THE NMAP SCRIPTING ENGINE: FROM CATERPILLAR TO BUTTERFLY: Make no mistake. Nmap is an awesome tool. It is mature, robust, well documented, and supported by an active community.
However, the NSE provides Nmap with an entirely new skill set and dimension. The NSE is a powerful addition to the classic tool that transforms its functionality and capability well beyond its tradition port scanning duties.
Learning to utilize the NSE is critical to getting the most out of Nmap. When properly implemented, the NSE allows Nmap to complete a variety of tasks including vulnerability scanning, advanced network discovery, detection of backdoors, and in some cases even perform exploitation!
The NSE community is a very active and open group. New scripts and capabilities are being constantly added. If you use the NSE to create something new, I encourage you to share your work.
In order to keep things simple, the NSE divides the scripts by category. The current categories include auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vlun.
Each category can be futher broken down into individual scripts that performs a particular function. A hacker or penetration tester can run a single script to the entire category (which includes multiple scripts).
It is important to review the documentation for each category and scripts before invoking them or using them against a target. You can find the most recent and up-to-date NSE information at http://nmap.org/nsedoc/.
THE NMAP SCRIPTING ENGINE: FROM CATERPILLAR TO BUTTERFLY
The NSE and its scripts are prebuild into Nmap. There is nothing for you to install or configure.
In order to invoke the NSE, we use “—script” argument followed by the category or script name and the target IP address as shown below:
Nmap –script banner 192.168.18.132
The “banner” script is an extension of Nmap that creates a connection to a TCP port and prints any output sent from the target system to the local terminal.
This can be extremely helpful in identifying unrecognized services on obscure ports.
Similarly we could invoke an entire family or category of scripts by using the “—script category_name” format as show below:
Nmap –script vuln 192.168.18.132
The “vuln” category will run a series of scripts which look for known issues on the target system. This category typically provides output only when vulnerability is discovered.
The “vuln” functionality of the NSE is an excellent precursor to our conversation on vulnerability scanning. Below shows the output of running an NSE vuln scan against our Metaspoitable target.
Pay special attention to any Common Vulnerabilities and Exposures (CVE), Open Source Vulnerability Database (OSVDB), or links, which are provided,
we will return to this topic during our coverage of exploitation. For now, be sure to take notes and properly document your findings.
If you have any questions regarding the Nmap scripting engine: from caterpillar to butterfly let us know in the comment section so we could answer your question.
By Patrick Engebretson | SYNGRESS | The Nmap Scripting Engine: From Caterpillar to Butterfly