Newer nmap versions add support for scripts (the Nmap Scripting Engine). The share/nmap/scripts directory under the nmap install directory already ships with 61 ready-made scripts.
Detailed usage is documented at: http://nmap.org/book/nse-usage.html
A few concrete examples:
nmap --script=smb-enum-users 192.168.199.9
Scans the host 192.168.199.9 and enumerates its SMB users at the same time.
nmap --script=smb-enum-shares 192.168.199.9
Enumerates the SMB shares that 192.168.199.9 exposes.
nmap --script=smb-brute 192.168.199.9
Brute-force guesses usernames and passwords on 192.168.199.9.
Scripts can also be selected automatically by category rather than by name, for example:
nmap --script auth 192.168.199.9
Tests the authentication side of 192.168.199.9; this category covers the snmp-brute, http-auth and ftp-anon scripts.
nmap --script all 192.168.199.9
Scans with every script.
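The category selection above works because nmap keeps an index, share/nmap/scripts/script.db, that maps every script to its categories. The following is an added example (not from the original post and not nmap's own code) that parses entries in the script.db layout and evaluates a --script expression the way nmap resolves it, going beyond the single-category form shown above to the boolean form nmap also accepts (and, or, not, parentheses, commas, and * wildcards). The sample entries and their category assignments are constructed for illustration; the script.db installed with your nmap is authoritative. It also reports which selected scripts fall into categories that generate attack-like traffic or can disrupt a service (brute, dos, exploit, intrusive, fuzzer), which is the check worth running before something like --script all is pointed at a host you are responsible for.

```python
import fnmatch
import re

# Constructed sample in the layout of nmap's share/nmap/scripts/script.db index
# (Entry { filename = ..., categories = {...} }). Category assignments are
# illustrative only; the script.db shipped with your nmap is authoritative.
SAMPLE_SCRIPT_DB = '''
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-auth.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "snmp-brute.nse", categories = { "intrusive", "auth", } }
Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery", } }
'''

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}')
# Tokens of a --script expression: parentheses, commas, or a bare term.
TOKEN_RE = re.compile(r'\s*(\(|\)|,|[^\s(),]+)')
# Categories whose scripts send attack-like traffic or can disrupt a service.
NOISY = {'brute', 'dos', 'exploit', 'intrusive', 'fuzzer'}


def parse_script_db(text):
    """Map each script name (without .nse) to the set of categories it belongs to."""
    db = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group(1)
        if name.endswith('.nse'):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def term_matches(name, cats, term):
    """True if one term ('all', a category, a script name or a * pattern) selects the script."""
    term = term.lower()
    if term == 'all' or term in cats:
        return True
    if term.endswith('.nse'):
        term = term[:-4]
    return fnmatch.fnmatchcase(name, term)


class _Parser:
    """Recursive-descent evaluator; 'not' binds tightest, then 'and', then 'or'. A comma acts as 'or'."""

    def __init__(self, tokens, matcher):
        self.toks, self.i, self.match = tokens, 0, matcher

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        val = self.parse_and()
        while self.peek() in ('or', ','):
            self.take()
            rhs = self.parse_and()  # always parsed so the tokens are consumed
            val = val or rhs
        return val

    def parse_and(self):
        val = self.parse_not()
        while self.peek() == 'and':
            self.take()
            rhs = self.parse_not()
            val = val and rhs
        return val

    def parse_not(self):
        if self.peek() == 'not':
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == '(':
            val = self.parse_or()
            if self.take() != ')':
                raise ValueError('unbalanced parentheses')
            return val
        if tok is None or tok in (')', ',', 'and', 'or', 'not'):
            raise ValueError('unexpected token %r' % (tok,))
        return self.match(tok)


def select_scripts(db, expr):
    """Sorted script names that 'nmap --script EXPR' would run, given a parsed script.db."""
    tokens = TOKEN_RE.findall(expr)
    selected = []
    for name, cats in sorted(db.items()):
        parser = _Parser(tokens, lambda term: term_matches(name, cats, term))
        hit = parser.parse_or()
        if parser.peek() is not None:
            raise ValueError('trailing input in expression: %r' % expr)
        if hit:
            selected.append(name)
    return selected


def noisy_scripts(db, expr):
    """Subset of the selection in a NOISY category: review these before scanning."""
    return [s for s in select_scripts(db, expr) if db[s] & NOISY]


if __name__ == '__main__':
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for expr in ('auth', 'all', 'smb-*', 'auth and not intrusive', '(default or auth) and safe'):
        print('%-28s -> %s' % (expr, ', '.join(select_scripts(db, expr))))
    print('noisy under --script all  ->', ', '.join(noisy_scripts(db, 'all')))
```

To use it against a real installation, read your own script.db into parse_script_db instead of SAMPLE_SCRIPT_DB; the noisy_scripts list for an expression is the set of scripts that will show up as brute-force or intrusive activity in the target's logs, so it doubles as a checklist for what a detection team should expect to see.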
Dump the SAM file:
nmap --script=smb-pwdump --script-args=smbuser=epp,smbpass=password 192.168.80.129
Brute-force SMB using the specified username and password list files:
nmap --script=smb-brute --script-args=userdb=usernames.txt,passdb=password.txt 192.168.80.1/24
All scripts currently shipped (the two-column directory listing is merged here into one alphabetical list; script.db is the index file that maps scripts to categories, not a script itself):
address-info.nse afp-brute.nse afp-ls.nse afp-path-vuln.nse afp-serverinfo.nse afp-showmount.nse asn-query.nse auth-owners.nse auth-spoof.nse
backorifice-brute.nse backorifice-info.nse banner.nse bittorrent-discovery.nse broadcast-avahi-dos.nse broadcast-db2-discover.nse broadcast-dhcp-discover.nse broadcast-dns-service-discovery.nse broadcast-dropbox-listener.nse broadcast-listener.nse broadcast-ms-sql-discover.nse broadcast-netbios-master-browser.nse broadcast-novell-locate.nse broadcast-ping.nse broadcast-upnp-info.nse broadcast-wsdd-discover.nse
citrix-brute-xml.nse citrix-enum-apps.nse citrix-enum-apps-xml.nse citrix-enum-servers.nse citrix-enum-servers-xml.nse couchdb-databases.nse couchdb-stats.nse creds-summary.nse cvs-brute.nse cvs-brute-repository.nse
daap-get-library.nse daytime.nse db2-das-info.nse db2-discover.nse dhcp-discover.nse dns-brute.nse dns-cache-snoop.nse dns-fuzz.nse dns-nsec-enum.nse dns-random-srcport.nse dns-random-txid.nse dns-recursion.nse dns-service-discovery.nse dns-update.nse dns-zone-transfer.nse domcon-brute.nse domcon-cmd.nse domino-enum-users.nse dpap-brute.nse drda-brute.nse drda-info.nse
epmd-info.nse
finger.nse firewalk.nse ftp-anon.nse ftp-bounce.nse ftp-brute.nse ftp-libopie.nse ftp-proftpd-backdoor.nse ftp-vsftpd-backdoor.nse ftp-vuln-cve2010-4221.nse
giop-info.nse gopher-ls.nse
hddtemp-info.nse hostmap.nse http-affiliate-id.nse http-auth.nse http-awstatstotals-exec.nse http-axis2-dir-traversal.nse http-barracuda-dir-traversal.nse http-brute.nse http-cakephp-version.nse http-date.nse http-default-accounts.nse http-domino-enum-passwords.nse http-enum.nse http-favicon.nse http-form-brute.nse http-google-malware.nse http-headers.nse http-iis-webdav-vuln.nse http-joomla-brute.nse http-litespeed-sourcecode-download.nse http-majordomo2-dir-traversal.nse http-malware-host.nse http-methods.nse http-open-proxy.nse http-passwd.nse http-php-version.nse http-robots.txt.nse http-title.nse http-trace.nse http-userdir-enum.nse http-vhosts.nse http-vmware-path-vuln.nse http-vuln-cve2011-3192.nse http-waf-detect.nse http-wordpress-brute.nse http-wordpress-enum.nse http-wordpress-plugins.nse
iax2-version.nse imap-brute.nse imap-capabilities.nse informix-brute.nse informix-query.nse informix-tables.nse ip-geolocation-geobytes.nse ip-geolocation-geoplugin.nse ip-geolocation-ipinfodb.nse ip-geolocation-maxmind.nse ipidseq.nse irc-info.nse irc-unrealircd-backdoor.nse iscsi-brute.nse iscsi-info.nse
jdwp-version.nse
ldap-brute.nse ldap-novell-getpass.nse ldap-rootdse.nse ldap-search.nse lexmark-config.nse lltd-discovery.nse
modbus-discover.nse mongodb-databases.nse mongodb-info.nse ms-sql-brute.nse ms-sql-config.nse ms-sql-empty-password.nse ms-sql-hasdbaccess.nse ms-sql-info.nse ms-sql-query.nse ms-sql-tables.nse ms-sql-xp-cmdshell.nse mysql-audit.nse mysql-brute.nse mysql-databases.nse mysql-empty-password.nse mysql-info.nse mysql-users.nse mysql-variables.nse
nat-pmp-info.nse nbstat.nse ncp-enum-users.nse ncp-serverinfo.nse netbus-auth-bypass.nse netbus-brute.nse netbus-info.nse netbus-version.nse nfs-ls.nse nfs-showmount.nse nfs-statfs.nse nping-brute.nse nrpe-enum.nse ntp-info.nse ntp-monlist.nse
omp2-brute.nse omp2-enum-targets.nse oracle-brute.nse oracle-enum-users.nse oracle-sid-brute.nse ovs-agent-version.nse
p2p-conficker.nse path-mtu.nse pgsql-brute.nse pjl-ready-message.nse pop3-brute.nse pop3-capabilities.nse pptp-version.nse
qscan.nse quake3-info.nse quake3-master-getservers.nse
realvnc-auth-bypass.nse resolveall.nse rmi-dumpregistry.nse rpcinfo.nse
script.db
servicetags.nse sip-brute.nse sip-enum-users.nse skypev2-version.nse smb-brute.nse smb-check-vulns.nse smb-enum-domains.nse smb-enum-groups.nse smb-enum-processes.nse smb-enum-sessions.nse smb-enum-shares.nse smb-enum-users.nse smb-flood.nse smb-mbenum.nse smb-os-discovery.nse smb-psexec.nse smb-security-mode.nse smb-server-stats.nse smb-system-info.nse smbv2-enabled.nse smtp-brute.nse smtp-commands.nse smtp-enum-users.nse smtp-open-relay.nse smtp-strangeport.nse smtp-vuln-cve2010-4344.nse smtp-vuln-cve2011-1720.nse smtp-vuln-cve2011-1764.nse sniffer-detect.nse snmp-brute.nse snmp-interfaces.nse snmp-ios-config.nse snmp-netstat.nse snmp-processes.nse snmp-sysdescr.nse snmp-win32-services.nse snmp-win32-shares.nse snmp-win32-software.nse snmp-win32-users.nse socks-open-proxy.nse sql-injection.nse ssh2-enum-algos.nse ssh-hostkey.nse sshv1.nse ssl-cert.nse ssl-enum-ciphers.nse ssl-google-cert-catalog.nse ssl-known-key.nse sslv2.nse stuxnet-detect.nse svn-brute.nse
targets-ipv6-multicast-echo.nse targets-ipv6-multicast-invalid-dst.nse targets-ipv6-multicast-slaac.nse targets-sniffer.nse targets-traceroute.nse telnet-brute.nse
upnp-info.nse
vnc-brute.nse vnc-info.nse
wdb-version.nse whois.nse wsdd-discover.nse
x11-access.nse xmpp-brute.nse xmpp-info.nse