Nmap脚本引擎(NSE)渗透测试指南<\/h1>

一、NSE简介<\/h2>
Nmap脚本引擎(NSE)是Nmap功能扩展的核心组件，于2007年谷歌夏令营期间推出。它通过Lua脚本语言扩展了Nmap的功能，目前包含14个类别的脚本，覆盖从网络发现到安全漏洞检测和利用的广泛任务。<\/p>

二、NSE基础使用<\/h2>

1. 基本扫描命令<\/h3>

nmap -sV -sC scanme.nmap.org
<\/span><\/span><\/code><\/pre>
-sV<\/code>: 服务版本检测<\/li>
-sC<\/code>: 执行默认类别的NSE脚本（等同于--script default<\/code>）<\/li>
<\/ul>
2. 脚本分类<\/h3>



类别<\/th>
描述<\/th>
<\/tr>
<\/thead>


auth<\/td>
用户认证相关脚本<\/td>
<\/tr>

broadcast<\/td>
使用广播收集网络信息<\/td>
<\/tr>

brute<\/td>
暴力破解脚本<\/td>
<\/tr>

default<\/td>
默认脚本类别(-sC)<\/td>
<\/tr>

discovery<\/td>
主机和服务发现相关<\/td>
<\/tr>

dos<\/td>
拒绝服务攻击相关<\/td>
<\/tr>

exploit<\/td>
漏洞利用脚本<\/td>
<\/tr>

external<\/td>
第三方服务脚本<\/td>
<\/tr>

fuzzer<\/td>
模糊测试脚本<\/td>
<\/tr>

intrusive<\/td>
入侵性脚本<\/td>
<\/tr>

malware<\/td>
恶意软件检测<\/td>
<\/tr>

safe<\/td>
安全脚本(默认类别)<\/td>
<\/tr>

vuln<\/td>
安全漏洞检测和利用<\/td>
<\/tr>

version<\/td>
高级系统脚本<\/td>
<\/tr>
<\/tbody>
<\/table>
三、脚本选择方法<\/h2>
1. 按名称选择脚本<\/h3>
nmap --script http-title <target>
<\/span><\/span>nmap -p80 --script http-huawei-hg5xx-vuln <target>
<\/span><\/span>nmap --script http-title,http-methods <target>
<\/span><\/span><\/code><\/pre>2. 按类别选择脚本<\/h3>
nmap --script exploit <target>
<\/span><\/span>nmap --script discovery,intrusive <target>
<\/span><\/span><\/code><\/pre>3. 按文件路径选择脚本<\/h3>
nmap --script \/path\/to\/script.nse <target>
<\/span><\/span>nmap --script \/path\/to\/folder\/ <target>
<\/span><\/span><\/code><\/pre>4. 高级脚本选择表达式<\/h3>
# 排除exploit类别的脚本<\/span>
<\/span><\/span>nmap -sV --script "not exploit"<\/span> <target>
<\/span><\/span>
<\/span><\/span># 组合条件<\/span>
<\/span><\/span>nmap --script "not(intrusive or dos or exploit)"<\/span> -sV <target>
<\/span><\/span>
<\/span><\/span># 使用通配符<\/span>
<\/span><\/span>nmap --script "snmp-*"<\/span> <target>
<\/span><\/span>
<\/span><\/span># 复杂表达式<\/span>
<\/span><\/span>nmap --script "http-* and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)"<\/span> <target>
<\/span><\/span><\/code><\/pre>四、脚本参数设置<\/h2>
1. 基本参数设置<\/h3>
nmap -sV --script http-title --script-args http.useragent=<\/span>"Mozilla 1337"<\/span> <target>
<\/span><\/span><\/code><\/pre>2. 参数冲突解决<\/h3>
当多个脚本有同名参数时：<\/p>
nmap --script http-majordomo2-dir-traversal,http-axis2-dir-traversal \
<\/span><\/span><\/span><\/span>--script-args http-axis2-dir-traversal.uri=<\/span>\/axis2\/,uri=<\/span>\/majordomo\/ <target>
<\/span><\/span><\/code><\/pre>五、NSE脚本开发基础<\/h2>
1. Lua语言基础<\/h3>
基本语法<\/h4>

单行注释：-- 注释<\/code><\/li>
多行注释：<\/li>
<\/ul>
--[[
<\/span><\/span><\/span>多行注释
<\/span><\/span><\/span>多行注释
<\/span><\/span><\/span>--]]<\/span>
<\/span><\/span><\/code><\/pre>数据类型<\/h4>



