PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 20:51:30 +00:00
Code Issues Projects Releases Wiki Activity
Files
bb8be37ecea8d11f5093e085bd637afbe7029cc3
nmap/docs/scripting.xml

2442 lines
113 KiB
XML
Raw Blame History

<indexterm class="startofrange" id="nse-indexterm"><primary>Nmap Scripting Engine (NSE)</primary></indexterm>
<indexterm><primary>scripting</primary><see>Nmap Scripting Engine</see></indexterm>
<indexterm><primary>NSE</primary><see>Nmap Scripting Engine</see></indexterm>
<sect1 id="nse-intro">
<title>Introduction</title>
<para>The Nmap Scripting Engine (NSE) is one of Nmap's most
powerful and flexible features. It allows users to write (and
share) simple scripts to automate a wide variety of networking
tasks. Those scripts are then executed in parallel with the speed
and efficiency you expect from Nmap. Users can rely on the
growing and diverse set of scripts distributed with Nmap, or write
their own to meet custom needs.</para>
<para>We designed NSE to be versatile, with the following tasks in mind:</para>
<variablelist>
<varlistentry>
<term>Network discovery</term>
<listitem>
<para>This is Nmap's bread and butter. Examples include
looking up whois data based on the target domain,
querying ARIN, RIPE, or APNIC for the target IP to determine ownership,
performing identd lookups on open ports, SNMP queries, and
listing available NFS/SMB/RPC shares and services.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary>version detection</primary><secondary>using NSE</secondary></indexterm>
More sophisticated version detection</term>
<listitem>
<para>The Nmap version detection system (<xref linkend="vscan"/>)
is able to recognize thousands of different services through
its probe and regular expression signature based matching system, but it
cannot recognize everything. For example, identifying the Skype v2 service requires two
independent probes, which version detection isn't flexible enough to handle. Nmap could also recognize more SNMP services
if it tried a few hundred different community names by brute
force. Neither of these tasks are well suited to traditional
Nmap version detection, but both are easily accomplished with
NSE. For these reasons, version detection now calls NSE by
default to handle some tricky services. This is described in
<xref linkend="nse-vscan"/>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary>vulnerability detection</primary></indexterm>
Vulnerability detection</term>
<listitem>
<para>When a new vulnerability is discovered, you often want
to scan your networks quickly to identify vulnerable systems
before the bad guys do. While Nmap isn't a
comprehensive <ulink role="hidepdf" url="http://sectools.org/vuln-scanners.html">vulnerability scanner</ulink>,
NSE is powerful enough to handle even demanding vulnerability
checks. Many vulnerability detection scripts are already available and we plan to distribute more as they are written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Backdoor detection</term>
<listitem>
<para>
Many attackers and some automated worms leave backdoors to
enable later reentry. Some of these can be detected by
Nmap's regular expression based version detection. For
example, within hours of the MyDoom worm hitting the
Internet, Jay Moran<indexterm><primary>Moran,
Jay</primary></indexterm> posted an Nmap version detection
probe and signature so that others could quickly scan their
networks for MyDoom infections. NSE is needed to reliably
detect more complex worms and backdoors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Vulnerability exploitation</term>
<listitem>
<para>
As a general scripting language, NSE can even
be used to exploit vulnerabilities rather than just find them.
The capability to add custom exploit scripts may be valuable
for some people (particularly
penetration testers),<indexterm><primary>penetration testing</primary></indexterm>
though we aren't
planning to turn Nmap into an exploitation framework such as
<ulink url="http://www.metasploit.com">Metasploit</ulink>.<indexterm><primary><application>Metasploit</application></primary></indexterm>
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
These listed items were our initial goals, and we expect Nmap
users to come up with even more inventive uses for NSE.
</para>
<para>
Scripts are written in the
embedded
<ulink url="http://www.lua.org/">Lua programming language</ulink>.<indexterm><primary>Lua programming language</primary><seealso>Nmap Scripting Engine</seealso></indexterm>
The language itself is well documented in the books
<web>
<citetitle><ulink url="http://www.amazon.com/exec/obidos/ASIN/8590379825/secbks-20">Programming
in Lua, Second Edition</ulink></citetitle> and
<citetitle><ulink url="http://www.amazon.com/exec/obidos/ASIN/8590379825/secbks-20">Lua
5.1 Reference Manual</ulink></citetitle>.
</web>
<print>
<citetitle>Programming in Lua, Second Edition</citetitle> and
<citetitle>Lua 5.1 Reference Manual</citetitle>.
</print>
The reference manual is also
<ulink url="http://www.lua.org/manual/5.1/">freely available
online</ulink>, as is the
<ulink url="http://www.lua.org/pil/">first edition of <citetitle>Programming in
Lua</citetitle></ulink>. Given the availability of these excellent general
Lua programming references, this document only covers aspects and
extensions specific to Nmap's scripting engine.
</para>
<para>
NSE is activated with the <option>-sC</option> option (or
<option>--script</option> if you wish to specify a custom set of
scripts) and results are integrated into Nmap
normal<indexterm><primary>normal output</primary></indexterm>
and XML output.<indexterm><primary>XML output</primary></indexterm>
Two types of scripts are supported: service and host
scripts. Service scripts relate to a certain open port
(service) on the target host, and any results they produce are included
next to that port in the Nmap output port table. Host scripts,
on the other hand, run no more than once against each target IP
and produce results below the port table. <xref
linkend="nse-ex1" xrefstyle="select: label nopage"/> shows a
typical script scan. Service scripts producing
output in this example are
<literal>ssh-hostkey</literal>, which provides the system's RSA and DSA SSH keys, and <literal>rpcinfo</literal>, which queries
portmapper to enumerate available services. The only host
script producing output in this example
is <literal>smb-os-discovery</literal>, which collects a variety of
information from SMB servers.<indexterm><primary>script names, examples
of</primary></indexterm> Nmap discovered all of this information in a third of a second.</para>
<example id="nse-ex1"><title>Typical NSE output</title><indexterm><primary><option>-sC</option></primary><secondary>example of</secondary></indexterm>
<screen>
# nmap -sC -p22,111,139 -T4 localhost
Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 b1:36:0d:3f:50:dc:13:96:b2:6e:34:39:0d:9b:1a:38 (DSA)
|_ 2048 77:d0:20:1c:44:1f:87:a0:30:aa:85:cf:e8:ca:4c:11 (RSA)
111/tcp open rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100024 1 56454/udp status
|_ 100000 2,3,4 111/tcp rpcbind
139/tcp open netbios-ssn
Host script results:
| smb-os-discovery: Unix
| LAN Manager: Samba 3.0.31-0.fc8
|_ Name: WORKGROUP
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
</screen>
</example>
</sect1>
<sect1 id="nse-usage">
<title>Usage and Examples</title>
<para>
While NSE has a complex implementation for efficiency, it is
strikingly easy to use. Simply specify
<option>-sC</option><indexterm><primary><option>-sC</option></primary></indexterm>
to enable the most common scripts. Or specify the
<option>--script</option><indexterm><primary><option>--script</option></primary></indexterm>
option to choose your own scripts to
execute by providing categories, script file names, or the name of
directories full of scripts you wish to execute. You can customize
some scripts by providing arguments to them via the
<option>--script-args</option><indexterm><primary><option>--script-args</option></primary></indexterm>
option. The two remaining options,
<option>--script-trace</option><indexterm><primary><option>--script-trace</option></primary></indexterm>
and <option>--script-updatedb</option>,<indexterm><primary><option>--script-updatedb</option></primary></indexterm>
are generally only used for script debugging and development. Script scanning is also included as part of the <option>-A</option> (aggressive scan) option.
</para>
<sect2 id="nse-categories"><title>Script Categories</title>
<indexterm><primary>script categories</primary></indexterm>
<para>NSE scripts define a list of categories they belong to.
