Linux for Network Engineers: NMAP Scripts

August 21, 2019 | Linux

I have talked about nmap in past blog posts; for example here and here. Despite having written about nmap before, I am writing about it once more because it is such a valuable, versatile, and powerful tool for every network engineer.

In the previous post I covered some basic commands and options. Although you can do a great deal with just those, nmap's most powerful feature is the Nmap Scripting Engine (NSE). If you want to dig deeper, you can follow the documentation and learn the nuts and bolts of scripting.

In this post, I'd like to show you what the NSE low-hanging fruit is and how to use it, following the examples below.

Obviously you can write your own scripts, but with each new release the nmap team also packages some of the most useful and popular scripts that developers submit. A complete list of those scripts can be found at https://nmap.org/nsedoc/. If your nmap version is missing some of them, you might need to install the latest version by following these instructions. As of version 7.80, there are 598 prepackaged scripts! They cover use cases in network discovery, vulnerability detection and exploitation, as well as backdoor detection.

ASN Query

As a first simple example, here is how to map an IP address to an Autonomous System (AS) number.

netbeez@172.31.0.121 :~:$ nmap --script asn-query 8.8.8.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-19 19:57 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https

Host script results:
| asn-query:
| BGP: 8.8.8.0/24 | Country: US
|   Origin AS: 15169 - GOOGLE - Google LLC, US
|_    Peer AS: 2381 6453

Nmap done: 1 IP address (1 host up) scanned in 23.56 seconds

DHCP Discover

This script lets you query and test a DHCP server with different DHCP request types.

By default, the dhcp-discover script sends a DHCPINFORM request and reports the information the DHCP server returns:

netbeez@172.31.0.121 :~:$  sudo nmap -sU -p 67 --script=dhcp-discover 172.31.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:10 EDT
Nmap scan report for 172.31.0.1
Host is up (0.00021s latency).

PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 172.31.0.1
|   Subnet Mask: 255.255.255.0
|   Router: 172.31.0.1
|   Domain Name Server: 8.8.8.8
|   Domain Name: local.netbeez.net
|_  Broadcast Address: 172.31.0.255
MAC Address: 00:01:C0:15:A3:32 (CompuLab)

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

If you want to test whether the DHCP server will actually issue an IP address, you can pass the script an argument that makes it send a DHCPREQUEST instead:

netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 67 --script=dhcp-discover --script-args dhcptype=DHCPREQUEST 172.31.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:18 EDT
Nmap scan report for 172.31.0.1
Host is up (0.00020s latency).

PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   IP Offered: 172.31.0.121
|   DHCP Message Type: DHCPACK
|   Server Identifier: 172.31.0.1
|   IP Address Lease Time: 5m00s
|   Subnet Mask: 255.255.255.0
|   Router: 172.31.0.1
|   Domain Name Server: 8.8.8.8
|   Domain Name: local.netbeez.net
|   Broadcast Address: 172.31.0.255
|   Renewal Time Value: 2m30s
|_  Rebinding Time Value: 4m22s
MAC Address: 00:01:C0:15:A3:32 (CompuLab)

Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds
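To make that output actionable, here is an added Python example (not code from the post) that parses the NSE script blocks out of nmap's normal text output and compares the dhcp-discover fields against the values your legitimate DHCP server should be handing out; an unexpected Router or Domain Name Server value is exactly how a misconfigured or rogue DHCP server shows up. The parser is general enough for the other blocks on this page (asn-query, dns-cache-snoop, path-mtu); the expected values are assumed from the output above and the sample input is the DHCPINFORM output reproduced as a string.

```python
import re

# Constructed input: the default (DHCPINFORM) dhcp-discover output shown in the post.
SAMPLE = """\
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 172.31.0.1
|   Subnet Mask: 255.255.255.0
|   Router: 172.31.0.1
|   Domain Name Server: 8.8.8.8
|   Domain Name: local.netbeez.net
|_  Broadcast Address: 172.31.0.255
MAC Address: 00:01:C0:15:A3:32 (CompuLab)
"""
# Assumed values for the legitimate DHCP server (taken from the post; use your own).
EXPECTED = {"Server Identifier": "172.31.0.1", "Router": "172.31.0.1",
            "Domain Name Server": "8.8.8.8", "Domain Name": "local.netbeez.net"}
HEADER = re.compile(r"^ ?([\w.-]+):\s*(.*)$")   # '| <script-id>: [first line]'


def parse_script_output(text: str) -> dict[str, list[str]]:
    """Map each NSE script id to its output lines ('| id:' opens, '|_' closes)."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            current = None                      # not inside a script block
            continue
        body = line[1:]
        last = body.startswith("_")
        body = body[1:] if last else body
        if current is None:                     # header line of a new block
            m = HEADER.match(body)
            if not m:
                continue
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        else:                                   # nested key/value or list line
            scripts[current].append(body.strip())
        if last:
            current = None
    return scripts


def check_dhcp(text: str, expected: dict[str, str]) -> dict[str, tuple]:
    """Return {field: (seen, expected)} for every dhcp-discover field that deviates.
    An empty dict means the answering server matches the legitimate one."""
    entries = parse_script_output(text).get("dhcp-discover", [])
    seen = {k.strip(): v.strip() for k, v in (e.split(":", 1) for e in entries if ":" in e)}
    return {k: (seen.get(k), v) for k, v in expected.items() if seen.get(k) != v}
```

Run nmap with the options shown above, feed its output to check_dhcp, and alert on any non-empty result.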

DNS Cache Snoop

With this script, you can check which domain names a DNS server has cached. By default it tests the 50 most popular sites (once with www and once without, hence the 100 tested domains below) and reports which ones are cached. Here is an example:

netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 53 --script dns-cache-snoop.nse 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:30 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.012s latency).

PORT   STATE SERVICE
53/udp open  domain
| dns-cache-snoop: 43 of 100 tested domains are cached.
| google.com
| www.google.com
| www.youtube.com
| yahoo.com
| www.yahoo.com
| baidu.com
| www.baidu.com
| amazon.com
...
| amazon.co.jp
| imdb.com
| apple.com
|_www.conduit.com

Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds

You can also test whether specific sites are cached or not. Below I found out that Google's 8.8.8.8 doesn't cache netbeez.net while Cloudflare's 1.1.1.1 does cache it.

netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={netbeez.net}' 1.1.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:49 EDT
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.014s latency).

PORT   STATE SERVICE
53/udp open  domain
| dns-cache-snoop: 1 of 1 tested domains are cached.
|_netbeez.net

Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds
netbeez@172.31.0.121 :~:$ sudo nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={netbeez.net}' 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-20 14:49 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.012s latency).

PORT   STATE SERVICE
53/udp open  domain
|_dns-cache-snoop: 0 of 1 tested domains are cached.

Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds

Path MTU

The path-mtu script performs a simple path MTU discovery test. I am sure every single one of you has had to troubleshoot an MTU misconfiguration issue in the past. This NSE script might have helped you:

netbeez@172.31.0.121 :~:$ sudo nmap --script path-mtu 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-19 20:54 EDT
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
443/tcp open  https

Host script results:
|_path-mtu: PMTU == 1500

Nmap done: 1 IP address (1 host up) scanned in 11.15 seconds

As I mentioned already, there are 598 NSE scripts. If you just skim through the list here, I am sure you will find a few that you can use, or that you wish you had known about when you were troubleshooting that DNS, DHCP, or MTU issue some time ago.