
I am trying to understand how Nmap NSE scripts work. I used a few scripts to scan a host, but none of them shows anything; they do not even say that no result was found. Is that normal behaviour for Nmap? Example below: I ran 3 different scripts, but they all return the same thing.

s# nmap -T4 --script ftp-proftpd-backdoor.nse 192.168.13.205

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-18 01:34 EDT
Nmap scan report for 192.168.13.205
Host is up (0.22s latency).
Not shown: 982 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1030/tcp open  iad1
1036/tcp open  nsstp
1521/tcp open  oracle
2030/tcp open  device2
2100/tcp open  amiganetfs
3372/tcp open  msdtc
3389/tcp open  ms-wbt-server
4443/tcp open  pharos
7778/tcp open  interwise
8080/tcp open  http-proxy
MAC Address: 00:50:56:AF:3E:05 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
root@kali:/usr/share/nmap/scripts# nmap -T4 --script ftp-vuln-cve2010-4221.nse 192.168.13.205

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-18 01:35 EDT
Nmap scan report for 192.168.13.205
Host is up (0.22s latency).
Not shown: 982 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1030/tcp open  iad1
1036/tcp open  nsstp
1521/tcp open  oracle
2030/tcp open  device2
2100/tcp open  amiganetfs
3372/tcp open  msdtc
3389/tcp open  ms-wbt-server
4443/tcp open  pharos
7778/tcp open  interwise
8080/tcp open  http-proxy
MAC Address: 00:50:56:AF:3E:05 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.65 seconds
root@kali:/usr/share/nmap/scripts# 
s# nmap -T4 --script ftp-anon 192.168.13.205

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-18 01:45 EDT
Nmap scan report for 192.168.13.205
Host is up (0.22s latency).
Not shown: 983 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1030/tcp open  iad1
1036/tcp open  nsstp
1521/tcp open  oracle
2030/tcp open  device2
2100/tcp open  amiganetfs
3372/tcp open  msdtc
4443/tcp open  pharos
7778/tcp open  interwise
8080/tcp open  http-proxy
MAC Address: 00:50:56:AF:3E:05 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.21 seconds
root@kali:/usr/share/nmap/scripts# 
Linsong Guo

1 Answer


There are 3 situations under which an NSE script will produce no output:

  1. The rule function returned false, so the script's action was not run. This is the case for probably 999 out of the 1000 ports you scanned, since they are not the target ports or services for that script.

    If you want a script to run against a service that's on a non-standard port, you should use the -sV option to invoke the version detection scan.

  2. The script had nothing interesting to report. This can be the case when the service is not what was expected (web server on port 22, for instance) or when the service is configured to not respond to the types of queries and probes that the script is sending. Most scripts will not show a "negative" result, but some will do so at higher verbosity levels (more -v options). You can also get useful information with the -d debugging flag.

    One notable exception to this rule is the "vuln" category of scripts, or more precisely, those scripts which use the vulns NSE library. To get "not vulnerable" output from these scripts, use --script-args vulns.showall.

  3. The script crashed from unexpected input. This should not happen but does on occasion. If you used -d, you'll see a Lua stack traceback that you can send to the Nmap developers (dev@nmap.org).

bonsaiviking
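To make the three cases in the answer concrete, here is a small NSE script added as an illustration; it is not from the question, the answer or the Nmap project. The script name `ftp-banner-demo`, the `author` field and the sample host are placeholders, and it assumes the NSE library API of a current Nmap release (the `nmap`, `shortport` and `stdnse` modules). It shows where silence comes from: the `portrule` decides whether the `action` runs at all, the `action` returns `nil` when it has nothing to report and only prints a "negative" line when `-v` was given, and any runtime error inside the action is what surfaces as a Lua traceback under `-d`.

```lua
-- Added example (not from the question, the answer or Nmap itself).
-- Hypothetical file name: ftp-banner-demo.nse, placed in the scripts
-- directory. Run with:  nmap -sV -v --script ftp-banner-demo <host>
-- Add -d to see the stdnse.debug1 lines for the silent cases.

local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Connects to an FTP service, reads the greeting and reports it.
Demonstrates why NSE scripts often print nothing: the portrule gates
which ports the action runs on, and the action returns nil when it has
nothing to say unless verbosity is raised.
]]

author = "example (placeholder)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Situation 1 from the answer: the rule. Nmap evaluates this once per
-- open port and runs the action only where it returns true. Without -sV,
-- port.service is just the name from nmap-services for that port number,
-- so an FTP daemon on, say, port 2121 is skipped. With -sV the detected
-- service name is used and the action runs there as well.
portrule = shortport.port_or_service(21, "ftp")

-- The action returns a string (shown in the report), nil (nothing shown)
-- or raises a Lua error (situation 3: the traceback visible with -d).
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  local ok, err = socket:connect(host, port)
  if not ok then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil  -- silent at normal verbosity, explained under -d
  end

  -- Situation 2: read one line of greeting. Anything that is not a
  -- 220 reply is "nothing interesting" as far as this script is concerned.
  local got, banner = socket:receive_lines(1)
  socket:close()

  if not got then
    stdnse.debug1("no banner from %s:%d: %s", host.ip, port.number, banner)
    return nil
  end

  -- Keep only the first line; FTP greetings may span several lines.
  banner = banner:match("^([^\r\n]*)") or ""

  if not banner:match("^220") then
    -- A "negative" result: reported only when the user asked for it
    -- with -v, mirroring what many bundled scripts do.
    if nmap.verbosity() > 0 then
      return "Not an FTP greeting: " .. banner
    end
    return nil
  end

  return "FTP banner: " .. banner
end
```

Against the host in the question, the rule fires only for 21/tcp, so the other 17 open ports print nothing from this script even though they were scanned; with `-sV` the same rule would also match an FTP service found on an unusual port. Running with `-v` turns the "not an FTP greeting" case into a visible line, and `-d` shows the debug messages for the connect and read failures that are otherwise silent.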