Nmap/Script Ideas

From SecWiki

Planned NSE scripts and other ideas. Add new ideas to the "Incoming" section. The "high-priority" section is for ideas that are definitely wanted. "Other ideas" are those that may be accepted with a good implementation and for a good reason. Only Nmap developers should move things into these latter two categories.

You are welcome and encouraged to leave comments below script ideas. You can use one or more ":" before your comment line to cause it to be indented, and you can end a comment with four tildes (~) in a row to fill in your username and the time.

Please include enough information to allow someone to start implementing your idea, including sample output and script arguments.


Incoming

Please add your new script ideas here to the top of this list! They can be discussed here and will also be moved to another section (and potentially discussed further) by the NSE team when they do periodic reviews.

tnfs-ls

A script for listing the files and directories at the root of a TNFS "tiny file system" file share. The TNFS protocol and utilities are optimized for ZX Spectrum users. The TNFS protocol is sometimes referred to as "Spectranet TNFS" after Spectranet, a popular network interface card for the ZX Spectrum. A TNFS server would typically be running on a PC while clients exist for both PC and ZX Spectrum. Communication between client and server is unencrypted. The protocol supports password authentication as well as unauthenticated anonymous connections. However, some (most?) TNFS server implementations simply ignore the credentials, making the service publicly accessible unless the credentials are checked by a 3rd party proxy or firewall.

UPnP IPv6 address discovery

Cisco Talos Intelligence did some awesome work showing that sending a Location header with an IPv6 address to an IPv4 UPnP listener can cause it to connect via IPv6, revealing its IPv6 address. We could do a similar thing with NSE, though we'd have to invent a way to have a listening IPv6 TCP server. Probably worth it to create something like that for NSE.

Bidirectional Forwarding Detection (BFD)

This is an interesting UDP protocol that seems to be in widespread use. There's a 3-way handshake, a few authentication methods, and an echo function that could be explored. Specifically, I'd like to see a nmap-payloads UDP payload for the no-auth Init message, and maybe a script to identify unauthenticated services. Auth bruteforcing is probably not really feasible since the protocol just discards incorrect auth attempts, including incorrect auth type; unless you get it right, you get nothing from the service to even know if it's present.

Netgear RAIDar

Netgear's RAIDiator storage system uses some sort of broadcast discovery. They publish a tool called RAIDar to do this. We should try to replicate this. https://kb.netgear.com/20684/ReadyNAS-Downloads

mysql-vuln-cve2017-3599.nse

This script can DoS an Oracle MySQL server from version 5.6.13 through 5.7.17. It doesn't require authentication. The script is here: https://github.com/nmap/nmap/pull/877.

langserver-info

This script would attempt to extract a list of files, versions, and other high-level information from a server that implements Language Server Protocol. Script args should be supported that would cause additional information -- chunks of source code, ideally -- to be exported.

warpcopy64-info

This is a bit tongue in cheek, but I thought it would be interesting if nmap recognized the WarpCopy64 server and printed a file listing or other similar info about the files available on the C64 disk drive. There is some information available on the project's home page. I did not find any protocol documentation, but I assume it is a relatively simple protocol and could be easily reverse-engineered by looking at the network traffic with Wireshark. I started a thread on retro computing Stack Exchange about running Warpcopy64 on an emulator.

websocket-discovery

The script should try connecting to a web server using the WebSocket protocol. It would probably make sense to first implement generic WebSocket support as an NSE library. Connecting to a WebSocket service requires a resource name and a protocol name. There is a list of registered protocol names available from IANA. Of course there might also be popular protocols that are unregistered. The resource names are a lot more problematic. I assume the script could try connecting to the root resource by default, but in that case it won't be able to connect to WebSockets under other resource names. I guess it would also be possible to gather a list of typical resource names used for certain protocols.

This was already begun, but initial critique showed lots of places to expand: http://seclists.org/nmap-dev/2015/q1/134

tls-cert-transparency

Google's Certificate Transparency project can be used to audit CAs and detect when they issue bad certs. RFC 6962 has the details on the protocol. An NSE script could act as a TLS client, verify the Signed Certificate Timestamp (Section 5.2), and potentially audit the log.

ssl-ocsp-check

Use OCSP to check a SSL certificate's revocation status. (Currently in progress by Mak Kolybabi.)

ftp-syst

FTP servers often support the SYST command, which can report the OS version or other useful information. We could report this directly, but it would also be great to support parsing of common results and reporting OS type and CPE. Ref: https://cr.yp.to/ftp/syst.html (Currently in progress by Jay Smith.)

Mikrotik winbox protocol

Mikrotik RouterOS can be administered with a tool called winbox, which connects to the router on port 8291. It communicates with a binary protocol. There are a few example matches in nmap-service-probes, but without a better understanding of the protocol, we can't really match it well. It'd be great if we could extract any pre-auth info from the service, and even better if we could write a brute-forcing script for it.

DANE checking and verification

Checking whether DANE is configured properly would be a great use of NSE, combining our DNS and SSL NSE libraries into a useful script that could help security researchers and domain administrators alike.

In progress as dnssec-check-config: https://github.com/nmap/nmap/pull/497

Punycode, IDN, and public suffix handling

DNS names have all sorts of special rules and things that we would like to handle better. We need routines to do this in dns.lua. Public suffix handling could replace the (outdated) whitelist of TLDs in dns-zone-transfer.nse. Punycode handling could even be extended to detection of terminal encoding in Nmap itself. But one thing at a time.

Other reverse-DNS record type lookups

Wikipedia says that there are some records other than PTR that get stored in the in-addr.arpa or ip6.arpa tree. KEY, IPSECKEY, SSHFP, TLSA, etc. could be looked up based on the target's IP address. Code to parse these record types is already in dns-zone-transfer.nse, and should probably be moved into dns.lua.

TLS-SRP and TLS-PSK scripts and enhancements

As pointed out, Nmap can't do much with TLS-SRP or TLS-PSK, since the server can determine from the ClientHello whether or not the PSK identity is even supported. The unique "unknown_psk_identity" alert message could be used by ssl-enum-ciphers to determine that some sort of PSK is in use, but not much more than that. We could write scripts to brute-force the PSK identity (or SRP username).

`openflow-info` and service probe

OpenFlow software-defined switch looks like it may divulge information in reply to a feature request or description request packet. TLS with client certs may be used, but no other authentication is described, so very likely open in many cases. A good nmap-service-probes Probe would let us pull information without invoking NSE, but we would want one that can get a response from any of the 5 protocol versions. (Currently in review by Jay Smith and Mak Kolybabi.)

`tls-poodle` or expand `ssl-poodle` to do testing

The POODLE vulnerability (padding oracle attack on SSLv3.0) has been shown to affect some TLS implementations which do not check cryptographic padding. This is a more challenging thing to check for than original POODLE, since that affected any SSLv3.0 implementation with CBC ciphersuites enabled. We would have to actually start a TLS session and then alter the padding on an otherwise-valid record. Due to the cryptography involved, this would probably require binding some low-level TLS functions from OpenSSL to NSE, but I'm not sure that any of them write records to a buffer instead of to a socket. If it were made to work, the same technique could be used to verify POODLE on SSLv3.0.

`targets-xml`, `targets-gnmap`, etc.

Using the targets library, we could use NSE scripts to input host lists directly from Nmap XML or Grepable output formats.

  • Update: targets-xml exists now, but there is room for improvement: host filters, etc.

OS fingerprint analysis

A hostrule script to analyze unidentified OS fingerprints, looking for signs of middlebox interference. Would require updating the NSE API to pass the OS fingerprint like we do for unidentified services.

RIPv1, RIPv2, and RIPng scripts

RIPv1 is especially interesting because it's being used for DDoS reflection. We have a UDP payload for scanning, but it might not be working properly. We have no service fingerprints or softmatches for any of these related services, so that would be an important part of this effort. Particular script ideas:

  • Print the list of routes. Doesn't need authentication in some cases (RIPv1, some RIPv2, others?)
  • RIPv2 brute-forcing. This could be tough because the action when authentication is incorrect is to just ignore.
  • Packet decoder for broadcast-listener.nse

tftp-version

Service version detection (-sV) doesn't work on TFTP because it sends replies with a different source port than it listens on. A simple script would send a request for a random file and receive the response, marking the port as open and tftp if it gets one. It could be extended to send corrupted requests and distinguish versions based on the responses; examples that we already match because they use source port 69/udp: (Currently in review by Mak Kolybabi.)

nbd-info

Network Block Device description is here: https://github.com/yoe/nbd/blob/3923c514321694ef7feebe20e2bc0022db93417c/doc/proto.txt (Currently in review by Mak Kolybabi.)

dns-any-query

DNS ANY queries (rcode 255) are being seen used as amplifiers in DDoS attacks (https://isc.sans.edu/diary.html?storyid=19419). They behave differently depending on whether the DNS server is authoritative or not. Just like our other DNS scripts, this one could be run in several ways:

  • as a prerule script with script args specifying the name to query and the server to query against (and newtargets support)
  • as a hostrule script with script args specifying the dns server to query against for the target's hostname
  • as a portrule script that runs on dns servers discovered, with script args specifying the name to query or just using the target name to determine support for the ANY query.

(In progress by Erhad Husovic)

SSL Labs API query script

Our own ssl-enum-ciphers is great, but SSL Labs is really the reference implementation. Now they have an API that can be queried to perform this kind of assessment, and we should have a script to query it as well, subject to appropriate licensing. http://blog.ivanristic.com/2015/01/ssl-labs-apis-now-available-beta.html

ssl-known-ca

See http://seclists.org/nmap-dev/2015/q1/202 for discussion. Would check whether an SSL service is using a certificate signed by one of a set of CA certificates or orgs. See also the eDellRoot certificate fiasco.

CPE adder

Lots of service matches look like this:

   match http m|^.*<address>Apache/([\d.]+) \([^)]+\) ?(.*) Server at ([-\w_.]+) Port \d+</address>\n</body></html>\n|si p/Apache httpd/ v/$1/ i/$2/ h/$3/ cpe:/a:apache:http_server:$1/

Meaning that all the module and language versions like (mod_security/2.8 Perl/5.8.8) are not being turned into CPE entries. A script could look in the extrainfo section for Software/version and turn known software into cpe:/a:vendor:software:version for consumers of that sort of structured data (lots of vulnerability scanners, etc.). We don't currently have a way for scripts to add this information, but that could come later. Actually, it is easy to put CPE info in the version table via nmap.set_port_version.
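As an added illustration (not an existing Nmap script), this NSE sketch implements the idea above: it pulls "Name/version" tokens out of extrainfo, maps the ones in a small illustrative table to cpe:/a:vendor:product:version, and writes them back through nmap.set_port_version. The KNOWN table and the script name are assumptions for the example.

```lua
-- Added example (not Nmap's own code): an NSE script sketch for the "CPE adder"
-- idea. It scans the service extrainfo field for "Name/version" tokens and adds
-- cpe:/a:vendor:product:version entries for software in a small known table.
local nmap = require "nmap"
local table = require "table"

description = [[
Derives extra CPE entries from "Software/version" tokens in the extrainfo
field of version-detected services (added example, not an official script).
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}

-- Illustrative mapping from the name as it appears in extrainfo to the
-- CPE vendor/product pair. Names not listed here are ignored; extend it
-- after checking the official CPE dictionary for the exact vendor/product.
local KNOWN = {
  openssl = {"openssl", "openssl"},
  php     = {"php", "php"},
  perl    = {"perl", "perl"},
  python  = {"python", "python"},
}

-- Returns a list of CPE strings derived from one extrainfo string, e.g.
-- "(Unix) mod_security/2.8 PHP/5.2.6 Perl/5.8.8" ->
-- {"cpe:/a:php:php:5.2.6", "cpe:/a:perl:perl:5.8.8"}
-- (mod_security is skipped because it is not in KNOWN).
function extract_cpes(extrainfo)
  local cpes = {}
  if not extrainfo then return cpes end
  -- A token is a software name followed by "/" and a version that starts
  -- with a digit; trailing tags such as "-fips" are cut off by the pattern.
  for name, ver in extrainfo:gmatch("([%a][%w_%-]*)/(%d[%w%.]*)") do
    local entry = KNOWN[name:lower()]
    if entry then
      cpes[#cpes + 1] = ("cpe:/a:%s:%s:%s"):format(entry[1], entry[2], ver:lower())
    end
  end
  return cpes
end

-- Only services that version detection annotated with extrainfo are interesting.
portrule = function(host, port)
  return port.version ~= nil and port.version.extrainfo ~= nil
end

action = function(host, port)
  local new = extract_cpes(port.version.extrainfo)
  if #new == 0 then return nil end

  -- Merge into the existing CPE list without creating duplicates.
  port.version.cpe = port.version.cpe or {}
  local seen = {}
  for _, c in ipairs(port.version.cpe) do seen[c] = true end
  local added = {}
  for _, c in ipairs(new) do
    if not seen[c] then
      seen[c] = true
      table.insert(port.version.cpe, c)
      table.insert(added, c)
    end
  end
  if #added == 0 then return nil end

  -- Push the enriched version table back so it appears in -sV output and XML.
  nmap.set_port_version(host, port, "hardmatched")
  return added
end
```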

OpenWebNet discovery

Home automation stuff. Simple text-based protocol. May be layered over HTTP, but at least one service fingerprint submission had it running directly over 20000/tcp.

gdbserver-info

gdbserver has no authentication and can result in remote code injection. See Metasploit's exploit module for instance. (Currently in progress by Mak Kolybabi.)

NSE-based port scanning

As briefly described on the GSoC ideas page, NSE could be leveraged for port scanning. This would let us quickly implement new techniques and possibly release nmap's core of certain of its older and not parallel modules. A patch is being developed in nmap-exp/henri/nmap-nseportscan. --Henri 14:39, 12 June 2012 (PDT)

xserver-screenshot, xserver-keylogger, xserver-xwininfo

Open X servers are great sources of information. xserver-screenshot could take screenshots of the open X display (due to image processing and saving files to disk, this could be difficult to implement). xserver-keylogger would use either of 2 techniques (polling or registering) to capture keystrokes until a timeout (See xspy for the more complete polling method, or xkey for the simpler key-register method). xserver-xwininfo could pull information about windows on the X display, including title, geometry, color depth, etc.

APC PowerChute

APC PowerChute uses port 3052/udp to communicate UPS status to servers in order to gracefully shut down when power failure is imminent. May be able to add a section to broadcast-listener for pulling information out of broadcast packets. There may also be a unicast protocol between the UPS and apcupsd running on a server. References: [1] [2]

High-priority

These are scripts which we're sure we want, and as soon as possible, please! :)

HTML parsing

We need a library to do HTML parsing. Currently we do pseudo-parsing using string matching and patterns. Some early implementations:

An HTML library should be able to do what these scripts do:

The slaxml.lua library is probably loose enough to handle this task, but someone should confirm.

Update: Giacomo Mantani wrote an initial try, but it hasn't been reviewed: http://seclists.org/nmap-dev/2016/q3/52

http-mirror

Use the http spider to crawl the remote site and save the pages to a local directory (presumably specified by NSE args). Maybe in the future, httpspider.lua can take an NSE arg which allows it to run "against" a local cache created by http-mirror, so you could run things like http-grep or http-email-harvest against that local copy rather than continuing to hammer the site. One minor issue is that Lua doesn't offer a native way to create directories, so we'd probably have to write a simple wrapper which does an os.exec call on mkdir and deals with proper file separation char, etc.

  • User:Gyani implemented the bulk of this in http-fetch.nse, though additional work would be needed to make an actual mirroring tool. Our discussion during GSoC 2015 was that Nmap does not need to fill this role.

Solid Candidates

These are scripts which the Nmap NSE team considers likely to be incorporated into Nmap if someone submits a well written version to the nmap-dev list.

IPsec IKE enumeration

For some examples of what we can do, see ike-scan. The documentation could serve as ideas for scripts. We already have a UDP payload for IKE, but it just sets the port as open and can't do any more. An IKE detection script could also be better because it could set the source port to 500, potentially and/or use a randomize initiator cookie and try more cipher combinations. See the comments in nmap-payloads. --Nevdull77 07:09, 26 July 2011 (PDT)

SSH Key Acceptance Checker

This script takes one or more SSH public or private (w/o passphrase) keys and checks whether target SSH servers accept any of those keys for authentication purposes. Metasploit has a useful script which does this, known as ssh_identify_pubkeys, which HD Moore also discusses in this blog post. We may want to use a library like ssh2; see also this related entry.

Update: This has been implemented as part of the libssh2 integration begun by Devin in GSoC 2015 and continued by Sergey in GSoC 2016: http://seclists.org/nmap-dev/2016/q3/231

deluge-rpc-brute

Script that will brute force authentication on Deluge RPC interface (communication is done with zlib compressed messages, which will need to be implemented). --Duarte Silva 10:27, 3 February 2012 (CST)

We're going to look at implementing zlib as part of the http-git script. --Ron

Microsoft Version Table

Create a function that would take the Windows major and minor version numbers and optionally the build and type and return the long Windows name. As some major and minor version numbers have been used for several Windows versions, e.g. 6.1 is both Windows 2008 and Windows 7, the build could help distinguish between them. Scripts that know the server type (server or client OS) could supply this instead to distinguish between versions. This function could be used to enhance the output of the ndmp-version and smb-mbenum scripts and maybe a few more. --Nevdull77 22:59, 19 February 2012 (PST)

An example of a build number that implies a Windows version, from nmap-os-db

# Version 5.2 (Build 3790.srv03_sp1_gdr.060315-1609 : Service Pack 1)
Fingerprint Microsoft Windows Server 2003 SP1

A list of build numbers:

David 15:41, 5 June 2012 (CDT)

I have been working on this library, currently calling it "osinfo". The library creates name and cpe from a given version string or uname string. Supports a couple of vendor-family combinations, deals well with Microsoft versions.[3]

--Gyani (talk) 21:04, 10 August 2015 (UTC)
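An added example of the lookup function requested in this entry (it is not the osinfo library mentioned above, nor any Nmap code): the major.minor table, the product-type/build-tag disambiguation and the parser for the nmap-os-db "Version x.y (Build ...)" string are all assumptions made for the example.

```lua
-- Added example (not Nmap's own code): a Windows name lookup keyed on
-- major.minor, disambiguated by the product type or the build lab tag, plus a
-- parser for nmap-os-db style "Version 5.2 (Build 3790... : Service Pack 1)".

-- Known major.minor -> {client name, server name}. Where the release shipped
-- under one name only, both columns are the same.
local WINDOWS = {
  ["5.1"] = { client = "Windows XP",     server = "Windows XP" },
  ["5.2"] = { client = "Windows XP x64", server = "Windows Server 2003" },
  ["6.0"] = { client = "Windows Vista",  server = "Windows Server 2008" },
  ["6.1"] = { client = "Windows 7",      server = "Windows Server 2008 R2" },
  ["6.2"] = { client = "Windows 8",      server = "Windows Server 2012" },
  ["6.3"] = { client = "Windows 8.1",    server = "Windows Server 2012 R2" },
}

-- Returns the long name for major.minor. ptype ("client" or "server") decides
-- when known; otherwise the build lab tag (e.g. "srv03_sp1_gdr") is used as a
-- hint, and if nothing decides it both candidates are joined with " or ".
-- sp is the service pack number (0 or nil for none).
function windows_name(major, minor, ptype, build_tag, sp)
  local entry = WINDOWS[("%d.%d"):format(major, minor)]
  if not entry then return nil end
  local name
  if ptype == "server" or ptype == "client" then
    name = entry[ptype]
  elseif build_tag and build_tag:lower():find("srv", 1, true) then
    name = entry.server
  elseif entry.client == entry.server then
    name = entry.client
  else
    name = entry.client .. " or " .. entry.server
  end
  if sp and sp > 0 then name = name .. " SP" .. sp end
  return "Microsoft " .. name
end

-- Parses a string such as
-- "Version 5.2 (Build 3790.srv03_sp1_gdr.060315-1609 : Service Pack 1)"
-- and returns the long name plus the numeric build, here
-- "Microsoft Windows Server 2003 SP1", 3790.
function name_from_version_string(s)
  local major, minor = s:match("Version (%d+)%.(%d+)")
  if not major then return nil end
  local build, tag = s:match("Build (%d+)%.?([%w_]*)")
  local sp = tonumber(s:match("Service Pack (%d+)")) or 0
  return windows_name(tonumber(major), tonumber(minor), nil, tag, sp), tonumber(build)
end

-- Demo: the page's nmap-os-db line, and an ambiguous 6.1 with no type hint.
print(name_from_version_string(
  "Version 5.2 (Build 3790.srv03_sp1_gdr.060315-1609 : Service Pack 1)"))
print(windows_name(6, 1, nil, nil, 0))
```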

wmi-info and wmi-brute

Windows Management Instrumentation. Apparently you can get *all* of system configuration/management information through this service, though it does require authentication. It's pre-installed in Windows 2000 and later. Wikipedia: http://en.wikipedia.org/wiki/Windows_Management_Instrumentation. If the DCOM interface is too problematic, it looks like the information may be available via SOAP using WS-Management (http://en.wikipedia.org/wiki/WS-Management). Fyodor 15:26, 21 March 2012 (CDT) Notes from NSE meeting (05/06/2012)

  • The protocol could be complicated, but it's fully documented.
  • Uses NTLMSSP for auth, a container that supports multiple algorithms.
  • Since the service requires auth, a brute script will be a great addition.

service-os

This script takes service detection output and uses it to make a guess about the operating system and distribution. For example, a server running Apache 2.2.8 and OpenSSH 4.7 is likely to be Ubuntu 8.04 LTS (Hardy Heron). Some services include the distro name already in the output, but those are already mostly handled by service detection. I think the idea is to take, for example, "Apache 2.2.8" and see that it matches some subset of known distributions in a database, then take "OpenSSH 4.7" and see that it matches another subset, and take the intersection of the sets, maybe with some weighting to allow near matches.
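The intersection-with-weighting idea, worked through as an added example (not Nmap code): the DISTROS table is a constructed sample database in which only the Ubuntu 8.04 row comes from this entry; the others and the scoring weights are assumptions.

```lua
-- Added example (not Nmap's own code): the set-intersection idea behind
-- service-os. Each detected product/version is looked up in a small
-- constructed database; distributions that match every service are ranked
-- by a weighted score (exact version = 2, same major.minor = 1).
local table = require "table"

-- Constructed sample database: distribution -> product -> version shipped.
-- The Ubuntu 8.04 values come from the page; the other rows are illustrative.
local DISTROS = {
  ["Ubuntu 8.04 LTS (Hardy Heron)"]  = { apache = "2.2.8",  openssh = "4.7" },
  ["Ubuntu 10.04 LTS (Lucid Lynx)"]  = { apache = "2.2.14", openssh = "5.3" },
  ["Debian 5.0 (Lenny)"]             = { apache = "2.2.9",  openssh = "5.1" },
  ["CentOS 5"]                       = { apache = "2.2.3",  openssh = "4.3" },
}

-- Score how well a shipped version matches an observed one.
local function version_score(observed, shipped)
  if observed == shipped then return 2 end
  local omaj, omin = observed:match("^(%d+)%.(%d+)")
  local smaj, smin = shipped:match("^(%d+)%.(%d+)")
  if omaj and omaj == smaj and omin == smin then return 1 end
  return 0
end

-- services: list of {product, version}, e.g. {{"apache","2.2.8"},{"openssh","4.7"}}.
-- Returns a list of {name=..., score=...} sorted by descending score, keeping
-- only distributions that match (score > 0) every observed service, i.e. the
-- intersection of the per-service candidate sets.
function guess_distro(services)
  local results = {}
  for name, shipped in pairs(DISTROS) do
    local total, all_matched = 0, true
    for _, svc in ipairs(services) do
      local product, version = svc[1], svc[2]
      local s = shipped[product] and version_score(version, shipped[product]) or 0
      if s == 0 then all_matched = false break end
      total = total + s
    end
    if all_matched and #services > 0 then
      results[#results + 1] = { name = name, score = total }
    end
  end
  table.sort(results, function(a, b)
    if a.score ~= b.score then return a.score > b.score end
    return a.name < b.name
  end)
  return results
end

-- Demo: Apache 2.2.8 + OpenSSH 4.7. Lucid, Lenny and CentOS 5 each score 1 on
-- Apache (same 2.2 branch) but 0 on OpenSSH, so only Hardy survives (score 4).
for _, d in ipairs(guess_distro({{"apache", "2.2.8"}, {"openssh", "4.7"}})) do
  print(d.name, d.score)
end
```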


cctv-dvr-brute

Script to detect CCTV DVR video surveillance installations, try to authenticate with default passwords and do a brute-force attack. We should also check whether we can gather additional info from these services. The script itself should be similar to the Metasploit one at http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/scanner/misc/cctv_dvr_login.rb What needs to be done is to see how the authentication is performed and implement brute-forcing using the brute library.


Improvements to duplicates

A postrule script that reports when different target addresses appear to be the same host. This may use results from other scripts. Already handles SSL certs, MAC address, SSH hostkeys, and Netbios names. Other ideas:

  • Matching IP ID sequences.
  • Uptimes.
  • Clock skew.
  • IPv4-mapped and IPv4-compatible IPv6 addresses.

Linux/UNIX local commands over ssh

Being able to do lsof -i remotely would be really useful --Cyberix 15:37, 3 April 2011 (PDT)
This would be very valuable for various kinds of software/os auditing scripts, but looks like a lot of work. --Nevdull77 06:50, 26 July 2011 (PDT)
The libssh library may provide a way to do this that works across several platforms. libssh --Nevdull77 03:52, 13 January 2012 (CST)
Actually libssh2 may be better than libssh since it is BSD licensed rather than LGPL and it is client-only and so probably smaller. I guess we'd have to research the best way to implement (raw or by using a library) Fyodor 16:10, 27 March 2012 (CDT)
Consensus at 6/19/12 NSE meeting seemed to be for C library approach such as libssh2, though we wouldn't rule out other approaches.

Update: This has been implemented as part of Sergey's GSoC 2016 work: http://seclists.org/nmap-dev/2016/q3/231

ssh-brute

Brute force support for the SSH protocol. Of course this is a complex protocol, so we may need to use a library such as libssh2. See the "Linux/UNIX local commands over ssh" entry for more thoughts.

Update: This has been implemented as part of Sergey's GSoC 2016 work: http://seclists.org/nmap-dev/2016/q3/231

Update brute scripts to use brute.lua

There are a number of bruteforce scripts that predate brute.lua. For example, POP3 and smb-brute.nse. It would be nice to update them to take advantage of the new brute.lua library.

  • afp-brute.nse
  • dns-brute.nse
  • drda-brute.nse
  • http-iis-short-name-brute.nse
  • ldap-brute.nse
  • ms-sql-brute.nse
  • netbus-brute.nse
  • oracle-sid-brute.nse
  • pgsql-brute.nse
  • rtsp-url-brute.nse
  • smb-brute.nse
  • snmp-brute.nse

smb-enum-services

List Windows services, like PsService from sysinternals.

bgpmon-info

One would hope that bgpmon provides some useful information. Requires some research to figure out what should be displayed. See http://bgpmon.netsec.colostate.edu/, the protocol draft http://tools.ietf.org/html/draft-cheng-grow-bgp-xml-00, and also http://bgpmon.netsec.colostate.edu/index.php/live-data

--John Bond what information do you see being useful, there are a lot of values to query in the ietf doc, haven't checked out bgpmon yet

---Gorjan Petrovski The BGPMon service advertises changes in BGP data on a certain port, so a client would only have to connect and listen to get the information. The BGPMon message format is XML, so any attempt at implementing such a script should probably be made after we have XML parsing libraries available. The top level structure of the message is called BGP_MESSAGE. It includes structures containing time information (TIME), info about the connection over which the message was transferred (PEERING), BGP-related info (ASCII_MSG/OCTET_MSG), and info about the status of the BGPMon server and its peers (STATUS_MSG). Information which would perhaps be useful in a simple *-info script is the TIME, PEERING and STATUS_MSG. The STATUS_MSG itself contains one of four kinds of messages: QUEUE_STATUS (internal queue), SESSION_STATUS (BGP peering routers), CHAIN_STATUS (peering BGPMon server), BGPMON_STATUS (BGPMon server itself). Out of these four, the CHAIN_STATUS and BGPMON_STATUS would be the main source of info for this kind of script. On the other hand, the BGP info which the BGPMon service advertises could perhaps be used for something wicked :) --John Bond thanks for the info

mbmon-info

A script that connects to an mbmon service revealing health stats of the remote system to the nmap user. The script would be useful for administrators, as it allows gathering statistics of multiple machines with nmap scans. Developing the script requires access to mbmon compatible hardware. The protocol is flexible, making raw use of the protocol easier, but this makes writing clients for it a bit harder. Depending on configuration one of several formats is used over the connection.

http://www.nt.phys.kyushu-u.ac.jp/shimizu/download/download.html

soap.lua and xmlrpc.lua

It'd be handy to have libraries that can speak SOAP or XMLRPC, since many modern servers use those protocols.

Update: the xmlrpc-methods script does XMLRPC, but just uses slaxml directly.

smb-logs

Gather Windows system logs, like PsLogList from sysinternals.

opentracker-stats

The OpenTracker bittorrent tracker provides stats at the address http://<server>/stats?mode=everything. The script should read and parse the stats, and return them in a convenient format.

Mogi57 This tracker is aimed at minimal resource usage and intended to be run on routers (wlan). It's based on libowfat (general purpose APIs). Statistics include info on software version, peers, torrents, seeds, uptime, connections and debugging info. A configuration file is used to set which statistics can be shared. This seems to be a young project, and libowfat looks like it's bleeding-edge. According to Toni, some high profile trackers use it, among which used to be The Pirate Bay before they gave up torrent tracking.

Citrix Access Gateway Command Execution (HTTP) (CVE-2010-4566)

  • Info: the NTLM authentication module of the Citrix Access Gateway allows attackers to execute arbitrary commands via shell metacharacters by sending a specially crafted POST request, more precisely in the password field.
  • Date: Dec 21 2010
  • CVE: CVE-2010-4566
  • Vulnerable versions: 9.2-49.8 and earlier.
  • URLs:
  • cve: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4566
  • vsecurity.com: http://www.vsecurity.com/resources/advisory/20101221-1/
  • exploit-db: http://www.exploit-db.com/exploits/16916/
  • metasploit: citrix_access_gateway_exec.rb

http-contentkeeper-file-download (OSVDB:54551)

Exploits ContentKeeper Web Appliance to download a remote file by abusing the 'mimencode' binary included with the installations.

http-sonicwall-format-dos (OSVDB:54881)

Exploits a format string vulnerability in SonicWALL's SSL-VPN Appliance series 200, 2000 and 4000. We exploit it by sending a string longer than 127 characters.

Note: We need someone with access to this device to take care of this.

radmin-brute

Bruteforce script for the Radmin service (a popular commercial remote computer control service).

Concerns: this service uses the Twofish encryption algorithm for the connection and SRP (RFC 2945) for authentication, so there might be a need for adding external C libraries.
Twofish implementation by Bruce Schneier: http://www.schneier.com/twofish-download.html
Related nmap-dev discussion: http://seclists.org/nmap-dev/2011/q2/341

vulndb

A script which has a database of known vulnerable software versions so that it can list possible vulnerabilities based on Nmap version detection results. Since sometimes software is patched but keeps the same version number, these vulnerability reports will likely be listed as "possible vulnerabilities" rather than sure things. If a more reliable detection method is found for a vuln, it can be moved into its own script. For each vuln we should provide relevant information such as a name, CVE #, and reference link. We could consider trying to use existing vuln DBs for this (license permitting) as in Marc Ruef's script here. But we will probably need to just make our own DB.

Update: Jiayi Ye worked on this in GSOC 2015 and did a lot of improvements to the vulscan script. A summary and analysis of that effort can be found at http://seclists.org/nmap-dev/2015/q3/249 .

backorifice2000-info

Backorifice2000 is a complete rewrite of the Backorifice remote administration application. It supports serious encryption through. The script might be able to use openssl to support some of these. The script may need to ask the user for authentication credentials, but some servers may also run in a null authentication mode.

ipmi-dump-hashes, etc.

IPMI is the basis for Dell's iDRAC, HP iLO, IBM IMM2, etc. HD Moore & co have discovered lots of security problems with the protocol, and it is used all over the place. Metasploit has three scanner modules that already do some of this stuff, but some NSE scripts would put it into more network admins' hands.

Update: Claudiu Perta did a bunch of these for GSoC 2014. These have been committed (ipmi-brute, ipmi-version, ipmi-cipher-zero), but there are other possibilities here.

oracle-dump-hashes

Some broken versions of the Oracle authentication protocol disclose a value that is essentially equivalent to a password hash. A script would dump all these hashes for offline cracking. CVE-2012-3137.

pppoe-enum-auth

Starts PPPoE session against the given PPPoE server and tries to learn whether the server supports PAP/CHAP/EAP. --Nevdull77 11:49, 11 January 2012 (CST) There's code in the library to support this, but it needs some more work before it's done

Sun RPC scripts (rup, rusers, etc)

Specs for these protocols are often distributed in ONC IDL files (.x extension). Some services (like rstatd) respond to broadcast requests. Lots of good information can be pulled from these. yp/NIS will give directory information (passwd, passwd.adjunct, hosts, group, etc). rusers is very similar to finger. Bonsaiviking 12:51, 5 June 2012 (PDT)

svrloc-info

RFC 2608 specifies the Service Location Protocol for automatic service discovery via multicast UDP (may also support unicast and/or TCP). Bonsaiviking 13:12, 5 June 2012 (PDT)

There is a library for this called srvloc.lua and two scripts make use of it broadcast-novell-locate.nse and broadcast-versant-locate.nse. We could probably make a script (srvloc-info) that pulls more generic stuff out though. --Nevdull77 02:53, 6 June 2012 (PDT)

Maybe

These are script ideas that may be eligible for Nmap inclusion if well written, but we have one or more concerns about them. The concerns are listed along with the script idea. Feel free to discuss the idea on this page (you can sign your name with the signature button above the edit field). If you really want a script listed here, don't hesitate to write it and submit it to nmap-dev. We might still accept these into Nmap. And even if we don't, they will be permanently archived in the script archive so you and anyone else who desires them can use them.

http-fingerprints update

Fix the http-fingerprints.lua file indentation, extract the fingerprints listed in the attacks category that are associated with a CVE or OSVDB identifier into their own scripts, taking advantage of the vulnerability library. Add a bunch of new fingerprints. --Duarte Silva 10:27, 3 February 2012 (CST)

This is a good idea, but kind of vague overall (hard to ever say it is "done"), and we need to consider that some vulns really are worth moving to individual scripts where there is true value there, but many others are probably better staying in http-fingerprints.lua. As we identify individual new scripts to write, we can add those as separate entries in incoming/solid candidates/etc. Fyodor 13:58, 5 June 2012 (PDT)

peer-to-peer shared files' vulnerability scanning

With the growing number of peer-to-peer sharing programs out there, sharing (knowingly or otherwise) of important, personal and vulnerable data has increased drastically. It's easy to compromise users who themselves share all the data an attacker wants, so the proposal is to write a script which would scan for the users in all the hubs of a peer-to-peer software (for instance DC++) and list those users who have shared folders like C:/ (the Windows installation folder), AppData (a hidden and very sensitive folder in Windows), .mozilla in Linux and various other vulnerable files and folders, download those folders and compile important data (read: important passwords). This has been done manually, and a script in place would help such exposures to be detected fast and would eventually help the open source sharing software add these detections to their code to prevent users from sharing files that are not meant to be shared.

If this script is going to function by searching the known P2P network hubs themselves, and doesn't relate to any of the targets given to Nmap, it might be better as a standalone script. Further interrogation of P2P nodes discovered by Nmap during its scanning could be quite valuable and warrant NSE scripts, but we'd need more details about how that would work, what protocols, etc. (Per discussion on #nmap IRC, Tue Jun 5 20:22:00 UTC 2012)

pptp-brute

Add a brute force script for the pptp service, supporting authentication using PAP, CHAP and MS-CHAP. --Nevdull77 13:40, 8 March 2012 (PST)

This would be a nice script, but Patrik tried to implement it and ran into technical challenges. More complex protocol than it seems.


Windows installed software (registry/uninstall)

  • Prefetch
  • Registry (uninstall)
  • List folders in c:\program files

This could be partly achieved using the snmp-win32-software script --Nevdull77 06:47, 26 July 2011 (PDT)

SSL renegotiation [4]

Determine whether or not a server supports SSL Renegotiation and is vulnerable to a certain class of attacks.

Might be worth doing, though this is a 2009 bug. Fyodor 16:25, 18 October 2011 (PDT)
TLS renegotiation seems to be a troublesome topic. See the Triple Handshake attack in March 2014 Bonsaiviking (talk) 13:12, 5 March 2014 (UTC)

Bruteforce framework improvements - arbitrary number of inputs

  • Handle arbitrary number of inputs (e.g., username, password, repository)

ExploitSearch script

  • Info: The ExploitSearch[5] website references data from several exploits/vulnerability databases. A script could submit version detection results and display related vulnerabilities according to this search engine.

http-wordpress-custompages-lfi

Exploits a local file inclusion vulnerability to retrieve files from the server.

Script can't be found online anywhere anymore.

http-phpmyadmin-dir-traversal

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 to retrieve files from the web server. Other phpMyAdmin versions might be vulnerable.

This vulnerability is from 2005. Are there still installations out there?

Debian OpenSSL blacklist [6]

Detect and report if somebody is using a bad key from Debian (this script requires a significant amount of data to be stored, or an external lookup)

The keys generated by HD Moore (DSA 1024 + RSA 2048 and RSA 1023 / 1024 / 2047 / 4096 / 8192 bit keys) are about 4MB compressed and about 7MB decompressed. Has anyone started this script? It would be useful, but useful enough to bloat nmap by 4MB? --Bcoles 17:06, 11 June 2011 (PDT)
How about downloading it on the first use? D33tah (talk) 21:57, 19 July 2013 (UTC)

Resources:

  • http://itsecurity.net/

We added this to the "maybe" section because the problem is likely mostly addressed (vulnerable certificates either expired or detected and replaced) since this issue happened years ago. Plus the data file is too large to include with Nmap, so the user would have to get it themselves. For those reasons, we see this script as lower priority than some of the other opportunities.

http-iomega-session (CVE-2009-2367)

Exploits weak session ids by bruteforcing a valid session to the web administration interface of the Iomega StorCenter Pro NAS.

Resources:

NOTE: We need access to this device to write it and it only works if a user is logged in

http-jetadmin-code-exec (OSVDB:5798)

Exploits a command execution vulnerability in the web management interface of the HP Web JetAdmin network printer tool, versions 6.2 - 6.5.

http-webrick-headers-dos (CVE-2008-3656)

Exploits a denial of service vulnerability by sending a specially crafted HTTP request.

Note: Moved here because WEBrick is not widely deployed and this vulnerability is only a DoS.

http-dell-openmanage-dos (CVE-2004-2691)

Exploits a heap overflow in Dell's OpenManage Web Server, caused by improper handling of POST data, to cause a denial of service.

http-3com-dos (CVE-2004-2691)

Exploits a denial of service vulnerability in 3Com SuperStack switches by sending excessive data to the Management interface.

Note: Added to 'maybe' because it is an old DoS vulnerability and affected devices are probably rare by now.

http-authbypass-verb

Checks for http authentication bypass vulnerabilities when using unexpected HTTP verbs. Resources:

There is a script that partially does this called http-method-tamper written by Hani Benhabiles. We could extend it with other verbs such as DEBUG and TRACE in addition to HEAD. --Nevdull77 05:01, 20 November 2011 (PST)

http-tomcat-transferencoding-dos (CVE-2010-2227)

Exploits a denial of service and information disclosure vulnerability in Apache Tomcat installations. Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta are affected.

Resources:

http-fileupload-exploiter

A script to exploit insecure file upload forms in web applications. Since there are several ways of exploiting insecure uploads, the script can include different methods:

  • Insecure extensions: upload a file with an executable extension and check whether the payload was executed.
  • PHP getimagesize() / content type check bypass: send an image file with a valid content type and our payload appended, to trick PHP applications that rely on getimagesize() or content type checks.

http://www.scanit.be/uploads/php-file-upload.pdf

Implementation by George Chatzisofroniou:

Note: This is in the Maybe category since the implementation effort is high compared to the time it takes a user to perform these actions manually.
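The getimagesize() bypass described above, as an added example that is not part of this page or of any submitted script. It builds a constructed 1x1 GIF, appends a harmless PHP marker (an assumption standing in for a real payload), and contrasts a header-only check that mimics getimagesize() with a check that walks the GIF block structure to the trailer and rejects anything appended after it. Only GIF is handled; a real getimagesize() also knows PNG, JPEG and others.

```python
"""Image polyglot versus upload checks (added example, not from the page).
Assumed: GIF only, a constructed harmless PHP marker as the payload, and
the "naive" check as a stand-in for an upload handler that trusts the
image header alone.
"""
import struct

# Constructed, structurally complete 1x1 GIF89a: header, logical screen
# descriptor with a 2-entry global colour table, one image block, trailer.
MINIMAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)       # width, height, GCT flag, bg, aspect
    + b"\x00\x00\x00\xff\xff\xff"                     # global colour table (black, white)
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor
    + b"\x02"                                         # LZW minimum code size
    + b"\x02\x44\x01" + b"\x00"                       # one data sub-block + terminator
    + b"\x3b"                                         # trailer
)
PHP_MARKER = b"<?php echo 'upload-marker'; ?>"   # constructed, harmless payload

def make_polyglot(payload=PHP_MARKER):
    """Valid image by header, PHP by content: the getimagesize() bypass."""
    return MINIMAL_GIF + payload

def gif_header_dimensions(data):
    """Mimic getimagesize(): signature plus logical screen size only."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack_from("<HH", data, 6)

def _skip_subblocks(data, pos):
    """Advance past length-prefixed sub-blocks up to the 0-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_trailing_bytes(data):
    """Walk every block to the 0x3B trailer and return whatever follows it."""
    if gif_header_dimensions(data) is None:
        raise ValueError("not a GIF")
    packed, pos = data[10], 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer: image structure ends here
            return data[pos:]
        if block == 0x21:                   # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                 # image descriptor
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:              # local colour table present
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips LZW min code size
        else:
            raise ValueError("unexpected block 0x%02x" % block)

ALLOWED_EXT = {"gif"}

def naive_upload_check(filename, data):
    """Bypassable: trusts the header and ignores the file name entirely."""
    return gif_header_dimensions(data) is not None

def strict_upload_check(filename, data):
    """Whitelist the extension, reject double extensions (shell.php.gif),
    and require that the image structure ends exactly where the file ends."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False
    try:
        return gif_trailing_bytes(data) == b""
    except (ValueError, IndexError):
        return False
```

For the script idea, the test would be to upload make_polyglot() under names like avatar.gif and avatar.php and then request the stored file looking for the marker in the response. On the defensive side, the structural check is the cheap part; a hardened handler would additionally re-encode the image and store uploads outside the web root.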

Zend Server Java Bridge Arbitrary Java Code Execution

  • Info: pre-authentication remote Java code execution. We should give it a shot if we can install this infrastructure on Ubuntu, however even if I've learned Java at school, I still don't know it. So we must copy some Java code.
Date: 2011-03-30
Verified: OK (by exploit-db.com)
Vulnerable versions: 5.0.2 and prior.
OSVDB: OSVDB-71420 (see: http://osvdb.org/71420)
URLs: (see [7] and [8]).

dhclient remote arbitrary commands execution

  • Info: dhclient is vulnerable to remote arbitrary commands execution via shell metacharacters in a hostname obtained from a DHCP message.
Date: 2011-04-05
CVE: 2011-0997
OSVDB-ID: 71493
URLs
Red Hat bugzilla [9]
CVE [10]
OSVDB [11]

wesnoth-info

Reveals details of a Battle for Wesnoth server by speaking the protocol. The network protocol is documented and is called WML. The protocol is XML-like. Gzip is used for compression.

teredo-info

Teredo is used to form IPv6 over IPv4 tunnels. The involved service is used to negotiate tunnels, and to do diagnostics required for NAT hole punching, finding out a local public IP and such. Designing the script requires examining a lengthy RFC in detail.

Sounds valuable, but can the submitter (or anyone) provide more information about how such a script would work and what information it should provide?--Fyodor 16:21, 30 March 2011 (PDT)
Teredo provides services that quite similar to STUN, but not compatible with STUN. As the Teredo specification contains all kinds of functionality, I think it would make sense to write the stun-info script first, and try to dig the same information out of the teredo service. Something might be a bit different, or Teredo might provide some information that STUN does not, but basing the teredo script on the STUN script provides a good starting point. --Cyberix 08:30, 16 June 2011 (PDT)

gnutella-info

The script should list any information it can get from a Gnutella node by speaking the Gnutella protocol.

We need more details about what information is available from gnutella nodes before we can really consider this one. If useful info is available from the nodes, we would probably accept the script. If someone adds more details to this script description, feel free to put it back up in the incoming section of this page.--Fyodor 16:01, 30 March 2011 (PDT)

sub7-info

Sub7 is a remote administration tool. The info script should provide any information trivially available by speaking the protocol. Other scripts may be written to support more advanced features.

We need more details about what information is available from Sub7 before we can really consider this one. If useful info is available, we would probably accept the script. If someone adds more details to this script description, feel free to put it back up in the incoming section of this page.--Fyodor 16:13, 30 March 2011 (PDT)
I am a bit lost regarding Sub7. There seem to be multiple versions, and I am not sure if it was completely rewritten at some point. Some versions seem to have a plain text protocol and offer useful information. Someone would need to check if the server supports anonymous use, or if it always requires a password. --Cyberix 13:15, 1 April 2011 (PDT)

netbus2-info

NetBus 2.x Pro is a shareware remote administration tool that was created as a successor to the free 1.x versions. All communication seems to be encrypted. The script should provide whatever information can be retrieved by speaking the protocol. The project is hard as one needs to reverse engineer the system to find out what kind of encryption is used.

We need more details about what information is available from netbus2 before we can really consider this one. If useful info is available, we would probably accept the script. If someone adds more details to this script description, feel free to put it back up in the incoming section of this page.--Fyodor 16:13, 30 March 2011 (PDT)


http-auth-checker/http-auth-inspector

The purpose of this script is to find pages that should be protected but aren't, due to flaws in the authentication logic of web applications. First, the script crawls the web server using valid credentials to build a sitemap of protected pages. Then it requests those pages again without credentials, to identify the pages where the authentication check is missing (an authentication bypass).

Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS

  • Windows Vista and later are vulnerable to stack corruption caused by a specially crafted Link Local Multicast Name Resolution (LLMNR) query. Currently this is only a DoS, but perhaps it can be turned into remote code execution.
Date: 2011-04-12
CVE: CVE-2011-0657
URLs: (see Metasploit ms11_030_dnsapi.rb)

Samba

Samba < 3.5.5 is vulnerable to remote code execution (see [12]).

A problem is that it appears that you need admin credentials in order to exploit. Fyodor 13:03, 24 May 2011 (PDT)

Samba Symlink Traversal

  • Info: remote authenticated users are able to create symbolic links to the root filesystem when the file share is writable. Anonymous users with write access can also exploit this vulnerability.
Date: 2010-02-08
Verified: OK
URLs: (see [13] and Metasploit samba_symlink_traversal.rb)

Asterisk

Several security holes were recently reported for Asterisk (like: [14] and [15]). See whether they're interesting ones to detect.

One is a DoS bug, another allows executing shell commands, but only if you already have "System" privileges. Fyodor 13:03, 24 May 2011 (PDT)

broadcast-firesheep-discovery

Firesheep is a session hijacking tool that may be used to take over unprotected network sessions on wireless networks. The firesheep-discovery prerule script would list hosts that are running Firesheep on the current LAN. The script should support adding discovered hosts as scan targets. A tool called BlackSheep does this type of discovery. The discovery can be done by creating fake sessions and capturing the messages Firesheep sends to gather details of the available sessions.

  • It might also be possible to detect Firesheep version based on the sites that it tries to hijack, but there might not be too many different versions available.

Implementing HTTP anti-IDS tactics

Create an NSE library that implements anti-IDS techniques. There is an interesting paper here. This would be useful for http-enum and probably other scripts that send a lot of probes and are pretty intrusive.

Web app fingerprinting (static files)

This works by storing hashes of static files from known web applications and looking up the hashes of the files served by the target.

/CHANGELOG.txt (One HTTP request)
"b54c033af08c823221535ed0677242ba" -> Drupal 6.20
"aeb74a5dbcd3a1adcc0ca8b78449e50f" -> Drupal 6.23
"1e992c3dd0243b078885d99368004d53" -> FooBar CMS 1.2

/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
"37e194b799d4aaff10e39c4e3b2679a2" -> PHP 5.0.0 - 5.0.3
"4b2c92409cf0bcf465d199e93a15ac3f" -> PHP 4.3.11, 4.4.0 - 4.4.9, 5.0.4 - 5.0.5, 5.1.0 - 5.1.2

...

Obviously, hashes will be maintained in a different file (like http-fingerprints.lua for http-enum).

Compared to the way http-enum works, this is less resource intensive (no grepping in large dynamically generated pages) and more accurate (fewer false positives), but both techniques are complementary.

A good demonstration of this technique is BlindElephant, but also Nmap's http-favicon script, which could be considered a special case. Also, see Kolkata. What Nmap has that such tools don't is the huge community that would contribute fingerprints to support more and more web applications.

Development along these lines:

* http://seclists.org/nmap-dev/2013/q1/172
* http://seclists.org/nmap-dev/2013/q2/57
* http://seclists.org/nmap-dev/2013/q2/146
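The hash-lookup approach above, as an added example that is not code from this page or from Nmap. The fingerprint table is built from constructed sample bodies for a made-up "ExampleCMS", not from real Drupal or PHP files, and fetch is a stand-in for an HTTP GET so the example runs offline. The part worth showing is what BlindElephant does and a single lookup does not: a hash shared by several releases maps to all of them, and the candidate sets from several paths are intersected to narrow the version.

```python
"""Static-file fingerprinting by hash intersection (added example, not from
the page). SAMPLE_BODIES and ExampleCMS are constructed; fetch(path) stands in
for http.get() and returns the body bytes or None for a missing file.
"""
import hashlib

# Constructed sample bodies: (version, path) -> content of that static file.
SAMPLE_BODIES = {
    ("ExampleCMS 1.0", "/CHANGELOG.txt"):  b"ExampleCMS 1.0\n- first release\n",
    ("ExampleCMS 1.1", "/CHANGELOG.txt"):  b"ExampleCMS 1.1\n- bug fixes\n",
    ("ExampleCMS 1.0", "/misc/app.js"):    b"var v='1.x';\n",
    ("ExampleCMS 1.1", "/misc/app.js"):    b"var v='1.x';\n",    # unchanged between releases
    ("ExampleCMS 1.1", "/misc/style.css"): b"body{margin:0}\n",  # new in 1.1
}

def md5hex(data):
    # MD5 is fine here: it identifies known files, nothing relies on it for security.
    return hashlib.md5(data).hexdigest()

def build_table(bodies):
    """path -> {md5 -> set of versions}. A hash shared by several releases
    maps to all of them, which is why one file rarely pins a single version."""
    table = {}
    for (version, path), body in bodies.items():
        table.setdefault(path, {}).setdefault(md5hex(body), set()).add(version)
    return table

FINGERPRINTS = build_table(SAMPLE_BODIES)

def fingerprint(fetch, table=FINGERPRINTS):
    """One request per known path; intersect the candidate version sets.

    A missing file is not evidence against any version (it may simply be
    blocked or removed), so it is skipped. An unknown hash (a locally
    modified file) is recorded as evidence but does not narrow anything.
    Returns (sorted candidate versions, per-path evidence)."""
    candidates = None
    evidence = []
    for path, by_hash in table.items():
        body = fetch(path)
        if body is None:
            continue
        versions = by_hash.get(md5hex(body))
        if versions is None:
            evidence.append((path, "unknown hash"))
            continue
        evidence.append((path, sorted(versions)))
        candidates = set(versions) if candidates is None else candidates & versions
    return (sorted(candidates) if candidates else []), evidence

def make_server(version):
    """Constructed stand-in for a target serving one ExampleCMS release."""
    return lambda path: SAMPLE_BODIES.get((version, path))
```

With only /misc/app.js reachable the result is both releases, because that file is identical in 1.0 and 1.1; adding /CHANGELOG.txt narrows it to one. In an NSE script the table would live in a data file next to http-fingerprints.lua, and the evidence list is what the script should print so a reader can see which files drove the verdict.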

httpspider redesign

Update: This is now in our bugtracker: https://github.com/nmap/nmap/issues/82

Currently, httpspider is a library that provides a nice interface to a web crawler, but each script that uses it gets a separate crawler. Even with the caching from http library, this can get inefficient, especially if the crawlers are not synced closely (pages cached by the first crawler are dropped from the cache before the second crawler gets there).

This proposal is to rework the current scripts using httpspider to register callbacks for a single spider instance (perhaps in a dedicated script), so for each request, a series of scripts can view and parse the output immediately. Notional components:

  • httpspider.lua - basically no modifications. Add functions for intelligent merging of options from varying scripts (e.g. whitelist is a set that can be added to, not subtracted from; depth = max(depth, newdepth), etc).
  • http-spider-engine.nse - creates and runs the crawler, executing callbacks (stored perhaps in the host.registry) for each page. Depends on every http-*-spider.nse script (this is kludgy). Outputs results from each script's callbacks under a separate heading in its output.
  • http-*-spider.nse - Defines and registers callbacks for http-spider-engine to execute. Modifies spider options (e.g. whitelist/blacklist) as needed, via httpspider library functions.

Lots of questions about this:

What happens when one script starts the spider, the spider gets halfway through its crawl, and then another script starts that needs directories the spider has already passed over? Does this spider start again from the beginning? What about a script that wants to get .jpg files at depth ≤2 and another script that wants .css files at depth ≤5; will the merging of options cause the spider to start retrieving .jpg files at depth 4?
Is the HTTP cache really so inefficient? I can imagine the situation of things expiring from cache before being needed again, but does it really happen in typical use? Can you back this up with some data? Is requesting a document twice really much worse than forcing all scripts using the spider to run as slowly as the one needing the slowest crawl?

David (talk) 06:09, 16 August 2012 (CDT)

Some replies:
  • I envisioned the spider engine script to be a hostscript, while the "plugin" scripts would be portrule scripts. That would solve the timing issue.
  • Depth could be handled either as a parameter in registering the callback (files below a certain depth are checked against the list of callbacks with a depth <= current) or as a parameter passed to the callback (so the callback decides whether to run.) First option is better, since it allows the spider to determine max depth before running.
  • I haven't done calculations, but I have noticed scans with many debug statements from http lib saying cache is at its max size. Maybe an audit of http scripts could reveal requests that should not be cached.
Bonsaiviking (talk) 07:31, 16 August 2012 (PDT)
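A small working model of the engine/plugin split proposed above, as an added example that is not Nmap's httpspider and not code from any of the participants. Everything in it is assumed: the in-memory site, the two hypothetical plugins, and a simplified option set (a maximum depth and an extension whitelist) merged with the rule from the proposal (whitelist only grows, depth is the maximum). It counts requests so the .jpg-at-depth-2 versus .css-at-depth-5 question raised above can be measured rather than argued: the shared crawl does fetch images no plugin asked for, but the plugin's callback is gated by its own options, so it never sees them.

```python
"""Shared spider engine with per-script callbacks and option merging (added
example, not Nmap's httpspider). SITE, fetch and the plugins are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed site: path -> (content type, body, outgoing links).
SITE = {
    "/":             ("text/html", "<html>index</html>", ["/about.html", "/img/logo.jpg", "/css/site.css"]),
    "/about.html":   ("text/html", "<html>about</html>", ["/deep/1.html"]),
    "/deep/1.html":  ("text/html", "<html>1</html>",     ["/deep/2.html", "/img/deep.jpg"]),
    "/deep/2.html":  ("text/html", "<html>2</html>",     ["/deep/3.html"]),
    "/deep/3.html":  ("text/html", "<html>3</html>",     ["/css/deep.css", "/img/far.jpg"]),
    "/img/logo.jpg": ("image/jpeg", "(jpeg bytes)", []),
    "/img/deep.jpg": ("image/jpeg", "(jpeg bytes)", []),
    "/img/far.jpg":  ("image/jpeg", "(jpeg bytes)", []),
    "/css/site.css": ("text/css", "body{}", []),
    "/css/deep.css": ("text/css", "p{}", []),
}

def fetch(path):
    """Stand-in for http.get(): the SITE entry, or None for a 404."""
    return SITE.get(path)

def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else "html"

@dataclass
class SpiderOptions:
    maxdepth: int = 0
    whitelist: set = field(default_factory=set)   # extensions worth fetching

    def merge(self, other):
        """Merging rule from the proposal: the whitelist only grows, depth is the max."""
        self.maxdepth = max(self.maxdepth, other.maxdepth)
        self.whitelist |= other.whitelist

class SpiderEngine:
    def __init__(self):
        self.options = SpiderOptions(whitelist={"html"})  # HTML is always followed for links
        self.plugins = []

    def register(self, name, opts, callback):
        """What an http-*-spider.nse script would do when it loads."""
        self.plugins.append((name, opts, callback))
        self.options.merge(opts)

    def crawl(self, fetch, start="/"):
        """Breadth-first crawl under the merged options. A plugin's callback
        fires only for pages inside that plugin's own depth and whitelist."""
        results = {name: [] for name, _, _ in self.plugins}
        seen, queue, requests = {start}, deque([(start, 0)]), 0
        while queue:
            path, depth = queue.popleft()
            requests += 1
            page = fetch(path)
            if page is None:
                continue
            ctype, body, links = page
            for name, opts, callback in self.plugins:
                if depth <= opts.maxdepth and _ext(path) in opts.whitelist:
                    hit = callback(path, ctype, body)
                    if hit is not None:
                        results[name].append(hit)
            if depth < self.options.maxdepth:
                for link in links:
                    if link not in seen and _ext(link) in self.options.whitelist:
                        seen.add(link)
                        queue.append((link, depth + 1))
        return results, requests

def run_shared(fetch, plugins):
    """One engine, all plugins registered: the proposed design."""
    engine = SpiderEngine()
    for name, opts, callback in plugins:
        engine.register(name, opts, callback)
    return engine.crawl(fetch)

def run_separately(fetch, plugins):
    """One engine per plugin, no HTTP cache: requests made per plugin."""
    counts = {}
    for name, opts, callback in plugins:
        engine = SpiderEngine()
        engine.register(name, opts, callback)
        counts[name] = engine.crawl(fetch)[1]
    return counts

# Two hypothetical plugins in the shape of the .jpg / .css question.
PLUGINS = [
    ("jpg-meta",    SpiderOptions(maxdepth=2, whitelist={"jpg"}), lambda path, ctype, body: path),
    ("css-inspect", SpiderOptions(maxdepth=5, whitelist={"css"}), lambda path, ctype, body: path),
]
```

On this site the shared crawl makes 10 requests against 4 + 7 = 11 for two separate spiders, and two of the shared requests are images the jpg plugin never sees because they lie below its depth. Whether that trade is worth it in practice is exactly the data question asked above; this model only makes the two costs countable.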

Probably not (or needs clarification)

These are script ideas that are unlikely to be a good fit for Nmap proper, but might be worth writing and sending to nmap-dev anyway so folks can download and use the scripts themselves. In some cases, script ideas are here because we don't really understand them or need further clarification to consider them.


nrpe-brute

Brute force this Nagios service. Also see this non-brute force nrpe script. --Nevdull77 01:46, 13 January 2012 (PST) To the best of my knowledge, there's no real authentication in NRPE. At least that's what I've got from a few web searches and this: Opsview Unix Agent Customisation

synergy-brute

Brute force the Synergy remote KVM software system.

I don't really understand, as there is no concept of password in Synergy. Can anyone elaborate on what it is we want to brute here? --Nevdull77 14:17, 24 October 2011 (PDT)

Fingerprint VMware Server

A script to obtain the VMware Server information. This is Aleksey GreenDog Tyurin's idea and he already submitted a script. The script uses SOAP HTTP objects. Tixxdz 17:05, 25 July 2011 (PDT)

We will probably do this as a version detection probe instead. Fyodor 16:48, 18 October 2011 (PDT)


http-iphone4-ftp-dos

Crashes iphone 4 FTP Server 1.0 remotely.

It seems that there is no support for password authentication!! (see [16]).

Resources:

Completed scripts

Many scripts from this page have been completed and removed. We generally just delete them from this page rather than adding them here because you can browse all completed Nmap NSE scripts at the script documentation portal.

See complete list at the script documentation portal

Volunteer Work

Ron Bowes + Alex Weber

http-git

This script will detect whether a .git directory was left in the web root, and parse it to display interesting information.

More information can be obtained with a zlib binding, so we'll investigate that as well.

Infrastructure Tasks

This is a listing of various infrastructure related tasks. Anything not related to script writing should probably go here.

The pipelining facilities currently in the http library do not use the caching functions; this can also be fixed separately.

  • Nmap/Lua_5.2 offers the new Lua bit32 library. Currently none of the scripts or libraries use it though because I (Batrick (talk) 00:40, 19 June 2012 (CDT)) vaguely recalled some differences in behavior with Reuben Thomas' bitlib and the new bit32 library.
  • Improvements to the HTTP spider:
    • Allow doing HEAD requests instead of GET for certain links.
    • Allow a script to piggyback on other scripts doing spidering. No actual direction of a personal spider instance is done. Use case, http-rfi-spider simply wants to examine all html pages, but having it execute its own spider instance alongside other scripts is probably overkill.
  • NSE Debugger (a la GDB). Early work on incorporating a debugger was done by Diman Todorov. This work is probably far too out of date as NSE has changed significantly since that patch was written. Still, the idea is promising. Some features to consider:
    • Examine variables on the stack.
    • Examine the call stack.
    • Examine arbitrary threads in the waiting/running queues.
    • Set breakpoints.

I have these patches if anyone is interested... --Batrick (talk) 00:40, 19 June 2012 (CDT)

  • nse_nsock.cc can be improved to not run the callbacks on the thread which made the callback. It would be better to run the callback on the currently running thread. Generally, it's bad practice to call functions on a yielded thread. This is on my TODO list. --Batrick (talk) 00:40, 19 June 2012 (CDT)
  • A robust, dynamic NSE parallelism algorithm (sets the max number of sockets that can be opened) would be an interesting project to explore. Work was done in the past to measure the effects of parallelism. A benchmark with the current (much larger number of!) scripts would be instructive on whether this is worthwhile.
  • Improve the NSE Nsock binding to only allow one open socket per thread. Currently a script can connect as many sockets as it wants once it has a "socket_lock".