Hack Like a Pro: Using the Nmap Scripting Engine (NSE) for Reconnaissance
Welcome back, my tenderfoot hackers!
Those of you who have been reading my posts here for a while know how much I emphasize good reconnaissance. Novice hackers often jump into a hack/exploit without doing proper recon and either fail or get caught. Experienced and expert hackers know that 70-80 percent of a good and successful hack is dependent upon successful and accurate reconnaissance.
I know I have said it before, but bear with me as I say it again for the newcomers. There is NO SILVER BULLET that succeeds under all circumstances. Long before we ever begin the hack, we have spent hours, days, and maybe months doing reconnaissance. If you aren't willing to do that, you will never be successful in this field of endeavor.
Nmap is one of the few tools that every hacker should be conversant in. Although it is not perfect, it is excellent for active reconnaissance. Although I discourage the use of Windows for hacking, Nmap does have a version for Windows with a nice GUI called Zenmap. You can download it here.
The Nmap scripting engine is one of Nmap's most powerful and, at the same time, most flexible features. It allows users to write their own scripts and share these scripts with other users for the purposes of networking, reconnaissance, etc. These scripts can be used for:
- Network discovery
- More sophisticated and accurate OS version detection
- Vulnerability detection
- Backdoor detection
- Vulnerability exploitation
In this tutorial, we will look at the scripts that have been shared and are built into Kali (we will write scripts in a future tutorial), and will examine how to use them to do thorough recon on our target, to increase the possibility of success, and reduce the possibilities of frustration... or worse.
As usual, let's start by firing up Kali and opening a terminal. If you aren't using Kali, but instead one of the many hacking/security distributions such as Bugtraq's Black Widow, Security Onion, BackTrack, or another, no problem—Nmap is built into ALL of them. You can't really have a security/hacking platform without Nmap.
From the terminal, let's look for the Nmap scripts. All of the scripts should end in .nse (nmap scripting engine), so we can find the scripts by using the Linux locate command with the wildcard *.nse. That should find all files ending in .nse.
- kali> locate '*.nse'
As you can see in the screenshot above, our terminal displays hundreds of Nmap scripts.
Among the most useful to us are the vulnerability scanning scripts. These scripts are usually designed to find a specific vulnerability or type of vulnerability that we can then come back later and exploit. To locate those scripts that we can use for vulnerability scanning, we can type:
- kali> locate '*vuln*.nse'
As you can see, it returned a few vulnerability scanning scripts. I have highlighted one I want to use next, namely smb-check-vulns.nse. This script will check the system to see whether it has any of the well-known SMB vulnerabilities such as MS08-067.
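Searching by filename, as above, finds scripts whose name happens to contain "vuln". Nmap also keeps a category index for every script in script.db (on a Kali install normally /usr/share/nmap/scripts/script.db), and --script accepts those category names, including boolean expressions such as "vuln and not intrusive". The following Python is an added example, not code from the original post or from the Nmap project; it parses a few constructed script.db lines and shows which scripts a category-based selection would pick. The sample entries and their categories are constructed for illustration, and load_script_db assumes the default install path. Note that in current Nmap releases the smb-check-vulns script used later in this post has been replaced by separate smb-vuln-* scripts such as smb-vuln-ms08-067.

```python
import re
from pathlib import Path

# Constructed sample in script.db format: one "Entry { ... }" line per script.
# Real installs ship many hundreds of entries in this same shape.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-ms08-067.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "safe", "vuln", } }
"""

# Matches one Entry line and captures the filename and the raw category list.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"(?P<name>[^"]+)"\s*,\s*'
    r'categories\s*=\s*\{(?P<cats>[^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Map script filename -> set of NSE categories."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        db[m["name"]] = set(re.findall(r'"([^"]+)"', m["cats"]))
    return db


def load_script_db(path="/usr/share/nmap/scripts/script.db"):
    """Read the real index; the default path is an assumption about the install."""
    return parse_script_db(Path(path).read_text())


def scripts_in_category(db, category):
    """All scripts tagged with a single category, e.g. what --script vuln would run."""
    return sorted(name for name, cats in db.items() if category in cats)


def select_scripts(db, require=(), forbid=()):
    """Scripts carrying every category in `require` and none in `forbid`.

    This mirrors an expression such as --script "vuln and not intrusive":
    the scan stays in the "vuln" family but skips scripts that may crash
    or disrupt the service, which is the usual choice on a production host.
    """
    req, forb = set(require), set(forbid)
    return sorted(name for name, cats in db.items()
                  if req <= cats and not (cats & forb))


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for cat in sorted({c for cats in db.values() for c in cats}):
        print(f"{cat:10s} {', '.join(scripts_in_category(db, cat))}")
    print("vuln but not intrusive/exploit:",
          select_scripts(db, require={"vuln"}, forbid={"intrusive", "exploit"}))
```

Run with the sample data it prints one line per category; point load_script_db at a real script.db to see the full index of your own install, which is a quicker way to answer "what will --script vuln actually run?" than reading every help file.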
The basic syntax for running these scripts is this:
- nmap --script <scriptname> <host ip>
Let's try running the SMB vulnerability checking script against an internal LAN host.
- kali> nmap --script smb-check-vulns.nse 192.168.1.121
When we do so, we can see that it returns some errors and suggests that we add --script-args=unsafe=1 to our command. I did so below and, in this case, added -p445 so that the script focuses upon just the SMB port 445.
- kali> nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p445 192.168.1.121
Now, when I run the command, I get much more useful results.
As you can see, it tells me that MS08-067 is vulnerable, so now I know I can use that module in Metasploit to exploit that system!
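Reading one host's script output off the terminal is fine, but across a larger authorized scan you want the findings in a form you can sort and track. Nmap writes the same script results into its XML output (the -oX option), where each result is a script element, either with a plain "output" attribute as the older smb-check-vulns produces, or with structured table/elem children as the newer vuln-library scripts do. The Python below is an added example, not code from the original post or from Nmap; it parses a constructed nmap XML fragment modelled on the scan above plus a structured ssl-heartbleed result, and pulls out only the checks whose state is VULNERABLE. The host address, port numbers and script output text in the sample are constructed, and the structured-result layout is assumed to match what the vulns library emits.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed nmap -oX output for one host: a line-oriented hostscript result
# (old smb-check-vulns style) and a structured port-script result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap --script-args=unsafe=1 --script smb-check-vulns.nse,ssl-heartbleed -p443,445 192.168.1.121">
  <host>
    <address addr="192.168.1.121" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https"/>
        <script id="ssl-heartbleed" output="constructed summary text">
          <table key="CVE-2014-0160">
            <elem key="title">The Heartbleed Bug is a serious vulnerability in OpenSSL</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE&#10;  SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""


@dataclass
class Finding:
    host: str
    port: str      # "host" for results from <hostscript>
    script: str
    check: str
    status: str

    @property
    def vulnerable(self) -> bool:
        # "NOT VULNERABLE" also contains the word, so anchor on the start of the status.
        return self.status.upper().startswith("VULNERABLE")


# One "name: STATUS" line of plain script output; the name stops at the first colon.
LINE_RE = re.compile(r"^\s*(?P<check>[^:]+):\s*(?P<status>.+?)\s*$")


def _host_addr(host_el):
    for addr in host_el.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return "?"


def _findings_from_script(host, port, script_el):
    sid = script_el.get("id", "?")
    found = []
    # Structured form: <table key="ID"><elem key="state">...</elem></table>
    for tbl in script_el.findall("table"):
        state = tbl.find("elem[@key='state']")
        if state is not None:
            found.append(Finding(host, port, sid, tbl.get("key", sid), (state.text or "").strip()))
    if found:
        return found
    # Fallback: line-oriented "name: STATUS" text in the output attribute.
    for line in (script_el.get("output") or "").splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Finding(host, port, sid, m["check"].strip(), m["status"]))
    return found


def parse_script_results(xml_text):
    """Every per-check result from every host, port script and host script."""
    root = ET.fromstring(xml_text)
    findings = []
    for host_el in root.iter("host"):
        addr = _host_addr(host_el)
        for port_el in host_el.iter("port"):
            for s in port_el.findall("script"):
                findings.extend(_findings_from_script(addr, port_el.get("portid", "?"), s))
        for hs in host_el.findall("hostscript"):
            for s in hs.findall("script"):
                findings.extend(_findings_from_script(addr, "host", s))
    return findings


def vulnerable_findings(xml_text):
    """Only the checks that came back VULNERABLE; this is the list to remediate."""
    return [f for f in parse_script_results(xml_text) if f.vulnerable]


if __name__ == "__main__":
    for f in vulnerable_findings(SAMPLE_NMAP_XML):
        print(f"{f.host}\tport {f.port}\t{f.script}\t{f.check}\t{f.status}")
```

On the sample this reports exactly two items, MS08-067 from the host script and CVE-2014-0160 from the port script, and correctly ignores the "NOT VULNERABLE" and "Likely CLEAN" lines that a naive substring search would have swept up. Feed it a real -oX file from a scan you are authorized to run and the same two functions give you a patch list per host.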
With these hundreds of scripts, we may need some help in determining what they do and how they work. For instance, if we scroll down to the "http" section of the scripts, we will see a script named http-vuln-cve2013-0156.nse.
To determine what this script does, we can retrieve its help file by typing:
- nmap --script-help http-vuln-cve2013-0156.nse
When we do so, we will retrieve its help file like that below.
Note that this script is designed to find the CVE-2013-0156 vulnerability, which is a vulnerability in Ruby on Rails. Ruby on Rails is a very popular open-source web application framework that is behind millions of database-driven web apps, so this vulnerability is likely to still be out there in thousands of websites. Happy hunting!
The Nmap scripting engine is a powerful item in our arsenal of hacking tools that can be tailored to a multitude of tasks. In future posts, I will explore more of its capabilities and show you how to write your own Nmap scripts. So keep coming back, my tenderfoot hackers!