Advanced NMAP (NSE Scripts)

Prerequisites

  • PFSense/Router VM
  • Domain Controller
  • Kali VM

Goals

  • Understand how to use NSE Scripts
  • Try NSE scripts inside of the lab

Get Started

With the PFSense, Domain Controller and Kali virtual machines booted we’re going to test out a few NSE scripts. NSE scripts extend Nmap with protocol-specific functionality beyond port scanning. For example, the “smb-os-discovery” script lets Nmap identify the target operating system and the domain it belongs to by talking SMB to the host.

smb-os-discovery

With the command below we are able to use the smb-os-discovery script.

nmap --script smb-os-discovery <target ip>

In our lab the expected output of running this against the domain controller is below.

http-title

The HTTP Title script is quite an underrated script. It simply retrieves the title of the index page of a web server. This can be extremely useful when you have to scan a large network with a number of web servers. If there are a lot of uninteresting web servers but also a Citrix environment among them, the script can quickly single it out.

Command

nmap -p80 --script http-title <target ip>

The output of this against one of our IIS servers is below.

dns-brute

The DNS Brute script is one of my personal favorites. It uses a wordlist and a target domain to brute force subdomains. A script like this has the potential to uncover administration pages, VPNs and a whole lot more. This can really change the direction of a pentest.

nmap --script dns-brute <target domain>
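Once the three scripts above have been run against the lab, the interesting part is sifting the results. The helper below is an added example, not part of this lab write-up or of Nmap itself: it parses the XML that Nmap writes when you add -oX lab.xml to any of the commands above, converts each script's structured output (the elem/table elements in the XML) into plain Python data, and then answers the three questions the sections above raise: which web servers have a title worth a second look (the Citrix case), which SMB hosts reported an OS and domain, and which hostnames dns-brute resolved. The SAMPLE_XML document and the INTERESTING_TITLES watchlist are constructed for the lab; the element names follow Nmap's -oX layout (port scripts under port, host scripts under hostscript, prerule scripts such as dns-brute under prescript).

```python
"""Triage helper for Nmap NSE results saved with -oX (added example, constructed data)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap --script smb-os-discovery,http-title,dns-brute -oX lab.xml`.
# Addresses, names and titles are made up for a lab network.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <prescript>
    <script id="dns-brute" output="DNS Brute-force hostnames: ...">
      <table key="DNS Brute-force hostnames">
        <table><elem key="address">10.10.10.30</elem><elem key="hostname">gw.lab.local</elem></table>
        <table><elem key="address">10.10.10.40</elem><elem key="hostname">mail.lab.local</elem></table>
      </table>
    </script>
  </prescript>
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2019 Standard 17763 ...">
        <elem key="os">Windows Server 2019 Standard 17763</elem>
        <elem key="domain">LAB</elem>
        <elem key="fqdn">dc01.lab.local</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.10.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
      <script id="http-title" output="IIS Windows Server"/></port></ports>
  </host>
  <host>
    <address addr="10.10.10.30" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
      <script id="http-title" output="Citrix Gateway">
        <elem key="title">Citrix Gateway</elem>
        <elem key="redirect_url">https://gw.lab.local/vpn/index.html</elem>
      </script></port></ports>
  </host>
</nmaprun>
"""

# Assumed watchlist of page titles that deserve attention on an internal network; extend per engagement.
INTERESTING_TITLES = ("citrix", "vpn", "login", "admin")


def nse_to_python(el):
    """Convert NSE structured output (<elem>/<table>) into str/dict/list.

    Keyed children become a dict, unkeyed siblings a list; a bare <script>
    with no structured children falls back to its 'output' attribute."""
    children = [c for c in el if c.tag in ("elem", "table")]
    if not children:
        return (el.text or "") if el.tag == "elem" else el.get("output", "")
    if all(c.get("key") is not None for c in children):
        return {c.get("key"): nse_to_python(c) for c in children}
    return [nse_to_python(c) for c in children]


def parse_scan(xml_text):
    """Return {'prescripts': {id: data}, 'hosts': [{ip, hostscripts, ports}]} from -oX output."""
    root = ET.fromstring(xml_text)
    scan = {"prescripts": {}, "hosts": []}
    for script in root.findall("./prescript/script"):
        scan["prescripts"][script.get("id")] = nse_to_python(script)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"ip": addr.get("addr") if addr is not None else None, "hostscripts": {}, "ports": []}
        for script in host.findall("./hostscript/script"):
            entry["hostscripts"][script.get("id")] = nse_to_python(script)
        for port in host.findall("./ports/port"):
            p = {"port": int(port.get("portid")), "proto": port.get("protocol"), "scripts": {}}
            for script in port.findall("script"):
                p["scripts"][script.get("id")] = nse_to_python(script)
            entry["ports"].append(p)
        scan["hosts"].append(entry)
    return scan


def interesting_web_hosts(scan, watchlist=INTERESTING_TITLES):
    """(ip, port, title) for every http-title result matching the watchlist, case-insensitively."""
    hits = []
    for host in scan["hosts"]:
        for p in host["ports"]:
            data = p["scripts"].get("http-title")
            if data is None:
                continue
            title = (data.get("title") if isinstance(data, dict) else data) or ""
            if any(word in title.lower() for word in watchlist):
                hits.append((host["ip"], p["port"], title))
    return hits


def smb_inventory(scan):
    """ip -> {os, domain, fqdn} for hosts that answered smb-os-discovery."""
    inventory = {}
    for host in scan["hosts"]:
        data = host["hostscripts"].get("smb-os-discovery")
        if isinstance(data, dict):
            inventory[host["ip"]] = {k: data.get(k) for k in ("os", "domain", "fqdn")}
    return inventory


def brute_forced_names(scan):
    """Sorted (hostname, address) pairs that dns-brute resolved."""
    data = scan["prescripts"].get("dns-brute", {})
    entries = data.get("DNS Brute-force hostnames", []) if isinstance(data, dict) else []
    return sorted((e["hostname"], e["address"]) for e in entries if isinstance(e, dict))


if __name__ == "__main__":
    result = parse_scan(SAMPLE_XML)
    print("web titles to review:", interesting_web_hosts(result))
    print("smb inventory:", smb_inventory(result))
    print("dns-brute names:", brute_forced_names(result))
```

Replace SAMPLE_XML with the contents of a real lab.xml to use it against your own scans; the same nse_to_python conversion works for any NSE script that emits structured output, so adding a triage function for another script is a matter of reading the resulting dict.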

Further Reading

If you have any NSE Script suggestions, leave them here!