How to use Nmap NSE Scripts to find Vulnerabilities - 8 min read

Find Vulnerabilities, Nmap has a lot of features and one of them is a built-in script interpreter called NSE Nmap Scripting Engine.

Nmap is one of the most used and best port scanning tools that exist and is the favorite for many people including for me. But Nmap is not only a port scanner, but this tool is also much more and has so many features. In this article, we highlight the Nmap Script Engine (NSE). Nmap has a lot of features, and one of them is a built-in script interpreter called NSE “Nmap Scripting Engine” Nmap stands for “Network Mapper


Nmap scripts can be used for:

  • Vulnerability detection.
  • Vulnerability exploitation.
  • Backdoor detection.
  • Network discovery.
  • More sophisticated and accurate OS version detection.

Before we move any further, take a look at these points:

  • Do not execute scripts from third parties without critically looking through them or only if you trust the authors. It’s highly recommended that you do this with every script before you use it. First of all, it’s a good start for your own safety and furthermore it will help you to understand how the script is made and the scripting language used to make it.
  • Many of these scripts may possibly run as either a prerule or postrule script. The current standard to choose between a “prerule” or a “postrule” is this: If the script is doing host discovery or any other network operation then the “prerule” should be used. “Postrule” is reserved for reporting of data and statistics that were gathered during the scan.
  • Nmap uses the script.db database to figure out the available default scripts and categories.

Install Nmap on Windows

Nmap is available in several versions and formats. Recent source releases and binary packages are described in the download page of the software.


Install Nmap on Linux distributions

Debian based

sudo apt install nmap

Arch Based

sudo pacman -S nmap

Red Hat Based

yum install nmap
or
rpm install nmap

OpenSUSE Based

zypper install nmap

Fedora Based

sudo dnf install nmap

Install Nmap using snap package

Amazingly, the Nmap tool is now available in Snap. To install this app via Snap on your system, use the below command.

sudo snap install nmap

There are four types of NSE scripts:

Host Scripts 

This scripts executed after Nmap has performed normal operations such as host discovery, port scanning, version detection, and OS detection against a target host.

Prerule Scripts 

These are scripts that run before any of Nmap’s scan operations, they are executed when Nmap hasn’t gathered any information about a target yet.

Service Scripts 

These are scripts run against specific services listening on a target host.

Postrule Scripts 

These are scripts run after Nmap has scanned all of its target hosts.


Location of the NSE scripts

Depending on the operating system you use but also depending on the Nmap version installed on your computer, NSE scripts can be in different locations.

For Linux system

~/.nmap/scripts/ or /usr/share/nmap/scripts/ 

or 

$NMAPDIR.

For Mac

/usr/local/Cellar/nmap//share/nmap/scripts/.

For Windows 

C:\Program Files (x86)\Nmap\scripts 

or 

C:\Program Files\Nmap\scripts

if you are using a 32bits version

The path of your NSE scripts folder

For Linux, the easiest way to find the path of your NSE scripts folder is to use the below command in your terminal:

locate *.nse

Output


Find Vulnerabilities, Nmap has a lot of features and one of them is a built-in script interpreter called NSE Nmap Scripting Engine.

In the above screenshot, we can see that the Nmap NSE Scripts can be found are located:

/usr/share/nmap/scripts

Maybe you like to know more about Linux commands, you can find them here.


How to install the new NSE Nmap script

To add new scripts to your script.db database, you simply need to copy your .nse files to the NSE scripts directory in our example referenced by “/usr/share/nmap/scripts”, and run the following command to update the Nmap script database:

sudo nmap --script-updatedb*

Output

Find Vulnerabilities, Nmap has a lot of features and one of them is a built-in script interpreter called NSE Nmap Scripting Engine.

Use of the NSE Nmap scripts

You can view the description of a script using –script-help option. Additionally, you can pass arguments to some scripts via the –script-args and –script-args-file options, the later is used to provide a filename rather than a command-line arg. To perform a scan with most of the default scripts, use the -sC flag or alternatively use –script=default.