Currently defined categories
are <literal>auth</literal>, <literal>default</literal>, <literal>discovery</literal>, <literal>external</literal>,
<literal>intrusive</literal>, <literal>malware</literal>, <literal>safe</literal>, <literal>version</literal>,
and <literal>vuln</literal>. Category names are not case sensitive. The following list describes each category.</para>
<variablelist>
<varlistentry>
<term>
<indexterm><primary sortas="auth script category">&ldquo;<literal>auth</literal>&rdquo; script category</primary></indexterm>
<option>auth</option>
</term>
<listitem>
<para>These scripts try to determine authentication credentials
on the target system, often through a brute-force attack. Examples include <literal>snmp-brute</literal>, <literal>http-auth</literal>, and <literal>ftp-anon</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="default script category">&ldquo;<literal>default</literal>&rdquo; script category</primary></indexterm>
<option>default</option>
</term>
<listitem>
<para>These scripts are the default set and are run when
using the <option>-sC</option> or <option>-A</option>
options rather than listing scripts
with <option>--script</option>. This category can also be
specified explicitly like any other
using <option>--script=default</option>. Many factors are
considered in deciding whether a script should be run by
default:</para>
<variablelist>
<varlistentry>
<term>Speed</term>
<listitem><para>A default scan must finish quickly, which excludes brute force authentication crackers, web spiders, and any other scripts which can take minutes or hours to scan a single service.</para></listitem>
</varlistentry>
<varlistentry>
<term>Usefulness</term>
<listitem><para>Default scans need to produce valuable and actionable information. If even the script author has trouble explaining why an average networking or security professional would find the output valuable, the script should not run by default. The script may still be worth including in Nmap so that administrators can run for those occasions when they do need the extra information.</para></listitem>
</varlistentry>
<varlistentry>
<term>Verbosity</term>
<listitem><para>Nmap output is used for a wide variety of
purposes and needs to be readable and concise. A script which
frequently produces pages full of output should not be added
to the <literal>default</literal> category. When there is no
important information to report, NSE scripts (particularly
default ones) should return nothing. Checking for an obscure
vulnerability may be OK by default as long as it only produces output
when that vulnerability discovered.</para></listitem>
</varlistentry>
<varlistentry>
<term>Reliability</term>
<listitem><para>Many scripts use heuristics and fuzzy signature matching to reach conclusions about the target host or service. Examples include <literal>sniffer-detect</literal> and <literal>sql-injection</literal>. If the script is often wrong, it doesn't belong in the <literal>default</literal> category where it may confuse or mislead casual users. Users who specify a script or category directly are generally more advanced and likely know how the script works or at least where to find its documentation.</para></listitem>
</varlistentry>
<varlistentry>
<term>Intrusiveness</term>
<listitem><para>Some scripts are very intrusive because they use significant resources on the remote system, are likely to crash the system or service, or are likely to be perceived as an attack by the remote administrators. The more intrusive a script is, the less suitable it is for the <literal>default</literal> category.</para></listitem>
</varlistentry>
<varlistentry>
<term>Privacy</term>
<listitem><para>Some scripts, particularly those in the <literal>external</literal> category described later, divulge information to third parties by their very nature. For example, the <literal>whois</literal> script must divulge the target IP address to regional whois registries. We have also considered (and decided against) adding scripts which check target SSH and SSL key fingerprints against Internet weak key databases. The more privacy-invasive a script is, the less suitable it is for <literal>default</literal> category inclusion.</para></listitem>
</varlistentry>
</variablelist>
<para>We don't have exact thresholds for each of these criteria,
and many of them are subjective. All of these factors are
considered together when making a decision whether to promote a
script into the <literal>default</literal> category. A few default scripts are <literal>identd-owners</literal> (determines the username running remote services using identd), <literal>http-auth</literal> (obtains authentication scheme and realm of web sites requiring authentication), and <literal>ftp-anon</literal> (tests whether an FTP server allows anonymous access).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="discovery script category">&ldquo;<literal>discovery</literal>&rdquo; script category</primary></indexterm>
<option>discovery</option>
</term>
<listitem>
<para>These scripts try to actively discover more about the
network by querying public registries, SNMP-enabled
devices, directory services, and the like. Examples include <literal>html-title</literal> (obtains the title of the root path of web sites), <literal>smb-enum-shares</literal> (enumerates Windows shares), and <literal>snmp-sysdescr</literal> (extracts system details via SNMP).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="external script category">&ldquo;<literal>external</literal>&rdquo; script category</primary></indexterm>
<option>external</option>
</term>
<listitem>
<para>Scripts in this category may send data to a
third-party database or other network resource. An example
of this is <literal>whois</literal>, which makes a
connection to
whois<indexterm><primary>whois</primary></indexterm> servers
to learn about the address of the target. There is always
the possibility that operators of the third-party
database will record anything you send to them, which in
many cases will include your IP address and the address of
the target. Most scripts involve traffic strictly between
the scanning computer and the client; any that do not are
placed in this category.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="intrusive script category">&ldquo;<literal>intrusive</literal>&rdquo; script category</primary></indexterm>
<option>intrusive</option>
</term>
<listitem>
<para>These are scripts that cannot be classified in the
<literal>safe</literal> category because the risks are too
high that they will crash the target system, use up
significant resources on the target host (such as
bandwidth or CPU time), or otherwise be perceived as
malicious by the target's system administrators. Examples
are <literal>http-open-proxy</literal> (which attempts to
use the target server as an HTTP proxy)
and <literal>snmp-brute</literal> (which tries to guess a
device's SNMP community string by sending common values
such
as <literal>public</literal>, <literal>private</literal>,
and <literal>cisco</literal>).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="malware script category">&ldquo;<literal>malware</literal>&rdquo; script category</primary></indexterm>
<option>malware</option>
</term>
<listitem>
<para>These scripts test whether the target platform is
infected by malware or backdoors. Examples include <literal>smtp-strangeport</literal>, which watches for SMTP servers running on unusual port numbers, and <literal>auth-spoof</literal>, which detects identd spoofing daemons which provide a fake answer before even receiving a query. Both of these behaviors are commonly associated with malware infections.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="safe script category">&ldquo;<literal>safe</literal>&rdquo; script category</primary></indexterm>
<option>safe</option>
</term>
<listitem>
<para>Scripts
which weren't designed to crash services, use large
amounts of network bandwidth or other resources, or
exploit security holes are categorized as <literal>safe</literal>. These are less likely to offend
remote administrators, though (as with all other Nmap
features) we cannot guarantee that they won't ever cause
adverse reactions. Most of these perform general
network discovery. Examples are
<literal>ssh-hostkey</literal> (retrieves an SSH host key) and
<literal>html-title</literal> (grabs the title from a
web page).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="version script category">&ldquo;<literal>version</literal>&rdquo; script category</primary></indexterm>
<indexterm><primary>version detection</primary><seealso>&ldquo;<literal>version</literal>&rdquo; script category</seealso></indexterm>
<option>version</option>
</term>
<listitem>
<para>The scripts in this special category are an
extension to the version detection feature and cannot be
selected explicitly. They are selected to run only if
version detection (<option>-sV</option>) was requested.
Their output cannot be distinguished from version
detection output and they do not produce service or host
script results. Examples
are <literal>skypev2-version</literal>, <literal>pptp-version</literal>,
and <literal>iax2-version</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary sortas="vuln script category">&ldquo;<literal>vuln</literal>&rdquo; script category</primary></indexterm>
<option>vuln</option>
</term>
<listitem>
<para>These scripts check for specific known vulnerabilities and
generally only report results if they are found. Examples include <literal>realvnc-auth-bypass</literal> and <literal>xampp-default-auth</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="nse-cmd-line-args">
<title>Command-line Arguments</title>
<para>
These are the five command line arguments specific to script-scanning:
</para>
<variablelist>
<varlistentry>
<term>
<indexterm><primary><option>-sC</option></primary></indexterm>
<option>-sC</option>
</term>
<listitem>
<para>Performs a script scan using the default set of scripts. It is
equivalent to <option>--script=default</option>. Some of the
scripts in this <literal>default</literal> category are considered intrusive and should
not be run against a target network without permission. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary><option>--script</option></primary></indexterm>
<option>--script <replaceable>script-categories</replaceable>|<replaceable>directory</replaceable>|<replaceable>filename</replaceable>|all</option></term>
<listitem>
<para>Runs a script scan (like <option>-sC</option>) using the comma-separated list of
script categories, individual scripts, or directories containing
scripts, rather than the default set. Nmap first tries to interpret the
arguments as categories, then (if that fails) as files or
directories. A script or directory of scripts may be specified as an
absolute or relative path. Absolute paths are used as
supplied. Relative paths are searched for in the following places
until found:<indexterm><primary>data files</primary><secondary>directory search order</secondary></indexterm><indexterm><primary>scripts, location of</primary></indexterm>
<filename>--datadir/</filename>;
<filename>$NMAPDIR/</filename>;<indexterm><primary><envar>NMAPDIR</envar> environment variable</primary></indexterm>
<filename>~/.nmap/</filename> (not searched on Windows);<indexterm><primary sortas="nmap directory"><filename>.nmap</filename> directory</primary></indexterm>
NMAPDATADIR/ or<indexterm><primary>NMAPDATADIR</primary></indexterm>
<filename>./</filename>. A <filename>scripts/</filename> subdirectory
is also tried in each of these.</para>
<para>If a directory is specified and found, Nmap loads all NSE
scripts (any filenames ending with <literal>.nse</literal>) from that
directory. Filenames without the <literal>nse</literal> extension are
ignored. Nmap does not search recursively into subdirectories to find
scripts. If individual file names are specified, the file extension
does not have to be <literal>nse</literal>.</para>
<para>Nmap scripts are stored in a <filename>scripts</filename>
subdirectory of the Nmap data directory by default (see
<xref linkend="data-files"/>). For efficiency, scripts are indexed in
a database stored
in <filename>scripts/script.db</filename>.<indexterm><primary><filename>script.db</filename></primary></indexterm>
which lists the category or categories in which each script belongs.
Give the argument <literal>all</literal> to execute all scripts in the
Nmap script database.</para>
<para>Scripts are not run in a sandbox and thus could accidentally or maliciously damage your system or invade your privacy. Never run scripts from third parties unless you trust the authors or have carefully audited the scripts yourself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary><option>--script-args</option></primary></indexterm>
<option>--script-args</option>
</term>
<listitem>
<para>provides arguments to the scripts. See <xref
linkend="nse-args"/> for a detailed explanation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary><option>--script-trace</option></primary></indexterm>
<option>--script-trace</option>
</term>
<listitem>
<para>
This option is similar to
<option>--packet-trace</option>, but works at the
application level rather than packet by packet. If this
option is specified, all incoming and outgoing
communication performed by scripts is printed. The
displayed information includes the communication
protocol, source and target addresses, and the
transmitted data. If more than 5% of transmitted data is
unprintable, hex dumps are given instead.
Specifying <option>--packet-trace</option> enables script
tracing too.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<indexterm><primary><option>--script-updatedb</option></primary></indexterm>
<option>--script-updatedb</option>
</term>
<listitem>
<para>This option updates the script database found
in <filename>scripts/script.db</filename> which is used by
Nmap to determine the available default scripts and
categories. It is only necessary to update the database if
you have added or removed NSE scripts from the
default <filename>scripts</filename> directory or if you
have changed the categories of any script. This option is
used by
itself without arguments: <command>nmap --script-updatedb</command>.</para>
</listitem>
</varlistentry>
</variablelist>
<para>
Some other Nmap options have effects on script scans. The most
prominent of these is
<option>-sV</option>.<indexterm><primary><option>-sV</option></primary></indexterm>
A version scan automatically executes
the scripts in the
<literal>version</literal> category.<indexterm><primary sortas="version script category">&ldquo;<literal>version</literal>&rdquo; script category</primary></indexterm>
The scripts
in this category are slightly different than other scripts because their
output blends in with the version scan results and they do not produce any
script scan output.
</para>
<para>
Another option which affects the scripting engine is
<option>-A</option>.<indexterm><primary><option>-A</option></primary><secondary>features enabled by</secondary></indexterm>
The aggressive Nmap mode implies
the <option>-sC</option> option.
</para>
<para>
</para>
</sect2>
<sect2 id="nse-args">
<title>Arguments to Scripts</title>
<indexterm><primary>script arguments</primary></indexterm>
<para>
Arguments may be passed to NSE scripts using the
<option>--script-args</option> option. The script arguments are generally
name-value pairs. They are provided to scripts as a Lua table named
<literal>args</literal> inside <literal><link
linkend="nse-api-registry">nmap.registry</link></literal>.
The argument names are keys for the corresponding values. The values can be
either strings or tables. Subtables can be used to pass arguments to
scripts with finer granularity, such as passing different usernames for
different scripts. Here is a typical Nmap invocation with script arguments:
</para>
<para>
<indexterm><primary><option>--script-args</option></primary><secondary>example of</secondary></indexterm>
<userinput>
$ nmap -sC --script-args user=foo,pass=bar,whois={whodb=nofollow+ripe}
</userinput>
</para>
<para>
The aforementioned command results in this Lua table:
</para>
<programlisting>
{user="foo",pass="bar",whois={whodb="nofollow+ripe"}}
</programlisting>
<para>You could therefore access the username (<literal>foo</literal>)
inside your script with this statement:</para>
<para><literal>local username = nmap.registry.args.user</literal></para>
<para>Subtables used to override
options for scripts are usually named after the script to ease retrieval.
