Wednesday 28 October 2009

Using Nmap as a vulnerability scanner

All good hackers know Nmap, the popular and highly functional port scanner. One thing you may have overlooked, however, is some of its newer functionality, such as the Nmap Scripting Engine (NSE).

I'd like to remind people, when discussing hacking techniques, that your actions are your karma, and you will reap the results of your karma. Please be an ethical hacker.

The Nmap Scripting Engine (NSE) first appeared in the Nmap 4.21ALPHA releases (December 2006) and shipped with the stable 4.50 release a year later. It lets Nmap run Lua scripts against the hosts and ports it discovers, which adds powerful functionality such as brute-force attacks, vulnerability checks, service enumeration and much more.

Let's take a look at one example.

First, check that your version is up to it
(I'm using BackTrack 4, so it's all good ;o)
nmap -V

Nmap version 5.21 ( http://nmap.org )

Looks fine, so take a look in the scripts directory ("/usr/share/nmap/scripts" for packaged installs, "/usr/local/share/nmap/scripts" if you built from source), and you will see a whole batch of scripts.

Picking one at random, let's look at robots.txt.nse

If you do a "more robots.txt.nse" you will find the script's description, categories and usage notes in its header. Note that Nmap takes a hostname or IP address as its target, not a URL, so a simple usage could be something like:

nmap --script robots.txt.nse -p80 www.insidetrust.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-03 17:01 BST
NSE: Script Scanning completed.
Nmap scan report for www.insidetrust.com (192.168.20.120)
Host is up (0.037s latency).
PORT   STATE SERVICE
80/tcp open  http
| robots.txt: has 15 disallowed entries
| /cgi /iaweb/ /cpc/vision/ /cpc/eps/
| /cpc/archive/ /cpc/dia/ /cpc/ecs/ /cpc/fcs/ /cpc/gif/
|_/cpc/OptContent/ /cpc/pix/ /cpc/sound/ /cpc/feature/

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

Which is pretty handy if you are looking for areas of a web server that the owner doesn't want Google to index. Remember that robots.txt is purely advisory: it only keeps well-behaved crawlers away, so every path listed in it is effectively advertised to anyone who looks, and anything sensitive there needs real access control rather than a Disallow line. And of course you could easily scan a large range of hosts in one go; add -oX or -oA if you want the results in a file you can process afterwards.
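To see what the script is actually reporting, here is an added example (my own code, not part of the Nmap script or of the original post) that parses a robots.txt body the way a crawler would, keeping Allow and Disallow rules per user-agent group, and then collects every disallowed path into one list for manual review. The robots.txt content and the example.test hostname are constructed for the example.

```python
# Added example, not from the original post or from Nmap: a small robots.txt
# parser that does what the NSE script does internally, but keeps the rules
# per user-agent group. SAMPLE_ROBOTS is constructed; it is not a real site.

SAMPLE_ROBOTS = """\
# constructed sample, not fetched from any real site
User-agent: *
Disallow: /cgi
Disallow: /iaweb/
Disallow: /cpc/vision/   # comment after a rule
Allow: /cpc/vision/public/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /admin/
Disallow:

Sitemap: https://www.example.test/sitemap.xml
"""


def parse_robots(text):
    """Return {agent: {"disallow": [...], "allow": [...]}} for each group.

    Rules apply to every User-agent line that precedes them in the same
    group; a User-agent line that follows a rule starts a new group.
    Comments (#), blank lines and unknown fields such as Sitemap are
    ignored, and an empty 'Disallow:' means nothing is disallowed.
    """
    groups = {}
    agents = []              # agents the next rule lines belong to
    expecting_agents = True  # False once a rule has been seen in this group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not expecting_agents:   # rules already seen: start a new group
                agents = []
                expecting_agents = True
            agent = value.lower()
            agents.append(agent)
            groups.setdefault(agent, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            expecting_agents = False
            if value:                  # skip the empty 'Disallow:' form
                for agent in agents:
                    groups[agent][field].append(value)
    return groups


def all_disallowed(groups):
    """Every path any group is told to avoid: the list worth reviewing by hand."""
    return sorted({p for g in groups.values() for p in g["disallow"]})


def rules_for(groups, agent="*"):
    """Rules a given crawler applies: its own group if present, else '*'."""
    empty = {"disallow": [], "allow": []}
    return groups.get(agent.lower(), groups.get("*", empty))


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for path in all_disallowed(parsed):
        print(path)
```

The union returned by all_disallowed is the useful output for a tester: whichever user-agent a path was hidden from, it is a location the site owner would rather not have found.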

You can try the other scripts for yourself, of course.

Try this, for example, which runs every script Nmap ships against a host or range of hosts (each script only fires where its port or host rule matches, so what actually runs depends on the open ports found):

nmap --script all ipaddressrange

Be aware that "all" really does mean all: it includes the intrusive, brute, dos and exploit categories, so it is slow, very noisy, and can lock out accounts or crash fragile services. Only run it against systems you are authorised to test. For a routine check a category is usually the better choice, such as the vuln or safe category (pass it to --script, ideally together with -sV so that scripts keyed on detected services and versions have something to work with).

This is very useful for vulnerability scanning and could help identify holes in your server patching processes, with one caveat: the vuln scripts are mostly banner- and version-based checks for specific known issues, so a clean run means "none of these scripts found anything", not "fully patched". Treat NSE as a complement to a dedicated vulnerability scanner rather than a replacement for it.
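To make a range scan usable, capture the XML report with -oX and post-process it. The following added example (my own code, not from the original post or the Nmap project) reads such a report, lists every script result on an open port, pulls the disallowed paths out of robots.txt output, and flags hosts where the port was open but the script produced nothing, because a silent host is a gap in coverage rather than a clean result. The XML is constructed to mirror Nmap's -oX format; the addresses, hostname and paths are invented.

```python
# Added example, not from the original post or from Nmap: summarise NSE script
# results from an Nmap XML report (-oX) across many hosts. SAMPLE_XML is
# constructed to mirror the -oX format; its hosts and paths are invented.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script robots.txt.nse -p80 -oX - 192.168.20.0/24" version="5.21">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.20.120" addrtype="ipv4"/>
<hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/>
<script id="robots.txt" output="has 3 disallowed entries&#xa;/cgi /iaweb/ /cpc/vision/"/>
</port></ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.20.121" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port></ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.20.122" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port></ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.20.123" addrtype="ipv4"/></host>
</nmaprun>
"""


def _open_ports(xml_text):
    """Yield (addr, hostname, port_element) for every open port of every host that was up."""
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                yield addr_el.get("addr"), hostname, port


def script_results(xml_text):
    """Return [(addr, hostname, port, script_id, output)] for every script result."""
    results = []
    for addr, hostname, port in _open_ports(xml_text):
        for script in port.findall("script"):
            results.append((addr, hostname, int(port.get("portid")),
                            script.get("id"), script.get("output", "")))
    return results


def robots_paths(results):
    """Map addr -> disallowed paths from robots.txt output. The script prints a
    summary line followed by the entries separated by whitespace."""
    paths = {}
    for addr, _, _, script_id, output in results:
        if script_id == "robots.txt":
            lines = output.split("\n")
            paths[addr] = " ".join(lines[1:]).split()
    return paths


def open_but_silent(xml_text, port_number, script_id):
    """Hosts where the port was open but the script said nothing: these need a
    second look (non-HTTP service, filtering, script error), not a clean tick."""
    silent = []
    for addr, _, port in _open_ports(xml_text):
        if int(port.get("portid")) != port_number:
            continue
        if not any(s.get("id") == script_id for s in port.findall("script")):
            silent.append(addr)
    return silent


if __name__ == "__main__":
    found = script_results(SAMPLE_XML)
    for addr, hostname, port, script_id, output in found:
        print(addr, hostname, port, script_id, output.split("\n")[0])
    print("no robots.txt output:", open_but_silent(SAMPLE_XML, 80, "robots.txt"))
```

Pointing this at a real report is a matter of replacing SAMPLE_XML with the contents of the -oX file; the XML format is stable across Nmap versions, which is why it is the better choice over scraping the normal output shown earlier.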

2 comments:

  1. Excellent piece of information. I had come to know about your web page from my friend hardkik, Chennai. I have read at least 9 posts of yours by now, and let me tell you, your web page gives the best and the most interesting information. This is just the kind of information that I had been looking for; I'm already your RSS reader now and I will regularly watch out for the new posts. Once again, hats off to you!
