Can you share all the available nmap scripts list?

539    Asked by UnaManning in Cyber Security , Asked on Oct 17, 2022

 I need to do a scan, for example with http-sql-injection.nse nmap script.

I already know that I should use --script-args to set arguments. How can I look at the whole pack of arguments that this script (or any of nmap's scripts) can take?


According to the nmap scripts list documentation in "Example 9.2. script help", the nmap's parameter that displays help about the script is:


  nmap --script-help 

Namely:

nmap --script-help http-sql-injection.nse

If you look at NSE documentation written by own Nmap's creator:

3.1. description Field

The description field describes what a script is testing for and any important notes the user should be aware of. Depending on script complexity, the description may vary from a few sentences to a few paragraphs. The first paragraph should be a brief synopsis of the script function suitable for stand-alone presentation to the user. Further paragraphs may provide much more script detail.

Fyodor explains that the "description" field is used to describe everything about the complexity that the script itself might have. So, go ahead and look deeper into how the script was made:

 $ vi /usr/share/nmap/scripts/http-sql-injection.nse

...

 11 description = [[

 12 Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL

 13 injection attack. It also extracts forms from found websites and tries to identify

 14 fields that are vulnerable.

 15

 16 The script spiders an HTTP server looking for URLs containing queries. It then

 17 proceeds to combine crafted SQL commands with susceptible URLs in order to

 18 obtain errors. The errors are analysed to see if the URL is vulnerable to

 19 attack. This uses the most basic form of SQL injection but anything more

 20 complicated is better suited to a standalone tool.

 21

 22 We may not have access to the target web server's true hostname, which can prevent access to

 23 virtually hosted sites.

 24 ]]

This explains why the http-sql-injection.nse script does not show "usage options" whether that's what you expected to see.

The NSE script has a tradition to include "usage options" inside the comments. Such thing that was documented on the section "8.1 The Head":

Next comes NSEDoc information. This script is missing the common @usage and @args tags since it is so simple, but it does have an NSEDoc @output tag:

---

--@output

-- 21/tcp open ftp ProFTPD 1.3.1

-- |_ auth-owners: nobody

-- 22/tcp open ssh OpenSSH 4.3p2 Debian 9 tech2 (protocol 2.0)

-- |_ auth-owners: root

-- 25/tcp open smtp Postfix smtpd

-- |_ auth-owners: postfix

-- 80/tcp open http Apache httpd 2.0.61 ((Unix) PHP/4.4.7 ...)

-- |_ auth-owners: apache

-- 113/tcp open auth?

-- |_ auth-owners: nobody

-- 587/tcp open submission Postfix smtpd

-- |_ auth-owners: postfix

-- 5666/tcp open unknown

-- |_ auth-owners: root

Since the documentation does not explicitly show the use of "@usage", look yourself in /usr/share/nmap/scripts/:

$ grep -iR -A5 "@usage" /usr/share/nmap/scripts/  
/usr/share/nmap/scripts/ajp-brute.nse:-- @usage
/usr/share/nmap/scripts/ajp-brute.nse--- nmap -p 8009 --script ajp-brute
/usr/share/nmap/scripts/ajp-brute.nse---
/usr/share/nmap/scripts/ajp-brute.nse--- @output
/usr/share/nmap/scripts/ajp-brute.nse--- PORT STATE SERVICE
/usr/share/nmap/scripts/ajp-brute.nse--- 8009/tcp open ajp13


Your Answer

Interviews

Parent Categories