</para>
</sect2>
<sect2 id="nse-usage-examples">
<title>Usage Examples</title>
<para>
A simple script scan using the default set of scripts:
</para>
<para>
<indexterm><primary><option>-sC</option></primary><secondary>example of</secondary></indexterm>
<userinput>
$ nmap -sC example.com
</userinput>
</para>
<para>
Executing a specific script with tracing enabled:
</para>
<para>
<indexterm><primary><option>--script</option></primary><secondary>example of</secondary></indexterm>
<indexterm><primary><option>--script-trace</option></primary><secondary>example of</secondary></indexterm>
<userinput>
$ nmap --script=./showSSHVersion.nse --script-trace example.com
</userinput>
</para>
<para>
Execute all scripts in the <filename>mycustomscripts</filename> directory as well as all default scripts in the <literal>safe</literal> category:
</para>
<para>
<userinput>
$ nmap --script=mycustomscripts,safe example.com
</userinput>
</para>
</sect2>
</sect1>
<sect1 id="nse-script-format">
<title>Script Format</title>
<para>NSE scripts consist of two&ndash;five descriptive fields along with either a port or host rule defining when the script should be executed and an action block containing the actual script instructions. Values can be assigned to the descriptive fields just as you would assign any other Lua variables. Their names must be lowercase as shown in this section.</para>
<sect2 id="nse-format-description">
<title><literal>description</literal> Field</title>
<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm>
<para>The <literal>description</literal> field describes what a script is testing
for and any important notes the user should be aware of. Depending on script complexity, the description may vary from a few sentences to a few paragraphs. The first paragraph should be a brief synopsis of the script function suitable for stand-alone presentation to the user. Further paragraphs may provide much more script detail.
</para>
</sect2>
<sect2 id="nse-format-categories">
<title><literal>categories</literal> Field</title>
<indexterm><primary sortas="categories script variable">&ldquo;<varname>categories</varname>&rdquo; script variable</primary></indexterm>
<para>The <literal>categories</literal> field defines one or
more categories to which a script belongs (see
<xref linkend="nse-categories"/>). The categories are case-insensitive and may be specified in any order. They are listed in an array-style Lua table as in this example:</para>
<programlisting>
categories = {"default", "discovery", "safe"}
</programlisting>
</sect2>
<sect2 id="nse-format-author">
<title><literal>author</literal> Field </title>
<indexterm><primary sortas="author script variable">&ldquo;<varname>author</varname>&rdquo; script variable</primary></indexterm>
<para>
The <literal>author</literal> field contains the script authors' names and contact information. If you are worried about spam, feel free to omit or obscure your email address, or give your home page URL instead. This optional field is not used by NSE, but gives script authors due credit or blame.
</para>
</sect2>
<sect2 id="nse-format-license">
<title><literal>license</literal> Field </title>
<indexterm><primary sortas="license script variable">&ldquo;<varname>license</varname>&rdquo; script variable</primary></indexterm>
<indexterm><primary>copyright</primary><secondary>of scripts</secondary></indexterm>
<para>Nmap is a community project and we welcome all sorts of
code contributions, including NSE scripts. So if you write a
valuable script, don't keep it to yourself!
The optional <literal>license</literal> field helps ensure that we have
legal permission to distribute all the scripts which come with Nmap. All of those scripts
currently use the standard Nmap license
(described in <xref linkend="nmap-copyright"/>). They include
the following line:</para>
<programlisting>
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
</programlisting>
<para>The Nmap license is similar to the GNU GPL. Script authors may
use a BSD-style license (no advertising clause) instead if they prefer
that.</para>
</sect2>
<sect2 id="nse-format-runlevel">
<title><literal>runlevel</literal> Field</title>
<indexterm><primary sortas="runlevel script variable">&ldquo;<varname>runlevel</varname>&rdquo; script variable</primary></indexterm>
<indexterm><primary>run level of scripts</primary></indexterm>
<para>
This optional field determines script execution order. When
this section is absent, the run level defaults to 1.0. Scripts with a given <literal>runlevel</literal> execute after any with a lower <literal>runlevel</literal> and before any scripts with a higher <literal>runlevel</literal> against a single target machine. The order of scripts with the same <literal>runlevel</literal> is undefined and they often run concurrently. One
application of run levels is allowing scripts to depend on
each other. If <literal>script A</literal> relies on some
information gathered by <literal>script B</literal>, give
<literal>B</literal> a lower run level than
<literal>A</literal>. <literal>Script B</literal> can store
information in the NSE registry for <literal>A</literal> to
retrieve later. For information on the NSE registry, see
<xref linkend="nse-api-registry"/>.
</para>
</sect2>
<sect2 id="nse-format-rules">
<title>Port and Host Rules</title>
<indexterm><primary sortas="portrule script variable">&ldquo;<varname>portrule</varname>&rdquo; script variable</primary></indexterm>
<indexterm><primary sortas="hostrule script variable">&ldquo;<varname>hostrule</varname>&rdquo; script variable</primary></indexterm>
<indexterm><primary>rules in NSE</primary><see>&ldquo;<varname>portrule</varname>&rdquo; and &ldquo;<varname>hostrule</varname>&rdquo;</see></indexterm>
<para>
Nmap uses the script rules to determine whether a script should be run
against a target. A script contains either a <emphasis>port
rule</emphasis>, which governs which ports of a target the scripts may
run against, or a <emphasis>host rule</emphasis>, which specifies that
the script should be run only once against a target IP and only if
the given conditions are met. A rule is a Lua function that returns
either <literal>true</literal> or <literal>false</literal>. The
script <emphasis>action</emphasis> is only performed if its rule
evaluates to <literal>true</literal>. Host rules accept a host
table as their argument and may test, for example, the IP address or
hostname of the target. A port rule accepts both host and port tables
as arguments for any TCP or UDP port in the
<literal>open</literal><indexterm><primary><literal>open</literal> port state</primary></indexterm>,
<literal>open|filtered</literal><indexterm><primary><literal>open|filtered</literal> port state</primary></indexterm>,
or <literal>unfiltered</literal><indexterm><primary><literal>unfiltered</literal> port state</primary></indexterm> port states. Port rules generally test factors such as the port number, port state, or listening service name in deciding whether to run against a port. Example rules are shown in <xref linkend="nse-tutorial-rule"/>.</para>
</sect2>
<sect2 id="nse-format-action"><title>Action</title>
<indexterm><primary sortas="action script variable">&ldquo;<varname>action</varname>&rdquo; script variable</primary></indexterm>
<para>
The action is the heart of an NSE script. It contains all of the
instructions to be executed when the script's port or host rule
triggers. It is a Lua function which accepts the same arguments as the
rule and can return either <literal>nil</literal> or a string. If a string is returned by a service script, the string and script's filename are printed in the Nmap port table output. A string returned by a host script is printed below the port table. No output is produced if the
script returns <literal>nil</literal>. For an example of an NSE
action refer to <xref linkend="nse-tutorial-action"/>.
</para>
</sect2>
</sect1>
<sect1 id="nse-language">
<title>Script Language</title>
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>parts of</secondary></indexterm>
<para>
The core of the Nmap Scripting Engine is an embeddable Lua
interpreter. Lua is a lightweight language designed for
extensibility. It offers a powerful and well documented API for
interfacing with other software such as Nmap.
</para>
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>library</secondary></indexterm>
<para>
The second part of the Nmap Scripting Engine is the NSE Library, which
connects Lua and Nmap. This layer
handles issues such as initialization of the Lua interpreter,
scheduling of parallel script execution, script retrieval and
more. It is also the heart of the NSE network I/O framework and the
exception handling mechanism. It also includes utility libraries to make scripts more powerful and convenient. The utility library modules and extensions are described in <xref linkend="nse-library"/>.</para>
<sect2 id="nse-lua">
<title>Lua Base Language</title>
<indexterm><primary>Lua programming language</primary></indexterm>
<para>
The Nmap scripting language is an embedded <ulink
url="http://www.lua.org/">Lua</ulink> interpreter which was
extended with libraries for interfacing with Nmap. The Nmap
API is in the Lua namespace <literal>nmap</literal>. This
means that all calls to resources provided by Nmap have an
<literal>nmap</literal> prefix.<indexterm><primary><varname>nmap</varname> NSE module</primary></indexterm>
<literal>nmap.new_socket()</literal>, for example, returns a
new socket wrapper object. The Nmap library layer also takes
care of initializing the Lua context, scheduling parallel
scripts and collecting the output produced by completed
scripts.
</para>
<para>
During the planning stages, we considered several programming
languages as the base for Nmap scripting. Another option was to
implement a completely new programming language. Our criteria
were strict: NSE had to be easy to
use, small in size, compatible with the Nmap license,
scalable, fast and parallelizable. Several
previous efforts (by other projects) to design their own security auditing language from scratch
resulted in awkward solutions, so we decided early not to follow that
route. First the Guile Scheme interpreter was considered,
but the preference drifted towards the Elk interpreter due to its more
favorable license. But parallelizing Elk scripts would have been
difficult. In addition, we expect that most Nmap users prefer procedural programming over functional languages such as Scheme. Larger interpreters such as Perl, Python, and
Ruby are well-known and loved, but are difficult to embed
efficiently. In the end, Lua excelled in all of our criteria.
It is small, distributed under the liberal MIT open source license, has
coroutines for efficient parallel script
execution, was designed with embeddability in mind, has
excellent documentation, and is actively developed by a large
and committed community.
Lua is now even embedded in other popular open source security tools including
the <application>Wireshark</application> sniffer and <application>Snort</application> IDS.
</para>
</sect2>
</sect1>
<sect1 id="nse-scripts">
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>list of scripts</secondary></indexterm>
<title>NSE Scripts</title>
<print>
<para>This section lists (alphabetically) all NSE scripts packaged
with Nmap at the time of this writing. It comes straight from the
script source code thanks to the NSEDoc documentation system
described in <xref linkend="nsedoc"/>. Of course no
paper documentation can stay current with software developed as
actively as NSE is. For the most comprehensive and up-to-date
documentation, see the online NSE Documentation Portal at
<ulink url="http://nmap.org/nsedoc/"/>.
</para>
&nse-scripts;
</print>
<web>
<para>This section (a long list of NSE scripts with brief
summaries) is only provided in the printed edition of this book
because we already provide a better online interface to the
information at the <ulink url="http://nmap.org/nsedoc/">NSE
Documentation Portal</ulink>.</para>
</web>
</sect1>
<sect1 id="nse-library">
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>list of modules</secondary></indexterm>
<title>NSE Libraries</title>
<para>In addition to the significant built-in capabilities of
Lua, we have written or integrated many extension libraries which make
script writing more powerful and convenient. These libraries (sometimes called modules) are compiled if necessary and installed along with
Nmap. They have their own directory, <filename>nselib</filename>, which
is installed in the configured datadir. Scripts need only
<ulink url="http://www.lua.org/manual/5.1/manual.html#pdf-require">
<literal>require</literal>
</ulink> the default libraries in order to use them.
