脚本参数

SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
       script-categories.
-sC 是指的是采用默认配置扫描,与--script=default参数等价
具体调用的函数列表包括
default NSE Category(https://nmap.org/nsedoc/categories/default.html)

--script=脚本名称,脚本一般都在Nmap的安装目录下的scripts目录中

那么Linux下可以查看脚本数量:

ls /usr/share/nmap/scripts/ | sed 's/.nse//' > scripts.list

f8b1569e07c11be6403938.jpg

nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s <target>

运营商内网漏洞举例

(以下行为为原作者进行)
下面我们来实战一下,今日刚发现的运营商漏洞,就出在 Telnet 上。
我家上网是没有分配公网IP的,就是路由那里是一个内网,于是我先用nmap探测了一下这个内网,发现有某些网络设备。

nmap -sT -Pn -F 10.14.16.0/24

在结果中发现了一台主机的信息:

Nmap scan report for bogon (10.14.16.106)
Host is up (0.021s latency).
Not shown: 95 filtered ports
PORT      STATE SERVICE
23/tcp    open  telnet
53/tcp    open  domain
1723/tcp  open  pptp
8081/tcp  open  blackice-icecap
49152/tcp open  unknown

作为一个搞Web安全的,首先去看的是8081,但是未果。于是准备从Telnet碰碰运气,会不会运营商也用弱口令?
我把字典放到了 /usr/share/nmap/nselib/data,因为这个目录中是专门存放Nmap默认字典的。

其他常用脚本

http-ls 目录扫描
http-brute HTTP认证爆破
Nmap目录扫描
nmap --script=http-ls vault.centos.org

扫描结果

root@ThundeRobot:/usr/share/nmap/nselib/data# nmap --script=http-ls vault.centos.org
Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-28 04:01 CST
Nmap scan report for vault.centos.org (109.72.83.61)
Host is up (0.38s latency).
Other addresses for vault.centos.org (not scanned): 2607:ff28:0:28:5054:ff:fe4b:3e8a
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
| http-ls: Volume /
|   maxfiles limit reached (10)
| SIZE  TIME               FILENAME
| -     19-Aug-2009 01:36  2.1/
| 1.2M  19-Aug-2009 01:36  2.1/centos2-scripts-v1.tar
| -     07-Sep-2004 13:04  2.1/extras/
| -     13-May-2004 03:26  2.1/final/
| -     15-Apr-2004 05:11  2.1/i386/
| -     08-Jan-2004 00:50  2.1/source/
| -     30-Dec-2003 06:18  2.1/updates/
| -     31-Jul-2005 16:05  3.1/
| -     20-Apr-2012 10:14  3.1/SRPMS/
| -     15-Sep-2004 14:17  3.1/addons/
|_
873/tcp open  rsync
Nmap done: 1 IP address (1 host up) scanned in 58.35 seconds
root@ThundeRobot:/usr/share/nmap/nselib/data#

Nmap HTTP认证爆破

nmap --script=http-brute dvwa.vuln.leafsec.com

MS-08067/MS17-010

nmap --script smb-vuln-ms08-067.nse -p445 10.203.9.131 [--system-dns]
nmap -sU --script smb-vuln-ms08-067.nse -p U:137 10.203.9.131 [--system-dns]

批量扫描

nmap --script smb-vuln* 10.203.9.131/16 # 耗时约五小时
Last modification:May 9th, 2019 at 09:55 am
正在沿街乞讨中……