Mastering the Nmap Scripting Engine

Book Description

Master the Nmap Scripting Engine and the art of developing NSE scripts

In Detail

Nmap is a well-known security tool used by penetration testers and system administrators for many different networking tasks. The Nmap Scripting Engine (NSE) was introduced during Google's Summer of Code 2006 and added the ability to perform additional tasks on target hosts, such as advanced fingerprinting, service discovery, and information gathering.

This book will teach you everything you need to know to master the art of developing NSE scripts. The book starts by covering the fundamental concepts of Lua programming and reviews the syntax and structure of NSE scripts. After that, it covers the most important features of NSE. It jumps right into coding practical scripts and explains how to use the Nmap API and the available NSE libraries to produce robust scripts. Finally, the book covers output formatting, string handling, network I/O, parallelism, and vulnerability exploitation.

What You Will Learn

  • Get to grips with the fundamentals of Lua, the programming language used by the Nmap Scripting Engine

  • Extend the capabilities of Nmap by writing your own NSE scripts

  • Explore the Nmap Scripting Engine API

  • Discover all the available NSE libraries

  • Write robust brute force password auditing scripts

  • Customize the databases distributed with Nmap

  • Produce flexible script reports in NSE

  • Optimize Nmap scans with script and library arguments

  • Enhance the version detection capabilities of Nmap

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the files e-mailed directly to you.

