Nmap Script Engine (NSE)

Last Updated : 29 Aug, 2025

The Nmap Scripting Engine (NSE) enhances Nmap by enabling users to run or create Lua-based scripts that automate advanced scanning tasks, including vulnerability detection, brute-force testing, service discovery, and information gathering.

Where are NSE Scripts stored?

When you install Nmap, it comes with a large collection of pre-installed NSE (Nmap Scripting Engine) scripts. These scripts are stored in a specific directory on your system.

Default path:

/usr/share/nmap/scripts/

For listing them:

ls /usr/share/nmap/scripts/ | head
Note that you do not need to create NSE scripts to use them: Nmap ships with hundreds by default.

Nmap (Network Mapper) is an open-source tool used to discover hosts and services on a computer network. It is one of the most powerful and flexible port scanners available today. On operating systems such as Ubuntu or Kali Linux, Nmap can be installed easily using the package manager.

For example, a basic service version detection scan can be performed using:

nmap -sV <target-ip>

Figure: Nmap Script Engine

Working with Nmap Script Engine(NSE) Scripts

1. We can discover all the connected devices in the network using the command 

sudo netdiscover

2. The netdiscover output shows a MAC vendor of VMware, Inc., which is our Metasploitable 2 machine. Now we can start an Nmap scan. The Nmap command shown here is:

nmap -sV -T4 192.168.1.6

where:

  • -sV enables service version detection.
  • -T4 selects the timing template, i.e. the speed of the Nmap scan.

3. The result shows the services and versions running on Metasploitable 2, but what if we want to gather more information about the target? This is where NSE is useful. NSE allows users to write simple scripts that automate a wide variety of networking tasks; those scripts are then executed in parallel, with speed and efficiency. NSE scripts are written in a programming language called Lua.

4. To use NSE scripts we pass the -sC flag, or we can use --script to run specific scripts.

Figure: Nmap running with default scripts

5. The Nmap command for default service scan is 

nmap -sC -T4 192.168.147.132

6. Comparing the results of the service version scan (-sV) with the default script scan shows many differences. Take port 21 (FTP): the version scan returns only the version, whereas the script scan also detected that anonymous login is allowed, because the Lua script actually attempted an anonymous login to verify it. The drawback of script scans is that they can be intrusive: the script engages directly with the target, and firewalls and IDS may block the requests, although Nmap is powerful enough to perform scans that bypass such filters. -sC is equivalent to --script=default.

7. Nmap's scripts are grouped into categories such as default, safe and others. With the -sC flag, whenever Nmap discovers an open port it runs the default-category scripts that apply to that port and returns their results. That is why the results differ between the two scans: many scripts run under the -sC flag alone.

Figure: Location of NSE scripts

8. Nmap's scripts are located at /usr/share/nmap/scripts/. There are more than 600 NSE scripts available for different ports, created by the open-source community. You can refresh Nmap's script database (script.db, the index of installed scripts and their categories) with the following command:

nmap --script-updatedb

Figure: checking all available scripts for a port

9. If we want to check the available scripts for a port, we can grep the script listing for that service name.

10. ftp-anon.nse is the NSE script used to detect anonymous login in FTP servers. This script is part of the default scripts for port 21. That's the reason we obtained the anonymous login allowed result while using -sC flag.
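The script database that --script-updatedb rebuilds is a plain-text list of `Entry { filename = ..., categories = { ... } }` records, which is what -sC consults to find default-category scripts. The following is an added example (not code from the article or from the Nmap project) that parses a constructed excerpt of script.db and answers the questions from steps 7 to 10: which ftp- scripts exist, which of them run under -sC, and which are marked intrusive.

```python
import re

# Constructed excerpt of /usr/share/nmap/scripts/script.db (sample data, not
# the real file; the real index has more than 600 entries).
SCRIPT_DB = '''
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
'''

# One Entry record: filename, then the brace-delimited category list.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {script filename: set of categories} from script.db text."""
    scripts = {}
    for match in ENTRY_RE.finditer(text):
        name = match.group(1)
        # Categories are quoted strings; the trailing comma is harmless.
        categories = set(re.findall(r'"([^"]+)"', match.group(2)))
        scripts[name] = categories
    return scripts


def scripts_for(scripts, prefix=None, category=None):
    """Script names filtered by name prefix (e.g. 'ftp-') and/or category.

    This mirrors grepping the script directory for a service name, but can
    also restrict to a category such as 'default' (what -sC runs).
    """
    selected = []
    for name, categories in sorted(scripts.items()):
        if prefix and not name.startswith(prefix):
            continue
        if category and category not in categories:
            continue
        selected.append(name)
    return selected


def intrusive_scripts(scripts):
    """Scripts that engage the target aggressively and never run under -sC."""
    return [n for n, c in sorted(scripts.items()) if "intrusive" in c]


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    print("ftp scripts:", scripts_for(db, prefix="ftp-"))
    print("ftp scripts run by -sC:", scripts_for(db, prefix="ftp-", category="default"))
    print("intrusive:", intrusive_scripts(db))
```

Category membership is only half the story: a default script still runs only when its portrule matches, which is why ftp-anon.nse fires on port 21 and not elsewhere.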

Figure: Nmap running with a single script to check whether anonymous login is enabled

11. Nmap’s scripting engine is so powerful that it can even exploit known vulnerabilities on a target system. In the example below, we use the ftp-vsftpd-backdoor.nse script against a host running a vulnerable version of the vsFTPd 2.3.4 service. This backdoored version allows attackers to execute arbitrary commands remotely.

nmap -p 21 -T4 192.168.147.132 --script /usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse

Figure: Nmap detecting an RCE

12. To show the help information for a specific NSE script (in this case, ftp-vsftpd-backdoor.nse):

nmap --script-help ftp-vsftpd-backdoor.nse

Figure: Help menu for the ftp-vsftpd-backdoor.nse script

13. To listen on a port using netcat (nc):

nc -nvlp 1234

where -l listens, -p 1234 sets the listening port, -n skips DNS resolution and -v gives verbose output.

Figure: executing the command hostname && id to verify the machine
