Take an initial look at Nmap scripts and how to use them.
- [Instructor] Once we've identified the available services to access, the next stage in testing is to enumerate the services in more detail. Nmap comes with a wide range of scripts that can be used to do this. Nmap scripts are found in the /usr/share/nmap/scripts folder. Let's take a look at some of the scripts which support enumeration.
A simple script for websites is http-enum.nse, which can be used as a quick first pass on the website. Let's have a look at the script code. Nmap scripts are written in the Lua language. Lua, which means moon in Portuguese, is a lightweight and embeddable scripting language developed by the Pontifical Catholic University of Rio de Janeiro, abbreviated to PUC-Rio, in Brazil.
The language was developed by the Computer Graphics Technology Group of PUC-Rio, and is maintained in the university in LabLua. It's a popular language, used for developing online games, and it's fairly intuitive. Looking at the script, we can see at the top of the file the libraries that need to be included, followed by an extended description of the script. We can then see some parameters which we can use with the call, and an example of the output.
Moving down, we see a function named get_variations being declared. This is followed by the functions bad_prints and get_fingerprints. Then we can see the main action code. The code then either uses the command-line parameters or the default values to set its internal variables, and the fingerprints are loaded.
A fingerprint is a set of probes that will be used to do one of the tests required for enumeration. The code then loops, checking each fingerprint. And for each one, it loops for the number of probes in that fingerprint, and checks that it gets a valid response. Then it does these loops again, checking the website against the fingerprint probes. Let's run this against the Shrek server.
We can see that this has identified three pages, /icons, /images, and /uploads, and has identified that the folder contents are able to be listed. Let's run this again, against Valentine. We get a similar response, showing the two pages, /dev and /index. Let's have a look at an SMB enumeration script called smb-os-discovery.
Again we see the include files at the start of the script, followed by the description of the script. We can then see the usage of the script, and an example of the output. Down in the code we can see the script checks a result field to determine which OS is being used. And further down in the action code, we can see the call to smb.get_os. The script will work if anonymous credentials are allowed, or if we give it valid credentials.
I won't go through the script in detail, but let's run it against the Reel server. We can see that this is a Windows Server 2012 R2 system, with computer name Reel, in the htb.local domain.
We can also see the system time. The success of Nmap scripts is dependent upon the configuration of the service you're trying to enumerate, and they may often not provide any information. Let's try enumerating the TFTP service on the Joker server.
The script ran, but in this case found no user accounts, and so did not display anything other than the standard Nmap service line. There are a lot of scripts, and it's useful to spend time understanding what you can do with them. Of course, you may not need to run Nmap scripts manually, as the -A option will run what it considers to be relevant service scripts. In addition, many of the automated tools will run Nmap scripts.
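As an added example (not part of the course or of the Nmap project), here is a minimal NSE script that follows the structure the instructor walks through in http-enum.nse: required libraries, description and usage header, a script argument, a port rule, and the action function. It reports the "folder contents are able to be listed" condition seen on Shrek by checking a few paths for an autoindex page. The script file name, the argument name and the default path list are my own choices.

```lua
-- dirlisting-check.nse (hypothetical name): report directories whose
-- contents are listed by the web server. Teaching example, not an
-- official Nmap script.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Requests a short list of common directories and reports those that
return a server-generated index page (directory listing enabled).
]]

---
-- @usage
-- nmap -p 80 --script ./dirlisting-check.nse <target>
-- @args dirlisting-check.paths Comma-separated paths to test
--       (default: /icons/,/images/,/uploads/)
-- @output
-- 80/tcp open  http
-- | dirlisting-check:
-- |   /icons/: directory listing enabled
-- |_  /uploads/: directory listing enabled

author = "teaching example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run only against ports Nmap believes are serving HTTP.
portrule = shortport.http

action = function(host, port)
  local paths = {}
  local arg = stdnse.get_script_args(SCRIPT_NAME .. ".paths")
  if arg then
    for p in string.gmatch(arg, "[^,]+") do table.insert(paths, p) end
  else
    paths = {"/icons/", "/images/", "/uploads/"}
  end

  local out = {}
  for _, path in ipairs(paths) do
    local resp = http.get(host, port, path)
    -- Apache mod_autoindex and nginx autoindex both title the page
    -- "Index of <path>"; a plain-text match avoids pattern escaping.
    if resp and resp.status == 200 and resp.body
       and string.find(resp.body, "<title>Index of ", 1, true) then
      table.insert(out, path .. ": directory listing enabled")
    end
  end
  -- Returning nil keeps the script silent when nothing was found,
  -- matching the behaviour described for the TFTP run above.
  if #out > 0 then return stdnse.format_output(true, out) end
end
```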