Nmap for Scriptors


null Mumbai Chapter October 2013 Meet

Transcript of Nmap for Scriptors

Page 1: Nmap for Scriptors

Nmap for Scriptors
Sanoop Thomas @s4n7h0

Page 2: Nmap for Scriptors

Disclaimer

• This is a very small session to accommodate some coding concepts (I agree it's a bad try)
• We will try to cover some very important points that are required
• A kick-start session for security researchers to learn how NSE scripts can be built and used to create PoCs

Page 3: Nmap for Scriptors

Some Wrong Questions

• How many of you have used Nmap?
• What about the -A option?
• What are Nmap scripts?

I'm sure many of you must be familiar with Nmap; but still, for those who are new....

Page 4: Nmap for Scriptors
Page 5: Nmap for Scriptors

Nmap Script Scan

Page 6: Nmap for Scriptors

Script Path

• Windows
  – C:\Program Files (x86)\Nmap\scripts
• Linux
  – /usr/share/nmap/scripts
• In Backtrack
  – /usr/local/share/nmap/scripts

Page 7: Nmap for Scriptors

Nmap Script Engine [NSE]

• Network Discovery
• Version Detection
• Vulnerability Detection
• Malware Detection
• Exploitation

Page 8: Nmap for Scriptors

Anatomy of NSE

• require
• metadata
• categories
• portrule
• action

Page 9: Nmap for Scriptors

NSE Skeleton

description = [[
Just to show the skeleton of an NSE script
]]

author = "Mr. X"

categories = {"safe", "discovery"}

-- import the port-matching helpers (the local form is the one current NSE expects)
local shortport = require "shortport"

-- run only on open TCP ports 80, 8080 or 443, or ports whose service is "http"
portrule = shortport.port_or_service({80, 8080, 443}, {"http"}, {"tcp"})

action = function(host, port)
  return "Webserver found on port " .. port.number
end

Page 10: Nmap for Scriptors

require

• Import libraries
  – require "shortport"
  – local shortport = require "shortport"

Page 11: Nmap for Scriptors

metadata

• Includes the description of the script, author name, license information, etc.
• Not much relevant, but it helps the user know what your script does

Page 12: Nmap for Scriptors

categories

• Defines the type of your script
  – auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
• Because you can select the scripts to run by category

Page 13: Nmap for Scriptors

Scan Smartly

• nmap --script "http-*"
• nmap --script "http-* and ftp-*"
• nmap --script "not brute"
• nmap --script "vuln,safe"
• nmap --script "vuln or safe"
• nmap --script "(vuln or safe) and not http-*"

Page 14: Nmap for Scriptors

portrule

• Script executions are conditional
• portrule = shortport.http
• portrule = shortport.port_or_service(21, "ftp")

Page 15: Nmap for Scriptors

action

• The actual code to execute, based on the portrule
• A combination of Lua code and Nmap library calls

action = function(host, port)
  -- code to execute
end

Page 16: Nmap for Scriptors

Some Practical Approach

• It's coding
  – Meaning: giving life to a code snippet
  – So, you need to know the how, the what, the why, etc.

Page 17: Nmap for Scriptors

Tips for Scriptors

• Specify the script directory (--datadir)
• Use debugging mode when running a script (-d)
• Update the script database once your script is final (--script-updatedb)
• Use script trace (--script-trace)
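A complete script that puts together the require / metadata / categories / portrule / action anatomy of pages 8 to 15 and is run with the flags from page 17. This is an added example written for this transcript, not code from the talk or from Nmap's own script collection; the file name banner-demo.nse, the ./myscripts directory and the placeholder author are assumptions.

```lua
-- Usage (assumed: saved as ./myscripts/banner-demo.nse):
--   nmap --datadir ./myscripts --script banner-demo -p 21,22,25 -d <target>
-- or copy it into the scripts path from page 6 and run: nmap --script-updatedb

local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Reads the greeting line that services such as FTP, SSH and SMTP send as soon
as a client connects, and reports it. Example script written for this
transcript; it is not part of Nmap's script collection.
]]

author     = "example author (placeholder)"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- portrule: run only against open TCP ports 21, 22 or 25, or ports whose
-- detected service is ftp, ssh or smtp (same helper as the page 9 skeleton).
portrule = shortport.port_or_service({21, 22, 25}, {"ftp", "ssh", "smtp"}, "tcp")

-- action: runs once per host/port pair for which the portrule returned true.
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)  -- milliseconds; a silent port must not stall the scan

  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil  -- returning nil prints nothing for this port
  end

  -- These services talk first, so read one line without sending anything.
  local ok, data = socket:receive_lines(1)
  socket:close()
  if not ok then
    stdnse.debug1("no greeting from %s:%d: %s", host.ip, port.number, data)
    return nil
  end

  -- Keep the first line only and drop the trailing CR/LF before reporting.
  local out = stdnse.output_table()
  out.port   = port.number
  out.banner = data:match("^[^\r\n]*")
  return out
end
```

Running with -d shows the stdnse.debug1 messages for ports that did not answer, and --script-trace shows the raw bytes received, which is the quickest way to see why a portrule or receive call is not behaving as expected.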

Page 18: Nmap for Scriptors

References

• nmap.org/nsedoc/
• lua.org/docs.html

Page 19: Nmap for Scriptors

Thanks

Any Questions?

Sanoop Thomas @s4n7h0