Discover Network Services with Nmap and Its Scripting Engine

Introduction

In this lab, you will learn about the Nmap Scripting Engine (NSE), a powerful part of the Nmap network scanning tool. NSE enhances Nmap's functions, enabling you to carry out advanced network discovery, vulnerability detection, and service enumeration.

This engine is crucial for modern network administrators, security experts, and ethical hackers. They need to understand network topologies, spot potential security problems, and collect detailed information about network services. In this lab, you'll set up a local network service and use Nmap to discover and analyze it. By the end, you'll grasp the basics of using Nmap and its scripting engine to explore and gather data on network services.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/service_detection("Service Detection") subgraph Lab Skills nmap/installation -.-> lab-415931{{"Discover Network Services with Nmap and Its Scripting Engine"}} nmap/save_output -.-> lab-415931{{"Discover Network Services with Nmap and Its Scripting Engine"}} nmap/port_scanning -.-> lab-415931{{"Discover Network Services with Nmap and Its Scripting Engine"}} nmap/target_specification -.-> lab-415931{{"Discover Network Services with Nmap and Its Scripting Engine"}} nmap/service_detection -.-> lab-415931{{"Discover Network Services with Nmap and Its Scripting Engine"}} end

Setting Up a Local Network Service for Scanning

In this step, we're going to create a simple network service. Why do we do this? Well, in the real world of cybersecurity, you often need to find and analyze the services running on a network. By creating this simple service, we can practice using Nmap to scan it later, just like you would in a real - world situation.

First, we need to open a terminal. A terminal is a text - based interface where you can enter commands to interact with your computer. Once you've opened the terminal, you need to make sure you're in the project directory. The project directory is like a folder where all the files related to this project are stored. To navigate to the project directory, enter the following command in the terminal:

cd /home/labex/project

Next, we're going to create a simple HTML file. HTML stands for HyperText Markup Language, and it's used to create web pages. This file will be hosted by our server, just like the web pages you see on the internet. The content of this file is what a real - world web server might serve to users. To create the file, use the following command:

echo "<h1>Welcome to the hidden treasure chamber</h1>" > treasure.html

This command does two things. First, it creates a string with an HTML heading. Then, it redirects that string into a file named treasure.html. To check if the file was created correctly, you can use the cat command. The cat command is used to display the contents of a file. Enter the following command in the terminal:

cat treasure.html

If everything went well, you should see the HTML content we just added:

<h1>Welcome to the hidden treasure chamber</h1>

Now, we're going to start a simple HTTP server. HTTP stands for HyperText Transfer Protocol, and it's the protocol used for transferring web pages over the internet. We'll use Python's built - in module to start this server. This server will listen on port 8000. A port is like a door on your computer where network traffic can enter or leave. The server will serve files from the current directory, which is the project directory we navigated to earlier. To start the server, enter the following command in the terminal:

python3 -m http.server 8000

After running this command, you should see output similar to:

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

This output indicates that the HTTP server is now running and waiting for connections on port 8000. Make sure to leave this terminal window open. If you close it, the server will stop running, and we won't be able to scan it with Nmap later.

Discovering Network Services with Nmap

Now that we have successfully set up a network service, it's time to use Nmap to discover and analyze it. Nmap, short for Network Mapper, is a well - known and powerful open - source tool. It's widely used for network discovery, which means finding out what devices and services are available on a network, and security auditing, which helps in identifying potential security risks.

First, open a new terminal window. Make sure to keep the previous terminal window open, as it's running the HTTP server. Once you've opened the new terminal, you need to navigate to the project directory. This is important because all the commands related to this project will be executed from this directory. Use the following command to change the directory:

cd /home/labex/project

Let's start with a basic port scan. A port scan is a technique used to check which ports on a device are open and running services. Ports are like doors through which network traffic enters and exits a device. In this case, we'll scan port 8000 on the localhost, which refers to the current machine we are working on. Run the following command:

nmap -p 8000 localhost

This command instructs Nmap to specifically scan port 8000 on the local machine. After running the command, you should see an output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-XX-XX XX:XX XXX
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).

PORT     STATE SERVICE
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in X.XX seconds

The output tells us that port 8000 is open, which means there is a service running on it. The "http - alt" is Nmap's default way of identifying alternative HTTP services.