</para>
<sect2 id="nse-library-list">
<title>List of All Libraries</title>
<para>
This list is just an overview to give an idea of what libraries
are available. Developers will want to consult the complete
documentation at <ulink url="http://nmap.org/nsedoc/"/>.
</para>
&nse-modules;
</sect2>
<sect2 id="nse-library-c-modules">
<title>Adding C Modules to Nselib</title>
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>C modules</secondary></indexterm>
<para>
A few of the modules included in nselib are written in C or C++
rather than Lua. Two examples are <literal>bit</literal>
and <literal>pcre</literal>. We recommend that modules
be written in Lua if possible, but C and C++ may be more
appropriate if performance is critical or (as with
the <literal>pcre</literal> and <literal>openssl</literal>
modules) you are linking to an existing C library. This section
describes how to write your own compiled extensions to nselib.
</para>
<para>
The Lua C API is described at length in
<web><ulink url="http://www.amazon.com/exec/obidos/ASIN/8590379825/secbks-20"><citetitle>Programming in Lua, Second Edition</citetitle></ulink>,</web>
<print><citetitle>Programming in Lua, Second Edition</citetitle>,</print>
so this is a short summary. C modules consist of functions that
follow the protocol of the
<ulink url="http://www.lua.org/manual/5.1/manual.html#lua_CFunction"><type>lua_CFunction</type></ulink>
type. The functions are registered with Lua and assembled into a
library by calling the
<function>luaL_register</function><indexterm><primary><function>luaL_register</function></primary></indexterm>
function. A special initialization function provides the interface
between the module and the rest of the NSE code. By convention the
initialization function is named in the form
<function>luaopen_<replaceable>module</replaceable></function>.
</para>
<para>
The smallest compiled module that comes with NSE is
<literal>bit</literal>,<indexterm><primary><varname>bit</varname> NSE module</primary></indexterm>
and one of the most straightforward is
<literal>openssl</literal>.<indexterm><primary><varname>openssl</varname> NSE module</primary></indexterm>
These modules serve as good examples for a beginning module
writer. The
source code for <literal>bit</literal> is found in
<filename>nse_bit.cc</filename> and
<filename>nse_bit.h</filename>, while the
<literal>openssl</literal> source is in <filename>nse_openssl.cc</filename> and
<filename>nse_openssl.h</filename>. Most of the other compiled modules
follow this <literal>nse_<replaceable>module name</replaceable>.cc</literal> naming convention.
</para>
<para>
Reviewing the <literal>openssl</literal> module shows that one of the
functions in <filename>nse_openssl.cc</filename> is
<function>l_md5</function>, which calculates an MD5 digest. Its
function prototype is:</para>
<programlisting>
static int l_md5(lua_State *L);
</programlisting>
<para>The prototype shows that <function>l_md5</function> matches the
<type>lua_CFunction</type> type. The function is static because it
does not have to be visible to other compiled code. Only an address is required
to register it with Lua. Later in the file,
<function>l_md5</function> is entered into an array of type
<type>luaL_reg</type> and associated with the name
<function>md5</function>:</para>
<programlisting>
static const struct luaL_reg openssllib[] = {
{ "md5", l_md5 },
{ NULL, NULL }
};
</programlisting>
<para>This function will now be known as <function>md5</function> to NSE. Next the library is registered with a call to
<function>luaL_register</function> inside the initialization
function <function>luaopen_openssl</function>, as shown
next. Some lines relating to the registration of
OpenSSL <type>BIGNUM</type> types have been omitted:</para>
<programlisting>
LUALIB_API int luaopen_openssl(lua_State *L) {
luaL_register(L, OPENSSLLIBNAME, openssllib);
return 1;
}
</programlisting>
<para>The function <function>luaopen_openssl</function>
is the only function in the file that is exposed in
<filename>nse_openssl.h</filename>. <varname>OPENSSLLIBNAME</varname> is simply the string
<literal>"openssl"</literal>.
</para>
<para>
After a compiled module is written, it must be added to NSE by including
it in the list of standard libraries in
<filename>nse_init.cc</filename>. Then the module's
source file names must be added to
<filename>Makefile.in</filename> in the appropriate places. For both these tasks you can
simply follow the example of the other C modules. For the
Windows build, the new source files must be added to the
<filename>mswin32/nmap.vcproj</filename> project file using MS Visual Studio (see <xref linkend="inst-win-source"/>).
</para>
</sect2>
</sect1>
<sect1 id="nse-api">
<title>Nmap API</title>
<indexterm class="startofrange" id="nse-nmap-indexterm"><primary><varname>nmap</varname> NSE module</primary></indexterm>
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>API</secondary></indexterm>
<para>
NSE scripts have access to several Nmap facilities for writing
flexible and elegant scripts. The API provides target host
details such as port states and version detection results. It
also offers an interface to the Nsock<indexterm><primary>Nsock</primary></indexterm>
library
for efficient network I/O.
</para>
<sect2 id="nse-api-arguments">
<title>Information Passed to a Script</title>
<para>
An effective Nmap scripting engine requires more than just a
Lua interpreter. Users need easy access to the information
Nmap has learned about the target hosts. This data is passed
as arguments to the NSE script's
<literal>action</literal> method.<indexterm><primary sortas="action script variable">&ldquo;<varname>action</varname>&rdquo; script variable</primary></indexterm>
The arguments, <literal>host</literal> and
<literal>port</literal>, are Lua tables which contain
information on the target against which the script is
executed. If a script matched a hostrule, it gets only the
<literal>host</literal> table, and if it matched a portrule it
gets both <literal>host</literal> and <literal>port</literal>.
The following list describes each variable in these two tables.
</para>
<para>
<variablelist>
<varlistentry>
<term><option>host</option>
</term>
<listitem>
<para>
This table is passed as a parameter to the rule and action
functions. It contains information on the operating system run by
the host (if the <option>-O</option> switch was supplied), the
IP address and the host name of the scanned target.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.os</option>
</term>
<listitem>
<para>
The <literal>os</literal> entry in the host table is
an array of strings. The strings (as many as eight) are the
names of the operating systems the target is possibly
running. Strings are only entered in this array if the
target machine is a perfect match for one or more OS
database entries. If Nmap was run without the
<option>-O</option> option, then
<literal>host.os</literal> is <literal>nil</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.ip</option>
</term>
<listitem>
<para>Contains a string representation of the IP address of the
target host. If the scan was run against a host name and the
reverse DNS query returned more than one IP addresses then the
same IP address is used as the one chosen for the scan.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.name</option>
</term>
<listitem>
<para>Contains the reverse DNS entry of the scanned target host
represented as a string. If the host has no reverse DNS entry,
the value of the field is an empty string.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.targetname</option>
</term>
<listitem>
<para>Contains the name of the host as specified on the command line.
If the target given on the command line contains a netmask or is an IP
address the value of the field is <literal>nil</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.directly_connected</option>
</term>
<listitem>
<para> A Boolean value indicating whether or not the target host is
directly connected to (i.e. on the same network segment as) the host running Nmap.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.mac_addr</option>
</term>
<listitem>
<para>MAC address<indexterm><primary>MAC address</primary></indexterm>
of the destination host (six-byte long binary
string) or <literal>nil</literal>, if the host is not directly connected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.mac_addr_src</option>
</term>
<listitem>
<para>Our own MAC address, which was used to connect to the
host (either our network card's, or (with
<option>--spoof-mac</option>)<indexterm><primary><option>--spoof-mac</option></primary></indexterm>
the spoofed address).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.interface</option>
</term>
<listitem>
<para>A string containing the interface name
(dnet-style)<indexterm><primary>libdnet</primary></indexterm>
through
which packets to the host are sent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.bin_ip</option>
</term>
<listitem>
<para>The target host's IPv4 address as a 32-bit binary value.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>host.bin_ip_src</option>
</term>
<listitem>
<para>Our host's (running Nmap) source IPv4 address as a 32-bit binary value.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>port</option>
</term>
<listitem>
<para>
The port table is passed to an NSE service script (i.e. only those with a portrule rather than a hostrule) in the same
fashion as the host table. It contains information about the port
against which the script is running. While this table is not passed to host scripts, port states on the target can still be requested from Nmap
using the <literal>nmap.get_port_state()</literal> call.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>port.number</option>
</term>
<listitem>
<para>
Contains the port number of the target port.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>port.protocol</option>
</term>
<listitem>
<para>
Defines the protocol of the target port. Valid values are
<literal>"tcp"</literal> and <literal>"udp"</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>port.service</option>
</term>
<listitem>
<para>
Contains a string representation of the service running on
<literal>port.number</literal> as detected by the Nmap service
detection. If the <literal>port.version</literal> field is
<literal>nil</literal>, Nmap has guessed the service based
on the port number. Otherwise version detection was able to determine the listening service and this field is equal to
<literal>port.version.name</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>port.version</option>
</term>
<listitem>
<para>
This entry is a table which contains information
retrieved by the Nmap version scanning engine. Some
of the values (such as service name, service type
confidence, and the RPC-related values) may be retrieved by
Nmap even if a version scan was not performed. Values
which were not determined default to
<literal>nil</literal>. The meaning of each value is given in the following table:</para>
<table id="scripting-tbl-port-version-values">
<title><literal>port.version</literal> values</title>
<tgroup cols="2">
<colspec colwidth="2*" />
<colspec colwidth="5*" />
<thead><row>
<entry>Name</entry>
<entry>Description</entry>
</row></thead>
<tbody>
<row>
<entry><literal>name</literal></entry>
<entry>Contains the service name Nmap decided on for the port.</entry>
</row>
<row>
<entry><literal>name_confidence</literal></entry>
<entry>Evaluates how confident Nmap is about the accuracy of <literal>name</literal>, from 1 (least confident) to 10.</entry>
</row>
<row>
<entry><literal>product</literal>, <literal>version</literal>, <literal>extrainfo</literal>, <literal>hostname</literal>, <literal>ostype</literal>, <literal>devicetype</literal></entry>
<entry>These five variables are described in <xref linkend="vscan-versioninfo"/>.
</entry>
</row>
<row>
<entry><literal>service_tunnel</literal></entry>
<entry>Contains the string <literal>"none"</literal> or <literal>"ssl"</literal> based on whether or not Nmap used SSL tunneling to detect the service.</entry>
</row>
<row>
<entry><literal>service_fp</literal></entry>
<entry>The service fingerprint, if any, is provided in this value. This is described in
<xref linkend="vscan-community"/>.
