If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning – it’s a port scanner, and that’s what it should be used for. Boy was I wrong.
As some of our readers certainly know, nmap includes the map Scripting Engine (NSE), which turns nmap into much more than a scanner – it allows creation of scripts which can perform all sort of actions. The scripts are written in the Lua programming language and nmap comes with many them – the very latest SVN version comes with 601 NSE script.
While scripts can be updated separately, nmap is actually one of the rare tools I download, compile and install manually. The main reason is because with nmap we really do want to have the very latest version always – development is very active and new features and bugs are constantly added. Besides that, the whole compilation process is typically trivial.
Since I do a lot of network penetration tests, where quite often I need to scan large networks (and report on findings), I found some NSE scripts unbelievably useful – this diary will contain some of the top NSE scripts I use during penetration tests – let us know if you have other candidates!
There is a bunch of scripts that test for various SSL/TLS configuration issues. These are a must – if you are doing a penetration test or you simply want to check if you have servers supporting SSLv3 in your enterprise, these scripts will do the job.
Here is one example of me checking the certificate on the isc.sans.edu web site:
Hmm, do you see something interesting here? Let us know.
Issues in configuration of SMB services can be devastating – anyone who even remotely heard about Responder, Impacket and ntlmrelayx knows what I’m talking about. That’s why I think it is mandatory to check SMB configuration in every penetration test (and in your enterprises). Nmap comes to the rescue here, again with a number of great scripts:
I am running these scripts here against a server – we can see that it’s misconfigured because it supports SMBv1 (which should really be disabled everywhere), but at least it has message signing set to required:
There is a large number of HTTP scripts – 135 of them currently so I suggest that you get familiar with what is available so you can use them when needed. That being said, there are few cool scripts that I tend to run almost every time, just because they are so convenient:
Again, this is very useful in cases when you need to check a large number of target servers – simply run the script against them and analyze the results offline.
Huh, look at those results, do you see anything suspicious there?
I hope you liked this selection of nmap NSE scripts – there are many, many other useful scripts. Let us know which ones are your favorites!
May 7th 2020
May 7th 2020
3 months ago