Daniel Miller ✝
Jan 9, 2018 (19 tweets)
#Nmap comes with 586 #NSE scripts. 148 of them are default (-sC) or version (-sV) scripts. The rest (438) have to be invoked directly or by category, so many folks don't use them. Here are my top 18 NSE scripts you should run in 2018: #DiscoveringNSE
#DiscoveringNSE 1/18: Fingerprint 100s of web apps and embedded devices with http-enum. Got Nikto? http-enum uses that fingerprint file, too. nmap.org/nsedoc/scripts… Found a device with a web interface? Check for default creds with http-default-accounts. nmap.org/nsedoc/scripts…
#DiscoveringNSE 2/18: Import a list of targets to scan directly from the XML output of another scan with targets-xml. Lots of scripts that discover new addresses let you scan them in the same command with --script-args newtargets nmap.org/nsedoc/scripts…
#DiscoveringNSE 3/18: Enumerate subdomains with dns-brute. Brute-force resolve common hostnames and SRV records against discovered DNS servers. nmap.org/nsedoc/scripts…
#DiscoveringNSE 4/18: All 38 scripts in the "broadcast and safe" categories. Find targets & discover services like ATAoE, DB2, DHCP, DNSSD, Dropbox, NetBIOS, OSPF2, UPnP, WPAD, and XDMCP on your local LAN: --script 'broadcast and safe' nmap.org/nsedoc/categor…
#DiscoveringNSE 5/18: Use Hollywood-style byte-by-byte bruteforce to find #IPv6 PTR DNS records with dns-ip6-arpa-scan. nmap.org/nsedoc/scripts…
#DiscoveringNSE 6/18: IPv6 network address ranges are absurdly large. Find and scan #IPv6 targets on your local LAN with targets-ipv6-multicast-* scripts. nmap.org/nsedoc/scripts…
#DiscoveringNSE 7/18: Find internal/private IP addresses leaked in some HTTP services and SSL certificates with http-bigip-cookie, ssl-cert-intaddr, http-internal-ip-disclosure nmap.org/nsedoc/scripts…
#DiscoveringNSE 8/18: Hack the Gibson or other IBM mainframe systems with scripts by @mainframed767: tn3270-screen, tso-enum, tso-brute, vtam-enum, cics-info, cics-enum, cics-user-enum, cics-brute nmap.org/nsedoc/scripts…
#DiscoveringNSE 9/18: Shameless self-promotion: I've done a bunch to improve auth support for #VNC scripts, adding Apple Remote Desktop, VeNCrypt, Tight, and TLS types. Enumerate with vnc-info, brute force with vnc-brute, grab screen info with vnc-title. nmap.org/nsedoc/scripts…
#DiscoveringNSE 10/18: Check general web security with fast scripts & deep spiders like http-security-headers, http-cookie-flags, http-crossdomainxml, http-csrf, http-errors, http-dombased-xss, http-fileupload-exploiter, http-rfi-spider nmap.org/nsedoc/scripts…
#DiscoveringNSE 11/18: Formidable SSH security checks with new libssh2-based scripts: ssh-publickey-acceptance, ssh-run, ssh-auth-methods, ssh-brute nmap.org/nsedoc/scripts…
#DiscoveringNSE 12/18: Enumerate all SMB versions with smb-protocols. nmap.org/nsedoc/scripts… Then take advantage of awesome new SMB2 support by @calderpwn: smb2-vuln-uptime, smb2-capabilities, smb2-security-mode, smb2-time nmap.org/nsedoc/scripts…
#DiscoveringNSE 13/18: The "external" NSE category contains scripts that query third-party services. Use shodan-api to query @shodanhq with Nmap: nmap.org/nsedoc/scripts… (Other fun external scripts: http-xssed, http-google-malware, targets-asn, asn-query)
#DiscoveringNSE 14/18: Geolocate your targets and plot them on @googlemaps, thanks to @mak_kolybabi. Run one of the ip-geolocation scripts along with ip-geolocation-map-kml (or use your API key with -google or -bing). nmap.org/nsedoc/scripts…
#DiscoveringNSE 15/18: NSE has 73 #BruteForce credential testing scripts. Why not check out http-form-brute, which can handle all sorts of complicated CSRF and cookie schemes, and works great against Django, WordPress, MediaWiki, Joomla, and Drupal. nmap.org/nsedoc/scripts…
#DiscoveringNSE 16/18: Spider a site for emails, IP addresses, #creditcard numbers, SSN, or write your own custom patterns with http-grep nmap.org/nsedoc/scripts…
#DiscoveringNSE 17/18: Check for weak TLS/SSL configurations everywhere, even SMTP, RDP, VNC, etc. with ssl-enum-ciphers (Related scripts include ssl-dh-params, ssl-heartbleed, ssl-poodle, tls-ticketbleed, etc.) nmap.org/nsedoc/scripts…
#DiscoveringNSE 18/18: Keep up with the latest big #vulnerabilities like #Struts RCE (http-vuln-cve2017-5638), Intel #AMT privesc (http-vuln-cve2017-5689), MS17-010 (smb-vuln-ms17-010), and lots more. nmap.org/nsedoc/scripts…
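Several of the tweets above (targets-xml, ssl-enum-ciphers, smb-vuln-ms17-010 and the other vulns-library scripts) are most useful when the scan is saved with -oX and the NSE results are triaged programmatically. The script below is an added example, not code from the thread or from the Nmap project: it re-implements the two things a practitioner usually wants from that XML, the list of live hosts that targets-xml would feed back into a second scan, and a short list of findings pulled from the structured `<script>` output. The embedded XML document is constructed here to run offline; its layout (nmaprun/host/ports/port/script, host/hostscript/script, `table`/`elem` children carrying the vulns-library `state` and the ssl-enum-ciphers `least strength` grade) is assumed to follow Nmap's -oX format, and the "NOT VULNERABLE" entry is only emitted by Nmap when `--script-args vulns.showall` is used.

```python
"""Triage NSE results from Nmap XML output (nmap ... -oX out.xml).

Added example; not part of the original thread or the Nmap project.
Assumption: the element layout mirrors Nmap's -oX format. SAMPLE_XML below
is constructed for offline use, not captured from a real scan.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: host .1 has an RC4-only TLS grade and MS17-010,
# host .2 is clean (NOT VULNERABLE only appears with vulns.showall),
# host .3 was down and has no results.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script ssl-enum-ciphers,smb-vuln-ms17-010 -oX out.xml 10.0.0.0/30">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="least strength: C">
<table key="TLSv1.0"><table key="ciphers"><table>
<elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem><elem key="strength">C</elem>
</table></table></table>
<elem key="least strength">C</elem>
</script></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="VULNERABLE">
<table key="CVE-2017-0143"><elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem><elem key="state">VULNERABLE</elem></table>
</script>
</hostscript>
</host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-enum-ciphers" output="least strength: A"><elem key="least strength">A</elem></script></port>
</ports>
<hostscript>
<script id="smb-vuln-ms17-010" output="NOT VULNERABLE"><table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table></script>
</hostscript>
</host>
<host><status state="down"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>
"""


def host_address(host):
    """First IPv4/IPv6 address of a <host>; MAC addresses are skipped."""
    for addr in host.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return None


def live_hosts(xml_text):
    """Addresses of hosts reported up: what targets-xml would re-import."""
    root = ET.fromstring(xml_text)
    return [host_address(h) for h in root.findall("host")
            if h.find("status") is not None and h.find("status").get("state") == "up"]


def script_elements(host):
    """Yield (portid or None, <script>) for port scripts, then host scripts."""
    for port in host.findall("ports/port"):
        for script in port.findall("script"):
            yield port.get("portid"), script
    for script in host.findall("hostscript/script"):
        yield None, script


def triage(xml_text):
    """Return (addr, portid, script id, detail) for every noteworthy result."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host_address(host)
        for portid, script in script_elements(host):
            sid = script.get("id")
            # ssl-enum-ciphers summarises the weakest cipher as a letter grade.
            grade = script.findtext("elem[@key='least strength']")
            if grade and grade not in ("A", "B"):
                findings.append((addr, portid, sid, f"weakest cipher grade {grade}"))
            # Scripts built on the vulns library emit one <table> per vuln id
            # with a state elem; only VULNERABLE / LIKELY VULNERABLE matter.
            for table in script.findall("table"):
                state = table.findtext("elem[@key='state']") or ""
                if state.startswith(("VULNERABLE", "LIKELY VULNERABLE")):
                    findings.append((addr, portid, sid, f"{table.get('key')}: {state}"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("live hosts:", " ".join(live_hosts(text)))
    for addr, portid, sid, detail in triage(text):
        print(f"{addr}:{portid or '-'} {sid} -> {detail}")
```

Run it as `python3 triage.py out.xml` after `nmap -sV --script ssl-enum-ciphers,smb-vuln-ms17-010 -oX out.xml <targets>`; the live-host list can be written to a file and passed back with `-iL`, which is the manual equivalent of what targets-xml does in one command.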