Nmap/Script Ideas

From SecWiki

Planned NSE scripts and other ideas. Add new ideas to the "Incoming" section. The "high-priority" section is for ideas that are definitely wanted. "Other ideas" are those that may be accepted with a good implementation and for a good reason. Only Nmap developers should move things into these latter two categories.

You are welcome and encouraged to leave comments below script ideas. You can use one or more ":" before your comment line to cause it to be indented, and you can end a comment with four tildes (~) in a row to fill in your username and the time.

Please include enough information to allow someone to start implementing your idea, including sample output and script arguments.

Incoming

Please add your new script ideas here to the top of this list! They can be discussed here and will also be moved to another section (and potentially discussed further) by the NSE team when they do periodic reviews.

RIPv1, RIPv2, and RIPng scripts

RIPv1 is especially interesting because it's being used for DDoS reflection. We have a UDP payload for scanning, but it might not be working properly. We have no service fingerprints or softmatches for any of these related services, so that would be an important part of this effort. Particular script ideas:

  • Print the list of routes. Doesn't need authentication in some cases (RIPv1, some RIPv2, others?)
  • RIPv2 brute-forcing. This could be tough because the action when authentication is incorrect is to just ignore.
  • Packet decoder for broadcast-listener.nse

tftp-version

Service version detection (-sV) doesn't work on TFTP because the server sends replies from a different source port than the one it listens on. A simple script would send a request for a random file and wait for the response, marking the port as open and tftp if it gets one. It could be extended to send corrupted requests and distinguish versions based on the responses; examples that we already match because they use source port 69/udp:

Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
match tftp m|^\0\x05\0\x02\0The IP address is not in the range of allowable addresses\.\0| p/SolarWinds tftpd/ i/IP disallowed/ o/Windows/ cpe:/a:solarwinds:tftp_server/ cpe:/o:microsoft:windows/a
match tftp m|^\0\x05\0\0Invalid TFTP Opcode| p/Cisco tftpd/ cpe:/a:cisco:tftp_server/
match tftp m|^\0\x05\0\x04Illegal TFTP operation\0| p/Plan 9 tftpd/ o/Plan 9/ cpe:/o:belllabs:plan_9/a
match tftp m|^\0\x05\0\x04Error: Illegal TFTP Operation\0\0\0\0\0| p/Zoom X5 ADSL modem tftpd/ d/broadband router/ cpe:/h:zoom:x5/a
match tftp m|^\0\x05\0\x04Illegal operation\0$| p/Cisco router tftpd/ d/router/ o/IOS/ cpe:/a:cisco:tftp_server/ cpe:/o:cisco:ios/a
match tftp m|^\0\x05\0\x04Illegal operation error\.\0$| p/Microsoft Windows Deployment Services tftpd/ o/Windows/ cpe:/o:microsoft:windows/
match tftp m|^\0\x05\0\x04Unknown operatation code: 0 received from [\d.]+:\d+\0| p/SolarWinds Free tftpd/ cpe:/a:solarwinds:tftp_server/
match tftp m|^\0\x05\0\x04illegal \(unrecognized\) tftp operation\0$| p/Brother printer tftpd/ d/printer/
match tftp m|^\0\x05\0\0Not defined, see error message\(if any\)\.\0| p/HP Intelligent Management Center tftpd/ cpe:/a:hp:intelligent_management_center/
--
Probe UDP xdmcp q|\0\x01\0\x02\0\x01\0|
match tftp m|^\0\x05\0\x04Illegal TFTP operation\0| p/Windows 2003 Server Deployment Service/ o/Windows/ cpe:/o:microsoft:windows_server_2003/a
match tftp m|^\0\x05\0\x01File not found\.\0$| p/Enistic zone controller tftpd/
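
The packet handling such a script needs, as an added example that is not Nmap code: plain Lua 5.3+ (the language of NSE) with no NSE libraries, run offline on constructed replies. The function names and sample packets are assumptions; the signature table is transcribed from four of the match lines above.

```lua
-- Added example, not Nmap code. Plain Lua 5.3+; no NSE libraries are used.
-- Opcodes from RFC 1350; OACK from RFC 2347.
local OPCODES = { [1] = "RRQ", [2] = "WRQ", [3] = "DATA", [4] = "ACK",
                  [5] = "ERROR", [6] = "OACK" }

-- (error code, message) pairs transcribed from the match lines above. Those
-- replies answered non-TFTP probes, i.e. the "corrupted request" case.
local SIGNATURES = {
  { code = 0, msg = "Invalid TFTP Opcode", prefix = true,
    product = "Cisco tftpd" },
  { code = 4, msg = "Illegal operation error.",
    product = "Microsoft Windows Deployment Services tftpd" },
  { code = 4, msg = "illegal (unrecognized) tftp operation",
    product = "Brother printer tftpd" },
  { code = 0, msg = "Not defined, see error message(if any).",
    product = "HP Intelligent Management Center tftpd" },
}

-- Read request: opcode 1, filename, NUL, transfer mode, NUL.
local function build_rrq(filename, mode)
  return string.pack(">I2zz", 1, filename, mode or "octet")
end

-- A name that should not exist on the server, so the transfer never starts.
local function random_filename(len)
  local chars = {}
  for i = 1, len do chars[i] = string.char(math.random(97, 122)) end
  return table.concat(chars)
end

-- Decode a datagram received after the request. In a real script the socket
-- must accept it from any source port of the target, not only 69/udp.
local function parse_reply(data)
  if #data < 2 then return nil, "too short for a TFTP header" end
  local kind = OPCODES[string.unpack(">I2", data)]
  if kind == "DATA" and #data >= 4 then
    return { kind = kind, block = string.unpack(">I2", data, 3), length = #data - 4 }
  elseif kind == "ERROR" and #data >= 4 then
    local msg = data:sub(5)
    local nul = msg:find("\0", 1, true)
    if nul then msg = msg:sub(1, nul - 1) end  -- tolerate a missing terminator
    return { kind = kind, code = string.unpack(">I2", data, 3), message = msg }
  elseif kind == "OACK" then
    return { kind = kind }
  end
  return nil, "not a TFTP server reply"
end

-- Any DATA, ERROR or OACK reply means "open, tftp"; the product is a bonus.
local function classify(reply)
  if reply.kind ~= "ERROR" then return nil end
  for _, sig in ipairs(SIGNATURES) do
    local got = sig.prefix and reply.message:sub(1, #sig.msg) or reply.message
    if reply.code == sig.code and got == sig.msg then return sig.product end
  end
  return nil
end

math.randomseed(os.time())
print("request length:", #build_rrq(random_filename(12)))

-- Constructed sample replies (not captured traffic).
local samples = {
  "\0\5\0\4Illegal operation error.\0",
  "\0\5\0\1File not found\0",
  "\0\3\0\1hello",
  "\x10\0",
}
for _, raw in ipairs(samples) do
  local reply, err = parse_reply(raw)
  if reply then
    print(reply.kind, reply.message or "", classify(reply) or "tftp (unidentified)")
  else
    print("rejected:", err)
  end
end
```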

nbd-info

Network Block Device description is here: https://github.com/yoe/nbd/blob/3923c514321694ef7feebe20e2bc0022db93417c/doc/proto.txt

dns-any-query

DNS ANY queries (rcode 255) are being seen in use as amplifiers in DDoS attacks (https://isc.sans.edu/diary.html?storyid=19419). They behave differently depending on whether the DNS server is authoritative or not. Just like our other DNS scripts, this one could be run in several ways:

  • as a prerule script with script args specifying the name to query and the server to query against (and newtargets support)
  • as a hostrule script with script args specifying the dns server to query against for the target's hostname
  • as a portrule script that runs on dns servers discovered, with script args specifying the name to query or just using the target name to determine support for the ANY query.

SSL Labs API query script

Our own ssl-enum-ciphers is great, but SSL Labs is really the reference implementation. Now they have an API that can be queried to perform this kind of assessment, and we should have a script to query it as well, subject to appropriate licensing. http://blog.ivanristic.com/2015/01/ssl-labs-apis-now-available-beta.html

ssl-known-ca

See http://seclists.org/nmap-dev/2015/q1/202 for discussion. Would check whether an SSL service is using a certificate signed by one of a set of CA certificates or orgs.

CPE adder

Lots of service matches look like this:

   match http m|^.*<address>Apache/([\d.]+) \([^)]+\) ?(.*) Server at ([-\w_.]+) Port \d+</address>\n</body></html>\n|si p/Apache httpd/ v/$1/ i/$2/ h/$3/ cpe:/a:apache:http_server:$1/

Meaning that all the module and language versions like (mod_security/2.8 Perl/5.8.8) are not being turned into CPE entries. A script could look in the extrainfo section for Software/version and turn known software into cpe:/a:vendor:software:version for consumers of that sort of structured data (lots of vulnerability scanners, etc.). We don't currently have a way for scripts to add this information, but that could come later.
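
A sketch of the extraction step, as an added example that is not Nmap code: plain Lua 5.3+ that pulls Software/version tokens out of an extrainfo string and emits CPE entries for known names only. The function name, the sample string and the small name-to-CPE table are assumptions made for illustration; a real script would need a maintained mapping.

```lua
-- Added example, not Nmap code. Plain Lua 5.3+; no NSE libraries are used.

-- Illustrative mapping from a banner token (lower-cased) to CPE
-- vendor:product. Constructed for this example, deliberately incomplete.
local KNOWN = {
  ["mod_ssl"]  = "modssl:mod_ssl",
  ["openssl"]  = "openssl:openssl",
  ["php"]      = "php:php",
  ["perl"]     = "perl:perl",
  ["mod_perl"] = "apache:mod_perl",
  ["python"]   = "python:python",
}

-- Turn "Name/1.2.3" tokens into cpe:/a:vendor:product:version strings.
-- Tokens whose name is not in KNOWN are skipped rather than guessed, so a
-- consumer never receives a CPE for software we could not identify.
local function extrainfo_to_cpes(extrainfo)
  local cpes, seen = {}, {}
  -- name, "/", optional "v" (as in Perl/v5.8.8), then a version that must
  -- start with a digit.
  for name, version in extrainfo:gmatch("([%w_%.%-]+)/v?(%d[%w%._%-]*)") do
    local product = KNOWN[name:lower()]
    -- Drop punctuation that belongs to the sentence, not to the version.
    version = (version:gsub("[%._%-]+$", "")):lower()
    if product and version ~= "" then
      local cpe = ("cpe:/a:%s:%s"):format(product, version)
      if not seen[cpe] then
        seen[cpe] = true
        cpes[#cpes + 1] = cpe
      end
    end
  end
  return cpes
end

-- Constructed extrainfo value in the style of the Apache example above.
local sample = "(Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g mod_security/2.8 Perl/v5.8.8"
for _, cpe in ipairs(extrainfo_to_cpes(sample)) do
  print(cpe)
end
```

mod_security is left out of the table on purpose, to show that unmapped software produces no entry.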

OpenWebNet discovery

Home automation stuff. Simple text-based protocol. May be layered over HTTP, but at least one service fingerprint submission had it running directly over 20000/tcp.

impress-remote-discover

LibreOffice Impress has a (default on) remote control feature for presentations. It seems to be discoverable via multicast to 239.0.0.1:1598.

gdbserver-info

gdbserver has no authentication and can result in remote code injection. See Metasploit's exploit module for instance.

Tridium Fox

Not sure what's possible here, but this Shodan report says it's the most commonly exposed ICS/SCADA service worldwide.

datetime-skew

This script would try to calculate clock skew between systems. A postrule could display hosts which are not synchronized with others. Sources of date-time information include NTP, HTTP Date header, SMTP banner, daytime, etc. Bonsaiviking 13:37, 5 June 2012 (PDT)

TLS is also a source of date. https://github.com/ioerror/tlsdate/ David (talk) 11:22, 20 July 2012 (CDT)
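
The skew calculation for one of the listed sources, the HTTP Date header, as an added example that is not Nmap code: plain Lua 5.3+ that converts the header to epoch seconds without depending on the scanner's timezone, then reports hosts whose skew differs from the median, as a postrule might. Host names, timestamps, the tolerance and all function names are constructed for illustration.

```lua
-- Added example, not Nmap code. Plain Lua 5.3+; no NSE libraries are used.
local MONTHS = { Jan = 1, Feb = 2, Mar = 3, Apr = 4, May = 5, Jun = 6,
                 Jul = 7, Aug = 8, Sep = 9, Oct = 10, Nov = 11, Dec = 12 }

-- Days since 1970-01-01 for a Gregorian date. Done by hand because os.time
-- interprets its argument as local time, which would add a false skew.
local function days_from_civil(y, m, d)
  if m <= 2 then y = y - 1 end
  local era = y // 400
  local yoe = y - era * 400
  local doy = (153 * ((m + 9) % 12) + 2) // 5 + d - 1
  local doe = yoe * 365 + yoe // 4 - yoe // 100 + doy
  return era * 146097 + doe - 719468
end

-- Parse the fixed-length HTTP date form, e.g. "Tue, 05 Jun 2012 20:37:00 GMT".
local function parse_http_date(value)
  local d, mon, y, h, mi, s = value:match(
    "^%a+, (%d%d) (%a%a%a) (%d%d%d%d) (%d%d):(%d%d):(%d%d) GMT$")
  local m = MONTHS[mon]
  if not m then return nil end
  return days_from_civil(tonumber(y), m, tonumber(d)) * 86400
       + tonumber(h) * 3600 + tonumber(mi) * 60 + tonumber(s)
end

local function median(values)
  local sorted = { table.unpack(values) }
  table.sort(sorted)
  local n = #sorted
  if n % 2 == 1 then return sorted[(n + 1) // 2] end
  return (sorted[n // 2] + sorted[n // 2 + 1]) / 2
end

-- observations: { host, date = header value, observed_at = scanner clock in
-- epoch seconds when the response arrived }. Comparing against the median
-- means a wrong scanner clock does not flag every host.
local function unsynchronized(observations, tolerance)
  local skews, list = {}, {}
  for _, o in ipairs(observations) do
    local remote = parse_http_date(o.date)
    if remote then
      skews[o.host] = remote - o.observed_at
      list[#list + 1] = skews[o.host]
    end
  end
  if #list == 0 then return {}, nil end
  local mid, out = median(list), {}
  for host, skew in pairs(skews) do
    if math.abs(skew - mid) > tolerance then
      out[#out + 1] = { host = host, skew = skew }
    end
  end
  table.sort(out, function(a, b) return a.host < b.host end)
  return out, mid
end

-- Constructed observations (not real scan data).
local base = parse_http_date("Tue, 05 Jun 2012 20:37:00 GMT")
local observations = {
  { host = "192.0.2.10", date = "Tue, 05 Jun 2012 20:37:01 GMT", observed_at = base + 1 },
  { host = "192.0.2.11", date = "Tue, 05 Jun 2012 20:37:02 GMT", observed_at = base + 3 },
  { host = "192.0.2.12", date = "Tue, 05 Jun 2012 20:29:12 GMT", observed_at = base + 2 },
  { host = "192.0.2.13", date = "not a date", observed_at = base + 2 },
}
local outliers, mid = unsynchronized(observations, 5)
print("median skew (s):", mid)
for _, o in ipairs(outliers) do
  print(o.host, "skew (s):", o.skew)
end
```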

NSE-based port scanning

As briefly described on the GSoC ideas page, NSE could be leveraged for port scanning. This would let us quickly implement new techniques and possibly release nmap's core of certain of its older and not parallel modules. A patch is being developed in nmap-exp/henri/nmap-nseportscan. --Henri 14:39, 12 June 2012 (PDT)

xserver-screenshot, xserver-keylogger, xserver-xwininfo

Open X servers are great sources of information. xserver-screenshot could take screenshots of the open X display (due to image processing and saving files to disk, this could be difficult to implement). xserver-keylogger would use either of 2 techniques (polling or registering) to capture keystrokes until a timeout (See xspy for the more complete polling method, or xkey for the simpler key-register method). xserver-xwininfo could pull information about windows on the X display, including title, geometry, color depth, etc.

APC PowerChute

APC PowerChute uses port 3052/udp to communicate UPS status to servers in order to gracefully shut down when power failure is imminent. May be able to add a section to broadcast-listener for pulling information out of broadcast packets. There may also be a unicast protocol between the UPS and apcupsd running on a server. References: [1] [2]

High-priority

These are scripts which we're sure we want, and as soon as possible, please! :)

HTML parsing

We need a library to do HTML parsing. Currently we do pseudo-parsing using string matching and patterns. Some early implementations:

An HTML library should be able to do what these scripts do:

http-mirror

Use the http spider to crawl the remote site and save the pages to a local directory (presumably specified by NSE args). Maybe in the future, httpspider.lua can take an NSE arg which allows it to run "against" a local cache created by http-mirror, so you could run things like http-grep or http-email-harvest against that local copy rather than continuing to hammer the site. One minor issue is that Lua doesn't offer a native way to create directories, so we'd probably have to write a simple wrapper which does an os.exec call on mkdir and deals with proper file separation char, etc.

Solid Candidates

These are scripts which the Nmap NSE team considers likely to be incorporated into Nmap if someone submits a well written version to the nmap-dev list.

IPsec IKE enumeration

For some examples of what we can do, see ike-scan. The documentation could serve as ideas for scripts. We already have a UDP payload for IKE, but it just sets the port as open and can't do any more. An IKE detection script could also be better because it could set the source port to 500, potentially and/or use a randomized initiator cookie and try more cipher combinations. See the comments in nmap-payloads. --Nevdull77 07:09, 26 July 2011 (PDT)

SSH Key Acceptance Checker

This script takes one or more SSH public or private (w/o passphrase) keys and checks whether target SSH servers accept any of those keys for authentication purposes. Metasploit has a useful script which does this, known as ssh_identify_pubkeys, which HD Moore also discusses in this blog post. We may want to use a library like ssh2; see also this related entry.

tor-consensus-checker

This script would allow the user to check if a target is listed as a Tor node using the Tor network consensus (replacing the dan.me.co.uk provider from the dnsbl.lua library). This script will need to understand the directory services protocol, which should be implemented as a library. --Duarte Silva 10:27, 3 February 2012 (CST)

Could you provide additional information about how Tor networks consensus works? --Nevdull77 06:47, 16 March 2012 (CDT)

It is probably either https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt or one of the other documents at https://gitweb.torproject.org/torspec.git/tree. David 14:08, 5 April 2012 (PDT)

Dan M. says: Lots of good information to be had from TOR directory entries: contact info, bandwidth, exit node policy. If you find an exit node behind a firewall, that's huge. Fyodor 14:17, 5 June 2012 (PDT)
David F says: So what's different about this script is that instead of accessing a third-party blacklist that is mirroring the information that the Tor directory authorities provide, you would just ask the authorities directly. Fyodor 14:17, 5 June 2012 (PDT)
David also notes: "But it's all the same information you can get from e.g. https://atlas.torproject.org/ or https://torstatus.blutmagie.de/ I don't think you get anything special from going directly to the authorities, just possibly more recent information." Fyodor 14:18, 5 June 2012 (PDT)

deluge-rpc-brute

Script that will brute force authentication on Deluge RPC interface (communication is done with zlib compressed messages, which will need to be implemented). --Duarte Silva 10:27, 3 February 2012 (CST)

We're going to look at implementing zlib as part of the http-git script. --Ron

Microsoft Version Table

Create a function that would take the Windows major and minor version numbers and optionally the build and type and return the long Windows Name. As some major and minor version numbers have been used for several Windows versions, e.g. 6.1 is both Windows 2008 and Windows 7, the build could help distinguish between them. Scripts that know the server type (server or client OS) could supply this instead to distinguish between versions. This function could be used to enhance the output of ndmp-version and smb-mbenum scripts and maybe a few more. --Nevdull77 22:59, 19 February 2012 (PST)

An example of a build number that implies a Windows version, from nmap-os-db

# Version 5.2 (Build 3790.srv03_sp1_gdr.060315-1609 : Service Pack 1)
Fingerprint Microsoft Windows Server 2003 SP1

A list of build numbers:

David 15:41, 5 June 2012 (CDT)

I have been working on this library, currently calling it "osinfo". The library creates name and cpe from a given version string or uname string. Supports a couple of vendor-family combinations, deals well with Microsoft versions.[3]

--Gyani (talk) 21:04, 10 August 2015 (UTC)

wmi-info and wmi-brute

Windows Management and Instrumentation. Apparently you can get *all* of system configuration/management information through this service, though it does require authentication. It's pre-installed in Windows 2000 and later. Wikipedia: http://en.wikipedia.org/wiki/Windows_Management_Instrumentation. If the DCOM interface is too problematic, it looks like the information may be available via SOAP using WS-Management (http://en.wikipedia.org/wiki/WS-Management). Fyodor 15:26, 21 March 2012 (CDT)

Notes from NSE meeting (05/06/2012)

  • The protocol could be complicated but it's fully documented.
  • Uses NTLMSSP for auth. A container that supports multiple algorithms.
  • Since the service requires auth, a brute script will be a great addition.

service-os

This script takes service detection output and uses it to make a guess about the operating system and distribution. For example a server running Apache 2.2.8 and OpenSSH 4.7 is likely to be Ubuntu 8.04 LTS (Hardy Heron). Some services include the distro name already in the output, but those are already mostly handled by service detection. I think the idea is to take, for example, "Apache 2.2.8" and see that it matches some subset of known distributions in a database, then take "OpenSSH 4.7" and see that it matches another subset, and take the intersection of the sets, maybe with some weighting to allow near matches.


cctv-dvr-brute

Script to detect CCTV DVR video surveillance installations, try to authenticate with default passwords and do a bruteforce attack. We should also check if we can gather additional info from these services. The script itself should be similar to the Metasploit one at http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/scanner/misc/cctv_dvr_login.rb What needs to be done is to see how the authentication is performed and implement bruteforce by using the brute lib.


Improvements to duplicates

A postrule script that reports when different target addresses appear to be the same host. This may use results from other scripts. Already handles SSL certs, MAC address, SSH hostkeys, and Netbios names. Other ideas:

  • Matching IP ID sequences.
  • Uptimes.
  • Clock skew.
  • IPv4-mapped and IPv4-compatible IPv6 addresses.

Linux/UNIX local commands over ssh

Being able to do lsof -i remotely would be really useful --Cyberix 15:37, 3 April 2011 (PDT)
This would be very valuable for various kinds of software/os auditing scripts, but looks like a lot of work. --Nevdull77 06:50, 26 July 2011 (PDT)
The libssh library may provide a way to do this that works across several platforms. libssh --Nevdull77 03:52, 13 January 2012 (CST)
Actually libssh2 may be better than libssh since it is BSD licensed rather than LGPL and it is client-only and so probably smaller. I guess we'd have to research the best way to implement (raw or by using a library) Fyodor 16:10, 27 March 2012 (CDT)
Consensus at 6/19/12 NSE meeting seemed to be for C library approach such as libssh2, though we wouldn't rule out other approaches.

ssh-brute

Brute force support for the SSH protocol. Of course this is a complex protocol, so we may need to use a library such as libssh2. See the "Linux/UNIX local commands over ssh" entry for more thoughts.

Update brute scripts to use brute.lua

There are a number of bruteforce scripts that predate brute.lua. For example, POP3 and smb-brute.nse. It would be nice to update them to take advantage of the new brute.lua library.

  • afp-brute.nse
  • dns-brute.nse
  • drda-brute.nse
  • http-iis-short-name-brute.nse
  • ldap-brute.nse
  • ms-sql-brute.nse
  • netbus-brute.nse
  • oracle-sid-brute.nse
  • pgsql-brute.nse
  • rtsp-url-brute.nse
  • smb-brute.nse
  • snmp-brute.nse

smb-enum-services

List Windows services, like PsService from sysinternals.

bgpmon-info

One would hope that bgpmon provides some useful information. Requires some research to figure out what should be displayed. See http://bgpmon.netsec.colostate.edu/ protocol http://tools.ietf.org/html/draft-cheng-grow-bgp-xml-00 Also http://bgpmon.netsec.colostate.edu/index.php/live-data

--John Bond what information do you see being useful, there are a lot of values to query in the ietf doc, haven't checked out bgpmon yet

---Gorjan Petrovski The BGPMon service advertizes changes in BGP data on a certain port, so a client would only have to connect and listen to get the information. The BGPMon message format is XML so any attempt at implementing such a script should probably be made after we have XML parsing libraries available. The top level structure of the message is called BGP_MESSAGE. It includes structures containing time information (TIME), info about the connection over which the message was transferred (PEERING), BGP-related info (ASCII_MSG/OCTET_MSG), and info about the status of the BGPMon server and its peers (STATUS_MSG). Information which would perhaps be useful in a simple *-info script is the TIME, PEERING and STATUS_MSG. The STATUS_MSG itself contains one of four kinds of messages: QUEUE_STATUS (internal queue), SESSION_STATUS (BGP peering routers), CHAIN_STATUS (peering BGPMon server), BGPMON_STATUS (BGPMon server itself). Out of these four, the CHAIN_STATUS and BGPMON_STATUS would be the main source of info for this kind of script. On the other hand, the BGP info which the BGPMon service advertizes could perhaps be used for something wicked :)

--John Bond thanks for the info

mbmon-info

A script that connects to an mbmon service revealing health stats of the remote system to the nmap user. The script would be useful for administrators, as it allows gathering statistics of multiple machines with nmap scans. Developing the script requires access to mbmon compatible hardware. The protocol is flexible, making raw use of the protocol easier, but this makes writing clients for it a bit harder. Depending on configuration one of several formats is used over the connection.

http://www.nt.phys.kyushu-u.ac.jp/shimizu/download/download.html

soap.lua and xmlrpc.lua

It'd be handy to have libraries that can speak SOAP or XMLRPC, since many modern servers use those protocols.


smb-logs

Gather Windows system logs, like PsLogList from sysinternals.

opentracker-stats

The OpenTracker bittorrent tracker provides stats at the address http://<server>/stats?mode=everything. The script should read and parse the stats, and return them in a convenient format.

Mogi57 This tracker is aimed at minimal resource usage and intended to be run on routers (wlan). It's based on libowfat (general purpose APIs). Statistics include info on software version, peers, torrents, seeds, uptime, connections and debugging info. A configuration file is used to set which statistics can be shared. This seems to be a young project, and libowfat looks like it's bleeding-edge. According to Toni, some high profile trackers use it, among which used to be The Pirate Bay before they gave up torrent tracking.

Citrix Access Gateway Command Execution (HTTP) (CVE-2010-4566)

  • Info: the NTLM authentication module of the Citrix Access Gateway allows attackers to execute arbitrary commands via shell metacharacters by sending a specially crafted POST request, more precisely in the password field.
Date: Dec 21 2010
CVE: CVE-2010-4566
Vulnerable versions: 9.2-49.8 and earlier.
URLs:
cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4566
vsecurity.com http://www.vsecurity.com/resources/advisory/20101221-1/
exploit-db http://www.exploit-db.com/exploits/16916/
metasploit Metasploit citrix_access_gateway_exec.rb

http-contentkeeper-file-download (OSVDB:54551)

Exploits ContentKeeper Web Appliance to download a remote file by abusing the 'mimencode' binary included with the installations.

http-sonicwall-format-dos (OSVDB:54881)

Exploits a format string vulnerability in SonicWALL's SSL-VPN Appliance series 200, 2000 and 4000. We exploit it by sending a string longer than 127 characters.

Note: We need someone with access to this device to take care of this.

radmin-brute

Bruteforce script for the Radmin service (a popular commercial remote computer control service).

Concerns: this script uses the Twofish encryption algorithm for connection and SRP (RFC 2945) for authentication and there might be a need for adding external C libraries.
Twofish implementation by Bruce Schneier: http://www.schneier.com/twofish-download.html
Related nmap-dev discussion: http://seclists.org/nmap-dev/2011/q2/341

vulndb

A script which has a database of known vulnerable software versions so that it can list possible vulnerabilities based on Nmap version detection results. Since sometimes software is patched but keeps the same version number, these vulnerability reports will likely be listed as "possible vulnerabilities" rather than sure things. If a more reliable detection method is found for a vuln, it can be moved into its own script. For each vuln we should provide relevant information such as a name, CVE #, and reference link. We could consider trying to use existing vuln DBs for this (license permitting) as in Marc Ruef's script here. But we will probably need to just make our own DB.

backorifice2000-info

Backorifice2000 is a complete rewrite of Backorifice remote administration application. It supports serious encryption through. The script might be able to use openssl to support some of these. The script may need to ask the user for authentication credentials, but some servers may also run in a null authentication mode.

ipmi-version, ipmi-cipher-zero, ipmi-dump-hashes, ipmi-user-brute etc.

IPMI is the basis for Dell's iDRAC, HP iLO, IBM IMM2, etc. HD Moore & co have discovered lots of security problems with the protocol, and it is used all over the place. Metasploit has three scanner modules that already do some of this stuff, but some NSE scripts would put it into more network admins' hands.

PXE extensions for broadcast-dhcp-discover

Extend dhcp.lua to support PXE extensions. Let the dhcp discovery scripts also send these requests and report the results.

snmp-engine-id

Look up the SNMP engine ID from a data file. Replace this section of nmap-service-probes in SNMPv3GetRequest:

# Enterprise numbers as used in SNMP engine IDs are here:
# http://www.iana.org/assignments/enterprise-numbers

# Cisco - SNMP Engine ID 9 (CiscoSystems) = \x00\x09
match snmp m|^..\x02\x01\x030.\x02\x02Ji\x02.{3,4}\x04\x01.\x02\x01\x03\x04.{5,6}\0\x00\x09|s p/Cisco SNMP service/

# Cisco - SNMP Engine ID 99 (SNMP Research) = \x00\x63
match snmp m|^..\x02\x01\x030.\x02\x02Ji\x02.{3,4}\x04\x01.\x02\x01\x03\x04.{5,6}\0\x00\x63|s p/Cisco SNMP service/

# Brocade - SNMP Engine ID 1588 (Brocade Communications Systems, Inc.) = \x06\x34
match snmp m|^..\x02\x01\x030.\x02\x02Ji\x02.{3,4}\x04\x01.\x02\x01\x03\x04.{5,6}\0\x06\x34|s p/Brocade SNMP service/

The last 2 bytes of each of these is an engine ID. Engine IDs are mapped to names by the file https://www.iana.org/assignments/enterprise-numbers. Instead of having all these version signatures, we should just do it in a script once and for all.

David (talk) 14:50, 29 October 2012 (PDT)

  • snmp-info does this now. Does this mean we should remove all those fingerprints? Any other considerations? Bonsaiviking (talk) 04:17, 18 December 2014 (UTC)
  • Since snmp-info is in version category, it sounds like it subsumes all the matchlines and they should be deleted.
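
The lookup this idea describes, as an added example that is not Nmap code and not how snmp-info is implemented: plain Lua 5.3+ that decodes an SNMPv3 engine ID using the RFC 3411 layout and maps the enterprise number to a name. The table holds only the three enterprises named in the comments above; the sample engine IDs and function names are constructed for illustration.

```lua
-- Added example, not Nmap code. Plain Lua 5.3+; no NSE libraries are used.

-- Enterprise numbers named on this page. A real script would load the full
-- IANA enterprise-numbers file instead of this three-entry table.
local ENTERPRISES = {
  [9]    = "ciscoSystems",
  [99]   = "SNMP Research",
  [1588] = "Brocade Communications Systems, Inc.",
}

-- Format octet values defined by RFC 3411 (SnmpEngineID).
local FORMATS = { [1] = "IPv4 address", [2] = "IPv6 address",
                  [3] = "MAC address", [4] = "text", [5] = "octets" }

local function hex(s)
  return (s:gsub(".", function(c) return ("%02x"):format(c:byte()) end))
end

-- Decode raw engine ID octets. The first four octets carry the enterprise
-- number; the top bit says whether the RFC 3411 layout (format octet plus
-- data) follows or an older enterprise-defined layout.
local function parse_engine_id(id)
  if #id < 5 or #id > 32 then
    return nil, "engine ID must be 5 to 32 octets"
  end
  local first = string.unpack(">I4", id)
  local result = { enterprise = first & 0x7fffffff }
  result.vendor = ENTERPRISES[result.enterprise] or "unknown enterprise"

  if (first & 0x80000000) == 0 then
    result.format = "enterprise-defined (pre-RFC 3411 layout)"
    result.data = hex(id:sub(5))
    return result
  end

  local fmt, body = id:byte(5), id:sub(6)
  if fmt == 1 and #body == 4 then
    result.format = FORMATS[1]
    result.data = table.concat({ body:byte(1, 4) }, ".")
  elseif fmt == 3 and #body == 6 then
    result.format = FORMATS[3]
    result.data = ("%02x:%02x:%02x:%02x:%02x:%02x"):format(body:byte(1, 6))
  elseif fmt == 4 then
    result.format, result.data = FORMATS[4], body
  else
    -- IPv6, raw octets, enterprise-specific formats, or a length that does
    -- not fit the declared format: report the bytes without interpreting.
    result.format = FORMATS[fmt] or ("format %d"):format(fmt)
    result.data = hex(body)
  end
  return result
end

-- Constructed engine IDs (not taken from real devices).
local samples = {
  "\x80\x00\x00\x09\x03\x00\x1b\x54\xaa\xbb\xcc",  -- enterprise 9, MAC
  "\x80\x00\x06\x34\x01\xc0\x00\x02\x0a",          -- enterprise 1588, IPv4
  "\x80\x00\x00\x63\x04lab-switch",                -- enterprise 99, text
  "\x80\x00",                                      -- truncated
}
for _, raw in ipairs(samples) do
  local r, err = parse_engine_id(raw)
  if r then
    print(r.enterprise, r.vendor, r.format, r.data)
  else
    print("rejected:", err)
  end
end
```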

oracle-dump-hashes

Some broken versions of the Oracle authentication protocol disclose a value that is essentially equivalent to a password hash. A script would dump all these hashes for offline cracking. CVE-2012-3137.

pppoe-enum-auth

Starts PPPoE session against the given PPPoE server and tries to learn whether the server supports PAP/CHAP/EAP. --Nevdull77 11:49, 11 January 2012 (CST) There's code in the library to support this, but it needs some more work before it's done

Sun RPC scripts (rup, rusers, etc)

Specs for these protocols are often distributed in ONC IDL files (.x extension). Some services (like rstatd) respond to broadcast requests. Lots of good information can be pulled from these. yp/NIS will give directory information (passwd, passwd.adjunct, hosts, group, etc). rusers is very similar to finger. Bonsaiviking 12:51, 5 June 2012 (PDT)

svrloc-info

RFC 2608 specifies the Service Location Protocol for automatic service discovery via multicast UDP (may also support unicast and/or TCP). Bonsaiviking 13:12, 5 June 2012 (PDT)

There is a library for this called srvloc.lua and two scripts make use of it broadcast-novell-locate.nse and broadcast-versant-locate.nse. We could probably make a script (srvloc-info) that pulls more generic stuff out though. --Nevdull77 02:53, 6 June 2012 (PDT)

Maybe

These are script ideas that may be eligible for Nmap inclusion if well written, but we have one or more concerns about them. The concerns are listed along with the script idea. Feel free to discuss the idea on this page (you can sign your name with the signature button above the edit field). If you really want a script listed here, don't hesitate to write it and submit it to nmap-dev. We might still accept these into Nmap. And even if we don't, they will be permanently archived in the script archive so you and anyone else who desires them can use them.

http-fingerprints update

Fix the http-fingerprints.lua file indentation, extract the fingerprints listed in the attacks category that are associated with a CVE or OSVDB identifier into their own scripts, taking advantage of the vulnerability library. Add a bunch of new fingerprints. --Duarte Silva 10:27, 3 February 2012 (CST)

This is a good idea, but kind of vague overall (hard to ever say it is "done"), and we need to consider that some vulns really are worth moving to individual scripts where there is true value there, but many others are probably better staying in http-fingerprints.lua. As we identify individual new scripts to write, we can add those as separate entries in incoming/solid candidates/etc. Fyodor 13:58, 5 June 2012 (PDT)

peer-to-peer shared files' vulnerability scanning

With the growing number of peer-to-peer sharing programs out there, sharing (knowingly or otherwise) of important, personal and vulnerable data has increased drastically. It's easy to hack someone when the user himself shares all the data a hacker wants, so the proposal is to write a script which would scan the users in all the hubs of a peer-to-peer program (for instance DC++) and list those users who have shared folders like C:/ (the Windows installation folder), AppData (a hidden and very vulnerable folder in Windows), .mozilla on Linux and various other vulnerable files and folders, download those folders and compile important data (read: important passwords). This has been done manually, and a script would help those vulnerabilities to be detected quickly and would eventually help those open source sharing programs add this detection to their code to prevent users from sharing not-to-be-shared files.

If this script is going to function by searching the known P2P network hubs themselves, and doesn't relate to any of the targets given to Nmap, it might be better as a standalone script. Though further interrogation of P2P nodes discovered by Nmap in its scanning can be quite valuable and warrant NSE scripts, but we'd need more details about how that would work, what protocols, etc. (Per discussion on #nmap IRC, Tue Jun 5 20:22:00 UTC 2012)

pptp-brute

Add a brute force script for the pptp service, supporting authentication using PAP, CHAP and MS-CHAP. --Nevdull77 13:40, 8 March 2012 (PST)

This would be a nice script, but Patrik tried to implement it and ran into technical challenges. More complex protocol than it seems.


Windows installed software (registry/uninstall)

  • Prefetch
  • Registry (uninstall)
  • List folders in c:\program files

This could be partly achieved using the snmp-win32-software script --Nevdull77 06:47, 26 July 2011 (PDT)

SSL renegotiation [4]

Determine whether or not a server supports SSL Renegotiation and is vulnerable to a certain class of attacks.

Might be worth doing, though this is a 2009 bug. Fyodor 16:25, 18 October 2011 (PDT)
TLS renegotiation seems to be a troublesome topic. See the Triple Handshake attack in March 2014 Bonsaiviking (talk) 13:12, 5 March 2014 (UTC)

Bruteforce framework improvements - arbitrary number of inputs

  • Handle arbitrary number of inputs (e.g., username, password, repository)

ExploitSearch script

  • Info: The ExploitSearch[5] website references data from several exploits/vulnerability databases. A script could submit version detection results and display related vulnerabilities according to this search engine.

http-wordpress-custompages-lfi

Exploits a local file inclusion vulnerability to retrieve files from the server.

Script can't be found online anywhere anymore.

http-phpmyadmin-dir-traversal

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 to retrieve remote files on the web server. Other phpmyadmin versions might be vulnerable.

This vulnerability is from 2005. Are there still installations out there?

Debian OpenSSL blacklist [6]

Detect and report if somebody is using a bad key from Debian (this script requires a significant amount of data to be stored, or an external lookup)

The keys generated by HD Moore (DSA 1024 + RSA 2048 and RSA 1023 / 1024 / 2047 / 4096 / 8192 bit keys) are about 4MB compressed and about 7MB decompressed. Has anyone started this script? It would be useful, but useful enough to bloat nmap by 4MB? --Bcoles 17:06, 11 June 2011 (PDT)
How about downloading it on the first use? D33tah (talk) 21:57, 19 July 2013 (UTC)

peer-to-peer shared files' vulnerability scanning

With the growing number of peer-to-peer sharing programs out there, sharing (knowingly or otherwise) of important, personal and vulnerable data has increased drastically. It's easy to hack someone when the user himself shares all the data a hacker wants, so the proposal is to write a script which would scan the users in all the hubs of a peer-to-peer program (for instance DC++) and list those users who have shared folders like C:/ (the Windows installation folder), AppData (a hidden and very vulnerable folder in Windows), .mozilla on Linux and various other vulnerable files and folders, download those folders and compile important data (read: important passwords). This has been done manually, and a script would help those vulnerabilities to be detected quickly and would eventually help those open source sharing programs add this detection to their code to prevent users from sharing not-to-be-shared files.

comments from irc meeting 05/06/12 --Balder 13:22, 5 June 2012 (PDT)

if this script is going to function by searching the known P2P network hubs themselves, and doesn't relate to any of the targets given to Nmap, it might be better as a standalone script. Though further interrogation of P2P nodes discovered by Nmap in its scanning can be quite valuable and warrant NSE scripts, but we'd need more details about how that would work, w

Resources:

  • http://itsecurity.net/
  • We added this to maybe section because the problem is likely mostly addressed (vulnerable certificates either expired or detected and replaced) since this issue happened years ago. Plus the data file is too large to include with Nmap, so the user would have to get it themselves. For those reasons, we see this script as lower priority than some of the other opportunities.

http-iomega-session (CVE-2009-2367)

Exploits weak session ids by bruteforcing a valid session to the web administration interface of the Iomega StorCenter Pro NAS.

RESOURCES

NOTE: We need access to this device to write the script, and it only works if a user is logged in.

http-jetadmin-code-exec (OSVDB:5798)

Exploits a command execution vulnerability in the web management interface of the HP Web JetAdmin network printer tool v6.2 - v6.5.

http-webrick-headers-dos (CVE 2008-3656)

Exploits a denial of service vulnerability by sending a specially crafted HTTP request.

Note: We moved it here because WEBrick is not as popular and this vulnerability is only a DoS.

http-dell-openmanage-dos (CVE 2004-2691)

Exploits a heap overflow in Dell's OpenManage Web Server to cause a denial of service due to improper handling of POST data.

http-3com-dos (CVE-2004-2691)

Exploits a denial of service vulnerability in 3Com SuperStack switches by sending excessive data to the Management interface.

Note: Added to 'maybe' because it's an old DoS vulnerability that might not be too popular anymore.

http-authbypass-verb

Checks for HTTP authentication bypass vulnerabilities when using unexpected HTTP verbs. Resources:

There is a script that partially does this called http-method-tamper written by Hani Benhabiles. We could extend it with other verbs such as DEBUG and TRACE in addition to HEAD. --Nevdull77 05:01, 20 November 2011 (PST)

http-tomcat-transferencoding-dos (CVE:2010-2227)

Exploits a denial of service and information disclosure vulnerability in Apache Tomcat installations. Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta are affected.

Resources:

http-fileupload-exploiter

A script to exploit insecure file upload forms in web applications. Since there are several ways of exploiting insecure uploads we can include different methods with this script.

  • Insecure extensions
We upload a file and check if payload was executed to test for insecure uploads.
  • PHP getimagesize() / content type checks bypassing
We send an image file containing valid content type with our payload appended to trick PHP applications that use getimagesize or content type checks.

http://www.scanit.be/uploads/php-file-upload.pdf

Implementation by George Chatzisofroniou:

Note: This is in the Maybe category since implementation is hard compared to the time it takes the user to perform these actions manually.

Zend Server Java Bridge Arbitrary Java Code Execution

  • Info: pre-authentication remote Java code execution. We should give it a shot if we can install this infrastructure on Ubuntu, however even if I've learned Java at school, I still don't know it. So we must copy some Java code.
Date: 2011-03-30
Verified: OK (by exploit-db.com)
Vulnerable versions: 5.0.2 and prior.
OSVDB: OSVDB-71420 (see: http://osvdb.org/71420)
URLs: (see [7] and [8]).

dhclient remote arbitrary commands execution

  • Info: dhclient is vulnerable to remote arbitrary command execution via shell metacharacters in a hostname obtained from a DHCP message.
Date: 2011-04-05
CVE: 2011-0997
OSVDB-ID: 71493
URLs
Red Hat bugzilla [9]
CVE [10]
OSVDB [11]

wesnoth-info

Reveals details of a Battle for Wesnoth server by speaking its protocol. The network protocol is documented and is called WML. The protocol is XML-based. Gzip is used for compression.

teredo-info

Teredo is used to form IPv6 over IPv4 tunnels. The involved service is used to negotiate tunnels, and to do diagnostics required for NAT hole punching, finding out a local public IP and such. Designing the script requires examining a lengthy RFC in detail.

Sounds valuable, but can the submitter (or anyone) provide more information about how such a script would work and what information it should provide?--Fyodor 16:21, 30 March 2011 (PDT)
Teredo provides services that are quite similar to STUN, but not compatible with STUN. As the Teredo specification contains all kinds of functionality, I think it would make sense to write the stun-info script first, and try to dig the same information out of the teredo service. Something might be a bit different, or Teredo might provide some information that STUN does not, but basing the teredo script on the STUN script provides a good starting point. --Cyberix 08:30, 16 June 2011 (PDT)

gnutella-info

The script should list any information that it can get from a Gnutella node by speaking the Gnutella protocol.

We need more details about what information is available from gnutella nodes before we can really consider this one. If useful info is available from the nodes, we would probably accept the script. If someone adds more details to this script description, feel free to put it back up in the incoming section of this page.--Fyodor 16:01, 30 March 2011 (PDT)

sub7-info

Sub7 is a remote administration tool. The info script should provide any information trivially available by speaking the protocol. Other scripts may be written to support more advanced features.

We need more details about what information is available from Sub7 before we can really consider this one. If useful info is available, we would probably accept the script. If someone adds more details to this script description, feel free to put it back up in the incoming section of this page.--Fyodor 16:13, 30 March 2011 (PDT)
I am a bit lost regarding sub7. There seem to be multiple versions, and I am not sure if it was completely rewritten at some point. Some versions seem to have a plain text protocol, and offer useful information. Someone would need to check if the server supports anonymous use, or if it always requires a password. --Cyberix 13:15, 1 April 2011 (PDT)

netbus2-info

NetBus 2.x Pro is a shareware remote administration tool that was created as a follower to the free 1.x versions. All communication seems to be encrypted. The script should provide whatever information can be retrieved by speaking the protocol. The project is hard, as one needs to reverse engineer the system to find out what kind of encryption is used.

We need more details about what information is available from netbus2 before we can really consider this one. If useful info is available, we would probably accept the script. If someone adds more details to this script description, feel free to put it back up in the incoming section of this page.--Fyodor 16:13, 30 March 2011 (PDT)


http-auth-checker/http-auth-inspector

The purpose of this script is to find pages that should be protected but aren't, due to flaws in the authentication logic of web applications. First, the script will crawl a web server using valid credentials to generate a sitemap of protected pages. Then it will try to access those pages again without the credentials, to identify the files where authentication mechanisms are missing, causing auth bypass vulnerabilities.
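The comparison step of that procedure, as an added Python example that is not part of this page or of Nmap. The response dictionaries, `LOGIN_PATH` and `EXPECTED_PUBLIC` are constructed assumptions standing in for the two crawls of an application you are authorised to test.

```python
import hashlib

LOGIN_PATH = "/login"              # assumed login URL of the constructed application
EXPECTED_PUBLIC = {"/", "/about"}  # assumed: pages meant to be reachable anonymously


def body_digest(body):
    return hashlib.sha256(body).hexdigest()


def classify(authed, anon):
    """Compare one page fetched with credentials (authed) and without (anon)."""
    if anon["status"] in (401, 403):
        return "protected"
    if (anon["status"] in (301, 302, 303, 307)
            and anon.get("location", "").startswith(LOGIN_PATH)):
        return "protected"
    if anon["status"] == 200:
        if body_digest(anon["body"]) == body_digest(authed["body"]):
            return "missing auth"   # same content with and without credentials
        return "review"             # 200 but different: login form or per-user page
    return "review"


def audit(authed_pages, anon_pages):
    """authed_pages: sitemap from the credentialed crawl; anon_pages: the re-fetch."""
    findings = {}
    for path, authed in authed_pages.items():
        if path in EXPECTED_PUBLIC or authed["status"] != 200:
            continue
        findings[path] = classify(authed, anon_pages[path])
    return findings


# Constructed responses for the two passes over the same paths.
AUTHED = {
    "/": {"status": 200, "body": b"home"},
    "/admin/users": {"status": 200, "body": b"user list"},
    "/admin/export.php": {"status": 200, "body": b"id,name\n1,alice\n"},
    "/account": {"status": 200, "body": b"Hello alice"},
}
ANON = {
    "/": {"status": 200, "body": b"home"},
    "/admin/users": {"status": 302, "location": "/login?next=/admin/users", "body": b""},
    "/admin/export.php": {"status": 200, "body": b"id,name\n1,alice\n"},
    "/account": {"status": 200, "body": b"<form>Please log in</form>"},
}

if __name__ == "__main__":
    for path, verdict in sorted(audit(AUTHED, ANON).items()):
        print(f"{verdict:13} {path}")
```

Pages that embed timestamps or CSRF tokens never hash identically, so they land in "review" rather than "missing auth" and need a looser comparison.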

Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS

  • Windows Vista and later are vulnerable to a stack corruption that can be caused by a specially crafted Link-Local Multicast Name Resolution (LLMNR) query. Currently this is only a DoS, but perhaps it can be turned into remote code execution.
Date: 2011-04-12
CVE: CVE-2011-0657
URLs: (see Metasploit ms11_030_dnsapi.rb)

Samba

Samba < 3.5.5 is vulnerable to remote code execution (see [12]).

A problem is that it appears that you need admin credentials in order to exploit. Fyodor 13:03, 24 May 2011 (PDT)

Samba Symlink Traversal

  • Info: remote authenticated users are able to create symbolic links to the root filesystem when the file share is writable. Anonymous users with write access can also exploit this vulnerability.
Date: 2010-02-08
Verified: OK
URLs: (see [13] and Metasploit samba_symlink_traversal.rb)

Asterisk

Several security holes were recently reported for Asterisk (like: [14] and [15]). See whether they're interesting ones to detect.

One is a DoS bug, another allows executing shell commands, but only if you already have "System" privileges. Fyodor 13:03, 24 May 2011 (PDT)

broadcast-firesheep-discovery

Firesheep is a session hijacking tool that may be used to take over unprotected network sessions on wireless networks. The firesheep-discovery prerule script would list hosts that are running Firesheep on the current LAN. The script should support adding discovered hosts as scan targets. A tool called BlackSheep does this type of discovery. The discovery can be done by creating fake sessions, and capturing messages sent by Firesheep to gather details of the available sessions.

  • It might also be possible to detect Firesheep version based on the sites that it tries to hijack, but there might not be too many different versions available.

Implementing HTTP anti-IDS tactics

Create an NSE library that implements anti-IDS techniques. There is an interesting paper here. This would be useful for http-enum and probably other scripts that send a lot of probes and are pretty intrusive.

Web app fingerprinting (static files)

This works by storing hashes of static files from known web applications and querying a target for them.

/CHANGELOG.txt (One HTTP request)
"b54c033af08c823221535ed0677242ba" -> Drupal 6.20
"aeb74a5dbcd3a1adcc0ca8b78449e50f" -> Drupal 6.23
"1e992c3dd0243b078885d99368004d53" -> FooBar CMS 1.2

/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
"37e194b799d4aaff10e39c4e3b2679a2" -> PHP 5.0.0 - 5.0.3
"4b2c92409cf0bcf465d199e93a15ac3f" -> PHP 4.3.11, 4.4.0 - 4.4.9, 5.0.4 - 5.0.5, 5.1.0 - 5.1.2

...

Obviously, hashes will be maintained in a different file (like http-fingerprints.lua for http-enum).

Compared to the way http-enum works, this is less resource intensive (no grepping in large dynamically output pages) and more accurate (fewer false positives), but both techniques are complementary.

A good demonstration of this technique is BlindElephant, but also Nmap's http-favicon script, which could be considered a special case. Also, see Kolkata. But what Nmap has that such tools don't is the huge community that would be contributing fingerprints to support more and more web applications.

Development along these lines:

  • http://seclists.org/nmap-dev/2013/q1/172
  • http://seclists.org/nmap-dev/2013/q2/57
  • http://seclists.org/nmap-dev/2013/q2/146
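The lookup described in this section, as an added Python example that is not Nmap code or taken from the linked threads. The two Drupal digests come from the listing above; `SAMPLE_CHANGELOG`, the "Example CMS" entry and the `make_fetch` stand-in for an HTTP client are constructed so the example runs offline.

```python
import hashlib

# Constructed sample: the body a target would serve for /CHANGELOG.txt.
SAMPLE_CHANGELOG = b"Example CMS 1.0, 2013-01-01\n- constructed changelog body\n"

# probe path -> {MD5 of the response body: application and version}.
# The Drupal digests are the ones listed on this page; the last entry is
# constructed from SAMPLE_CHANGELOG so the example can run offline.
FINGERPRINTS = {
    "/CHANGELOG.txt": {
        "b54c033af08c823221535ed0677242ba": "Drupal 6.20",
        "aeb74a5dbcd3a1adcc0ca8b78449e50f": "Drupal 6.23",
        hashlib.md5(SAMPLE_CHANGELOG).hexdigest(): "Example CMS 1.0 (constructed)",
    },
}


def identify(path, status, body):
    """Return the application/version for one probe response, or None."""
    if status != 200:
        return None
    return FINGERPRINTS.get(path, {}).get(hashlib.md5(body).hexdigest())


def fingerprint_host(fetch):
    """fetch(path) -> (status, body). Sends one request per probe path."""
    matches = {}
    for path in FINGERPRINTS:
        status, body = fetch(path)
        version = identify(path, status, body)
        if version is not None:
            matches[path] = version
    return matches


def make_fetch(site):
    """Stand-in for the HTTP client: serves bodies from a dict, 404 otherwise."""
    def fetch(path):
        if path in site:
            return 200, site[path]
        return 404, b"Not Found"
    return fetch


if __name__ == "__main__":
    exact = make_fetch({"/CHANGELOG.txt": SAMPLE_CHANGELOG})
    print(fingerprint_host(exact))
    # The same file re-saved with CRLF line endings no longer matches: an exact
    # hash never gives a near miss, so a modified file goes unidentified
    # instead of being reported as the wrong version.
    crlf = make_fetch({"/CHANGELOG.txt": SAMPLE_CHANGELOG.replace(b"\n", b"\r\n")})
    print(fingerprint_host(crlf))
```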

httpspider redesign

Update: This is now in our bugtracker: https://github.com/nmap/nmap/issues/82

Currently, httpspider is a library that provides a nice interface to a web crawler, but each script that uses it gets a separate crawler. Even with the caching from the http library, this can get inefficient, especially if the crawlers are not synced closely (pages cached by the first crawler are dropped from the cache before the second crawler gets there).

This proposal is to rework the current scripts using httpspider to register callbacks for a single spider instance (perhaps in a dedicated script), so for each request, a series of scripts can view and parse the output immediately. Notional components:

  • httpspider.lua - basically no modifications. Add functions for intelligent merging of options from varying scripts (e.g. whitelist is a set that can be added to, not subtracted from; depth = max(depth, newdepth), etc).
  • http-spider-engine.nse - creates and runs the crawler, executing callbacks (stored perhaps in the host.registry) for each page. Depends on every http-*-spider.nse script (this is kludgy). Outputs results from each script's callbacks under a separate heading in its output.
  • http-*-spider.nse - Defines and registers callbacks for http-spider-engine to execute. Modifies spider options (e.g. whitelist/blacklist) as needed, via httpspider library functions.

Lots of questions about this:

What happens when one script starts the spider, the spider gets halfway through its crawl, and then another script starts that needs directories the spider has already passed over? Does this spider start again from the beginning? What about a script that wants to get .jpg files at depth ≤2 and another script that wants .css files at depth ≤5; will the merging of options cause the spider to start retrieving .jpg files at depth 4?
Is the HTTP cache really so inefficient? I can imagine the situation of things expiring from cache before being needed again, but does it really happen in typical use? Can you back this up with some data? Is requesting a document twice really much worse than forcing all scripts using the spider to run as slowly as the one needing the slowest crawl?

David (talk) 06:09, 16 August 2012 (CDT)

Some replies:
  • I envisioned the spider engine script to be a hostscript, while the "plugin" scripts would be portrule scripts. That would solve the timing issue.
  • Depth could be handled either as a parameter in registering the callback (files below a certain depth are checked against the list of callbacks with a depth <= current) or as a parameter passed to the callback (so the callback decides whether to run.) First option is better, since it allows the spider to determine max depth before running.
  • I haven't done calculations, but I have noticed scans with many debug statements from http lib saying cache is at its max size. Maybe an audit of http scripts could reveal requests that should not be cached.
Bonsaiviking (talk) 07:31, 16 August 2012 (PDT)
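The option merging from the proposal and the depth question raised in the discussion, as an added Python example (not httpspider code and not from either commenter). The `Registration` class, the function names and the `FRONTIER` list are hypothetical; the block shows that merged options alone would admit a .jpg at depth 4, while a depth stored with each callback registration does not.

```python
class Registration:
    """One script's callback registration (hypothetical structure)."""

    def __init__(self, name, extensions, max_depth):
        self.name = name
        self.extensions = frozenset(extensions)  # file extensions the script wants
        self.max_depth = max_depth               # deepest level the script cares about
        self.seen = []

    def callback(self, url, depth):
        self.seen.append((url, depth))


def merge_options(regs):
    """Engine-wide options: the whitelist only grows, depth is the maximum."""
    whitelist, maxdepth = set(), 0
    for reg in regs:
        whitelist |= reg.extensions
        maxdepth = max(maxdepth, reg.max_depth)
    return {"whitelist": whitelist, "maxdepth": maxdepth}


def extension(url):
    name = url.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def allowed_by_merged(url, depth, opts):
    """What a crawler driven only by the merged options would fetch."""
    return depth <= opts["maxdepth"] and extension(url) in opts["whitelist"]


def crawl(frontier, regs):
    """Fetch a URL only if some registration wants it at this depth."""
    opts = merge_options(regs)
    fetched = []
    for url, depth in frontier:
        if not allowed_by_merged(url, depth, opts):
            continue
        wanting = [r for r in regs
                   if extension(url) in r.extensions and depth <= r.max_depth]
        if not wanting:
            continue            # e.g. a .jpg below the image script's depth
        fetched.append(url)     # one request, shared by every interested script
        for reg in wanting:
            reg.callback(url, depth)
    return fetched


# Constructed frontier of (url, depth) pairs, as a crawler would discover them.
FRONTIER = [("/logo.jpg", 1), ("/css/site.css", 2), ("/a/b/c/photo.jpg", 4),
            ("/a/b/c/print.css", 4), ("/a/b/c/d/e/deep.css", 6)]

if __name__ == "__main__":
    images = Registration("images", {"jpg"}, 2)
    styles = Registration("styles", {"css"}, 5)
    print(crawl(FRONTIER, [images, styles]))
```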

Probably not (or needs clarification)

These are script ideas that are unlikely to be a good fit for Nmap proper, but might be worth writing and sending to nmap-dev anyway so folks can download and use the scripts themselves. In some cases, script ideas are here because we don't really understand them or need further clarification to consider them.


nrpe-brute

Brute force this Nagios service. Also see this non-brute force nrpe script. --Nevdull77 01:46, 13 January 2012 (PST) To the best of my knowledge, there's no real authentication in NRPE. At least that's what I've got from a few web searches and this: Opsview Unix Agent Customisation

synergy-brute

Brute force the Synergy remote KVM software system.

I don't really understand, as there is no concept of password in Synergy. Can anyone elaborate on what it is we want to brute here? --Nevdull77 14:17, 24 October 2011 (PDT)

Fingerprint VMware Server

A script to obtain the VMware Server information. This is Aleksey GreenDog Tyurin's idea and he already submitted a script. The script uses SOAP HTTP objects. Tixxdz 17:05, 25 July 2011 (PDT)

We will probably do this as a version detection probe instead. Fyodor 16:48, 18 October 2011 (PDT)


http-iphone4-ftp-dos

Crashes iPhone 4 FTP Server 1.0 remotely.

It seems that there is no support for password authentication!! (see [16]).

Resources:

Completed scripts

Many scripts from this page have been completed and removed. We generally just delete them from this page rather than adding them here because you can browse all completed Nmap NSE scripts at the script documentation portal.

See complete list at the script documentation portal

Volunteer Work

Ron Bowes + Alex Weber

http-git

This script will detect whether a .git file was left in the web root, and parse it to display interesting information.

More information can be obtained with a zlib binding, so we'll investigate that as well.

Infrastructure Tasks

This is a listing of various infrastructure related tasks. Anything not related to script writing should probably go here.

The pipelining facilities currently in the http library are not using the caching functions; this can also be fixed separately.

  • Nmap/Lua_5.2 offers the new Lua bit32 library. Currently none of the scripts or libraries use it though because I (Batrick (talk) 00:40, 19 June 2012 (CDT)) vaguely recalled some differences in behavior with Reuben Thomas' bitlib and the new bit32 library.
  • Improvements to the HTTP spider:
    • Allow doing HEAD requests instead of GET for certain links.
    • Allow a script to piggyback on other scripts doing spidering. No actual direction of a personal spider instance is done. Use case, http-rfi-spider simply wants to examine all html pages, but having it execute its own spider instance alongside other scripts is probably overkill.
  • NSE Debugger (a la GDB). Early work on incorporating a debugger was done by Diman Todorov. This work is probably far too out of date as NSE has changed significantly since that patch was written. Still, the idea is promising. Some features to consider:
    • Examine variables on the stack.
    • Examine the call stack.
    • Examine arbitrary threads in the waiting/running queues.
    • Set breakpoints.

I have these patches if anyone is interested... --Batrick (talk) 00:40, 19 June 2012 (CDT)

  • nse_nsock.cc can be improved to not run the callbacks on the thread which made the callback. It would be better to run the callback on the currently running thread. Generally, it's bad practice to call functions on a yielded thread. This is on my TODO list. --Batrick (talk) 00:40, 19 June 2012 (CDT)
  • A robust, dynamic NSE parallelism algorithm (sets the max number of sockets that can be opened) would be an interesting project to explore. Work was done in the past to measure the effects of parallelism. A benchmark with the current (much larger number of!) scripts would be instructive on whether this is worthwhile.
  • Improve the NSE Nsock binding to only allow one open socket per thread. Currently a script can connect as many sockets as it wants once it has a "socket_lock".