Nmap Nâng Cao: NSE Scripts, OS Detection và Bypass Firewall

Nmap không chỉ là port scanner. Với Nmap Scripting Engine (NSE), nó trở thành một vulnerability scanner, service enumerator và thậm chí exploit framework nhỏ gọn.

Cheatsheet Nmap cơ bản

# Scan phổ biến nhất
# -oA output writes output.nmap, output.xml and output.gnmap in the current directory.
nmap -sC -sV -oA output 192.168.1.1

# Flags quan trọng:
# -sC: default scripts
# -sV: version detection
# -sU: UDP scan
# -p-: all 65535 ports
# -T4: timing (0-5, mặc định 3)
# -A: aggressive (OS + version + scripts + traceroute)
# -oA: output all formats (nmap, xml, gnmap)
# --open: chỉ show open ports
# -Pn: skip host discovery (skip ping)
#      every address is treated as up, so large ranges take much longer

NSE Scripts hay nhất

# HTTP enumeration
# `nmap --script-help <name>` prints what a script does and its category
# before you run it.
nmap -p 80,443 --script http-enum target
nmap -p 80,443 --script http-methods target
nmap -p 80,443 --script http-robots.txt target

# SMB enumeration (Windows)
nmap -p 445 --script smb-enum-shares,smb-enum-users target
nmap -p 445 --script smb-vuln-ms17-010 target  # EternalBlue check

# SSH
nmap -p 22 --script ssh-hostkey,ssh-auth-methods target

# Database
nmap -p 3306 --script mysql-info,mysql-databases target
# pgsql-brute is a password-guessing script: it is loud in logs and can
# trigger account lockout on the target.
nmap -p 5432 --script pgsql-brute target

# Vulnerability scanning
# "vuln" runs every script in that category, not a single check.
nmap --script vuln target
# "exploit" category scripts actively attempt exploitation and can crash
# the target service.
nmap --script exploit target  # CAREFUL!

# SSL/TLS
# ssl-enum-ciphers also grades each cipher suite, useful for spotting weak TLS configs.
nmap -p 443 --script ssl-cert,ssl-enum-ciphers target

Bypass Firewall và IDS

# Fragmented packets
# Needs raw-socket privileges; many IDS and firewalls reassemble fragments,
# so this is readily logged.
nmap -f target

# Decoy scan — giả mạo source IP
# The real scanner address (ME) is still present in the traffic; decoys add
# noise to the defender's logs but do not hide the origin.
nmap -D RND:10 target
nmap -D 1.2.3.4,5.6.7.8,ME target

# Idle scan — zombie host
nmap -sI zombie_ip target

# Source port manipulation
# Only affects filters that trust traffic by source port; stateful firewalls ignore it.
nmap --source-port 53 target

# Slow scan để tránh IDS
# -T1 over a full port range can take hours; --max-retries 1 trades accuracy for time.
nmap -T1 --max-retries 1 target

# Custom MTU
# --mtu must be a multiple of 8.
nmap --mtu 24 target

# Randomize host order
nmap --randomize-hosts 192.168.1.0/24

Viết NSE Script đơn giản

-- Custom NSE: check for specific HTTP header
-- NSE reads a few well-known globals from a script (description, categories,
-- portrule, action); they are intentionally not declared `local`.
description = [[Checks if server exposes X-Powered-By header]]
-- "safe": the script only issues a single GET of "/" and never modifies the
-- target. It is not in the "default" category, so -sC will not run it; invoke
-- it explicitly with --script <scriptname>.
categories = {"discovery", "safe"}

local http = require "http"
local shortport = require "shortport"

-- Run against ports NSE recognises as HTTP (common port numbers / service names).
portrule = shortport.http

--- Fetches "/" and reports the X-Powered-By response header when present.
-- Produces no output (returns nothing) when the request fails or the header
-- is absent; the http library exposes header names in lowercase.
-- @param host host table supplied by NSE
-- @param port port table matched by portrule
-- @treturn string|nil "X-Powered-By: <value>" or nothing
action = function(host, port)
    local resp = http.get(host, port, "/")
    if not (resp and resp.header) then
        return
    end
    local value = resp.header["x-powered-by"]
    if not value then
        return
    end
    return "X-Powered-By: " .. value
end

Kết hợp với các tool khác

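# Nmap → Metasploit
# -sV so the XML carries service/version data for the Metasploit database.
nmap -sV -oX scan.xml target
msfconsole -q -x "db_import scan.xml; vulns"

# Nmap → Searchsploit
# In -sV output the columns are: port/proto, state, service, then the version
# string (product, version, extra info). Printing $5-$7 skipped the product
# name ($4) and often produced an empty or meaningless query; matching
# $2 == "open" also excludes "open|filtered" lines that a plain grep lets through.
# Lines with no detected version are dropped before reaching searchsploit.
nmap -sV target | awk '$2 == "open" {print $4, $5, $6}' | \
  grep -v '^ *$' | \
  xargs -I{} searchsploit {}

# Nmap → httpx để filter live web
# Greppable "Host:" lines put the address in $2; the port list is not passed
# along, so tell httpx the same ports or it only probes its defaults.
nmap -p 80,443,8080,8443 --open 192.168.1.0/24 -oG - | \
  grep "open" | awk '{print $2}' | \
  httpx -silent -p 80,443,8080,8443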
