In the Nmap lectures we have seen no port scan, also known as ping scan, and different ways of scanning ports: SYN scan, also known as half-open scanning; TCP scan, also known as TCP connect scan; UDP scan; service and version detection; and operating system detection.

Now let's deep dive into Nmap. The Nmap Scripting Engine, or NSE, is one of Nmap's most powerful and flexible features. It allows users to write simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you would expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap or write their own to meet custom needs.

So, also a couple of things here. Scripts are written in the embedded Lua programming language, version 5.3, and NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts). Results are integrated into Nmap normal and XML output. The default place of Nmap's embedded scripts is "/usr/share/nmap/scripts".

NSE was designed to be versatile, with the following tasks in mind.

Network discovery: This is the most powerful part of Nmap. Examples include looking up whois data based on the target domain, querying RIPE for the target IP to determine ownership, SNMP queries, and listing available SMB shares and services.

More sophisticated version detection: The Nmap version detection system is able to recognize thousands of different services through its probe and regular expression signature based matching system, but it cannot recognize everything. For example, identifying the Skype version 2 service requires two independent probes, which version detection isn't flexible enough to handle. Nmap could also recognize more SNMP services if it tried a few hundred different community names by brute force. Neither of these tasks is well suited to traditional Nmap version detection, but both are easily accomplished with NSE.

Vulnerability detection: When a new vulnerability is discovered, you often want to scan your networks quickly and identify vulnerable systems before the bad guys do. While Nmap isn't a comprehensive vulnerability scanner, NSE is powerful enough to handle even demanding vulnerability checks. Remember when the Heartbleed bug infected hundreds of thousands of systems worldwide, and Nmap developers responded with the SSL Heartbleed detection script within hours, under two days.

Backdoor detection: Many attackers and some automated worms leave backdoors to enable later entry. Some of these can be detected by Nmap's regular expression based version detection, but more complex worms and backdoors require NSE's advanced capabilities to reliably detect them.

Vulnerability exploitation: As a general scripting language, NSE can even be used to exploit vulnerabilities rather than just find them. But of course it's not as powerful as exploit frameworks such as Metasploit.
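As an added example that is not part of this lecture or of Nmap's own script collection, here is a minimal NSE script in the shape the engine expects (description, categories, portrule, action). It grabs the first greeting line of a service and reports whether it matches a pattern the user supplies, the kind of check a defender runs after an advisory to list hosts still announcing an outdated version. The script name, the script argument name and the port list are my assumptions.

```lua
-- banner-check.nse (assumed name; example script, not part of Nmap's collection)
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Reads the greeting banner of a text-based service and reports whether it
matches a Lua pattern given with --script-args banner-check.pattern=...
Useful for quickly listing hosts that still announce an outdated version.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run only against ports whose services normally send a greeting line first
-- (assumed port/service list for this example).
portrule = shortport.port_or_service({21, 22, 25, 110},
                                     {"ftp", "ssh", "smtp", "pop3"})

action = function(host, port)
  -- The pattern is optional; without it the script just reports the banner.
  local pattern = stdnse.get_script_args("banner-check.pattern")

  local socket = nmap.new_socket()
  socket:set_timeout(5000)                    -- milliseconds
  local status = socket:connect(host, port)
  if not status then
    return nil                                -- nothing to report
  end

  local ok, line = socket:receive_lines(1)    -- first banner line(s)
  socket:close()
  if not ok then
    return nil
  end
  line = line:gsub("[\r\n]+$", "")            -- drop trailing newline

  -- output_table keeps key order in both normal and XML output
  local out = stdnse.output_table()
  out.banner = line
  if pattern then
    out.pattern = pattern
    out.matches = (line:find(pattern) ~= nil)
  end
  return out
end
```

Run it with `nmap --script ./banner-check.nse --script-args banner-check.pattern='OpenSSH_7' <host>` (the pattern value is a constructed sample); because the script is not in the default category, -sC alone will not run it.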