
Introduction to Nmap Scripting Engine (NSE)

Practice with ssh Scripts

Let’s continue our practice with the Nmap Scripting Engine by probing the SSH server on localhost.
Enumerating an SSH server tells you a lot about the host behind it: the exact software version,
the host keys it presents, and the authentication methods it will accept.

Note: The ssh service is not running on this box so we have faked some terminal interactions
in this specific exercise. This is so you can experience how this script would work when ssh is
running on port 22.

Instructions

1. We know that ssh runs on port 22. Run a scan on port 22 that uses the default
scripts (-sC) and does version detection (-sV). Our target is localhost.

Recall that running a scan on a specific port requires the following format:

nmap -p[port#] [option] [option] [target]

2. Great! Let’s look at the result further.

In the result, you can see that the server is running OpenSSH 6.6.1p1 Ubuntu
2ubuntu2.13 (Ubuntu Linux; protocol 2.0).

This is helpful because a precise product and version string lets you look up known
vulnerabilities for that release. Read the whole string, not just "6.6.1p1": the
Ubuntu package revision (2ubuntu2.13) is what tells you which fixes the distribution
has backported, so a lookup on the upstream version alone will over-report.
Additionally, the result revealed the server’s host keys: type, size and fingerprint
for each key the server offers. Fingerprints let you recognise the same host behind
different addresses (or a cloned image), and the key sizes are a finding in
themselves: a 1024-bit DSA host key is weak by current standards.

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)

Let’s find additional SSH information from the target.

Next, run the ssh-publickey-acceptance script. This script does not make the target
leak anything; it tests keys that you supply. You hand it a list of keys through
--script-args (ssh-publickey-acceptance.privatekeys together with their passphrases,
or ssh-publickey-acceptance.publickeys, plus ssh-publickey-acceptance.username) and
it reports which of them the server accepts for publickey authentication. In this
exercise we run it with no arguments, so it has no keys to test. This scan should
not be limited to a specific port; it should just look at the target localhost.

Stuck? Get a hint

3. Looking at the result, the script reports "No public keys accepted". Because we
supplied no keys, this only means that none of an empty list was accepted; it does
NOT mean the server refuses publickey authentication (the next script shows that it
is enabled).

PORT STATE SERVICE
22/tcp open ssh
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted

Let’s find out the server’s authentication methods by running the ssh-auth-methods
script. The ssh-auth-methods script reveals the authentication methods the SSH
server offers: it starts an authentication attempt and reads the list of methods
the server says may continue, the same list an SSH client sees after its first
attempt fails. The list can differ per username, so the script probes one user
(configurable through a script argument).

Knowing this information shows that the server accepts password
authentication, which may be subject to brute-force attacks. A server that offered
only publickey would not be exposed to password guessing at all.

Terminal transcripts for the three checkpoints above (faked, as noted at the start of this exercise):

$ nmap -p22 -sC -sV localhost
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.080s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.44 seconds
$

$ nmap --script ssh-publickey-acceptance localhost
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.080s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted
2121/tcp open ccproxy-ftp
4000/tcp open remoteanything
8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 5.07 seconds
$

$ nmap --script ssh-auth-methods localhost
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.080s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
2121/tcp open ccproxy-ftp
4000/tcp open remoteanything
8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 5.85 seconds
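
The three scans above produce text that a person reads once; in practice you want the
findings pulled out automatically. The following POSIX shell helpers are an added example
written for this page (they are not part of the lesson or of Nmap) that parse Nmap’s normal
output for the ssh version, the host keys and the authentication methods, and flag the two
things a reviewer cares about here: weak host keys and password authentication. The SAMPLE_*
strings are constructed from the output shown above; the weak-key policy (any DSA key, or RSA
under 2048 bits) is an assumption chosen for the example.

```sh
#!/bin/sh
# Added example: parse the normal-format output of the SSH scans above
# into findings. Each function reads scan output on stdin, so in practice:
#   nmap -p22 -sC -sV target | ssh_version
#   nmap -p22 --script ssh-auth-methods target | password_auth_enabled
# The SAMPLE_* strings are constructed from the output shown on this page.

SAMPLE_SC_SV='PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)'

SAMPLE_AUTH='PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password'

# Product and version of the first open ssh service, e.g. "OpenSSH 6.6.1p1".
# (Keep the full line for reports: the distro suffix decides patch status.)
ssh_version() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" && $3 == "ssh" { print $4, $5; exit }'
}

# Host keys from ssh-hostkey as "<bits> <TYPE>" lines, e.g. "1024 DSA".
hostkey_algos() {
    awk '$2 ~ /^[0-9]+$/ && $4 ~ /^\([A-Z0-9]+\)$/ { gsub(/[()]/, "", $4); print $2, $4 }'
}

# Host keys to flag. Policy is an assumption for this example:
# any DSA key, or an RSA key shorter than 2048 bits.
weak_hostkeys() {
    hostkey_algos | awk '$2 == "DSA" || ($2 == "RSA" && $1 + 0 < 2048)'
}

# Methods listed under "Supported authentication methods", one per line.
auth_methods() {
    awk '/Supported authentication methods/ { on = 1; next }
         on && ($1 == "|" || $1 == "|_") { print $2; if ($1 == "|_") exit }'
}

# True (exit 0) when the server offers password authentication.
password_auth_enabled() {
    auth_methods | grep -qx password
}

# Demo on the constructed samples.
demo() {
    printf 'version: %s\n' "$(printf '%s\n' "$SAMPLE_SC_SV" | ssh_version)"
    printf 'weak host keys:\n'
    printf '%s\n' "$SAMPLE_SC_SV" | weak_hostkeys
    if printf '%s\n' "$SAMPLE_AUTH" | password_auth_enabled; then
        echo 'password auth enabled: brute-force exposure'
    else
        echo 'password auth disabled'
    fi
}
demo
```

On the sample the demo reports OpenSSH 6.6.1p1, flags the 1024-bit DSA key, and confirms that
password authentication is on. The functions key on field positions in Nmap’s normal output;
for anything beyond a quick check, run Nmap with -oX and parse the XML instead, which is stable
across versions.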

Practicing with http Scripts


Through our practice with the Nmap Scripting Engine, we saw that port 8000 on
localhost is open and labelled http-alt. Note that without -sV that label comes from
Nmap’s port-number table (8000 is conventionally "http-alt"), not from probing the
service. To explore HTTP on port 80, we’ll switch our target to scanme.nmap.org.

Let’s investigate the web server more with HTTP scripts.

Remember: Sites like scanme.nmap.org explicitly give written permission for port scanning!
Don’t just scan random websites.

Instructions

1. Let’s find out the date and time on the target scanme.nmap.org using the
http-date script. The script reads the server’s HTTP Date header and reports how
far it is from your own clock. Because HTTP dates are always expressed in GMT, what
you learn is the server’s clock skew (useful when correlating logs or spotting an
unsynchronised host), not its local timezone. We need to specifically look at the
port that HTTP is on with this script.

Let’s try it out!

2. Port 80 might be open or filtered. If you see that port 80 is filtered, this
script won’t actually run: NSE only runs service scripts against ports Nmap found
open. "Filtered" means Nmap got no reply, or an ICMP error, to its probes; something
on the path (typically a firewall) is dropping them. This doesn’t mean the port is
closed, but it does mean that we can’t currently access it.

PORT STATE SERVICE
80/tcp filtered http

Let’s run our startup script so we can scan port 8000 on localhost and see if we
get a different result.

bash script.sh &

Remember, you will need to press Enter a second time to return to the normal
terminal prompt.

3. Let’s test the http-date script out on port 8000 on localhost to see if we get a
different result.

4. Interesting! Sometimes "no result" can tell you a lot about a service. For this
next script, we’re exploring HTTP on port 80, and we’ll switch our target back to
scanme.nmap.org.

Let’s check the web server for potential Cross-Site Request Forgery (CSRF)
vulnerabilities using the preloaded Nmap script http-csrf. The script spiders the
site and reports HTML forms that carry no recognisable anti-CSRF token, so a hit is
a lead to verify by hand, not a confirmed vulnerability.

Note: CSRF is a common web vulnerability. When successfully exploited, it lets an
attacker make a logged-in victim’s browser submit a state-changing request the
victim never intended, riding on the victim’s own session. For instance, a crafted
page could make users change their password or email address, or even delete their
account.
What vulnerabilities did you find?

5. Using the same port and target, let’s use the http-backup-finder script to see
if the web server reveals any backup files. The script spiders the site and, for
each file it finds, requests likely backup names (for example index.php.bak or
index.php~) to see whether the server hands them out.

Sometimes backup files may contain sensitive information, such as source code,
credentials in configuration files, or database dumps, that a hacker can leverage
for a future attack!

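The HTTP steps above hinge on two things: a script only produces output against a port Nmap
found open, and http-backup-finder works by guessing filenames. The following POSIX shell
helpers are an added example written for this page (not part of the lesson or of Nmap): they
read a port’s state and the http-date skew out of Nmap’s normal output, gate the HTTP scripts
on the port being open, and generate the kind of backup-file candidates the script requests.
The SAMPLE_* strings are constructed from the outputs shown on this page, and the backup
suffix set is a representative selection chosen for the example, not the script’s exact list.

```sh
#!/bin/sh
# Added example around the HTTP steps above. Functions read normal-format
# nmap output on stdin; SAMPLE_* are constructed from the outputs on this page.

SAMPLE_FILTERED='PORT   STATE    SERVICE
80/tcp filtered http'

SAMPLE_OPEN='PORT     STATE SERVICE
8000/tcp open  http-alt
|_http-date: Wed, 01 Jan 2020 00:00:00 GMT; -2s from local time.'

# State nmap reported for a TCP port: open, closed, filtered, ...
# Usage: port_state 80 < scan.txt
port_state() {
    awk -v p="$1/tcp" '$1 == p { print $2; exit }'
}

# Clock skew in seconds from an http-date line. HTTP Date headers are
# always GMT, so the skew is the useful part of the result, not a timezone.
http_date_skew() {
    sed -n 's/^|_*http-date: .*; \([-+]\{0,1\}[0-9][0-9]*\)s from local time\..*$/\1/p'
}

# Candidate backup names for one path, the kind of URLs http-backup-finder
# requests for every file it spiders. The suffix/prefix set is a representative
# selection chosen for this example, not the script's exact list.
backup_candidates() {
    path=$1
    dir=$(dirname "$path")
    file=$(basename "$path")
    if [ "$dir" = "/" ]; then dir=""; fi
    for suf in .bak .old .orig .save "~" .swp .1; do
        printf '%s/%s%s\n' "$dir" "$file" "$suf"
    done
    printf '%s/Copy of %s\n' "$dir" "$file"   # URL-encode the space when requesting
}

# Wrapper: only run the HTTP scripts when the port is actually open; against a
# filtered port NSE runs no service scripts and the scan looks like "no result".
# Needs a live nmap and permission to scan the target; not exercised by the demo.
http_scripts_if_open() {
    target=$1
    port=$2
    state=$(nmap -p"$port" "$target" | port_state "$port")
    if [ "$state" != open ]; then
        echo "$target:$port is ${state:-unknown}; skipping HTTP scripts" >&2
        return 1
    fi
    nmap -p"$port" --script http-date,http-csrf,http-backup-finder "$target"
}

# Demo on the constructed samples.
demo() {
    printf 'scanme.nmap.org:80 state: %s\n' "$(printf '%s\n' "$SAMPLE_FILTERED" | port_state 80)"
    printf 'localhost:8000 clock skew: %ss\n' "$(printf '%s\n' "$SAMPLE_OPEN" | http_date_skew)"
    printf 'backup candidates for /app/login.php:\n'
    backup_candidates /app/login.php
}
demo
```

With the samples, port 80 comes back filtered (so http_scripts_if_open would refuse to run the
scripts), port 8000 reports a 2-second skew, and /app/login.php expands to eight candidate
URLs. Only check candidates against hosts you are permitted to test; each candidate is a
request the server will log.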
Review

Nmap is a powerful tool, but scripts can make it even more powerful!

In this lesson we:

• Explored SSH on port 22 and HTTP on port 80.
• Used the -sC -sV options to run the default scripts together with version detection.
• Used --script to dictate specific scripts that we wanted to run.

Used the following scripts:

• Enumerated directories with http-enum.
• Tested which supplied keys the target accepts with ssh-publickey-acceptance.
• Found out the server’s authentication methods with ssh-auth-methods.
• Read a server’s date and clock skew with http-date.
• Looked for backup files with http-backup-finder.

Great job!
