Nmap NSE Scripts
The following scripts are available in official Nmap repositories:
- ip-https-discover.nse
- knx-gateway-discover.nse
- knx-gateway-info.nse
- sstp-discover.nse
knx-gateway-info.nse
This script establishes a unicast connection to a specific device in order to retrieve information. This can be used to e.g. retrieve gateways information over the Internet.
Usage
# nmap -sU -p3671 --script ./knx-gateway-info.nse 192.168.178.11
Note: Increase verbosity/debug to see full message contents:
# nmap -sU -p3671 -d --script ./knx-gateway-info.nse 192.168.178.11
Sample Output
# nmap -sU -p3671 --script ./knx-gateway-info.nse 192.168.178.11
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-08-12 20:21 CEST
Nmap scan report for 192.168.178.11
Host is up (0.00042s latency).
PORT STATE SERVICE
3671/udp open|filtered efcp
| knx-gateway-info:
| Body:
| DIB_DEV_INFO:
| KNX address: 15.15.255
| Decive serial: 00ef2650065c
| Multicast address: 0.0.0.0
| Device friendly name: IP-Viewer
| DIB_SUPP_SVC_FAMILIES:
| KNXnet/IP Core version 1
| KNXnet/IP Device Management version 1
| KNXnet/IP Tunnelling version 1
|_ KNXnet/IP Object Server version 1
knx-gateway-discover.nse
This script uses a multicast packet to discover all local gateways. According to the KNX specification every device must support this. This script can only be used to discover local KNX gateways.
Usage
# nmap -e eth0 --script ./knx-gateway-discover.nse
Note: Increase verbosity/debug to see full message contents:
# nmap -e eth0 -v -d --script ./knx-gateway-discover.nse
The script supports the following script-args:
- timeout: Defines how long the script waits for responses
- newtargets: Add found gateways to target list
Sample Output
Default
# nmap -e eth0 --script ./knx-gateway-discover.nse
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-08-12 20:19 CEST
Pre-scan script results:
| knx-gateway-discover:
| 192.168.178.11:
| Body:
| HPAI:
| Port: 3671
| DIB_DEV_INFO:
| KNX address: 15.15.255
| Decive serial: 00ef2650065c
| Multicast address: 0.0.0.0
| Device MAC address: 00:05:26:50:06:5c
| Device friendly name: IP-Viewer
| DIB_SUPP_SVC_FAMILIES:
| KNXnet/IP Core version 1
| KNXnet/IP Device Management version 1
| KNXnet/IP Tunnelling version 1
|_ KNXnet/IP Object Server version 1
Debug
# nmap -d -e eth0 --script ./knx-gateway-discover.nse
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-08-12 20:20 CEST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:20
NSE: Starting knx-gateway-discover.
NSE: Finished knx-gateway-discover.
NSE: Finished knx-gateway-discover.
NSE: Finished knx-gateway-discover.
Completed NSE at 20:20, 3.08s elapsed
Pre-scan script results:
| knx-gateway-discover:
| 192.168.178.11:
| Header:
| Header length: 6
| Protocol version: 16
| Service type: SEARCH_RESPONSE (0x0202)
| Total length: 78
| Body:
| HPAI:
| Protocol code: 01
| IP address: 192.168.178.11
| Port: 3671
| DIB_DEV_INFO:
| Description type: Device Information
| KNX medium: KNX TP1
| Device status: 00
| KNX address: 15.15.255
| Project installation identifier: 0000
| Decive serial: 00ef2650065c
| Multicast address: 0.0.0.0
| Device MAC address: 00:05:26:50:06:5c
| Device friendly name: IP-Viewer
| DIB_SUPP_SVC_FAMILIES:
| KNXnet/IP Core version 1
| KNXnet/IP Device Management version 1
| KNXnet/IP Tunnelling version 1
|_ KNXnet/IP Object Server version 1
mop-discover.nse
Check if the Maintenance Operation Protocol (MOP) is enabled on Cisco devices. Please refer to this post for further information.
Checking if a device supports MOP is as easy as this:
nmap --script mop-discover.nse 192.168.1.1
In case there is just layer 2 connectivity, the MAC address can be specified as follows:
nmap --script mop-discover.nse --script-args target=01:02:03:04:05:06 -e eth0
Note: This might requires to set an IP address on the defined interface or else Nmap won't be able to use it. However, any IP will do.
ssl-heartbleed-dump.nse
Discovers/Exploits Heartbleed (CVE-2014-0160). This script is basically like the Heartbleed detection script included in official Nmap repositories with the ability to dump the leaked memory to an outfile or print a hexdump by increasing Nmap's debug output.
Check if a host is vulnerable to Heartbleed (checks every SSL-enabled HTTP, FTP, SMTP and/or XMPP port):
$ nmap --script ./ssl-heartbleed-dump.nse 192.168.1.1
Print out a hexdump of leaked memory by increasing Nmap's debug level with the -d flag:
$ nmap -d --script=./ssl-heartbleed-dump.nse 192.168.1.1
Dump leaked memory into an outfile:
$ nmap --script ./ssl-heartbleed-dump.nse --script-args 'ssl-heartbleed-dump.dumpfile=/tmp/heartbleed.dump' 192.168.1.1
Run ssl-heartbleed-dump.nse against every open port, regardless if the servie was detected or not:
$ nmap --script +./ssl-heartbleed-dump.nse 192.168.1.1