Nmap 5.0 Howto – Teil 8: NSE Nmap Scripting Engine – praktische Beispiele
Die folgenden Beispiele werden mit der aktuellen Nmap Version 5.0 durchgeführt.
Wie man Nmap 5.0 auf einem aktuellen Debian System installiert, habe ich hier erklärt.
Das Nmap Security Scanner Projekt und Insecure.org erlauben ausdrücklich, dass
man den Host scanme.nmap.org mit Nmap zu Testzwecken scannen darf.
Ich habe für die unten gezeigten Beispiele ausschließlich scanme.nmap.org und meine eigenen Rechner benutzt!
-sC (NSE Standard Scripts)
Nmap benutzt bei diesem Scan alle Scripts, die als default kategorisiert sind. Einige dieser Scripts sind sehr aufdringlich und können leicht von einem IDS leicht erkannt werden.
Eine Auflistung der unterschiedlichen Script Kategorien findet man hier: NSE Grundlagen
Alle Nmap-Scripts werden in der script.db Datenbank (/usr/local/share/nmap/scripts/script.db) indiziert und kategorisiert.
Alle Scripts, die u.a. als default klassifiziert sind:
Entry { filename = "auth-owners.nse", categories = { "default", "safe", } }
Entry { filename = "dns-recursion.nse", categories = { "default", "intrusive", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "default", "discovery", "intrusive", } }
Entry { filename = "finger.nse", categories = { "default", "discovery", } }
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-bounce.nse", categories = { "default", "intrusive", } }
Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "intrusive", } }
Entry { filename = "imap-capabilities.nse", categories = { "default", } }
Entry { filename = "irc-info.nse", categories = { "default", "discovery", } }
Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "intrusive", } }
Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } }
Entry { filename = "pop3-capabilities.nse", categories = { "default", } }
Entry { filename = "realvnc-auth-bypass.nse", categories = { "default", "vuln", } }
Entry { filename = "robots.txt.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "rpcinfo.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "snmp-sysdescr.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "socks-open-proxy.nse", categories = { "default", "discovery", "external", "intrusive", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "intrusive", "safe", } }
Entry { filename = "sshv1.nse", categories = { "default", "safe", } }
Entry { filename = "sslv2.nse", categories = { "default", "safe", } }
Entry { filename = "upnp-info.nse", categories = { "default", "safe", } }
Beispiel-Scan mit -sC
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-30 21:53 CET
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT STATE SERVICE
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http
|_ html-title: Go ahead and ScanMe!
113/tcp closed auth
31337/tcp closed Elite
Nmap done: 1 IP address (1 host up) scanned in 21.39 seconds
--script (erweiterter Script-Scan)
Man kann Nmap mit --script entweder verschiedene Scriptkategorien, einzelne Scripts oder ganze Scripverzeichnisse übergeben. Mit --datadir kann ein alternatives Scriptverzeichnis definiert werden. Nmap verwendet alle Scripts mit .nse Endung. Individuellen Scripts die mit absoluten Pfad angegeben werden, müssen keine spezielle Endung haben.
Beispiele:
Nmap nimmt alle Scripts aus den Kategorien: intrusive, vuln, version
Nmap verwendet alle Scripts außer die als safe kategorisierten.
Nmap benutzt die Scripts aus der Kategorie intrusive, das Standard-Script mysql-info.nse und alle Scripts mit .nse Endung aus dem Verzeichnis /meine/tollen/scripts
Nmap benutzt alle verfügbaren Scripts, die in der script.db Datenbank indiziert sind.
Beispiel-Scan mit --script all
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-30 22:21 CET
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 995 filtered ports
PORT STATE SERVICE
25/tcp closed smtp
53/tcp open domain
80/tcp open http
|_ html-title: Go ahead and ScanMe!
113/tcp closed auth
31337/tcp closed Elite
Host script results:
| whois: Record found at whois.arin.net
| netrange: 64.13.134.0 - 64.13.134.63
| netname: NET-64-13-143-0-26
| orgname: Titan Networks
| orgid: INSEC
|_ country: US stateprov: CA
| asn-query:
| BGP: 64.13.128.0/18 | Country: US
| Origin AS: 8121 - TCH - TCH Network Services
|_ Peer AS: 1299 2516 3356 4565 4657 19080
Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds
--script-trace
Nmap gibt die gesammte Kommunikation des Scripts aus. Diese Option dient hauptsächlich der Fehlersuche oder zum besseren Verständnis des Scans.
