Analyzing hosts and networks with Nmap

Scripting Engine

For more detailed investigations, Nmap version 4.5 or later comes with the Nmap Scripting Engine (NSE). With NSE and the current crop of 430 NSE scripts implemented in Lua, you can elicit many additional details from individual hosts (Table 1).

Table 1

NSE Scripts

Name

Purpose

auth

Bypass authentication

brute

Brute force attack

dos

Denial-of-service test

discovery

Call shares and websites

fuzzer

Attack server with unexpected input

vuln

Check for known vulnerabilities

To discover what the individual scripts actually do, run the

nmap --script-help "*"

command. If you replace the asterisk with a category or script name, you only receive information about the associated script(s).

To run one or more scripts against one or more hosts, you can use the

nmap --script <name>

command, where <name> refers to a script, a whole category, a directory of scripts, or a regular expression. Some scripts require additional parameters, which you pass in to Nmap, as in --script-args <parameter>. Using the

nmap - script http-enum <target>

command, for example, will attempt to identify all the interesting URLs that the target host offers (Figure 8).

Figure 8: The http-enum script reveals interesting pages on web servers very quickly.

On the other hand,

nmap -sV -O --script vuln <target>

lets you run all the scripts in the vuln category against each host on the network. Scanning every host with a single command does not replace a thorough review, but it does discover some common vulnerabilities very quickly.

In addition to the NSE scripts included in the Nmap package, you will find more on the Nmap developer list [6] or on the pages of individual developers. You can copy the scripts to Nmap's script directory, if needed, and then bind them to the port scanner using the nmap --script-updatedb command.

Conclusions

Nmap is a very powerful tool whose capabilities go far beyond those of a normal port scanner. The software already supports IPv6 and does not simply give you yes/no statements on whether ports are open; rather, it also determines exactly which services and operating systems are running on the computers under investigation.

Nmap scans both TCP and UDP ports and comes with a number of ping test methods that can work despite firewalls. Additional tricks, such as packages filled with random characters, can also help trick firewalls, IDS, and IPS systems. The Nmap Scripting Engine lets you automate many steps. If you frequently need to analyze networks, it pays to read the excellent and extensive Nmap documentation, which provides examples and a huge amount of background knowledge.

Before you start investigating a third-party host or network, be sure you obtain the consent of the operator; otherwise, they will feel they are being attacked, which can lead to unpleasant legal consequences. If you want to practice, do so on your home network – or use the scanme host offered by Nmap [7].

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Nmap 4.75 recognizes iPhones and visualizes networks

    "If we are going to call Nmap the 'Network Mapper', it should at least be able to draw you a map of the network! " writes developer Fyodor in announcing the newest version 4.75 of the Nmap security scanner.

  • Nmap Scripting

    Nmap is rolling out a new scripting engine to automatically investigate vulnerabilities that turn up in a security scan. We’ll show you how to protect your network with Nmap and NSE.

  • Scanning with Zenmap

    Discover your network with the user-friendly Zenmap network scanner.

  • Nmap Methods

    How does the popular Nmap scanner identify holes in network security? In this article, we examine some Nmap analysis techniques.

  • Perl: Network Monitoring

    To discover possibly undesirable arrivals and departures on their networks, a Perl daemon periodically stores the data from Nmap scans and passes them on to Nagios via a built-in web interface.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News