LUA - Example nmap NSE Script

    Below is a basic NSE (nmap Scripting Engine) script example written in LUA. It contains the most basic parts of what an NSE script should contain.
    When used while running an nmap scan, the script will run on any target listening on port 80 or 443, or on any other port that nmap identifies as an open and listening web service.
    The script will send a GET request to the target and then go through all the header key/value pairs and output the result.

    Even though this is written in LUA and nmap will accept the .lua extension it is recommended to stay with the .nse extension for NSE scripts.

    File: http-headers-get.nse
    -- Nmap libraries
    local nmap = require "nmap"
    local stdnse = require "stdnse"
    local table = require "table"
    local http = require "http"
    local shortport = require "shortport"
    -- Mandatory description, author, license and categories
    description = [[Lua Nmap Header grapper. This is a fully functional sample service script.]]
    author = "Resheph"
    license = "Same as Nmap--See [URL][/URL]"
    categories = {"discovery", "safe"}
    -- Run this script on port 80, 443 or any other port that is identified as http or https that is an open tcp port
    -- (protocol and state are separate arguments of port_or_service)
    portrule = shortport.port_or_service({80, 443}, {"http", "https"}, "tcp", "open")
    --[[ This is what is being done when the script is being run.
    Host and port comes from the Nmap Scripting Engine ]]--
    action = function(host, port)
        -- Initialize local variables
        local response = {}                -- Variable for the get request
        local k, v = nil, nil              -- Variables for looping through the header[] key/value pair
        local output = {}                  -- Variable for the output
        response = http.get(host, port, "/")        -- Do the request and put the reply in the response variable
        if response.status                          -- If the response.status is not nil
        and response.status ~= 404                  -- And not a 404
        then                                        -- then
            for k, v in pairs(response.header) do                -- Loop through the headers in the response
                table.insert(output, k:upper() .. ": " .. v)     -- Put each header key/value pair in the output variable. The key is set to upper case
            end
            table.sort(output)                          -- Sort the output
            return stdnse.format_output(true, output)   -- Return the output to NSE
        else
            return response["status-line"]              -- If something went wrong, send the error message to NSE
        end
    end

    Tamper with it, modify it or make your own version. The purpose of this script is just to get you started if you have not tampered with NSE scripts before. nmap already has similar scripts available, so there is no real world use for this except that it makes up a simple example.
    LUA is not that hard to learn if you have some programming experience already. Not that I am an expert.
    Visit for more information and remember that any NSE script that comes with nmap can be studied to get inspiration.
    Certified Security Geek
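
A variation on the script above, added here as an example and not part of the original post: instead of printing every header, it reports which common security response headers are present or missing in the reply to GET /. The file name http-security-check.nse, the author value and the list of header names are assumptions chosen for illustration; the library calls are standard NSE.

```lua
-- File: http-security-check.nse (hypothetical name, added example)
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

description = [[Added example: lists common security response headers that are present in, or missing from, the reply to GET /.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- shortport.http matches the usual web ports and services
portrule = shortport.http

-- Header names to look for (an assumed, illustrative list). The http library
-- stores response header names in lower case, so the keys are lower case too.
local EXPECTED = {
  "content-security-policy",
  "referrer-policy",
  "x-content-type-options",
  "x-frame-options",
}

action = function(host, port)
  local response = http.get(host, port, "/")
  -- status is nil when the request itself failed: report nothing
  if not response or not response.status then
    return nil
  end
  local wanted = {}
  for _, name in ipairs(EXPECTED) do table.insert(wanted, name) end
  -- HSTS only has meaning when the service is reached over TLS
  if shortport.ssl(host, port) then
    table.insert(wanted, "strict-transport-security")
  end
  local present = {name = "Present:"}
  local missing = {name = "Missing:"}
  for _, name in ipairs(wanted) do
    local value = response.header[name]
    if value then
      table.insert(present, name:upper() .. ": " .. value)
    else
      table.insert(missing, name:upper())
    end
  end
  table.sort(present)
  table.sort(missing)
  local output = {}
  if #present > 0 then table.insert(output, present) end
  if #missing > 0 then table.insert(output, missing) end
  return stdnse.format_output(true, output)
end
```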