DefCon: Mastering the Nmap scripting engine
By Fyodor and David Fifield
In this talk Fyodor and David give an in-depth overview of the Nmap Scripting Engine (NSE). NSE allows users to create and share scripts for all kinds of IP-related tasks, from vulnerability detection to exploitation.
There are a lot of NSE scripts already available for tasks like discovery, authentication tests, denial of service, exploitation and lots of other stuff. All come with Nmap by default; 131 NSE scripts are bundled with Nmap at the moment. Two categories are of special interest, intrusive and safe, and they mean exactly what you would expect: a safe script is not supposed to crash services, eat bandwidth or look like an attack, while an intrusive one may. In 3.5 years the number of available NSE scripts has grown from 20 to over 130.
In the next part of the presentation Fyodor shows an example of a scenario where NSE really enables a big assessment. Fyodor applied the SMB vulnerability scripts submitted by Ron Bowes against Microsoft's public IP space, more than 1,000,000 IP addresses. The first step was a quick scan of those million-plus hosts to find interesting targets; Nmap is currently smart and fast enough to cover that address space in about 26 hours.
In this scan Fyodor found loads of printers and RDP servers openly exposed to the internet, but he was specifically looking for the SMB ports. Using NSE he then ran the SMB scripts against those hosts, looking for SMB vulnerabilities.
Some Microsoft machines share their IPC$, C$ and D$ shares over the internet and in some cases allow full user enumeration.
NSE allows you to develop scripts yourself or adapt some of the scripts provided by insecure.org. NSE scripts are written in Lua, a language whose whole distribution fits comfortably on a floppy disk. "For the young people in the audience, this is a small storage technology." Fyodor shows us the rpcinfo.nse script, which is only 46 lines long and surprisingly readable.
Next up on stage is David, who demonstrates how easy it is to write an NSE script that looks for a webcam located in his home in Denver. The script was not hard to write, and within a couple of minutes the webcam was found. Another script was needed to brute-force the username and password, and then we were able to look out of David's window.
All in all a very interesting talk that shows the huge potential of the Nmap Scripting Engine.
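To give an idea of what a small, readable NSE script like the ones Fyodor and David showed looks like, here is an added example of the same shape as David's webcam finder. It is not the script from the talk and not part of the Nmap distribution: it requests / from every HTTP-looking port and reports the Server header when it contains a caller-supplied substring (default "camera"). The script name http-server-match, the argument name http-server-match.needle and the use of the Nmap 7.x http, shortport and stdnse libraries are assumptions of this example.

```lua
-- http-server-match.nse (added example; not the talk's script, not bundled with Nmap)
-- Reports HTTP services whose Server header contains a given substring.
-- Assumes a current Nmap (7.x) with its bundled http/shortport/stdnse libraries.
-- Usage:
--   nmap -p80,8080 --script ./http-server-match.nse \
--        --script-args http-server-match.needle=camera 192.0.2.0/24

local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"

description = [[
Fetches / from each HTTP service and prints the Server header when it contains
the substring given by the script argument http-server-match.needle
(case-insensitive; default "camera"). Useful for spotting embedded devices
such as webcams on a large scan.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- "safe": one GET per port, nothing a normal client would not do.
categories = {"discovery", "safe"}

-- Run only on ports Nmap identifies as HTTP (80, 8080, ssl/http, ...).
portrule = shortport.http

-- Case-insensitive plain-substring check (the 4th arg to string.find disables
-- Lua pattern interpretation, so the needle is never treated as a pattern).
local function contains(haystack, needle)
  return string.find(string.lower(haystack), string.lower(needle), 1, true) ~= nil
end

action = function(host, port)
  -- SCRIPT_NAME is set by NSE; the argument name is an assumption of this example.
  local needle = stdnse.get_script_args(SCRIPT_NAME .. ".needle") or "camera"

  local response = http.get(host, port, "/")
  if not response or not response.header then
    return nil -- no HTTP reply: stay silent, as the bundled scripts do
  end

  -- The http library lowercases header names.
  local server = response.header["server"]
  if server and contains(server, needle) then
    -- Returning a string makes Nmap print it under the port in normal output.
    return string.format("Server header %q contains %q", server, needle)
  end
  return nil
end
```

The four pieces every NSE script has are visible here: metadata (description, categories), a rule deciding when the script runs (portrule), the action itself, and libraries doing the protocol work. Because the script is tagged safe, it is selected by `--script safe` but not by `--script intrusive`, which is exactly the distinction the talk draws between the two categories.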