Nmap scripts – Nmap is the standard tool for port scanning, but it does much more than find open ports: the Nmap Scripting Engine can query the services it discovers and return detailed information that is useful for enumeration.
Nmap ships with roughly 600 scripts serving different purposes. On Kali Linux the scripts live in /usr/share/nmap/scripts.
What are Nmap scripts?
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write simple scripts in Lua to automate a variety of networking tasks. Those scripts are executed in parallel with the speed and performance you expect from Nmap.
All Nmap Scripts for enumeration
HTTP Enumeration
HTTP is the application-layer protocol spoken by web servers, and almost every host exposes it somewhere. It listens on TCP port 80 by default (443 for HTTPS). Nmap has a script, http-enum, that probes an HTTP service for well-known paths. It can be invoked using the command below:
nmap --script http-enum (Target IP Address)
The http-enum output lists interesting directories and files hosted on the web server (admin panels, backup folders, default application pages) that may be useful in building further attacks.
HTTP Methods
HTTP supports several request methods such as GET, POST, PUT, DELETE and TRACE. Sometimes methods that the application does not need are left enabled on the web server. The Nmap script http-methods enumerates the methods allowed on the target and flags potentially risky ones such as TRACE, PUT and DELETE:
nmap --script http-methods (Target IP Address)
The following are some additional NMAP scripts for HTTP enumeration:
- http-title
- http-method-tamper
- http-trace
- http-fetch
- http-wordpress-enum
- http-devframework
- http (NSE library used by the http-* scripts; not itself a script)
SMB Enumeration
SMB stands for Server Message Block. It is the protocol behind Windows file and printer sharing and runs on TCP port 445 (older hosts also expose it over NetBIOS on port 139). If port 445 on your target is open, Nmap scripts can enumerate the service and collect more information.
You can start with SMB OS discovery using the command below. -p 445 restricts the port scan to 445, and --script smb-os-discovery runs the script, which reports the operating system, computer name, domain or workgroup and NetBIOS name that the server announces.
nmap -p 445 --script smb-os-discovery (Target IP Address)
The following are some additional NMAP scripts for SMB enumeration:
- smb-enum-shares
- smb-vuln-ms17-010
- smb-protocols
- smb-mbenum
- smb-enum-users
- smb-enum-processes
- smb-enum-services
DNS Enumeration
The Domain Name System (DNS) is the backbone of the Internet: it does the crucial job of translating hostnames to IP addresses and vice versa. It listens on port 53, over UDP for ordinary queries and over TCP for zone transfers and large responses. Enumerating a DNS server can give a lot of interesting and useful information. Nmap has several scripts for enumerating a DNS service.
nmap -p 53 -A -v (Target IP Address)
-A enables version detection, OS detection, traceroute and the default script set. Add -sU if you also want to scan 53/udp, since a TCP-only scan misses resolvers that answer only over UDP.
The following are some additional NMAP scripts for DNS enumeration:
- dns-cache-snoop
- dns-service-discovery
- dns-recursion
- dns-brute
- dns-zone-transfer
- dns-nsid
- dns-nsec-enum
- dns-fuzz
- dns-srv-enum
FTP Enumeration
FTP stands for File Transfer Protocol. It is mostly used to transfer files between one system and another and listens on TCP port 21 by default. Nmap contains a lot of FTP enumeration scripts; the output below comes from two of them:
- ftp-syst
- ftp-anon
The output shows the FTP server version details and reveals that the server is accepting anonymous connections.
nmap -p 21 --script ftp-syst,ftp-anon (Target IP Address)
Since the target is running vsftpd, you can try another Nmap script that checks whether the FTP server is vulnerable: ftp-vsftpd-backdoor tests for the backdoor that was planted in the vsftpd 2.3.4 source distribution (CVE-2011-2523).
The following are some additional NMAP scripts for FTP enumeration:
- ftp-brute
- ftp (NSE library used by the ftp-* scripts; not itself a script)
- ftp-bounce
- ftp-vuln-cve2010-4221
- ftp-libopie
MySQL Enumeration
MySQL is a popular open-source relational database management system. Its default port is 3306. Nmap has many scripts for enumerating the MySQL service; the more information you gather here, the better you can plan the next step of the attack.
nmap --script mysql-info (Target IP Address)
The mysql-info output shows the protocol and server version, the capability flags, the authentication plugin and the salt value sent in the handshake.
The following are some additional NMAP scripts for MySQL enumeration:
- mysql-databases
- mysql-enum
- mysql-brute
- mysql-query
- mysql-empty-password
- mysql-vuln-cve2012-2122
- mysql-users
- mysql-variables
SSH Enumeration
SSH stands for Secure Shell. It is used for secure remote logins and administration: unlike Telnet, SSH encrypts the traffic, so credentials and commands are not exposed on the wire. Its default port is 22. Nmap has numerous scripts for enumerating the SSH service; ssh2-enum-algos lists the key exchange, host key, cipher, MAC and compression algorithms the server offers, which exposes weak or legacy settings such as CBC ciphers or SHA-1 MACs.
nmap --script ssh2-enum-algos (Target IP Address)
The following are some additional NMAP scripts for SSH enumeration:
- ssh-brute
- ssh-auth-methods
- ssh-run
- ssh-hostkey
- sshv1
- ssh-publickey-acceptance
SMTP Enumeration
Simple Mail Transfer Protocol (SMTP) is used for the transmission of electronic mail. It runs on port 25 by default (mail submission uses 587, and 465 for implicit TLS). Nmap has several scripts for enumerating the SMTP service. These scripts can reveal weaknesses in the SMTP server such as open relays or support for user-enumeration commands like VRFY and EXPN.
nmap --script smtp-commands (Target IP address)
Many SMTP servers are mistakenly configured as open relays: anyone can connect without authentication and send mail through them to arbitrary external recipients, which spammers exploit. This is a critical flaw. Nmap has a script called smtp-open-relay that checks whether the target SMTP server relays mail, by issuing a series of MAIL FROM / RCPT TO combinations and recording which ones the server accepts.
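What the relay check actually does, as an added example that is not part of the original post and not Nmap's own code: a small Python client issues MAIL FROM / RCPT TO pairs for a domain the server is not responsible for and records which ones the server accepts. It stops before DATA, so nothing is ever relayed. The client talks to any object with sendall()/recv(), so it works on a real socket (socket.create_connection((host, 25))) as well as on the FakeSmtpServer below, which is constructed for this example; the HELO name scanner.example.org, the probe domain relaytest.invalid and the fake server's domain example.com are assumptions.

```python
"""Open-relay probe in the spirit of Nmap's smtp-open-relay script.
Added example for this post, not Nmap's code.  FakeSmtpServer is constructed
for the example and is not a real server.
"""

# Sender/recipient pairs to try, a subset of smtp-open-relay's combinations.
# {helo} is the name we announce; {probe} is a domain the target should NOT
# accept mail for.  Both names are assumptions made for this example.
RELAY_TESTS = [
    ("<>", "<relaytest@{probe}>"),
    ("<antispam@{helo}>", "<relaytest@{probe}>"),
    ("<antispam@localhost>", "<relaytest@{probe}>"),
    ("<antispam@{probe}>", "<relaytest@{probe}>"),
]


class SmtpSession:
    """Minimal line-oriented SMTP client that records a transcript."""

    def __init__(self, conn):
        self.conn, self.buf, self.transcript = conn, b"", []

    def read_reply(self):
        """Read one reply (multi-line replies continue with '250-') and return its code."""
        while True:
            while b"\r\n" not in self.buf:
                chunk = self.conn.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, _, self.buf = self.buf.partition(b"\r\n")
            text = line.decode("ascii", "replace")
            self.transcript.append("S: " + text)
            if len(text) < 4 or text[3] != "-":  # a space (or nothing) ends the reply
                return int(text[:3])

    def cmd(self, line):
        self.transcript.append("C: " + line)
        self.conn.sendall(line.encode("ascii") + b"\r\n")
        return self.read_reply()


def check_open_relay(conn, helo="scanner.example.org", probe="relaytest.invalid"):
    """Return {"open_relay": bool, "accepted": [(sender, rcpt)], "transcript": [...]}.
    The check stops after RCPT TO and never sends DATA, so no mail is relayed.
    """
    s = SmtpSession(conn)
    accepted = []
    result = {"open_relay": False, "accepted": accepted, "transcript": s.transcript}
    if s.read_reply() != 220 or s.cmd(f"HELO {helo}") != 250:
        return result  # not an SMTP server we can talk to
    for sender, rcpt in RELAY_TESTS:
        sender = sender.format(helo=helo, probe=probe)
        rcpt = rcpt.format(helo=helo, probe=probe)
        if s.cmd(f"MAIL FROM:{sender}") == 250:
            # 250 = accepted, 251 = "user not local, will forward": both mean relay.
            if s.cmd(f"RCPT TO:{rcpt}") in (250, 251):
                accepted.append((sender, rcpt))
        s.cmd("RSET")  # clear the envelope before the next pair
    s.cmd("QUIT")
    result["open_relay"] = bool(accepted)
    return result


class FakeSmtpServer:
    """In-memory SMTP server constructed for the example; relays only if told to."""

    def __init__(self, relay_allowed, local_domains=("example.com",)):
        self.relay_allowed, self.local_domains = relay_allowed, local_domains
        self.out, self.inbuf = b"220 mail.example.com ESMTP\r\n", b""

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data

    def sendall(self, data):
        self.inbuf += data
        while b"\r\n" in self.inbuf:
            line, _, self.inbuf = self.inbuf.partition(b"\r\n")
            self.out += self._handle(line.decode("ascii", "replace")).encode("ascii") + b"\r\n"

    def _handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            domain = arg.split(":", 1)[1].strip("<> ").rpartition("@")[2].lower()
            if domain in self.local_domains or self.relay_allowed:
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"  # the right answer for foreign domains
        if verb == "RSET":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"


if __name__ == "__main__":
    for relay in (True, False):
        r = check_open_relay(FakeSmtpServer(relay_allowed=relay))
        print(f"relay_allowed={relay}: open_relay={r['open_relay']}, "
              f"accepted={len(r['accepted'])}/{len(RELAY_TESTS)}")
```

Two caveats apply to this check exactly as they apply to smtp-open-relay: only test servers you are authorized to probe, and treat an accepted envelope as strong evidence rather than proof, because some servers accept at RCPT TO and reject or bounce only after DATA, which neither the script nor this example ever sends.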
The following are some additional NMAP scripts for SMTP enumeration:
- smtp-enum-users
- smtp-commands
- smtp-brute
- smtp-ntlm-info
- smtp-strangeport
- smtp-vuln-cve2011-1764
VNC Enumeration
VNC stands for Virtual Network Computing, a protocol commonly used for remote graphical desktop sharing. Its default port is 5900 (display :N listens on 5900+N). Nmap contains several VNC enumeration scripts; the vnc-info script shows the protocol version along with the security (authentication) types the server supports.
nmap --script vnc-info (Target IP Address)
The following are some additional scripts for VNC enumeration:
- vnc-brute
- realvnc-auth-bypass
- vnc-title
Service Banner Grabbing
Any service running on a system usually has a banner associated with it. A banner normally contains server version information and may even contain organization-specific information such as disclaimers, warnings, or some corporate e-mail addresses. It is certainly worthwhile to grab service banners to get more information about the target.
nmap --script banner (Target IP Address)
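Nmap writes every NSE result into its XML output (-oX), which is the practical way to collect the results of the HTTP, SMB, FTP, MySQL, SMTP and banner scripts above across many hosts. The following is an added example, not part of the original post and not Nmap's code: it walks the XML, pulls each script's output from the <port> and <hostscript> elements, and applies a small rule set that turns the well-known output strings of ftp-anon, smtp-open-relay, http-methods, http-enum, mysql-empty-password and smb-vuln-ms17-010 into severity-ranked findings. SAMPLE_XML is constructed to mimic the shape of Nmap's XML output; the address 10.0.0.5 and the product versions in it are placeholders, not a real scan.

```python
"""Triage of NSE results from `nmap -oX` output.
Added example for this post, not Nmap's code.  SAMPLE_XML is constructed to
mimic Nmap's XML format and is not a real scan capture.
"""
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)&#xa;-rw-r--r--    1 0        0             187 Mar 10 12:00 readme.txt"/>
</port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp" product="Postfix smtpd" method="probed" conf="10"/>
<script id="smtp-open-relay" output="Server doesn't seem to be an open relay, all tests failed"/>
</port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/>
<script id="http-methods" output="&#xa;  Supported Methods: GET HEAD POST OPTIONS TRACE&#xa;  Potentially risky methods: TRACE"/>
<script id="http-enum" output="&#xa;  /admin/: Possible admin folder&#xa;  /backup/: Possible backup"/>
</port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="5.7.33" method="probed" conf="10"/>
<script id="mysql-empty-password" output="&#xa;  root account has empty password"/>
</port>
</ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE"/>
</hostscript>
</host>
</nmaprun>
"""

# (script id, pattern over the script's text output, severity, label).  A rule
# fires when the pattern matches; captured groups become the finding's detail.
RULES = [
    ("mysql-empty-password", r"(\S+) account has empty password", "critical", "MySQL account with empty password"),
    ("smb-vuln-ms17-010", r"State:\s*VULNERABLE", "critical", "MS17-010 (SMBv1 remote code execution)"),
    ("ftp-anon", r"Anonymous FTP login allowed", "high", "anonymous FTP login"),
    ("smtp-open-relay", r"Server is an open relay", "high", "SMTP open relay"),
    ("http-methods", r"Potentially risky methods:\s*(.+)", "medium", "risky HTTP methods enabled"),
    ("http-enum", r"^\s*(/\S+):", "info", "interesting web path"),
]
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def script_results(xml_text):
    """Yield (host, port, script_id, output) for every NSE result in the XML.
    Port scripts sit under <port>; host scripts such as smb-os-discovery or
    smb-vuln-ms17-010 sit under <hostscript> and are yielded with port None.
    """
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for port in host.iter("port"):
            for script in port.findall("script"):
                yield addr, int(port.get("portid")), script.get("id"), script.get("output", "")
        for script in host.findall("hostscript/script"):
            yield addr, None, script.get("id"), script.get("output", "")


def triage(xml_text):
    """Apply RULES to every script result; return findings sorted by severity."""
    findings = []
    for addr, port, sid, output in script_results(xml_text):
        for rule_id, pattern, severity, label in RULES:
            if rule_id != sid:
                continue
            matches = re.findall(pattern, output, re.M)
            if matches:
                findings.append({"host": addr, "port": port, "script": sid,
                                 "severity": severity, "label": label,
                                 "detail": ", ".join(matches)})
    findings.sort(key=lambda f: SEVERITY[f["severity"]])
    return findings


if __name__ == "__main__":
    # Pass a file produced with `nmap ... -oX scan.xml`, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in triage(text):
        where = f["host"] if f["port"] is None else f"{f['host']}:{f['port']}"
        print(f"[{f['severity']:8}] {where:18} {f['script']:22} {f['label']}: {f['detail']}")
```

The rules match on the text that the scripts print, which is the same text you see on the terminal, so extending the table to another script is a matter of copying its output line. Note that the negative smtp-open-relay result in the sample produces no finding: a triage script should only report what the scanner actually confirmed.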
Detecting Vulnerability
So far we have seen how to do port scanning and enumeration with Nmap. Now you will see how Nmap can be used for basic vulnerability assessment. Though not as comprehensive as vulnerability scanners like Nessus and OpenVAS, Nmap can do basic vulnerability detection with the help of third-party NSE scripts. These take the product and version that service detection identifies for each port and look up matching Common Vulnerabilities and Exposures (CVE) IDs. A match means the detected version is reported as affected, not that the host has been confirmed exploitable, so distributions that backport fixes without changing the version string will produce false positives that need manual verification.
First you need to install the additional scripts. Navigate to /usr/share/nmap/scripts and clone the two git repositories that provide them:
Once you have downloaded the required scripts, you are all set to execute them against the target.
nmap -sV --script nmap-vulners (Target IP Address)
The -sV option is required: the script matches CVEs against the version string that service detection returns, so without it there is nothing to look up.
Conclusion
I hope I have explained everything clearly in this post. Let me know in a comment if I missed anything you know, and please share this post with your friends.