{"id":11158,"date":"2019-03-09T22:59:33","date_gmt":"2019-03-09T22:59:33","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11158"},"modified":"2019-03-09T22:59:33","modified_gmt":"2019-03-09T22:59:33","slug":"how-to-use-nmap-script-engine-nse-scripts-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/09\/how-to-use-nmap-script-engine-nse-scripts-in-linux\/","title":{"rendered":"How to Use Nmap Script Engine (NSE) Scripts in Linux"},"content":{"rendered":"<p><a href=\"https:\/\/www.tecmint.com\/nmap-command-examples\/\" target=\"_blank\" rel=\"noopener\">Nmap<\/a>\u00a0is a popular, powerful and cross-platform command-line network security scanner and exploration tool. It can also help you get an overview of the systems connected to your network; you can use it to\u00a0<a href=\"https:\/\/www.tecmint.com\/find-live-hosts-ip-addresses-on-linux-network\/\" target=\"_blank\" rel=\"noopener\">find out all IP addresses of live hosts<\/a>,\u00a0<a href=\"https:\/\/www.tecmint.com\/find-open-ports-in-linux\/\" target=\"_blank\" rel=\"noopener\">scan open ports and services running<\/a>\u00a0on those hosts, and so much more.<\/p>\n<p>One of the interesting features of Nmap is the\u00a0<strong>Nmap Script Engine<\/strong>\u00a0(<strong>NSE<\/strong>), which brings even more flexibility and efficiency to it. 
It enables you to write your own scripts in the\u00a0<strong>Lua<\/strong>\u00a0programming language, and possibly share these scripts with other Nmap users out there.<\/p>\n<p><strong>Read Also<\/strong>:\u00a0<a href=\"https:\/\/www.tecmint.com\/nmap-command-examples\/\" target=\"_blank\" rel=\"noopener\">29 Practical Examples of Nmap Commands for Linux<\/a><\/p>\n<p>There are four types of NSE scripts, namely:<\/p>\n<ul>\n<li><strong>Prerule scripts<\/strong>\u00a0\u2013 are scripts that run before any of Nmap\u2019s scan operations; they are executed when Nmap hasn\u2019t gathered any information about a target yet.<\/li>\n<li><strong>Host scripts<\/strong>\u00a0\u2013 are scripts executed after Nmap has performed normal operations such as host discovery, port scanning, version detection, and OS detection against a target host.<\/li>\n<li><strong>Service scripts<\/strong>\u00a0\u2013 are scripts run against specific services listening on a target host.<\/li>\n<li><strong>Postrule scripts<\/strong>\u00a0\u2013 are scripts run after Nmap has scanned all of its target hosts.<\/li>\n<\/ul>\n<p>These scripts are also grouped under various categories, including those for authentication (<strong>auth<\/strong>), discovering hosts (<strong>broadcast<\/strong>), brute force attacks to guess authentication credentials (<strong>brute<\/strong>), discovering more about a network (<strong>discovery<\/strong>), causing a denial of service (<strong>dos<\/strong>), exploiting some vulnerability (<strong>exploit<\/strong>), etc. A number of scripts belong to the default category.<\/p>\n<p><strong>Note<\/strong>: Before we move any further, you should take note of these key points:<\/p>\n<ul>\n<li>Do not execute scripts from third parties without critically looking through them, unless you trust the authors. 
This is because these scripts are not run in a sandbox and thus could unexpectedly or maliciously damage your system or invade your privacy.<\/li>\n<li>Secondly, many of these scripts may possibly run as either a\u00a0<strong>prerule<\/strong>\u00a0or\u00a0<strong>postrule<\/strong>\u00a0script. Considering this, it is recommended to use a prerule for purposes of consistency.<\/li>\n<li>Nmap uses the\u00a0<strong>scripts\/script.db<\/strong>\u00a0database to figure out the available default scripts and categories.<\/li>\n<\/ul>\n<p>To see the location of all available NSE scripts, run the\u00a0<a href=\"https:\/\/www.tecmint.com\/linux-locate-command-practical-examples\/\" target=\"_blank\" rel=\"noopener\">locate utility<\/a>\u00a0on the terminal, like this (the pattern is quoted so the shell does not expand the glob itself):<\/p>\n<pre><strong>$ locate \"*.nse\"<\/strong>\r\n\r\n\/usr\/share\/nmap\/scripts\/acarsd-info.nse\r\n\/usr\/share\/nmap\/scripts\/address-info.nse\r\n\/usr\/share\/nmap\/scripts\/afp-brute.nse\r\n\/usr\/share\/nmap\/scripts\/afp-ls.nse\r\n\/usr\/share\/nmap\/scripts\/afp-path-vuln.nse\r\n\/usr\/share\/nmap\/scripts\/afp-serverinfo.nse\r\n\/usr\/share\/nmap\/scripts\/afp-showmount.nse\r\n\/usr\/share\/nmap\/scripts\/ajp-auth.nse\r\n\/usr\/share\/nmap\/scripts\/ajp-brute.nse\r\n\/usr\/share\/nmap\/scripts\/ajp-headers.nse\r\n\/usr\/share\/nmap\/scripts\/ajp-methods.nse\r\n\/usr\/share\/nmap\/scripts\/ajp-request.nse\r\n\/usr\/share\/nmap\/scripts\/allseeingeye-info.nse\r\n\/usr\/share\/nmap\/scripts\/amqp-info.nse\r\n\/usr\/share\/nmap\/scripts\/asn-query.nse\r\n...\r\n<\/pre>\n<p>NSE scripts are loaded using the\u00a0<code>--script<\/code>\u00a0flag, which also allows you to run your own scripts by providing categories, script file names, or the name of directories where your scripts are located.<\/p>\n<p>The syntax for enabling scripts is as follows:<\/p>\n<pre>$ nmap -sC target     #load default scripts\r\nOR\r\n$ nmap --script filename|category|directory|expression,...   
