mastering the nmap scripting engine
play

Mastering the Nmap Scripting Engine by Fyodor and David Fifield - PowerPoint PPT Presentation

Aug 20, 2023 •220 likes •424 views

Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

  1. Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

  2. Insecure.Org Insecure.Org Outline • NSE Intro & Usage • Large-scale Scan: SMB/MSRPC • Writing NSE Scripts • Live Script Writing Demo • Final Notes & Q/A

  3. Insecure.Org Insecure.Org Nmap Scripting Engine # nmap -A -T4 scanme.nmap.org Starting Nmap 5.35DC18 ( http://nmap.org ) Nmap scan report for scanme.nmap.org (64.13.134.52) Host is up (0.0018s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) | ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA) |_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA) 53/tcp open domain 80/tcp open http Apache httpd 2.2.3 ((CentOS)) |_html-title: Go ahead and ScanMe! | http-methods: Potentially risky methods: TRACE |_See http://nmap.org/nsedoc/scripts/http-methods.html 113/tcp closed auth 31337/tcp closed Elite OS details: Linux 2.6.13 - 2.6.31, Linux 2.6.18 Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds

  4. Insecure.Org Insecure.Org Pre-written Scripts and the NSEDoc Portal http://nmap.org/nsedoc/

  5. Insecure.Org Insecure.Org Script Collection Growth 140 120 100 80 60 40 20 0 2007-1 2007-2 2008-1 2008-2 2009-1 2009-2 2010-1 2010-2

  6. Insecure.Org Insecure.Org Large Scale Scan #1: SMB/MSRPC Scripts Ron Bowes spent months researching SMB/MSRPC protocols and wrote a suite of 13 scripts. Informational : smb-os-discovery, smb- server-stats, smb-system-info, smb-security- mode Detailed Enumeration : smb-enum-users, smb-enum-domains, smb-enum-groups, smb-enum-processes, smb-enum-sessions, smb-enum-shares More intrusive : smb-brute, smb-check- vulns, smb-psexec

  7. Insecure.Org Insecure.Org Who to test them out on?

  8. Insecure.Org Insecure.Org MS Scan Details • Step 1: Find target IP addresses. 1,004,632 located in ARIN DB. • Step 2: Start broad version detection scan (nmap -T4 --top-ports 50 -sV -O --osscan- limit --osscan-guess --min-hostgroup 128 --host-timeout 10m -oA ms-vscan -iL ms.ips.lst) – Found 74,293 hosts up out of 1M IPs in 26 hours • Step 3: Examine results

  9. Insecure.Org Insecure.Org MS SMB Scan Results • Vast majority of MS networks block Windows ports such as 135 and 445 at their gateways. • ... but not all! • New scan: nmap -v -O -sV -T4 --osscan- guess -oA ms-smbscan --script=smb- enum-domains,smb-enum-processes,smb- enum-sessions,smb-enum-shares,smb- enum-users,smb-os-discovery,smb- security-mode,smb-system-info [Target Ips] • Results

  10. Insecure.Org Insecure.Org Writing NSE Scripts

  11. Insecure.Org Insecure.Org Introduction to Lua & Why We Chose It • Lightweight embeddable scripting language – Easy to learn – Tiny to embed: “Complete distribution (source code, manual, plus binaries for some platforms) fits comfortably on a floppy disk”. • Widely used, known, and debugged – Created in Brazil in 1993, still actively developed – Best known for its use in the game industry: World of Warcraft, Crysis, etc. – Security tools: Nmap, Wireshark, Snort 3.0

  12. Insecure.Org Insecure.Org Why We Chose Lua (Continued) • Extensible – Hooked to Nmap's fast parallel networking libraries • Safe & Secure – No buffer overflows, format string vulns, etc. • Portable – Windows, Linux, Mac, *BSD, etc. • Interpreted

  13. Insecure.Org Insecure.Org Capabilities Added by Nmap • Protocol/helper libraries – 45, including DNS, HTTP, MSRPC, Packet, SNMP, unpwdb, etc. • Protocol brute forcers • Easy SSL • Dependencies

  14. Insecure.Org Insecure.Org Script Example: rpcinfo.nse

  15. Insecure.Org Insecure.Org Live Script Demonstration Problem: Find my webcam on a dynamic IP address. The webcam uses thttpd to serve /cam.jpg, so use a script to check those two things.

  16. Insecure.Org Insecure.Org Make it a Production Script To turn http-brute into distribution-ready script, I would next • expand the portrule to match more HTTP services, • add script arguments to control the path retrieved and the method used, • add NSEDoc @usage and @output examples, and • let it cache credentials for other scripts to use.

