nmap-python copied to clipboard
Python Script for most used nmap scripts
A Python wrapper for my most used nmap scripts. It's not a substitute for nmap knowledge but it makes running common scripts fast and easy as you don't have to remember script names. It's easy to edit the code in the case select statements and change the scipts if you want to use different nmap scripts.
Written in Python 3.4.4, it prints the Python version as the first line.
Here is an asciinema screen recording of how to use the script: python3 nmap3.py
asciinema is a cool little python script for recording terminal output. It can be found on github at: asciinema
To execute on windows if the python launcher is installed
python -3 nmap3.py
On Linux
python3 nmap3.py
The script checks to see if you are on a POSIX OS and add sudo to the commands that need root if you are.
To save a default IP address or range, create a file called ip.txt in the same folder as the script. In the file add just the IP Address or IP Address range in Nmap format. When you run the script it will list the IP address in the prompt. Just hit enter to accept the default or type a new IP address and hit enter.
You will then be presented with the following choices:
-1 - Print out script options -- https://nmap.org/book/nse-usage.html, https://nmap.org/book/output-formats-commandline-flags.html
0 - Download Cisco Configs using SNMP -- https://nmap.org/nsedoc/scripts/snmp-ios-config.html
1 - Check Cipher Suites and Certificates using ports 443, 465, 993, 995 and 3389
2 - SSH Scripts
Display SSH fingerprint (Host Keys) on an SSh server - https://nmap.org/nsedoc/scripts/ssh-hostkey.html
Display algorithms that the target SSH2 server offers. - https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html
Check for SSH V1
3 - Performs routing information gathering through Cisco's (EIGRP) Protocol -- https://nmap.org/nsedoc/scripts/broadcast-eigrp-discovery.html
4 - DHCP-Discover scripts
5 - Nmap script to find vulnerable Samba devices such as a printer, NAS or any device that allows Windows clients to connect.
6 - Brute Forcing Telnet with NMAP - Requires files of users and guesses -- https://nmap.org/nsedoc/scripts/telnet-brute.html
7 - EMS - Environmental Monitoring Systems using scripts from https://github.com/digitalbond/Redpoint#enip-enumeratense
8 - DNS Broadcast Discover -- broadcast-dns-service-discovery
9 - Banner Grab using banner-plus from HD Moore -- https://github.com/hdm/scan-tools/blob/master/nse/banner-plus.nse
10 - NTP Monlist - Pull down NTP server information -- https://nmap.org/nsedoc/scripts/ntp-monlist.html
11 - NTP INFO - Pull down general NTP information -- https://nmap.org/nsedoc/scripts/ntp-info.html
12 - DNS Brute - Enumerate DNS hostnames by brute force guessing of common subdomains -- https://nmap.org/nsedoc/scripts/dns-brute.html
13 - SMB - Various scripts for SMB servers. Make sure you are running nmap 7.50+ as there are a lot of fixes in 7.50.
14 - SNMP Scripts
Is SNMP running on a Windows machine -- https://nmap.org/nsedoc/scripts/snmp-processes.html
Grab HP printer password using SNMP
15 - Scan for MS17-010 Wannacry vulnerability -- https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html
16 - MSSQL - Attempt to determine version, config info and check for blank password -- https://nmap.org/nsedoc/scripts/ms-sql-info.html
Once you select a number you will be asked for an IP address or SNMP string if the script requires it. The script will output the appropriate nmap command. Copy it and paste into a command line or shell.
Here is an example using choice 0. In this case the ip.txt file conatins but I overrode it with
Input a number to select a script 0
Enter the IP Address []:
Enter SNMP Private Community String private
sudo nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=private
You should run nmap --script-updatedb
if you add any of the non-default scripts listed here.
You can use --script-help
with any script to print out its help file.
For example, nmap --script-help smb-vuln-cve-2017-7494
You can use --script-trace
to output the packets sent and received, similar to wireshark
For exmaple, nmap --script ssl-cert,ssl-enum-ciphers --script-trace -p 443,465,993,995