Example 3-18. Scripts with nmap
root@rosebud:~# nmap -sS -T 3 -p 80 -oN http.txt --script http* 192.168.86.35
Nmap scan report for rosebud.lan (192.168.86.35)
Host is up (0.000075s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-apache-server-status:
|   Heading: Apache Server Status for rosebud.lan (via 192.168.86.35)
|   Server Version: Apache/2.4.29 (Debian) OpenSSL/1.1.0g
|   Server Built: 2017-10-23T14:46:55
|   Server Uptime: 36 days 47 minutes 32 seconds
|   Server Load: 0.00 0.00 0.00
|   VHosts:
|_    rosebud.washere.com:80
| http-brute:
|_  Path "/" does not require authentication
|_http-chrono: Request times for /; avg: 11.60ms; min: 2.61ms; max: 29.73ms
| http-comments-displayer:
|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=rosebud.lan
You can see from the example that the scan was limited to a single host on a single port. If I'm going to be running HTTP-based scripts, I may as well restrict my searches to just the HTTP ports. You certainly can run scripts like that with a normal scan of 1,000 ports. The difference is going to be in parsing the output: you'll have to look through all the other results to find the script output for the web servers.
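The parsing problem is easier to see on a scan that covers more than one port. The following is an added example, not code from the book: it reads nmap's normal (-oN) output, groups the "|"-prefixed script lines under the port they belong to, and then keeps only the ports whose service name starts with "http". The sample output is constructed for the example, modelled on Example 3-18 but with an ssh and an https port added so that the filter has something to discard.

```python
import re

# Constructed sample of nmap "normal" (-oN) output, modelled on the scan shown
# above with two extra ports added. Host, ports, fingerprint and script results
# are illustrative, not captured from a real scan.
SAMPLE_OUTPUT = """\
Nmap scan report for rosebud.lan (192.168.86.35)
Host is up (0.000075s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
80/tcp  open  http
| http-apache-server-status:
|   Heading: Apache Server Status for rosebud.lan (via 192.168.86.35)
|   Server Version: Apache/2.4.29 (Debian) OpenSSL/1.1.0g
|   Server Uptime: 36 days 47 minutes 32 seconds
| http-brute:
|_  Path "/" does not require authentication
|_http-chrono: Request times for /; avg: 11.60ms; min: 2.61ms; max: 29.73ms
443/tcp open  https
|_http-title: Site doesn't have a title (text/html).
"""

# "80/tcp open  http" -> port number, protocol, state, service name
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_script_output(text):
    """Parse -oN text into {"80/tcp": {"state", "service", "scripts": {name: [lines]}}}.

    Script output follows its port line and is prefixed with "|". The first line
    of a script carries its name at indent 0 or 1 ("| name:" or "|_name:");
    continuation lines are indented two or more ("|   ..." or "|_  ...").
    """
    ports = {}
    current = None  # port record that the following "|" lines belong to
    script = None   # list collecting the lines of the script being read
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            key = f"{m.group(1)}/{m.group(2)}"
            current = ports.setdefault(
                key, {"state": m.group(3), "service": m.group(4), "scripts": {}})
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue  # banner, column header, blank line or host-level text
        body = line[1:]
        if body.startswith("_"):
            body = body[1:]  # "|_" only marks the last line of a script block
        indent = len(body) - len(body.lstrip(" "))
        if indent <= 1:
            name, _, rest = body.partition(":")
            script = current["scripts"].setdefault(name.strip(), [])
            if rest.strip():
                script.append(rest.strip())  # single-line script result
        elif script is not None:
            script.append(body.strip())
    return ports


def scripts_for_service(ports, service_prefix):
    """Keep only the ports whose service name starts with the prefix (e.g. "http")."""
    return {port: rec for port, rec in ports.items()
            if rec["service"].startswith(service_prefix)}


if __name__ == "__main__":
    web = scripts_for_service(parse_script_output(SAMPLE_OUTPUT), "http")
    for port, rec in web.items():
        print(f"{port} ({rec['service']})")
        for name, lines in rec["scripts"].items():
            print(f"  {name}: {' | '.join(lines)}")
```

Run against a real http.txt by replacing SAMPLE_OUTPUT with the file's contents. The indent rule is what makes this work: nmap writes a script's name at the first column after "|" and nests its results two or more columns deeper, so the parser never has to know the individual scripts. Note that -oN is meant for people; for anything beyond a quick filter, nmap's -oX (XML) output is the format to parse.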
In addition to running scripts and the basic port scanning, nmap will provide information about the target and the services that are running. If you specify -A on the command line for nmap, it will run an operating system detection and a version detection. It will also run scripts based on the ports found to be open. Finally, nmap will run a traceroute to give you the network path between you and the target host.