Nmap is one of the most widely used open-source tools for network discovery and vulnerability scanning by Pentesters. The Nmap Scripting Engine (NSE), one of the key features of Nmap, enables us to create custom scripts that automate a variety of tasks, from straightforward service checks to intricate vulnerability exploits. In this blog post, I will teach you how to write your own Nmap NSE scripts.
Nmap NSE scripts
Nmap NSE scripts is a powerful feature of Nmap, which allows you to write custom scripts to automate network and vulnerability tasks. It's useful because it extends Nmap's functionality for advanced network discovery, checking for vulnerabilities, and even exploiting flaws in addition to port scanning. It helps in automating complicated tasks, and it's also highly customizable as per our needs.
Nmap NSE Structure and How it Works
Nmap Nse scripts use the Lua light weight programming language. Every Nmap NSE script is Lua file with a specific structure. The key parts include
Metadata and Scripts Discription : The script's description and metadata provide information about its purpose, author, and categories (such as vulnerability, discovery etc).
Execution rules: This determines when the script will execute, for instance, by focusing on particular ports or services. Usually this is done by defining a port rule or a host rule
Main action Function: This is the main core of the script where logic lives. It receives the information like the host, port, etc, then runs the script tasks and returns results. By default on Kali Nmap scripts are stored in /usr/share/nmap/scripts/ and they are categorized according to their functionality and use such as discovery, vulnerability, and brute force.
It's best to use the help feature in Nmap to understand more about the particular script using the help option as below.
nmap --script-help <script-name>
The main objective of this blog post is to help you write your custom Nmap NSE script. To achieve this, I will highly advise you to first look at the default built-in Nmap NSE scripts to understand their structure and functionality. Nmap NSE Script has three main components the Head, the Rule, the Action. For more details, please have a look at the official Nmap NSE guide. Understanding them will make it easier for you to write your own scripts
Custom Nmap NSE Script to Detect Wordpress
The Custom NSE Script finds whether the target website is running on WordPress or not by checking common paths found on WordPress website like /wp-login.php /readme.html and wp-admin to achieve this we first import Lua modules such as http for sending web requests, shortport for selecting which ports to scan and stdnse for handling strings and helper functions. The NSE script is placed in safe and discovery categories. The portrule makes sure that Nmap runs on http ports. portrule uses shortport.http to run the script only on HTTP ports The action which forms the core of the NSE script gets an optional base path "/" then loops through the urls whcih we mentioned above like wp-login.php etc which are found commonly on WordPress websites by sending a HTTP GET request, if any of these URLs return 200 successful it records them and finally at end of the scan says WordPress detected as shown in the image below.
Filed Under: NMAP , Nmap NSE







John is a Cyber Security Enthusiast, Infosec researcher and a blogger.
Srinivas is a Cyber Security Enthusiast, Infosec researcher and a part time blogger.
0 comments : Post Yours! Read Comment Policy ▼
PLEASE NOTE:
We have Zero Tolerance to Spam. Chessy Comments and Comments with Links will be deleted immediately upon our review.