OK. So let's get to it.

NSE is activated with the "-sC" option, or with "--script" if you wish to specify a custom set of scripts. Script scanning is normally done in combination with a port scan, because scripts may be run or not run depending on the port states found by the scan. You can use "-sC" to perform a script scan using the default set of scripts. It is equivalent to "--script=default". Now wait a second, what is this "default"? Well, it is one of the categories of Nmap scripts. Let me show you.

In the Nmap Scripting Engine, each NSE script defines a list of categories that it belongs to. So the currently defined categories are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Category names are not case sensitive. So let me give you a little detail.

default scripts are the default set and are run when using "-sC" rather than listing scripts with "--script". This category can also be specified explicitly like any other, using "--script=default".

auth scripts deal with authentication credentials or, coincidentally, bypassing them on the target system. Examples include oracle-enumusers.

brute scripts use brute force attacks to guess authentication credentials of a remote server. Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc.

dos scripts may cause a denial of service. Sometimes this is done to test vulnerability to a denial of service method, but more commonly it's an undesired but necessary side effect of testing for a traditional vulnerability. These tests sometimes crash vulnerable services.

exploit scripts aim to actively exploit some vulnerability. Examples include http-shellshock.

Scripts which weren't designed to crash services, use large amounts of network bandwidth or other resources, or exploit security holes are usually categorized as safe.

intrusive scripts are those that cannot be classified in the safe category, because the risks are just too high that they're going to crash the target system, use up significant resources on the target host such as bandwidth or CPU time, or otherwise be perceived as malicious by the target's system administrators.

malware scripts test whether the target platform is infected by malware or backdoors.

version scripts are an extension to the version detection feature and cannot be selected explicitly. They're selected to run only if version detection, that is "-sV", was requested.

vuln scripts check for specific known vulnerabilities and generally only report results if they're found.

You can alternatively use the "--script" parameter to run a script scan using a comma-separated list of file names, script categories and directories. Each element in the list may also be a boolean expression describing a more complex set of scripts. For example, if you use the script parameter with the expression "default and safe", the scripts which are in both the default and safe categories run.

The "--script-updatedb" option updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is only necessary to update the database if you have added or removed NSE scripts from the default scripts directory, or if you changed the categories of any script. This option is used by itself, without an argument.

OK, so let's see some of these scripts and try to use them. Open a terminal screen in Kali. To find the scripts, use the "locate" Linux command. Since the file extension of Nmap scripts is .nse, type "locate *.nse" and hit enter. It will locate the files which end in ".nse". This is where the Nmap scripts are located in Kali by default. Go to the folder using the "cd" command. I select the path and press the middle button of my mouse to copy and paste it, and hit enter. Now let's look at the script.db file first, which is the script database used by Nmap. It's in this folder.

I use the "less" command to look at the content of the file. Every row contains a script file name and its categories. So now we can see the usage of Nmap scripts. I want to try SSH scripts on my Metasploitable VM. First, with the help of the Linux "grep" command, once again I want to list the ssh scripts. Here are the scripts that have the word ssh in their names. To analyze the content of a script, I use the "less" command. Now let's look at a file, for example ssh-hostkey.nse. The script file has a description or usage section and many more lines. I want to show the category section of the script. In the less command you can use the "/" key to search for a word: type "/", then "cate", and hit enter. Here it found "cate" in the word "duplicate". This is not what we're looking for. So press the "n" key to find the next "cate"; again "duplicate". Press "n" once again, and we found the categories section.

Alternatively, you can use the "--script-help" Nmap parameter to get help about an Nmap script. Type "nmap --script-help" and then the script name. The file extension is optional here; it's OK if you don't use the extension. Here's a brief summary of the ssh-hostkey script: the script name, a link to learn more about it, and the description of the script.

Now look at the description of the ssh-hostkey script. It shows the target SSH server's key fingerprint and, with a high enough verbosity level, the public key itself. Now let's run a few Nmap commands and use scripts. Prepare the nmap command: a TCP SYN scan, and don't forget to define the port of your interest. First I want to run the default SSH scripts using the "-sC" parameter. ssh-hostkey is the default script for the SSH service, and here are the target SSH server's key fingerprints. In the description of the script, we saw that if the verbosity level is high enough, the script will show the public key itself. To see it, I want to run the Nmap command again, but this time I use "-vvv" to increase the verbosity level. Now we have the public keys as well as the fingerprints.