2012-01-13

NMAP Scripts for your entertainment.


::The following info was taken from http://nmap.org/book/nse.html  

WHAT IS IT?
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

Scripts are written in the embedded Lua programming language. The language itself is well documented in the books Programming in Lua, Second Edition and Lua 5.1 Reference Manual. The reference manual is also freely available online, as is the first edition of Programming in Lua. Given the availability of these excellent general Lua programming references, this document only covers aspects and extensions specific to Nmap's scripting engine.

HOW DO I USE IT?
NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output. Two types of scripts are supported: service and host scripts. Service scripts relate to a certain open port (service) on the target host, and any results they produce are included next to that port in the Nmap output port table. Host scripts, on the other hand, run no more than once against each target IP and produce results below the port table.

SHOW ME WHAT TO TYPE...
Example 1 shows a typical script scan. Service scripts producing output in this example are ssh-hostkey, which provides the system's RSA and DSA SSH keys, and rpcinfo, which queries portmapper to enumerate available services. The only host script producing output in this example is smb-os-discovery, which collects a variety of information from SMB servers. Nmap discovered all of this information in a third of a second. 

Example 1. Typical NSE output

# nmap -sC -p22,111,139 -T4 localhost
 
Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)
|_ 2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)
111/tcp open rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100024 1 56454/udp status
|_ 100000 2,3,4 111/tcp rpcbind
139/tcp open netbios-ssn
Host script results:
| smb-os-discovery: Unix
| LAN Manager: Samba 3.0.31-0.fc8
|_ Name: WORKGROUP
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
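Reading that output back mechanically is a useful exercise in the service/host split described above. The shell function below is an added example, not code from the Nmap book or from this post: it scans Nmap's normal (-oN) output, tracks which port line (or the "Host script results:" header) the following script lines belong to, and uses the "|" / "|_" convention (a "|_" line closes the current script's block, so the next "|" line carries a new script's name) to list which script produced output in which scope. The sample input is the Example 1 output as captured on this page; the names nse_summary and SAMPLE_NMAP_OUTPUT are chosen here.

```sh
#!/bin/sh
# Added example (not from the Nmap book or this post): summarise which NSE
# scripts produced output in Nmap's normal output, per port, plus host scripts.
# Service-script results sit under their port line; host-script results follow
# "Host script results:". A script's block ends at a "|_" line, so the next "|"
# line starts a new script and carries its name.

# Sample input: the Example 1 output from the post, as captured there.
SAMPLE_NMAP_OUTPUT='Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)
|_ 2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)
111/tcp open rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100024 1 56454/udp status
|_ 100000 2,3,4 111/tcp rpcbind
139/tcp open netbios-ssn
Host script results:
| smb-os-discovery: Unix
| LAN Manager: Samba 3.0.31-0.fc8
|_ Name: WORKGROUP
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds'

# nse_summary: reads Nmap normal output on stdin and prints one
# "<port|host> <script-name>" line per script that produced output.
# Handles both the multi-line layout ("| name:" ... "|_ ...") shown above and
# the single-line layout "|_name: result" that Nmap uses for short results.
nse_summary() {
    awk '
        /^[0-9]+\/(tcp|udp|sctp) /   { scope = $1;     expect = 1; next }
        /^Host script results:/       { scope = "host"; expect = 1; next }
        /^\|/ {
            last = ($0 ~ /^\|_/)          # a "|_" line closes the current script block
            if (expect) {                 # first line of a block carries the script name
                line = $0
                sub(/^\|_? */, "", line)  # strip the "| " or "|_" prefix
                split(line, f, ":")       # name is everything before the first colon
                print scope, f[1]
                expect = 0
            }
            if (last) expect = 1          # next "|" line (if any) starts a new script
            next
        }
    '
}

# Usage: nmap -sC -oN scan.txt <target>; nse_summary < scan.txt
# or, on the embedded sample: printf "%s\n" "$SAMPLE_NMAP_OUTPUT" | nse_summary
```

On the sample this prints "22/tcp ssh-hostkey", "111/tcp rpcinfo" and "host smb-os-discovery", i.e. exactly the three scripts the text above says produced output. The parser only understands normal output; for anything beyond a quick triage, Nmap's XML output (-oX) is the format to parse, since it carries script ids and output as proper elements.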


I DO NOT HAVE TIME TO WRITE MY OWN SCRIPTS!!
Listed below are the built-in scripts shipped with Nmap 5.61TEST4 (released January 2012):

address-info.nse
afp-brute.nse
afp-ls.nse
afp-path-vuln.nse
afp-serverinfo.nse
afp-showmount.nse
amqp-info.nse
asn-query.nse
auth-owners.nse
auth-spoof.nse
backorifice-brute.nse
backorifice-info.nse
banner.nse
bitcoin-getaddr.nse
bitcoin-info.nse
bitcoinrpc-info.nse
bittorrent-discovery.nse
broadcast-avahi-dos.nse
broadcast-db2-discover.nse
broadcast-dhcp-discover.nse
broadcast-dns-service-discovery.nse
broadcast-dropbox-listener.nse
broadcast-listener.nse
broadcast-ms-sql-discover.nse
broadcast-netbios-master-browser.nse
broadcast-novell-locate.nse
broadcast-pc-anywhere.nse
broadcast-pc-duo.nse
broadcast-ping.nse
broadcast-rip-discover.nse
broadcast-sybase-asa-discover.nse
broadcast-upnp-info.nse
broadcast-wake-on-lan.nse
broadcast-wpad-discover.nse
broadcast-wsdd-discover.nse
citrix-brute-xml.nse
citrix-enum-apps-xml.nse
citrix-enum-apps.nse
citrix-enum-servers-xml.nse
citrix-enum-servers.nse
couchdb-databases.nse
couchdb-stats.nse
creds-summary.nse
cvs-brute-repository.nse
cvs-brute.nse
daap-get-library.nse
daytime.nse
db2-das-info.nse
db2-discover.nse
dhcp-discover.nse
dns-blacklist.nse
dns-brute.nse
dns-cache-snoop.nse
dns-fuzz.nse
dns-nsec-enum.nse
dns-random-srcport.nse
dns-random-txid.nse
dns-recursion.nse
dns-service-discovery.nse
dns-update.nse
dns-zeustracker.nse
dns-zone-transfer.nse
domcon-brute.nse
domcon-cmd.nse
domino-enum-users.nse
dpap-brute.nse
drda-brute.nse
drda-info.nse
epmd-info.nse
finger.nse
firewalk.nse
ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
ganglia-info.nse
giop-info.nse
gopher-ls.nse
hadoop-datanode-info.nse
hadoop-jobtracker-info.nse
hadoop-namenode-info.nse
hadoop-secondary-namenode-info.nse
hadoop-tasktracker-info.nse
hbase-master-info.nse
hbase-region-info.nse
hddtemp-info.nse
hostmap.nse
http-affiliate-id.nse
http-apache-negotiation.nse
http-auth.nse
http-awstatstotals-exec.nse
http-axis2-dir-traversal.nse
http-backup-finder.nse
http-barracuda-dir-traversal.nse
http-brute.nse
http-cakephp-version.nse
http-cors.nse
http-date.nse
http-default-accounts.nse
http-domino-enum-passwords.nse
http-email-harvest.nse
http-enum.nse
http-favicon.nse
http-form-brute.nse
http-google-malware.nse
http-grep.nse
http-headers.nse
http-iis-webdav-vuln.nse
http-joomla-brute.nse
http-litespeed-sourcecode-download.nse
http-majordomo2-dir-traversal.nse
http-malware-host.nse
http-method-tamper.nse
http-methods.nse
http-open-proxy.nse
http-open-redirect.nse
http-passwd.nse
http-php-version.nse
http-put.nse
http-robots.txt.nse
http-robtex-reverse-ip.nse
http-title.nse
http-trace.nse
http-unsafe-output-escaping.nse
http-userdir-enum.nse
http-vhosts.nse
http-vmware-path-vuln.nse
http-vuln-cve2011-3192.nse
http-vuln-cve2011-3368.nse
http-waf-detect.nse
http-wordpress-brute.nse
http-wordpress-enum.nse
http-wordpress-plugins.nse
iax2-version.nse
imap-brute.nse
imap-capabilities.nse
informix-brute.nse
informix-query.nse
informix-tables.nse
ip-geolocation-geobytes.nse
ip-geolocation-geoplugin.nse
ip-geolocation-ipinfodb.nse
ip-geolocation-maxmind.nse
ipidseq.nse
ipv6-node-info.nse
irc-botnet-channels.nse
irc-brute.nse
irc-info.nse
irc-unrealircd-backdoor.nse
iscsi-brute.nse
iscsi-info.nse
jdwp-version.nse
krb5-enum-users.nse
ldap-brute.nse
ldap-novell-getpass.nse
ldap-rootdse.nse
ldap-search.nse
lexmark-config.nse
lltd-discovery.nse
maxdb-info.nse
metasploit-xmlrpc-brute.nse
modbus-discover.nse
mongodb-databases.nse
mongodb-info.nse
ms-sql-brute.nse
ms-sql-config.nse
ms-sql-dump-hashes.nse
ms-sql-empty-password.nse
ms-sql-hasdbaccess.nse
ms-sql-info.nse
ms-sql-query.nse
ms-sql-tables.nse
ms-sql-xp-cmdshell.nse
mysql-audit.nse
mysql-brute.nse
mysql-databases.nse
mysql-empty-password.nse
mysql-info.nse
mysql-users.nse
mysql-variables.nse
nat-pmp-info.nse
nbstat.nse
ncp-enum-users.nse
ncp-serverinfo.nse
nessus-brute.nse
netbus-auth-bypass.nse
netbus-brute.nse
netbus-info.nse
netbus-version.nse
nexpose-brute.nse
nfs-ls.nse
nfs-showmount.nse
nfs-statfs.nse
nping-brute.nse
nrpe-enum.nse
ntp-info.nse
ntp-monlist.nse
omp2-brute.nse
omp2-enum-targets.nse
openlookup-info.nse
openvas-otp-brute.nse
oracle-brute.nse
oracle-enum-users.nse
oracle-sid-brute.nse
ovs-agent-version.nse
p2p-conficker.nse
path-mtu.nse
pgsql-brute.nse
pjl-ready-message.nse
pop3-brute.nse
pop3-capabilities.nse
pptp-version.nse
qscan.nse
quake3-info.nse
quake3-master-getservers.nse
realvnc-auth-bypass.nse
resolveall.nse
reverse-index.nse
rexec-brute.nse
rlogin-brute.nse
rmi-dumpregistry.nse
rpcinfo.nse
rtsp-methods.nse
rtsp-url-brute.nse
script.db
servicetags.nse
sip-brute.nse
sip-enum-users.nse
skypev2-version.nse
smb-brute.nse
smb-check-vulns.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smbv2-enabled.nse
smtp-brute.nse
smtp-commands.nse
smtp-enum-users.nse
smtp-open-relay.nse
smtp-strangeport.nse
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse
sniffer-detect.nse
snmp-brute.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse
socks-open-proxy.nse
sql-injection.nse
ssh-hostkey.nse
ssh2-enum-algos.nse
sshv1.nse
ssl-cert.nse
ssl-enum-ciphers.nse
ssl-google-cert-catalog.nse
ssl-known-key.nse
sslv2.nse
stuxnet-detect.nse
svn-brute.nse
targets-ipv6-multicast-echo.nse
targets-ipv6-multicast-invalid-dst.nse
targets-ipv6-multicast-slaac.nse
targets-sniffer.nse
targets-traceroute.nse
telnet-brute.nse
telnet-encryption.nse
tftp-enum.nse
unusual-port.nse
upnp-info.nse
vnc-brute.nse
vnc-info.nse
vuze-dht-info.nse
wdb-version.nse
whois.nse
wsdd-discover.nse
x11-access.nse
xmpp-brute.nse
xmpp-info.nse

Nmap 5.61TEST4 on Android

Since Fyodor released Nmap 5.61TEST4, I had to compile it for Android as well. Nmap works on both rooted and non-rooted phones. On non-rooted phones you will be limited to functions which are possible as a non-root user (i.e. no OS fingerprinting, SYN scan, etc.).
Google released android-ndk-r5b, which has the infamous output problem fixed. Therefore, the nmap Android binary now works perfectly. Also, the new NDK implements (almost) all of C++, so Crystax is not needed any more. In short, that means the build process is much simplified.


Download
It is available at the usual location:
http://ftp.linux.hr/android/nmap/nmap-5.61TEST4-android-arm-bin.tar.bz2
Note that it is statically built for Android on the arm architecture. Therefore, you should build from source if you are using a platform other than standard arm.

How should you install it?

  • extract nmap-5.61TEST4-android-arm-bin.tar.bz2 into the opt directory at the root of the storage location, i.e. /sdcard/opt:
    cd /sdcard/opt
    tar xvjf nmap-5.61TEST4-android-arm-bin.tar.bz2
  • check that you have the following directory structure: /sdcard/opt/nmap-5.61TEST4
    ls /sdcard/opt/nmap-5.61TEST4
  • As you cannot execute from the sdcard by default, you have to copy the nmap binaries from bin/ to somewhere you can execute them. If you did not root the Android device, /data/data/jackpal.androidterm/nmap is probably a good place, as you will probably run nmap from the terminal. You can still keep the data files and scripts on the VFAT sdcard; you only need to copy the nmap bin directory to somewhere you have execute permissions (your phone, /sd-ext, /data/data/jackpal.androidterm, … depending on your type of phone/ownership).
  • For example, on a non-rooted Android you should do something like this (as cp is not available on most Android phones):
    mkdir /data/data/jackpal.androidterm/nmap
    cat /sdcard/opt/nmap-5.61TEST4/bin/nmap > /data/data/jackpal.androidterm/nmap/nmap
  • run nmap
    /data/data/jackpal.androidterm/nmap/nmap 127.0.0.1
  • that’s it

Compilation
You need a Linux-based OS, as we have tested building it on Linux only. The scripts build an arm-based binary; you need to modify the build in order to compile it for other platforms.
Download the Android helper Makefile and patches here:
http://ftp.linux.hr/android/nmap/nmap-5.61TEST4-android-src.tar.bz2
Extract it into the Nmap directory, so that you have an android directory inside the nmap directory. Go to nmap-dir/android and run make.
You can run “make doit”, which will automatically download the Android NDK (~40 Mb) and build nmap. If you already have the NDK installed, edit android/Makefile to set the NDK path and run “make havendk”.
Note: the patches are not perfect. Some of them are kludgy until the nmap devs decide how they want to proceed with patches.
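The install steps above (extract the tarball, check the tree, copy only the binary somewhere executable with cat, run it) collected into one shell function, as an added example that is not part of the original post. Assumed here: /sdcard as the storage root, the tarball and nmap-5.61TEST4 directory names from the post, and the terminal app's data directory /data/data/jackpal.androidterm/nmap as the default destination; the function takes both paths as arguments so it can also be tried on a desktop against a stand-in binary.

```sh
#!/bin/sh
# Added example (not part of the post): the non-rooted install steps above as
# one shell function. Assumed defaults: storage root /sdcard, the 5.61TEST4
# tarball name from the post, and the terminal app's data directory as the
# executable destination. Meant to be run from the Android terminal.

NMAP_VER="5.61TEST4"
TARBALL="nmap-${NMAP_VER}-android-arm-bin.tar.bz2"

# install_nmap_android [STORAGE_ROOT] [DEST_DIR]
#   1. extracts STORAGE_ROOT/opt/$TARBALL in place if the tree is not there yet
#   2. checks that STORAGE_ROOT/opt/nmap-$NMAP_VER/bin/nmap exists
#   3. copies only the nmap binary into DEST_DIR with cat (cp is missing on many
#      Android images) and marks it executable; data files and scripts stay on
#      the sdcard
# Prints the path of the installed binary; returns non-zero if a step fails.
install_nmap_android() {
    root="${1:-/sdcard}"
    dest="${2:-/data/data/jackpal.androidterm/nmap}"
    opt="$root/opt"
    src="$opt/nmap-$NMAP_VER"

    # Step 1: extract, but only if the tarball is present and not yet unpacked.
    if [ -f "$opt/$TARBALL" ] && [ ! -d "$src" ]; then
        ( cd "$opt" && tar xjf "$TARBALL" ) \
            || { echo "extraction of $TARBALL failed" >&2; return 1; }
    fi

    # Step 2: check the directory structure. The sdcard is VFAT, so the file is
    # never marked executable there; test for existence only.
    [ -f "$src/bin/nmap" ] \
        || { echo "expected $src/bin/nmap, not found" >&2; return 1; }

    # Step 3: copy the binary to a location where execution is allowed.
    mkdir -p "$dest" || return 1
    cat "$src/bin/nmap" > "$dest/nmap" || return 1
    chmod 755 "$dest/nmap" || return 1
    echo "$dest/nmap"
}

# Step 4, usage on the phone:
#   bin=$(install_nmap_android) && "$bin" 127.0.0.1
```

If the copied binary then cannot find its data files (nmap-services, the scripts/ directory), Nmap's NMAPDIR environment variable can be pointed at the directory on the sdcard that holds them, since only the binary was moved.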

Wiki
I’ve made pages for Nmap on Android and Kindle on https://secwiki.org, so you can always find up-to-date information regarding these two ports there:
https://secwiki.org/w/Nmap/Android
https://secwiki.org/w/Nmap/Kindle
Good luck and let me know if it works for you!