target    \r\n<\/pre>\n<p>You can view a description of a script with the\u00a0<code>--script-help<\/code>\u00a0option. Additionally, you can pass arguments to some scripts via the\u00a0<code>--script-args<\/code>\u00a0and\u00a0<code>--script-args-file<\/code>\u00a0options; the latter is used to provide a filename rather than a command-line argument.<\/p>\n<p>To perform a scan with most of the default scripts, use the\u00a0<code>-sC<\/code>\u00a0flag or alternatively use\u00a0<code>--script=default<\/code>\u00a0as shown.<\/p>\n<pre>$ nmap -sC scanme.nmap.org\r\nOR\r\n$ nmap --script=default scanme.nmap.org\r\nOR\r\n$ nmap --script default scanme.nmap.org\r\n<\/pre>\n<h5>Sample Output<\/h5>\n<pre>Starting Nmap 7.01 ( https:\/\/nmap.org ) at 2017-11-15 10:36 IST\r\nNmap scan report for scanme.nmap.org (45.33.32.156)\r\nHost is up (0.0027s latency).\r\nNot shown: 999 filtered ports\r\nPORT   STATE SERVICE\r\n80\/tcp open  http\r\n|_http-title: Go ahead and ScanMe!\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 11.74 seconds\r\n<\/pre>\n<p>To use a script for the appropriate purpose, you can first of all get a brief description of what it actually does, for instance\u00a0<strong>http-headers<\/strong>.<\/p>\n<pre>$ nmap --script-help http-headers scanme.nmap.org\r\n<\/pre>\n<h5>Sample Output<\/h5>\n<pre>Starting Nmap 7.01 ( https:\/\/nmap.org ) at 2017-11-15 10:37 IST\r\n\r\nhttp-headers\r\nCategories: discovery safe\r\nhttps:\/\/nmap.org\/nsedoc\/scripts\/http-headers.html\r\n  Performs a HEAD request for the root folder (\"\/\") of a web server and displays the HTTP headers returned.\r\n<\/pre>\n<h3>Loading NSE Scripts To Perform Nmap Scans<\/h3>\n<p>You can select or load scripts to perform a scan using the different methods explained below.<\/p>\n<h4>Using Script Name<\/h4>\n<p>Once you know what a script does, you can perform a scan using it. You can use one script or enter a comma-separated list of script names. 
The command below will enable you to view the HTTP headers configured on the web server at the target host.<\/p>\n<pre>$ nmap --script http-headers scanme.nmap.org\r\n<\/pre>\n<div class=\"code-label\">Scan HTTP Headers<\/div>\n<pre>Starting Nmap 7.01 ( https:\/\/nmap.org ) at 2017-11-15 10:39 IST\r\nNmap scan report for scanme.nmap.org (45.33.32.156)\r\nHost is up (0.27s latency).\r\nNot shown: 996 closed ports\r\nPORT      STATE    SERVICE\r\n22\/tcp    open     ssh\r\n80\/tcp    open     http\r\n| http-headers: \r\n|   Date: Wed, 15 Nov 2017 05:10:04 GMT\r\n|   Server: Apache\/2.4.7 (Ubuntu)\r\n|   Accept-Ranges: bytes\r\n|   Vary: Accept-Encoding\r\n|   Connection: close\r\n|   Content-Type: text\/html\r\n|   \r\n|_  (Request type: HEAD)\r\n179\/tcp   filtered bgp\r\n31337\/tcp open     Elite\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 20.96 seconds\r\n<\/pre>\n<h4>Using Categories<\/h4>\n<p>You can also load scripts from one category or from a comma-separated list of categories. 
