WEBVTT

0
00:01.830 --> 00:10.650
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features and not

1
00:10.660 --> 00:14.760
sysadmins or pentesters know about it.

2
00:14.760 --> 00:21.270
It allows you to write and share simple scripts using the Lua programming language to automate a wide


3
00:21.270 --> 00:29.430
variety of networking tasks. Using NSE is crucial in order to automate system and vulnerability


4
00:29.450 --> 00:30.780
scans.

5
00:30.810 --> 00:39.320
In particular you'll be able to perform any sort of DNS enumeration, brute force attack, OS fingerprint

6
00:39.390 --> 00:47.520
and banner grabbing, vulnerability detection and exploitation, backdoor identification, malware discovery, and 


7
00:47.520 --> 00:56.120
much more. In this lecture we'll use only Nmap NSE scripts that come with the default installation of


8
00:56.210 --> 01:05.580
Nmap. There are approximately 600 scripts available; if you want to see the scripts available on

9
01:05.580 --> 01:10.670
your machine you can search for them using the locate command like this:

10
01:10.800 --> 01:17.430
First we run updatedb to update the file database used by locate:


11
01:20.570 --> 01:29.510
and then locate *.nse
I'm searching for all .nse files.

12
01:29.510 --> 01:33.800
These are the scripts; let's count them!

13
01:33.830 --> 01:38.170
Let's see how many scripts are available: wc -l

14
01:39.310 --> 01:50.020
So on this machine there are 579 NSE scripts available. Among the most useful NSE

15
01:50.020 --> 01:58.090
scripts are the vulnerability scanning scripts; these scripts are usually designed to find a specific

16
01:58.090 --> 02:06.880
vulnerability of the running services on a target that can be later exploited by a hacker. To search

17
02:06.880 --> 02:08.260
for those scripts

18
02:08.260 --> 02:14.440
we run locate *vuln*.nse


19
02:17.310 --> 02:25.360
These are vulnerability scanning scripts. And for example if we want to run a full vulnerability test

20
02:25.510 --> 02:36.700
against a target we execute nmap --script vuln -T4
it will run faster and the

21
02:36.700 --> 02:37.210
target

22
02:40.240 --> 02:49.880
This scan can take a few tens of seconds or at most one minute. I am pausing the recording until it's

23
02:49.880 --> 02:50.210
over;

24
03:01.210 --> 03:08.350
and we are presented with a full report of vulnerabilities discovered for the services that are running

25
03:08.620 --> 03:09.550
on that host.

26
03:12.680 --> 03:21.380
The scan has detected Common Vulnerabilities and Exposures or CVE. CVE stands for the common

27
03:21.380 --> 03:23.990
vulnerabilities and exposures

28
03:24.170 --> 03:32.000
and in plain English it simply means that it's a way of organizing and categorizing software vulnerabilities.

29
03:32.000 --> 03:38.960
This information can be highly useful for security researchers and penetration testers in their daily

30
03:38.960 --> 03:44.230
tasks. With hundreds of NSE scripts available

31
03:44.340 --> 03:49.120
we may need some help in determining what they do and how they work.

32
03:49.140 --> 03:53.110
Let's find all available scripts related to SSH.

33
03:58.620 --> 03:58.930
And

34
03:58.930 --> 04:08.450
now let's see the help of this one: nmap --script-help and the name of the script

35
04:14.690 --> 04:20.680
and we see the help of the script. As a last example of this lecture

36
04:20.720 --> 04:30.390
let's launch a brute force attack on an FTP server. This is the target, and an FTP server called Professional

37
04:30.420 --> 04:32.310
FTP daemon (ProFTPD) is running.

38
04:37.160 --> 04:46.430
I want to see its logs in real time: tail -f /var/log/proftpd/proftpd.log. These are the logs of


39
04:46.430 --> 04:53.360
the server and I'm starting the brute force attack nmap --

40
04:53.430 --> 04:54.060
script

41
04:56.790 --> 05:02.660
ftp-brute -p 21, the port, and the target.

42
05:09.700 --> 05:14.730
And on the target host we'll see the FTP server logs in real time.

43
05:14.770 --> 05:20.280
We notice the brute force attack that's in progress.

44
05:20.360 --> 05:28.460
Note that many NSE scripts do not simulate the attack but really launch it. Take care not to break

45
05:28.460 --> 05:34.130
systems when testing Nmap NSE scripts! Okay!

46
05:34.150 --> 05:42.100
That's all! In this lecture we saw that Nmap is one of the most valuable reconnaissance tools used

47
05:42.100 --> 05:44.670
both by black and white hat hackers.