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-30 22:46 CET
NSOCK (0.6290s) nsock_loop() started (timeout=50ms). 0 events pending
NSOCK (0.6300s) TCP connection requested to 64.13.134.52:80 (IOD #1) EID 8
NSOCK (0.6310s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.6820s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.7340s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.7860s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.8270s) Callback: CONNECT SUCCESS for EID 8 [64.13.134.52:80]
NSE: TCP 192.168.178.7:43365 > 64.13.134.52:80 | CONNECT
NSOCK (0.8280s) nsock_loop() started (timeout=50ms). 0 events pending
NSE: TCP 192.168.178.7:43365 > 64.13.134.52:80 | 00000000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1
00000010: 48 6f 73 74 3a 20 73 63 61 6e 6d 65 2e 6e 6d 61 Host: scanme.nma
00000020: 70 2e 6f 72 67 0d 0a 55 73 65 72 2d 41 67 65 6e p.org User-Agen
00000030: 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 t: Mozilla/5.0 (
00000040: 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4e 6d 61 70 compatible; Nmap
00000050: 20 53 63 72 69 70 74 69 6e 67 20 45 6e 67 69 6e Scripting Engin
00000060: 65 3b 20 68 74 74 70 3a 2f 2f 6e 6d 61 70 2e 6f e; http://nmap.o
00000070: 72 67 2f 62 6f 6f 6b 2f 6e 73 65 2e 68 74 6d 6c rg/book/nse.html
00000080: 29 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 ) Connection: c
00000090: 6c 6f 73 65 0d 0a 0d 0a lose
NSOCK (0.8280s) Write request for 152 bytes to IOD #1 EID 19 [64.13.134.52:80]
NSOCK (0.8290s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.8290s) Callback: WRITE SUCCESS for EID 19 [64.13.134.52:80]
NSOCK (0.8290s) nsock_loop() started (timeout=50ms). 0 events pending
NSOCK (0.8290s) Read request from IOD #1 [64.13.134.52:80] (timeout: 15000ms) EID 26
NSOCK (0.8300s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.8840s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.9340s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.9870s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (1.0280s) Callback: READ SUCCESS for EID 26 [64.13.134.52:80] (928 bytes)
NSE: TCP 192.168.178.7:43365 < 64.13.134.52:80 | HTTP/1.1 200 OK
Date: Mon, 30 Nov 2009 20:43:38 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 739
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title>Go ahead and ScanMe!</title>
</head>
<body>
<p>Hello, and welcome to Scanme.Nmap.Org, a service provided by the <a href="http://nmap.org">Nmap Security Scanner Project</a> and <a href="http://insecure.$
<p>We set up this machine to help folks learn about Nmap and also to test and make sure that their Nmap installation (or Internet connection) is working prop$
<p>Thanks<br>
-<a href="http://insecure.org/fyodor">Fyodor</a>
</body>
</html>
NSOCK (1.0290s) nsock_loop() started (timeout=50ms). 0 events pending
NSOCK (1.0290s) Read request from IOD #1 [64.13.134.52:80] (timeout: 15000ms) EID 34
NSOCK (1.0290s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (1.0290s) Callback: READ EOF for EID 34 [64.13.134.52:80]
NSOCK (1.0300s) nsock_loop() started (timeout=50ms). 0 events pending
NSE: TCP 192.168.178.7:43365 > 64.13.134.52:80 | CLOSE
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT STATE SERVICE
80/tcp open http
|_ html-title: Go ahead and ScanMe!
Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds
--script-updatedb
Wenn man neu NSE-Scripte in das script Verzeichnis kopiert, Scripts löscht oder verändert z.B. Kategorisierung sollte man die script.db Datenbank aktualisieren.
Diese Option wird ohne Argumente aufgerufen.
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-30 22:42 CET
NSE: Updating rule database.
NSE script database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.33 seconds
Quelle: nmap.org
NSE-Script Datenbank: http://nmap.org/nsedoc/
Nmap 5.0 - Howto Teil 1: Ziele richtig definieren
Nmap 5.0 - Howto Teil 2: Host-Erkennung
Nmap 5.0 - Howto Teil 3: Port-Scans
Nmap 5.0 – Howto Teil 4: Dienst- und Versionserkennung
Nmap 5.0 – Howto Teil 5: Betriebssystem-Erkennung
Nmap 5.0 – Howto Teil 6: Debugging & ausführliche Ausgabe
Nmap 5.0 – Howto Teil 7: Nmap Scripting Engine (NSE) – Grundlagen
Nmap Grundlagen: Port-Zustände
Nmap Grundlagen: Nmap 5.0 Installation
About Moritz TANZER
Sysadmin
Seiten
Tags
Blogroll
- /var/bergercity/
- adminlife.net
- aptgetupdate.de
- Caschys Blog
- Gerds Blog
- infoblog.li
- Linux und Ich
- scareware.de
- SECURITY-BLOG.EU
- TIMBOBS BLOG
- Webmaster, Security und Technik
- YAFIB
Links
Kalender
Sonstiges
Translator
