Home page logo

nmap-dev logo Nmap Development mailing list archives

Nmap/Metasploit Integration
From: Fyodor <fyodor () insecure org>
Date: Tue, 15 Mar 2011 16:59:51 -0700

Hi Folks.  This message just popped up on the Metasploit blog:


It basically says that they are impressed by NSE and have added an
auxiliary module for better Nmap integration.  Their first module to
use this integration is oracle_login, which calls Nmap with the
oracle_brute (http://nmap.org/nsedoc/scripts/oracle-brute.html) script
and then parse the results.

I grabbed the latest oracle_login.rb from their svn repository and it
doesn't look like they give Nmap or oracle_brute author Patrik
Karlsson any credit in the script description, etc.  I'll bug them
about that :).  OpenVAS does a much better job at at least crediting
Nmap when they use our scripts.

Hopefully this integration leads to Metasploit contributors seeing the
value of writing new scripts upstream in Nmap so that they can be used
by both products.  If they only make use of our existing scripts, that
doesn't really help the Nmap project (though it could still help our
many shared users).

Anyway, it is an interesting development.  Here is the text of their
blog post:

Nmap? In my Metasploit? It's more likely than you'd think!

If you've been paying any attention to the open source security
software space, you've probably noticed that one of our favorite
tools, nmap, ships with a pretty serious scipting engine. NSE allows
users to run scripted interactions on discovered services, and lately,
the repository of those scripts has exploded. As of the 5.50 release
of nmap, there are 177 scripts and 54 supporting libraries, covering
all sorts of protocols you're likely run into during a pen-test

In order to capitalize on this work, I put together a Metasploit mixin
to make development of Metasploit-driven NSE scripts pretty easy and
straightforward, as well as an example Metasploit module to test for
default Oracle database credentials. You can get a hold of these with
a checkout from the svn repository:

svn co https://metasploit.com/svn/framework3/trunk msf3

Modules that include Msf::Auxiliary::Nmap will now have a few handy
methods available to them; most notably, the nmap_run() and
nmap_hosts() methods. The first gets a hold of the locally-installed
nmap binary and module-defined arguments, and runs the proscribed nmap
scan and scripts configured by the module in a consistent,
platform-independent way. Nmap_hosts() takes the XML log file produced
by nmap_run(), parses out all the host nodes, and passes those back to
the module to deal with as it will -- modules can format and display
results on the console, log to the database, or perform more follow-on

I'm really excited about the practical collaboration opportunities
this integration creates between the nmap and Metasploit
communities. If someone writes a wicked fast NSE script for doing
interesting things on the network via nmap, Metasploit users can now
pretty easily take advantage of the research. Metasploit has supported
importing Nmap scan results for a while now, but this mechanism is
more direct, more real-time, and can be more specialized to take
advantage of specific NSE scripts.  Generated by todb at 3:02:00 PM

Generated by todb at 3:02:00 PM.  Tuesday, March 15, 2011
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]