HSC
Network Security Consulting Agency Since 1989 - Specialized in Unix, Windows, TCP/IP and Internet
Text mode: access to the page content
Hervé Schauer Consultants
You are here: Home > Resources > Tips > Etendre les fonctionnalités de nmap et réaliser un scan au niveau applicatif
Go to: HSC Trainings
Télécharger le catalogue des formations
Search:  
Version française
   Services   
o Skills & Expertise
o Consulting
o ISO 27001 services
o Audit & Assessment
o Penetration tests
o Vunerability assessment (TSAR)
o Forensics
o ARJEL
o Training courses
o E-learning
   Conferences   
o Agenda
o Past events
o Tutorials
   Resources   
o Thematic index
o Tips
o Lectures
o Courses
o Articles
o Tools (download)
o Vulnerability watch
   Company   
o Hervé Schauer
o Team
o Job opportunities
o Credentials
o History
o Partnerships
o Associations
   Press and
 communication
 
 
o HSC Newsletter
o Bulletin juridique HSC
o Press review
o Press releases
o Publications
   Contacts   
o How to reach us
o Specific inquiries
o Directions to our office
o Hotels near our office
|>|Etendre les fonctionnalités de nmap et réaliser un scan au niveau applicatif   

by Julien Raeis et Jean-Baptiste Aviat (13/01/10)


============================================================================

Extending nmap functionalities to perform layer 7 scans
============================================================================

.
Cet article est diponible en français à nmap-script.html.fr.

--[ 1. Introduction ]---------------------------------------------------



    Nmap includes, since version 4.21, a scripting engine called NSE, based upon
 the LUA programming language (http://nmap.org/nse/). This article shows how
 it is possible, according to open ports revealed during scanning, to go deeper
 into information discovery.




--[ 2. Scripts integration ]--------------------------------------------

 On Linux systems, scripts are stored into the /usr/share/nmap/scripts/
 directory and indexed into the scripts.db database, which can be updated by
 the command "nmap --script-updatedb". Scripts are sorted by categories. Each
 script declares the categories it belongs to by the mean of the following
 line:

    -- Extract from the rpcinfo.nse file:
    categories = {"default","safe","discovery"}


 The scripting engine is activated by using the "-sC" option with nmap. This
 switch launches the scripts categorized as "intrusive" and "safe". It is
 recommended, when operating on a production environment, to disable the
 "intrusive" category, because some scripts in this category may for example
 automatically try SQL injections. To activate different categories, nmap may be
 invocated with the option "--script" as follows:

    For safe scripts:
    $ sudo nmap --script safe 127.0.0.1
    for any available script (be careful, might be dangerous!):
    $ sudo nmap --script all 127.0.0.1
    A single script may also be invocated:
    $ sudo nmap --script nom_du_script.nse 127.0.0.1

 It is reasonable to use only scripts categorized as "safe" in order to minimize
 the risk to crash applications on the tested systems.





--[ 3. Default scripts ]------------------------------------------------

 By default, nmap 5.20 is shipped with 80 scripts analyzing mostly Apache and
 SSH servers banners, requesting available services from RPC servers or
 performing Whois queries. The script "smb-os-discovery.nse" identifies
 the version of a Windows system by fingerprinting its NetBIOS/SMB stack:



    $ sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 192.168.111.112 -PN
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-01-28 12:00 CET
    NSE: Script Scanning completed.
    Nmap scan report for 192.168.111.112
    Host is up (0.00088s latency).
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    137/udp open  netbios-ns

    Host script results:
    | smb-os-discovery:
    |   OS: Windows Server 2003 R2 3790 Service Pack 2 (Windows Server 2003 R2 5.2)
    |   Name: WORKGROUP\MSSQL2005
    |_  System time: 2010-01-28 12:00:08 UTC+1
    
    Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds




--[ 4. Creating custom scripts ]----------------------------------------

 Custom scripts can be easliy created by using the LUA language
 (http://www.lua.org/), and the libraries shipped with nmap (nselibs).

 For example, the following source code performs a request on a SIP device in
 order to discover available SIP methods on this host:


    -- -------------- Script NSE SIPOptions -------------- --
    id = "SIPOptions"
    
    description = "Attempts to extract SIP Options on SIP service"
    author = "Jean-Baptiste Aviat <Jean-Baptiste.Aviat@hsc.fr>"
    license = "See nmaps COPYING for licence"
    categories = {"discovery", "safe"}
    require "shortport"
    portrule = shortport.portnumber(5060, "udp", {"open", "open|filtered"})
    
    action = function(host, port)
    
    	local status, s, methods, socket, request
    
    	socket = nmap.new_socket()
    	socket:set_timeout(5000)
    	
    	local catch = function()
    		socket:close()
    	end
    	local try = nmap.new_try(catch)
    
    	try(socket:connect(host.ip, port.number, "udp"))
    	
    	request = "INFO sip:test@hsc.fr SIP/2.0"
    	request = request .. "Via: SIP/2.0/TCP hsc.fr:5060\r\n"
    	request = request .. "From: <sip:test@hsc.fr>;tag=d3f423d\r\n"
    	request = request .. "To: <sip:test@hsc.fr>;tag=8942\r\n"
    	request = request .. "Call-ID: 312352\r\n"
    	request = request .. "CSeq: 5 INFO\r\n"
    	request = request .. "Content-Length: 0\r\n\r\n"
    	
    	socket:send(request)
    	
    	while true do
    		status, s = socket:receive_lines(1)
    		methods = string.match(s, "Allow: *([ A-Z,]+)")
    		if not status or string.len(methods)> 0 then
    			break
    		end
    	end
    	socket:close()
    
    	-- inform nmap the UDP port is opened
    	nmap.set_port_state(host, port, "open")
    	
    	return methods
    end
    -- ------------------------------------------------------



--[ 5. Usage ]----------------------------------------------------------

 An nmap session that uses this script provides the following output (here
 targeting an Asterisk SIP server):


  $ sudo nmap --script=./SIPOptions.nse localhost -sU -p 5060
  
  Starting Nmap 5.21 ( http://nmap.org ) at 2010-01-28 13:45 CET
  Interesting ports on localhost (127.0.0.1):
  PORT     STATE SERVICE
  5060/udp open  sip
  |_ SIPOptions: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
  
  Nmap done: 1 IP address (1 host up) scanned in 2.108 seconds



 And here against the Ekiga softphone:


  $ sudo nmap --script=./SIPOptions.nse localhost -sU -p 5060

  Starting Nmap 5.21 ( http://nmap.org ) at 2010-01-28 13:47 CET
  Interesting ports on dhcp2.hsc.fr (192.70.106.122):
  PORT     STATE SERVICE
  5060/udp open  unknown
  |_ SIPOptions: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
  



--[ 6. References ]-----------------------------------------------------


    - Nmap       : http://nmap.org/
    - NSE        : http://nmap.org/nse/
    - SIP / INFO : http://www.ietf.org/rfc/rfc2976.txt
    - LUA        : http://www.lua.org/



Last modified on 2 February 2010 at 10:09:40 CET - webmaster@hsc.fr
Mentions légales - Information on this server - © 1989-2013 Hervé Schauer Consultants