Next, we want to gather more detailed information about this service. We'll use the -sV flag with Nmap. This flag tells Nmap to try and determine the version of the running service. Knowing the service version can be crucial for security purposes, as it helps in identifying if there are any known vulnerabilities associated with that specific version. Run the following command:

sudo nmap -sV -p 8000 localhost > /home/labex/project/nmap_output_service_version.txt

This command performs a version detection scan on port 8000. The sudo is used to run the command with administrative privileges, which might be required for some Nmap operations. The > symbol redirects the output of the command to a file named nmap_output_service_version.txt. This way, we can save the results for later analysis.

To view the results, use the following command:

cat /home/labex/project/nmap_output_service_version.txt

You should see more detailed information about the HTTP service, including the possible software version. The output might look like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-XX-XX XX:XX XXX
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).

PORT     STATE SERVICE VERSION
8000/tcp open  http    Python http.server 3.10.X (Python 3.10.X)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in X.XX seconds

This output confirms that the service is an HTTP server powered by Python, which matches what we set up in the previous step.

Using Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is a powerful tool that allows you to expand Nmap's capabilities using Lua scripts. Lua is a lightweight programming language, and these scripts can perform a wide variety of tasks. For example, they can help with advanced service detection, which means identifying what services are running on a network device more precisely. They can also be used for vulnerability scanning, which is crucial for finding security weaknesses in a system.

Let's use NSE to gather more information about our HTTP server. NSE scripts are grouped into different categories. These categories include "default", which contains commonly used and safe scripts; "discovery", which is for finding network services; "safe", which won't cause any harm to the target system; and "vuln", which is used for vulnerability scanning.

First, we want to see what HTTP-related scripts are available. To do this, we'll use the following command:

ls /usr/share/nmap/scripts/http*

This command lists all the NSE scripts in the /usr/share/nmap/scripts/ directory that start with http. When you run this command, you'll see a list of scripts designed to interact with HTTP services. These scripts can perform different functions, from simple information gathering, like getting the title of a web page, to more complex tasks such as scanning for vulnerabilities in an HTTP service.

Now, let's use the http-title script to extract the title from our web page. The http-title script is designed to look at an HTTP service and find the title of the web page it serves. Here's the command to run this script:

sudo nmap --script=http-title -p 8000 localhost > /home/labex/project/nmap_script_output.txt

In this command, sudo is used to run the command with administrative privileges because some Nmap operations may require them. nmap is the main command, and --script=http-title tells Nmap to use the http-title script. -p 8000 specifies that we're targeting port 8000, which is where our HTTP server is running. localhost is the target, which means we're running the scan on our own machine. The > symbol redirects the output of the command to the file /home/labex/project/nmap_script_output.txt.

Let's check the output of the command. We can do this by using the following command:

cat /home/labex/project/nmap_script_output.txt

The cat command is used to display the contents of a file. When you run this command, you should see output that includes information about the title of our web page. The output might look like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-XX-XX XX:XX XXX
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).

PORT     STATE SERVICE
8000/tcp open  http-alt
|_http-title: Directory listing for /

Nmap done: 1 IP address (1 host up) scanned in X.XX seconds

Now, let's try a more comprehensive scan using multiple scripts. The "default" category includes safe scripts that provide useful information about the target. To run all the scripts in the "default" category against our HTTP server on port 8000, we use the following command:

sudo nmap --script=default -p 8000 localhost > /home/labex/project/nmap_default_scripts.txt

This command is similar to the previous one, but instead of specifying a single script, we're telling Nmap to run all the scripts in the "default" category.

Let's examine the results of this scan. We can do this by using the cat command again:

cat /home/labex/project/nmap_default_scripts.txt

The output will contain more detailed information about our HTTP server, gathered by various NSE scripts that run by default.

Finally, let's explore the script help feature to learn more about a specific script. If you want to know more about the http-title script, you can use the following command:

nmap --script-help=http-title

This command displays documentation for the http-title script. The documentation includes the script's purpose, how to use it, and the format of its output. Understanding script documentation is essential when using NSE for specific tasks because it helps you know what the script does and how to use it correctly.

Summary

In this lab, you have learned how to use the Nmap Scripting Engine (NSE) for network service discovery and analysis. You first set up a local HTTP server and then employed various Nmap commands to scan and collect information about this service.

You acquired skills such as setting up a basic network service for testing, using Nmap to find open ports and running services, performing version detection with the -sV flag, leveraging NSE scripts to obtain detailed service information, and interpreting Nmap scan results to understand service characteristics. These skills are essential for network administrators, security professionals, and ethical hackers. As you progress in cybersecurity, Nmap and its Scripting Engine will be valuable for network discovery and security assessment.