A large part of the information-gathering arsenal in audits or pentesting is Nmap, and although most people know it for scanning networks, ports and services, not everyone keeps in mind the capabilities it gains through the use of scripts (NSE).

These scripts, or NSE (Nmap Scripting Engine), are small add-ons written in Lua that serve different purposes, such as vulnerability discovery, and are run simply by invoking them directly or by means of the categories into which they are grouped.

The most common categories are:

  • auth: Checks authentication processes.
  • brute: Obtains information by means of brute force.
  • discovery: Gathers information about hosts.
  • dos: Scripts related to DoS-type attacks.
  • external: Scripts that use third-party services.
  • intrusive: Scripts considered intrusive for the victim or target.
  • safe: Scripts that are “safe” with respect to intruding on systems.
  • vuln: Checks for the existence of the best-known vulnerabilities.

Each category is made up of dozens of scripts, which can be run directly. A concrete example would be running nmap to list the hosts that have shared drives with anonymous access or with a specific user. For that, the smb-enum-shares script in the discovery category is ideal.

$ sudo nmap -f -sS -sV --script smb-enum-shares 10.245.3.111
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-09 15:34 ART
Nmap scan report for 10.245.3.111
Host is up (0.0012s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE     VERSION
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb-enum-shares: 
|   ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   ADMIN$
|     Anonymous access: 
|   C$
|     Anonymous access: 
|   IPC$
|     Anonymous access: READ
|   USERS
|_    Anonymous access: 
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.32 seconds


And by specifying a particular user, for example admin/Clave, we can check what access that user has.

$ sudo nmap -f -sS -sV --script smb-enum-shares --script-args=smbuser=admin,smbpass=Clave 10.245.3.111 
 
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-09 15:37 ART
Nmap scan report for 10.245.3.111
Host is up (0.0012s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE     VERSION
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Admin remota
|     Users: 0, Max: 
|     Path: C:\Windows
|     Anonymous access: 
|     Current user ('admin') access: READ/WRITE
|   C$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Recurso predeterminado
|     Users: 0, Max: 
|     Path: C:\
|     Anonymous access: 
|     Current user ('admin') access: READ/WRITE
|   IPC$
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC remota
|     Users: 1, Max: 
|     Path: 
|     Anonymous access: READ 
|     Current user ('admin') access: READ 
|   Users
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0, Max: 
|     Path: C:\Users
|     Anonymous access: 
|_    Current user ('admin') access: READ/WRITE
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.75 seconds

With the vuln parameter we run every script in that category, including a positive result from http-slowloris-check indicating that we are vulnerable to a DoS attack that has been known for more than 5 years.

$ sudo nmap -f -sS -sV --script vuln  10.245.3.111
 
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-09 15:53 ART
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     10.10.55.70
|     10.245.2.8
|     10.245.2.17
|     10.245.2.5
|     10.245.2.11
|     10.245.2.2
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.245.3.111
Host is up (0.0012s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE     VERSION
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
2869/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-fileupload-exploiter: 
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
5357/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-fileupload-exploiter: 
|_http-frontpage-login: false
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     Description:
|       Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
|       It accomplishes this by opening connections to the target web server and sending a partial request. By doing 
|       so, it starves the http server's resources causing Denial Of Service.
|       		
|     Disclosure date: 2009-09-17
|     References:
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 207.35 seconds
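The vuln run above ends with a long block where only one script actually reports a VULNERABLE state; the rest are negatives or access-denied results. The following parser, an added example that is not part of the original post, reads Nmap's normal output (the same `|` / `|_` format shown on this page), groups script results by host and port, and returns the ones whose state is VULNERABLE. The sample input is a constructed, trimmed version of the page's own run.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the page's own `--script vuln` run.
SAMPLE = """\
Pre-scan script results:
|_broadcast-avahi-dos: Hosts are all up (not vulnerable).
Nmap scan report for 10.245.3.111
Host is up (0.0012s latency).
PORT     STATE SERVICE     VERSION
5357/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-frontpage-login: false
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     Disclosure date: 2009-09-17
|_    References: http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")
# First line of a script result ("| name: text" or "|_name: text"); continuation
# lines carry extra indentation after the "|"/"|_" gutter and do not match.
SCRIPT_RE = re.compile(r"^\|[ _]([A-Za-z0-9][\w.-]*):\s?(.*)$")


def parse_nmap(text):
    """Return {host: {port or 'host'/'prescan': {script: output}}}."""
    report = defaultdict(lambda: defaultdict(dict))
    host, section, script = "prescan", "prescan", None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, section, script = m.group(1), "host", None
        elif m := PORT_RE.match(line):
            section, script = m.group(1), None
        elif line.startswith("Host script results"):
            section, script = "host", None
        elif m := SCRIPT_RE.match(line):
            script = m.group(1)
            report[host][section][script] = m.group(2).rstrip()
        elif line.startswith("|") and script:
            # Continuation line: drop the gutter and indentation, keep the text.
            prev, extra = report[host][section][script], line.lstrip("|_ ").rstrip()
            report[host][section][script] = f"{prev}\n{extra}" if prev else extra
    return report


def find_vulnerable(report):
    """(host, section, script) triples whose output reports a VULNERABLE state."""
    hits = []
    for host, sections in report.items():
        for section, scripts in sections.items():
            for name, output in scripts.items():
                if re.search(r"^State: (LIKELY )?VULNERABLE", output, re.M):
                    hits.append((host, section, name))
    return hits
```

Feed it the full output of a scan (`nmap ... --script vuln > scan.txt`) and the result is a short triage list instead of the whole transcript; results such as NT_STATUS_ACCESS_DENIED stay in the parsed report so unverified checks are not mistaken for negatives.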

To keep the scripts up to date (that is, to rebuild the script database, script.db, after adding or changing scripts) we run the nmap command with --script-updatedb as a parameter.

In /usr/share/nmap/scripts/ (depending on the OS we are running) all the available scripts can be found.

$ ls /usr/share/nmap/scripts/
acarsd-info.nse                       ftp-proftpd-backdoor.nse                informix-tables.nse           redis-brute.nse
address-info.nse                      ftp-vsftpd-backdoor.nse                 ip-forwarding.nse             redis-info.nse
afp-brute.nse                         ftp-vuln-cve2010-4221.nse               ip-geolocation-geobytes.nse   resolveall.nse
afp-ls.nse                            ganglia-info.nse                        ip-geolocation-geoplugin.nse  reverse-index.nse
afp-path-vuln.nse                     giop-info.nse                           ip-geolocation-ipinfodb.nse   rexec-brute.nse
afp-serverinfo.nse                    gkrellm-info.nse                        ip-geolocation-maxmind.nse    riak-http-info.nse
afp-showmount.nse                     gopher-ls.nse                           ipidseq.nse                   rlogin-brute.nse
ajp-auth.nse                          gpsd-info.nse                           ipv6-node-info.nse            rmi-dumpregistry.nse
ajp-brute.nse                         hadoop-datanode-info.nse                ipv6-ra-flood.nse             rmi-vuln-classloader.nse
ajp-headers.nse                       hadoop-jobtracker-info.nse              irc-botnet-channels.nse       rpcap-brute.nse
ajp-methods.nse                       hadoop-namenode-info.nse                irc-brute.nse                 rpcap-info.nse
ajp-request.nse                       hadoop-secondary-namenode-info.nse      irc-info.nse                  rpc-grind.nse
amqp-info.nse                         hadoop-tasktracker-info.nse             irc-sasl-brute.nse            rpcinfo.nse
asn-query.nse                         hbase-master-info.nse                   irc-unrealircd-backdoor.nse   rsync-brute.nse
auth-owners.nse                       hbase-region-info.nse                   iscsi-brute.nse               rsync-list-modules.nse
auth-spoof.nse                        hddtemp-info.nse                        iscsi-info.nse                rtsp-methods.nse
backorifice-brute.nse                 hostmap-bfk.nse                         isns-info.nse                 rtsp-url-brute.nse
backorifice-info.nse                  hostmap-ip2hosts.nse                    jdwp-exec.nse                 samba-vuln-cve-2012-1182.nse
banner.nse                            hostmap-robtex.nse                      jdwp-info.nse                 script.db
bitcoin-getaddr.nse                   http-adobe-coldfusion-apsa1301.nse      jdwp-inject.nse               servicetags.nse
bitcoin-info.nse                      http-affiliate-id.nse                   jdwp-version.nse              sip-brute.nse
bitcoinrpc-info.nse                   http-apache-negotiation.nse             krb5-enum-users.nse           sip-call-spoof.nse
bittorrent-discovery.nse              http-auth-finder.nse                    ldap-brute.nse                sip-enum-users.nse
bjnp-discover.nse                     http-auth.nse                           ldap-novell-getpass.nse       sip-methods.nse
broadcast-ataoe-discover.nse          http-awstatstotals-exec.nse             ldap-rootdse.nse              skypev2-version.nse
broadcast-avahi-dos.nse               http-axis2-dir-traversal.nse            ldap-search.nse               smb-brute.nse
broadcast-bjnp-discover.nse           http-backup-finder.nse                  lexmark-config.nse            smb-check-vulns.nse
broadcast-db2-discover.nse            http-barracuda-dir-traversal.nse        llmnr-resolve.nse             smb-enum-domains.nse
broadcast-dhcp6-discover.nse          http-brute.nse                          lltd-discovery.nse            smb-enum-groups.nse
broadcast-dhcp-discover.nse           http-cakephp-version.nse                maxdb-info.nse                smb-enum-processes.nse
broadcast-dns-service-discovery.nse   http-chrono.nse                         mcafee-epo-agent.nse          smb-enum-sessions.nse
broadcast-dropbox-listener.nse        http-coldfusion-subzero.nse             membase-brute.nse             smb-enum-shares.nse
broadcast-eigrp-discovery.nse         http-comments-displayer.nse             membase-http-info.nse         smb-enum-users.nse
broadcast-igmp-discovery.nse          http-config-backup.nse                  memcached-info.nse            smb-flood.nse
broadcast-listener.nse                http-cors.nse                           metasploit-info.nse           smb-ls.nse
broadcast-ms-sql-discover.nse         http-date.nse                           metasploit-msgrpc-brute.nse   smb-mbenum.nse
broadcast-netbios-master-browser.nse  http-default-accounts.nse               metasploit-xmlrpc-brute.nse   smb-os-discovery.nse
broadcast-networker-discover.nse      http-domino-enum-passwords.nse          mmouse-brute.nse              smb-print-text.nse
broadcast-novell-locate.nse           http-drupal-enum-users.nse              mmouse-exec.nse               smb-psexec.nse
broadcast-pc-anywhere.nse             http-drupal-modules.nse                 modbus-discover.nse           smb-security-mode.nse
broadcast-pc-duo.nse                  http-email-harvest.nse                  mongodb-brute.nse             smb-server-stats.nse
broadcast-pim-discovery.nse           http-enum.nse                           mongodb-databases.nse         smb-system-info.nse
broadcast-ping.nse                    http-exif-spider.nse                    mongodb-info.nse              smbv2-enabled.nse
broadcast-pppoe-discover.nse          http-favicon.nse                        mrinfo.nse                    smb-vuln-ms10-054.nse
broadcast-rip-discover.nse            http-fileupload-exploiter.nse           msrpc-enum.nse                smb-vuln-ms10-061.nse
broadcast-ripng-discover.nse          http-form-brute.nse                     ms-sql-brute.nse              smtp-brute.nse
broadcast-sybase-asa-discover.nse     http-form-fuzzer.nse                    ms-sql-config.nse             smtp-commands.nse
broadcast-tellstick-discover.nse      http-frontpage-login.nse                ms-sql-dac.nse                smtp-enum-users.nse
broadcast-upnp-info.nse               http-generator.nse                      ms-sql-dump-hashes.nse        smtp-open-relay.nse
broadcast-versant-locate.nse          http-git.nse                            ms-sql-empty-password.nse     smtp-strangeport.nse
broadcast-wake-on-lan.nse             http-gitweb-projects-enum.nse           ms-sql-hasdbaccess.nse        smtp-vuln-cve2010-4344.nse
broadcast-wpad-discover.nse           http-google-malware.nse                 ms-sql-info.nse               smtp-vuln-cve2011-1720.nse
broadcast-wsdd-discover.nse           http-grep.nse                           ms-sql-query.nse              smtp-vuln-cve2011-1764.nse
broadcast-xdmcp-discover.nse          http-headers.nse                        ms-sql-tables.nse             sniffer-detect.nse
cassandra-brute.nse                   http-huawei-hg5xx-vuln.nse              ms-sql-xp-cmdshell.nse        snmp-brute.nse
cassandra-info.nse                    http-icloud-findmyiphone.nse            mtrace.nse                    snmp-hh3c-logins.nse
cccam-version.nse                     http-icloud-sendmsg.nse                 murmur-version.nse            snmp-interfaces.nse
citrix-brute-xml.nse                  http-iis-webdav-vuln.nse                mysql-audit.nse               snmp-ios-config.nse
citrix-enum-apps.nse                  http-joomla-brute.nse                   mysql-brute.nse               snmp-netstat.nse
citrix-enum-apps-xml.nse              http-litespeed-sourcecode-download.nse  mysql-databases.nse           snmp-processes.nse
citrix-enum-servers.nse               http-majordomo2-dir-traversal.nse       mysql-dump-hashes.nse         snmp-sysdescr.nse
citrix-enum-servers-xml.nse           http-malware-host.nse                   mysql-empty-password.nse      snmp-win32-services.nse
couchdb-databases.nse                 http-methods.nse                        mysql-enum.nse                snmp-win32-shares.nse
couchdb-stats.nse                     http-method-tamper.nse                  mysql-info.nse                snmp-win32-software.nse
creds-summary.nse                     http-open-proxy.nse                     mysql-query.nse               snmp-win32-users.nse
cups-info.nse                         http-open-redirect.nse                  mysql-users.nse               socks-auth-info.nse
cups-queue-info.nse                   http-passwd.nse                         mysql-variables.nse           socks-brute.nse
cvs-brute.nse                         http-phpmyadmin-dir-traversal.nse       mysql-vuln-cve2012-2122.nse   socks-open-proxy.nse
cvs-brute-repository.nse              http-phpself-xss.nse                    nat-pmp-info.nse              ssh2-enum-algos.nse
daap-get-library.nse                  http-php-version.nse                    nat-pmp-mapport.nse           ssh-hostkey.nse
daytime.nse                           http-proxy-brute.nse                    nbstat.nse                    sshv1.nse
db2-das-info.nse                      http-put.nse                            ncp-enum-users.nse            ssl-cert.nse
db2-discover.nse                      http-qnap-nas-info.nse                  ncp-serverinfo.nse            ssl-date.nse
dhcp-discover.nse                     http-rfi-spider.nse                     ndmp-fs-info.nse              ssl-enum-ciphers.nse
dict-info.nse                         http-robots.txt.nse                     ndmp-version.nse              ssl-google-cert-catalog.nse
distcc-cve2004-2687.nse               http-robtex-reverse-ip.nse              nessus-brute.nse              ssl-known-key.nse
dns-blacklist.nse                     http-robtex-shared-ns.nse               nessus-xmlrpc-brute.nse       sslv2.nse
dns-brute.nse                         http-sitemap-generator.nse              netbus-auth-bypass.nse        stun-info.nse
dns-cache-snoop.nse                   http-slowloris-check.nse                netbus-brute.nse              stun-version.nse
dns-check-zone.nse                    http-slowloris.nse                      netbus-info.nse               stuxnet-detect.nse
dns-client-subnet-scan.nse            http-sql-injection.nse                  netbus-version.nse            svn-brute.nse
dns-fuzz.nse                          http-stored-xss.nse                     nexpose-brute.nse             targets-asn.nse
dns-ip6-arpa-scan.nse                 http-title.nse                          nfs-ls.nse                    targets-ipv6-multicast-echo.nse
dns-nsec3-enum.nse                    http-tplink-dir-traversal.nse           nfs-showmount.nse             targets-ipv6-multicast-invalid-dst.nse
dns-nsec-enum.nse                     http-trace.nse                          nfs-statfs.nse                targets-ipv6-multicast-mld.nse
dns-nsid.nse                          http-traceroute.nse                     nping-brute.nse               targets-ipv6-multicast-slaac.nse
dns-random-srcport.nse                http-unsafe-output-escaping.nse         nrpe-enum.nse                 targets-sniffer.nse
dns-random-txid.nse                   http-userdir-enum.nse                   ntp-info.nse                  targets-traceroute.nse
dns-recursion.nse                     http-vhosts.nse                         ntp-monlist.nse               teamspeak2-version.nse
dns-service-discovery.nse             http-virustotal.nse                     omp2-brute.nse                telnet-brute.nse
dns-srv-enum.nse                      http-vlcstreamer-ls.nse                 omp2-enum-targets.nse         telnet-encryption.nse
dns-update.nse                        http-vmware-path-vuln.nse               openlookup-info.nse           tftp-enum.nse
dns-zeustracker.nse                   http-vuln-cve2009-3960.nse              openvas-otp-brute.nse         tls-nextprotoneg.nse
dns-zone-transfer.nse                 http-vuln-cve2010-0738.nse              oracle-brute.nse              traceroute-geolocation.nse
domcon-brute.nse                      http-vuln-cve2010-2861.nse              oracle-brute-stealth.nse      unusual-port.nse
domcon-cmd.nse                        http-vuln-cve2011-3192.nse              oracle-enum-users.nse         upnp-info.nse
domino-enum-users.nse                 http-vuln-cve2011-3368.nse              oracle-sid-brute.nse          url-snarf.nse
dpap-brute.nse                        http-vuln-cve2012-1823.nse              ovs-agent-version.nse         ventrilo-info.nse
drda-brute.nse                        http-vuln-cve2013-0156.nse              p2p-conficker.nse             versant-info.nse
drda-info.nse                         http-waf-detect.nse                     path-mtu.nse                  vmauthd-brute.nse
duplicates.nse                        http-waf-fingerprint.nse                pcanywhere-brute.nse          vnc-brute.nse
eap-info.nse                          http-wordpress-brute.nse                pgsql-brute.nse               vnc-info.nse
epmd-info.nse                         http-wordpress-enum.nse                 pjl-ready-message.nse         voldemort-info.nse
eppc-enum-processes.nse               http-wordpress-plugins.nse              pop3-brute.nse                vuze-dht-info.nse
finger.nse                            iax2-brute.nse                          pop3-capabilities.nse         wdb-version.nse
firewalk.nse                          iax2-version.nse                        pptp-version.nse              whois.nse
firewall-bypass.nse                   icap-info.nse                           qscan.nse                     wsdd-discover.nse
flume-master-info.nse                 ike-version.nse                         quake3-info.nse               x11-access.nse
ftp-anon.nse                          imap-brute.nse                          quake3-master-getservers.nse  xdmcp-discover.nse
ftp-bounce.nse                        imap-capabilities.nse                   rdp-enum-encryption.nse       xmpp-brute.nse
ftp-brute.nse                         informix-brute.nse                      rdp-vuln-ms12-020.nse         xmpp-info.nse
ftp-libopie.nse                       informix-query.nse                      realvnc-auth-bypass.nse

At http://nmap.org/nsedoc/categories/default.html we have the complete categorized list of available scripts.

Needless to say, this is only the beginning of the Nmap Scripting Engine, and it is up to us to put in hours and hours to get the most out of it.