1. Nmap Scripting Engine
Ruling the network with Nmap on steroids
Hani Benhabiles
President @ OWASP Algeria Student Chapter
Nmap-dev team (gsoc)
Security enthusiast
Student @ ESI
Twitter: @kroosec
Email: hani.benhabiles@owasp.org
9. Nmap Scripting Engine
2006, by Diman Todorov (GSoC project)
Extends Nmap capabilities
Scripts are written in Lua
10. Nmap Scripting Engine
365 scripts
/usr/share/nmap/scripts/
95 libraries
/usr/share/nmap/nselib/
11. Nmap Scripting Engine
Script types: Prerule, Host, Service, Postrule
Script categories: broadcast, brute, default (-A),
discovery, dos, safe, version, vuln...
http://nmap.org/nsedoc/
14. Phases of an Nmap scan
Script pre-scanning
Target enumeration
Host discovery
Reverse-DNS resolution
Port scanning
Version detection
OS detection
Traceroute
Script scanning
Output
Script post-scanning
15. Executing Scripts
--script http-enum
--script default,safe
--script http-* --script-args user=foo
18. Writing Nmap scripts
Scripting language
Fast and very light
Used by other security projects
(Wireshark, Snort, ModSecurity...)
Also used in game development: Crysis, WoW...
yes, World of Warcraft :)
19. Writing Nmap scripts
Meta-information
description, categories, dependencies, author and
license.
20. Writing Nmap scripts
Rules
Prerule, hostrule, portrule, postrule
May have more than one rule
21. Writing Nmap scripts
action
Core of the script
Function executed when a rule returns true.
23. Writing Nmap scripts
Drupal Views module Information Leakage
Permits recovering the list of users
admin/views/ajax/autocomplete/user/S returns
usernames that begin with S
Results in JSON format
24. Writing Nmap scripts
Not patched
Drupal.org is vulnerable :)
For more information:
http://www.madirish.net/node/465
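The slides on script structure (meta-information, rules, action) and on the Drupal Views autocomplete leak can be put together in one script. The following is an added example written for this page, not a script from the deck or from the Nmap project. It follows the layout the slides describe: meta fields at the top, a `portrule` built from the standard `shortport.http` helper, and an `action` that does the actual check. The script name, its arguments (`drupal-views-users.root`, `drupal-views-users.prefix`) and the author field are assumptions made for the example. The action only reports whether the endpoint answers unauthenticated requests with a non-empty JSON result for a single prefix, which is what a `vuln` script needs to flag the exposure; it does not walk the alphabet to collect account names.

```lua
-- Added example NSE script (not from the original deck or from Nmap).
-- Structure follows the slides: meta-information, rule, action.
local http = require "http"
local json = require "json"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

-- Meta-information
description = [[
Checks whether a Drupal site exposes the Views module user autocomplete
endpoint (admin/views/ajax/autocomplete/user/<prefix>) to unauthenticated
clients. When exposed, the endpoint answers with a JSON list of usernames
that begin with the given prefix, leaking the site's account names.
]]

author = "example author (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

-- Script arguments (names are assumptions for this example):
--   drupal-views-users.root    base path of the Drupal install (default "/")
--   drupal-views-users.prefix  prefix to probe with (default "a")

-- Rule: run against every port Nmap identified as HTTP.
portrule = shortport.http

-- Action: executed for each host/port where the rule returned true.
action = function(host, port)
  local root   = stdnse.get_script_args("drupal-views-users.root") or "/"
  local prefix = stdnse.get_script_args("drupal-views-users.prefix") or "a"
  local path   = root .. "/admin/views/ajax/autocomplete/user/" .. prefix
  path = string.gsub(path, "//+", "/")   -- collapse doubled slashes

  local response = http.get(host, port, path)
  if not response or response.status ~= 200 or not response.body then
    return nil   -- endpoint absent or not answering: nothing to report
  end

  -- The slides say the endpoint answers in JSON; anything else, or an
  -- empty result, means no leak was observed for this prefix.
  local ok, data = json.parse(response.body)
  if not ok or type(data) ~= "table" then
    return nil
  end

  local count = 0
  for _ in pairs(data) do count = count + 1 end
  if count == 0 then
    return nil
  end

  -- Report the exposure and how many names came back, not the names.
  return string.format(
    "Views user autocomplete is reachable without authentication at %s " ..
    "(%d username(s) returned for prefix %q).",
    path, count, prefix)
end
```

Dropped into Nmap's script directory (the `/usr/share/nmap/scripts/` path from slide 10), it is run like any other script, e.g. `--script drupal-views-users --script-args drupal-views-users.root=/drupal`, and `nmap --script-updatedb` refreshes the script database after adding it. Because the script returns `nil` when nothing is found, it stays silent on hosts that are not affected, which is the usual convention for `vuln` scripts so that scan output only lists real findings.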