The Nmap Scripting Engine (NSE) is one of Nmap's most powerful features. It allows penetration testers and security researchers to write, automate, and run customized scans against a target system or network. Depending on the script category, NSE scans can be aggressive: some scripts can cause data loss or even crash the target system, so choose scripts and categories deliberately.
NSE script categories:
auth: scripts that deal with authentication credentials on the target, for example detecting anonymous access or other ways to bypass authentication.
broadcast: scripts that discover hosts on the local network by broadcasting, rather than by probing the listed targets.
brute: scripts that perform brute-force password guessing against remote services to gain unauthorized access.
default: the set of scripts Nmap runs by default when you pass -sC or -A.
discovery: scripts used for active information gathering about network services on a target.
dos: scripts that may cause a Denial of Service (DoS) on a target while checking whether it is susceptible to such attacks.
exploit: scripts that actively exploit security vulnerabilities on a target.
external: scripts that send data gathered from a target to an external (third-party) resource for further processing.
fuzzer: scripts that send unexpected or random data to an application to discover software bugs and vulnerabilities.
intrusive: high-risk scripts that can crash systems or cause data loss.
malware: scripts that determine whether a target is infected with malware or backdoors.
safe: scripts that are not intrusive and are considered safe to use on a target system.
version: scripts that extend version detection to gather version information about services on a target.
vuln: scripts that check for specific known vulnerabilities on a target.
A script can belong to several categories at once; ftp-vsftpd-backdoor, used below, is tagged exploit, intrusive, malware and vuln, so it runs whenever any of those categories is selected.
Performing a scan using NSE:
nmap --script ftp-vsftpd-backdoor 172.30.1.134 -p 21
The --script option lets you specify a single script, a comma-separated list of scripts, or a category of scripts. The scan output showed that the target machine is exploitable (the script reports the vsftpd 2.3.4 backdoor as VULNERABLE):
2. I searched for the version name and its exploit, and we got one:
3. Additionally, Kali Linux ships a tool called searchsploit that lets you query the offline copy of Exploit-DB installed on Kali Linux.
4. Open msfconsole and search for vsftpd 2.3.4.
5. Select that exploit with the command use 0, then run show info.
6. To run an entire category of scripts in NSE, pass --script <category-name>:
nmap --script vuln 172.30.1.134
Nmap will print a large amount of output, since every script in the category runs against every matching open port.
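The steps above (run the scan, read the version and vulnerability state out of the output, then hand the product and version to searchsploit or msfconsole) are easy to automate once you ask Nmap for XML with -oX instead of reading the wall of text. The following is an added example written for this write-up; it is not code from Nmap, searchsploit or Metasploit. SAMPLE_XML is a hand-constructed stand-in in the shape of Nmap's XML schema, not output from a real scan: ftp-vsftpd-backdoor is the script used above, while the http-slowloris-check and http-server-header results, the port 80 service and its version are made up for illustration. The function names (nmap_command, parse_findings, vulnerable, searchsploit_command) and the constant REPORTABLE_STATES are my own.

```python
"""Triage NSE results from Nmap XML output (added example, not Nmap code)."""
import xml.etree.ElementTree as ET

# Hand-constructed sample in the shape of `nmap --script vuln -oX -` output.
# The port 80 service, its version and its script results are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap --script vuln -oX - 172.30.1.134">
<host>
<address addr="172.30.1.134" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21">
<state state="open"/>
<service name="ftp" product="vsftpd" version="2.3.4"/>
<script id="ftp-vsftpd-backdoor" output="VULNERABLE: vsFTPd version 2.3.4 backdoor">
<table key="vsftpd-backdoor">
<elem key="title">vsFTPd version 2.3.4 backdoor</elem>
<elem key="state">VULNERABLE (Exploitable)</elem>
</table>
</script>
</port>
<port protocol="tcp" portid="80">
<state state="open"/>
<service name="http" product="Apache httpd" version="2.2.8"/>
<script id="http-slowloris-check" output="NOT VULNERABLE">
<table key="slowloris">
<elem key="title">Slowloris DOS attack</elem>
<elem key="state">NOT VULNERABLE</elem>
</table>
</script>
<script id="http-server-header" output="Apache/2.2.8"/>
</port>
</ports>
</host>
</nmaprun>
"""

# States from the vulns NSE library worth a human's attention. startswith with
# a tuple also matches "VULNERABLE (Exploitable)" and "VULNERABLE (DoS)"; it
# does not match "NOT VULNERABLE" or "UNKNOWN (unable to test)".
REPORTABLE_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def nmap_command(target, scripts="vuln and not dos", ports=None):
    """argv for a category scan, ready for subprocess.run. --script accepts
    boolean expressions, so "vuln and not dos" runs the vuln category minus
    any script also tagged dos, which would try to knock the service over."""
    argv = ["nmap", "--script", scripts, "-oX", "-"]
    if ports:
        argv += ["-p", ports]
    argv.append(target)
    return argv


def parse_findings(xml_text):
    """One dict per structured script result (any <table> carrying a 'state'
    elem). Scripts that only emit plain text, like http-server-header, have
    no such table and are skipped."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            for script in port.findall("script"):
                for table in script.iter("table"):
                    state_el = table.find("elem[@key='state']")
                    if state_el is None:
                        continue  # nested tables such as ids or refs
                    title_el = table.find("elem[@key='title']")
                    findings.append({
                        "host": addr,
                        "port": int(port.get("portid")),
                        "product": product,
                        "version": version,
                        "service": " ".join(p for p in (product, version) if p),
                        "script": script.get("id"),
                        "title": title_el.text if title_el is not None else "",
                        "state": (state_el.text or "").strip(),
                    })
    return findings


def vulnerable(findings):
    """Keep only the findings a pentester would follow up on."""
    return [f for f in findings if f["state"].startswith(REPORTABLE_STATES)]


def searchsploit_command(finding):
    """argv for the Exploit-DB lookup step: product words plus version."""
    return ["searchsploit"] + finding["product"].split() + [finding["version"]]


if __name__ == "__main__":
    print("would run:", " ".join(nmap_command("172.30.1.134", ports="21")))
    for f in vulnerable(parse_findings(SAMPLE_XML)):
        print(f"{f['host']}:{f['port']} {f['service']} {f['script']} -> {f['state']}")
        print("  next:", " ".join(searchsploit_command(f)))
```

To use it against a live target, pass the argv from nmap_command to subprocess.run with capture_output=True and feed the captured stdout to parse_findings. Excluding dos in the default expression is deliberate: the page's own warning is that category scans can crash a target, and "vuln and not dos" keeps the vulnerability checks while dropping the scripts whose test is the outage itself.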
