Nmap scripts on one page: Difference between revisions
| Zeile 154: | Zeile 154: | ||
=ssl misc= | =ssl misc= | ||
| − | *[[ | + | ==Fingerprint der Hostkeys== |
| + | *nmap --script ssh-hostkey 192.168.34.1 | ||
| + | <pre> | ||
| + | Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:03 CET | ||
| + | Nmap scan report for 192.168.34.1 | ||
| + | Host is up (0.00016s latency). | ||
| + | Not shown: 994 closed tcp ports (conn-refused) | ||
| + | PORT STATE SERVICE | ||
| + | 22/tcp open ssh | ||
| + | | ssh-hostkey: | ||
| + | | 3072 2dc39f82ece37728cbc7b16c4acc6e2e (RSA) | ||
| + | | 256 7bbe487966c2e675dba74b535bbf34a1 (ECDSA) | ||
| + | |_ 256 20efafc3c2991472086ba11c0c8f6cda (ED25519) | ||
| + | 25/tcp open smtp | ||
| + | 53/tcp open domain | ||
| + | 80/tcp open http | ||
| + | 143/tcp open imap | ||
| + | 993/tcp open imaps | ||
| + | |||
| + | Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds | ||
| + | </pre> | ||
| + | ==Welche Authentifizierungsmethoden werden unterstützt== | ||
| + | *nmap --script ssh-auth-methods 192.168.34.1 | ||
| + | <pre> | ||
| + | Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:08 CET | ||
| + | Nmap scan report for 192.168.34.1 | ||
| + | Host is up (0.0010s latency). | ||
| + | Not shown: 994 closed tcp ports (conn-refused) | ||
| + | PORT STATE SERVICE | ||
| + | 22/tcp open ssh | ||
| + | | ssh-auth-methods: | ||
| + | | Supported authentication methods: | ||
| + | | publickey | ||
| + | |_ password | ||
| + | 25/tcp open smtp | ||
| + | 53/tcp open domain | ||
| + | 80/tcp open http | ||
| + | 143/tcp open imap | ||
| + | 993/tcp open imaps | ||
| + | |||
| + | Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds | ||
| + | </pre> | ||
| + | =Welche Cipher-Suits werden unterstützt= | ||
| + | *nmap --script ssh2-enum-algos 192.168.34.1 | ||
| + | <pre> | ||
| + | Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:09 CET | ||
| + | Nmap scan report for 192.168.34.1 | ||
| + | Host is up (0.00015s latency). | ||
| + | Not shown: 994 closed tcp ports (conn-refused) | ||
| + | PORT STATE SERVICE | ||
| + | 22/tcp open ssh | ||
| + | | ssh2-enum-algos: | ||
| + | | kex_algorithms: (9) | ||
| + | | curve25519-sha256 | ||
| + | | curve25519-sha256@libssh.org | ||
| + | | ecdh-sha2-nistp256 | ||
| + | | ecdh-sha2-nistp384 | ||
| + | | ecdh-sha2-nistp521 | ||
| + | | diffie-hellman-group-exchange-sha256 | ||
| + | | diffie-hellman-group16-sha512 | ||
| + | | diffie-hellman-group18-sha512 | ||
| + | | diffie-hellman-group14-sha256 | ||
| + | | server_host_key_algorithms: (5) | ||
| + | | rsa-sha2-512 | ||
| + | | rsa-sha2-256 | ||
| + | | ssh-rsa | ||
| + | | ecdsa-sha2-nistp256 | ||
| + | | ssh-ed25519 | ||
| + | | encryption_algorithms: (6) | ||
| + | | chacha20-poly1305@openssh.com | ||
| + | | aes128-ctr | ||
| + | | aes192-ctr | ||
| + | | aes256-ctr | ||
| + | | aes128-gcm@openssh.com | ||
| + | | aes256-gcm@openssh.com | ||
| + | | mac_algorithms: (10) | ||
| + | | umac-64-etm@openssh.com | ||
| + | | umac-128-etm@openssh.com | ||
| + | | hmac-sha2-256-etm@openssh.com | ||
| + | | hmac-sha2-512-etm@openssh.com | ||
| + | | hmac-sha1-etm@openssh.com | ||
| + | | umac-64@openssh.com | ||
| + | | umac-128@openssh.com | ||
| + | | hmac-sha2-256 | ||
| + | | hmac-sha2-512 | ||
| + | | hmac-sha1 | ||
| + | | compression_algorithms: (2) | ||
| + | | none | ||
| + | |_ zlib@openssh.com | ||
| + | 25/tcp open smtp | ||
| + | 53/tcp open domain | ||
| + | 80/tcp open http | ||
| + | 143/tcp open imap | ||
| + | 993/tcp open imaps | ||
| + | |||
| + | Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds | ||
| + | </pre> | ||
| + | =ssh Bruteforce= | ||
| + | *nmap --script ssh-brute 192.168.34.1 | ||
| + | <pre> | ||
| + | Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:13 CET | ||
| + | NSE: [ssh-brute] Trying username/password pair: root:root | ||
| + | NSE: [ssh-brute] Trying username/password pair: admin:admin | ||
| + | NSE: [ssh-brute] Trying username/password pair: administrator:administrator | ||
| + | NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin | ||
| + | NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin | ||
| + | NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin | ||
| + | ... | ||
| + | </pre> | ||
| + | |||
=smtp misc= | =smtp misc= | ||
*[[nmap-scripts-smtp]] | *[[nmap-scripts-smtp]] | ||
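Review bot: everything added under `=ssl misc=` is SSH material (ssh-hostkey, ssh-auth-methods, ssh2-enum-algos, ssh-brute), so the section title no longer matches its content; either retitle the section or move these blocks under an SSH heading and keep `=ssl misc=` for SSL/TLS scripts. The heading levels are also inconsistent: the first two additions use `==...==` while `=Welche Cipher-Suits werden unterstützt=` and `=ssh Bruteforce=` are level 1, which lifts them out of the section to the same level as `=smtp misc=`; make all four `==`. "Cipher-Suits" should read "Cipher-Suites". The removed line is an unterminated `*[[` link, so check that no intended link target was lost with it.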
Revision as of 15 May 2025, 16:10
Locate the scripts
- locate nse | grep scripts
Finding Vulnerability Scanning Scripts
- locate *vuln*.nse
or better
- cd /usr/share/nmap/scripts
- ls
help
- ssh-hostkey
- nmap --script-help=ssh-hostkey
<pre>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-01 05:06 CET

ssh-hostkey
Categories: safe default discovery
https://nmap.org/nsedoc/scripts/ssh-hostkey.html
  Shows SSH hostkeys.

  Shows the target SSH server's key fingerprint and (with high enough
  verbosity level) the public key itself. It records the discovered host keys
  in <code>nmap.registry</code> for use by other scripts. Output can be
  controlled with the <code>ssh_hostkey</code> script argument.

  You may also compare the retrieved key with the keys in your known-hosts
  file using the <code>known-hosts</code> argument.

  The script also includes a postrule that check for duplicate hosts using the
  gathered keys.
</pre>
- nfs-showmount
- nmap --script-help=nfs-showmount.nse
<pre>
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-13 07:26 CET

nfs-showmount
Categories: discovery safe
https://nmap.org/nsedoc/scripts/nfs-showmount.html
  Shows NFS exports, like the <code>showmount -e</code> command.
</pre>
ssh misc
Host key fingerprints
- nmap --script ssh-hostkey 192.168.34.1
<pre>
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:03 CET
Nmap scan report for 192.168.34.1
Host is up (0.00016s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   3072 2dc39f82ece37728cbc7b16c4acc6e2e (RSA)
|   256 7bbe487966c2e675dba74b535bbf34a1 (ECDSA)
|_  256 20efafc3c2991472086ba11c0c8f6cda (ED25519)
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
143/tcp open  imap
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
</pre>
Which authentication methods are supported
- nmap --script ssh-auth-methods 192.168.34.1
<pre>
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:08 CET
Nmap scan report for 192.168.34.1
Host is up (0.0010s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
143/tcp open  imap
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
</pre>
Which cipher suites are supported
- nmap --script ssh2-enum-algos 192.168.34.1
<pre>
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:09 CET
Nmap scan report for 192.168.34.1
Host is up (0.00015s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (9)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
143/tcp open  imap
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
</pre>
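To turn the ssh2-enum-algos listing into an audit result, the following added example (not part of the original page) parses the script block and reports algorithms that match a policy. The `WEAK` table and the function names are assumptions of this sketch, and the sample is a shortened copy of the output above.

```python
import re

# Constructed sample: the ssh2-enum-algos block from the scan above, shortened.
SAMPLE = """\
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (9)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       ssh-ed25519
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
25/tcp  open  smtp
"""

# Example policy, an assumption of this sketch: adapt it to your own baseline.
WEAK = {
    "ssh-rsa": "RSA signature over SHA-1",
    "hmac-sha1": "SHA-1 based MAC",
    "hmac-sha1-etm@openssh.com": "SHA-1 based MAC",
    "umac-64@openssh.com": "64-bit MAC tag",
    "umac-64-etm@openssh.com": "64-bit MAC tag",
}
CATEGORY = re.compile(r"^\|[ _]\s*(\w+_algorithms): \(\d+\)\s*$")
ENTRY = re.compile(r"^\|[ _]\s*(\S+)\s*$")

def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} for the first ssh2-enum-algos block."""
    result, current, inside = {}, None, False
    for line in text.splitlines():
        if not inside:
            inside = "ssh2-enum-algos:" in line
        elif not line.startswith("|"):  # next port line ends the script block
            break
        elif m := CATEGORY.match(line):
            current = result.setdefault(m.group(1), [])
        elif current is not None and (m := ENTRY.match(line)):
            current.append(m.group(1))
    return result

def audit(algos):
    """Return sorted (category, algorithm, reason) tuples for policy hits."""
    return sorted((c, a, WEAK[a]) for c, names in algos.items() for a in names if a in WEAK)
```

On an OpenSSH server, flagged entries are removed by restricting `HostKeyAlgorithms` and `MACs` in `sshd_config`, after which a rescan should return an empty findings list.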
ssh Bruteforce
- nmap --script ssh-brute 192.168.34.1
<pre>
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 14:13 CET
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
...
</pre>
ssl misc
smtp misc
proxy misc
http misc
wordpress-version misc
All vulnerabilities
- nmap -sV --script vulners 10.0.10.104
NFS Check
- nmap -sV --script=nfs-showmount.nse 10.82.10.40
SMB Check
- nmap -p 445 --script smb-os-discovery 10.82.10.40
Traceroute Geolocation
- nmap --traceroute --script traceroute-geolocation.nse -p 80 www.facebook.com
FTP Bannergrabbing
- nmap -sV -p 21 --script=banner 10.3.4.12
Update the Script Database
- nmap --script-updatedb