Monday, February 13, 2012

Making Nmap Scripting Engine stealthier

  Nmap comes with NSE: a fully integrated scripting engine with many useful libraries. The http library is one I've come to use often, but I noticed that the default value for the User-Agent header is Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)
This is obviously a value you wouldn't want sent, as it gives your presence away on the battlefield. Additionally, it is easily detected and blocked, since the string is unique to Nmap's NSE http library.

A ModSecurity rule that detects and blocks this default user agent is: 

SecRule REQUEST_HEADERS:User-Agent "@streq Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)" deny
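The same detection can be done after the fact over web server access logs. The following is an added example (not from the original post, and not part of Nmap or ModSecurity): it parses combined-format log lines, flags requests carrying the NSE default User-Agent, and shows the difference between an exact match (what the @streq rule above does) and a looser substring match that also catches trivially altered copies of the string. The log lines are constructed for the example; the Firefox UA on the third line is the kind of value the post suggests switching to, and neither check would flag it.

```python
import re

# Default User-Agent string sent by Nmap's NSE http library (as quoted in the post).
NMAP_NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). Line 2 carries a slightly
# altered copy of the NSE string (extra space) to show what exact matching misses.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Feb/2012:10:00:01 +0100] "GET /robots.txt HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"',
    '192.0.2.10 - - [13/Feb/2012:10:00:02 +0100] "GET /admin/ HTTP/1.1" 404 209 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html )"',
    '198.51.100.7 - - [13/Feb/2012:10:00:05 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"',
    'this line is not in combined log format',
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nmap_nse_ua(ua, exact=False):
    """exact=True mirrors the ModSecurity @streq rule; exact=False is a looser
    check on the two distinctive fragments of the NSE default string."""
    if exact:
        return ua == NMAP_NSE_UA
    low = ua.lower()
    return "nmap scripting engine" in low or "nmap.org/book/nse" in low


def find_nse_hits(lines, exact=False):
    """Return (client_ip, request) for every parsable line whose UA matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the scan
        if is_nmap_nse_ua(rec["ua"], exact=exact):
            hits.append((rec["ip"], rec["req"]))
    return hits


def hits_per_ip(lines, exact=False):
    """Aggregate matches by source address, the view most useful for triage."""
    counts = {}
    for ip, _ in find_nse_hits(lines, exact=exact):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("exact matches :", find_nse_hits(SAMPLE_LOG, exact=True))
    print("loose matches :", find_nse_hits(SAMPLE_LOG, exact=False))
    print("per source IP :", hits_per_ip(SAMPLE_LOG))
```

Run on the constructed sample, the exact check flags only the first line, while the substring check flags the first two; both leave the Firefox line alone, which is exactly why the post's user-agent change makes the scans quieter.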

  According to the Nmap devs this value is left by "design", and if you want to change it you have to pass --script-args http.useragent="some ua" when launching your Nmap scans. The problem is that this is burdensome to add (and remember) every time you need it.

 You can find the default value in /usr/share/nmap/nselib/http.lua (at the beginning of the file, a couple of lines after the comments):

local USER_AGENT = stdnse.get_script_args('http.useragent') or "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

and change it to something more stealthy (the default User-Agent of Firefox on Windows 7, for example).

  By the way, if you happen to read this blog post before February 18th and you're around Algiers on that day, I'm doing a free "Web Hacking / Security Testing" workshop at ESI college as part of our activities at the OWASP Algeria Student Chapter. It's mainly for students with some background in web development, but everyone is welcome. Just register here.