The Nmap Scripting Engine (NSE)…

July 29, 2010

The Nmap Scripting Engine extends the results of an Nmap port scan. It combines the Lua programming language, a library of network functions, and the results provided by other parts of Nmap to give more information about network hosts and their open ports.

There are standard scripts that grab SSH host keys or SSL certificates, discover the remote date and time, check for weak passwords and unpatched vulnerabilites, and much more.

While started, Nmap loads the scripts (all of the available in the repository if “-sC” is given on the command line, or only the given ones via “–script=<scriptname>”). The script is parsed and if a portrule is present, saved in the porttests table with a portrule key and file closure value. Otherwise, if the script has a hostrule, it is saved in the hosttests table in the same manner. During the scan, a thread is created for each of the matching script-target combinations. More details about how scripts are implemented are available here.

Each thread contains detailed information such as the runlevel, target, port (if a porttest), host and port tables, and the script type (service or host script). The value returned by the “action” block will be printed in the Nmap output below the port:

Starting Nmap ( http://nmap.org )
Interesting ports on flog (
80/tcp   open  http
|_ Script output

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

Now, a few words about writing rules and documentation. You have to follow some basic rules. All Nmap scripts must start with description variables (the “header”):

description     = "This is a simple nmap script"
author          = "Khairul Azrin B Azman
license         = "See http://nmap.org/book/man-legal.html"
categories      = { "default", "discovery", "safe" }
runlevel       = 1.0

The most important is categories. It describes the script behavior and can be a mix of the following keywords: auth, default, discovery, external, intrusive, malware, safe, version, and vuln. Check out the online documentation for a full description of each category.

If you check your <installprefix>/share/nmap/scripts directory you will find a lot of scripts ready to be used.

NSE is supposed to be versatile, with these NSE functions:-

Network discovery
This is Nmap’s bread and butter. Examples include looking up whois data based on the target domain, querying ARIN, RIPE, or APNIC for the target IP to determine ownership, performing identd lookups on open ports, SNMP queries, and listing available NFS/SMB/RPC shares and services.

More sophisticated version detection
The Nmap version detection system (Chapter 7, Service and Application Version Detection) is able to recognize thousands of different services through its probe and regular expression signature based matching system, but it cannot recognize everything. For example, identifying the Skype v2 service requires two independent probes, which version detection isn’t flexible enough to handle. Nmap could also recognize more SNMP services if it tried a few hundred different community names by brute force. Neither of these tasks are well suited to traditional Nmap version detection, but both are easily accomplished with NSE. For these reasons, version detection now calls NSE by default to handle some tricky services. This is described in the section called “Version Detection Using NSE”.

Vulnerability detection
When a new vulnerability is discovered, you often want to scan your networks quickly to identify vulnerable systems before the bad guys do. While Nmap isn’t a comprehensive vulnerability scanner, NSE is powerful enough to handle even demanding vulnerability checks. Many vulnerability detection scripts are already available and we plan to distribute more as they are written.

Backdoor detection
Many attackers and some automated worms leave backdoors to enable later reentry. Some of these can be detected by Nmap’s regular expression based version detection. For example, within hours of the MyDoom worm hitting the Internet, Jay Moran posted an Nmap version detection probe and signature so that others could quickly scan their networks for MyDoom infections. NSE is needed to reliably detect more complex worms and backdoors.

Vulnerability exploitation
As a general scripting language, NSE can even be used to exploit vulnerabilities rather than just find them. The capability to add custom exploit scripts may be valuable for some people (particularly penetration testers), though we aren’t planning to turn Nmap into an exploitation framework such as Metasploit.

Nmap Scripting Engine (NSE) has been one of the hottest topic that are discussed in this year Defcon and Black Hat.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: