
SYSADMIN: Nmap Scripting

SCAN TIME
Automated penetration testing with Nmap's new scripting engine

Nmap is rolling out a new scripting engine to automatically investigate vulnerabilities that turn up in a security scan. We'll show you how to protect your network with Nmap and NSE.

BY ERIC AMBERG (ISSUE 87, FEBRUARY 2008)

Nmap is the tool of choice for penetration testing [1]. Experts use Nmap to search out security holes and scan for open network services. But what happens when you find a problem? Many administrators prefer to follow up the discovery with additional tests. For instance, if Nmap finds an http service, why not query to determine the web server version?

Thus far, administrators have written their own scripts to parse Nmap output files – a slow and time-consuming process. The Nmap project recently decided it was time to introduce a scripting engine so that users could automate Nmap functions into custom scripts. Fyodor, the Nmap project leader, placed the development of this scripting engine in the capable hands of Diman Todorov. The result is the Nmap Scripting Engine (NSE) [2], which has been an integral part of Nmap since version 4.21.

NSE extends the core functionality of the Nmap scanner, providing detailed information on services such as NFS, SMB, or RPC. You can also use NSE to search for active systems using domain lookups, Whois searches, or other network discovery techniques. To discover backdoors, NSE checks any version strings it detects against regular expressions – a useful option for pen testers who want to check existing vulnerabilities by launching exploits. However, the developers point out that Nmap is not looking to compete with the Metasploit framework [3].

NSE provides an easy means for building automated solutions around Nmap. The NSE option works well for small to mid-sized networks. Tools such as Nessus [4], GFI LANguard [5], or ISS Internet Scanner [6] might be better suited for large-scale scanning operations. You can download the NSE source code from the project server [1] or check out your distributor's repository for a binary.

NSE is built on the Lua interpreted scripting language [7]. Lua is designed to work with software written in other languages, such as C or C++. Lua, which is based on ANSI C, owes its flexibility to the fact that most functions are available in the form of libraries. This approach makes it easy to extend the functional scope by binding the required modules. In addition, the Lua interpreter has a very small footprint; even commercial games (including World of Warcraft) rely on Lua.

A Lua interpreter forms the core of NSE (see Figure 1). When Nmap detects a host or port, it calls the Lua interpreter with a matching script to leverage the abilities of the Lua language and Nmap-specific functions from the NSE library. The NSE library provides additional Nmap-related features that Lua doesn't offer, such as tools for evaluating and manipulating IP addresses, using Perl-compatible regular expressions, or manipulating URLs.

Figure 1: A combination of NSE scripts, Nmap libraries, and new Lua calls extends the functional scope of the classic Nmap tool. (Diagram elements: Scanned Host; Nmap with Nmap Scripting Engine; NSE Script; Nmap API; Lua Extensions.)

The pre-built scripts attend to common tasks often associated with Nmap. For example, if the scanner discovers that TCP port 80 is open and if the pre-built showHTMLTitle.nse script is available, a call to the script is issued. The script queries the web server's front page and displays the header (see Figure 2). Several pre-built scripts are available in /usr/share/nmap/scripts.

Lua makes intensive use of data structures in tables. Tables contain attribute-value pairs, and they can also contain subtables. For example, NSE uses the host and port tables to access Nmap scan results. A registry table that all scripts can read and write to resides above all scripts. This design lets scripts exchange data.

NSE in Action

Nmap and NSE use the Nmap API to exchange information, including the target host name, the operating system and IP address, the port number, and the port status. The API also lets users call Nmap's socket functions for network communications. An extension that lets users send custom packets is due for release in the near future.

Nmap starts by checking whether it can reach ports on a host. In case of a TCP scan, the tool will ascertain the port status, which could be open, closed, or filtered. Once Nmap has detected a port, and assuming NSE has been enabled with the -sC option, the subsystem will attempt to locate a matching script for the test. Scripting rules determine whether Nmap will run an NSE script. These scripting rules specify the conditions under which the script will launch. You can build your own scripts or rely on the pre-built scripts included with NSE.

Categories

NSE organizes scripts in categories to allow for more granular control. The defined script categories are safe and intrusive, malware, version, discovery, and vulnerability. Scripts that NSE categorizes as safe are very unlikely to cause problems on the scan target. The scripts in the intrusive category are unlikely to cause damage, but will attempt to use default passwords to access systems, and thus they are more likely to generate log entries on the scan target.

Scripts in the malware and vulnerability categories test the scan targets for malware and known vulnerabilities. The version category plays a special role: scripts in this category, which are enabled by the -sV command-line option, extend Nmap's version detection capabilities. Their output is no different from standard Nmap output; the script is not referenced in the report generated by the scan. The discovery category includes scripts that are designed to find out more about the target host or network by querying various services (including SNMP or LDAP).

The --script argument specifies the categories, directories, and individual scripts for NSE to integrate and execute. A comma-separated list of values is possible. Nmap starts by searching for a category with the specified name; if the search fails, Nmap then looks for a directory with the same name and binds any scripts ending in .nse. If this search also fails, Nmap searches for an individual script of the same name. For example, the command-line option --script discovery,malware binds the categories discovery and malware. A database file titled script.db in the scripts subdirectory maps scripts to individual categories. Admins can update the file by entering --script-updatedb after adding scripts. If you set the -sC flag, only scripts from the categories safe and intrusive are executed.

Your Own NSE Scripts

An example will make it easier to understand the structure of an NSE script. Most built-in scripts are kept simple – normally smaller than 100 lines including comments. The ripeQuery.nse script in Listing 1 should give you some idea of how Lua and NSE work. The script queries an address for an entry in the RIPE network registration system [8].

An NSE script consists of three components: the header defines the script name in the Nmap output, the script category, and the run level. The rule specifies the conditions under which the script is executed. The action component calls the functions that handle the actual tasks. Authors can implement all three sections of the script in Lua.

Each NSE script has a header that comprises four descriptive details. The id contains the script name and is used for Nmap output; description is a short description; and author names the author. The interpreter does not process the license field. A script will only run under specific conditions.

[...] (host, port) function. The function again expects host and port as arguments. In line 16, the script first creates a new TCP/IP socket, then defines the local variables status, line, and result. Line 20,

    socket:connect("whois.ripe.net", 43)

tells the script to connect to the RIPE database, which responds to TCP port 43 requests. The Whois service expects an IP address in dotted-quad notation. The code socket:send(host.ip .. "\n") sends the IP address. The query line must be terminated by a newline character. To allow this to happen, the concatenation operator .. adds \n to the IP address for the scanned host parsed from host.ip. Inside an infinite loop beginning in line 23,

    local status, lines = socket:receive_lines(1)

reads the response from the RIPE database until the data input dries up. The Boolean variable status shows whether the connection is still delivering data. If this is not so, break in line 27 quits the loop. The parsed response is available in lines, and result accumulates the

Listing 1: ripeQuery.nse (excerpt; only these lines are reproduced here)

    01 require "ipOps"
    02
    03 id = "RIPE query"
    [...]
    23 while true do
    24   local status, lines = socket:receive_lines(1)
    [...]

Figure 2: In new script mode (option -sC), Nmap calls external scripts. Nmap has detected that port 80 is open, so the tool chips in to query the heading of the website it has discovered and displays the results. The figure also shows NSE detecting the NetBIOS names of a target.
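To see the header, rule, and action described above together in one working file, here is an added whois lookup script written in the NSE style the article describes; it is not the magazine's Listing 1 or a script from the Nmap project, and it assumes that ipOps.isPrivate() and the nmap.new_socket() connect/send/receive_lines/close calls behave as the text explains.

```lua
-- whoisLookup.nse: added example (not the magazine's Listing 1, not an Nmap
-- project script). Assumed, as the article describes them: the ipOps library
-- with ipOps.isPrivate(), and nmap.new_socket() with connect/send/
-- receive_lines/close.
require "ipOps"

-- Header: id is what Nmap prints; the interpreter ignores the license field.
id = "Whois lookup"
description = "Queries the RIPE registry over whois (TCP/43) for the scanned IP."
author = "example author"
license = "example license"
categories = {"discovery"}   -- picked up via script.db, e.g. --script discovery

-- Rule: run once per host, but skip private addresses, which no public
-- registry can answer for (saves a pointless connection per RFC 1918 host).
hostrule = function(host, port)
    return not ipOps.isPrivate(host.ip)
end

-- Action: send the dotted-quad IP terminated by a newline, collect the reply.
action = function(host, port)
    local socket = nmap.new_socket()
    local result = ""
    local status, err = socket:connect("whois.ripe.net", 43)
    if not status then
        -- Report the failure instead of silently producing no output.
        return "whois connection failed: " .. tostring(err)
    end
    socket:send(host.ip .. "\n")
    while true do
        -- status turns false once the server stops delivering data.
        local status, lines = socket:receive_lines(1)
        if not status then break end
        result = result .. lines
    end
    socket:close()
    -- Extract the netname: attribute; say so plainly when there is no record.
    local netname = string.match(result, "netname:%s*([^\n]+)")
    if netname == nil then
        return "no whois record found for " .. host.ip
    end
    return "IP belongs to: " .. netname
end
```

Drop the file into /usr/share/nmap/scripts, run nmap with --script-updatedb once, and select it with --script discovery or by its file name; note that -sC alone will not run it, since that flag only covers the safe and intrusive categories.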