Infiltration artifact series nmap

This world is like a melting pot, burning a batch of souls of different quality and different from the original quality

This article, the third in the penetration artifact series, introduces a classic port scanning tool: nmap. There are many mature port scanners available, such as masscan (an Internet-wide scanner) and zenmap (the nmap GUI), but I personally still love nmap, for a very simple reason: it is very powerful and supports extension. Recent versions of nmap include the Nmap Scripting Engine (NSE), which supports extension scripts; that is, you can load custom nse scripts into nmap to carry out additional checks during a scan. At present there are more than 500 official nse scripts; see the [nse script documentation](https://nmap.org/nsedoc/) or the [GitHub repository](https://github.com/nmap/nmap).
This article explains how to write and use nse scripts in order to get the most out of nmap's extension capability; it also briefly covers basic use of the nmap tool and its parameters.

NSE

nse script development

Create a new file in the scripts directory, for example hello.nse, with the following content:

```lua
-- The Head Section --
-- metadata describing the script; categories lets nmap select it by category
description = [[Reports "Hello world" when TCP port 80 is open on the target.]]
categories = {"safe", "discovery"}

-- The Rule Section --
-- portrule is evaluated once per (host, port); the action runs only if it returns true
portrule = function(host, port)
  return port.protocol == "tcp" and port.number == 80 and port.state == "open"
end

-- The Action Section --
-- the returned string is printed in the scan report under the matching port
action = function(host, port)
  return "Hello world"
end
```

When the above script runs, it checks whether TCP port 80 is open on the target IP; if it is, the script returns "Hello world".
An nse script follows the nmap API specification and consists of three sections; lines beginning with `--` are Lua comments.

The Head Section

This section contains metadata describing the script: its functionality, author, license, categories, and so on.

The Rule Section

This section defines the rules for the script and must contain at least one of the following functions:

  • portrule
  • hostrule
  • prerule
  • postrule

The Action Section

This section defines the script logic, that is, what is executed once the rule is satisfied. In the example above, it outputs "Hello world".

Calling the built-in library

NSE scripts can call built-in libraries such as the http library, the shortport library and the nmap library.
Import them with require:

```lua
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
```

NSE API reference: https://nmap.org/book/nse-api.html
Lua syntax reference: http://www.runoob.com/lua/lua-tutorial.html
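As an added example (not code from the original post), here is a complete nse script that combines the three sections described above with the shortport and http libraries: it fetches the root page of any HTTP service and reports which common security response headers are missing, a useful check when auditing your own web servers. The script name, the description text and the particular list of headers are my own choices.

```lua
-- The Head Section --
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Fetches the root page of an HTTP service and reports which common
security response headers are missing (added example, not an official script).
]]
author = "example author (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- The Rule Section --
-- shortport.http matches the usual HTTP ports and services named http/https
portrule = shortport.http

-- The Action Section --
action = function(host, port)
  local response = http.get(host, port, "/")
  -- no usable response (connection failed or no status line): report nothing
  if not response or not response.status then
    return nil
  end

  -- headers we expect a hardened web server to send (assumed list)
  local wanted = {
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
  }

  -- the http library lowercases header names, so compare in lowercase
  local missing = {}
  for _, name in ipairs(wanted) do
    if not response.header[name] then
      table.insert(missing, name)
    end
  end

  -- output_table keeps field order and renders nicely in normal and XML output
  local output = stdnse.output_table()
  output.status = response.status
  output.missing = missing
  return output
end
```

Save it as, for example, security-headers.nse in the scripts directory, run `nmap --script-updatedb`, and then `nmap -p 80,443 --script=security-headers target_ip`.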

nse script usage

After writing hello.nse under the scripts directory, how do you load it?
Method one:

```bash
nmap --script-updatedb          # update the script database
nmap --script=hello target_ip   # run the script by name
```

Method two:

```bash
nmap --script=d:/..../hello.nse target_ip   # absolute path to the script
```

Other parameters:

nse example

Scan the target machine and enumerate SMB users:

```bash
nmap --script=smb-enum-users target_ip
```

Enumerate the SMB shares exported by the target machine:

```bash
nmap --script=smb-enum-shares target_ip
```

Brute-force the target machine's SMB usernames and passwords:

```bash
nmap --script=smb-brute target_ip
```

Test the target machine for the Heartbleed vulnerability:

```bash
nmap -sV --script=ssl-heartbleed target_ip
```

Here are a few example scripts for industrial hardware devices:

```text
modbus-discover.nse            (uses Modbus function code 43 (0x2B) to read device identification)
modbus-enum.nse                (Modbus TCP device enumeration script)
s7-enumerate.nse               (Siemens S7 PLC device discovery script; enumerates basic PLC information)
enip-enumerate.nse             (reads basic information from EtherNet/IP devices)
BACnet-discover-enumerate.nse  (reads basic information from BACnet devices)
iec-identify.nse               (IEC 104 protocol ASDU address enumeration script)
mms-identify.nse               (IEC 61850-8-1 protocol information enumeration script)
```

nmap introduction

The content above covers the basics of nmap's NSE extension scripts, including the rules for writing them; this article does not go into further detail, so please refer to the official documentation. The following content covers using nmap itself, including its command line parameters.

nmap parameters

Nmap parameters:

```text
nmap [Scan Type(s)] [Options] {target specification}
  Scan Type(s)          specifies the scan type
  Options               specifies options
  target specification  specifies the scan targets

-s specifies the scan type, as follows:
-sP (ping scan)                   * live host detection
-sS (TCP SYN scan, stealth scan)  * default scan mode
-sT (TCP connect scan)            * used when a SYN scan cannot be used
-sU (UDP scan)
-sA (ACK scan)                    * uses the three-way handshake to detect firewall-filtered ports; in practice not very useful
-sV (version detection)
-A  aggressive scan (includes operating system detection)
-O  (enable operating system detection)
-v  verbose output

Option description:
-P0 [specified port]  (no ping scan)
-PU [specified port]  (UDP ping scan)
-PS [specified port]  (TCP SYN ping scan)
-PA [specified port]  (TCP ACK ping scan)
-PI                   uses a real ping (ICMP echo request) to check whether the target host is up
-iL                   specifies a file containing the list of hosts to scan
-iR                   selects targets at random
--exclude             excludes scan targets
--excludefile         excludes the list of targets in the given file
-n                    (no DNS resolution)
-R                    (resolve DNS names for all targets)
-T                    timing template (controls how fast packets are sent): -T5 fastest, -T0 slowest
-F                    fast scan
-e                    specifies the network interface
-M                    sets the number of TCP scan threads
```

nmap output

Output options:

```text
-oS              saves the scan result output
-oN              writes the scan result to a human-readable file (logfilename)
-oM              machine-readable output, one result per line
-oA              same as above
--append-output  appends to the existing output file instead of overwriting it
```

nmap status

Nmap port states:

```text
open             (open)
closed           (closed)
filtered         (cannot determine whether open or closed; probes are filtered)
unfiltered       (unfiltered)
open|filtered    (open or filtered)
closed|filtered  (closed or filtered)
```

nmap common commands

The following commands were collected from the web, partly from my own notes.
Lightweight scanning:

```bash
nmap -sP 192.168.0.0/24          # determine which hosts are up
nmap -sT 192.168.0.3             # which ports are open
nmap -sS 192.168.0.127           # which ports are open (stealth scan)
nmap -sU 192.168.0.127           # which ports are open (UDP)
nmap -sS -O 192.168.0.127        # operating system identification
nmap -sV -p 80 thief.one         # list server types (operating system, open port, server type, website script type, etc.)
```

Batch scan:

```bash
nmap -sT -sV -O -P0 --open -n -oN result.txt -p80-89,8080-8099,8000-8009,7001-7009,9000-9099,21,443,873,2601,2604,3128,4440,6082,6379,8888,3389,9200,11211,27017,28017,389,8443,4848,8649,995,9440,9871,2222,2082,3311,18100,9956,1433,3306,1900,49705,50030,7778,5432,7080,5900,50070,5000,5560,10000 -iL ip.txt
```

Batch scan with timing and parallelism limits:

```bash
nmap -sT -sV -p80-89,8080-8099,8000-8009,7001-7009,9000-9099,21,443,873,2601,2604,3128,4440,6082,6379,8888,3389,9200,11211,27017,28017,389,8443,4848,8649,995,9440,9871,2222,2082,3311,18100,9956,1433,3306,1900,49705,50030,7778,5432,7080,5900,50070,5000,5560,10000 --open --max-hostgroup 10 --max-parallelism 10 --max-rtt-timeout 1000ms --host-timeout 800s --max-scan-delay 2000ms -iL ~/Desktop/ip.txt -oN ~/Desktop/result/result.txt
```

nmap api

Nmap has bindings for many languages. This article briefly introduces how to use nmap from Python.

python-nmap

Install: pip install python-nmap
Purpose: call the nmap interface from Python to perform port scans.
Usage:

```python
>>> import nmap
>>> nm = nmap.PortScanner()
>>> nm.scan('127.0.0.1', '22-443')
>>> nm.command_line()
```

For more usage, see: http://xael.org/pages/python-nmap-en.html

Portal

[[Infiltration Artifact Series] Metasploit](http://thief.one/2017/08/01/1/)
[[Infiltration Artifact Series] DNS Information Query](http://thief.one/2017/07/12/1/)
[[Infiltration Artifact Series] nc](http://thief.one/2017/04/10/1/)
[[Infiltration Artifact Series] Fiddler](http://thief.one/2017/04/27/1)
[Infiltration Artifact Series] Search Engine
[[Infiltration Artifact Series] WireShark](http://thief.one/2017/02/09/WireShark%E8%BF%87%E6%BB%A4%E8%A7%84%E5%88%99/)

Title: Infiltration artifact series nmap

Author: nmask

Published: 2017-05-02 14:05

Last updated: 2019-07-11 15:07

Original link: https://thief.one/2017/05/02/01/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. When reposting, please keep the original link and author.
