Utilize Nmap Scripting Engine


Introduction

In this lab, you will learn to use the Nmap Scripting Engine (NSE). The lab covers running the default script set, selecting a specific script by name, passing arguments to scripts, rebuilding the local script index, running several scripts in one scan, and reading script output in the Xfce terminal. You will execute commands such as nmap -sC, nmap --script and nmap --script-updatedb against target IP addresses to perform scans and gather information.



Run default scripts with nmap -sC 192.168.1.1

In this step, we will run Nmap's default set of scripts against a target. NSE scripts are small Lua programs shipped with Nmap that automate tasks ranging from service discovery and information gathering to vulnerability checks. The -sC option is shorthand for --script=default: it selects the default category, a curated set of scripts chosen to be fast, useful and generally non-intrusive. Note that default is a separate category from safe; if you want only the scripts Nmap classifies as safe, use --script safe instead.

Before we begin, let's make sure we are in the correct directory.

cd ~/project

Now, let's run Nmap with the -sC option against the target IP address 192.168.1.1. This IP address is a placeholder. In a real-world scenario, you would replace it with the actual IP address of the target you want to scan. For this lab environment, we will assume that 192.168.1.1 is a valid target.

sudo nmap -sC 192.168.1.1

This command runs Nmap's normal port scan (the top 1,000 TCP ports, performed as a SYN scan because of sudo) and then runs every script in the default category against the open ports it finds, plus any default host scripts whose preconditions are met. Note that -sC does not enable version detection: add -sV if you also want the VERSION column in the port table, or use -A, which turns on both.

The output will look something like this (the exact output will vary depending on the target system):

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 ... (RSA)
|   256 ... (ECDSA)
|_  256 ... (ED25519)

Nmap done: 1 IP address (1 host up) scanned in ... seconds

In this example, port 22 is open and running SSH, and the default ssh-hostkey script has printed the fingerprints of the server's host keys (compare them with the fingerprints you expect before trusting the host). Lines beginning with | belong to the script result printed under the port they apply to; |_ marks the last line of that result. If the target also exposed SMB (TCP 139/445), the report would end with a Host script results section produced by default host scripts such as nbstat (NetBIOS name and MAC address), smb-os-discovery (operating system and system time) and clock-skew (the difference between the target's clock and yours):

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_nbstat: NetBIOS name: ..., NetBIOS user: ..., NetBIOS MAC: ... (unknown)
| smb-os-discovery:
|   OS: Unix
|   ...
|_  System time: ...

Use a specific script with nmap --script banner 127.0.0.1

In this step, we will learn how to select a single Nmap script by name. Nmap ships with a large library of scripts that can be used for many different tasks. We will use the banner script, which connects to each open port, sends nothing, and records whatever the service transmits first. Banners often reveal the software name and version and other details that are useful for reconnaissance.

First, ensure you are in the ~/project directory:

cd ~/project

Now, let's use the nmap command with the --script option to specify the banner script and target the localhost IP address, 127.0.0.1.

sudo nmap --script banner 127.0.0.1

This command tells Nmap to run the banner script against every open port it finds on 127.0.0.1. Nmap still scans its usual top 1,000 TCP ports first; add -p- if you want the script to cover all 65,535 ports. The output shows the port table with any banner that was retrieved printed under the corresponding port.

The output might look similar to this (the exact output will depend on the services running on your localhost):

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
111/tcp  open  rpcbind
631/tcp  open  ipp
5900/tcp open  vnc
|_banner: RFB 003.008
8000/tcp open  http
8080/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in ... seconds

Script results are printed directly under the port they belong to, not in the Host script results section. In this example, banner captured the SSH server's version string on port 22 and the RFB protocol version of the VNC server on port 5900. The other services produced no banner line: banner only sees services that speak first after the TCP handshake, and rpcbind, CUPS (631) and the two HTTP servers all wait for the client to send a request. To identify those, use -sV, which sends protocol-specific probes instead of passively listening.
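The difference between a service that speaks first and one that waits for a request is what decides whether banner prints anything. The following added example (not part of the lab and not Nmap's own code) reproduces that behaviour in a few lines of Python: it starts two constructed listeners on 127.0.0.1, one that greets like sshd and one that stays silent like a web server, and grabs a banner from each the way the banner script does. The greeting string and the port numbers are assumptions chosen for the example.

```python
import socket
import threading

# Added example, not part of the lab. Two constructed listeners on 127.0.0.1
# stand in for the services the lab scans: an SSH-style service that speaks
# first (like sshd) and an HTTP-style service that waits for a request
# (like nginx, CUPS or Jetty). The OS picks the ports (bind to port 0).

SSH_GREETING = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"  # constructed


def _serve_once(srv, greeting):
    conn, _ = srv.accept()
    with conn:
        if greeting is not None:
            conn.sendall(greeting)          # server speaks first
        else:
            conn.settimeout(3.0)            # server waits for the client's request
            try:
                conn.recv(1024)
            except OSError:
                pass
    srv.close()


def start_listener(greeting):
    """Start a one-shot TCP listener and return its port. greeting=None means silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=_serve_once, args=(srv, greeting), daemon=True).start()
    return port


def grab_banner(host, port, timeout=1.0, maxlen=256):
    """Connect, send nothing, and return whatever the service volunteers.
    Returns None when the service stays silent until the timeout, which is
    exactly the case where nmap's banner script prints nothing for a port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(maxlen)
        except socket.timeout:
            return None
    text = data.decode("ascii", "replace").strip()
    return text or None


if __name__ == "__main__":
    ssh_port = start_listener(SSH_GREETING)
    http_port = start_listener(None)
    print(f"{ssh_port}/tcp banner: {grab_banner('127.0.0.1', ssh_port)}")
    print(f"{http_port}/tcp banner: {grab_banner('127.0.0.1', http_port)}")
```

The silent listener returns None after the timeout, which is why the lab's sample output has no banner line for CUPS or the HTTP servers; -sV closes that gap by sending probes (an HTTP GET, for instance) rather than waiting.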

Add arguments with nmap --script http-title --script-args http.useragent=Test 192.168.1.1

In this step, we will learn how to pass arguments to Nmap scripts. Many scripts accept arguments that change how they behave, and --script-args sets them as key=value pairs separated by commas. We will use the http-title script, which requests a page from an HTTP server and prints the contents of its <title> element, and set the http.useragent argument. That argument belongs to the shared http NSE library rather than to http-title alone, so it changes the User-Agent header sent by every http-* script in the scan.

First, let's navigate to our working directory:

cd ~/project

Now, let's run Nmap with the --script option to specify the http-title script and the --script-args option to set the http.useragent argument to Test. We'll use the target IP address 192.168.1.1. Remember that in a real-world scenario, you would replace this with the actual IP address of a target running an HTTP server.

sudo nmap --script http-title --script-args http.useragent=Test 192.168.1.1

This command tells Nmap to run the http-title script against any open HTTP ports on 192.168.1.1, using "Test" as the User-Agent string.

The output might look similar to this (the exact output will depend on the target system and its HTTP server configuration):

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_http-title: Welcome to nginx!

Nmap done: 1 IP address (1 host up) scanned in ... seconds

In this example, http-title fetched the root page from the web server on port 80 and printed its title. The title is whatever the page serves; the http.useragent argument does not change it, it changes the User-Agent header in the request Nmap sent. By default NSE identifies itself as "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)", a string that web server logs and IDS signatures readily flag, so overriding it is a common way to make a scan less obvious, and defenders should watch for both the default string and unusual replacements such as "Test". If the target has no open HTTP port, the script produces no output and only the port table is shown.

Update scripts with nmap --script-updatedb

In this step, we will rebuild the Nmap script database. NSE keeps an index file, script.db in the scripts directory (/usr/share/nmap/scripts/script.db on most Linux installations), that maps every .nse file to the categories it declares; -sC, --script and category expressions are resolved against that index. The index is regenerated when the nmap package is upgraded, but if you copy a new or modified script into the scripts directory yourself, Nmap will not find it by category until you rebuild the index.

First, ensure you are in the ~/project directory:

cd ~/project

Now, let's use the nmap command with the --script-updatedb option to rebuild the script database.

sudo nmap --script-updatedb

This command does not download anything. It reads every script in the scripts directory, collects the categories each one declares, and rewrites script.db. It needs write access to that directory, which is why sudo is used.

The output looks like this:

Starting Nmap 7.80 ( https://nmap.org ) at ...
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in ... seconds

This output indicates that the index was rebuilt. To actually obtain newer scripts, upgrade the nmap package or fetch the .nse file from the Nmap project and place it in the scripts directory, then run --script-updatedb again. Be careful about what you put in that directory: NSE scripts are Lua programs that run with the privileges of the nmap process, usually root, so a script from an untrusted source is arbitrary code execution on your scanning host. Once a script is indexed, nmap --script-help <name> shows its description, categories and accepted arguments.
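To see what the rebuilt index actually controls, the following added example (not part of the lab and not Nmap's own code) parses a script.db excerpt and resolves --script expressions against it the way Nmap does: bare names are categories or script-name globs, commas mean "or", and "and", "or", "not" and parentheses combine them. SAMPLE_SCRIPT_DB is a constructed excerpt in the file's real Entry { ... } format; the categories shown are illustrative, so check your own script.db for the real ones.

```python
import re
from fnmatch import fnmatch

# Added example, not part of the lab or of nmap itself. SAMPLE_SCRIPT_DB is a
# constructed excerpt in the format nmap writes to scripts/script.db; the
# categories are illustrative, so check your own script.db for the real ones.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "clock-skew.nse", categories = { "default", "safe", } }
Entry { filename = "http-sql-injection.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}')
TOKEN_RE = re.compile(r"\(|\)|[^\s(),]+")


def parse_script_db(text):
    """Map script name (without .nse) -> set of categories."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group(1)
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def _matches(token, name, cats):
    # A bare token is a category, the keyword "all", or a script-name glob.
    return token == "all" or token in cats or fnmatch(name, token)


def _expr(tokens, pos, name, cats):
    # expr := term ("or" term)*
    val, pos = _term(tokens, pos, name, cats)
    while pos < len(tokens) and tokens[pos] == "or":
        rhs, pos = _term(tokens, pos + 1, name, cats)
        val = val or rhs
    return val, pos


def _term(tokens, pos, name, cats):
    # term := factor ("and" factor)*
    val, pos = _factor(tokens, pos, name, cats)
    while pos < len(tokens) and tokens[pos] == "and":
        rhs, pos = _factor(tokens, pos + 1, name, cats)
        val = val and rhs
    return val, pos


def _factor(tokens, pos, name, cats):
    # factor := "not" factor | "(" expr ")" | TOKEN
    if pos >= len(tokens):
        raise ValueError("incomplete script expression")
    tok = tokens[pos]
    if tok == "not":
        val, pos = _factor(tokens, pos + 1, name, cats)
        return (not val), pos
    if tok == "(":
        val, pos = _expr(tokens, pos + 1, name, cats)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in script expression")
        return val, pos + 1
    if tok == ")":
        raise ValueError("unexpected ')' in script expression")
    return _matches(tok, name, cats), pos + 1


def select_scripts(db, expression):
    """Scripts a --script EXPRESSION would load, sorted by name.
    Commas are treated as "or", as on the nmap command line."""
    tokens = TOKEN_RE.findall(expression.replace(",", " or "))
    chosen = []
    for name in sorted(db):
        val, pos = _expr(tokens, 0, name, db[name])
        if pos != len(tokens):
            raise ValueError("trailing tokens in script expression")
        if val:
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for expr in ("default", "banner,http-title", "safe and not default", "http-*"):
        print(f"--script '{expr}' -> {select_scripts(db, expr)}")
```

Point the parser at your real script.db to check, before a scan, exactly which scripts -sC or an expression such as "safe and not intrusive" will load; a script you added to the directory without running --script-updatedb will be missing from the file and therefore from the result.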

Test multiple scripts with nmap --script banner,http-title 127.0.0.1

In this step, we will run multiple Nmap scripts simultaneously. This allows you to gather more information about a target in a single scan. We will use the banner and http-title scripts against the target 127.0.0.1.

First, let's navigate to our working directory:

cd ~/project

Now, let's run Nmap with the --script option, specifying both the banner and http-title scripts, separated by a comma. We'll use the target IP address 127.0.0.1, which refers to the local machine.

sudo nmap --script banner,http-title 127.0.0.1

This command tells Nmap to load both the banner and http-title scripts for the scan of 127.0.0.1. Each script still decides for itself where it runs: banner tries every open port, while http-title only runs against ports whose service looks like HTTP.

The output might look similar to this (the exact output will depend on the services running on 127.0.0.1):

Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
80/tcp open  http
|_http-title: Welcome to nginx!

Nmap done: 1 IP address (1 host up) scanned in ... seconds

In this example, banner ran against both open ports but only the SSH server volunteered a banner, and http-title retrieved the title from the web server on port 80. The same --script syntax also accepts categories and boolean expressions, for example --script "default or banner" or --script "safe and not intrusive", and name wildcards such as --script "http-*"; quote such expressions so the shell does not expand the asterisk. If the target does not have these ports open, the scripts print nothing and only the port table is shown.

View script output in Xfce terminal

In this step, we will focus on viewing the output of Nmap scripts within the Xfce terminal. The Xfce terminal is the default terminal emulator in the LabEx VM environment. You've already been using it in the previous steps. This step is more about understanding how to interpret the output and less about executing a new command.

The output from Nmap scripts is displayed directly in the terminal after the scan completes. The format of the output depends on the script itself. Some scripts provide simple text output, while others may provide more structured data.

Let's revisit the command from the previous step:

sudo nmap --script banner,http-title 127.0.0.1

When you execute this command, the output is printed directly to the Xfce terminal. You can scroll through the terminal output to review the results of the banner and http-title scripts.

For example, the output might include:

  • Banner information: The banner script attempts to retrieve service banners from open ports. This can reveal the software version running on a particular port.
  • HTTP title: The http-title script retrieves the title of the web page served by an HTTP server.

The key is to examine the output carefully for anything useful. The Xfce terminal is a simple and direct way to view it, and standard Linux tools such as grep can filter it. For example, to keep only the lines containing "http-title", pipe the output of the nmap command to grep:

sudo nmap --script banner,http-title 127.0.0.1 | grep "http-title"

This runs the same scan as before but prints only the lines that contain the string "http-title". The trade-off is that grep drops the port line printed above each result, so on a host with several web servers you cannot tell which title belongs to which port; grep -B1 "http-title" keeps the preceding line. For anything beyond a quick filter, save the scan once with -oN (normal text) or -oX (XML) and process the file, rather than re-scanning the target every time you want a different view.
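The structured alternative to grep is to have Nmap write XML with -oX and read the script results out of it with their host and port attached. The following added example (not part of the lab and not Nmap's own code) does that with the standard library. SAMPLE_NMAP_XML is a constructed document shaped like the -oX output of a scan with the default scripts plus banner; its addresses, ports and script outputs are invented for illustration.

```python
import xml.etree.ElementTree as ET

# Added example, not part of the lab. SAMPLE_NMAP_XML is a constructed -oX
# document shaped like what nmap emits; hosts, ports and outputs are invented.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap --script default,banner -oX - 127.0.0.1" version="7.80">
<host>
<status state="up" reason="localhost-response"/>
<address addr="127.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack"/>
<service name="ssh" method="table" conf="3"/>
<script id="banner" output="SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"/>
</port>
<port protocol="tcp" portid="80">
<state state="open" reason="syn-ack"/>
<service name="http" method="table" conf="3"/>
<script id="http-title" output="Welcome to nginx!"><elem key="title">Welcome to nginx!</elem></script>
</port>
<port protocol="tcp" portid="631">
<state state="closed" reason="reset"/>
<service name="ipp" method="table" conf="3"/>
</port>
</ports>
<hostscript>
<script id="clock-skew" output="mean: -1s, deviation: 0s, median: -1s"/>
</hostscript>
</host>
<runstats><finished elapsed="0.12"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_script_results(xml_text):
    """Return one dict per NSE result: host, port ("80/tcp", or None for a
    host script), script id and output. Only open ports are considered."""
    # Stdlib ElementTree does not resolve external entities, which is enough
    # for XML you generated yourself; treat XML from others as untrusted input.
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portspec = f"{port.get('portid')}/{port.get('protocol')}"
            for script in port.findall("script"):
                results.append({"host": addr, "port": portspec,
                                "script": script.get("id"),
                                "output": script.get("output", "").strip()})
        for script in host.iterfind("hostscript/script"):
            results.append({"host": addr, "port": None,
                            "script": script.get("id"),
                            "output": script.get("output", "").strip()})
    return results


def by_script(results, script_id):
    """Filter results by script id: the structured equivalent of grep "http-title"."""
    return [r for r in results if r["script"] == script_id]


def format_results(results):
    """One line per result, keeping the port that a plain grep would lose."""
    lines = []
    for r in results:
        where = r["port"] or "host"
        lines.append(f"{r['host']} {where:>8} {r['script']}: {r['output']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python3 nse_results.py scan.xml   (after nmap ... -oX scan.xml)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_NMAP_XML
    print(format_results(parse_script_results(xml_text)))
```

Each script result is an element with an id and an output attribute, nested under the port (or under hostscript for host scripts), so the host and port context that grep discards is always available; many scripts also add structured elem children such as the title above, which you can read instead of the flat output text.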

This step is primarily about observation and understanding. There's no single command to execute, but rather a focus on how to interpret the results you've already generated in the previous steps within the Xfce terminal environment.

Summary

In this lab, participants learned to use the Nmap Scripting Engine through a series of commands. They started by running the default script set with nmap -sC against a target IP, which loads the curated default category of scripts for general scanning. They then selected a single script with nmap --script, passed arguments to scripts with --script-args, rebuilt the local script index with --script-updatedb, and ran several scripts in one scan. Finally, they reviewed and filtered the script output in the Xfce terminal.