
NMAP - NSE Scripts (Advanced)

Vulnerability scanning using NSE in Nmap. 

Note: I have written this tutorial assuming that the reader is already well versed in basic Nmap commands.


For basic Nmap commands, please refer to the cheat sheet given below:

Basic Scanning Techniques

• Scan a single target                  nmap [target]
• Scan multiple targets                 nmap [target1,target2,etc]
• Scan a list of targets                nmap -iL [list.txt]
• Scan a range of hosts                 nmap [range of IP addresses]
• Scan an entire subnet                 nmap [IP address/cidr]
• Scan random hosts                     nmap -iR [number]
• Exclude targets from a scan           nmap [targets] --exclude [targets]
• Exclude targets using a list          nmap [targets] --excludefile [list.txt]
• Perform an aggressive scan            nmap -A [target]
• Scan an IPv6 target                   nmap -6 [target]

Discovery Options

• Perform a ping scan only              nmap -sP [target]
• Don't ping                            nmap -PN [target]
• TCP SYN ping                          nmap -PS [target]
• TCP ACK ping                          nmap -PA [target]
• UDP ping                              nmap -PU [target]
• SCTP INIT ping                        nmap -PY [target]
• ICMP echo ping                        nmap -PE [target]
• ICMP timestamp ping                   nmap -PP [target]
• ICMP address mask ping                nmap -PM [target]
• IP protocol ping                      nmap -PO [target]
• ARP ping                              nmap -PR [target]
• Traceroute                            nmap --traceroute [target]

Firewall Evasion Techniques

• Fragment packets                      nmap -f [target]
• Specify a specific MTU                nmap --mtu [MTU] [target]
• Use a decoy                           nmap -D RND:[number] [target]
• Idle zombie scan                      nmap -sI [zombie] [target]
• Manually specify a source port        nmap --source-port [port] [target]
• Append random data                    nmap --data-length [size] [target]
• Randomize target scan order           nmap --randomize-hosts [target]
• Spoof MAC address                     nmap --spoof-mac [MAC|0|vendor] [target]
• Send bad checksums                    nmap --badsum [target]

Version Detection

• Operating system detection            nmap -O [target]
• Attempt to guess an unknown OS        nmap -O --osscan-guess [target]
• Service version detection             nmap -sV [target]
• Troubleshoot version scans            nmap -sV --version-trace [target]
• Perform an RPC scan                   nmap -sR [target]

Nmap Scripting Engine

• Execute an individual script          nmap --script [script.nse] [target]
• Execute multiple scripts              nmap --script [expression] [target]
• Execute scripts by category           nmap --script [cat] [target]
• Execute multiple script categories    nmap --script [cat1,cat2,etc] [target]
• Troubleshoot scripts                  nmap --script [script] --script-trace [target]
• Update the script database            nmap --script-updatedb
__________________________________________________________________________________

NSE Script - Vulscan

Requirements:

OS: Windows 10
NMAP             - DOWNLOAD
Vulscan Script - DOWNLOAD

STEP 1:

Download and install Nmap for Windows from the link given above.
Check that Nmap is working by typing the following command in PowerShell:

nmap -h

STEP 2:

Download the Vulscan script.
Navigate to the scripts folder in the Nmap installation directory and create a new folder named vulscan.

Paste the extracted Vulscan script files into the vulscan folder.

STEP 3:

Select a target to scan for vulnerabilities.
Open PowerShell and execute the following command:

nmap -sV --script=vulscan/vulscan.nse www.fcibank.com.pk

It will list the vulnerabilities that match the service versions detected on the target. Now you can use METASPLOIT for further exploitation. ☺

STEP 4:

Update the database
The vulnerability databases are updated and assembled on a regular basis. To cover the latest disclosed vulnerabilities, keep your local vulnerability databases up to date.

If you want to update your databases, download the following files from the vulscan web site:

https://www.computec.ch/projekte/vulscan/download/cve.csv
https://www.computec.ch/projekte/vulscan/download/exploitdb.csv
https://www.computec.ch/projekte/vulscan/download/openvas.csv
https://www.computec.ch/projekte/vulscan/download/osvdb.csv
https://www.computec.ch/projekte/vulscan/download/scipvuldb.csv
https://www.computec.ch/projekte/vulscan/download/securityfocus.csv
https://www.computec.ch/projekte/vulscan/download/securitytracker.csv
https://www.computec.ch/projekte/vulscan/download/xforce.csv
Copy the files into your vulscan folder:

/vulscan/
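Once the STEP 3 scan has been run with -oX scan.xml added to the command, the findings can be triaged from the XML report. The following Python script is an added example (not code from the original post or from the vulscan project): it lists, per open port, the version -sV detected and the unique CVE ids that vulscan printed, and flags ports where no version was detected, because vulscan matches purely on the version string and those ports were effectively not checked. The embedded XML, its host, banner and CVE ids are constructed placeholders, and the exact layout of vulscan's output text is assumed.

```python
"""Triage vulscan hits from Nmap XML output (run the scan with -oX scan.xml)."""
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample of an Nmap XML report. Host, banner and CVE ids are
# placeholders, not real findings; the vulscan output layout is assumed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="ExampleHTTPd" version="1.2.3"/>
        <script id="vulscan" output="VulDB - https://vuldb.com:&#10;[CVE-2099-00001] ExampleHTTPd 1.2.3 request smuggling&#10;[CVE-2099-00002] ExampleHTTPd 1.2 header overflow&#10;&#10;CVE - https://cve.mitre.org:&#10;[CVE-2099-00001] ExampleHTTPd 1.2.3 request smuggling&#10;"/>
      </port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def summarise_vulscan(xml_text):
    """Map (host, port/proto) -> service name, detected version and unique CVE ids from vulscan output."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            out = "".join(s.get("output", "") for s in port.findall("script") if s.get("id") == "vulscan")
            findings[(addr, f"{port.get('portid')}/{port.get('protocol')}")] = {
                "service": svc.get("name") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "cves": sorted(set(CVE_RE.findall(out))),  # the same id is repeated across databases
            }
    return findings


def unverified_services(findings):
    """Ports where -sV found no version: vulscan matches on that string, so no hits means untested, not clean."""
    return [key for key, f in findings.items() if not f["version"]]


if __name__ == "__main__":
    hits = summarise_vulscan(SAMPLE_XML)
    for (addr, port), f in hits.items():
        print(addr, port, f["service"], f["version"] or "(no version)", f["cves"])
    print("No version detected, review manually:", unverified_services(hits))
```

Every id in the list is a version-string match, not a confirmed vulnerability, so check each one against the actual build and patch level before acting on it.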

Nmap script categories

Category      Description
auth          All sorts of authentication and user privilege scripts
broadcast     Network discovery scripts that use broadcast requests for intel gathering
brute         Scripts for performing brute-force attacks to guess access credentials
default       The most popular Nmap scripts, run with -sC by default
discovery     Scripts related to network, service and host discovery
dos           Denial-of-service scripts used to test for and perform DoS attacks and floods
exploit       Used to perform service exploitation on different CVEs
external      Scripts that rely on third-party services or data
fuzzer        Used to perform fuzzing attacks against apps, services or networks
intrusive     All the 'aggressive' scripts that cause a lot of network noise
malware       Malware detection and exploration scripts
safe          Safe, non-intrusive and quiet scripts
version       OS, service and software detection scripts
vuln          Vulnerability detection and exploitation scripts
