I have talked about nmap in past blog posts; for example here and here. Despite having written about nmap before, I am writing about it once more because it is such a valuable, versatile, and powerful tool for every network engineer.
In the previous post I talked about some basic commands and options. And, although you can do a great deal with just that, the most powerful feature is the Nmap Scripting Engine (NSE). If you want to dig deeper, you can follow the documentation and learn the nuts and bolts of scripting.
In this post, I’d like to show you the NSE’s low-hanging fruit and how to use it, following the examples below.
Obviously you can write your own scripts, but with each new release the nmap team also packages some of the most useful and popular scripts that developers submit. A complete list of those scripts can be found at https://nmap.org/nsedoc/. If your nmap version is missing some of these scripts, you might need to install the latest version by following these instructions. As of version 7.80, there are 598 prepackaged scripts! They cover use cases in network discovery, vulnerability detection and exploitation, as well as backdoor detection.
ASN Query
As a first simple example, here is how to map an IP address to an Autonomous System (AS) number.
netbeez@172.31.0.121 :~:$ nmap --script asn-query 8.8.8.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-19 19:57 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https

Host script results:
| asn-query:
| BGP: 8.8.8.0/24 | Country: US
|   Origin AS: 15169 - GOOGLE - Google LLC, US
|_    Peer AS: 2381 6453

Nmap done: 1 IP address (1 host up) scanned in 23.56 seconds
DHCP Discover
This script allows you to query and test a DHCP server with different DHCP requests.
By default, the dhcp-discover script sends a DHCPINFORM request and retrieves the following information from the DHCP server:
netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 67 --script=dhcp-discover 172.31.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:10 EDT
Nmap scan report for 172.31.0.1
Host is up (0.00021s latency).

PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 172.31.0.1
|   Subnet Mask: 255.255.255.0
|   Router: 172.31.0.1
|   Domain Name Server: 8.8.8.8
|   Domain Name: local.netbeez.net
|_  Broadcast Address: 172.31.0.255
MAC Address: 00:01:C0:15:A3:32 (CompuLab)

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
If you want to test whether the DHCP server will actually issue an IP address, you can pass the script an argument that makes it send a DHCPREQUEST instead:
netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 67 --script=dhcp-discover --script-args dhcptype=DHCPREQUEST 172.31.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:18 EDT
Nmap scan report for 172.31.0.1
Host is up (0.00020s latency).

PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   IP Offered: 172.31.0.121
|   DHCP Message Type: DHCPACK
|   Server Identifier: 172.31.0.1
|   IP Address Lease Time: 5m00s
|   Subnet Mask: 255.255.255.0
|   Router: 172.31.0.1
|   Domain Name Server: 8.8.8.8
|   Domain Name: local.netbeez.net
|   Broadcast Address: 172.31.0.255
|   Renewal Time Value: 2m30s
|_  Rebinding Time Value: 4m22s
MAC Address: 00:01:C0:15:A3:32 (CompuLab)

Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds
DNS Cache Snoop
With this script, you can check which domain names a DNS server has cached. By default it checks the 50 most popular sites (once with www and once without) and reports which ones are cached. Here is an example:
netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 53 --script dns-cache-snoop.nse 8.8.8.8

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:30 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.012s latency).

PORT   STATE SERVICE
53/udp open  domain
| dns-cache-snoop: 43 of 100 tested domains are cached.
| google.com
| www.google.com
| www.youtube.com
| yahoo.com
| www.yahoo.com
| baidu.com
| www.baidu.com
| amazon.com
...
| amazon.co.jp
| imdb.com
| apple.com
|_www.conduit.com

Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds
You can also test whether specific sites are cached or not. Below I found that Google’s 8.8.8.8 doesn’t cache netbeez.net, while Cloudflare’s 1.1.1.1 does.
netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={netbeez.net}' 1.1.1.1

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:49 EDT
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.014s latency).

PORT   STATE SERVICE
53/udp open  domain
| dns-cache-snoop: 1 of 1 tested domains are cached.
|_netbeez.net

Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={netbeez.net}' 8.8.8.8

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:49 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.012s latency).

PORT   STATE SERVICE
53/udp open  domain
|_dns-cache-snoop: 0 of 1 tested domains are cached.

Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds
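As an added example (not code from the post), here is a small Python helper that parses the "| script-name:" blocks of nmap's normal output and turns the two sections above into repeatable checks: it compares a dhcp-discover answer against the DHCP settings you expect on that segment, so a second server or an unexpected resolver shows up as a mismatch, and it lists what dns-cache-snoop reported as cached. The EXPECTED values and the second DHCP sample are assumptions; the other sample text is reproduced from the runs shown above.

```python
"""Parse the '| script-name:' blocks in nmap's normal output and check a dhcp-discover
answer against expected values. Added example, not from the post; EXPECTED is assumed."""
# dhcp-discover block reproduced from the post's DHCPINFORM run above.
DHCP_OK = """| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 172.31.0.1
|   Subnet Mask: 255.255.255.0
|   Router: 172.31.0.1
|   Domain Name Server: 8.8.8.8
|   Domain Name: local.netbeez.net
|_  Broadcast Address: 172.31.0.255
MAC Address: 00:01:C0:15:A3:32 (CompuLab)"""
# Constructed variant: a different server answers and hands out its own resolver.
DHCP_ODD = DHCP_OK.replace("Identifier: 172.31.0.1", "Identifier: 172.31.0.99") \
                  .replace("Server: 8.8.8.8", "Server: 203.0.113.5")
# dns-cache-snoop block reproduced from the post's run against 1.1.1.1.
DNS_SNOOP = "| dns-cache-snoop: 1 of 1 tested domains are cached.\n|_netbeez.net"
# Assumed authorised DHCP settings for this LAN (not from the post).
EXPECTED = {"Server Identifier": "172.31.0.1", "Router": "172.31.0.1",
            "Domain Name Server": "8.8.8.8"}

def parse_script_blocks(output):
    """Return {script: {'summary': str, 'lines': [...]}}. A block starts at the first '|'
    line after a non-'|' line and ends at a '|_' line."""
    blocks, current = {}, None
    for line in output.splitlines():
        if not line.startswith("|"):
            current = None          # any non-script line closes the current block
            continue
        text = (line[2:] if line.startswith("|_") else line[1:]).strip()
        if current is None:
            current, _, summary = text.partition(":")
            blocks[current] = {"summary": summary.strip(), "lines": []}
        else:
            blocks[current]["lines"].append(text)
        if line.startswith("|_"):
            current = None          # '|_' marks the last line of a block
    return blocks

def dhcp_mismatches(output, expected=EXPECTED):
    """List (option, seen, expected) triples where the DHCP answer differs from policy."""
    block = parse_script_blocks(output).get("dhcp-discover", {"lines": []})
    pairs = (entry.partition(":") for entry in block["lines"])
    seen = {key.strip(): value.strip() for key, sep, value in pairs if sep}
    return [(k, seen.get(k), v) for k, v in expected.items() if seen.get(k) != v]

def cached_domains(output):
    """Domains a resolver reported as cached by dns-cache-snoop."""
    return parse_script_blocks(output).get("dns-cache-snoop", {"lines": []})["lines"]
```

Feed it the saved output of a scheduled nmap run (for example from cron) and alert on a non-empty mismatch list.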
Path MTU
The path-mtu script performs a simple path MTU discovery test. I am sure every single one of you has had to troubleshoot an MTU misconfiguration in the past. This NSE script might have helped you:
netbeez@172.31.0.121 :~:$ sudo nmap --script path-mtu 8.8.8.8

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-19 20:54 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https

Host script results:
|_path-mtu: PMTU == 1500

Nmap done: 1 IP address (1 host up) scanned in 11.15 seconds
As I mentioned already, there are 598 NSE scripts. If you just skim through them here, I am sure you will find a few that you can use, or that you wish you had known about when you were troubleshooting that DNS, DHCP, or MTU issue some time ago.