Now that we have covered some of the more important features of Nmap, we would like to talk about one of the most, if not the most, important features: NSE, short for Nmap Scripting Engine. Firstly, let’s mention the fact that the set of NSE scripts is quite diverse and constantly growing. NSE was designed to be flexible, specifically for network discovery, more sophisticated version detection, backdoor detection, vulnerability detection and exploitation.
NSE scripts are written in the Lua programming language. They are tagged with the -sC option (default scripts option) or with –script when we want to specify an exact set of scripts. Note that there are two types of scripts that are supported – host and service scripts.
Service scripts pertain to some service (open port) that’s running on our target host. All results are shown next to the port in the Nmap output. Host scripts run only once for every target IP.
Before delving further into usage of NSE scripts, and some examples, we would like to provide a bit more context on what spurred the genesis of NSE and what was the original intention for them.
From the Nmap Network Scanning book:
Network discovery – “Examples include looking up whois data based on the target domain, querying ARIN, RIPE, or APNIC for the target IP to determine ownership, performing identd lookups on open ports, SNMP queries, and listing available NFS/SMB/RPC shares and services.”
More sophisticated version detection – “The Nmap version detection system is able to recognize thousands of different services through its probe and regular expression signature based matching system… Nmap could also recognize more SNMP services if it tried a few hundred different community names by brute force. Neither of these tasks are well suited to traditional Nmap version detection, but both are easily accomplished with NSE…”
Vulnerability detection – “When a new vulnerability is discovered, you often want to scan your networks quickly to identify vulnerable systems before the bad guys do. While Nmap isn’t a comprehensive vulnerability scanner, NSE is powerful enough to handle even demanding vulnerability checks. Many vulnerability detection scripts are already available and we plan to distribute more as they are written.”
Backdoor detection – “Many attackers and some automated worms leave backdoors to enable later reentry. Some of these can be detected by Nmap’s regular expression based version detection. For example, within hours of the MyDoom worm hitting the Internet, Jay Moran posted an Nmap version detection probe and signature so that others could quickly scan their networks for MyDoom infections. NSE is needed to reliably detect more complex worms and backdoors.”
NSE – Usage
As mentioned above, to use most common scripts, specify -sC. With –script, we can use a specific script we need, but we can also use this switch to further customize our scripts by providing them with some arguments. For example, we can say —script-args (for arguments), or —script-trace and –script-updatedb if we want to debug our script.
NSE scripts are defined by categories, and current categories are:
As the name implies, these scripts try to decide what the authentication credentials are for the target machine. Some examples are: snmp-brute, ftp-anon.
These are run when we use the -A or -sC options. But, we can also explicitly specify them with the —script option. Some factors to consider when trying to decide if you should be running a script by default:
Of course, these are mostly subjective and subject to your discretion, as the limitations in their usage will vary depending on your use case. Thus, you should ponder which ones you would like to promote to the default category.
These look for information about our target network, mostly by querying SNMP-enabled devices, public registries, etc. Some examples would be: smb-enum-shares, html-title (looks for the root path of a website).
External scripts may, at times, send data to a db owned by a third-party. (Whois for example) Meaning, if that service is logging activity (which is very likely) they might see and record all that you’ve sent, which will most likely include your IP address. Note that most scripts send traffic strictly between the target (scanned machine) and the scanning machine (attacker machine). Those that don’t send traffic that way are placed in the external category.
Scripts that do not end up in the safe category, due to the risks being too high (use a lot of resources – CPU, bandwidth, etc.) and/or considered to be malicious, end up within the intrusive category. Some of the examples are: snmp-brute, http-open-proxy,
Scripts in this category check to see if the target is infected with malware. Some examples are: smtp-strangeport, auth-spoof. Strangeport looks for SMTP servers that are running on unorthodox ports. Auth-spoof looks for spoofing daemons that love giving fake answers even before queried. These are all signs of malware infected behavior.
As the name implies, these scripts are designed specifically not to crash anything that’s running, hence they’re categorized as safe. However, they can still anger an administrator! Still, most usually do some regular things and are thus not considered to be a particular threat, or overly aggressive in behavior. Examples: ssh-hostkey, html-title.
These scripts basically extend the version detection, but cannot be specified explicitly. They’re covered under the -sV command. Examples include: skypev2-version, pptp-version, iax2-version.
Vuln scripts check against a specific known vulnerability. They only report results if the vulns are found. Examples would be: realvnc-auth-bypass, xampp-default-auth.
Mainly, there are five arguments when it comes to script scanning.
- -sC – the default set of scripts, equivalent to –script=default
- –script <script-categories> | <directory> | <filename> | all
Please note that Nmap scripts are stored in the scripts directory of Nmap. All would execute all scripts in the Nmap script db. Similarly, if we were to specify a directory, Nmap would load (and run) all the scripts inside – rather, all the files that have .nse extension. Also, note that these can harm your system since they are not run in a sandbox. Verify first. Always.
- –script-args – with this, we can give arguments to our scripts
- –script-trace – this option is akin to the –packet-trace, but with one main difference: it runs at the application layer.
- –script-updatedb – only used if you’ve removed or added some scripts to the default scripts directory, or if some of the categories have been changed. It is ran by specifying the following command – nmap –script-updatedb
Network Scripting Engine, or NSE for short, is a big and important part of Nmap. We hope that by covering the basics in this article, you’re now at least a bit more familiar with some of the ways in which it works.
Remember that anyone can contribute to this project, too. So, if you have some special use cases that you would like to automate, or tweak further, this might be an option for you. There’s also many great resources on the Internet about NSE, so you can see what are some of the uses of it. For example, in the aftermath of the whole Log4j debacle, someone made an NSE script that will check against log4shell or LogJam vulns (CVE-2021-44228). You can check out the Github repo here.
Just typing Nmap in Github search gave us 4,577 hits!
And there you have it! Boosted with your knowledge of NSE, you can further improve on your Nmap mastery, and if you’re interested in writing your own NSE scripts, go and check out this link for NSE script writing tutorial. There is also a simple example script on Nmap’s official website, called finger, that might be a good starting point for you!
Below are some interesting links on the topic of NSE, but we greatly encourage you to go out and search them yourselves.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.