类型<\/th>
描述<\/th>
<\/tr>
<\/thead>


nil<\/td>
无效值<\/td>
<\/tr>

boolean<\/td>
true\/false<\/td>
<\/tr>

number<\/td>
双精度浮点数<\/td>
<\/tr>

string<\/td>
字符串<\/td>
<\/tr>

function<\/td>
函数<\/td>
<\/tr>

userdata<\/td>
C数据结构<\/td>
<\/tr>

thread<\/td>
协程<\/td>
<\/tr>

table<\/td>
关联数组<\/td>
<\/tr>
<\/tbody>
<\/table>
变量<\/h4>

全局变量：直接声明<\/li>
局部变量：使用local<\/code>关键字<\/li>
<\/ul>
2. NSE脚本结构<\/h3>
description =<\/span> [[脚本描述]]<\/span>
<\/span><\/span>
<\/span><\/span>---<\/span>
<\/span><\/span>-- @usage 使用示例<\/span>
<\/span><\/span>-- @output 输出示例<\/span>
<\/span><\/span>---<\/span>
<\/span><\/span>
<\/span><\/span>author =<\/span> "作者"<\/span>
<\/span><\/span>license =<\/span> "Same as Nmap"<\/span>
<\/span><\/span>categories =<\/span> {"category1"<\/span>, "category2"<\/span>}
<\/span><\/span>
<\/span><\/span>-- 规则函数<\/span>
<\/span><\/span>rule =<\/span> function<\/span>(host, port)
<\/span><\/span>    return<\/span> true<\/span>\/<\/span>false<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>-- 执行函数<\/span>
<\/span><\/span>action =<\/span> function<\/span>(host, port)
<\/span><\/span>    -- 脚本逻辑<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>3. Rule类型<\/h3>



类型<\/th>
触发时机<\/th>
示例<\/th>
<\/tr>
<\/thead>


prerule<\/td>
Nmap扫描前<\/td>
prerule = function() return true end<\/code><\/td>
<\/tr>

hostrule<\/td>
主机发现或探测时<\/td>
hostrule = function(host) return true end<\/code><\/td>
<\/tr>

portrule<\/td>
端口扫描时<\/td>
portrule = function(host, port) return port.state == "open" end<\/code><\/td>
<\/tr>

postrule<\/td>
Nmap扫描结束时<\/td>
postrule = function() return true end<\/code><\/td>
<\/tr>
<\/tbody>
<\/table>
4. 常用库<\/h3>

stdnse<\/code>: 标准输出库<\/li>
http<\/code>: HTTP请求库<\/li>
shortport<\/code>: 端口处理库<\/li>
string<\/code>: 字符串处理库<\/li>
table<\/code>: 表格处理库<\/li>
<\/ul>
六、实战脚本开发示例<\/h2>
1. 检测反射型XSS漏洞<\/h3>
local<\/span> http =<\/span> require "http"<\/span>
<\/span><\/span>local<\/span> shortport =<\/span> require "shortport"<\/span>
<\/span><\/span>local<\/span> string =<\/span> require "string"<\/span>
<\/span><\/span>local<\/span> stdnse =<\/span> require "stdnse"<\/span>
<\/span><\/span>local<\/span> table =<\/span> require "table"<\/span>
<\/span><\/span>
<\/span><\/span>description =<\/span> [[Detecting reflective xss in zzcms8.2]]<\/span>
<\/span><\/span>
<\/span><\/span>author =<\/span> "HongRi yumu"<\/span>
<\/span><\/span>license =<\/span> "Same as Nmap"<\/span>
<\/span><\/span>categories =<\/span> {"default"<\/span>, "safe"<\/span>, "discovery"<\/span>, "version"<\/span>}
<\/span><\/span>
<\/span><\/span>portrule =<\/span> function<\/span>(host, port)
<\/span><\/span>    return<\/span> port.protocol ==<\/span> "tcp"<\/span> and<\/span> port.state ==<\/span> "open"<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>action =<\/span> function<\/span>(host, port)
<\/span><\/span>    local<\/span> table_input =<\/span> {}
<\/span><\/span>    local<\/span> xss_exit =<\/span> "Reflective xss exists"<\/span>
<\/span><\/span>    local<\/span> xss_not_exit =<\/span> "Reflective xss does not exist"<\/span>
<\/span><\/span>    local<\/span> basepath =<\/span> stdnse.get_script_args(SCRIPT_NAME..<\/span>".url-path"<\/span>) or<\/span> '\/install\/index.php'<\/span>
<\/span><\/span>    
<\/span><\/span>    local<\/span> options =<\/span> {
<\/span><\/span>        headers =<\/span> {
<\/span><\/span>            ["User-Agent"<\/span>] =<\/span> "Mozilla\/5.0"<\/span>,
<\/span><\/span>            ["Host"<\/span>] =<\/span> host.name,
<\/span><\/span>            ["Referer"<\/span>] =<\/span> "http:\/\/"<\/span>..<\/span>host.name..<\/span>"\/install\/index.php"<\/span>,
<\/span><\/span>            ["Content-Type"<\/span>] =<\/span> "application\/x-www-form-urlencoded"<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    local<\/span> postdata =<\/span> {
<\/span><\/span>        ["admin"<\/span>] =<\/span> "admin"<\/span>,
<\/span><\/span>        ["adminpwdtrue"<\/span>] =<\/span> "admin<script>alert(1)<\/script>"<\/span>,
<\/span><\/span>        ["step"<\/span>] =<\/span> 6<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    local<\/span> response =<\/span> http.post(host, port, basepath, options, nil<\/span>, postdata)
<\/span><\/span>    
<\/span><\/span>    if<\/span> response.status and<\/span> response.body then<\/span>
<\/span><\/span>        if<\/span> response.status ==<\/span> 200<\/span> and<\/span> string.find(response.body, "alert"<\/span>) ~=<\/span> nil<\/span> then<\/span>
<\/span><\/span>            table.insert(table_input, string.format("Final Results: %s"<\/span>, xss_exit))
<\/span><\/span>            return<\/span> stdnse.format_output(true<\/span>, table_input)
<\/span><\/span>        else<\/span>
<\/span><\/span>            table.insert(table_input, string.format("Final Results: %s"<\/span>, xss_not_exit))
<\/span><\/span>            return<\/span> stdnse.format_output(true<\/span>, table_input)
<\/span><\/span>        end<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>2. 获取网站客服电话<\/h3>
local<\/span> stdnse =<\/span> require "stdnse"<\/span>
<\/span><\/span>local<\/span> http =<\/span> require "http"<\/span>
<\/span><\/span>local<\/span> string =<\/span> require "string"<\/span>
<\/span><\/span>local<\/span> shortport =<\/span> require "shortport"<\/span>
<\/span><\/span>
<\/span><\/span>description =<\/span> [[Get the phone number of the customer service]]<\/span>
<\/span><\/span>
<\/span><\/span>author =<\/span> "HongRi yumu"<\/span>
<\/span><\/span>license =<\/span> "Same as Nmap"<\/span>
<\/span><\/span>categories =<\/span> {"default"<\/span>, "safe"<\/span>}
<\/span><\/span>
<\/span><\/span>portrule =<\/span> shortport.http
<\/span><\/span>
<\/span><\/span>function<\/span> action<\/span>(host, port)
<\/span><\/span>    local<\/span> telephone_number, baseurl
<\/span><\/span>    baseurl =<\/span> "\/"<\/span>
<\/span><\/span>    response =<\/span> http.get(host, port, baseurl)
<\/span><\/span>    telephone_number =<\/span> string.match(response.body, "%d+-%d+"<\/span>)
<\/span><\/span>    
<\/span><\/span>    if<\/span> telephone_number ~=<\/span> nil<\/span> then<\/span>
<\/span><\/span>        return<\/span> "consumer hotline:"<\/span>..<\/span>telephone_number
<\/span><\/span>    else<\/span>
<\/span><\/span>        return<\/span> "Not found"<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>七、调试技巧<\/h2>
使用-d<\/code>选项进行调试：<\/p>
nmap -d 3<\/span> --script your_script.nse <target>
<\/span><\/span><\/code><\/pre>调试等级说明：<\/p>

等级越高，输出信息越详细<\/li>
等级3通常足够用于脚本调试<\/li>
<\/ul>
八、最佳实践<\/h2>

脚本分类<\/strong>：根据脚本功能正确分类<\/li>
参数设计<\/strong>：考虑灵活性和可配置性<\/li>
错误处理<\/strong>：完善的错误处理和日志输出<\/li>
性能优化<\/strong>：避免不必要的网络请求和计算<\/li>
文档完善<\/strong>：包含使用示例和输出说明<\/li>
<\/ol>
九、资源链接<\/h2>

Lua教程<\/a><\/li>
Nmap官方文档<\/a><\/li>
NSE脚本库<\/a><\/li>
<\/ol>

Nmap脚本引擎(NSE)渗透测试指南<\/h1>

一、NSE简介<\/h2> Nmap脚本引擎(NSE)是Nmap功能扩展的核心组件，于2007年谷歌夏令营期间推出。它通过Lua脚本语言扩展了Nmap的功能，目前包含14个类别的脚本，覆盖从网络发现到安全漏洞检测和利用的广泛任务。<\/p>

二、NSE基础使用<\/h2>

三、脚本选择方法<\/h2>

四、脚本参数设置<\/h2>

五、NSE脚本开发基础<\/h2>

1. Lua语言基础<\/h3>

六、实战脚本开发示例<\/h2>

九、资源链接<\/h2> Lua教程<\/a><\/li> Nmap官方文档<\/a><\/li> NSE脚本库<\/a><\/li> <\/ol>

一、NSE简介<\/h2>
Nmap脚本引擎(NSE)是Nmap功能扩展的核心组件，于2007年谷歌夏令营期间推出。它通过Lua脚本语言扩展了Nmap的功能，目前包含14个类别的脚本，覆盖从网络发现到安全漏洞检测和利用的广泛任务。<\/p>

九、资源链接<\/h2>

Lua教程<\/a><\/li>
Nmap官方文档<\/a><\/li>
NSE脚本库<\/a><\/li> <\/ol>