Enhance security audits with Nmap and NSE scripts

The Nmap Scripting Engine feature enables security admins to automate scans, detect vulnerabilities and validate network security settings.

Nmap is one of the most critical network scanning and security assessment tools in a security admin's arsenal. While many use it regularly to run basic scans, most admins are not familiar with the available Nmap Scripting Engine (NSE), which automates many useful functions and extends Nmap's capabilities well beyond the basic singular commands.

One key use case is combining an Nmap scan with an NSE brute-force password attack against detected SSH systems. Follow along for instructions and to learn more about Nmap's extensibility in modern network assessment and penetration testing.

Background: Nmap and the Nmap Scripting Engine

Learning to use Nmap effectively enables system, network and security admins to explore and audit their environments, proving compliance and validating configurations. Begin by learning Nmap basics before exploring the NSE.

What is Nmap?

Nmap is a revolutionary tool that has aided network admins and pen testers for decades. It scans network environments and generates reports on host discovery, open ports, OSes, service enumeration and more.

Review the following basic Nmap examples to understand the command syntax.

Basic scan of a single host using the top 1000 ports:

nmap 192.168.2.200

Basic scan of an entire subnet:

nmap 192.168.2.0/24

Advanced and aggressive stealth and detection scan:

nmap -sS -sV -O -A -p- 192.168.2.200

Many admins generate a large amount of useful information with these simple scans, and some never use Nmap beyond these fundamental capabilities. However, Nmap includes far more functionality, including automation options.

What is the Nmap Scripting Engine?

NSE is a Lua-based framework built into Nmap to automate workflows and extend the tool's functionality beyond standard discovery scans. It enables users to share scripts that turn Nmap into an even more helpful tool. The NSE is an official component of Nmap and can be found at the primary Nmap homepage. It includes extensive documentation.

Scripts are identified by one or more categories to help admins find them and understand their use. Category examples include the following:

  • auth examines authentication credentials.
  • brute attempts brute-force authentication.
  • discovery queries additional resources to find more detailed target information.
  • fuzzer sends unexpected information to targets to test capabilities.
  • safe contains scripts not designed to disrupt services.
  • vuln checks for and reports known vulnerabilities without disrupting services.

The default category consists of a standard set of automated tasks. Explore its capabilities before running it on production systems. Check out the full list of NSE script categories.

Call these scripts by adding the -sC or --script options to standard Nmap commands. Follow the options with the script name. The -sC option automatically runs the default scripts against the targets. Use caution until you understand exactly what a script does in your environment.

The --script option enables you to specify a comma-separated list of scripts or categories to execute against the specified target. For example, run nmap --script=default,safe to load all scripts in the two specified categories.

What is the ssh-brute NSE script?

One great example of using the NSE to audit your security environment is the ssh-brute script. It detects SSH targets and runs a brute-force password attack against them. It falls under the brute and intrusive categories.

Consider the following use cases for this script:

  • Authorized pen testing to validate password strength and identify weak or default credentials.
  • Security audits to verify policy compliance, especially key-based authentication settings.
  • Testing the functionality of hardening or defensive configurations, such as Fail2ban or account lockout policies.
  • Demonstrating brute-force risks and capabilities in cybersecurity training or other controlled environments.

How the ssh-brute script works

The script follows a logical, controlled workflow to accomplish its tasks. The steps are:

  1. Scans and discovers open SSH services.
  2. Attempts to authenticate using specified username and password lists or supplied credentials.
  3. Respects configurable thresholds, such as timeouts or success detection.

The command syntax follows the standard Nmap structure. For example, to scan host 192.168.2.200, type:

nmap --script=ssh-brute 192.168.2.200

Understand and interpret the results

The script results reflect the attempts to authenticate to the target's SSH service. The result structure varies depending on what the script finds and the number of hosts targeted. All results are listed under the ssh-brute header, broken down per target, and include the following information:

  • Account results with successful or failed attempts.
  • Statistics on timeouts and the number of guesses attempted.
  • Timing and performance data.

Note that successful attempts are displayed in plain text and are therefore subject to interception or viewing using tools such as tcpdump and Wireshark.

One of the most important results is whether the SSH service accepts password-based authentication. Most organizations have standardized key-based authentication for additional security and streamlined automation. The Nmap ssh-brute script helps detect systems that are misconfigured to permit password-based logins.
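As an added example (not from the article or the Nmap project), the following Python script parses Nmap's XML output (nmap -oX) from an ssh-brute run and lists the hosts where a guessed password was accepted. The embedded XML is a constructed sample that follows the structured Accounts table the NSE brute library emits; the addresses and credentials are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -oX) from an ssh-brute run.
# The Accounts table mirrors the NSE brute library's structured output;
# addresses and credentials are invented for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="192.168.2.200" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
   <script id="ssh-brute" output="Accounts: admin:admin - Valid credentials">
    <table key="Accounts">
     <table><elem key="username">admin</elem><elem key="password">admin</elem>
      <elem key="state">Valid credentials</elem></table>
    </table>
    <table key="Statistics"><elem key="Performed">12 guesses in 3 seconds</elem></table>
   </script></port></ports></host>
 <host><address addr="192.168.2.201" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
   <script id="ssh-brute" output="No valid accounts found"><table key="Accounts"/></script>
  </port></ports></host>
</nmaprun>
"""

def parse_ssh_brute(xml_text):
    """Map each scanned address to a list of (username, state) tuples reported
    by ssh-brute. Passwords are deliberately left out so the report can be
    shared without exposing recovered secrets."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "ssh-brute":
                continue
            accounts = []
            acct_tbl = script.find("table[@key='Accounts']")
            for acct in (acct_tbl.findall("table") if acct_tbl is not None else []):
                fields = {e.get("key"): (e.text or "") for e in acct.findall("elem")}
                accounts.append((fields.get("username", "?"), fields.get("state", "?")))
            findings[addr_el.get("addr")] = accounts
    return findings

def hosts_needing_remediation(findings):
    """Addresses where at least one guessed password was accepted."""
    return sorted(a for a, accts in findings.items()
                  if any(state.startswith("Valid") for _, state in accts))
```

Feed it a real -oX file instead of SAMPLE_XML to turn a scan into a remediation list without re-reading the console output.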

Targeting other services

After completing an SSH audit, consider running the following similar automated brute-force tests against other protocols:

  • http-brute audits standard HTTP authentication credentials.
  • http-form-brute audits HTTP form-based credentials.
  • http-auth audits HTTP authentication credentials.
  • ftp-brute audits FTP credentials.
  • rdp-brute audits RDP credentials.
  • mysql-brute, mssql-brute and pgsql-brute audit database credentials.

Other brute-force auditing scripts exist, but these are the most useful.

Limits and risks of NSE brute-force scripts

As with any pen testing activity, exercise caution to avoid service disruptions or generating unanticipated alerts. Ensure you have explicit authorization before starting any scans or brute-force attempts. The ssh-brute script is easily detected and logged. In addition, the risk of locking accounts is high, which could easily result in blocked access and service downtime.

Brute-force attack mitigations

Note that the scan is not effective against systems with key-based authentication enabled and password logins disabled. It also doesn't avoid IP-based blocking mechanisms. However, these are often the defenses you're trying to validate.

Once you complete the ssh-brute discovery phase, use the following mitigations to address identified systems:

  • Configure and enforce key-based authentication.
  • Disable password authentication.
  • Integrate additional defensive tools, such as Fail2ban.
  • Change the default SSH port from 22 to a nonstandard port number.
  • Monitor logs for SSH-oriented password authentication.
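As an added example for the log-monitoring item above (not from the article), this Python detector reads sshd lines from auth.log, flags any source producing a burst of failed password attempts, and reports every login that succeeded with a password at all, which is a policy finding on hosts that should accept only keys. The log excerpt is constructed, and the threshold and window are assumed values to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt resembling sshd's messages during a password
# brute-force run; hostname, PIDs and addresses are invented for this example.
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[2210]: Failed password for invalid user admin from 192.168.2.50 port 51000 ssh2
Mar  3 10:15:01 host1 sshd[2211]: Failed password for root from 192.168.2.50 port 51001 ssh2
Mar  3 10:15:02 host1 sshd[2212]: Failed password for invalid user test from 192.168.2.50 port 51002 ssh2
Mar  3 10:15:02 host1 sshd[2213]: Failed password for root from 192.168.2.50 port 51003 ssh2
Mar  3 10:15:03 host1 sshd[2214]: Failed password for dev from 192.168.2.50 port 51004 ssh2
Mar  3 10:15:04 host1 sshd[2215]: Accepted password for dev from 192.168.2.50 port 51005 ssh2
Mar  3 10:20:00 host1 sshd[2300]: Accepted publickey for ops from 192.168.2.10 port 40000 ssh2
Mar  3 11:02:10 host1 sshd[2401]: Failed password for ops from 192.168.2.10 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (burst_sources, password_logins): sources with at least `threshold`
    failed password attempts inside any `window`, and (src, user) pairs that
    logged in with a password at all, a finding where only keys are permitted."""
    failures, password_logins = defaultdict(list), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "password":
            continue  # ignore unrelated lines and key-based logins
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if m["result"] == "Failed":
            failures[m["src"]].append(ts)
        else:
            password_logins.append((m["src"], m["user"]))
    bursts = set()
    for src, times in failures.items():
        times.sort()
        start = 0  # sliding window over this source's failure timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.add(src)
                break
    return sorted(bursts), password_logins
```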

Elevate your security audits

Nmap is an incredibly useful tool for admins. Extending its functionality with the NSE only enhances its ability to improve your organization's security posture and take security audits to the next level.

Don't forget that it's imperative to have explicit authorization before attempting any automated system attacks. Be sure to prepare responses for services that could become locked during the audit.

Take this opportunity to test your security configurations today.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.
