Binaryfigments

Play with Nmap


Nmap is mostly used as a port scanner. If you want to know whether your firewall is set up correctly, Nmap is THE tool to use. Unfortunately, Nmap is also used by hackers and script kiddies. I think, most of the time, it is the script kiddies who use it to do some harm. IDSs and firewalls are getting better at detecting port scans done with tools like Nmap, and hackers want to stay under the radar to avoid detection.

More than a portscanner

Nmap has a scripting engine, the Nmap Scripting Engine (NSE), that lets you do much more than a port scan. NSE scripts are written in Lua and a large set of them is delivered with the Nmap installation. You can find the NSE documentation here: https://nmap.org/nsedoc/.

Installing Nmap

Nmap is packaged for most Linux distributions, so installing it can be as easy as:

# Debian / Ubuntu
apt install nmap
# Red Hat / CentOS (RHEL 7 and older; RHEL 8 and later use dnf)
yum install nmap
# Fedora
dnf install nmap

Script categories

The NSE scripts delivered with Nmap are divided into categories so you can find and run them separately. These are the main categories:

  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln

You can find them all here: https://nmap.org/book/nse-usage.html#nse-categories

Running the scripts

Running the scripts is easy. The default scripts alone are already very powerful, but if you want to go further and look for vulnerabilities, you can run the whole vuln category like this:

nmap --script vuln yourdomain.nl

Running all the NSE scripts in the vuln category can take a while, and several of the checks are intrusive.

Another nice category is the discovery category (note the name: it is discovery, not discover; Nmap refuses to start if the name matches no category, script or directory):

nmap --script discovery yourdomain.nl

To run the default scripts:

nmap -sC yourdomain.nl

When a script reports "Check disabled", it will only run its dangerous check if you tell it that unsafe behaviour is allowed. You can do that for all scripts at once with the unsafe script argument:

nmap --script-args=unsafe=1 --script vuln yourdomain.nl
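As an added example (not from the original post and not part of Nmap itself), here is a small POSIX shell helper that ties the above together: it lists which scripts belong to a category by reading Nmap's own script index (script.db, the file that --script-updatedb rebuilds), builds a scan command that uses NSE's boolean script selection (for example "vuln and safe" to leave out the intrusive checks), and pulls the hosts that a vuln script actually flagged out of a scan saved with -oN/-oA. The script.db entries and scan output embedded below are constructed samples in the real file formats so the helper runs offline; the 192.0.2.x addresses and the target yourdomain.nl are placeholders.

```shell
#!/bin/sh
# Added example for this post (not Nmap's own code). It works on two files
# Nmap gives you anyway: the script index script.db and a scan saved with
# -oN. The sample contents below are CONSTRUCTED to mirror those formats so
# everything runs without a network or an installed nmap.

# 1) Which scripts are in a category?  script.db is a list of Lua entries:
#    Entry { filename = "afp-brute.nse", categories = { "brute", "intrusive", } }
scripts_in_category() {
    db="$1"; category="$2"
    # keep entries whose category list contains the exact quoted name, print the filename
    grep -E "categories = \{[^}]*\"$category\"" "$db" \
        | sed -E 's/.*filename = "([^"]+)".*/\1/' | sort
}

# 2) Build the nmap command line for a category scan.  --script accepts boolean
#    expressions, so "vuln and safe" skips the intrusive checks and
#    "vuln and not dos" skips the denial-of-service ones.  -oA writes normal,
#    grepable and XML output (<prefix>.nmap, .gnmap, .xml) for later parsing.
build_scan_cmd() {
    selection="$1"; target="$2"; prefix="${3:-scan}"
    printf 'nmap -sV --script "%s" -oA %s %s\n' "$selection" "$prefix" "$target"
}

# 3) Pull the hosts that a vuln script flagged out of an -oN file.  The vulns
#    library prints "State: VULNERABLE", "State: LIKELY VULNERABLE" or
#    "State: NOT VULNERABLE"; the regex must not match the last one.
vulnerable_hosts() {
    awk '
        /^Nmap scan report for / { host = $5 }
        /State: (LIKELY )?VULNERABLE/ { seen[host] = 1 }
        END { for (h in seen) print h }
    ' "$1" | sort
}

# Constructed sample of script.db (same layout as the real index).
sample_script_db() {
    cat <<'EOF'
Entry { filename = "afp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-slowloris-check.nse", categories = { "vuln", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
EOF
}

# Constructed sample of -oN output: one flagged host, one clean host and one
# "likely" host, so the parser's edge cases are exercised.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|_    (details omitted in this constructed sample)

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   NOT VULNERABLE:
|_    State: NOT VULNERABLE

Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-slowloris-check:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|_    (details omitted in this constructed sample)
EOF
}

main() {
    db=$(mktemp); scan=$(mktemp)
    sample_script_db > "$db"; sample_scan > "$scan"
    echo "scripts in category 'vuln':"; scripts_in_category "$db" vuln
    echo; echo "command to run:"; build_scan_cmd "vuln and safe" yourdomain.nl
    echo; echo "hosts flagged by a vuln script:"; vulnerable_hosts "$scan"
    rm -f "$db" "$scan"
}
main
```

On a real system point scripts_in_category at /usr/share/nmap/scripts/script.db and vulnerable_hosts at the .nmap file that -oA produced; nmap --script-help vuln gives the same category listing straight from Nmap, with a one-line description per script.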

Updates for the scripts

Nmap can be installed and updated with your package manager, but new and improved scripts often appear upstream before your distribution ships them. Note that --script-updatedb does not download anything: it only rebuilds the script index (script.db) from the .nse files already present in the scripts directory. So copy the newer script into that directory first and then rebuild the index. If you only want to try a single script, you can also pass its path straight to --script without touching the index at all.

nmap --script-updatedb

Starting Nmap 6.47 ( http://nmap.org ) at 2016-08-25 00:18 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.34 seconds

Take a look at the scripts and go play with them. There are some awesome scripts packed with Nmap. On most Linux systems you can find them in /usr/share/nmap/scripts.

It’s a multitool!

As you can see, Nmap can be a real multitool. With a bit of effort you can gather a lot of information about your server with it.