Tips for an Information Security Analyst/Pentester career - Ep. 28: NSE (pt.2)
In a previous post, I analyzed the Nmap Scripting Engine (NSE) from a very general and brief point of view.
NSE allows you to perform vulnerability scanning, extending the functionality of the tool well beyond the simple port scanning most people know it for.
Nmap scripts are stored in the /usr/share/nmap/scripts directory and are written in the Lua programming language (an example of the syntax of this language is shown in the embedded video with reference to a specific script).
If you learn the specific language, you can also add your own customized scripts to the directory.
Before running any of them, it's good practice to learn more about them by using the command nmap --script-help <name of the script>.
In fact, as I previously mentioned, not all such scripts can be run at all times.
Some of them are very intrusive: they launch a brute-force attack, can cause a denial of service, or may otherwise take down the target system, which you don't normally want in a pentest.
Overview and prep stages
For the purposes of this tutorial, I chose a non-intrusive script called unusual-port.
What it does is compare the port a service would normally be expected to run on with the port where it was actually detected.
In other terms, it defeats the so-called security through obscurity, which is achieved by re-configuring a service that would normally run on a well known port (e.g. SSH on port 22 TCP) to a nonstandard dynamic port (e.g. port 40,000 TCP).
The most important information retrieved from this command, though, is the one indicated under Categories.
As you can see, in fact, this script is reported to be safe, so we can run it with confidence, as it wouldn't cause any denial of service.
Other scripts are instead reported to be intrusive, so you don't normally want to run those in a production environment.
An example of an intrusive script is shown below.
Vulnerability scanning
After running the script (which also requires service version detection (-sV) in order to work), we can find some important indications that would very likely have been missed by a normal Nmap scan.
In fact, we found several services configured on a nonstandard port, the most important of which is FTP, set up on port 2121.
With a normal scan, we would very likely have missed this information and wouldn't know an FTP server was running on that specific machine.
Even though configuring an FTP server on a nonstandard port is more secure than setting it up on the well-known port 21, it could also be that this specific server wasn't authorized or supposed to be there at all.
Sometimes people implement all sorts of personal servers on corporate networks without any authorization whatsoever, which can open up severe security vulnerabilities the IT security department may not even be aware of (if such department actually exists in the specific organization we're talking about).
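To make the comparison the unusual-port script performs concrete, and to show how the FTP-on-2121 finding above can be turned into an inventory check a defender can repeat, here is an added example in Python. It is not the NSE script and not code from the Nmap project: it re-implements the core idea (fingerprinted service versus the port it was found on) over Nmap's XML output (nmap -sV -oX). The EXPECTED_PORTS table is a small constructed subset standing in for Nmap's nmap-services data, and SAMPLE_XML is a constructed scan result, not a real one.

```python
"""Flag services found on ports where they would not normally be expected.

Added example: a standalone Python re-implementation of the core comparison
performed by Nmap's unusual-port NSE script, run over Nmap -oX (XML) output.
It is not the NSE script itself and does not read Nmap's nmap-services file;
EXPECTED_PORTS below is a small constructed subset for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed subset of well-known service-to-port assignments (assumption:
# a real deployment would load this from Nmap's nmap-services file).
EXPECTED_PORTS = {
    "ssh": {("tcp", 22)},
    "ftp": {("tcp", 21)},
    "http": {("tcp", 80), ("tcp", 8000), ("tcp", 8080)},
    "https": {("tcp", 443), ("tcp", 8443)},
    "smtp": {("tcp", 25), ("tcp", 587)},
    "domain": {("tcp", 53), ("udp", 53)},
}

# Constructed sample of `nmap -sV -oX -` output; not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.5">
<host>
<status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" method="probed" conf="10"/></port>
<port protocol="tcp" portid="2121"><state state="open"/><service name="ftp" method="probed" conf="10"/></port>
<port protocol="tcp" portid="40000"><state state="open"/><service name="ssh" method="probed" conf="10"/></port>
<port protocol="tcp" portid="9999"><state state="open"/><service name="abyss" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def find_unusual_ports(xml_text, expected=EXPECTED_PORTS):
    """Return (host, port, proto, service, usual_ports) for every open port whose
    fingerprinted service is known to the table but does not normally run there.

    Only services identified by version probing (method="probed") count: a name
    that comes solely from the port-number lookup (method="table") is by
    definition "expected" and carries no independent evidence.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or svc is None or state.get("state") != "open":
                continue
            if svc.get("method") != "probed":
                continue
            name = svc.get("name")
            proto = port.get("protocol")
            num = int(port.get("portid"))
            usual = expected.get(name)
            if usual is None:
                continue  # unknown service: nothing to compare against
            if (proto, num) not in usual:
                usual_here = sorted(p for pr, p in usual if pr == proto)
                findings.append((addr, num, proto, name, usual_here))
    return findings


def format_report(findings):
    """Render findings as one line per unexpected service placement."""
    return "\n".join(
        f"{addr} {num}/{proto}: {name} normally runs on {', '.join(map(str, usual))}"
        for addr, num, proto, name, usual in findings
    )


if __name__ == "__main__":
    # Against a real scan: nmap -sV -oX scan.xml <host>, then pass the file's text.
    print(format_report(find_unusual_ports(SAMPLE_XML)))
```

On the constructed sample this reports ftp on 2121/tcp (normally 21) and ssh on 40000/tcp (normally 22), while the service on 9999 is skipped because its name came only from the port table, not from a version probe. Diffing this report against an authorized-services list is the straightforward way to catch the kind of unsanctioned server the paragraph above describes.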
I hope this brief overview might give you a much better idea of the potential and the power of NSE and about how it extends the functionalities of the tool way beyond what can be done with a normal scan.