1
00:00:00,330 --> 00:00:03,840
Here is another example source of an Nmap script.

2
00:00:03,990 --> 00:00:09,810
In addition to the code part, which executes the job of the script, it includes some additional sections

3
00:00:09,810 --> 00:00:14,920
such as description, categories, usage, author, license type, etc.

4
00:00:15,840 --> 00:00:21,250
Instead of probing the script code to understand the details of an Nmap script, you can use the --script-help parameter

5
00:00:21,370 --> 00:00:23,810
of the Nmap command.

6
00:00:24,610 --> 00:00:30,670
You will see the name, the categories, the link to deep search and the description sections as the result

7
00:00:31,030 --> 00:00:33,100
of the --script-help query.

8
00:00:33,280 --> 00:00:39,610
So you've heard me say it before, but I really need to emphasize the importance of the service and version

9
00:00:39,610 --> 00:00:40,170
detection

10
00:00:40,180 --> 00:00:47,200
once again in this Nmap scripting lecture. As you know, if you don't run the version detection,

11
00:00:47,200 --> 00:00:54,940
Nmap supposes that the default service is running on that port. In a script scan, Nmap supposes the default

12
00:00:54,940 --> 00:01:00,260
service is running on the port, so it runs the scripts as if they are suitable for that service.

13
00:01:00,280 --> 00:01:02,700
It's easy to see it in an Nmap query.

14
00:01:03,070 --> 00:01:03,460
OK.

15
00:01:03,460 --> 00:01:05,700
Open a terminal screen in Kali.

16
00:01:05,920 --> 00:01:13,540
I use the netstat command to see the listening ports. As you see, the SSH service is running, but it's not running

17
00:01:13,540 --> 00:01:14,590
on port 22.

18
00:01:14,620 --> 00:01:21,370
Instead it's running on port 443, and as you know, 443 is the default port of the

19
00:01:21,370 --> 00:01:22,430
HTTPS service.

20
00:01:23,110 --> 00:01:28,420
So if I run a port scan for my Kali's port 443 without adding the version detection option,

21
00:01:32,830 --> 00:01:36,580
Nmap marks the port as running an HTTPS service.

22
00:01:36,580 --> 00:01:44,960
Now if I add the SSH scripts to this query using "--script ssh*", without the version detection, none

23
00:01:44,960 --> 00:01:51,620
of the scripts run, because Nmap thinks that this service is HTTPS, not SSH, and does not run the

24
00:01:51,620 --> 00:01:53,430
SSH scripts.

25
00:01:53,630 --> 00:01:59,310
So I call the latest Nmap query with version detection using "-sV" this time.

26
00:01:59,400 --> 00:02:06,640
Like that, SSH scripts are started. With the version detection option, Nmap finds that the

27
00:02:06,640 --> 00:02:10,490
service is SSH and not HTTPS.

28
00:02:11,050 --> 00:02:12,160
Very important.

29
00:02:12,190 --> 00:02:12,590
OK.

30
00:02:12,760 --> 00:02:17,250
The SSH brute script takes a long time to run.

31
00:02:17,260 --> 00:02:20,830
We already got the point, so no need to wait for the results of the scripts.