  17. Insecure.Org Insecure.Org What's Coming in NSE? • Prerules & Postrules • Target Acquisition Scripts • Lots more scripts! Current queue: – Vnc-info (Patrik Karlsson) – Vnc-brute (Patrik Karlsson) – Svn-brute (Patrik Karlsson) – Hostmap (Ange Gutek) – Http-xst (Eduardo Garcia Melia) – Rmi-dumpregistry (Martin Swende)

  18. Insecure.Org Insecure.Org Zenmap NSE Integration

  19. Insecure.Org Insecure.Org Nmap Script Authors Aaron Leininger Eugene V. Alexeev Michael Schierl Andrew Orr Felix Groebert Patrik Karlsson Ange Gutek Ferdy Riphagen Philip Pickering Arturo Busleiman Jah Richard Sammet Bernd Stroessenreuther Jason DePriest Rob Nicholls Brandon Enright Joao Correa Ron Bowes David Fifield Kris Katterjohn Sven Klemm Diman Todorov Mak Kolybabi Thomas Buchanan Djalal Harouni Marek Majkowski Tom Sellers Doug Hoyte Martin Swende Vladz Duarte Silva Matthew Boyle Vlatko Kosturjak Eddie Bell Michael Pattrick

  20. Insecure.Org Insecure.Org Final Notes • Slides: http://insecure.org/presentations/ • Download Nmap from: http://nmap.org • NSEDoc portal: http://nmap.org/nsedoc/ • NSE system docs: http://nmap.org/book/nse.html • Q&A in Track #1 Q&A Room

Recommend

Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

622 views • 34 slides
Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

539 views • 4 slides
The New Nmap Gordon Fyodor Lyon iSec Open Security Forum August 21, 2008 San Jose, CA

The New Nmap Gordon Fyodor Lyon iSec Open Security Forum August 21, 2008 San Jose, CA

Insecure.Org Insecure.Org The New Nmap Gordon Fyodor Lyon iSec Open Security Forum August 21, 2008 San Jose, CA Insecure.Org Insecure.Org Nmap Scripting Engine (NSE) # nmap -A -PN -T4 www.ebay.com Starting Nmap ( http://nmap.org

792 views • 32 slides
Advanced network scanning with Nmap 6 Henri Doreau henri.doreau@gmail.com 13 th LSM - Geneva 2012

Advanced network scanning with Nmap 6 Henri Doreau henri.doreau@gmail.com 13 th LSM - Geneva 2012

Advanced network scanning with Nmap 6 Henri Doreau henri.doreau@gmail.com 13 th LSM - Geneva 2012 Project presentation Nmap Scripting Engine Nmap 6 new features Ongoing developments Conclusion Outline Project presentation 1 Introduction

844 views • 35 slides
Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor

Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor

Insecure.Org Insecure.Org Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor Lyon Sharkfest 2010 June 16, 1:15 PM http://insecure.org/presentations/Sharkfest10/ Insecure.Org Insecure.Org Nmap

278 views • 16 slides
Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th 2015 Only perform scans and exploitations after receiving permission from the owner of the machine/device. Nmap Purpose Scan a

671 views • 30 slides
THE MOD METHOD with VESPERS MASTERING In this Module What mastering can do & what it

THE MOD METHOD with VESPERS MASTERING In this Module What mastering can do & what it

THE MOD METHOD with VESPERS MASTERING In this Module What mastering can do & what it cant Self-mastering vs. third-party mastering Picking a mastering engineer Mastering work fl ow Audio artifacts & fi delity:

520 views • 16 slides
NMAP Jen Beveridge and Joe Kolenda secret.pathetic.net History of NMAP Developed by Gordon

NMAP Jen Beveridge and Joe Kolenda secret.pathetic.net History of NMAP Developed by Gordon

NMAP Jen Beveridge and Joe Kolenda secret.pathetic.net History of NMAP Developed by Gordon Lyon Features Host discovery Port scanning Version detecting OS detection Scriptable interaction with the target Uses of

339 views • 10 slides
Trinity uses nmap in the film The Matrix Reloaded to hack the city power grid Benjamin

Trinity uses nmap in the film The Matrix Reloaded to hack the city power grid Benjamin

Trinity uses nmap in the film The Matrix Reloaded to hack the city power grid Benjamin uses nmap in Who Am I - No System is Safe to compromise the local power company, causing a brief blackout Lisbeth uses nmap in the film The

710 views • 26 slides
Mastering the Gospel P resentation Welcome to the CMF Training page on Mastering a Gospel

Mastering the Gospel P resentation Welcome to the CMF Training page on Mastering a Gospel

Mastering the Gospel P resentation Welcome to the CMF Training page on Mastering a Gospel Presentation. This may be the most important thing that you do and you need to be able to do this as you grow in your Christian walk. You may be the only

290 views • 6 slides
Scripting with Objects: A Comparative Presentation of Scripting With Perl and Python Avinash C.

Scripting with Objects: A Comparative Presentation of Scripting With Perl and Python Avinash C.

