Nmap Injection Framework

This repository is my Thesis project. It's a framework developed to inject the response of the well known scanning tool Nmap. Injecting the response implies that an attacker who accesses the report via browser is going to get injected by a payload.

This project is based upon RevOK prototype developed by Andrea Valenza, Gabriele Costa and Alessandro Armando. You can find the paper online at this link: https://arxiv.org/pdf/2006.09769.pdf

This framework is designed to exploit vulnerabilities of the well known scanning tool Nmap. Developed in Java, it consists of 2 executables:

  1. Nif.jar (Injector_server.jar)
  2. All_payloads_filter.jar

Nif.jar sets up a server listening on certain ports, waiting for incoming connections by a scanner. Once it receives a request from the client, the server delivers the answer with a proper nmap output formula and injects the web client reading the output.

How does it work:

one In green we can see the scan is launched on the machine that is using the server, on port 22, but you don't need to specify a port if you want to scan all ports on the server at the same time. Supported ports at the moment are 20-22-25-80. In blue you can see the reply from the server. In red you can see the reply to the client, correctly injected.

Example scan all ports: three

All_payloads_filter.jar takes a file named top-services-probes.txt (which contains all the probes from nmap-service-probes that belong to top services we manually filtered for, see: match-topservices.txt and extractTopServices.sh) and looks for match directives that can be injected with a certain payload. We use a general payload by default, which contains most of the injection characters known, and we print the output to a file called injectable-service-probes.txt. But if you want you can specify a different payload to filter for as the input of the executable.Here we can see an example usage: two In red we can see the input file, in blue the output file, and in green the payload to filter for. We obtained a 37 lines file, and we can see some results. This means there are 37 injectable probes that can be injected by the payload "<script>alert(1)</script>".

Update 25/12/22

You can now launch full program (both All_payloads_filter and Nif at the same time) through script.sh. scriptsh working

You can now input a payload file to Nif.jar. Server will extract a random payload to deliver from input file. servinput In green you can see the input file, in blue the payload that got selected to be delivered, in red the delivery.

Update 10/01/23

You can now filter the default file (top-services-probes.txt) by a payload of choice. update filter


NIF can work with BeEF by delivering a payload that gets the scanner's browser hooked to the scanned target's BeEF console. As you can see from the image, we replicate the case in an internal environment by using 2 Kali machines in the same network, for educational purpose.

Step 1: The author starts the scan over the IP address and saves the results in an HTML file.


Step 2: The author opens the scan file to check results, and its browser gets hooked.


Step 3: Beef can now launch commands on the browser:let's prove it.



You can pull the latest version of the docker image of the tool here : https://hub.docker.com/r/alekira/nmap_injection_framework

Having issues with jar files on Linux?

Try running: java -jar ./filename.jar or use script.sh directly for default settings usage.

Libraries used:

AssertJ : credits to: https://github.com/assertj.

regexp-gen : credits to: https://github.com/Cornutum/regexp-gen

Download Here

Next Post Previous Post
No Comment
Add Comment
comment url