NSE or backside of Nmap

Pentestit
Pentestit
Aug 6, 2019 · 4 min read

Today we will examine one of the most universal pentester’s tool — Nmap — iconic cross-platform scanner which means «Network Mapper». The tool in itself is rather powerful, but more often it is used with other utilities. They even do not suppose that besides network scanning, Nmap has a lot of other possibilities. The main of them is using scripts with NSE (Nmap Scripting Engine) — the Nmap component, which is based on Lua script language like Java Script. It is NSE makes Nmap so universal.

All materials gave in this article are intended for educational purposes. Using the materials in illegal purposes is prohibited.

Suppose, we scanned the host and detected open ports:

root@kali:~# nmap site.test.lan
Starting Nmap 7.70 ( https://nmap.org ) at 2019–05–31 11:58 MSK
Nmap scan report for site.test.lan (192.168.60.50)
Host is up (0.000030s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
90/tcp open dnsix
3306/tcp open mysql
MAC Address: 6E:93:12:AA:1F:6D (Unknown)

First of all we are interested in port 80. Probably, here the site is. If run script http-enum, it will gather all useful information on the web server like vulnerability scanner Nikto:

nmap site.test.lan --script http-enum

Information gathering

Learning that site is on WordPress, run the script http-wordpress-enum.
nmap -p80 --script http-wordpress-enum --script-args http-wordpress-enum.search-limit=all site.test.lan

Information gathering

But that is not all. There are nearly 600 scripts in the standard Nmap set and if there are not the necessary one, you can write your own. Let’s find authorization pages on the site if they are there. We will use script http-auth-finder:

nmap -p80 --script http-auth-finder site.test.lan

Authorization

If use the command nmap --script=auth, all scripts from the section auth will be implemented to the host. As soon as the authorization form will be found, we will try to find some account password, using script http-form-brute:

nmap -p-80 --script=http-form-brute --script-args=http-form-brute.path=/wp-login.php site.test.lan

Brute-force

Not bad for «port scanner». Using different scripts and using only «port scanner», we got a lot of information. But we should note that unlike Nmap, WPScan displays not only components names, but their possible vulnurabilities.

Further we can see open port 22 SSH and try to find service password, using script ssh-brute:

nmap -p22 --script ssh-brute site.test.lan

SSH

We also can see open port 21 which assumed indicates the existence FTP server. We can get some server information using script ftp-syst:

nmap -p21 --script ftp-syst site.test.lan

FTP

After that make brute-force FTP server users:

nmap -p21 192.168.60.50 --script ftp-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt

Brute-force FTP

We also have MySQL and its open port 3306. Script mysql-info will display some information about MySQL (it is necessary to run Nmap with keys -sV -sC):

nmap -p3306 -sV -sC site.test.lan

MySQL

Script connects to MySQL server and displays information such as protocol and version number, the flow identificator, state possibilities and password salt. More than that we can list valid MySQL users:

nmap -p3306 --script mysql-enum site.test.lan

More MySQL

If it is necessary to list custom users, you should indicate in arguments file path with their names. Getting the list you are able to make account password mining.

You can try it in Pentestit «Test lab» — the penetration testing laboratory based on real company network! It’s totally free. https://lab.pentestit.ru

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade