Nmap脚本引擎(NSE)渗透测试指南<\/h1>

一、NSE简介<\/h2>
Nmap脚本引擎(NSE)是Nmap功能的重要扩展，于2007年谷歌夏令营期间推出。它通过Lua脚本语言扩展了Nmap的功能，目前包含14个类别的脚本，涵盖从网络发现到安全漏洞检测和利用的广泛任务。<\/p>

NSE基本使用<\/h3>

nmap -sV -sC scanme.nmap.org
<\/span><\/span><\/code><\/pre>
-sV<\/code>: 服务检测<\/li>
-sC<\/code>: 启用默认NSE脚本(等同于--script default<\/code>)<\/li>
默认脚本被认为是安全的，不会干扰目标服务<\/li>
<\/ul>
二、NSE脚本分类<\/h2>



类别<\/th>
描述<\/th>
<\/tr>
<\/thead>


auth<\/td>
用户认证相关脚本<\/td>
<\/tr>

broadcast<\/td>
使用广播收集网络信息<\/td>
<\/tr>

brute<\/td>
暴力破解脚本<\/td>
<\/tr>

default<\/td>
默认脚本(-sC)<\/td>
<\/tr>

discovery<\/td>
主机和服务发现<\/td>
<\/tr>

dos<\/td>
拒绝服务攻击相关<\/td>
<\/tr>

exploit<\/td>
安全漏洞利用<\/td>
<\/tr>

external<\/td>
第三方服务脚本<\/td>
<\/tr>

fuzzer<\/td>
模糊测试脚本<\/td>
<\/tr>

intrusive<\/td>
入侵性脚本<\/td>
<\/tr>

malware<\/td>
恶意软件检测<\/td>
<\/tr>

safe<\/td>
安全脚本<\/td>
<\/tr>

vuln<\/td>
安全漏洞检测和利用<\/td>
<\/tr>

version<\/td>
高级系统脚本<\/td>
<\/tr>
<\/tbody>
<\/table>
三、NSE脚本选择<\/h2>
1. 按名称选择脚本<\/h3>
nmap --script http-title <target>
<\/span><\/span>nmap -p80 --script http-huawei-hg5xx-vuln <target>
<\/span><\/span>nmap --script http-title,http-methods <target>
<\/span><\/span><\/code><\/pre>2. 按类别选择脚本<\/h3>
nmap --script exploit <target>
<\/span><\/span>nmap --script discovery,intrusive <target>
<\/span><\/span><\/code><\/pre>3. 按文件路径选择脚本<\/h3>
nmap --script \/path\/to\/script.nse <target>
<\/span><\/span>nmap --script \/path\/to\/folder\/ <target>
<\/span><\/span><\/code><\/pre>4. 高级选择表达式<\/h3>
# 排除特定类别<\/span>
<\/span><\/span>nmap -sV --script "not exploit"<\/span> <target>
<\/span><\/span>
<\/span><\/span># 组合条件<\/span>
<\/span><\/span>nmap --script "not(intrusive or dos or exploit)"<\/span> -sV <target>
<\/span><\/span>
<\/span><\/span># 通配符选择<\/span>
<\/span><\/span>nmap --script "snmp-*"<\/span> <target>
<\/span><\/span>
<\/span><\/span># 复杂组合<\/span>
<\/span><\/span>nmap --script "http-* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)"<\/span> <target>
<\/span><\/span><\/code><\/pre>四、NSE脚本参数<\/h2>
基本参数设置<\/h3>
nmap -sV --script http-title --script-args http.useragent=<\/span>"Mozilla 1337"<\/span> <target>
<\/span><\/span><\/code><\/pre>共享参数处理<\/h3>
nmap --script http-majordomo2-dir-traversal,http-axis2-dir-traversal \
<\/span><\/span><\/span><\/span>--script-args http-axis2-dir-traversal.uri=<\/span>\/axis2\/,uri=<\/span>\/majordomo\/ <target>
<\/span><\/span><\/code><\/pre>五、NSE脚本开发基础<\/h2>
Lua语言基础<\/h3>
NSE脚本使用Lua语言编写，需要掌握以下基本概念：<\/p>


注释<\/strong>：<\/p>
-- 单行注释<\/span>
<\/span><\/span>--[[
<\/span><\/span><\/span>    多行注释
<\/span><\/span><\/span>--]]<\/span>
<\/span><\/span><\/code><\/pre><\/li>

标识符<\/strong>：<\/p>

以字母或下划线开头<\/li>
区分大小写<\/li>
避免使用保留关键字<\/li>
<\/ul>
<\/li>

数据类型<\/strong>：<\/p>

nil<\/li>
boolean<\/li>
number<\/li>
string<\/li>
function<\/li>
userdata<\/li>
thread<\/li>
table<\/li>
<\/ul>
<\/li>

变量<\/strong>：<\/p>

全局变量：默认<\/li>
局部变量：使用local<\/code>声明<\/li>
<\/ul>
<\/li>
<\/ol>
NSE脚本结构<\/h3>


导入库<\/strong>：<\/p>
local<\/span> stdnse =<\/span> require "stdnse"<\/span>
<\/span><\/span>local<\/span> http =<\/span> require "http"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

脚本描述<\/strong>：<\/p>
description =<\/span> [[脚本描述]]<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Rule类型<\/strong>：<\/p>

prerule: Nmap扫描前触发<\/li>
hostrule: 主机发现或探测时触发<\/li>
portrule: 端口扫描时触发<\/li>
postrule: Nmap结束时触发<\/li>
<\/ul>
<\/li>

Action函数<\/strong>：执行主要逻辑<\/p>
<\/li>
<\/ol>
Rule类型详解<\/h3>


Prerule示例<\/strong>：<\/p>
prerule =<\/span> function<\/span>(host, port)
<\/span><\/span>    return<\/span> true<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Hostrule示例<\/strong>：<\/p>
hostrule =<\/span> function<\/span>(host)
<\/span><\/span>    return<\/span> host.os ~=<\/span> nil<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Portrule示例<\/strong>：<\/p>
portrule =<\/span> function<\/span>(host, port)
<\/span><\/span>    return<\/span> port.protocol ==<\/span> "tcp"<\/span> and<\/span> port.state ==<\/span> "open"<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>

Postrule示例<\/strong>：<\/p>
postrule =<\/span> function<\/span>()
<\/span><\/span>    return<\/span> true<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
六、NSE脚本开发实战<\/h2>
1. 获取网站客服电话示例<\/h3>
local<\/span> http =<\/span> require "http"<\/span>
<\/span><\/span>local<\/span> string =<\/span> require "string"<\/span>
<\/span><\/span>
<\/span><\/span>description =<\/span> [[获取网站客服电话]]<\/span>
<\/span><\/span>
<\/span><\/span>portrule =<\/span> function<\/span>(host, port)
<\/span><\/span>    return<\/span> port.service ==<\/span> "http"<\/span> and<\/span> port.state ==<\/span> "open"<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>action =<\/span> function<\/span>(host, port)
<\/span><\/span>    local<\/span> response =<\/span> http.get(host, port, "\/"<\/span>)
<\/span><\/span>    local<\/span> phone =<\/span> string.match(response.body, "%d+-%d+"<\/span>)
<\/span><\/span>    if<\/span> phone then<\/span>
<\/span><\/span>        return<\/span> "客服电话: "<\/span> ..<\/span> phone
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>2. 检测反射型XSS漏洞<\/h3>
local<\/span> http =<\/span> require "http"<\/span>
<\/span><\/span>local<\/span> string =<\/span> require "string"<\/span>
<\/span><\/span>local<\/span> stdnse =<\/span> require "stdnse"<\/span>
<\/span><\/span>
<\/span><\/span>description =<\/span> [[检测zzcms8.2反射型XSS]]<\/span>
<\/span><\/span>
<\/span><\/span>portrule =<\/span> function<\/span>(host, port)
<\/span><\/span>    return<\/span> port.service ==<\/span> "http"<\/span> and<\/span> port.state ==<\/span> "open"<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>action =<\/span> function<\/span>(host, port)
<\/span><\/span>    local<\/span> options =<\/span> {
<\/span><\/span>        headers =<\/span> {
<\/span><\/span>            ["Content-Type"<\/span>] =<\/span> "application\/x-www-form-urlencoded"<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    local<\/span> postdata =<\/span> {
<\/span><\/span>        admin =<\/span> "admin"<\/span>,
<\/span><\/span>        adminpwdtrue =<\/span> "admin<script>alert(1)<\/script>"<\/span>,
<\/span><\/span>        step =<\/span> 6<\/span>
<\/span><\/span>    }
<\/span><\/span>    local<\/span> response =<\/span> http.post(host, port, "\/install\/index.php"<\/span>, options, nil<\/span>, postdata)
<\/span><\/span>    
<\/span><\/span>    if<\/span> response.status ==<\/span> 200<\/span> and<\/span> string.find(response.body, "alert"<\/span>) then<\/span>
<\/span><\/span>        return<\/span> "存在反射型XSS漏洞"<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>七、调试技巧<\/h2>
使用-d<\/code>选项进行调试：<\/p>
nmap -d 3<\/span> --script your_script.nse <target>
<\/span><\/span><\/code><\/pre>
调试等级越高，输出信息越详细<\/li>
等级3通常足够用于一般调试<\/li>
<\/ul>
八、常用库函数<\/h2>
http库<\/h3>

http.get(host, port, path, options)<\/code>: 发起GET请求<\/li>
http.post(host, port, path, options, ignored, postdata)<\/code>: 发起POST请求<\/li>
<\/ul>
stdnse库<\/h3>

stdnse.format_output(true, table)<\/code>: 格式化输出<\/li>
stdnse.get_script_args()<\/code>: 获取脚本参数<\/li>
<\/ul>
string库<\/h3>

string.match(str, pattern)<\/code>: 模式匹配<\/li>
string.find(str, pattern)<\/code>: 查找字符串<\/li>
<\/ul>
九、最佳实践<\/h2>

为脚本添加详细的描述和用法示例<\/li>
使用local<\/code>声明局部变量<\/li>
合理处理错误和异常情况<\/li>
避免使用过于侵入性的脚本<\/li>
为脚本添加适当的分类和标签<\/li>
使用调试模式测试脚本<\/li>
<\/ol>
通过掌握这些NSE脚本开发技术，您可以扩展Nmap的功能，实现自定义的网络探测和安全检测任务。<\/p>

类别<\/th>	描述<\/th> <\/tr> <\/thead>
auth<\/td>	用户认证相关脚本<\/td> <\/tr>
broadcast<\/td>	使用广播收集网络信息<\/td> <\/tr>
brute<\/td>	暴力破解脚本<\/td> <\/tr>
default<\/td>	默认脚本(-sC)<\/td> <\/tr>
discovery<\/td>	主机和服务发现<\/td> <\/tr>
dos<\/td>	拒绝服务攻击相关<\/td> <\/tr>
exploit<\/td>	安全漏洞利用<\/td> <\/tr>
external<\/td>	第三方服务脚本<\/td> <\/tr>
fuzzer<\/td>	模糊测试脚本<\/td> <\/tr>
intrusive<\/td>	入侵性脚本<\/td> <\/tr>
malware<\/td>	恶意软件检测<\/td> <\/tr>
safe<\/td>	安全脚本<\/td> <\/tr>
vuln<\/td>	安全漏洞检测和利用<\/td> <\/tr>
version<\/td>	高级系统脚本<\/td> <\/tr> <\/tbody> <\/table> 三、NSE脚本选择<\/h2> 1. 按名称选择脚本<\/h3> nmap --script http-title <target> <\/span><\/span>nmap -p80 --script http-huawei-hg5xx-vuln <target> <\/span><\/span>nmap --script http-title,http-methods <target> <\/span><\/span><\/code><\/pre>2. 按类别选择脚本<\/h3> nmap --script exploit <target> <\/span><\/span>nmap --script discovery,intrusive <target> <\/span><\/span><\/code><\/pre>3. 按文件路径选择脚本<\/h3> nmap --script \/path\/to\/script.nse <target> <\/span><\/span>nmap --script \/path\/to\/folder\/ <target> <\/span><\/span><\/code><\/pre>4. 高级选择表达式<\/h3> # 排除特定类别<\/span> <\/span><\/span>nmap -sV --script "not exploit"<\/span> <target> <\/span><\/span> <\/span><\/span># 组合条件<\/span> <\/span><\/span>nmap --script "not(intrusive or dos or exploit)"<\/span> -sV <target> <\/span><\/span> <\/span><\/span># 通配符选择<\/span> <\/span><\/span>nmap --script "snmp-"<\/span> <target> <\/span><\/span> <\/span><\/span># 复杂组合<\/span> <\/span><\/span>nmap --script "http- and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)"<\/span> <target> <\/span><\/span><\/code><\/pre>四、NSE脚本参数<\/h2> 基本参数设置<\/h3> nmap -sV --script http-title --script-args http.useragent=<\/span>"Mozilla 1337"<\/span> <target> <\/span><\/span><\/code><\/pre>共享参数处理<\/h3> nmap --script http-majordomo2-dir-traversal,http-axis2-dir-traversal \ <\/span><\/span><\/span><\/span>--script-args http-axis2-dir-traversal.uri=<\/span>\/axis2\/,uri=<\/span>\/majordomo\/ <target> <\/span><\/span><\/code><\/pre>五、NSE脚本开发基础<\/h2> Lua语言基础<\/h3> NSE脚本使用Lua语言编写，需要掌握以下基本概念：<\/p> 