</entry>
</row>
<row>
<entry><literal>rpc_status</literal></entry>
<entry>Contains a string value of <literal>good_prog</literal> if
we were able to determine the program number of an RPC service
listening on the port, <literal>unknown</literal> if the port
appears to be RPC but we couldn't determine the program
number, <literal>not_rpc</literal> if the port doesn't appear be
RPC, or <literal>untested</literal> if we haven't checked for RPC
status.</entry>
</row>
<row>
<entry><literal>rpc_program</literal>, <literal>rpc_lowver</literal>, <literal>rpc_highver</literal></entry>
<entry>The detected RPC program number and the range of version
numbers supported by that program. These will be
<literal>nil</literal> if <literal>rpc_status</literal> is
anything other than <literal>good_prog</literal>.</entry>
</row>
</tbody></tgroup></table>
</listitem>
</varlistentry>
<varlistentry>
<term><option>port.state</option>
</term>
<listitem>
<para>
Contains information on the state of the port.
Service scripts are only run against ports in the
<literal>open</literal> or
<literal>open|filtered</literal> states, so
<literal>port.state</literal> generally contains one
of those values. Other values might appear if the port
table is a result of the
<literal>get_port_state</literal> function. You can
adjust the port state using the
<literal>nmap.set_port_state()</literal> call. This is
normally done when an <literal>open|filtered</literal>
port is determined to be <literal>open</literal>.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2>
<sect2 id="nse-api-networkio">
<title>Network I/O API</title>
<para>
To allow for efficient and parallelizable network I/O, NSE
provides an interface to Nsock, the Nmap socket library. The
smart callback mechanism Nsock uses is fully transparent to
NSE scripts. The main benefit of NSE's sockets is that they
never block on I/O operations, allowing many scripts to be run in parallel.
The I/O parallelism is fully transparent to authors of NSE scripts.
In NSE you can either program as if you were using a single
non-blocking socket or you can program as if your connection is
blocking. Even blocking I/O calls return once a
specified timeout has been exceeded. Two flavors of Network I/O are
supported: connect-style and raw packet.
</para>
<sect3 id="nse-api-networkio-connect">
<title>Connect-style network I/O</title>
<indexterm><primary>sockets in NSE</primary></indexterm>
<para>This part of the network API should be suitable for most
classical network uses: Users create a socket, connect it to a
remote address, send and receive data and finally close the socket.
Everything up to the Transport layer (which is either TCP, UDP or
SSL) is handled by the library.
</para>
<para>
An NSE socket is created by calling
<function>nmap.new_socket</function>, which returns a socket object.
The socket object supports the usual <function>connect</function>,
<function>send</function>, <function>receive</function>, and
<function>close</function> methods. Additionally the functions
<function>receive_bytes</function>,
<function>receive_lines</function>, and
<function>receive_buf</function> allow greater control
over data reception.
<xref linkend="nse-api-networkio-connect-example" xrefstyle="select: label nopage"/>
shows the use of connect-style network operations. The
<function>try</function> function is used for error handling, as described in
<xref linkend="nse-exceptions"/>.
</para>
<example id="nse-api-networkio-connect-example">
<title>Connect-style I/O</title>
<programlisting>
require("nmap")
local socket = nmap.new_socket()
socket:set_timeout(1000)
try = nmap.new_try(function() socket:close() end)
try(socket:connect(host.ip, port.number))
try(socket:send("login"))
response = try(socket:receive())
socket:close()
</programlisting>
</example>
</sect3>
<sect3 id="nse-api-networkio-raw">
<title>Raw packet network I/O</title>
<indexterm><primary>raw packets</primary><secondary>in NSE</secondary></indexterm>
<para>For those cases where the connection-oriented approach is too high-level,
NSE provides script developers with the
option of raw packet network I/O.</para>
<para>Raw packet reception is handled through a
Libpcap<indexterm><primary>libpcap</primary></indexterm>
wrapper inside the Nsock
library.<indexterm><primary>Nsock</primary></indexterm>
The steps are to open a capture device, register listeners
with the device, and then process packets as they are
received.</para>
<para>The <function>pcap_open</function> method creates a handle for raw socket reads from an
ordinary socket object. This method takes a
callback function, which computes a packet hash from
a packet (including its headers). This hash can return any
binary string, which is later compared to the strings
registered with the <function>pcap_register</function>
function. The packet hash callback will normally extract some
portion of the packet, such as its source address.</para>
<para>The pcap reader is instructed to listen for certain
packets using the <function>pcap_register</function> function.
The function takes a binary string which is compared against
the hash value of every packet received. Those packets whose
hashes match any registered strings will be returned by the
<function>pcap_receive</function> method. Register the empty
string to receive all packets.</para>
<para>A script receives all packets for which a listener has
been registered by calling the
<function>pcap_receive</function> method. The method blocks
until a packet is received or a timeout occurs.</para>
<para>The more general the packet hash computing function is
kept, the more scripts may receive the packet and proceed with
their execution. To handle packet capture inside your
script you first have to create a socket with
<function>nmap.new_socket</function> and later close the socket
with <function>socket_object:close</function>&mdash;just like
with the connection-based network I/O.</para>
<para>
Receiving raw packets is important, but sending them is a key feature as well. To accomplish this, NSE can
access a wrapper around the
<literal>libdnet</literal> library.<indexterm><primary>libdnet</primary></indexterm> Raw packet writes do not
use a standard socket object like reads do. Instead, call the function
<function>nmap.new_dnet</function> to create a dnet object
with ethernet sending methods. Then open an interface with the
<function>ethernet_open</function> method. Raw ethernet
frames can then be sent
with <function>ethernet_send</function>. When you're done,
close the ethernet handle
with <function>ethernet_close</function>.</para>
<para>Sometimes the easiest ways to understand complex APIs
is by example. The <filename>sniffer-detect.nse</filename>
script included with Nmap uses raw packet capture and
sending in an attempt to detect promiscuous-mode machines on
the network (those running sniffers).</para>
</sect3>
</sect2>
<sect2 id="nse-mutex">
<title>Thread Mutexes</title>
<indexterm><primary>threads in NSE</primary></indexterm>
<indexterm><primary>mutexes in NSE</primary></indexterm>
<para>
Each script execution thread (e.g. <literal>ftp-anon</literal> running against an FTP server on the target host) yields to other
scripts whenever it makes a call on network objects (sending or receiving
data). Some scripts require finer concurrency control over thread execution. An
example is the <literal>whois</literal> script which queries
whois<indexterm><primary>whois</primary></indexterm>
servers for each target IP address. Because many concurrent queries often result in
getting one's IP banned for abuse, and because a single query may return additional
information for targets other threads are running against, it is useful
to have other threads pause while one thread performs a query.
</para>
<para>
To solve this problem, NSE includes a
<literal>mutex</literal> function which provides a
<ulink url="http://en.wikipedia.org/wiki/Mutual_exclusion">mutex</ulink>
(mutual exclusion object) usable by scripts. The mutex allows
for only one thread to be working on an object. Competing threads
waiting to work on this object are put in the waiting queue
until they can get a "lock" on the mutex. A solution for
the <literal>whois</literal> problem above is to have each
thread block on a mutex using a common string, thus ensuring
that only one thread is querying whois servers at once. That
thread can store the results in the NSE registry before
releasing unlocking the mutex. The next script in the waiting
queue can then run. It will first check the registry and only
query whois servers if the previous results were insufficient.
</para>
<para>The first step is to create a mutex object using a statement such as:</para>
<para><literal>mutexfn = nmap.mutex(object)</literal></para>
<para>The <literal>mutexfn</literal> returned is a function
which works as a mutex for the <literal>object</literal> passed
in. This object can be any
<ulink role="hidepdf"
url="http://www.lua.org/manual/5.1/manual.html#2.2">Lua data
type</ulink> except <literal>nil</literal>,
<literal>booleans</literal>, and <literal>numbers</literal>.
The returned function allows you to lock, try to lock, and
release the mutex. Its first and only parameter must be one of
the following:</para>
<variablelist>
<varlistentry>
<term><literal>"lock"</literal></term>
<listitem><para>Make a blocking lock on the mutex. If the mutex is busy (another thread has a lock on it), then the thread will yield and wait. The function returns with the mutex locked.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"trylock"</literal></term>
<listitem><para>Makes a non-blocking lock on the mutex. If the mutex is
busy then it immediately returns with a return value of
<literal>false</literal>. Otherwise the mutex locks the
mutex and returns <literal>true</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"done"</literal></term>
<listitem><para>Releases the mutex and allows
another thread to lock it. If the thread does not have a lock on the mutex, an
error will be raised.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"running"</literal></term>
<listitem><para>Returns the thread locked
on the mutex or <literal>nil</literal> if the mutex is not
locked. This should only be used for debugging as it
interferes with garbage collection of finished threads.</para></listitem>
</varlistentry>
</variablelist>
<para>A simple example of using the API is provided in <xref linkend="nse-mutex-handling" xrefstyle="select: label nopage"/>. For real-life examples, read the <filename>asn-query.nse</filename> and <filename>whois.nse</filename> scripts in the Nmap distribution.</para>
<example id="nse-mutex-handling">
<title>Mutex manipulation</title>
<programlisting>
local mutex = nmap.mutex("My Script's Unique ID");
function action(host, port)
mutex "lock";
-- Do critical section work - only one thread at a time executes this.
mutex "done";
return script_output;
end
</programlisting>
</example>
</sect2>
<sect2 id="nse-exceptions">
<title>Exception Handling</title>
<indexterm><primary>exceptions in NSE</primary></indexterm>
<para>
NSE provides an exception handling mechanism which is not present in
the base Lua language. It is tailored
specifically for network I/O operations, and
follows a functional programming paradigm rather than an
object oriented one. The <function>nmap.new_try</function> API method is used to
create an exception handler. This method returns a function which takes a variable
number of arguments that are assumed to be the return values of
another function. If an exception is detected in the return
values (the first return value is false),
then the script execution is aborted and no
output is produced. Optionally, you can pass a function to
<function>new_try</function> which will be called
if an exception is caught. The function would generally perform any required cleanup operations.
</para>
<para>
<xref linkend="nse-exception-handling" xrefstyle="select: label nopage"/> shows cleanup
exception handling at work. A new function named
<function>catch</function> is defined to simply close the
newly created socket in case of an error. It is then used
to protect connection and communication attempts on that
socket. If no catch function is specified, execution of the
script aborts without further ado&mdash;open sockets will
remain open until the next run of Lua's garbage
collector. If the verbosity level is at least one or if the
scan is performed in debugging mode a description of the
uncaught error condition is printed on standard output.
Note that it is currently not easily possible to group
several statements in one try block.
