Nmap for Scriptors

null Mumbai Chapter October 2013 Meet

Nmap for Scriptors Sanoop Thomas

@s4n7h0

Disclaimer

• This is a very small session to accommodate some coding concepts (I agree it's a bad try)

• We will try to cover some very important points that are required

• A kick-start session for security researchers to learn how an NSE script can be built and used to create PoCs

Some Wrong Questions

• How many of you have used Nmap?

• What about the -A option?

• What are Nmap scripts?

I'm sure many of you must be familiar with Nmap; but still, for those who are new….

Nmap Script Scan

Script Path

• Windows
  – C:\Program Files (x86)\Nmap\scripts

• Linux
  – /usr/share/nmap/scripts

• In Backtrack
  – /usr/local/share/nmap/scripts

Nmap Script Engine [NSE]

• Network Discovery

• Version Detection

• Vulnerability Detection

• Malware Detection

• Exploitation

Anatomy of NSE

• require

• metadata

• categories

• portrule

• action

NSE Skeleton

-- Import the library the port rule uses (local-require form, as Nmap 6+ expects)
local shortport = require "shortport"

-- Metadata: shown by nmap --script-help and in the NSEDoc pages
description = [[
Just to show the skeleton of an NSE script
]]

author = "Mr. X"

categories = {"safe", "discovery"}

-- Rule: run only against TCP ports 80, 8080 or 443, or any TCP port whose detected service is http
portrule = shortport.port_or_service({80,8080,443},{"http"},{"tcp"})

-- Action: executed once for every host/port pair that satisfies the rule;
-- the returned string becomes the script's output line
action = function(host,port)
  return "Webserver found on port "..port.number
end

require

• Import libraries
  • require "shortport"
  • local shortport = require "shortport"

metadata

• Includes the description of the script, author name, license information, etc.

• Not relevant to execution, but it helps the user know what your script does

categories

• Defines the type of your script
  – auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln

• Because you can run scripts by category

Scan Smartly

• nmap --script "http-*"

• nmap --script "http-* and ftp-*"

• nmap --script "not brute"

• nmap --script "vuln,safe"

• nmap --script "vuln or safe"

• nmap --script "(vuln or safe) and not http-*"

portrule

• Script executions are conditional

• portrule = shortport.http

• portrule = shortport.port_or_service(21, "ftp")

action

• The actual code to execute, based on the portrule

• A combination of Lua code and Nmap library calls

action = function(host, port)
  -- code to execute
end
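The skeleton on the previous slides only returns a fixed string. The following complete script is an added example, not from the slides, showing how a shortport rule, a few Nmap library calls and a script argument fit together in a discovery script that records a web server's response headers. The script name http-header-inventory and its argument http-header-inventory.extra are invented for illustration; shortport.http, http.get, stdnse.output_table, stdnse.get_script_args and stdnse.debug are real NSE library functions.

```lua
-- Added example (not part of the original deck): a complete NSE script.
-- It sends one GET request and reports the status line plus selected
-- response headers, enough to inventory the web stack of a host you are
-- authorised to scan. Script and argument names are made up for illustration.
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"

description = [[
Fetches the root document of a web server and reports the response status
and selected headers (Server, X-Powered-By). Extra header names can be
requested with the script argument http-header-inventory.extra.
]]

author = "Example author (added for illustration)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Hypothetical script argument: comma-separated list of additional header
-- names to report, e.g. --script-args http-header-inventory.extra=via,x-frame-options
local ARG_EXTRA = "http-header-inventory.extra"

-- Run only on open ports that look like HTTP (80/443/8080 or a service named
-- http/https). shortport.http is the library's ready-made rule; a hand-written
-- rule has the same shape, a function of (host, port) returning true or false:
--   portrule = function(host, port)
--     return port.protocol == "tcp" and port.state == "open"
--            and (port.number == 80 or port.service == "http")
--   end
portrule = shortport.http

-- The http library lower-cases header names in response.header, so look the
-- requested header up in lower case and substitute a marker when it is missing.
local function header_or_absent(response, name)
  return response.header[string.lower(name)] or "(absent)"
end

action = function(host, port)
  -- One request; the http library chooses TLS or plaintext from the port's detected service.
  local response = http.get(host, port, "/")
  if not response or not response.status then
    -- Nothing to report: return nil so no output line is printed (visible with -d).
    stdnse.debug(1, "no HTTP response from %s:%d", host.ip, port.number)
    return nil
  end

  -- output_table preserves insertion order, so the report reads the same every run
  -- and renders cleanly in both normal and XML output.
  local output = stdnse.output_table()
  output.status = response.status
  output.server = header_or_absent(response, "Server")
  output["x-powered-by"] = header_or_absent(response, "X-Powered-By")

  -- Optional extra headers requested by the user through script args.
  local extra = stdnse.get_script_args(ARG_EXTRA)
  if extra then
    for name in string.gmatch(extra, "[^,]+") do
      output[name] = header_or_absent(response, name)
    end
  end

  return output
end
```

Saved as http-header-inventory.nse in a directory passed with --datadir, the script can be run with nmap -p 80,443 --script http-header-inventory -d against a host you are permitted to test; the -d output shows the rule decision and the debug line when no response arrives, which is the quickest way to see why a script stayed silent.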

Some Practical Approach

• It's coding
  – Means giving life to a code snippet
  – So, you need to know how, what, why, etc.

Tips for Scriptors

• Specify the script directory (--datadir)

• Use debugging mode when running the script (-d)

• Update the script database once your script is final (--script-updatedb)

• Use script trace (--script-trace)

References

• nmap.org/nsedoc/

• lua.org/docs.html

Thanks

Any Questions?

Sanoop Thomas @s4n7h0