Network Security Consulting Agency Since 1989 - Specialized in Unix, Windows, TCP/IP and Internet
Text mode: access to the page content
Hervé Schauer Consultants
You are here: Home > Resources > Tips > Etendre les fonctionnalités de nmap et réaliser un scan au niveau applicatif
Go to: HSC Trainings
Télécharger le catalogue des formations
Version française
o Skills & Expertise
o Consulting
o ISO 27001 services
o Audit & Assessment
o Penetration tests
o Vunerability assessment (TSAR)
o Forensics
o Training courses
o E-learning
o Agenda
o Past events
o Tutorials
o Thematic index
o Tips
o Lectures
o Courses
o Articles
o Tools (download)
o Vulnerability watch
o Hervé Schauer
o Team
o Job opportunities
o Credentials
o History
o Partnerships
o Associations
   Press and
o HSC Newsletter
o Bulletin juridique HSC
o Press review
o Press releases
o Publications
o How to reach us
o Specific inquiries
o Directions to our office
o Hotels near our office
|>|Etendre les fonctionnalités de nmap et réaliser un scan au niveau applicatif   

by Julien Raeis et Jean-Baptiste Aviat (13/01/10)


Extending nmap functionalities to perform layer 7 scans

Cet article est diponible en français à nmap-script.html.fr.

--[ 1. Introduction ]---------------------------------------------------

    Nmap includes, since version 4.21, a scripting engine called NSE, based upon
 the LUA programming language (http://nmap.org/nse/). This article shows how
 it is possible, according to open ports revealed during scanning, to go deeper
 into information discovery.

--[ 2. Scripts integration ]--------------------------------------------

 On Linux systems, scripts are stored into the /usr/share/nmap/scripts/
 directory and indexed into the scripts.db database, which can be updated by
 the command "nmap --script-updatedb". Scripts are sorted by categories. Each
 script declares the categories it belongs to by the mean of the following

    -- Extract from the rpcinfo.nse file:
    categories = {"default","safe","discovery"}

 The scripting engine is activated by using the "-sC" option with nmap. This
 switch launches the scripts categorized as "intrusive" and "safe". It is
 recommended, when operating on a production environment, to disable the
 "intrusive" category, because some scripts in this category may for example
 automatically try SQL injections. To activate different categories, nmap may be
 invocated with the option "--script" as follows:

    For safe scripts:
    $ sudo nmap --script safe
    for any available script (be careful, might be dangerous!):
    $ sudo nmap --script all
    A single script may also be invocated:
    $ sudo nmap --script nom_du_script.nse

 It is reasonable to use only scripts categorized as "safe" in order to minimize
 the risk to crash applications on the tested systems.

--[ 3. Default scripts ]------------------------------------------------

 By default, nmap 5.20 is shipped with 80 scripts analyzing mostly Apache and
 SSH servers banners, requesting available services from RPC servers or
 performing Whois queries. The script "smb-os-discovery.nse" identifies
 the version of a Windows system by fingerprinting its NetBIOS/SMB stack:

    $ sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 -PN
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-01-28 12:00 CET
    NSE: Script Scanning completed.
    Nmap scan report for
    Host is up (0.00088s latency).
    139/tcp open  netbios-ssn
    137/udp open  netbios-ns

    Host script results:
    | smb-os-discovery:
    |   OS: Windows Server 2003 R2 3790 Service Pack 2 (Windows Server 2003 R2 5.2)
    |   Name: WORKGROUP\MSSQL2005
    |_  System time: 2010-01-28 12:00:08 UTC+1
    Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

--[ 4. Creating custom scripts ]----------------------------------------

 Custom scripts can be easliy created by using the LUA language
 (http://www.lua.org/), and the libraries shipped with nmap (nselibs).

 For example, the following source code performs a request on a SIP device in
 order to discover available SIP methods on this host:

    -- -------------- Script NSE SIPOptions -------------- --
    id = "SIPOptions"
    description = "Attempts to extract SIP Options on SIP service"
    author = "Jean-Baptiste Aviat <Jean-Baptiste.Aviat@hsc.fr>"
    license = "See nmaps COPYING for licence"
    categories = {"discovery", "safe"}
    require "shortport"
    portrule = shortport.portnumber(5060, "udp", {"open", "open|filtered"})
    action = function(host, port)
    	local status, s, methods, socket, request
    	socket = nmap.new_socket()
    	local catch = function()
    	local try = nmap.new_try(catch)
    	try(socket:connect(host.ip, port.number, "udp"))
    	request = "INFO sip:test@hsc.fr SIP/2.0"
    	request = request .. "Via: SIP/2.0/TCP hsc.fr:5060\r\n"
    	request = request .. "From: <sip:test@hsc.fr>;tag=d3f423d\r\n"
    	request = request .. "To: <sip:test@hsc.fr>;tag=8942\r\n"
    	request = request .. "Call-ID: 312352\r\n"
    	request = request .. "CSeq: 5 INFO\r\n"
    	request = request .. "Content-Length: 0\r\n\r\n"
    	while true do
    		status, s = socket:receive_lines(1)
    		methods = string.match(s, "Allow: *([ A-Z,]+)")
    		if not status or string.len(methods)> 0 then
    	-- inform nmap the UDP port is opened
    	nmap.set_port_state(host, port, "open")
    	return methods
    -- ------------------------------------------------------

--[ 5. Usage ]----------------------------------------------------------

 An nmap session that uses this script provides the following output (here
 targeting an Asterisk SIP server):

  $ sudo nmap --script=./SIPOptions.nse localhost -sU -p 5060
  Starting Nmap 5.21 ( http://nmap.org ) at 2010-01-28 13:45 CET
  Interesting ports on localhost (
  5060/udp open  sip
  Nmap done: 1 IP address (1 host up) scanned in 2.108 seconds

 And here against the Ekiga softphone:

  $ sudo nmap --script=./SIPOptions.nse localhost -sU -p 5060

  Starting Nmap 5.21 ( http://nmap.org ) at 2010-01-28 13:47 CET
  Interesting ports on dhcp2.hsc.fr (
  5060/udp open  unknown

--[ 6. References ]-----------------------------------------------------

    - Nmap       : http://nmap.org/
    - NSE        : http://nmap.org/nse/
    - SIP / INFO : http://www.ietf.org/rfc/rfc2976.txt
    - LUA        : http://www.lua.org/

Last modified on 2 February 2010 at 10:09:40 CET - webmaster@hsc.fr
Mentions légales - Information on this server - © 1989-2013 Hervé Schauer Consultants