 closed ports
PORT STATE SERVICE
32/tcp filtered unknown
80/tcp open http
| http-enum:
| /test/: Test page
| /test.html: Test page
| /robots.txt: Robots file
|_ /index/: Potentially interesting folder
801/tcp filtered device
1037/tcp filtered ams
1110/tcp filtered nfsd-status
1122/tcp filtered availant-mgr
1148/tcp filtered elfiq-repl
1163/tcp filtered sddp
1503/tcp filtered imtc-mcs
1658/tcp filtered sixnetudr
2170/tcp filtered eyetv
3000/tcp open ppp
4005/tcp filtered pxc-pin
Vulscan & vulners
3번째는 취약점 검색 스크립트입니다. 잘 알려진 취약점 DB 사이트들에 쿼리를 날려서 관련 버전이나 서비스에 해당하는 취약점 정보를 받아와 표현해줍니다. vulscan쪽이 확실히 지원하는 사이트 대역이 크긴합니다.
실질적인 유효타를 찾는다는 느낌보단 보안적인 하드닝 미흡 구간을 찾는데 있어서 나름 쓸만하다고 생각되네요. 하나의 홀이라도 찾을 수 있으면 다행이니..
지원하는 사이트는 이렇습니다. 다만 맨 아래 vulners를 제외하곤 모두 vulscan에서 사용하는 사이트입니다.
- scipvuldb.csv - https://vuldb.com
- cve.csv - https://cve.mitre.org
- securityfocus.csv - https://www.securityfocus.com/bid/
- xforce.csv - https://exchange.xforce.ibmcloud.com/
- expliotdb.csv - https://www.exploit-db.com
- openvas.csv - http://www.openvas.org
- securitytracker.csv - https://www.securitytracker.com (end-of-life)
- osvdb.csv - http://www.osvdb.org (end-of-life)
- vulnes.com - https://vulners.com
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0036s latency).
Not shown: 501 filtered ports, 495 closed ports
PORT STATE SERVICE VERSION
80/tcp open http
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Last-Modified: Tue, 09 Apr 2019 08:09:37 GMT
| Content-Type: text/html
| Content-Length: 2193
…
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
| Fpostmaster.c
| L2015
|_ RProcessStartupPacket
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_
Vulners
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:4.3:
| CVE-2006-5051 9.3 https://vulners.com/cve/CVE-2006-5051
| CVE-2006-4924 7.8 https://vulners.com/cve/CVE-2006-4924
| CVE-2007-4752 7.5 https://vulners.com/cve/CVE-2007-4752
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2014-1692 7.5 https://vulners.com/cve/CVE-2014-1692
| CVE-2009-2904 6.9 https://vulners.com/cve/CVE-2009-2904
| CVE-2008-4109 5.0 https://vulners.com/cve/CVE-2008-4109
| CVE-2007-2243 5.0 https://vulners.com/cve/CVE-2007-2243
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2006-5052 5.0 https://vulners.com/cve/CVE-2006-5052
| CVE-2010-5107 5.0 https://vulners.com/cve/CVE-2010-5107
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
| CVE-2012-0814 3.5 https://vulners.com/cve/CVE-2012-0814
| CVE-2011-5000 3.5 https://vulners.com/cve/CVE-2011-5000
| CVE-2011-4327 2.1 https://vulners.com/cve/CVE-2011-4327
|_ CVE-2008-3259 1.2 https://vulners.com/cve/CVE-2008-3259
How to Install - vulscan
git clone https://github.com/scipag/vulscan
# for MacOS (Apple Silicon)
ln -s `pwd`/vulscan /opt/homebrew/share/nmap/scriptsvulscan
# for MacOS (Intel)
ln -s `pwd`/vulscan /usr/local/share/nmap/scripts/vulscan
# for Linux
ln -s `pwd`/vulscan /usr/share/nmap/scripts/vulscan
How to Install - Vulners
wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
# for MacOS (Apple Silicon)
cp vulners.nse /opt/homebrew/share/nmap/scripts/
# for MacOS (Intel)
cp vulners.nse /usr/local/share/nmap/scripts/
# for Linux
cp vulners.nse /usr/share/nmap/scripts/
banner-plus
마지막으로 banner-plus.nse입니다. 오픈된 포트에서 어떤 서비스를 사용하는 지 배너그래빙하여 사용자에게 제공해줍니다.
nmap 자체에도 기본적인 배너그래빙 모듈, NSE 스크립트가 들어있지만 테스트 여러번 해봤을 떈 banner-plus가 가장 좋은 결과를 나타냈었습니다.
nmap 127.0.0.1 --script=banner-plus
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 964 closed ports, 29 filtered ports
PORT STATE SERVICE
22/tcp open ssh
|_banner-plus: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2......
80/tcp open http
|_banner-plus: HTTP/1.0 200 OK\r\nLast-Modified: Tue, 09 Apr 2019 08:09:37 GMT\r\nContent-Type: text/html\r\nContent-Length: 2193\r\n\r\n<title>Plutotottoo</title>\n<script>function run()... 생략 ...
3000/tcp open ppp
|_banner-plus: HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\nX-Permitted-Cross-Domain-Policies: no... 생략 ...
3001/tcp open nessus
3003/tcp open cgms
4444/tcp open krb524
5432/tcp open postgresql
8081/tcp open blackice-icecap
|_banner-plus: HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 1907\r\n\r\nZAP Error [java.net.UnknownHostException]: www\n\nStack Trace:\njava.net.UnknownHostException: www\n\tat java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)\n\tat java.net.SocksSocketImpl.... 생략 ...
How to install?
wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse
# for MacOS (Apple Silicon)
cp banner-plus.nse /opt/homebrew/share/nmap/scripts/
# for MacOS (Intel)
cp banner-plus.nse /usr/local/share/nmap/scripts/
# for Linux
cp banner-plus.nse /usr/share/nmap/scripts/