4.1. Scanning a website with NMAP


Introduction

In previous lessons, we've already used Nmap to scan a server, which helped us discover some links, server technologies, and open ports. In this lesson, we'll delve deeper into the topic of scanning web servers with Nmap. For scanning, we'll be using the NSE (Nmap Scripting Engine).

Nmap, as installed in Kali, already comes with a set of scripts. Each script performs a specific task, such as scanning for SQL injection vulnerabilities, XSS, and more. You can find the complete list of scripts in the directory /usr/share/nmap/scripts/:

The list of NMAP scripts in Kali

As of the time this article was written, there were 606 scripts in the directory. The script names follow specific conventions, typically starting with the name of the protocol, such as "http" or "ftp," followed by the vulnerability or action the script performs. Since our goal is to scan a web server, we need to find scripts that start with "http." You can use a file manager to browse files or use the terminal. To do this, you can execute the command:

ls -l /usr/share/nmap/scripts/ | grep http

This command will list the scripts that start with "http" in the specified directory:

The list of HTTP NMAP scripts for testing web services

The first command, ls -l, lists all the files in the specified directory along with detailed information about each file. The second command, grep, filters that output by a keyword or pattern. Here it keeps only the lines containing "http", which narrows the list to the HTTP-related scripts. Note that grep matches "http" anywhere in the line, so it would also show a script whose name merely contains that word rather than starting with it.


Testing for specific vulnerability

As mentioned earlier, Nmap contains scripts for testing specific vulnerabilities. As an example, let's look at testing for the Cross-Site Scripting (XSS) vulnerability. For this example, we'll use the Mutillidae application. To perform the test, we'll use the http-unsafe-output-escaping script. The command would look like this:

nmap --script=http-unsafe-output-escaping --script-args url="/mutillidae" 10.0.2.4 -p 80

Here's an explanation of the command:

--script: Names the script (or scripts) to run, here http-unsafe-output-escaping.

--script-args: Specifies input arguments for the script. In our case, the argument is "url", which sets the path on the server where the testing should start.

-p: Specifies the port to test. In this course, we are using the standard HTTP port 80.

The result will look something like this:

Scan results with possible XSS vulnerability

The discovered links are likely vulnerable to XSS, but further verification is necessary. We will delve into the details of how to test various vulnerabilities in upcoming lessons. Other scripts are run in the same way.


Scanning by Categories, Running Multiple Scripts

Having many scripts provides more scanning capabilities, but running each script individually can be time-consuming. Is there a way to run multiple scripts at once? Yes, there are three ways:

1st Method:

If you need to run multiple scripts, you can simply specify them separated by commas. The command syntax looks like this:

nmap --script script1,script2,script3

The program will sequentially execute the specified scripts and display the scanning results for each script.


2nd Method:

If you have many scripts, you can use a wildcard in the script name. For example, if you want to run all scripts that start with "http," you can use the wildcard "*" after the word "http." Put the pattern in quotes so that the shell does not try to expand the asterisk itself before Nmap sees it. The command would look like this:

nmap --script="http-*" 10.0.2.4 -p 80


3rd Method:

You can run a group of scripts from a specific category. Nmap categorizes scripts into different categories. By specifying a particular category in the command, the program will run the necessary group of scripts. Here's a table of categories:

Category Name   Description

auth            Attempts to crack passwords on login pages using brute force.

discovery       Used to gather detailed information about the target.

dos             Scripts in this category cause denial of service. However, the main goal is to determine if the host is vulnerable to a DoS attack.

exploit         These scripts intentionally attack a remote host using discovered vulnerabilities.

malware         If the remote host is infected with a backdoor or other network-enabled malicious file, the program can detect it.

safe            Safe tests that provide basic information about the target.

vuln            Tests for vulnerabilities.


You can specify a particular category in the command to run scripts from that category. For example, to run all scripts in the "vuln" category, you would use the command:

nmap --script=vuln 10.0.2.4 -p 80

Nmap scan results from vuln category

If you take a closer look at the program output, you'll notice that the Apache server has a vulnerability, CVE-2011-3192, which can lead to a denial of service (DoS) attack. This vulnerability could also be identified manually by searching for "apache 2.2.14 vulnerability" in a search engine, which would yield a list of vulnerabilities, some of which even have accompanying exploits.

Unfortunately, Nmap, like any other scanner, cannot detect absolutely all existing vulnerabilities because it relies on the availability of specific scripts and plugins. To scan multiple categories at once, you can simply enter their names, separating them with commas. For example:

nmap --script "vuln,exploit" 10.0.2.4 -p 80

It's important to note that when you specify a category rather than a name pattern such as "http-*", Nmap runs every script in that category whose port rule matches an open port, so it will test other protocols and services, not just HTTP.


Adding a new script

What should you do when the script you need is not in the list of installed scripts? You have the option to create your own script if you are familiar with the Lua programming language or download one from external sources like GitHub.

The installation process is quite simple.

If you only need to download a single file, which is the script itself, save it in the directory /usr/share/nmap/scripts/. However, if the script requires additional files to work, it's better to create a separate folder and save all the files there. You will need elevated permissions for all operations in this directory, so use the sudo command for these operations.

Next, update the script database using the command:

sudo nmap --script-updatedb

If the script was saved in the common directory /usr/share/nmap/scripts/, you can run it in the standard way, just like any other script. If the script was saved in a separate folder, for example, /usr/share/nmap/scripts/new_folder/, you can run it as follows:

nmap --script=new_folder/new_script.nse target

In this case, you give the script's path relative to the scripts directory, including the folder where the script file is stored.
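As an added example that is not part of this lesson and is not one of Nmap's own scripts, the Lua skeleton below shows both where the category names in the table above come from (the categories table in each script's header) and what a script needs before you install it with the steps just described. The script name http-missing-security-headers, the header list and the path argument are assumptions; save the file as /usr/share/nmap/scripts/http-missing-security-headers.nse and run sudo nmap --script-updatedb before using it.

```lua
-- Added example (not from the lesson or from Nmap): a minimal NSE script
-- that lists which common defensive HTTP headers a page does not send.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Requests one page and reports the hardening headers missing from the
response. It only performs a GET, so it sends no attack payload.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- This table is what `--script safe` or `--script vuln` match against:
-- a script is in a category because it declares it here.
categories = {"safe", "discovery"}

-- Run only on ports Nmap considers HTTP (80, 443, 8080, ...).
portrule = shortport.http

-- Headers a hardened site is expected to send; this list is the example's
-- own choice (assumption), not an Nmap standard.
local EXPECTED = {
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
}
action = function(host, port)
  -- --script-args http-missing-security-headers.path=/mutillidae picks
  -- the page to request; the default is the site root.
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local resp = http.get(host, port, path)
  if not resp or not resp.status then
    return nil -- no HTTP answer: say nothing, as most NSE scripts do
  end
  -- The http library stores response header names in lower case.
  local missing = {}
  for _, name in ipairs(EXPECTED) do
    if resp.header[name] == nil then
      missing[#missing + 1] = name
    end
  end
  if #missing == 0 then return nil end
  local out = stdnse.output_table()
  out.path = path
  out.status = resp.status
  out.missing = missing
  return out
end
```

Once installed, run it like any other script, for example nmap --script=http-missing-security-headers --script-args http-missing-security-headers.path=/mutillidae 10.0.2.4 -p 80, and the output lists the headers the page did not send.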