</para>
<example id="nse-exception-handling">
<title>Exception handling example</title>
<programlisting>
local result, socket, try, catch
result = ""
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host.ip, port.number))
result = try(socket:receive_lines(1))
try(socket:send(result))
</programlisting>
</example>
<para>
Writing a function which is treated properly by the
try/catch mechanism is straightforward. The function should
return multiple values. The first value should be a Boolean
which is <literal>true</literal> upon successful completion of the function and
<literal>false</literal> otherwise. If the function completed successfully, the try
construct consumes the indicator value and returns the
remaining values. If the function failed then the second
returned value must be a string describing the error
condition. Note that if the value is not
<literal>nil</literal> or <literal>false</literal> it is
treated as <literal>true</literal> so you can return your
value in the normal case and return <literal>nil, <replaceable>error description</replaceable></literal>
if an error occurs.
</para>
</sect2>
<sect2 id="nse-api-registry">
<title>The Registry</title>
<indexterm><primary>registry (NSE)</primary></indexterm>
<para>
The registry is a Lua table (accessible
as <literal>nmap.registry</literal>) with the special property
that it is visible by all scripts and retains its state
between script executions. The registry is transient&mdash;it
is not stored between Nmap executions. Every script can read
and write to the registry. Scripts commonly use it to save
information for other instances of the same script. For
example, the <literal>whois</literal>
and <literal>asn-query</literal> scripts may query one IP
address, but receive information which may apply to tens of
thousands of IPs on that network. Saving the information in
the registry may prevent other script threads from having to
repeat the query.</para>
<para>The registry may also be used to hand
information to completely different scripts. For example,
the <literal>snmp-brute</literal> script saves a discovered
community name in the registry where it may be used by other
SNMP scripts. Scripts which leave information behind for a
second script must have a lower <literal>runlevel</literal>
than that second script, or there is no guarantee that they
will run first.<indexterm><primary>run level of
scripts</primary></indexterm>
</para>
<para>Because every script can write to the registry table, it
is important to avoid conflicts by choosing keys wisely
(uniquely).</para>
</sect2>
<indexterm class="endofrange" startref="nse-nmap-indexterm"/>
</sect1>
<sect1 id="nse-tutorial">
<title>Script Writing Tutorial</title>
<indexterm class="startofrange" id="nse-tutorial-indexterm"><primary>Nmap Scripting Engine (NSE)</primary><secondary>tutorial</secondary></indexterm>
<para>
Suppose that you are convinced of the power of NSE. How do you
go about writing your own script? Let's say
that you want to extract information from an identification
server<indexterm><primary>auth service</primary></indexterm> to determine the owner of the process listening on a TCP port.
This is not really the purpose of identd (it is meant for querying the owner of outgoing connections, not listening daemons), but many identd servers allow it anyway. Nmap used to have this functionality (called ident scan), but it was removed
while transitioning to a new scan engine architecture. The protocol identd uses is pretty simple, but still too
complicated to handle with Nmap's version detection
language. First, you connect to the identification server and
send a query of the form <literal><replaceable>port-on-server</replaceable>,
<replaceable>port-on-client</replaceable></literal> and
terminated with a newline character. The server should then
respond with a string containing the server port, client port,
response type, and address information. The address information
is omitted if there is an error. More details are available
in <ulink role="hidepdf"
url="http://www.rfc-editor.org/rfc/rfc1413.txt">RFC
1413</ulink>, but this description is sufficient for our
purposes. The protocol cannot be modeled in Nmap's version
detection language for two reasons. The first is that you need
to know both the local and the remote port of a
connection. Version detection does not provide this data. The
second, more severe obstacle, is that you need two open
connections to the target&mdash;one to the identification server
and one to the listening port you wish to query. Both obstacles
are easily overcome with NSE.</para>
<para>
The anatomy of a script is described in <xref linkend="nse-script-format"/>.
In this section we will show how the described structure is utilized.
</para>
<sect2 id="nse-tutorial-head">
<title>The Head</title>
<para>
The head of the script is essentially its meta information. This
includes the
fields: <literal>description</literal>, <literal>categories</literal>, <literal>runlevel</literal>, <literal>author</literal>, and <literal>license</literal> as well as
initial NSEDoc information such as usage, args, and output
tags (see <xref linkend="nsedoc"/>).
</para>
<para>
The description field should contain a paragraph or more describing what the script does. If anything about the script results might confuse or mislead users, and you can't eliminate the issue by improving the script or results text, it should be documented in the <literal>description</literal>. If there are multiple paragraphs, the first is used as a short summary where necessary. Make sure that first paragraph can serve as a stand alone abstract. This description is short because it is such a simple script:
</para>
<para>
<indexterm><primary><literal>auth-owners</literal> script</primary></indexterm>
<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm>
<programlisting>
description = [[
Attempts to find the owner of an open TCP port by querying an auth
(identd - port 113) daemon which must also be open on the target system.
]]
</programlisting>
</para>
<para>Next comes NSEDoc information. This script is missing the
common <literal>@usage</literal> and <literal>@args</literal> tags
since it is so simple, but it does have an
NSEDoc <literal>@output</literal> tag:</para>
<programlisting>
---
--@output
-- 21/tcp open ftp ProFTPD 1.3.1
-- |_ auth-owners: nobody
-- 22/tcp open ssh OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)
-- |_ auth-owners: root
-- 25/tcp open smtp Postfix smtpd
-- |_ auth-owners: postfix
-- 80/tcp open http Apache httpd 2.0.61 ((Unix) PHP/4.4.7 ...)
-- |_ auth-owners: dhapache
-- 113/tcp open auth?
-- |_ auth-owners: nobody
-- 587/tcp open submission Postfix smtpd
-- |_ auth-owners: postfix
-- 5666/tcp open unknown
-- |_ auth-owners: root
</programlisting>
<para>
Next come the <literal>author</literal>, <literal>license</literal>, and <literal>categories</literal> tags.
This script belongs to the
<literal>safe</literal><indexterm><primary><literal>safe</literal>
script category</primary></indexterm> because we are not using
the service for anything it was not intended for. Because this
script is one that should run by default it is also in the
<literal>default</literal><indexterm><primary><literal>default</literal>
script category</primary></indexterm>
category. Here are the variables in context:</para>
<indexterm><primary sortas="categories script variable">&ldquo;<varname>categories</varname>&rdquo; script variable</primary></indexterm>
<programlisting>
author = "Diman Todorov &lt;diman.todorov@gmail.com&gt;"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
</programlisting>
</sect2>
<sect2 id="nse-tutorial-rule">
<title>The Rule</title>
<para>
The rule section is a Lua method which decides whether to skip
or execute the script's action method against a particular service or host.
This decision is usually based on the host and port
information passed to the rule function. In the case of the
identification script, it is slightly more complicated than
that. To decide whether to run the identification script against a
given port we need to know if there is an auth
server running on the target machine. In other words, the
script should be run only if the currently scanned TCP port is open and
TCP port 113 is also open. For now we will rely on the fact that
identification servers listen on TCP port 113. Unfortunately NSE
only gives us information about the currently scanned port.</para>
<para>To find out if port 113 is open, we use the
<function>nmap.get_port_state</function> function. If the auth
port was not scanned, the <literal>get_port_state</literal>
function returns <literal>nil</literal>. So we check that
the table is not <literal>nil</literal>. We also
check that both ports are in the <literal>open</literal> state.
If this is the case, the action is executed, otherwise we skip
the action.
</para>
<para>
<indexterm><primary sortas="portrule script variable">&ldquo;<varname>portrule</varname>&rdquo; script variable</primary></indexterm>
<programlisting>
portrule = function(host, port)
local auth_port = { number=113, protocol="tcp" }
local identd = nmap.get_port_state(host, auth_port)
if
identd ~= nil
and identd.state == "open"
and port.protocol == "tcp"
and port.state == "open"
then
return true
else
return false
end
end
</programlisting>
</para>
</sect2>
<sect2 id="nse-tutorial-action">
<title>The Mechanism</title>
<para>
At last we implement the actual functionality! The script
first connects to the port on which we expect to find the
identification server, then it will connect to the port we
want information about. Doing so involves first creating two socket options by calling <function>nmap.new_socket</function>. Next we define an error-handling <function>catch</function> function which closes those sockets if failure is detected. At this point we can safely use object methods such as <function>open</function>,
<function>close</function>,
<function>send</function> and
<function>receive</function> to operate on the network socket. In this case we call <function>connect</function> to make the connections. NSE's exception handling mechanism.<indexterm><primary>exceptions in NSE</primary></indexterm>
is used to avoid excessive error-handling code. We simply wrap the networking calls in a <function>try</function> call which will in turn call our <function>catch</function> function if anything goes wrong.</para>
<para>If the two connections succeed, we construct a query string
and parse the response. If we received a satisfactory
response, we return the retrieved information.
</para>
<para>
<indexterm><primary sortas="action script variable">&ldquo;<varname>action</varname>&rdquo; script variable</primary></indexterm>
<programlisting>
action = function(host, port)
local owner = ""
local client_ident = nmap.new_socket()
local client_service = nmap.new_socket()
local catch = function()
client_ident:close()
client_service:close()
end
local try = nmap.new_try(catch)
try(client_ident:connect(host.ip, 113))
try(client_service:connect(host.ip, port.number))
local localip, localport, remoteip, remoteport =
try(client_service:get_info())
local request = port.number .. ", " .. localport .. "\n"
try(client_ident:send(request))
owner = try(client_ident:receive_lines(1))
if string.match(owner, "ERROR") then
owner = nil
else
owner = string.match(owner, "USERID : .+ : (.+)\n", 1)
end
try(client_ident:close())
try(client_service:close())
return owner
end
</programlisting>
</para>
<para>Note that because we know that the remote port is stored
in <literal>port.number</literal>, we could have ignored the last two
return values of <literal>client_service:get_info()</literal> like
this:</para>
<programlisting>
local localip, localport = try(client_service:get_info())
</programlisting>
<para>In this example we exit quietly if the service responds with an error. This is done by assigning <literal>nil</literal> to the <varname>owner</varname> variable which will be returned. NSE scripts generally only return messages when they succeed, so they don't flood the user with pointless alerts.</para>
</sect2>
<indexterm class="endofrange" startref="nse-tutorial-indexterm"/>
</sect1>
<sect1 id="nsedoc">
<title>Writing Script Documentation (NSEDoc)</title>
<indexterm class="startofrange" id="nsedoc-indexterm"><primary>Nmap Scripting Engine (NSE)</primary><secondary>documentation in</secondary></indexterm>
<indexterm class="startofrange" id="nse-nsedoc-indexterm"><primary>NSEDoc</primary></indexterm>
<para>
Scripts are used by more than just their authors, so they require good
documentation. NSE modules need documentation so developers can
use them in their scripts. NSE's documentation system, described in
this section, aims to meet both these needs. While reading this
section, you may want to browse NSE's online documentation, which is
generated using this system. It is at
<ulink url="http://nmap.org/nsedoc/"/>.
</para>
<para>
NSE uses a customized version of the
<ulink url="http://luadoc.luaforge.net/">LuaDoc</ulink><indexterm><primary>LuaDoc</primary></indexterm>
documentation system called NSEDoc.