In this example, we are using all scripts in the default and broadcast categories to carry out a scan on the host\u00a0<strong>192.168.56.1<\/strong>.<\/p>\n<pre>$ nmap --script default,broadcast 192.168.56.1\r\n<\/pre>\n<div id=\"attachment_27868\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/11\/Scan-a-Host-using-Nmap.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-27868\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/11\/Scan-a-Host-using-Nmap.png\" sizes=\"auto, (max-width: 912px) 100vw, 912px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/11\/Scan-a-Host-using-Nmap.png 912w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/11\/Scan-a-Host-using-Nmap-768x722.png 768w\" alt=\"Scan a Host \" width=\"912\" height=\"857\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Scan a Host<\/p>\n<\/div>\n<h4>Using * Wildcard<\/h4>\n<p>This is useful when you want to select scripts with a given name pattern. For example, to load all scripts with names starting with\u00a0<strong>ssh-<\/strong>, run the command below on the terminal (the pattern is quoted so the shell passes it to Nmap unchanged):<\/p>\n<pre>$ nmap --script \"ssh-*\" 192.168.56.1\r\n<\/pre>\n<div id=\"attachment_27869\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/11\/Load-Scripts-Using-Wildcards-.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-27869\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2017\/11\/Load-Scripts-Using-Wildcards-.png\" alt=\"Load Scripts Using Wildcards-\" width=\"672\" height=\"382\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Load Scripts Using Wildcards-<\/p>\n<\/div>\n<h4>Using Boolean Expressions<\/h4>\n<p>You can also select scripts using boolean expressions, which you can build using the\u00a0<strong>and<\/strong>,\u00a0<strong>or<\/strong>, and\u00a0<strong>not<\/strong>\u00a0operators. 
Names in a Boolean expression may be a category, a filename from\u00a0<strong>script.db<\/strong>, or all.<\/p>\n<p>The following command will load scripts from the default or broadcast categories.<\/p>\n<pre>$ nmap --script \"default or broadcast\" 192.168.56.10\r\n<\/pre>\n<p>Which is equivalent to:<\/p>\n<pre>$ nmap --script default,broadcast 192.168.56.10\r\n<\/pre>\n<p>To load all scripts omitting those in the\u00a0<strong>vuln<\/strong>\u00a0category, run this command on the terminal.<\/p>\n<pre>$ nmap --script \"not vuln\" 192.168.56.10\r\n<\/pre>\n<p>The next command looks a little complicated but is easy to understand: it selects scripts in the default or broadcast categories, leaving out those with names starting with ssh-:<\/p>\n<pre>$ nmap --script \"(default or broadcast) and not ssh-*\" 192.168.56.10\r\n<\/pre>\n<p>Importantly, it is possible to combine categories, script names, a directory containing your custom scripts or a boolean expression to load scripts, like this:<\/p>\n<pre>$ nmap --script broadcast,vuln,ssh-auth-methods,\/path\/to\/custom\/scripts 192.168.56.10\r\n<\/pre>\n<h4>Passing Arguments to NSE Scripts<\/h4>\n<p>Below is an example showing how to pass arguments to scripts with the\u00a0<strong>--script-args<\/strong>\u00a0option:<\/p>\n<pre>$ nmap --script mysql-audit --script-args \"mysql-audit.username='root', \\\r\nmysql-audit.password='password_here', mysql-audit.filename='nselib\/data\/mysql-cis.audit'\"\r\n<\/pre>\n<p>To pass a port number, use the\u00a0<strong>-p<\/strong>\u00a0nmap option:<\/p>\n<pre>$ nmap -p 3306 --script mysql-audit --script-args \"mysql-audit.username='root', \\\r\nmysql-audit.password='password_here', mysql-audit.filename='nselib\/data\/mysql-cis.audit'\"\r\n<\/pre>\n<p>The above command runs an audit of the MySQL database server security configuration against parts of the\u00a0<strong>CIS MySQL v1.0.2<\/strong>\u00a0benchmark. 
You can also create your own custom audit files for other MySQL audits.<\/p>\n<p>That\u2019s it for now. You can find more information in the nmap man page or check out\u00a0<a href=\"https:\/\/nmap.org\/book\/nse-usage.html\" target=\"_blank\" rel=\"nofollow noopener\">NSE Usage<\/a>.<\/p>\n<p>To get started with writing your own NSE scripts, check out this guide:\u00a0<a href=\"https:\/\/nmap.org\/book\/nse-tutorial.html\" target=\"_blank\" rel=\"nofollow noopener\">https:\/\/nmap.org\/book\/nse-tutorial.html<\/a><\/p>\n<h5>Conclusion<\/h5>\n<p><strong>Nmap<\/strong>\u00a0is a really powerful and useful tool that every system or network administrator needs in his\/her security arsenal \u2013\u00a0<strong>NSE<\/strong>\u00a0simply adds more efficiency to it.<\/p>\n<p>In this article, we introduced you to the\u00a0<strong>Nmap Script Engine<\/strong>, and looked at how to find and use the various available scripts under different categories. If you have any questions, do not hesitate to write back to us via the comment form below.<\/p>\n<p>&nbsp;<br \/>\n<a href=\"https:\/\/www.tecmint.com\/use-nmap-script-engine-nse-scripts-in-linux\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nmap\u00a0is a popular, powerful and cross-platform command-line network security scanner and exploration tool. It can also help you get an overview of the systems connected to your network; you can use it to\u00a0find out all IP addresses of live hosts,\u00a0scan open ports and services running\u00a0on those hosts, and so much more. 
One of the interesting features &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/09\/how-to-use-nmap-script-engine-nse-scripts-in-linux\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to Use Nmap Script Engine (NSE) Scripts in Linux&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11158","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11158"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11158\/revisions"}],"predecessor-version":[{"id":11159,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11158\/revisions\/11159"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}