
Mastering the Nmap Scripting Engine (e-book)


Author: Paulino Calderón Pale

Publisher: Packt Publishing

Publication date: 2015-02-18

Word count: 1.341 million

If you want to learn to write your own scripts for the Nmap Scripting Engine, this is the book for you. It is perfect for network administrators, information security professionals, and even Internet enthusiasts who are familiar with Nmap.

Mastering the Nmap Scripting Engine

Table of Contents

Mastering the Nmap Scripting Engine

Credits

About the Author

Acknowledgments

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. Introduction to the Nmap Scripting Engine

Installing Nmap

Building Nmap from source code

Keeping Nmap up to date

Running NSE scripts

Script categories

NSE script selection

Selecting by script name or category

Selecting by filename or folder

Advanced script selection with expressions

NSE script arguments

Loading script arguments from a file

Forcing the execution of NSE scripts

Debugging NSE scripts

Scan phases and NSE

NSE script rules

Applications of NSE scripts

Information-gathering

Collecting UPNP information

Finding all hostnames resolving to the same IP address

Advanced host discovery

Discovering hosts with broadcast pings

Listening to your LAN to discover targets

Password auditing

Brute-forcing MySQL passwords

Brute-forcing SMTP passwords

Vulnerability scanning

Detecting insecure MySQL server configurations

Detecting web servers vulnerable to slow denial-of-service attacks

Detecting SSL servers vulnerable to CVE-2014-3566

Setting up a development environment

Halcyon IDE

Adding new scripts

Summary

2. Lua Fundamentals

Quick notes about Lua

Comments

Dummy assignments

Indexes

Semantics

Coercion

Safe language

Booleans

Flow control structures

Conditional statements – if-then, else, and elseif

Loops – while

Loops – repeat

Loops – for

Data types

String handling

Character classes

Magic characters

Patterns

Captures

Repetition operators

Concatenation

Finding substrings

String repetition

String length

Formatting strings

Splitting and joining strings

Common data structures

Tables

Arrays

Linked lists

Sets

Queues

Custom data structures

http-enum database

http-default-accounts

I/O operations

Modes

Opening a file

Reading a file

Writing a file

Closing a file

Coroutines

Creating a coroutine

Executing a coroutine

Determining the running coroutine

Getting the status of a coroutine

Yielding a coroutine

Metatables and metamethods

Arithmetic metamethods

Relational metamethods

Summary

3. NSE Data Files

Locating your data directory

Data directory search order

Username and password lists used in brute-force attacks

Username dictionaries

Password dictionaries

Web application auditing data files

http-fingerprints.lua

http-sql-errors.lst

http-web-files-extensions.lst

http-devframework-fingerprints.lua

http-folders.txt

vhosts-default.lst

wp-plugins.lst

DBMS-auditing data files

mysql-cis.audit

oracle-default-accounts.lst

oracle-sids

Java Debug Wire Protocol data files

JDWPExecCmd.java

JDWPSystemInfo.class

Other NSE data files

mygroupnames.db

rtsp-urls.txt

snmpcommunities.lst

ssl-ciphers

ssl-fingerprints

ike-fingerprints.lua

tftplist.txt

Other Nmap data files

Summary

4. Exploring the Nmap Scripting Engine API and Libraries

Understanding the structure of an NSE script

Other NSE script fields

Author

License

Dependencies

A sample NSE script

Exploring environment variables

Accessing the Nmap API

NSE arguments

Host table

Port table

Exception handling in NSE scripts

The NSE registry

Writing NSE libraries

Extending the functionality of an NSE library

NSE modules in C/C++

Exploring other popular NSE libraries

stdnse

openssl

target

shortport

creds

vulns

http

Summary

5. Enhancing Version Detection

Understanding version detection mode in NSE

Phases of version detection

Adjusting the rarity level of a version scan

Updating the version probes database

Taking a closer look at the file format

Excluding scanned ports from version detection

Using fallbacks to match other version probes

Getting to know post-processors

Nmap Scripting Engine

SSL

Writing your own version detection scripts

Defining the category of a version detection script

Defining the portrule of a version detection script

Updating the port version information

Setting the match confidence level

Examples of version detection scripts

NSE script – modbus-discover

NSE script – ventrilo-info

NSE script – rpc-grind

Summary

6. Developing Brute-force Password-auditing Scripts

Working with the brute NSE library

Selecting a brute mode

Implementing the Driver class

Passing library and user options

Returning valid accounts via Account objects

Handling execution errors gracefully with the Error class

Reading usernames and password lists with the unpwdb NSE library

Managing user credentials found during scans

Writing an NSE script to launch password-auditing attacks against the MikroTik RouterOS API

Summary

7. Formatting the Script Output

Output formats and Nmap Scripting Engine

XML structured output

Implementing structured output in your scripts

Printing verbosity messages

Including debugging information

The weakness of the grepable format

NSE script output in the HTML report

Summary

8. Working with Network Sockets and Binary Data

Working with NSE sockets

Creating an NSE socket

Connecting to a host using NSE sockets

Sending data using NSE sockets

Receiving data using NSE sockets

Closing NSE sockets

Example script – sending a payload stored in a file over a NSE socket

Understanding advanced network I/O

Opening a socket for raw packet capture

Receiving raw packets

Sending packets to/from IP and Ethernet layers

Manipulating raw packets

Packing and unpacking binary data

Building Ethernet frames

Raw packet handling and NSE sockets

Summary

9. Parallelism

Parallelism options in Nmap

Scanning multiple hosts simultaneously

Increasing the number of probes sent

Timing templates

Parallelism mechanisms in Lua

Coroutines

Working with coroutines

Parallelism mechanisms in NSE

NSE threads

Condition variables

Mutexes

Consuming TCP connections with NSE

Summary

10. Vulnerability Detection and Exploitation

Vulnerability scanning

The exploit NSE category

Exploiting RealVNC

Detecting vulnerable Windows systems

Exploiting the infamous heartbleed vulnerability

Exploiting shellshock in web applications

Reporting vulnerabilities

Using the vulns library in your NSE scripts

Summary

A. Scan Phases

B. NSE Script Template

Other templates online

C. Script Categories

D. Nmap Options Mind Map

E. References

Index
