The Nmap Scripting Engine (NSE) runs custom scripts written by users to automate network-level actions. Nmap scripts normally end with a .nse extension. These scripts are used to perform the following tasks:
- Host and port discovery: Nmap's core purpose, and the reason it is so widely used, is to check whether a remote host is live and to report the current state of its ports.
- Version detection: Nmap ships a database of application and service signatures that it matches against the responses received from open ports to identify the service running on each port and, often, its specific version as well.
- Affected vulnerabilities: The Nmap Scripting Engine lets users determine whether a particular port or service is vulnerable to a specific disclosed vulnerability. This relies on a user-written script that queries the running service and sends custom packets based on its response to decide whether the port or service is actually vulnerable.

Nmap scripts are written in the Lua programming language, and we will look at a little of its syntax in this recipe in order to write a custom script. All Nmap scripts fall into the following categories:
- auth: This category of script deals with any authentication-related check, for example, default username and password logins, and anonymous and null logins.
- broadcast: Scripts in this category dynamically add newly discovered hosts to the set that Nmap will scan, allowing the user to perform full network discovery and scanning at the same time.
- brute: Scripts in this category perform brute-force attacks to guess passwords for services such as HTTP, databases, FTP, and so on.
- default: Scripts in this category run with every scan in which no specific scripts are named on the command line.
- discovery: Scripts in this category gather further information about network services and the resources they share within the network.
- dos: This is one of the least welcome categories of Nmap script. These scripts test for vulnerabilities that cause a Denial of Service (DoS) by crashing the service.
- exploit: These scripts are used to exploit specific vulnerabilities.
- external: This category of script uses external resources to perform the given task. For example, for any DNS-related scripts, Nmap will have to query the local DNS servers.
- fuzzer: Scripts in this category send randomly generated payloads to a specific service. The service's response to these payloads can be used to determine whether it is vulnerable.
- intrusive: Scripts in this category directly exploit the vulnerability. They should be run only in a later phase, after reconnaissance is complete.
- malware: This category of script allows the user to identify if the remote host is affected by any malware or has any backdoor open.
- safe: This category of script is used to grab data which is available to everyone in the network such as banners, keys, and so on.
- version: This category of script is used to identify and determine the versions of the services running on the remote host.
- vuln: This category of script is used to verify specific vulnerabilities.
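To show how the categories above map onto what a script actually declares, here is a minimal NSE script written as an added example for this recipe (it is not code from the book or from the Nmap project). It is a read-only banner grab, so it declares itself as safe and discovery; the script name banner-line.nse, the port list, and the 5-second timeout are assumptions chosen for the example.

```lua
-- banner-line.nse (added example, not part of Nmap's script collection)
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Connects to a TCP port, reads the first line the service sends, and reports
it. Read-only: it never sends data to the target, so it belongs in "safe".
]]

author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Category membership is what "--script safe" or "--script discovery"
-- selects on; a script can be in several categories at once.
categories = {"safe", "discovery"}

-- portrule decides, per open port, whether action() runs. This example
-- targets ports (or service names) that typically greet with a banner.
portrule = shortport.port_or_service({21, 22, 25, 110}, {"ftp", "ssh", "smtp", "pop3"})

-- action() does the work; whatever it returns is printed under the port.
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000) -- assumed 5 s timeout; tune for slow networks

  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil -- nil output means "nothing to report" for this port
  end

  -- Read exactly one line; status is false on timeout or EOF.
  local ok, banner = socket:receive_lines(1)
  socket:close()
  if not ok then
    stdnse.debug1("no banner from %s:%d: %s", host.ip, port.number, banner)
    return nil
  end

  -- Strip the trailing CRLF so the output stays on one line.
  banner = banner:gsub("[\r\n]+$", "")
  return ("banner: %s"):format(banner)
end
```

Run it directly with nmap --script ./banner-line.nse -p 22 <host>. Once the file is copied into Nmap's scripts directory and nmap --script-updatedb has been run, the categories it declares make it selectable by name, with nmap --script safe or nmap --script discovery, which is exactly how the category list above is used in practice.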