In the prior articles (Getting Started with nmap and Deeper Scanning with nmap), we showed you how to get started, and how to dive deeper with this superb network scanner.
Let’s go even deeper!
One of the cool things nmap has is the ability to run scripts. Writing these from scratch would be tedious, so most systems that have nmap installed ship with a really great set of scripts included.
WARNING! We have said this before, and we must re-iterate. You must have authorization to perform scanning tasks on the network. If you don’t, stop!
The scripting capability is called the nmap Scripting Engine, or NSE for short.
To start with, each script has a name and belongs to one or more categories, such as ‘default’, which selects a set of activities/scans that nmap will perform. Usually you will run one of these scripts or categories against a target system.
Let’s start with a quick scan of my network to see what is there:
root@kali:~# nmap -sn 192.168.1.0/24
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:28 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0068s latency).
MAC Address: 70:77:81:DD:C3:7C (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.103
Host is up (0.0011s latency).
MAC Address: 3C:07:54:69:2D:CF (Apple)
Nmap scan report for 192.168.1.105
Host is up (0.00021s latency).
MAC Address: 2C:60:0C:0C:97:BC (Quanta Computer)
Nmap scan report for 192.168.1.108
Host is up (0.036s latency).
MAC Address: CC:20:E8:D7:D3:A9 (Apple)
Nmap scan report for 192.168.1.109
Host is up (0.034s latency).
MAC Address: 04:54:53:12:E0:02 (Apple)
Nmap scan report for 192.168.1.111
Host is up (0.34s latency).
MAC Address: 2C:F0:EE:00:6B:4E (Apple)
Nmap scan report for 192.168.1.203
Host is up (0.16s latency).
MAC Address: 18:B4:30:01:A0:18 (Nest Labs)
Nmap scan report for 192.168.1.208
Host is up (0.16s latency).
MAC Address: 18:B4:30:00:6D:9B (Nest Labs)
Nmap scan report for 192.168.1.250
Host is up (0.15s latency).
MAC Address: A0:2B:B8:6C:F7:4E (Hewlett Packard)
Nmap scan report for 192.168.1.251
Host is up (0.0010s latency).
MAC Address: 00:11:32:1E:79:FF (Synology Incorporated)
Nmap scan report for 192.168.1.252
Host is up (0.00074s latency).
MAC Address: 00:11:32:1E:79:FF (Synology Incorporated)
Nmap scan report for 192.168.1.253
Host is up (0.00076s latency).
MAC Address: 00:0E:C9:03:54:33 (Yoko Technology)
Nmap scan report for 192.168.1.2
Host is up.
Nmap done: 256 IP addresses (13 hosts up) scanned in 10.65 seconds
OK great.
I am going to pick on the Synology NAS at 192.168.1.252.
Let’s run the default scan script on that system:
nmap --script=default 192.168.1.252
Here is the result:
root@kali:~# nmap --script=default 192.168.1.252
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:42 EDT
Nmap scan report for 192.168.1.252
Host is up (0.00045s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
| Not valid before: 2013-10-09T21:13:07
|_Not valid after: 2033-06-26T21:13:07
80/tcp open http
|_http-title: Hello! Welcome to Synology Web Station!
111/tcp open rpcbind
139/tcp open netbios-ssn
161/tcp open snmp
443/tcp open https
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
| Not valid before: 2013-10-09T21:13:07
|_Not valid after: 2033-06-26T21:13:07
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
445/tcp open microsoft-ds
548/tcp open afp
| afp-serverinfo:
| Server Flags:
| Flags hex: 0x8f79
| Super Client: true
| UUIDs: true
| UTF8 Server Name: true
| Open Directory: true
| Reconnect: false
| Server Notifications: true
| TCP/IP: true
| Server Signature: true
| Server Messages: true
| Password Saving Prohibited: false
| Password Changing: false
| Copy File: true
| Server Name: DiskStation
| Machine Type: Netatalk3.1.1
| AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
| UAMs: DHX2, DHCAST128
| Server Signature: 1649739fc2a9edeaa0ab8521a4e071b3
| Network Addresses:
| 192.168.1.252
|_ UTF8 Server Name: DiskStation
1723/tcp open pptp
2049/tcp open nfs
3261/tcp open winshadow
3689/tcp open rendezvous
5000/tcp open upnp
5001/tcp open commplex-link
MAC Address: 00:11:32:1E:7A:00 (Synology Incorporated)
Host script results:
|_nbstat: NetBIOS name: DISKSTATION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Nmap done: 1 IP address (1 host up) scanned in 12.51 seconds
We have learned a lot about what ports are open, the web services, and much more.
There are a ton of scripts – you can get a verbose output and description with the following command:
nmap --script-help {script name}
Here is a fun script to “discover” your network:
root@kali:~# nmap --script discovery
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:48 EDT
Pre-scan script results:
| broadcast-igmp-discovery:
| 192.168.1.105
| Interface: eth0
| Version: 2
| Group: 224.0.0.252
| Description: Link-local Multicast Name Resolution (rfc4795)
| 192.168.1.108
| Interface: eth0
| Version: 2
| Group: 224.0.0.251
| Description: mDNS (rfc6762)
| 192.168.1.251
| Interface: eth0
| Version: 2
| Group: 224.0.0.251
| Description: mDNS (rfc6762)
| 192.168.1.250
| Interface: eth0
| Version: 2
| Group: 224.0.1.1
| Description: NTP Network Time Protocol (rfc5905)
| 192.168.1.250
| Interface: eth0
| Version: 2
| Group: 224.0.1.60
| Description: hp-device-disc
| 192.168.1.250
| Interface: eth0
| Version: 2
| Group: 239.255.255.250
| Description: Organization-Local Scope (rfc2365)
|_ Use the newtargets script-arg to add the results as targets
| broadcast-ping:
| IP: 192.168.1.103 MAC: 3c:07:54:69:2d:cf
| IP: 192.168.1.109 MAC: 04:54:53:12:e0:02
|_ Use --script-args=newtargets to add the results as targets
| ipv6-multicast-mld-list:
| fe80::654:53ff:fe12:e002:
| device: eth0
| mac: 04:54:53:12:e0:02
| multicast_ips:
| ff02::1:ff00:a (Solicited-Node Address)
| ff02::2:ff47:a15c (Node Information Queries)
| ff02::1:ff8b:d30a (Solicited-Node Address)
| ff02::1:ff12:e002 (NDP Solicited-node)
| fe80::1063:24d5:6acb:8fa3:
| device: eth0
| mac: cc:20:e8:d7:d3:a9
| multicast_ips:
| ff02::fb (mDNSv6)
| fe80::7277:81ff:fedd:c37a:
| device: eth0
| mac: 70:77:81:dd:c3:7a
| multicast_ips:
| ff02::1:ffad:b373 (Solicited-Node Address)
| ff02::1:ffdd:c37a (NDP Solicited-node)
| fe80::211:32ff:fe1e:7a00:
| device: eth0
| mac: 00:11:32:1e:7a:00
| multicast_ips:
| ff02::fb (mDNSv6)
| fe80::a481:9984:8d99:96dd:
| device: eth0
| mac: 2c:60:0c:0c:97:bc
| multicast_ips:
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| fe80::3e07:54ff:fe69:2dcf:
| device: eth0
| mac: 3c:07:54:69:2d:cf
| multicast_ips:
| ff02::1:ff77:9c66 (Solicited-Node Address)
| ff02::2:ff47:a15c (Node Information Queries)
| ff02::1:ff51:67ca (Solicited-Node Address)
| ff02::1:ff00:e (Solicited-Node Address)
| ff02::1:ff69:2dcf (NDP Solicited-node)
| fe80::a22b:b8ff:fe6c:f74e:
| device: eth0
| mac: a0:2b:b8:6c:f7:4e
| multicast_ips:
| ff02::c (SSDP)
| ff02::1:ff00:3 (Solicited-Node Address)
| ff02::fb (mDNSv6)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:ff6c:f74e (NDP Solicited-node)
| fe80::7277:81ff:fedd:c37c:
| device: eth0
| mac: 70:77:81:dd:c3:7c
| multicast_ips:
| ff02::1:ffdd:c37c (NDP Solicited-node)
| fe80::211:32ff:fe1e:79ff:
| device: eth0
| mac: 00:11:32:1e:79:ff
| multicast_ips:
|_ ff02::fb (mDNSv6)
| lltd-discovery:
| 192.168.1.105
| Hostname: CellStream-PC
| Mac: 0a:00:27:00:00:13 (Unknown)
| IPv6: 2605:6001:e7c9:7500:0000:0000:0000:0007
|_ Use the newtargets script-arg to add the results as targets
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
| targets-ipv6-multicast-echo:
| IP: 2605:6001:e7c9:7500:7277:81ff:fedd:c37c MAC: 70:77:81:dd:c3:7c IFACE: eth0
| IP: 2605:6001:e7c9:7500:3e07:54ff:fe69:2dcf MAC: 3c:07:54:69:2d:cf IFACE: eth0
| IP: 2605:6001:e7c9:7500:211:32ff:fe1e:79ff MAC: 00:11:32:1e:79:ff IFACE: eth0
| IP: fe80::7277:81ff:fedd:c37c MAC: 70:77:81:dd:c3:7c IFACE: eth0
| IP: fe80::211:32ff:fe1e:79ff MAC: 00:11:32:1e:79:ff IFACE: eth0
| IP: fe80::211:32ff:fe1e:7a00 MAC: 00:11:32:1e:7a:00 IFACE: eth0
| IP: fe80::3e07:54ff:fe69:2dcf MAC: 3c:07:54:69:2d:cf IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst:
| IP: fe80::211:32ff:fe1e:7a00 MAC: 00:11:32:1e:7a:00 IFACE: eth0
| IP: 2605:6001:e7c9:7500:211:32ff:fe1e:79ff MAC: 00:11:32:1e:79:ff IFACE: eth0
| IP: 2605:6001:e7c9:7500:3e07:54ff:fe69:2dcf MAC: 3c:07:54:69:2d:cf IFACE: eth0
| IP: fe80::211:32ff:fe1e:79ff MAC: 00:11:32:1e:79:ff IFACE: eth0
| IP: fe80::3e07:54ff:fe69:2dcf MAC: 3c:07:54:69:2d:cf IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld:
| IP: fe80::1063:24d5:6acb:8fa3 MAC: cc:20:e8:d7:d3:a9 IFACE: eth0
| IP: fe80::211:32ff:fe1e:79ff MAC: 00:11:32:1e:79:ff IFACE: eth0
| IP: fe80::211:32ff:fe1e:7a00 MAC: 00:11:32:1e:7a:00 IFACE: eth0
| IP: fe80::3e07:54ff:fe69:2dcf MAC: 3c:07:54:69:2d:cf IFACE: eth0
| IP: fe80::654:53ff:fe12:e002 MAC: 04:54:53:12:e0:02 IFACE: eth0
| IP: fe80::7277:81ff:fedd:c37a MAC: 70:77:81:dd:c3:7a IFACE: eth0
| IP: fe80::7277:81ff:fedd:c37c MAC: 70:77:81:dd:c3:7c IFACE: eth0
| IP: fe80::a22b:b8ff:fe6c:f74e MAC: a0:2b:b8:6c:f7:4e IFACE: eth0
| IP: fe80::a481:9984:8d99:96dd MAC: 2c:60:0c:0c:97:bc IFACE: eth0
|
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-slaac:
| IP: fe80::a481:9984:8d99:96dd MAC: 2c:60:0c:0c:97:bc IFACE: eth0
| IP: fe80::1404:eaa0:6fe7:9959 MAC: 2c:60:0c:0c:97:bc IFACE: eth0
| IP: fe80::211:32ff:fe1e:79ff MAC: 00:11:32:1e:79:ff IFACE: eth0
| IP: fe80::3192:44d5:bb77:9c66 MAC: 3c:07:54:69:2d:cf IFACE: eth0
| IP: fe80::211:32ff:fe1e:7a00 MAC: 00:11:32:1e:7a:00 IFACE: eth0
| IP: fe80::3e07:54ff:fe69:2dcf MAC: 3c:07:54:69:2d:cf IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 11.18 seconds
You can combine scripts as well. I have written a separate article on scripting with nmap here.
Let’s say you wanted to combine the discovery script with the default script:
nmap --script "discovery or default" 192.168.1.252
There are also serious penetration testing script categories that actively attack the target using nmap: exploit attempts to exploit vulnerabilities, brute tries to guess credentials, dos can crash services, and malware checks whether the host is already infected or backdoored!
Here are some examples:
nmap --script=exploit 192.168.1.252
nmap --script=brute 192.168.1.252
nmap --script=dos 192.168.1.252
nmap --script=malware 192.168.1.252
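Before running a category such as exploit or brute, it is worth checking exactly which scripts an expression selects. This added example (not nmap's own code, nor from the article) parses the script.db index that ships beside the NSE scripts and evaluates the and/or/not/parentheses syntax that --script accepts; the entries below are constructed, and wildcards and directory names are not handled.

```python
import re

# Constructed excerpt of nmap's script.db (the real file lives next to the
# NSE scripts, e.g. /usr/share/nmap/scripts/script.db, one Entry per line).
SCRIPT_DB = '''
Entry { filename = "afp-serverinfo.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "afp-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "broadcast-ping.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-security-mode.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-cve2009-3103.nse", categories = { "vuln", "intrusive", "dos", } }
'''
ENTRY = re.compile(r'filename = "([^"]+)", categories = \{([^}]*)\}')

def parse_script_db(text):
    """Map script filename -> set of its categories."""
    return {fn: set(re.findall(r'"([^"]+)"', cats)) for fn, cats in ENTRY.findall(text)}

def select(expr, db):
    """Sorted list of scripts matched by a --script expression built from
    category or script names joined with and / or / not and parentheses."""
    toks = re.findall(r'\(|\)|[\w.-]+', expr)
    pos = 0
    def matches(name, fn):
        return name in db[fn] or name == fn or name + ".nse" == fn
    def atom():
        nonlocal pos
        t = toks[pos]
        pos += 1
        if t == "(":
            r = disj()
            pos += 1  # skip the closing ')'
            return r
        if t == "not":
            return set(db) - atom()
        return {fn for fn in db if matches(t, fn)}
    def conj():  # 'and' binds tighter than 'or', as in nmap
        nonlocal pos
        r = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            r &= atom()
        return r
    def disj():
        nonlocal pos
        r = conj()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            r |= conj()
        return r
    return sorted(disj())
```

Running select("default and not intrusive", db) is the quickest way to confirm a scan will stay within the safe, non-disruptive scripts.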
There are also some shortcuts – for example you can run the default script by simply using the following command:
nmap -sC 192.168.1.252
You can find the OS and service versions of a system with -A, which turns on OS detection, version detection, the default script scan and traceroute in one go:
nmap -A 192.168.1.252
Lastly, you can get version and vulnerability information using scripts.
Let’s run the version script on that same NAS system:
root@kali:~# nmap --script=version 192.168.1.252
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:57 EDT
Nmap scan report for 192.168.1.252
Host is up (0.00052s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-server-header: nginx
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 892/tcp mountd
| 100005 1,2,3 892/udp mountd
| 100021 1,3,4 53017/tcp nlockmgr
| 100021 1,3,4 56205/udp nlockmgr
| 100024 1 33519/tcp status
|_ 100024 1 44012/udp status
139/tcp open netbios-ssn
161/tcp open snmp
443/tcp open https
|_http-server-header: nginx
445/tcp open microsoft-ds
548/tcp open afp
1723/tcp open pptp
2049/tcp open nfs
3261/tcp open winshadow
3689/tcp open rendezvous
5000/tcp open upnp
5001/tcp open commplex-link
MAC Address: 00:11:32:1E:7A:00 (Synology Incorporated)
Service Info: Host: local
Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds
Now, let’s see if there are any vulnerabilities:
root@kali:~# nmap --script=vuln 192.168.1.252
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:59 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.252
Host is up (0.00094s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_sslv2-drown:
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /blog/: Blog
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind
139/tcp open netbios-ssn
161/tcp open snmp
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /blog/: Blog
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
445/tcp open microsoft-ds
548/tcp open afp
1723/tcp open pptp
2049/tcp open nfs
3261/tcp open winshadow
3689/tcp open rendezvous
5000/tcp open upnp
5001/tcp open commplex-link
MAC Address: 00:11:32:1E:7A:00 (Synology Incorporated)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCOUNT_DISABLED
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Nmap done: 1 IP address (1 host up) scanned in 52.51 seconds
Superb!
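Reading these results by eye is fine for one host; for more, save the scan with -oX and parse the XML. This added example (not from the article or from nmap) triages a constructed -oX excerpt that mirrors the findings above: it lists open ports, flags SMB message signing reported as disabled by smb-security-mode, and flags any vuln script whose state is VULNERABLE.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in nmap's -oX format, modelled on the default and vuln
# scan results for the NAS in the article (not a real capture).
SAMPLE_XML = """<nmaprun>
<host><address addr="192.168.1.252" addrtype="ipv4"/>
<ports>
 <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
  <script id="http-title" output="Hello! Welcome to Synology Web Station!"/></port>
</ports>
<hostscript>
 <script id="smb-security-mode" output="">
  <elem key="account_used">guest</elem>
  <elem key="message_signing">disabled (dangerous, but default)</elem>
 </script>
 <script id="smb-vuln-cve2009-3103" output="">
  <table key="CVE-2009-3103"><elem key="state">VULNERABLE</elem>
   <table key="ids"><elem>CVE:CVE-2009-3103</elem></table></table>
 </script>
 <script id="smb-vuln-ms10-054" output="false"/>
</hostscript></host></nmaprun>"""

def open_ports(host):
    """(port, proto, service) for every port whose state is open."""
    return [(int(p.get("portid")), p.get("protocol"), p.find("service").get("name"))
            for p in host.iter("port") if p.find("state").get("state") == "open"]

def findings(host):
    """NSE results worth a ticket: SMB signing off, or a vuln script
    reporting a VULNERABLE state (the vulns library emits a 'state' elem)."""
    out = []
    for s in host.iter("script"):
        sid = s.get("id")
        for e in s.iter("elem"):
            key, val = e.get("key"), (e.text or "").strip()
            if sid == "smb-security-mode" and key == "message_signing" and val.startswith("disabled"):
                out.append((sid, "SMB signing disabled: require signing on the server"))
            if key == "state" and val == "VULNERABLE":
                out.append((sid, "script reports VULNERABLE: patch or disable the service"))
    return out

def triage(xml_text):
    """Per host address: its open ports and the findings above."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        report[addr] = {"open": open_ports(host), "findings": findings(host)}
    return report
```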
As I said previously, there are many more options with nmap.
We hope this helps.