If you've been paying any attention to the open source security software space, you've probably noticed that one of our favorite tools, nmap, ships with a pretty serious scipting engine. NSE allows users to run scripted interactions on discovered services, and lately, the repository of those scripts has exploded. As of the 5.50 release of nmap, there are 177 scripts and 54 supporting libraries, covering all sorts of protocols you're likely run into during a pen-test engagement.

In order to capitalize on this work, I put together a Metasploit mixin to make development of Metasploit-driven NSE scripts pretty easy and straightforward, as well as an example Metasploit module to test for default Oracle database credentials. You can get a hold of these with a checkout from the svn repository:

svn co https://metasploit.com/svn/framework3/trunk msf3

Modules that include Msf::Auxiliary::Nmap will now have a few handy methods available to them; most notably, the nmap_run() and nmap_hosts() methods. The first gets a hold of the locally-installed nmap binary and module-defined arguments, and runs the proscribed nmap scan and scripts configured by the module in a consistent, platform-independent way. Nmap_hosts() takes the XML log file produced by nmap_run(), parses out all the host nodes, and passes those back to the module to deal with as it will -- modules can format and display results on the console, log to the database, or perform more follow-on actions.

I'm really excited about the practical collaboration opportunities this integration creates between the nmap and Metasploit communities. If someone writes a wicked fast NSE script for doing interesting things on the network via nmap, Metasploit users can now pretty easily take advantage of the research. Metasploit has supported importing Nmap scan results for a while now, but this mechanism is more direct, more real-time, and can be more specialized to take advantage of specific NSE scripts.