Nmap scripting engine

Nmap now has an scripting engine, that allows users to write their own custom scripts that can perform various scanning tasks in an automated fashion. This provides a powerful way to code a multi-step complex scanner using the inbuilt features of nmap. There are already many scripts available along with nmap that have been developed and submitted by the community. Details about the existing nmap scripts can be found here.

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

The scripts basically use nmap's own scanning features, but in an automated and programmatic manner like calling an external library.

In this post we shall take a look at some of the scripts that can be used to perform "information gathering" on domain names and ip addresses.

1. Find geo location of an ip address or domain

Nmap has multiple scripts to get the geo location of an ip address. To use them issue a command like this

$ nmap -Pn -p80 --script ip-geolocation-* 8.8.8.8 Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:11 IST Nmap scan report for 8.8.8.8 Host is up. PORT STATE SERVICE 80/tcp filtered http Host script results: | ip-geolocation-geobytes: | 8.8.8.8 | coordinates (lat,lon): 40.7488,-73.9846 |_ city: New York, New York, United States Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds

As can be seen in the output, the latitude, longitude,city and country have been detected from the ip address. It uses web services like geoplugin, ipinfodb and geobytes to find the location.

2. Dns bruteforcing

This tool attempts to enumerate DNS hostnames by brute force guessing of common subdomains. Here is a sample usage.

$ nmap -p80 --script dns-brute insecure.org Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:41 IST Nmap scan report for insecure.org (74.207.254.18) Host is up (0.33s latency). rDNS record for 74.207.254.18: web.insecure.org PORT STATE SERVICE 80/tcp open http Host script results: | dns-brute: | DNS Brute-force hostnames | www.insecure.org - 74.207.254.18 | mx0.insecure.org - 74.207.254.18 | lab.insecure.org - 74.207.254.18 | corp.insecure.org - 74.207.254.18 | whois.insecure.org - 74.207.254.18 | www.insecure.org - 2600:3c01:0:0:f03c:91ff:fe96:967c | mail.insecure.org - 64.13.134.2 | intranet.insecure.org - 74.207.254.18 | mx1.insecure.org - 74.207.254.18 | ssl.insecure.org - 74.207.254.18 | ldap.insecure.org - 74.207.254.18 | mysql.insecure.org - 74.207.254.18 | crs.insecure.org - 74.207.254.18 | linux.insecure.org - 74.207.254.18 | secure.insecure.org - 74.207.254.18 | sql.insecure.org - 74.207.254.18 .............

But since this tool uses a predefined list of subdomains to query for, it is limited. However can be useful sometimes.

3. Find other domains hosted on the same ip address or on same server of a host

During information gathering it is often needed to know what other domains are hosted on a certain server. The easiest way to do this is to use the bing search engine. To find domains hosted on a certain ip address we have to search for the following on bing.com

ip:aaa.bbb.ccc.ddd

The same thing can be automated with nmap to produce results in a neat format. There is a nse script that does the same thing and can be downloaded here.

Download the script and save it in the scripts directory of nmap. On linux the directory is generally

/usr/share/nmap/scripts/

otherwise use any of the following commands to find the exact location

find / -name '*.nse' locate *.nse

Once the http-reverse-ip.nse script is saved in the nmap scripts directory, use it like this

$ nmap -Pn -p80 --script http-reverse-ip nmap.org Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-04 14:30 IST Nmap scan report for nmap.org (74.207.254.18) Host is up (0.30s latency). rDNS record for 74.207.254.18: web.insecure.org PORT STATE SERVICE 80/tcp open http | http-reverse-ip: | nmap.org | sectools.org | insecure.org | seclists.org |_cgi.insecure.org Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds

So it lists out all domains that are on the same ip address as that of nmap.org.

Resources