Nmap Injection Framework

This repository is my Thesis project. It is a framework developed to inject the response that the well known scanning tool Nmap receives from a scanned service. Injecting the response means that an attacker who later opens the scan report in a browser gets hit by the injected payload.

This project is based upon RevOK prototype developed by Andrea Valenza, Gabriele Costa and Alessandro Armando. You can find the paper online at this link: https://arxiv.org/pdf/2006.09769.pdf

This framework is designed to exploit vulnerabilities of the well known scanning tool Nmap. Developed in Java, it consists of 2 executables:

  1. Nif.jar (Injector_server.jar)
  2. All_payloads_filter.jar

Nif.jar sets up a server listening on certain ports, waiting for incoming connections from a scanner. Once it receives a request from the client, the server delivers an answer formatted so that Nmap's service detection recognises it, and that answer injects the web client reading the output.




How does it work:

[screenshot] In green we can see the scan launched against the machine running the server, on port 22, but you don't need to specify a port if you want to scan all ports on the server at the same time. Supported ports at the moment are 20, 21, 22, 25 and 80. In blue you can see the reply from the server. In red you can see the reply to the client, correctly injected.

Example of scanning all ports: [screenshot]

All_payloads_filter.jar takes a file named top-services-probes.txt (which contains all the probes from nmap-service-probes that belong to the top services we manually filtered for; see match-topservices.txt and extractTopServices.sh) and looks for match directives that can be injected with a certain payload. By default we use a general payload, which contains most of the known injection characters, and we print the output to a file called injectable-service-probes.txt. If you want, you can specify a different payload to filter for as the input of the executable.

Here we can see an example usage: [screenshot] In red we can see the input file, in blue the output file, and in green the payload to filter for. We obtained a 37-line file, and we can see some results. This means there are 37 injectable probes that can be injected by the payload "<script>alert(1)</script>".
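The viewer-side weakness this relies on is a report renderer that prints banner fields without escaping them. As an added example (not part of this project or of Nmap), the Python below parses Nmap -oX output, flags banner attributes that carry HTML-active content, and shows the escaped table row a report generator should emit instead. The XML sample and the 192.0.2.10 address are constructed for the example.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output: one clean banner and one banner in
# which the scanned service returned an HTML payload (addresses are RFC 5737
# documentation values, not real hosts).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.4.57"
 extrainfo="&lt;script&gt;alert(1)&lt;/script&gt;" method="probed"/></port>
</ports></host></nmaprun>"""

# Attributes Nmap fills from the banner the remote service sent, i.e. data an
# untrusted target fully controls.
BANNER_ATTRS = ("product", "version", "extrainfo", "hostname", "ostype",
                "devicetype", "servicefp")
# Content that is active in an HTML or JavaScript context. A legitimate banner
# has no reason to contain any of it, so a hit is worth a look on its own.
ACTIVE_CONTENT = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious_banners(xml_text):
    """Return [(addr, portid, attr, value)] for banner fields with active content."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            if svc is None:
                continue
            for attr in BANNER_ATTRS:
                value = svc.get(attr)
                if value and ACTIVE_CONTENT.search(value):
                    findings.append((addr, port.get("portid"), attr, value))
    return findings


def render_html_row(addr, portid, service_attrs):
    """Build one report table row, escaping every banner field. Skipping this
    escape is exactly what lets a banner payload run in the viewer's browser."""
    cells = [html.escape(addr), html.escape(portid)]
    cells += [html.escape(service_attrs.get(a, ""), quote=True) for a in BANNER_ATTRS]
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"
```

Run find_suspicious_banners over a real -oX file before converting it to HTML, and treat any hit as a hostile target rather than a formatting glitch.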

Update 25/12/22

You can now launch the full program (both All_payloads_filter and Nif at the same time) through script.sh. [screenshot]

You can now give Nif.jar a payload file as input. The server picks a random payload from that file to deliver. [screenshot] In green you can see the input file, in blue the payload that got selected for delivery, in red the delivery.

Update 10/01/23

You can now filter the default file (top-services-probes.txt) by a payload of your choice. [screenshot]

BeEF

NIF can work with BeEF by delivering a payload that hooks the scanner's browser to the scanned target's BeEF console. As you can see from the images, we replicate the case in an internal environment by using 2 Kali machines on the same network, for educational purpose.

Step 1: The author starts the scan over the IP address and saves the results in an HTML file.

[screenshot]

Step 2: The author opens the scan file to check the results, and their browser gets hooked.

[screenshot]

Step 3: BeEF can now launch commands in the browser. Let's prove it.

[screenshot]

Docker

You can pull the latest version of the Docker image of the tool here: https://hub.docker.com/r/alekira/nmap_injection_framework

Having issues with jar files on Linux?

Try running: java -jar ./filename.jar, or use script.sh directly for the default settings.

Libraries used:

AssertJ: credits to https://github.com/assertj

regexp-gen: credits to https://github.com/Cornutum/regexp-gen