注释<\/strong>：<\/p> -- 单行注释<\/span> <\/span><\/span>--[[ <\/span><\/span><\/span> 多行注释 <\/span><\/span><\/span>--]]<\/span> <\/span><\/span><\/code><\/pre><\/li> 标识符<\/strong>：<\/p> 以字母或下划线开头<\/li> 区分大小写<\/li> 避免使用保留关键字<\/li> <\/ul> <\/li> 数据类型<\/strong>：<\/p> nil<\/li> boolean<\/li> number<\/li> string<\/li> function<\/li> userdata<\/li> thread<\/li> table<\/li> <\/ul> <\/li> 变量<\/strong>：<\/p> 全局变量：默认<\/li> 局部变量：使用local<\/code>声明<\/li> <\/ul> <\/li> <\/ol> NSE脚本结构<\/h3> 导入库<\/strong>：<\/p> local<\/span> stdnse =<\/span> require "stdnse"<\/span> <\/span><\/span>local<\/span> http =<\/span> require "http"<\/span> <\/span><\/span><\/code><\/pre><\/li> 脚本描述<\/strong>：<\/p> description =<\/span> [[脚本描述]]<\/span> <\/span><\/span><\/code><\/pre><\/li> Rule类型<\/strong>：<\/p> prerule: Nmap扫描前触发<\/li> hostrule: 主机发现或探测时触发<\/li> portrule: 端口扫描时触发<\/li> postrule: Nmap结束时触发<\/li> <\/ul> <\/li> Action函数<\/strong>：执行主要逻辑<\/p> <\/li> <\/ol> Rule类型详解<\/h3> Prerule示例<\/strong>：<\/p> prerule =<\/span> function<\/span>(host, port) <\/span><\/span> return<\/span> true<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre><\/li> Hostrule示例<\/strong>：<\/p> hostrule =<\/span> function<\/span>(host) <\/span><\/span> return<\/span> host.os ~=<\/span> nil<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre><\/li> Portrule示例<\/strong>：<\/p> portrule =<\/span> function<\/span>(host, port) <\/span><\/span> return<\/span> port.protocol ==<\/span> "tcp"<\/span> and<\/span> port.state ==<\/span> "open"<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre><\/li> Postrule示例<\/strong>：<\/p> postrule =<\/span> function<\/span>() <\/span><\/span> return<\/span> true<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 六、NSE脚本开发实战<\/h2> 1. 获取网站客服电话示例<\/h3> local<\/span> http =<\/span> require "http"<\/span> <\/span><\/span>local<\/span> string =<\/span> require "string"<\/span> <\/span><\/span> <\/span><\/span>description =<\/span> [[获取网站客服电话]]<\/span> <\/span><\/span> <\/span><\/span>portrule =<\/span> function<\/span>(host, port) <\/span><\/span> return<\/span> port.service ==<\/span> "http"<\/span> and<\/span> port.state ==<\/span> "open"<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>action =<\/span> function<\/span>(host, port) <\/span><\/span> local<\/span> response =<\/span> http.get(host, port, "\/"<\/span>) <\/span><\/span> local<\/span> phone =<\/span> string.match(response.body, "%d+-%d+"<\/span>) <\/span><\/span> if<\/span> phone then<\/span> <\/span><\/span> return<\/span> "客服电话: "<\/span> ..<\/span> phone <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>2. 