The documentation for scripts
and modules is contained in their source code, as
comments with a special form.
<xref linkend="nsedoc-comment" xrefstyle="select: label nopage"/>
is an NSEDoc comment taken from the
<function>stdnse.print_debug()</function> function.
</para>
<!-- From stdnse.lua. -->
<!-- Be careful to change <code> to &lt;code&gt; when you copy code.
<code> is a DocBook tag so it will disappear within a programlisting! -->
<example id="nsedoc-comment">
<title>An NSEDoc comment for a function</title>
<programlisting>
--- Prints a formatted debug message if the current verbosity level is greater
-- than or equal to a given level.
--
-- This is a convenience wrapper around
-- &lt;code&gt;nmap.print_debug_unformatted()&lt;/code&gt;. The first optional numeric
-- argument, &lt;code&gt;verbosity&lt;/code&gt;, is used as the verbosity level necessary
-- to print the message (it defaults to 1 if omitted). All remaining arguments
-- are processed with Lua's &lt;code&gt;string.format()&lt;/code&gt; function.
-- @param level Optional verbosity level.
-- @param fmt Format string.
-- @param ... Arguments to format.
</programlisting>
</example>
<para>
Documentation comments start with three dashes:
<literal>---</literal>. The body of the comment is the description
of the following code. The first paragraph of the description should
be a brief summary, with the following paragraphs providing more
detail. Special tags starting with <literal>@</literal> mark off
other parts of the documentation. In the above example you see
<literal>@param</literal>, which is used to describe each parameter
of a function. A complete list of the documentation tags is found
in <xref linkend="nsedoc-tags"/>.
</para>
<para>
Text enclosed in the HTML-like <literal>&lt;code&gt;</literal> and
<literal>&lt;/code&gt;</literal> tags will be rendered in a
monospace font. This should be used for variable and function names,
as well as multi-line code examples. When a sequence of lines start
with the characters <quote><literal>* </literal></quote>, they will
be rendered as a bulleted list.
</para>
<para>
It is good practice to document every public function and table in a
script or module. Additionally every script and module should have
its own file-level documentation. A documentation comment at the
beginning of a file (one that is not followed by a function or table
definition) applies to the entire file. File-level documentation can
and should be several paragraphs long, with all the high-level
information useful to a developer using a module or a user running a
script.
<xref linkend="nsedoc-module" xrefstyle="select: label nopage"/>
shows documentation for the <literal>comm</literal> module (with a
few paragraphs removed to save space).
</para>
<example id="nsedoc-module">
<title>An NSEDoc comment for a module</title>
<programlisting>
--- Common communication functions for network discovery tasks like
-- banner grabbing and data exchange.
--
-- These functions may be passed a table of options, but it's not required. The
-- keys for the options table are &lt;code&gt;"bytes"&lt;/code&gt;, &lt;code&gt;"lines"&lt;/code&gt;,
-- &lt;code&gt;"proto"&lt;/code&gt;, and &lt;code&gt;"timeout"&lt;/code&gt;. &lt;code&gt;"bytes"&lt;/code&gt; sets
-- a minimum number of bytes to read. &lt;code&gt;"lines"&lt;/code&gt; does the same for
-- lines. &lt;code&gt;"proto"&lt;/code&gt; sets the protocol to communicate with,
-- defaulting to &lt;code&gt;"tcp"&lt;/code&gt; if not provided. &lt;code&gt;"timeout"&lt;/code&gt;
-- sets the socket timeout (see the socket function &lt;code&gt;set_timeout()&lt;/code&gt;
-- for details).
-- @author Kris Katterjohn 04/2008
-- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
</programlisting>
</example>
<para>
There are some special considerations for documenting scripts rather than
functions and modules. In particular, scripts have special variables for some information which
would otherwise belongs in @-tag comments (script variables are described in
<xref linkend="nse-script-format"/>). In particular, a script's
description belongs in the <varname>description</varname> variable
rather than in a documentation comment, and the information that
would go in <literal>@author</literal> and
<literal>@copyright</literal> belong in the variables
<varname>author</varname> and <varname>license</varname> instead.
NSEDoc knows about these variables and will use them in preference
to fields in the comments. Scripts should also have an
<varname>@output</varname> tag showing sample output, as well as <varname>@args</varname> and <varname>@usage</varname> where appropriate.
<xref linkend="nsedoc-script" xrefstyle="select: label nopage"/>
shows proper form for script-level documentation, using a
combination of documentation comments and NSE variables.
</para>
<!-- From asn-query.nse. -->
<example id="nsedoc-script">
<title>An NSEDoc comment for a script</title>
<programlisting>
description = [[
Maps IP addresses to autonomous system (AS) numbers.
The script works by sending DNS TXT queries to a DNS server which in
turn queries a third-party service provided by Team Cymru
(team-cymru.org) using an in-addr.arpa style zone set up especially for
use by Nmap.
]]
---
-- @usage
-- nmap --script asn-query.nse [--script-args dns=&lt;DNS server&gt;] &lt;target&gt;
-- @args dns The address of a recursive nameserver to use (optional).
-- @output
-- Host script results:
-- | AS Numbers:
-- | BGP: 64.13.128.0/21 | Country: US
-- | Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
-- | Peer AS: 3561 6461
-- | BGP: 64.13.128.0/18 | Country: US
-- | Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
-- |_ Peer AS: 174 2914 6461
author = "jah, Michael"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "external"}
</programlisting>
</example>
<indexterm><primary>NSEDoc</primary><secondary>for C modules</secondary></indexterm>
<para>
Compiled NSE modules are also documented with NSEDoc, even though
they have no Lua source code. Each compiled module has a file
<filename><replaceable>modulename</replaceable>.luadoc</filename><indexterm><primary sortas="luadoc filename extension"><filename>.luadoc</filename> filename extension</primary></indexterm>
that is kept in the <filename>nselib</filename> directory alongside
the Lua modules. This file lists and documents the functions and
tables in the compiled module as though they were written in Lua.
Only the name of each function is required, not its definition (not
even <literal>end</literal>). You must use the
<literal>@name</literal> and <literal>@class</literal> tags when
documenting a table to assist the documentation parser in
identifying it. There are several examples of this method of
documentation in the Nmap source distribution (including <literal>nmap.luadoc</literal>, <literal>bit.luadoc</literal>, and <literal>pcre.luadoc</literal>).
</para>
<sect2 id="nsedoc-tags">
<title>NSE Documentation Tags</title>
<para>
The following tags are understood by NSEDoc:
</para>
<variablelist>
<varlistentry>
<term><option>@param</option></term>
<listitem>
<para>
Describes a function parameter. The first word following
<literal>@param</literal> is the name of the parameter
being described. The tag should appear once for each
parameter of a function.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@see</option></term>
<listitem>
<para>
Adds a cross-reference to another function or table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@return</option></term>
<listitem>
<para>
Describes a return value of a function.
<literal>@return</literal> may be used multiple times for
multiple return values.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@usage</option></term>
<listitem>
<para>
Provides a usage example of a function or script. In
the case of a function, the example is Lua code; for a
script it is an Nmap command line.
<literal>@usage</literal> may be given more than once.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@name</option></term>
<listitem>
<para>
Defines a name for the function or table being documented.
This tag is normally not necessary because NSEDoc infers
names through code analysis.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@class</option></term>
<listitem>
<para>
Defines the <quote>class</quote> of the object being
modified: <literal>function</literal>,
<literal>table</literal>, or <literal>module</literal>.
Like <literal>@name</literal>, this is normally inferred
automatically.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@field</option></term>
<listitem>
<para>
In the documentation of a table, <varname>@field</varname> describes the value of a
named field.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@args</option></term>
<listitem>
<para>
Describes a script argument, as used with the
<option>--script-args</option> option (see
<xref linkend="nse-args"/>). The first word after
<literal>@args</literal> is the name of the argument, and
everything following that is the description. This tag is
special to script-level comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@output</option></term>
<listitem>
<para>
This tag, which is exclusive to
script-level comments, shows sample output from a script.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@author</option></term>
<listitem>
<para>
This tag, which may be given multiple times, lists the authors of an NSE module. For scripts, use the
<varname>author</varname> variable instead.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>@copyright</option></term>
<listitem>
<para>
This tag describes the copyright status of a module. For scripts,
use the <varname>license</varname>
variable instead.
</para>
</listitem>
</varlistentry>
</variablelist>
<!-- These tags are undocumented here: @description, @summary, and
@release. @documentation and @summary are automatically extracted
from the contents of a comment. @release has not been used with
NSEDoc. -->
</sect2>
<indexterm class="endofrange" startref="nsedoc-indexterm"/>
<indexterm class="endofrange" startref="nse-nsedoc-indexterm"/>
</sect1>
<sect1 id="nse-vscan">
<title>Version Detection Using NSE</title>
<indexterm class="startofrange" id="nse-sample-indexterm"><primary>Nmap Scripting Engine (NSE)</primary><secondary>sample scripts</secondary></indexterm>
<indexterm><primary>version detection</primary><secondary>using NSE</secondary></indexterm>
<para>
The version detection system built into Nmap was designed to
efficiently recognize the vast majority of protocols with a simple
probe and pattern matching syntax. Some protocols require more
complex communication than version detection can handle. A
generalized scripting language as provided by NSE is perfect for
these tough cases.
</para>
<para>
NSE's <literal>version</literal><indexterm><primary><varname>version</varname> script category</primary></indexterm>
category contains scripts that enhance standard version
detection. Scripts in this category are run whenever you request
version detection with <option>-sV</option>; you don't need to use
<option>-sC</option> to run these. This cuts
the other way too: if you use <option>-sC</option>, you won't get
<literal>version</literal> scripts unless you also use
<option>-sV</option>.
</para>
<para>
One protocol which we were unable to detect with normal version
detection is Skype version 2. The protocol was likely designed to
frustrate detection out of a fear that telecom-affiliated Internet
service providers might consider Skype competition and interfere
with the traffic. Yet we did find one way to detect it. If Skype
receives an HTTP GET request, it pretends to be a web server and
returns a 404 error. But for other requests, it sends back
a chunk of random-looking data. Proper identification requires
sending two probes and comparing the two responses&mdash;an ideal
task for NSE. The simple NSE script which accomplishes this is
shown in <xref linkend="nse-skypev2-script" xrefstyle="select:
label nopage"/>.
</para>
<example id="nse-skypev2-script">
<title>A typical version detection script (Skype version 2 detection)</title>
<programlisting>
description = [[
Detects the Skype version 2 service.
