Linux for Network Engineers: NMAP Scripts

By August 21, 2019Linux

I have talked about nmap in past blog posts; for example here and here. Despite having written about nmap before, I am writing about it once more because it is such a valuable, versatile, and powerful tool for every network engineer.

In the previous post I talked about some basic commands and options. And, although you can do a great deal with just that, the most powerful feature is the Nmap Scripting Engine (NSE). If you want to dig deeper, you can follow the documentation and learn the nuts and bolts of scripting.

In this post, I’d like to show you what the NSE low hanging fruit is and how to use it by following my examples below. 

Obviously you can write your own scripts, but the nmap team packages some of the most useful and popular scripts that developers submit with each new version that they release. A complete list of those scripts can be found here If your nmap version is missing some of these scripts, you might need to install the latest version by following these instructions. As of version 7.80, there are 598 prepackaged scripts! They cover use cases in network discovery, vulnerability detection and exploitation, as well as backdoor detection.

ASN Query

As a first simple example, here is how to map an IP address to an Autonomous System (AS) number.

DHCP Discover

This script allows you to query and test a DHCP server with different DHCP requests. 

By default the dhcp-discover script will send a DHCPINFORM request and it will get information from the DHCP server as follows:

If you want to test if the DHCP server will issue an IP you can give as input argument to the script the option to do a DHCPREQUEST as follows:

DNS Cache Snoop

With this script, you can check which addresses a DNS server has cached. By default it checks the 50 most popular sites (once with www and once without) and confirms which ones are cached. Here is an example:

You can also test whether specific sites are cached on not. Below I found out that Google’s doesn’t cache while CloudFlares does cache it.

Path MTU

The path MTU script performs a simple MTU discovery test. I am sure every single one of you has had to troubleshoot an MTU misconfiguration issue in the past. This NSE script might have helped you:

As I mentioned already, there are 598 NSE scripts. If you just skim through them here, I am sure you will find a few that you can use or you wished you had known about when you were troubleshooting that DNS, or DHCP, or MTU issue some time ago.