Scripting with Objects: A Comparative Presentation of Scripting With Perl and Python Avinash C. Kak Click here if your download doesn"t start automatically Scripting with Objects: A Comparative Presentation of Scripting With Perl and

269 views • 5 slides
Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Insecure.Org Insecure.Org Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16 August 8, 2008; 4PM Insecure.Org Insecure.Org Scan Goals Collect empirical data and use it to enhance Nmap

558 views • 45 slides
Extending LLDB to More Scripting Languages Jonas Devlieghere, Apple C++ API Scripting Bridge

Extending LLDB to More Scripting Languages Jonas Devlieghere, Apple C++ API Scripting Bridge

Extending LLDB to More Scripting Languages Jonas Devlieghere, Apple C++ API Scripting Bridge API Scripting Bridge API SBThread SBDebugger SBBreakpoint SBTarget SBFrame SBSymbol SBValue SBProcess SBFunction Python Python

307 views • 15 slides
A Comparison of Python, JavaScript and Lua Scripting Language Features CS798 Scripting

A Comparison of Python, JavaScript and Lua Scripting Language Features CS798 Scripting

A Comparison of Python, JavaScript and Lua Scripting Language Features CS798 Scripting Languages Project Final Presentation March 31, 2014 Afiya Nusrat, Alexander Pokluda and Michael Wexler Outline Introduction Letter Lizard

758 views • 20 slides
What are scripting languages? Unix shells: sh, ksh, bash Scripting Languages job control

What are scripting languages? Unix shells: sh, ksh, bash Scripting Languages job control

10/22/08 What are scripting languages? Unix shells: sh, ksh, bash Scripting Languages job control Perl Slashdot, bioinformatics, financial data processing, cgi Python System administration at Google BitTorrent file

570 views • 7 slides
Mastering the DMA and IOMMU APIs Embedded Linux Conference Europe 2014 Dsseldorf Laurent

Mastering the DMA and IOMMU APIs Embedded Linux Conference Europe 2014 Dsseldorf Laurent

Mastering the DMA and IOMMU APIs Embedded Linux Conference Europe 2014 Dsseldorf Laurent Pinchart laurent.pinchart@ideasonboard.com DMA != DMA DMA != DMA (mapping) (engine) The topic we will focus on is how to manage system

1.45k views • 102 slides
Evolution of Scripting Languages UNIX shell scripting awk, sed, ksh, csh Tck/Tk Perl

Evolution of Scripting Languages UNIX shell scripting awk, sed, ksh, csh Tck/Tk Perl

Python Some material from: Stephen Ferg Bureau of Labor Statistics and Guido van Rossum Python Architect 1 Maria Hybinette, UGA Evolution of Scripting Languages UNIX shell scripting awk, sed, ksh, csh Tck/Tk Perl Python

473 views • 35 slides
Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting

Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting

Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting sales pitch + typical uses in scientific code Truth in advertising Cross-language communication mechanisms Tool support Some simple

336 views • 21 slides
Scripting languages can be used for small tools as well as larger applications Perforce

Scripting languages can be used for small tools as well as larger applications Perforce

Adventures in Scripting Land Scripting Perforce using Perl, Ruby and Python Overview Scripting languages can be used for small tools as well as larger applications Perforce provides the APIs P4Perl , P4Ruby and P4Python for the most

361 views • 16 slides
04 The Find command, editing, and scripting CS 2043: Unix Tools and Scripting, Spring 2019 [1]

04 The Find command, editing, and scripting CS 2043: Unix Tools and Scripting, Spring 2019 [1]

04 The Find command, editing, and scripting CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano January 30, 2019 Cornell University 1 Table of Contents 1. As always: Everybody! ssh to wash.cs.cornell.edu 4. Scripting 5.

724 views • 36 slides
Mastering Your Mindset Mastering Your Money Focus: How to Focus on Earning More Income, and

Mastering Your Mindset Mastering Your Money Focus: How to Focus on Earning More Income, and

Mastering Your Mindset Mastering Your Money Focus: How to Focus on Earning More Income, and Managing & Investing Your Money with John Assaraf What Is Money? Money Is A VERY Powerful Idea Money Is A Means Of Exchange Money Is

955 views • 40 slides
Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the process of improving the visibility of a website on organic ("natural" or un-paid) search engine result pages (SERPs), by incorporating

1.54k views • 35 slides
On the use of SSA with Scripting Languages Paul Biggar and David Gregg different Department of

On the use of SSA with Scripting Languages Paul Biggar and David Gregg different Department of

1. 18 min talking On the use of SSA with Scripting Languages 2. 12 min questions 3. Scripting langs are On the use of SSA with Scripting Languages Paul Biggar and David Gregg different Department of Computer Science and Statistics 4. Plan:

621 views • 42 slides
Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with high-level languages The turtle library Scripts & Dependency Management Parsing command line options A small application Conclusion Shell

537 views • 27 slides

More recommend