在新的nmap版本中,添加了script功能的使用。在nmap的安装目录的share/nmap/scripts中,已经有将61个写好的脚本提供。
具体的用法可以参考:http://nmap.org/book/nse-usage.html
在这儿举几个具体的例子:
nmap --script=smb-enum-users 192.168.199.9
对192.168.199.9这台机器进行扫描,同时对smb的用户进行枚举。
nmap --script=smb-enum-shares 192.168.199.9
对192.168.199.9所开启的smb共享进行枚举
nmap --script=smb-brute 192.168.199.9
对192.168.199.9的用户名和密码进行暴力猜测
或者还能根据script的类别进行自动扫描,如:
nmap --script auth 192.168.199.9
对192.168.199.9的用户验证方面进行测试,包括 snmp-brute
, http-auth
, 和ftp-anon三类脚本
nmap --script all 192.168.199.9
使用所有脚本进行扫描
将SAM文件Dump出来:
nmap --script=smb-pwdump --script-args=smbuser=epp,smbpass=password 192.168.80.129
使用指定的用户名和密码对smb进行破解:
nmap --script=smb-brute --script-args=userdb=usernames.txt,passdb=password.txt 192.168.80.1/24
目前所有的scripts
address-info.nse ldap-search.nse
afp-brute.nse lexmark-config.nse
afp-ls.nse lltd-discovery.nse
afp-path-vuln.nse modbus-discover.nse
afp-serverinfo.nse mongodb-databases.nse
afp-showmount.nse mongodb-info.nse
asn-query.nse ms-sql-brute.nse
auth-owners.nse ms-sql-config.nse
auth-spoof.nse ms-sql-empty-password.nse
backorifice-brute.nse ms-sql-hasdbaccess.nse
backorifice-info.nse ms-sql-info.nse
banner.nse ms-sql-query.nse
bittorrent-discovery.nse ms-sql-tables.nse
broadcast-avahi-dos.nse ms-sql-xp-cmdshell.nse
broadcast-db2-discover.nse mysql-audit.nse
broadcast-dhcp-discover.nse mysql-brute.nse
broadcast-dns-service-discovery.nse mysql-databases.nse
broadcast-dropbox-listener.nse mysql-empty-password.nse
broadcast-listener.nse mysql-info.nse
broadcast-ms-sql-discover.nse mysql-users.nse
broadcast-netbios-master-browser.nse mysql-variables.nse
broadcast-novell-locate.nse nat-pmp-info.nse
broadcast-ping.nse nbstat.nse
broadcast-upnp-info.nse ncp-enum-users.nse
broadcast-wsdd-discover.nse ncp-serverinfo.nse
citrix-brute-xml.nse netbus-auth-bypass.nse
citrix-enum-apps.nse netbus-brute.nse
citrix-enum-apps-xml.nse netbus-info.nse
citrix-enum-servers.nse netbus-version.nse
citrix-enum-servers-xml.nse nfs-ls.nse
couchdb-databases.nse nfs-showmount.nse
couchdb-stats.nse nfs-statfs.nse
creds-summary.nse nping-brute.nse
cvs-brute.nse nrpe-enum.nse
cvs-brute-repository.nse ntp-info.nse
daap-get-library.nse ntp-monlist.nse
daytime.nse omp2-brute.nse
db2-das-info.nse omp2-enum-targets.nse
db2-discover.nse oracle-brute.nse
dhcp-discover.nse oracle-enum-users.nse
dns-brute.nse oracle-sid-brute.nse
dns-cache-snoop.nse ovs-agent-version.nse
dns-fuzz.nse p2p-conficker.nse
dns-nsec-enum.nse path-mtu.nse
dns-random-srcport.nse pgsql-brute.nse
dns-random-txid.nse pjl-ready-message.nse
dns-recursion.nse pop3-brute.nse
dns-service-discovery.nse pop3-capabilities.nse
dns-update.nse pptp-version.nse
dns-zone-transfer.nse qscan.nse
domcon-brute.nse quake3-info.nse
domcon-cmd.nse quake3-master-getservers.nse