检测反射型XSS漏洞<\/h3> local<\/span> http =<\/span> require "http"<\/span> <\/span><\/span>local<\/span> string =<\/span> require "string"<\/span> <\/span><\/span>local<\/span> stdnse =<\/span> require "stdnse"<\/span> <\/span><\/span> <\/span><\/span>description =<\/span> [[检测zzcms8.2反射型XSS]]<\/span> <\/span><\/span> <\/span><\/span>portrule =<\/span> function<\/span>(host, port) <\/span><\/span> return<\/span> port.service ==<\/span> "http"<\/span> and<\/span> port.state ==<\/span> "open"<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>action =<\/span> function<\/span>(host, port) <\/span><\/span> local<\/span> options =<\/span> { <\/span><\/span> headers =<\/span> { <\/span><\/span> ["Content-Type"<\/span>] =<\/span> "application\/x-www-form-urlencoded"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> local<\/span> postdata =<\/span> { <\/span><\/span> admin =<\/span> "admin"<\/span>, <\/span><\/span> adminpwdtrue =<\/span> "admin<script>alert(1)<\/script>"<\/span>, <\/span><\/span> step =<\/span> 6<\/span> <\/span><\/span> } <\/span><\/span> local<\/span> response =<\/span> http.post(host, port, "\/install\/index.php"<\/span>, options, nil<\/span>, postdata) <\/span><\/span> <\/span><\/span> if<\/span> response.status ==<\/span> 200<\/span> and<\/span> string.find(response.body, "alert"<\/span>) then<\/span> <\/span><\/span> return<\/span> "存在反射型XSS漏洞"<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>七、调试技巧<\/h2> 使用-d<\/code>选项进行调试：<\/p> nmap -d 3<\/span> --script your_script.nse <target> <\/span><\/span><\/code><\/pre> 调试等级越高，输出信息越详细<\/li> 等级3通常足够用于一般调试<\/li> <\/ul> 八、常用库函数<\/h2> http库<\/h3> http.get(host, port, path, options)<\/code>: 发起GET请求<\/li> http.post(host, port, path, options, ignored, postdata)<\/code>: 发起POST请求<\/li> <\/ul> stdnse库<\/h3> stdnse.format_output(true, table)<\/code>: 格式化输出<\/li> stdnse.get_script_args()<\/code>: 获取脚本参数<\/li> <\/ul> string库<\/h3> string.match(str, pattern)<\/code>: 模式匹配<\/li> string.find(str, pattern)<\/code>: 查找字符串<\/li> <\/ul> 九、最佳实践<\/h2> 为脚本添加详细的描述和用法示例<\/li> 使用local<\/code>声明局部变量<\/li> 合理处理错误和异常情况<\/li> 避免使用过于侵入性的脚本<\/li> 为脚本添加适当的分类和标签<\/li> 使用调试模式测试脚本<\/li> <\/ol> 通过掌握这些NSE脚本开发技术，您可以扩展Nmap的功能，实现自定义的网络探测和安全检测任务。<\/p>

Nmap脚本引擎(NSE)渗透测试指南<\/h1>

一、NSE简介<\/h2> Nmap脚本引擎(NSE)是Nmap功能的重要扩展，于2007年谷歌夏令营期间推出。它通过Lua脚本语言扩展了Nmap的功能，目前包含14个类别的脚本，涵盖从网络发现到安全漏洞检测和利用的广泛任务。<\/p>

三、NSE脚本选择<\/h2>

四、NSE脚本参数<\/h2>

五、NSE脚本开发基础<\/h2>

六、NSE脚本开发实战<\/h2>

八、常用库函数<\/h2>

一、NSE简介<\/h2>
Nmap脚本引擎(NSE)是Nmap功能的重要扩展，于2007年谷歌夏令营期间推出。它通过Lua脚本语言扩展了Nmap的功能，目前包含14个类别的脚本，涵盖从网络发现到安全漏洞检测和利用的广泛任务。<\/p>