One of the best things about NSE is its ability to let users write and share their own scripts, so you’re not limited to relying on the Nmap default NSE scripts. Cymon.io is an excellent one as it searches around 200 different sources.Stay ahead of your digital fingerprint Boost your asset discovery process with Attack Surface Reduction Request access to ASR What is the Nmap Scripting Engine (NSE)?Īs explained in our Nmap Cheat Sheet, NSE stands for Nmap Scripting Engine, and it’s basically a digital library of Nmap scripts that helps to enhance the default Nmap features and report the results in a traditional Nmap output. Active (Nmap) vs Passive (p0f) information gatheringĮ emerging-Block-IPs.txtīelow is a list of threat intelligence websites that you can use.
If you did, please feel free to leave a comment. In this post we looked at the difference between active and passive information gathering from the perspective of network reconnaissance. Let’s use the same command above, but this time we will ask “cut” to use field 2 thus allowing us to see all the unique ports found in the file. In this example, we introduce another Linux utility - “cut”. To find out the various OSes in the file, let’s run that through some additional tools, such as grep, awk, sort and uniq.įrom the above, we see we have a count of all the different systems detected within the pcap. r attack-trace.pcap - use the attack-trace.pcap file as input.įrom above we see a snapshot of the OS, client, server, etc from the pcap. The main difference between the command line arguments when using p0f live vs reading a packet is the “-r” option. Let’s examine some of this creativity.įirst up, let’s run p0f against our downloaded pcap. When running p0f against the pcap file, we can get even more creative. To demonstrate this further, let’s borrow the attack-trace packet capture from honeynet project. pcap file to learn about the environment. While the example above shows how we can use p0f to listen on an interface, we can actually run p0f against an existing.
p - put the interface in promiscuous modeįrom above we see that p0f “learned” that the system 10.0.0.15 is running Windows NT kernel and this was learned via a SYN packet. i eth0 - specify the interface to listen on f /usr/share/p0f/p0f.fp - specify the fingerprint file to use We will use p0f with the following options. Once again, let’s look at this in practice. This can be inline or even seeing the traffic off a SPAN port. Note, for this to work properly, you would need to be in the path of the traffic.
Pn - no need to ping the host, assume it is onlineġ0.0.0.15 - The host we are would like to scanĪlternatively, as we perform “passive” information gathering we can simply start up “p0f” and let it listen on the interface. Let’s “actively” learn about a remote system using Nmap.įrom below we tell Nmap to target the host 10.0.0.15. Basically, you are not doing anything that will cause the remote system(s) to perform any response or any activity based on what you are doing. Note, these examples are specifically from a network perspective. Passive information gathering on the other hand, means you passively “sit” and learn about the system(s) as information passes in your path. An example of active information gathering is when a tool such as Nmap is used. In most cases, while attempting to learn about an environment, you may wish to either actively obtain information about the environment or passively do so.Īctive information gathering means you are in one way or the other directly interacting with the system(s).