nmap scripting engine


Upload: nu-the-open-security-community

Post on 15-May-2015


DESCRIPTION

null Bangalore Chapter - October 2013 Meet

TRANSCRIPT

Page 1: Nmap scripting engine

PwC

Nmap Scripting Engine (NSE)


Page 2: Nmap scripting engine

Today's Agenda – NSE (3 Sections)

1. Nmap Overview - 10 Mins
   - Nmap?
   - Basic Scan Options

2. NSE Overview – 20 Mins
   - Existing Categories
   - How to use these available scripts?
   - Use of 2 sample scripts

3. How to write your own NSE script? - 20 Mins
   - Basics of writing an NSE script
   - Write a script to find website title “Null”

Page 3: Nmap scripting engine

Nmap Overview (10 Mins)

Page 4: Nmap scripting engine

Nmap (Network Mapper) – Overview

Was written 15 years back as a port scanner by Gordon Lyon (Fyodor).

Port Scanner: used to discover hosts and services on a computer network by sending specially crafted packets to the target host and then analyzing the responses.

Current stable release: version 6.40 (Free)

Has CLI and GUI interfaces. The GUI is called Zenmap/NmapFE/Xnmap (Mac).

Linux, Mac OS X, Windows, Solaris, Free/Net/OpenBSD are supported.

Why Nmap? – Fast, free, easy to use, flexible in scan options, portable across multiple OSes, large community support and neat documentation.

Page 5: Nmap scripting engine

How to use Nmap? (As a port scanner)

What I plan to scan?
- IP Address: 220.220.220.2xx
- Subnet: /24
- Host Name: Target.Nmaptest.com

How to start with nmap?

Single host:
    # nmap 220.220.220.2xx
    # nmap Target.Nmaptest.com
Subnet:
    # nmap 220.220.220.2xx/24
Multiple targets:
    # nmap 220.220.220.2x1 220.220.220.2x5
IP address range:
    # nmap 220.220.220.2x1-100
Random IP addresses (make a list in a text file - list.txt):
    # nmap -iL list.txt
Specific ports:
    # nmap -p21,23,80,443 220.220.220.2xx

Page 6: Nmap scripting engine

Nmap Basic Scan Output

Page 7: Nmap scripting engine

Nmap Switches

Scan Options:
    -sS/sT/sA: TCP SYN/Connect()/ACK scans
    -sU: UDP Scan
    -sN/sF/sX: TCP Null, FIN, and Xmas scans

Specify Ports:
    -p <port ranges>: scan specified ports. E.g.: -p22; -p1-65535; -p U:53,111,137
    -F: Fast mode - scan fewer ports
    -r: Scan ports consecutively
    --top-ports <number>: Scan common ports

OS Detection:
    -O: Enable OS detection

Host Discovery:
    -sL: List Scan - simply list targets to scan
    -sn: Ping Scan - disable port scan
    -Pn: Treat hosts as online, skip host discovery

Timing:
    -T<0-5>: Set timing template (higher is faster)

IP version 6 scan:
    -6: Enable IPv6 scanning

Output:
    -oN: Output scan in normal format
    -oX: Output scan in XML format

How to use them together? Just chain them:
    # nmap [<Scan Type> ...] [<Options>] {<target specification>}
e.g.
    # nmap -sS -sU -T4 -A -v -Pn 220.220.220.211
    # nmap -T4 --randomize-hosts -iL list.txt -oX scanresults.xml

Cheat Sheet: http://pentestlab.wordpress.com/2012/08/17/nmap-cheat-sheet/

Page 8: Nmap scripting engine

NSE Overview (20 Mins)

Page 9: Nmap scripting engine

Nmap Scripting Engine (NSE) – Introduction

Nmap Scripting Engine (NSE) allows users to write simple scripts to automate networking and pentesting tasks.

NSE scripts cover network discovery, sophisticated version detection, vulnerability detection and even vulnerability exploitation.

Uses the Lua programming language. Lua is also used in Wireshark, Snort and some Web Application Firewalls.

The current download of Nmap comes with 437 scripts.

Scripts are categorized into various categories based on their usage. Every script needs to be identified by a category. E.g. categories = {"intrusive", "auth"}

Nmap.org also provides library details for writing your own scripts.

NSE Documentation: http://nmap.org/nsedoc/

Page 10: Nmap scripting engine

NSE Script Categories

auth: These scripts deal with authentication credentials (or bypassing them) on the target system. E.g. ftp-anon, oracle-enum-users

broadcast: Scripts in this category typically discover hosts not listed on the command line by broadcasting on the local network. E.g. newtargets

brute: Use brute force attacks to guess authentication credentials of a remote server. E.g. http-brute, oracle-brute, snmp-brute

default: Scripts run by default with the -A (or -sC) option of nmap. E.g. http-auth, ftp-anon

discovery: Try to actively discover more about the network by querying public registries, SNMP-enabled devices, directory services, and similar. E.g. http-title, smb-enum-shares

dos: Denial of service scripts. E.g. broadcast-avahi-dos

exploit: Scripts that aim to actively exploit some vulnerability. E.g. http-fileupload-exploiter

external: Connect to a 3rd-party database to get info. E.g. whois

fuzzer: Designed to fuzz. E.g. dns-fuzz

Page 11: Nmap scripting engine

NSE Script Categories

intrusive: Intrusive scripts. E.g. snmp-brute, http-open-proxy

malware: Scripts that test whether the target platform is infected by malware or backdoors. E.g. smtp-strangeport, auth-spoof

safe: Most of these perform general network discovery. E.g. http-title, ssh-hostkey

version: Works with the -sV switch of nmap. E.g. skypev2-version, pptp-version

vuln: Check for specific known vulnerabilities and generally only report results if they are found. E.g. realvnc-auth-bypass and afp-path-vuln

Page 12: Nmap scripting engine

How to use existing NSE scripts? (437 scripts exist with v6.40)

Every script will have a category defined by the author; this is also used to select the script for an nmap scan. E.g. domino-enum-users

Usage:

    # nmap -sC            (equivalent to --script=default; sC == script)
    e.g. # nmap x.x.x.x -sC

    # nmap --script <filename>|<category>|<directory>|<expression>
    e.g. # nmap --script all x.x.x.x        (runs all available scripts on ip x.x.x.x)
         # nmap --script safe,external,http-auth x.x.x.x

    # nmap --script <scriptname> --script-args <args>
    e.g. # nmap --script snmp-sysdescr --script-args snmpcommunity=admin example.com

    # nmap --script-help <scriptname>     (provides help on the script)
    e.g. # nmap --script-help http-auth

Page 13: Nmap scripting engine

Sample Nmap NSE Scan Output

January 2010

Page 14: Nmap scripting engine

How to write your own NSE script? (20 Mins)

Page 15: Nmap scripting engine

Writing your own NSE script !!

Writing an NSE script is simple !!!

You write them in Lua.

There is a pretty set structure for the script.

Page 16: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

1. description field: The description field describes what a script is testing for and any important notes the user should be aware of.

    description = [[Attempts to retrieve HR Portal hosted on Oracle Fusion App.]]

Page 17: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

2. author field: The author field contains the script authors' names and can also contain contact information.

    author = "Sudhir Babu B <[email protected]>"

Page 18: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

3. categories field: The categories field defines one or more categories to which a script belongs.

    categories = {"default", "discovery", "safe"}

Page 19: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

4. license field (Optional) – Provide an appropriate licence.

    license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

Page 20: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

5. As it is an HTTP app, we need the following libraries:

    local shortport = require "shortport"
    local http = require "http"

Why do we need shortport? The portrule defines when Nmap should trigger the script. The shortport module simplifies this, as it provides ready-made functions for the common portrules.

6. portrule:

    portrule = shortport.port_or_service({80, 443, 8081}, {"http", "https"})

Page 21: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

7. action function: what to do when the portrule triggers.

    action = function(host, port)
      -- Define action
    end

Page 22: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

Action body: just check whether the directory exists with a 200 OK response.

    action = function(host, port)
      -- just checking if the directory exists with a 200 OK response
      local stats = http.get(host, port, "/Oracle_Fusion/").status
    end

Page 23: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

Need to add a response: what if the request returns 200 OK?

    action = function(host, port)
      -- just checking if the directory exists with a 200 OK response
      local stats = http.get(host, port, "/Oracle_Fusion/").status
      if stats == 200 then
        return "Internal HR Portal Found"
      end
    end

Page 24: Nmap scripting engine

HR Portal Script (Oracle_Fussion.nse)

    description = [[Attempts to retrieve HR Portal hosted on Oracle Fusion App.]]
    author = "Sudhir Babu B <[email protected]>"
    license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
    categories = {"default", "discovery", "safe"}

    local shortport = require "shortport"
    local http = require "http"

    portrule = shortport.port_or_service({80, 443, 8081}, {"http", "https"})

    action = function(host, port)
      -- just checking if the directory exists with a 200 OK response
      local response = http.get(host, port, "/Oracle_Fusion/")
      -- response.status is nil when the request itself failed
      if response and response.status == 200 then
        return "Internal HR Portal Found"
      end
    end
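The agenda item "write a script to find website title Null" is not shown on the slides; the following is an added Lua NSE script (not the deck's or Nmap's own code) that builds on the HR Portal script above: it fetches a page, extracts the HTML title and reports whether it contains a configurable string. The script-arg names (`.path`, `.match`), the placeholder author line and the default match string "Null" are assumptions.

```lua
-- http-title-null.nse: constructed example, not from the deck
description = [[
Retrieves the HTML title of a web page and reports whether it contains a
given string (default "Null"). Path and string are configurable via script-args.
]]
author = "example author"   -- placeholder, not the deck's author
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

-- Same portrule as the deck's script: web ports or http/https services.
portrule = shortport.port_or_service({80, 443, 8081}, {"http", "https"})

-- Returns the <title> text, or nil when the body has no <title> element.
local function extract_title(body)
  if not body then return nil end
  local title = string.match(body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)</[Tt][Ii][Tt][Ll][Ee]>")
  if title then
    title = string.gsub(title, "^%s*(.-)%s*$", "%1")  -- trim whitespace
  end
  return title
end

action = function(host, port)
  -- script-arg names are assumptions: http-title-null.path / http-title-null.match
  local path  = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local match = stdnse.get_script_args(SCRIPT_NAME .. ".match") or "Null"

  local response = http.get(host, port, path)
  -- status is nil when the connection failed; only a 200 OK is informative here
  if not response or response.status ~= 200 then
    return nil
  end

  local title = extract_title(response.body)
  if not title or title == "" then
    return "Page returned 200 OK but has no <title>"
  end

  -- case-insensitive plain-text search (the 4th arg disables pattern magic)
  if string.find(string.lower(title), string.lower(match), 1, true) then
    return string.format("Title %q contains %q", title, match)
  end
  return string.format("Title: %s", title)
end
```

Run it like the other scripts on slide 12, e.g. `nmap --script ./http-title-null.nse --script-args http-title-null.path=/index.html <target>`.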

Page 25: Nmap scripting engine

Thanks for your time & patience

[email protected]

Page 26: Nmap scripting engine

NSE – Example Y ?? Slide 10