]]
author = "Brandon Enright &lt;bmenrigh@ucsd.edu&gt;"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"version"}
require "comm"
portrule = function(host, port)
return (port.number == 80 or port.number == 443 or
port.service == nil or port.service == "" or
port.service == "unknown")
and port.protocol == "tcp" and port.state == "open"
and port.service ~= "http" and port.service ~= "ssl/http"
end
action = function(host, port)
local status, result = comm.exchange(host, port,
"GET / HTTP/1.0\r\n\r\n", {bytes=26, proto=port.protocol})
if (not status) then
return
end
if (result ~= "HTTP/1.0 404 Not Found\r\n\r\n") then
return
end
-- So far so good, now see if we get random data for another request
status, result = comm.exchange(host, port,
"random data\r\n\r\n", {bytes=15, proto=port.protocol})
if (not status) then
return
end
if string.match(result, "[^%s!-~].*[^%s!-~].*[^%s!-~]") then
-- Detected
port.version.name = "skype2"
port.version.product = "Skype"
nmap.set_port_version(host, port, "hardmatched")
return
end
return
end
</programlisting>
</example>
<para>
If the script detects Skype, it augments its <varname>port</varname>
table with now-known <varname>name</varname> and
<varname>product</varname> fields. It then sends this new
information to Nmap by calling
<function>nmap.set_port_version</function>. Several other version
fields are available to be set if they are known, but in this case
we only have the name and product. For the full list of version
fields, refer to the <ulink role="hidepdf" url="http://nmap.org/nsedoc/modules/nmap.html"><function>nmap.set_port_version</function> documentation</ulink>.
</para>
<para>
Notice that this script does nothing unless it detects the protocol.
A script shouldn't
produce output (other than debug output) just to say it didn't learn
anything.
</para>
</sect1>
<sect1 id="nse-example-scripts">
<title>Example Script: <filename>finger.nse</filename></title>
<indexterm><primary><literal>finger</literal> script</primary></indexterm>
<para>The finger script (<filename>finger.nse</filename>) is a perfect
example of a short and simple NSE script.
</para>
<para>First the information fields are assigned.
A detailed description of what the script
actually does goes in the <literal>description</literal> field.</para>
<programlisting>
description = [[
Attempts to get a list of usernames via the finger service.
]]<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm>
author = "Eddie Bell &lt;ejlbell@gmail.com&gt;"<indexterm><primary>Bell, Eddie</primary></indexterm><indexterm><primary sortas="author script variable">&ldquo;<varname>author</varname>&rdquo; script variable</primary></indexterm>
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"<indexterm><primary sortas="license script variable">&ldquo;<varname>license</varname>&rdquo; script variable</primary></indexterm>
</programlisting>
<para>The <literal>categories</literal> field is a table
containing all the categories the script belongs to&mdash;These are used for
script selection with the <option>--script</option> option:</para>
<programlisting>
categories = {"default", "discovery"}
</programlisting>
<para>You can use the facilities provided by the nselib (<xref
linkend="nse-library"/>) with <literal>require</literal>. Here
we want to use common communication functions and shorter port rules:</para>
<programlisting>
require "comm"
require "shortport"
</programlisting>
<para>We want to run the script against the finger service. So we
test whether it is using the well-known finger port (<literal>79/tcp</literal>), or
whether the service is named <quote>finger</quote> based on version
detection results or in the port number's listing
in <filename>nmap-services</filename>:</para>
<programlisting>
portrule = shortport.port_or_service(79, "finger")<indexterm><primary sortas="portrule script variable">&ldquo;<varname>portrule</varname>&rdquo; script variable</primary></indexterm>
</programlisting>
<para>First, the script uses <function>nmap.new_try</function> to
create an exception handler that will quit the script in case of an
error. Next, it passes control to <function>comm.exchange</function>,
which handles the network transaction. Here we have asked to wait in the communication exchange until we receive at least 100 lines, wait at least 5 seconds, or until the remote side closes the connection. Any errors are handled by the
<function>try</function> exception handler. The script returns a string
if the call to <literal>comm.exchange()</literal> was successful.</para>
<programlisting>
action = function(host, port)
local try = nmap.new_try()
return try(comm.exchange(host, port, "\r\n",
{lines=100, proto=port.protocol, timeout=5000}))
end
</programlisting>
<indexterm class="endofrange" startref="nse-sample-indexterm"/>
</sect1>
<sect1 id="nse-implementation">
<title>Implementation Details</title>
<indexterm><primary>Nmap Scripting Engine (NSE)</primary><secondary>implementation</secondary></indexterm>
<para>
Now it is time to explore the NSE implementation details in
depth. Understanding how NSE works is useful for designing
efficient scripts and libraries. The canonical reference to
the NSE implementation is the source code, but this section
provides an overview of key details. It should be valuable to
folks trying to understand and extend the NSE source code, as
well as to script authors who want to better-understand how
their scripts are executed.
</para>
<sect2 id="nse-implementation-init">
<title>Initialization Phase</title>
<para>
During its initialization stage, Nmap loads the Lua interpreter and its provided libraries. These libraries are fully documented in the <ulink url="http://www.lua.org/manual/5.1/manual.html">Lua Reference Manual</ulink>. Here is a summary of the libraries, listed alphabetically by their namespace name:</para>
<variablelist>
<varlistentry>
<term><literal>debug</literal></term>
<listitem>
<para>The <ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.9">debug library</ulink> provides a low-level API to the Lua interpreter, allowing you to access functions along
the execution stack, retrieve function closures and object metatables,
and more.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>io</literal></term>
<listitem>
<para>The <ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.7">Input/Output library</ulink> offers functions such as reading from files or from the output from programs you execute.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>math</literal></term>
<listitem>
<para>Numbers in Lua usually correspond to the <literal>double</literal> C type, so the <ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.6">math library</ulink> provides access to rounding functions, trigonometric functions, random number generation, and more.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>os</literal></term>
<listitem>
<para>The
<ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.8">Operating System library</ulink> provides system facilities such as filesystem operations (including file renaming or removal and temporary file creation) and system environment access.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>package</literal></term>
<listitem>
<para>Among the functions provided by Lua's
<ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.3">package-lib</ulink> is <literal>require</literal>, which is used to load nselib modules.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>string</literal></term>
<listitem>
<para>The <ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.4">
string library</ulink> provides functions for manipulating
Lua strings, including printf-style
string formatting, pattern matching using Lua-style patterns,
substring extraction, and more.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>table</literal></term>
<listitem>
<para>The
<ulink role="hidepdf" url="http://www.lua.org/manual/5.1/manual.html#5.5">table manipulation library</ulink> is essential for operating on Lua's central data structure (tables).
</para>
</listitem>
</varlistentry>
</variablelist>
<para>In addition to loading the libraries provided by Lua,
the <literal>nmap</literal> namespace functions are loaded. The
search paths are the same directories that Nmap searches for its data
files, except that the <literal>nselib</literal> directory
is appended to each. At this stage any provided script arguments are
stored inside the registry.<indexterm><primary>registry
(NSE)</primary></indexterm></para>
<para>
The next phase of NSE initialization is loading the selected
scripts, based on the defaults or arguments provided to the
<option>--script</option><indexterm><primary><option>--script</option></primary></indexterm>
option. The
<literal>version</literal><indexterm><primary><varname>version</varname> script category</primary></indexterm>
category scripts are loaded as well if version detection was enabled.
NSE first tries to interpret each <option>--script</option> argument as a category.
This is done with a Lua C function
in <filename>nse_init.cc</filename> named <literal>entry</literal> based on data from
the <filename>script.db</filename> script categorization database.<indexterm><primary><filename>script.db</filename></primary><seealso><option>--script-updatedb</option></seealso></indexterm>
If the category is found, those scripts are loaded.
Otherwise Nmap tries to interpret <option>--script</option> arguments as
files or directories. If no files or directories with a given name are found in Nmap's search path,
an error is raised and the Script Engine aborts.
</para>
<para>
If a directory is specified, all of the <literal>.nse</literal> files inside it are
loaded. Each loaded file is executed by Lua. If a
<emphasis>portrule</emphasis> is present, it is saved in the
<emphasis>porttests</emphasis> table with a portrule key and file
closure value. Otherwise, if the script has a
<emphasis>hostrule</emphasis>, it is saved in the <emphasis>hosttests</emphasis> table
in the same manner.
</para>
</sect2>
<sect2 id="nse-implementation-match">
<title>Matching Scripts with Targets</title>
<para>
After initialization is finished, the
<literal>hostrules</literal><indexterm><primary sortas="hostrule script variable">&ldquo;<varname>hostrule</varname>&rdquo; script variable</primary></indexterm>
and <literal>portrules</literal><indexterm><primary sortas="portrule script variable">&ldquo;<varname>portrule</varname>&rdquo; script variable</primary></indexterm>
are evaluated for each host in the current
target group.
The rules of every chosen script is tested against every host and (in the case of service scripts) each <literal>open</literal><indexterm><primary><literal>open</literal> port state</primary></indexterm>
and <literal>open|filtered</literal><indexterm><primary><literal>open|filtered</literal> port state</primary></indexterm>
port on the hosts. The combination can grow quite large, so portrules should be kept as simple as possible. Save any heavy computation for the script's <literal>action</literal>.</para>
<para>Next, a <ulink url="http://www.lua.org/manual/5.1/manual.html#2.11">Lua thread</ulink> is created for each of the matching script-target combinations. Each thread
is stored with pertinent information such as the runlevel, target, target port (if applicable), host and port tables
(passed to the <literal>action</literal>), and the script type (service or host script).
The <function>mainloop</function> function then processes each runlevel grouping of threads in order.
</para>
</sect2>
<sect2 id="nse-implementation-execute">
<title>Script Execution</title>
<para>
Nmap performs NSE script scanning in
parallel<indexterm><primary>parallelism</primary><secondary>in NSE</secondary></indexterm>
by taking advantage of Nmap's Nsock parallel I/O library and the Lua
<ulink url="http://www.lua.org/manual/5.1/manual.html#2.11">coroutines
</ulink> language feature. Coroutines offer collaborative multi-threading so that scripts can suspend themselves at defined points and allow other coroutines to execute. Network I/O, particularly waiting for responses from
remote hosts, often involves long wait times, so
this is when scripts yield to others.
Key functions of the Nsock wrapper
cause scripts to yield (pause). When Nsock finishes processing such a request, it makes a callback
which causes the script to be pushed from the waiting queue back into the
running queue so it can resume operations when its turn comes up again.</para>
<para>
The <function>mainloop</function> function moves threads between the waiting and running queues as needed.
A thread which yields is moved from the running queue into the waiting list. Running threads execute until they either
yield, complete, or fail with an error. Threads are made ready to run (placed in the running queue) by calling
<literal>process_waiting2running</literal>. This process of scheduling running
threads and moving threads between queues continues
until no threads exist in either queue.</para>
</sect2>
</sect1>
<indexterm class="endofrange" startref="nse-indexterm"/>
Reference in New Issue View Git Blame Copy Permalink