Some recommended nmap NSE scripts for penetration testing and scanning
If you compiled nmap by hand, the directory where scripts are stored may differ from the paths shown below.
Subdomain brute-forcing
This script ships with nmap.
Usage examples:
nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
nmap --script dns-brute www.foo.com
For example, against baidu.com:
root@giantbranch:~# nmap -p 80 --script dns-brute.nse baidu.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-14 10:47 CST
Nmap scan report for baidu.com (220.181.57.216)
Host is up (0.15s latency).
Other addresses for baidu.com (not scanned): 123.125.114.144
PORT STATE SERVICE
80/tcp filtered http
Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| mx.baidu.com - 61.135.163.61
| admin.baidu.com - 10.26.109.19
| svn.baidu.com - 10.65.211.174
| ads.baidu.com - 10.42.4.225
| mx1.baidu.com - 220.181.50.185
| mx1.baidu.com - 61.135.165.120
| id.baidu.com - 103.235.47.123
| mysql.baidu.com - 10.105.97.153
| test.baidu.com - 61.135.185.109
| news.baidu.com - 103.235.46.122
| images.baidu.com - 182.61.62.50
| info.baidu.com - 111.206.223.208
| info.baidu.com - 61.135.185.62
| alpha.baidu.com - 111.206.223.252
| dns.baidu.com - 202.108.22.220
| internet.baidu.com - 103.235.46.122
| ap.baidu.com - 111.202.114.63
| ns1.baidu.com - 202.108.22.220
| ns2.baidu.com - 220.181.33.31
| ns3.baidu.com - 112.80.248.64
| dns1.baidu.com - 220.181.38.10
| app.baidu.com - 103.235.47.17
| ntp.baidu.com - 10.48.49.44
| ipv6.baidu.com - 111.13.101.208
| ipv6.baidu.com - 123.125.114.144
| ipv6.baidu.com - 220.181.57.216
| ipv6.baidu.com - 220.181.57.217
| ipv6.baidu.com - 2400:da00:2:0:0:0:0:29
| ops.baidu.com - 10.26.3.240
| ops.baidu.com - 10.46.7.36
| ops.baidu.com - 10.91.160.44
| vpn.baidu.com - 12.1.72.36
| lab.baidu.com - 180.149.132.122
| lab.baidu.com - 180.149.144.192
| web.baidu.com - 10.48.30.87
| owa.baidu.com - 12.0.243.39
| auth.baidu.com - 111.206.37.69
| linux.baidu.com - 10.99.31.43
| whois.baidu.com - 123.125.114.172
| exchange.baidu.com - 10.26.109.19
| backup.baidu.com - 10.143.145.28
| beta.baidu.com - 111.206.37.130
| log.baidu.com - 10.26.39.14
| www.baidu.com - 104.193.88.123
| www.baidu.com - 104.193.88.77
| mail.baidu.com - 12.0.243.42
| www2.baidu.com - 111.206.37.231
| cdn.baidu.com - 10.36.3.156
| forum.baidu.com - 10.26.109.19
| shop.baidu.com - 123.125.115.15
| sip.baidu.com - 12.0.243.54
| git.baidu.com - 10.42.4.104
| crs.baidu.com - 123.125.114.205
| crs.baidu.com - 123.125.114.237
| help.baidu.com - 112.34.111.18
| help.baidu.com - 112.34.111.183
| help.baidu.com - 112.80.255.39
| help.baidu.com - 112.80.255.43
| help.baidu.com - 117.185.16.213
| help.baidu.com - 117.185.16.230
| help.baidu.com - 180.149.144.165
| help.baidu.com - 180.149.144.166
| help.baidu.com - 180.97.33.42
| help.baidu.com - 180.97.36.81
| help.baidu.com - 202.106.2.77
| help.baidu.com - 202.106.2.78
| mobile.baidu.com - 103.235.47.17
| monitor.baidu.com - 10.91.161.200
| database.baidu.com - 10.26.109.19
| home.baidu.com - 202.106.2.51
| db.baidu.com - 10.26.109.19
| demo.baidu.com - 10.73.191.38
| ssl.baidu.com - 10.58.121.74
| dev.baidu.com - 111.206.37.39
| dev.baidu.com - 112.80.255.42
|_ dev.baidu.com - 163.177.151.51
Nmap done: 1 IP address (1 host up) scanned in 18.66 seconds
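Several records in the output above answer with 10.x.x.x addresses, which are RFC 1918 private ranges: internal hostnames have leaked into public DNS, which is exactly what a defender running dns-brute against their own domain should look for. The following added example (not part of the original post) parses dns-brute's text output and reports such records; the sample output and hostnames are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample in the shape of dns-brute's text output (hypothetical hostnames).
SAMPLE_OUTPUT = """\
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     admin.example.com - 10.26.109.19
|     www.example.com - 104.193.88.123
|     ipv6.example.com - 2400:da00:2:0:0:0:0:29
|     mx.example.com - 61.135.163.61
|_    git.example.com - 10.42.4.104
"""

# One result line: "|     host - address" (the final line starts with "|_").
LINE_RE = re.compile(r"^\|_?\s*(?P<host>[\w.-]+)\s+-\s+(?P<ip>[0-9a-fA-F.:]+)\s*$")


def parse_dns_brute(text: str) -> List[Tuple[str, IPAddr]]:
    """Return (hostname, address) pairs from dns-brute text output."""
    results: List[Tuple[str, IPAddr]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator or unrelated script output
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a literal address; skip rather than abort the report
        results.append((m.group("host"), ip))
    return results


def internal_leaks(text: str) -> Dict[str, List[str]]:
    """Hostnames whose public DNS answer is a private, loopback or link-local address."""
    leaks: Dict[str, List[str]] = {}
    for host, ip in parse_dns_brute(text):
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            leaks.setdefault(host, []).append(str(ip))
    return leaks


if __name__ == "__main__":
    for host, addrs in sorted(internal_leaks(SAMPLE_OUTPUT).items()):
        print(f"{host}: {', '.join(addrs)}")
```

Feed it the saved normal output of a dns-brute run (`-oN`) to get the list of names that should be moved to an internal-only zone.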
Enumerating interesting HTTP directories, services and banners: http-enum
This script also ships with nmap.
root@giantbranch:~# nmap --script http-enum oldblog.giantbranch.cn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-14 10:54 CST
Nmap scan report for oldblog.giantbranch.cn (162.159.211.67)
Host is up (0.00077s latency).
Other addresses for oldblog.giantbranch.cn (not scanned): 162.159.210.67 2606:4700:32::a29f:d243 2606:4700:32::a29f:d343
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /: WordPress version: 5.1.1
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
|_ /index/: Potentially interesting folder
443/tcp open https
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 599.45 seconds
Vulnerability scanning, part 1: Vulscan
Installation
$ git clone https://github.com/scipag/vulscan
# for MacOS
$ ln -s `pwd`/vulscan /usr/local/share/nmap/scripts/vulscan
# for Linux
$ ln -s `pwd`/vulscan /usr/share/nmap/scripts/vulscan
Usage
root@giantbranch:~# nmap -sV --script=vulscan/vulscan.nse social.u51.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-14 11:00 CST
Nmap scan report for social.u51.com (115.238.29.11)
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-server-header: nginx
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_
443/tcp open ssl/http nginx
|_http-server-header: nginx
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| No findings
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| No findings
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| No findings
|
| Exploit-DB - https://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|
| SecurityTracker - https://www.securitytracker.com:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|_
445/tcp filtered microsoft-ds
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.83 seconds
Vulnerability scanning, part 2: vulners
Installation
$ wget https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
# for MacOS
$ cp vulners.nse /usr/local/share/nmap/scripts/
# for Linux
$ cp vulners.nse /usr/share/nmap/scripts/
Usage
root@giantbranch:~# nmap -sV --script vulners 192.168.XXX.XXX
Starting Nmap 7.01 ( https://nmap.org ) at 2019-05-14 11:22 CST
Nmap scan report for 192.168.XXX.XXX
Host is up (0.00043s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.2p2:
| CVE-2016-6515 7.8 https://vulners.com/cve/CVE-2016-6515
| CVE-2015-8325 7.2 https://vulners.com/cve/CVE-2015-8325
| CVE-2018-15919 5 https://vulners.com/cve/CVE-2018-15919
| CVE-2017-15906 5 https://vulners.com/cve/CVE-2017-15906
| CVE-2016-10708 5 https://vulners.com/cve/CVE-2016-10708
|_ CVE-2016-6210 4.3 https://vulners.com/cve/CVE-2016-6210
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2017-15710 5 https://vulners.com/cve/CVE-2017-15710
| CVE-2018-17199 5 https://vulners.com/cve/CVE-2018-17199
| CVE-2016-8743 5 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-4979 5 https://vulners.com/cve/CVE-2016-4979
| CVE-2017-9798 5 https://vulners.com/cve/CVE-2017-9798
| CVE-2016-8740 5 https://vulners.com/cve/CVE-2016-8740
| CVE-2018-1333 5 https://vulners.com/cve/CVE-2018-1333
| CVE-2016-1546 4.3 https://vulners.com/cve/CVE-2016-1546
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
3389/tcp open ms-wbt-server xrdp
MAC Address: FA:16:3E:9A:0C:6F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds
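Reading the vulners list by hand gets tedious once several services each report a dozen CVEs. The following added example (not from the original post or the vulners project) parses the text output shown above, attaches each CVE to the port and CPE it was reported under, and keeps only findings at or above a CVSS threshold; the sample is a constructed excerpt that reuses CVE ids from the output above.

```python
import re
from typing import Dict, List, NamedTuple
class Finding(NamedTuple):
    port: str
    cpe: str
    cve: str
    cvss: float
    url: str

# Constructed excerpt in the shape of the vulners output above (CVE ids as listed there).
SAMPLE = """\
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.2p2:
|     CVE-2016-6515  7.8  https://vulners.com/cve/CVE-2016-6515
|_    CVE-2016-6210  4.3  https://vulners.com/cve/CVE-2016-6210
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| vulners:
|   cpe:/a:apache:http_server:2.4.18:
|     CVE-2017-3167  7.5  https://vulners.com/cve/CVE-2017-3167
|     CVE-2019-0211  7.2  https://vulners.com/cve/CVE-2019-0211
|_    CVE-2016-8612  3.3  https://vulners.com/cve/CVE-2016-8612
"""

PORT_RE = re.compile(r"^(\d+/\w+)\s+open\b")            # "22/tcp   open  ssh ..."
CPE_RE = re.compile(r"^\|_?\s*(cpe:/\S+?):?\s*$")        # "|   cpe:/a:...:7.2p2:"
CVE_RE = re.compile(r"^\|_?\s*(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)")  # id, CVSS, url

def parse_vulners(text: str) -> List[Finding]:
    """Attach each CVE line to the port and CPE it was reported under."""
    findings: List[Finding] = []
    port = cpe = ""
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, cpe = m.group(1), ""   # new service: reset the CPE context
        elif m := CPE_RE.match(line):
            cpe = m.group(1)
        elif (m := CVE_RE.match(line)) and port:
            findings.append(Finding(port, cpe, m.group(1), float(m.group(2)), m.group(3)))
    return findings

def triage(text: str, min_cvss: float = 7.0) -> Dict[str, List[Finding]]:
    """Findings at or above min_cvss, grouped by port, highest CVSS first."""
    out: Dict[str, List[Finding]] = {}
    for f in parse_vulners(text):
        if f.cvss >= min_cvss:
            out.setdefault(f.port, []).append(f)
    for port in out:
        out[port].sort(key=lambda f: f.cvss, reverse=True)
    return out
```

The scores are the CVSS values vulners prints, so the threshold is a first cut; the service version it was matched on (the CPE) should still be verified before anything is reported as confirmed.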
More detailed banners: banner-plus
Installation
$ wget https://raw.githubusercontent.com/hdm/scan-tools/master/nse/banner-plus.nse
# for MacOS
$ cp banner-plus.nse /usr/local/share/nmap/scripts/
# for Linux
$ cp banner-plus.nse /usr/share/nmap/scripts/
Usage (in practice it seems to simply print everything the server returns)
root@giantbranch:~# nmap --script banner-plus 192.168.XXX.XXX
Starting Nmap 7.01 ( https://nmap.org ) at 2019-05-14 11:33 CST
Nmap scan report for 192.168.XXX.XXX
Host is up (0.00074s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
|_banner-plus: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n\x00\x00\x03\xCC\n\x14\xD8\xE9\x80iZ8(\xF2\xB8-\xE7c\xBC^J\xF7\x00\x00\x00\x96curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\x00\x00\x00Assh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519\x00\x00\x00lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\x00\x00\x00lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\x00\x00\x00\xD5umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\x00\x00\x00\xD5umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\x00\x00\x00\x15none,zlib@openssh.com\x00\x00\x00\x15none,zlib@openssh.com\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
80/tcp open http
|_banner-plus: HTTP/1.1 302 Found\r\nDate: Tue, 14 May 2019 03:33:50 GMT\r\nServer: Apache/2.4.18 (Ubuntu)\r\nSet-Cookie: KOD_SESSION_ID_e2e93=99fij5ulv88j14nva2vjf2vuj5; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: KOD_SESSION_ID_e2e93=99fij5ulv88j14nva2vjf2vuj5; path=/\r\nlocation: ./index.php?user/loginSubmit&name=guest&password=guest\r\nContent-Length: 0\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\n\r\n
3389/tcp open ms-wbt-server
|_banner-plus: \x03\x00\x00\t\x02\xF0\x80!
MAC Address: FA:16:3E:9A:0C:6F (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 6.90 seconds
Reference
https://www.hahwul.com/2019/05/four-nmap-nse-scripts-for-penetration.html