Nmap Script Scan
Nmap provides script scanning, which gives nmap very flexible behavior for gathering more information about, and running tests against, the target host. This feature is called the Nmap Scripting Engine (NSE). NSE gives users the ability to write their own test scripts; Lua is the programming language supported by NSE. NSE also ships with some vulnerability detection scripts.
NSE groups scripts into categories to keep things tidy. These are the categories:
auth is used for authentication-related scripts such as x11-access and ftp-anon.
broadcast scripts are used to discover new targets that are not listed in the target parameter.
brute is used for brute-forcing scripts such as http-brute and snmp-brute.
default is the set of common scripts run by a script scan.
discovery scripts determine information about the target, such as html-title and snmp-sysdescr.
dos scripts are used to test for some Denial of Service conditions.
exploit category scripts try to exploit some vulnerabilities.
external scripts get information from third-party databases such as whois.
fuzzer category scripts fuzz some parts of the network packets.
intrusive category scripts are considered not safe because there is a risk of crashing the target.
malware scripts scan the target to check whether it already has malware installed.
safe category scripts have no destructive effect on the target.
version category scripts determine versions, as -sV does.
vuln scripts check for specific known vulnerabilities such as realvnc-auth-bypass.
Now some hands-on action is required to gain experience with NSE.
Enable Script Scan
To use the scripts of the different categories, NSE script scanning should be enabled with -sC. By default this enables the default category scripts for the target.
$ nmap -sC localhost
List Of Available NSE Scripts
Now we want to use a specific script for our scan, but first we should list these scripts and get information about them. Nmap has a web page where all scripts are listed.
To get detailed information we click the mysql-info script as an example.
Here we can see that the mysql-info script is part of the default, discovery and safe categories, and there is a summary of the script and a sample of its usage.
These scripts can be found on the local system in the directory /usr/share/nmap/nselib/
Run Specific Script
By default the default category scripts are fired during an nmap scan, but if we want to run a specific script we can specify the script name or category name as below.
$ nmap -sC --script mysql-info localhost
As we can see, only our specified script is fired.
Run Specific Category Script
We can select all the scripts in a category, the same way as a single script, by providing the category name. Be aware that my system is a test system, so I specify dangerous categories. In this example we run intrusive category scripts.
$ nmap --script "auth" localhost
Exclude Script Category
While specifying script categories we can also name a category to exclude, as below.
$ nmap --script "not intrusive" localhost
Specify Multiple Categories
Multiple categories can be specified as below.
$ nmap --script "default or auth" localhost
Provide Script Arguments
Some scripts need arguments to work. Arguments can be provided as below.
$ nmap -p 3306 localhost --script mysql-audit --script-args "mysql-audit.username='root', \
mysql-audit.password='123456',mysql-audit.filename='nselib/data/mysql-cis.audit'"
Here we provide 3 arguments:
mysql-audit.username provides the username for the database
mysql-audit.password provides the password for the database
mysql-audit.filename is the path of the audit rule file for this script
Provide Script Arguments From File
Script arguments can be provided from the terminal, but we may want to run nmap as a batch process, so how can we provide script arguments from a file? First we create a file that holds the arguments and their values. The file is named nmap-arg and looks like below.
mysql-audit.username='root' , mysql-audit.password='123456' , mysql-audit.filename='nselib/data/mysql-cis.audit'
$ nmap -p 3306 localhost --script mysql-audit --script-args-file ./nmap-arg
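When nmap runs as a batch process, its script results are easiest to consume from the XML output (-oX). The following parser is an added example, not part of the original post: it reads a constructed, abridged sample of nmap -sC -oX output (the hosts, ports and script outputs are made up) and collects every NSE result by host, port and script id, including host-level scripts from the hostscript block, so a batch job can check that only the scripts it selected actually fired.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of "nmap -sC -p 22,3306 -oX - localhost" output.
# Not a real scan: the values are made up to exercise the parser.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -p 22,3306 -oX - localhost" version="7.94">
<host><status state="up"/>
<address addr="127.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
<script id="ssh-hostkey" output="&#10;  256 aa:bb:cc:dd (ED25519)"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/>
<script id="mysql-info" output="&#10;  Protocol: 10&#10;  Version: 8.0.36"/></port>
</ports>
<hostscript><script id="clock-skew" output="mean: 0s, deviation: 0s"/></hostscript>
</host>
</nmaprun>"""


def parse_script_results(xml_text):
    """Map (addr, port, script_id) -> output for every NSE result.
    Port scripts are keyed by port number; host scripts (<hostscript>) use None."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                results[(addr, portid, script.get("id"))] = script.get("output", "").strip()
        hostscript = host.find("hostscript")
        if hostscript is not None:
            for script in hostscript.findall("script"):
                results[(addr, None, script.get("id"))] = script.get("output", "").strip()
    return results


def scripts_fired(results):
    """Sorted list of distinct script ids that produced output."""
    return sorted({script_id for (_, _, script_id) in results})


def unexpected_scripts(results, allowed):
    """Script ids that ran although they are not in the allowed set; in a batch run
    this confirms that only the scripts selected with --script actually fired."""
    return sorted(set(scripts_fired(results)) - set(allowed))
```

Feed it the file written by nmap -oX; the multi-line script output is preserved exactly as nmap stores it in the output attribute.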
Get Script Help
We have seen above how to get information about scripts from the web. But we may not always have access to the web page, or it may not be a practical way for us. Here we get help about an NSE script from the command line.
$ nmap --script-help=mysql-audit
Get Script Category Help
Getting help about a script category works the same way as help for a single script.
$ nmap --script-help=default
Debug Scripts
Sometimes we cannot be sure whether things go as we expected. We can get more verbose output about scripts by tracing them while they run, as below.
$ nmap -sC --script-trace localhost