Tips for an Information Security Analyst/Pentester career - Episode 4: NSE overview
DISCLAIMER: All the scanning techniques explained here and over the prior episodes were performed either against my Metasploitable 2 virtual machine or against scanme.nmap.org
Don't attempt these techniques against any other websites, unless you're their owner or you're legally authorized/entitled to do so.
Depending on local regulations, portscanning a system without any authorization from its owner can cause you legal troubles, so be advised.
Over the previous episodes, we went through a brief overview of Nmap scanning options and capabilities.
We end this short series on Nmap with an introduction to its scripting engine, called NSE (Nmap Scripting Engine).
A thorough overview of this topic is available on the official website, and I strongly urge you to check it out if you want more information or your knowledge of the topic is already more advanced.
Nmap is very well known for its scanning capabilities, but NSE makes it much more powerful, allowing you to automate tasks and to retrieve a great deal more information.
Quoting the official website, NSE "allows users to write (and share) simple scripts (using the Lua programming language) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. Tasks we had in mind when creating the system include network discovery, more sophisticated version detection, vulnerability detection. NSE can even be used for vulnerability exploitation".
As a side note, the Lua programming language is also used by Wireshark, which allows the two tools to be integrated with each other.
Caveat
Before going ahead and examining scripts, we must take a caveat into consideration.
What you can do with NSE depends on the so-called rules of engagement, defined prior to the penetration test.
Such rules define which systems are included in the authorized scope and which attack types are allowed on the customer's systems.
NSE scripts are divided into intrusive and non-intrusive ones.
Based on what you agreed with the customer, you may not be allowed to use the former, so you might want to stick with the non-intrusive scripts.
NSE basic scan
In its most basic form, NSE can be used with the -sC option, which runs the default set of scripts, working like a sort of saturation bombing, as shown below:
The information available from the scan goes way beyond what you can get from an ordinary Nmap scan. We see important information, such as SSH host keys, the SMTP commands that can be run, the SSL version and the cryptography it supports, etc.
Scanning through non-intrusive scripts only
If you are not allowed to use intrusive scripts, you might want to restrict your analysis to non-intrusive ones, which can be done with the following command:
Even non-intrusive scans give us a wealth of results, though not comparable to the previous scenario.
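To check which scripts a given --script selection would run before touching any target, and to flag the ones tagged intrusive that need explicit rules-of-engagement approval, here is an added example (not from the original post or from the Nmap project) that parses entries laid out like Nmap's scripts/script.db and evaluates a --script expression (names, categories, globs, and/or/not, parentheses) against them. The sample entries and their category assignments are constructed for illustration, and -sC is treated as equivalent to --script=default.

```python
import fnmatch
import re

# Constructed sample in the layout of Nmap's scripts/script.db; the category
# assignments are illustrative, the installed script.db is the authority.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "dns-zone-transfer.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
"""

ENTRY_RE = re.compile(r'filename = "([^"]+)\.nse",\s*categories = \{([^}]*)\}')
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
OPS = ("or", "and")  # lowest precedence first, as in --script expressions

def parse_script_db(text):
    """Map script name -> set of categories from script.db-style text."""
    return {m.group(1): set(re.findall(r'"([^"]+)"', m.group(2)))
            for m in ENTRY_RE.finditer(text)}

# Tiny recursive-descent evaluator for a --script expression, applied to one
# script at a time: match(token) says whether a name/category/glob hits it.
def _expr(tokens, pos, match, level=0):
    if level == len(OPS):
        return _atom(tokens, pos, match)
    value, pos = _expr(tokens, pos, match, level + 1)
    while pos < len(tokens) and tokens[pos] == OPS[level]:
        rhs, pos = _expr(tokens, pos + 1, match, level + 1)
        value = (value or rhs) if OPS[level] == "or" else (value and rhs)
    return value, pos

def _atom(tokens, pos, match):
    if tokens[pos] == "not":
        value, pos = _atom(tokens, pos + 1, match)
        return (not value), pos
    if tokens[pos] == "(":
        value, pos = _expr(tokens, pos + 1, match)
        return value, pos + 1  # consume the closing ')'
    return match(tokens[pos]), pos + 1

def selected_scripts(db, expression):
    """Scripts `--script <expression>` would run; -sC is the same as 'default'."""
    tokens = TOKEN_RE.findall(expression)
    return {name for name, cats in db.items()
            if _expr(tokens, 0, lambda t: t in cats or fnmatch.fnmatchcase(name, t))[0]}

def intrusive_in(db, expression):
    """Selected scripts tagged 'intrusive': these need rules-of-engagement approval."""
    return {n for n in selected_scripts(db, expression) if "intrusive" in db[n]}
```

Running it against the real script.db of your installation shows exactly what "default and not intrusive" would leave in the scan.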
Wrap-up
NSE expands Nmap's capabilities well beyond simple port scanning, making it a very useful tool for vulnerability assessment and advanced reconnaissance.
A good pentester needs to know it thoroughly, but some programming knowledge might be required.
I barely scratched the surface of its potential here, partly due to time constraints, so I encourage you to visit the official webpage for a more thorough analysis.