Nmap doesn’t perform the script supplied as an argument

Posted on

Problem :

I’m running Kali Linux and I’m trying to run a nmap script against a host in the lab. The command I’m entering and the output is:

root@kali:/usr/share/nmap/scripts# nmap --script dns-fuzz --script-args timelimit=2h -d

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-24 18:44 CET
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: timelimit=2h
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 18:44
Scanning [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C2905 and arp[22:2] = 0x57E5
Completed ARP Ping Scan at 18:44, 0.01s elapsed (1 total hosts)
Overall sending rates: 114.85 packets / s, 4823.71 bytes / s.
mass_rdns: Using DNS server
mass_rdns: Using DNS server
Initiating Parallel DNS resolution of 1 host. at 18:44
mass_rdns: 0.02s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 18:44, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:44
Scanning [1000 ports]
Packet capture filter (device eth0): dst host and (icmp or icmp6 or ((tcp or udp or sctp) and (src host
Discovered open port 22/tcp on
Discovered open port 53/tcp on
Completed SYN Stealth Scan at 18:44, 0.04s elapsed (1000 total ports)
Overall sending rates: 26565.36 packets / s, 1168876.02 bytes / s.
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for
Host is up, received arp-response (0.00030s latency).
Scanned at 2014-01-24 18:44:48 CET for 0s
Not shown: 998 closed ports
Reason: 998 resets
22/tcp open  ssh     syn-ack
53/tcp open  domain  syn-ack
MAC Address: 00:0C:29:7B:5E:8E (VMware)
Final times for host: srtt: 299 rttvar: 23  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)

This problem not only occurs with this particular script, but with all.

The same question with the same setting was asked here as well: Nmap doesn’t use the script supplied in argument

But I could not comment, due to too less reputation with the “-d” – Output, so I decided to ask a new question. I hope, that’s okay.

Solution :

Nmap Scripting Engine (NSE) scripts decide when to run based on a function called the rule. In the case of dns-fuzz, the rule is:

portrule = shortport.portnumber(53, "udp")

Using the shortport library, the script requests to be run only for hosts which have port 53 UDP open.

Your example scan is a TCP scan. Since no UDP ports are scanned, the dns-fuzz script will never run. DNS can use TCP as a transport, so there shouldn’t be a problem converting this script to work for both. There are a few conversions that must happen before it will work (removing explicit proto="udp", for instance), but it should be an easy project.

EDIT: TCP support was added to this script on January 31, 2014, and is available in Nmap 6.45 and later.

Leave a Reply

Your email address will not be published. Required fields are marked *