domino-enum-users.nse realvnc-auth-bypass.nse
dpap-brute.nse resolveall.nse
drda-brute.nse rmi-dumpregistry.nse
drda-info.nse rpcinfo.nse
epmd-info.nse script.db
finger.nse servicetags.nse
firewalk.nse sip-brute.nse
ftp-anon.nse sip-enum-users.nse
ftp-bounce.nse skypev2-version.nse
ftp-brute.nse smb-brute.nse
ftp-libopie.nse smb-check-vulns.nse
ftp-proftpd-backdoor.nse smb-enum-domains.nse
ftp-vsftpd-backdoor.nse smb-enum-groups.nse
ftp-vuln-cve2010-4221.nse smb-enum-processes.nse
giop-info.nse smb-enum-sessions.nse
gopher-ls.nse smb-enum-shares.nse
hddtemp-info.nse smb-enum-users.nse
hostmap.nse smb-flood.nse
http-affiliate-id.nse smb-mbenum.nse
http-auth.nse smb-os-discovery.nse
http-awstatstotals-exec.nse smb-psexec.nse
http-axis2-dir-traversal.nse smb-security-mode.nse
http-barracuda-dir-traversal.nse smb-server-stats.nse
http-brute.nse smb-system-info.nse
http-cakephp-version.nse smbv2-enabled.nse
http-date.nse smtp-brute.nse
http-default-accounts.nse smtp-commands.nse
http-domino-enum-passwords.nse smtp-enum-users.nse
http-enum.nse smtp-open-relay.nse
http-favicon.nse smtp-strangeport.nse
http-form-brute.nse smtp-vuln-cve2010-4344.nse
http-google-malware.nse smtp-vuln-cve2011-1720.nse
http-headers.nse smtp-vuln-cve2011-1764.nse
http-iis-webdav-vuln.nse sniffer-detect.nse
http-joomla-brute.nse snmp-brute.nse
http-litespeed-sourcecode-download.nse snmp-interfaces.nse
http-majordomo2-dir-traversal.nse snmp-ios-config.nse
http-malware-host.nse snmp-netstat.nse
http-methods.nse snmp-processes.nse
http-open-proxy.nse snmp-sysdescr.nse
http-passwd.nse snmp-win32-services.nse
http-php-version.nse snmp-win32-shares.nse
http-robots.txt.nse snmp-win32-software.nse
http-title.nse snmp-win32-users.nse
http-trace.nse socks-open-proxy.nse
http-userdir-enum.nse sql-injection.nse
http-vhosts.nse ssh2-enum-algos.nse
http-vmware-path-vuln.nse ssh-hostkey.nse
http-vuln-cve2011-3192.nse sshv1.nse
http-waf-detect.nse ssl-cert.nse
http-wordpress-brute.nse ssl-enum-ciphers.nse
http-wordpress-enum.nse ssl-google-cert-catalog.nse
http-wordpress-plugins.nse ssl-known-key.nse
iax2-version.nse sslv2.nse
imap-brute.nse stuxnet-detect.nse
imap-capabilities.nse svn-brute.nse
informix-brute.nse targets-ipv6-multicast-echo.nse
informix-query.nse targets-ipv6-multicast-invalid-dst.nse
informix-tables.nse targets-ipv6-multicast-slaac.nse
ip-geolocation-geobytes.nse targets-sniffer.nse
ip-geolocation-geoplugin.nse targets-traceroute.nse
ip-geolocation-ipinfodb.nse telnet-brute.nse
ip-geolocation-maxmind.nse upnp-info.nse
ipidseq.nse vnc-brute.nse
irc-info.nse vnc-info.nse
irc-unrealircd-backdoor.nse wdb-version.nse
iscsi-brute.nse whois.nse
iscsi-info.nse wsdd-discover.nse
jdwp-version.nse x11-access.nse
ldap-brute.nse xmpp-brute.nse
ldap-novell-getpass.nse xmpp-info.nse
ldap-rootdse.nse