Hacking vulnerabilities using NSE script

Personally, I use very often many NSE scripts provided by default with Nmap. In addition, you will find below a number of vulnerability scanners that you can add to your Nmap software.


winnti-nmap-script

This Nmap script can be used to scan hosts for Winnti infections. It uses parts of Winnti’s protocol as seen in the wild in 2016/2017 to check for infection and gather additional information.

Githubhttps://github.com/TKCERT/winnti-nmap-script

How to Use

# For Help Type
sudo nmap --script-help winnti-detect.nse

# For Detection Type
sudo nmap --script winnti-detect.nse

SSL-Heardbleed

Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).

Download : https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse

How to Use

sudo nmap -sV -p 443 –script=ssl-heartbleed.nse <target>

Nmap-vulners

NSE script based on Vulners.com API. This NSE script uses this well-known service to provide information about vulnerabilities that may be present on a system.

Githubhttps://github.com/vulnersCom/nmap-vulners

How to Use

sudo nmap -sV --script vulners [--script-args mincvss=] <target>

Freevulnsearch

Free Nmap NSE script to query vulnerabilities via the cve-search.org API.

GitHub: https://github.com/OCSAF/freevulnsearch

How to Use

sudo nmap -sV --script freevulnsearch <target>

Vulscan

Advanced vulnerability scanning with Nmap NSE. The script does not perform a vulnerability scan by itself, but using the fingerprinting feature (-sV), it can detect the running applications and versions and use this information to lookup keys in some vulnerabilities databases.

Github: https://github.com/scipag/vulscan

How to Use

sudo nmap -sV --script=vulscan/vulscan.nse <target>

http-pulse_ssl_vpn.nse

Simple NSE script to detect the Pulse Secure SSL VPN file disclosure breach via specially crafted HTTP resource requests. This exploit reads /etc/passwd as a proof of concept. This vulnerability affect (8.1 R15.1, 8.2 before 8.2 R12.1, 8.3 before 8.3 R7.1, and 9.0 before 9.0 R3.4).

Githubhttps://github.com/r00tpgp/http-pulse_ssl_vpn.nse


How to Use

sudo nmap -n -p 443 --script http-pulse_ssl_vpn -n <target>

An example of installing Nmap Vulscan:

In order to follow the below example, you will need to open your terminal and type the following commands:

git clone https://github.com/scipag/vulscan scipag_vulscan
sudo ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

Find Vulnerabilities, Nmap has a lot of features and one of them is a built-in script interpreter called NSE Nmap Scripting Engine.

Find Vulnerabilities, Nmap has a lot of features and one of them is a built-in script interpreter called NSE Nmap Scripting Engine.

sudo nmap -sV --script=vulscan/vulscan.nse <target>

Hacking the NSE Libraries

Libraries often accidentally make use of global variables when a local scope was intended. The scripts that make use of library functions which unintentionally use the same global variable will find that variable constantly rewritten.

This is a very serious bug that can cause NSE to stall or a correct script to spectacularly fail. Another common bug is due to the use by Lua of global-by-default scope assignment when it encounters a variable.

Consider a global variable being used by two different scripts, within the library, to hold sockets or data. When one script is yielded after storing data in the variable, another script awakens only to replace that data. In contrast, a local variable would store the information on the stack of the running script separate from others.

To help correct this problem, NSE now uses an adapted library from the standard Lua distribution called strict.lua. The library will raise a runtime error on any access or modification of a global variable that was undeclared in the file scope. A global variable is considered declared if the library makes an assignment to the global name in the file scope.

If you areplanning to write a Nmap NSE script yourself

Then these NSE Libraries can help you further. All scripts used by NSE are written in an embedded scripting language called Lua.


IMPORTANT THINGS TO REMEMBER

  • This article was written for educational purposes and pentest only.
  • The author can not be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • This information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember, Performing any hacks without written permission is illegal ..!

Read also the Disclaimer..!


Finally

If you have any questions about this article, any feedback, suggestions if you want to share your thoughts, please feel free to do it using the below comment form.

Written by

23   Posts

My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open source"
View All Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Do NOT follow this link or you will be banned from the site!