How to Use Nmap Scripting Engine (NSE) in Termux

Sam Galope

The Nmap Scripting Engine (NSE) is an incredibly powerful feature that enhances Nmap’s core functionality, allowing users to automate and perform advanced network scanning. In this guide, you’ll learn how to use NSE in Termux, along with real-world use cases, examples, and explanations of the output.

Before proceeding, make sure you have Nmap installed in your Termux environment. You can follow our Nmap installation guide here for step-by-step instructions.

Caveat: Ethical Hacking

It’s important to note that while the Nmap Scripting Engine is a powerful tool for network diagnostics and vulnerability assessment, it should only be used for ethical purposes. You must have explicit permission from the network owner before running any scans. Unauthorized scanning of networks or systems can be illegal and lead to serious consequences. Always ensure that your actions are in compliance with local laws and ethical standards in cybersecurity.


Table of Contents

  1. What is Nmap Scripting Engine (NSE)?
  2. How to Run NSE Scripts
  3. Use Cases for NSE
  4. Creating Custom NSE Scripts
  5. Conclusion

What is Nmap Scripting Engine (NSE)?

The Nmap Scripting Engine (NSE) enables users to run pre-written scripts for more specialized network tasks such as vulnerability detection, brute-force attacks, service enumeration, and more. These scripts, written in Lua, can drastically enhance the information-gathering process during a network scan.

Learn more about basic Nmap commands in our Basic Network Scans with Nmap in Termux guide.


How to Run NSE Scripts

To run an NSE script in Termux, add the --script flag to your Nmap command. You can name individual scripts or select a whole group of them by category (such as vuln). For example:

$ nmap --script http-enum <target>

You can also specify multiple scripts by separating them with commas:

$ nmap --script http-enum,dns-brute <target>

Now, let’s explore some use cases with real-world examples.


Use Cases for NSE

The following examples demonstrate how to use NSE scripts in different scenarios.


Example 1: Enumerating Web Directories

NSE can be used to enumerate directories on a web server using the http-enum script. This is useful for uncovering hidden directories or sensitive files on a target web application.

$ nmap --script http-enum -p 80 <target>

Output:

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /admin/  [Status: 403, Size: 304]
|   /backup/ [Status: 200, Size: 1024]
|   /test/   [Status: 404, Size: 512]

Explanation:
This output shows that Nmap scanned port 80 of the target and used the http-enum script to probe for common directories. The /admin/ directory returned a 403 Forbidden status, meaning the server refused the request: the path usually exists but access to it is restricted. The /backup/ directory is accessible with a 200 OK status, while /test/ does not exist (404 Not Found). This kind of information is essential in web application testing for discovering sensitive or overlooked files.


Example 2: Brute-forcing DNS Records

Another useful NSE script is dns-brute, which brute-forces DNS subdomains. This is helpful for uncovering subdomains that are not listed in public records.

$ nmap --script dns-brute <target>

Output:

Starting dns-brute scan against target.com
| dns-brute:
|   www.target.com - 93.184.216.34
|   mail.target.com - 93.184.216.34
|   ftp.target.com - 93.184.216.34
|   dev.target.com - No record found

Explanation:
Here, the dns-brute script found the subdomains www.target.com, mail.target.com, and ftp.target.com, all pointing to the IP 93.184.216.34. The script did not find any records for dev.target.com. Subdomain enumeration is vital in a penetration test, as it reveals additional attack surfaces that could be exploited.


Example 3: Vulnerability Detection

One of the most powerful features of NSE is the ability to use scripts for vulnerability detection. The vuln category groups multiple scripts designed to detect known vulnerabilities in services.

$ nmap --script vuln -p 80,443 <target>

Output:

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE:
|   Apache Struts CVE-2017-5638 Remote Code Execution
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       Apache Struts 2 vulnerability allows remote attackers to execute arbitrary code.
|
|_http-vuln-cve2017-9805:
|   VULNERABLE:
|   Apache Struts CVE-2017-9805 Remote Code Execution

Explanation:
In this example, Nmap detected vulnerabilities on port 80. Specifically, it found CVE-2017-5638 and CVE-2017-9805, both associated with Apache Struts. These vulnerabilities allow remote code execution, making them critical issues that should be addressed immediately. The vuln script set is useful for auditing systems and detecting unpatched services. Treat each detection as a lead to verify rather than proof: these scripts rely on version checks and probes and can produce false positives.


Creating Custom NSE Scripts

In addition to the built-in scripts, you can also write your own NSE scripts for custom tasks. This is particularly useful if you need to perform highly specialized scans. NSE scripts are written in Lua, and Termux allows you to easily manage and execute your own scripts.

Here’s an example of a simple custom NSE script:

description = [[
  A custom script to ping hosts and report status.
]]

categories = {"discovery"}

-- Every NSE script needs a rule; without one it is never run.
-- hostrule selects the hosts the script fires on. Nmap only calls
-- host scripts for hosts that answered host discovery, so any host
-- reaching action() is already known to be up.
hostrule = function(host)
  return true
end

action = function(host)
  return "Host " .. host.ip .. " is up!"
end

Save the script in your Nmap scripts folder and run it like so:

$ nmap --script my_custom_script.nse <target>

Output:

Host 192.168.1.1 is up!
Host 192.168.1.2 is up!

Explanation:
This basic custom script checks if a host is alive and returns a simple message indicating that it’s reachable. Custom scripts can be tailored to specific needs, making NSE a flexible and powerful tool.
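Building on the host script above and the http-enum use case earlier, here is a fuller custom script as an added example (not part of the original post or of the Nmap project's own scripts): it requests a few paths on a web port, reports the status and size of each, and takes its path list from --script-args. The file name check-paths.nse and the argument check-paths.paths are assumptions.

```lua
-- check-paths.nse (hypothetical name): request a list of web paths and report
-- the HTTP status and body size of each. Added example, not an Nmap script.

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
  Requests a configurable list of paths on an HTTP service and reports the
  status code and body size the server returns for each one.
]]

categories = {"discovery", "safe"}

-- Run only against ports that look like HTTP (by port number or detected service).
portrule = shortport.http

action = function(host, port)
  -- Default paths; override with
  --   --script-args 'check-paths.paths={/admin/,/backup/}'
  -- The braces matter: a bare comma-separated value would be split into
  -- separate script arguments by Nmap's --script-args parser.
  local paths = {"/admin/", "/backup/", "/robots.txt"}
  local arg = stdnse.get_script_args(SCRIPT_NAME .. ".paths")
  if type(arg) == "table" then
    paths = arg
  elseif type(arg) == "string" then
    paths = {arg}          -- a single path given without braces
  end

  -- output_table keeps insertion order, so the report follows the path list
  local out = stdnse.output_table()
  for _, path in ipairs(paths) do
    local resp = http.get(host, port, path)
    if resp and resp.status then
      local size = resp.body and #resp.body or 0
      out[path] = string.format("Status: %d, Size: %d", resp.status, size)
    else
      out[path] = "no response"
    end
  end
  return out
end
```

Run it with nmap --script ./check-paths.nse --script-args 'check-paths.paths={/admin/,/backup/}' -p 80 <target>; the braces make the value a Lua table, which is why the script accepts both a table and a single string.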


Conclusion

The Nmap Scripting Engine (NSE) unlocks a world of possibilities for advanced network scanning and auditing. By using pre-written scripts or creating your own, you can automate complex tasks like vulnerability detection, subdomain enumeration, and web directory scanning. However, remember that all scans must be conducted ethically and with proper authorization.

For more advanced scanning techniques, check out our guide on Advanced Nmap Scanning in Termux.
