Nmap is without doubt one of the most important tools in security testing. Initially developed as portscanner, the introduction of NSE (Nmap Scripting Language) enhanced the software heavily. NSE scripts allow to create additional tests, which may provide the functionality of a vulnerability scanner. Basic data collected by Nmap and additional network requests can be used to determine software products and security flaws. The talk is discussing the possibilities of NSE scripting, the improvement of professional scanning (with a customer-based example) and current development in the field of NSE programming (my httprecon-nse port and vulscan module). Administrators and auditors will see the their benefits of automated testing.

1. Nmap NSE Hacking for IT Security Professionals Marc Ruef www.scip.ch Security & Risk Conference November 3th - 6th 2010 Lucerne, Switzerland

2. Agenda | Nmap NSE Hacking 7 min Database Processing 10 min Professional Output Handling 5 min Version Info Script 5 min Simple Portscan Scripts 2 min Introduction 4. Outro 3. Output 2. Scripts 1. Intro 3 min Conclusion 5 min Reporting Possibilities 10 min Exploit Script 3 min Nmap Scripting Engine

3. Introduction 1/3: Who am I „ The Art of Penetration Testing“, Computer & Literatur Böblingen, ISBN 3-936546-49-5 Last Book http://www.computec.ch Private Site Co-Owner / CTO, scip AG, Zürich Profession Marc Ruef Name Translation

8. Nmap Scripting Engine 3/3: What produces NSE enable generic script scan script name script output

10. Simple Portscan Script 2/5: How it Looks define one script to run script generates output

12. Simple Portscan Script 4/5: How it is Implemented define when to run write output

15. Version Info Script 2/6: How it Looks enable version detection validated name and version

17. Version Info Script 4/6: How it is Implemented validate service and product validate age of version

19. Version Info Script 6/6: Advanced Example

21. Exploit Script 2/5: How it Looks fetched passwd content

23. Exploit Script 4/5: How it is Implemented another complex portrule http exploit request validation of exploit attempt

28. Professional Output 4/5: Shim Implementation default values for reporting defined report structure

29. Professional Output 5/5: Script Implementation include shim script prepare results generate normalized output

31. Database Processing 2/8: XML Example basic scan data host information port and script data

33. Database Processing 4/8: Database Relations xml output host_id host_ipaddr host_name … hosts secissue_id secissue_title secissue_desc … secissues finding_id host_id secissue_id … findings

37. Database Processing 8/8: Database Example 3 1 1 4 1 2 3 2 3 3 host_id 6 4 secissue_id finding_id

38. Reporting 1/5: Database Example Web Server 2.x Found 192.168.0.10 1 Web Server 2.3 Directory Traversal 192.168.0.10 2 Web Server 2.x Found 192.168.0.11 3 192.168.0.12 tbl_host. host_ipaddr FTP Server 4.2 Found 4 tbl_secissues. secissue_title tbl_findings. finding_id

39. Reporting 2/5: Straight Excel Export

40. Reporting 3/5: Nice Report Document basic secissue information results from nse scans