Script Scanning and Targeted Service Analysis
In this step, we will explore Nmap's powerful scripting engine (NSE) and learn how to perform targeted service analysis. NSE scripts extend Nmap's functionality by enabling more detailed scans for specific services and vulnerabilities.
Introduction to Nmap Scripting Engine (NSE)
The Nmap Scripting Engine allows users to write and share scripts to automate a variety of networking tasks. Nmap comes with hundreds of pre-written scripts categorized into various groups:
auth
: Authentication related scripts
default
: Scripts run by default with -sC
discovery
: Host and service discovery
exploit
: Attempt to exploit vulnerabilities
malware
: Detect malware and backdoors
safe
: Safe, non-intrusive scripts
vuln
: Vulnerability detection scripts
Running Default Scripts (-sC)
The -sC
flag runs the default set of scripts, which are generally safe and provide useful information:
nmap -sC localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds
Notice how the scripts have provided additional information about each service, like SSH host keys and HTTP page titles.
Running Specific Scripts
You can run specific scripts using the --script
flag followed by the script name or category:
nmap --script=http-title localhost
This runs only the http-title script, which retrieves the title of HTTP pages:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Running Scripts by Category
You can run all scripts in a specific category:
nmap --script=discovery localhost
This runs all discovery scripts, which can provide a wealth of information about network services (output truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
| cups-info:
| CUPS Server:
| Server: CUPS/2.3 IPP/2.1
|_ Authentication-Method: Basic
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 15
| Capabilities flags: 65535
| Some Capabilities: ConnectWithDatabase, SupportsLoadDataLocal, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, ODBCClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolNew, SupportsMultipleStatments, LongPassword, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x7FeL)\x0C\x5C#S\x06N%\x1E\x7EYaC
|_ Auth Plugin Name: caching_sha2_password
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds
Combining Script Scanning with Service Detection
For the most comprehensive results, combine script scanning with service detection:
nmap -sV -sC localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds
Targeted Service Analysis
Let's focus on analyzing specific services in more detail.
Analyzing HTTP Services
To analyze HTTP services in detail, we can use the http-*
scripts:
nmap --script="http-*" -p 80 localhost
This runs all HTTP-related scripts against port 80:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
80/tcp open http
|_http-chrono: Request times for /; avg: 32.68ms; min: 32.68ms; max: 32.68ms
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Thu, 14 Sep 2023 17:30:24 GMT; +6s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
|_http-feed: Couldn't find any feeds.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-generator: Couldn't find any generator in the HTML headers and body
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-security-headers:
| http-server-header:
| Apache/2.4.41
|_ Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-traceroute: ERROR: Script execution failed (use -d to debug)
|_http-useragent-tester:
|_http-xssed: No previously reported XSS vuln.
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
Analyzing SSH Services
Similarly, we can analyze SSH services:
nmap --script="ssh-*" -p 22 localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
|_ssh-run: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Vulnerability Scanning
Nmap includes scripts that can detect potential vulnerabilities. Using the vuln
category can help identify security issues:
nmap --script=vuln localhost
This can take some time as it runs various vulnerability checks. Output might look like:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 87.28 seconds
In this case, Nmap has identified that the Apache web server might be vulnerable to a Slowloris DoS attack. This information can be valuable for securing your systems.
Creating a Comprehensive Scan Report
Now, let's combine everything we've learned to create a comprehensive security report:
sudo nmap -sS -sV -O -sC --script=vuln -T4 -oA comprehensive_security_report localhost
This command:
- Uses SYN stealth scan (-sS)
- Detects service versions (-sV)
- Attempts OS detection (-O)
- Runs default scripts (-sC)
- Runs vulnerability detection scripts (--script=vuln)
- Uses aggressive timing (-T4)
- Saves results in all formats (-oA)
The output will be comprehensive and might take some time to complete. Once finished, you'll have a detailed security report in various formats (normal, XML, and grepable) that you can reference for security analysis.
In this step, you've learned how to use Nmap's scripting engine to gather detailed information about services and detect potential vulnerabilities. These advanced techniques are essential for comprehensive network security assessments.