Table of Contents

    1. Mastering the Nmap Scripting Engine
      1. Table of Contents
      2. Mastering the Nmap Scripting Engine
      3. Credits
      4. About the Author
      5. Acknowledgments
      6. About the Reviewers
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      9. 1. Introduction to the Nmap Scripting Engine
        1. Installing Nmap
          1. Building Nmap from source code
          2. Keeping Nmap up to date
        2. Running NSE scripts
        3. Script categories
          1. NSE script selection
            1. Selecting by script name or category
            2. Selecting by filename or folder
            3. Advanced script selection with expressions
          2. NSE script arguments
            1. Loading script arguments from a file
          3. Forcing the execution of NSE scripts
          4. Debugging NSE scripts
        4. Scan phases and NSE
          1. NSE script rules
        5. Applications of NSE scripts
          1. Information-gathering
            1. Collecting UPNP information
            2. Finding all hostnames resolving to the same IP address
          2. Advanced host discovery
            1. Discovering hosts with broadcast pings
            2. Listening to your LAN to discover targets
          3. Password auditing
            1. Brute-forcing MySQL passwords
            2. Brute-forcing SMTP passwords
          4. Vulnerability scanning
            1. Detecting insecure MySQL server configurations
            2. Detecting web servers vulnerable to slow denial-of-service attacks
            3. Detecting SSL servers vulnerable to CVE-2014-3566
        6. Setting up a development environment
          1. Halcyon IDE
        7. Adding new scripts
        8. Summary
      10. 2. Lua Fundamentals
        1. Quick notes about Lua
          2. Dummy assignments
          3. Indexes
          4. Semantics
          5. Coercion
          6. Safe language
          7. Booleans
        2. Flow control structures
          1. Conditional statements – if-then, else, and elseif
          2. Loops – while
          3. Loops – repeat
          4. Loops – for
        3. Data types
        4. String handling
          1. Character classes
          2. Magic characters
          3. Patterns
            1. Captures
            2. Repetition operators
          4. Concatenation
          5. Finding substrings
          6. String repetition
          7. String length
          8. Formatting strings
          9. Splitting and joining strings
        5. Common data structures
          1. Tables
          2. Arrays
          3. Linked lists
          4. Sets
          5. Queues
          6. Custom data structures
            1. http-enum database
            2. http-default-accounts
        6. I/O operations
          1. Modes
          2. Opening a file
          3. Reading a file
          4. Writing a file
          5. Closing a file
        7. Coroutines
          1. Creating a coroutine
          2. Executing a coroutine
          3. Determining the running coroutine
          4. Getting the status of a coroutine
          5. Yielding a coroutine
        8. Metatables and metamethods
          1. Arithmetic metamethods
          2. Relational metamethods
        9. Summary
      11. 3. NSE Data Files
        1. Locating your data directory
        2. Data directory search order
        3. Username and password lists used in brute-force attacks
          1. Username dictionaries
          2. Password dictionaries
        4. Web application auditing data files
          1. http-fingerprints.lua
          2. http-sql-errors.lst
          3. http-web-files-extensions.lst
          4. http-devframework-fingerprints.lua
          5. http-folders.txt
          6. vhosts-default.lst
          7. wp-plugins.lst
        5. DBMS-auditing data files
          1. mysql-cis.audit
          2. oracle-default-accounts.lst
          3. oracle-sids
        6. Java Debug Wire Protocol data files
          2. JDWPSystemInfo.class
        7. Other NSE data files
          1. mygroupnames.db
          2. rtsp-urls.txt
          3. snmpcommunities.lst
          4. ssl-ciphers
          5. ssl-fingerprints
          6. ike-fingerprints.lua
          7. tftplist.txt
        8. Other Nmap data files
        9. Summary
      12. 4. Exploring the Nmap Scripting Engine API and Libraries
        1. Understanding the structure of an NSE script
          1. Other NSE script fields
            1. Author
            2. License
            3. Dependencies
          2. A sample NSE script
        2. Exploring environment variables
        3. Accessing the Nmap API
          1. NSE arguments
            1. Host table
            2. Port table
          2. Exception handling in NSE scripts
        4. The NSE registry
        5. Writing NSE libraries
          1. Extending the functionality of an NSE library
          2. NSE modules in C/C++
        6. Exploring other popular NSE libraries
          1. stdnse
          2. openssl
          3. target
          4. shortport
          5. creds
          6. vulns
          7. http
        7. Summary
      13. 5. Enhancing Version Detection
        1. Understanding version detection mode in NSE
          1. Phases of version detection
          2. Adjusting the rarity level of a version scan
          3. Updating the version probes database
            1. Taking a closer look at the file format
          4. Excluding scanned ports from version detection
          5. Using fallbacks to match other version probes
          6. Getting to know post-processors
            1. Nmap Scripting Engine
            2. SSL
        2. Writing your own version detection scripts
          1. Defining the category of a version detection script
          2. Defining the portrule of a version detection script
          3. Updating the port version information
            1. Setting the match confidence level
        3. Examples of version detection scripts
          1. NSE script – modbus-discover
          2. NSE script – ventrilo-info
          3. NSE script – rpc-grind
        4. Summary
      14. 6. Developing Brute-force Password-auditing Scripts
        1. Working with the brute NSE library
          1. Selecting a brute mode
          2. Implementing the Driver class
          3. Passing library and user options
          4. Returning valid accounts via Account objects
          5. Handling execution errors gracefully with the Error class
        2. Reading usernames and password lists with the unpwdb NSE library
        3. Managing user credentials found during scans
        4. Writing an NSE script to launch password-auditing attacks against the MikroTik RouterOS API
        5. Summary
      15. 7. Formatting the Script Output
        1. Output formats and Nmap Scripting Engine
        2. XML structured output
          1. Implementing structured output in your scripts
        3. Printing verbosity messages
        4. Including debugging information
        5. The weakness of the grepable format
        6. NSE script output in the HTML report
        7. Summary
      16. 8. Working with Network Sockets and Binary Data
        1. Working with NSE sockets
          1. Creating an NSE socket
          2. Connecting to a host using NSE sockets
          3. Sending data using NSE sockets
          4. Receiving data using NSE sockets
          5. Closing NSE sockets
          6. Example script – sending a payload stored in a file over a NSE socket
        2. Understanding advanced network I/O
          1. Opening a socket for raw packet capture
          2. Receiving raw packets
          3. Sending packets to/from IP and Ethernet layers
        3. Manipulating raw packets
          1. Packing and unpacking binary data
          2. Building Ethernet frames
        4. Raw packet handling and NSE sockets
        5. Summary
      17. 9. Parallelism
        1. Parallelism options in Nmap
          1. Scanning multiple hosts simultaneously
          2. Increasing the number of probes sent
          3. Timing templates
        2. Parallelism mechanisms in Lua
          1. Coroutines
            1. Working with coroutines
        3. Parallelism mechanisms in NSE
          1. NSE threads
            1. Condition variables
            2. Mutexes
        4. Consuming TCP connections with NSE
        5. Summary
      18. 10. Vulnerability Detection and Exploitation
        1. Vulnerability scanning
          1. The exploit NSE category
          2. Exploiting RealVNC
          3. Detecting vulnerable Windows systems
          4. Exploiting the infamous heartbleed vulnerability
          5. Exploiting shellshock in web applications
        2. Reporting vulnerabilities
          1. Using the vulns library in your NSE scripts
        3. Summary
      19. A. Scan Phases
      20. B. NSE Script Template
        1. Other templates online
      21. C. Script Categories
      22. D. Nmap Options Mind Map
      23. E. References
      24. Index