
Even Deeper Scanning with nmap

In the prior articles (Getting Started with nmap and Deeper Scanning with nmap), we showed you how to get started and how to dive deeper with this superb network scanner.

Let’s go even deeper!

One of the cool things about nmap is its ability to run scripts, and to let you create your own.  Writing them from scratch would be tedious, so most systems that have nmap installed come with a really great set of scripts included.

WARNING!  We have said this before, and we must re-iterate.  You must have authorization to perform scanning tasks on the network.  If you don’t, stop!

The scripting capability is called the nmap Scripting Engine, or NSE for short.

To start with, scripts are grouped under names such as ‘default’, each of which defines a set of activities/scans that nmap will run.  Usually you will run one of these sets of scripts against a target system.

Let’s start with a quick scan of my network to see what is there:

root@kali:~# nmap -sn 192.168.1.0/24
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:28 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0068s latency).
MAC Address: 70:77:81:DD:C3:7C (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.103
Host is up (0.0011s latency).
MAC Address: 3C:07:54:69:2D:CF (Apple)
Nmap scan report for 192.168.1.105
Host is up (0.00021s latency).
MAC Address: 2C:60:0C:0C:97:BC (Quanta Computer)
Nmap scan report for 192.168.1.108
Host is up (0.036s latency).
MAC Address: CC:20:E8:D7:D3:A9 (Apple)
Nmap scan report for 192.168.1.109
Host is up (0.034s latency).
MAC Address: 04:54:53:12:E0:02 (Apple)
Nmap scan report for 192.168.1.111
Host is up (0.34s latency).
MAC Address: 2C:F0:EE:00:6B:4E (Apple)
Nmap scan report for 192.168.1.203
Host is up (0.16s latency).
MAC Address: 18:B4:30:01:A0:18 (Nest Labs)
Nmap scan report for 192.168.1.208
Host is up (0.16s latency).
MAC Address: 18:B4:30:00:6D:9B (Nest Labs)
Nmap scan report for 192.168.1.250
Host is up (0.15s latency).
MAC Address: A0:2B:B8:6C:F7:4E (Hewlett Packard)
Nmap scan report for 192.168.1.251
Host is up (0.0010s latency).
MAC Address: 00:11:32:1E:79:FF (Synology Incorporated)
Nmap scan report for 192.168.1.252
Host is up (0.00074s latency).
MAC Address: 00:11:32:1E:79:FF (Synology Incorporated)
Nmap scan report for 192.168.1.253
Host is up (0.00076s latency).
MAC Address: 00:0E:C9:03:54:33 (Yoko Technology)
Nmap scan report for 192.168.1.2
Host is up.
Nmap done: 256 IP addresses (13 hosts up) scanned in 10.65 seconds

OK great.

I am going to pick on the Synology NAS at 192.168.1.252.

Let’s run the default scan script on that system:

nmap --script=default 192.168.1.252

Here is the result:

root@kali:~# nmap --script=default 192.168.1.252
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:42 EDT
Nmap scan report for 192.168.1.252
Host is up (0.00045s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
| Not valid before: 2013-10-09T21:13:07
|_Not valid after:  2033-06-26T21:13:07
80/tcp   open  http
|_http-title: Hello! Welcome to Synology Web Station!
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
161/tcp  open  snmp
443/tcp  open  https
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./stateOrProvinceName=Taiwan/countryName=TW
| Not valid before: 2013-10-09T21:13:07
|_Not valid after:  2033-06-26T21:13:07
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|_  http/1.1
445/tcp  open  microsoft-ds
548/tcp  open  afp
| afp-serverinfo: 
|   Server Flags: 
|     Flags hex: 0x8f79
|     Super Client: true
|     UUIDs: true
|     UTF8 Server Name: true
|     Open Directory: true
|     Reconnect: false
|     Server Notifications: true
|     TCP/IP: true
|     Server Signature: true
|     Server Messages: true
|     Password Saving Prohibited: false
|     Password Changing: false
|     Copy File: true
|   Server Name: DiskStation
|   Machine Type: Netatalk3.1.1
|   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
|   UAMs: DHX2, DHCAST128
|   Server Signature: 1649739fc2a9edeaa0ab8521a4e071b3
|   Network Addresses: 
|     192.168.1.252
|_  UTF8 Server Name: DiskStation
1723/tcp open  pptp
2049/tcp open  nfs
3261/tcp open  winshadow
3689/tcp open  rendezvous
5000/tcp open  upnp
5001/tcp open  commplex-link
MAC Address: 00:11:32:1E:7A:00 (Synology Incorporated)
Host script results:
|_nbstat: NetBIOS name: DISKSTATION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Nmap done: 1 IP address (1 host up) scanned in 12.51 seconds

We have learned a lot about what ports are open, the web services, and much more.

There are a ton of scripts, and you can get verbose output and a description of any one of them with the following command:

nmap --script-help {script name}

Here is a fun script to “discover” your network:

root@kali:~# nmap --script discovery
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:48 EDT
Pre-scan script results:
| broadcast-igmp-discovery: 
|   192.168.1.105
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   192.168.1.108
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|   192.168.1.251
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|   192.168.1.250
|     Interface: eth0
|     Version: 2
|     Group: 224.0.1.1
|     Description: NTP Network Time Protocol (rfc5905)
|   192.168.1.250
|     Interface: eth0
|     Version: 2
|     Group: 224.0.1.60
|     Description: hp-device-disc
|   192.168.1.250
|     Interface: eth0
|     Version: 2
|     Group: 239.255.255.250
|     Description: Organization-Local Scope (rfc2365)
|_  Use the newtargets script-arg to add the results as targets
| broadcast-ping: 
|   IP: 192.168.1.103  MAC: 3c:07:54:69:2d:cf
|   IP: 192.168.1.109  MAC: 04:54:53:12:e0:02
|_  Use --script-args=newtargets to add the results as targets
| ipv6-multicast-mld-list: 
|   fe80::654:53ff:fe12:e002: 
|     device: eth0
|     mac: 04:54:53:12:e0:02
|     multicast_ips: 
|       ff02::1:ff00:a            (Solicited-Node Address)
|       ff02::2:ff47:a15c         (Node Information Queries)
|       ff02::1:ff8b:d30a         (Solicited-Node Address)
|       ff02::1:ff12:e002         (NDP Solicited-node)
|   fe80::1063:24d5:6acb:8fa3: 
|     device: eth0
|     mac: cc:20:e8:d7:d3:a9
|     multicast_ips: 
|       ff02::fb                  (mDNSv6)
|   fe80::7277:81ff:fedd:c37a: 
|     device: eth0
|     mac: 70:77:81:dd:c3:7a
|     multicast_ips: 
|       ff02::1:ffad:b373         (Solicited-Node Address)
|       ff02::1:ffdd:c37a         (NDP Solicited-node)
|   fe80::211:32ff:fe1e:7a00: 
|     device: eth0
|     mac: 00:11:32:1e:7a:00
|     multicast_ips: 
|       ff02::fb                  (mDNSv6)
|   fe80::a481:9984:8d99:96dd: 
|     device: eth0
|     mac: 2c:60:0c:0c:97:bc
|     multicast_ips: 
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|   fe80::3e07:54ff:fe69:2dcf: 
|     device: eth0
|     mac: 3c:07:54:69:2d:cf
|     multicast_ips: 
|       ff02::1:ff77:9c66         (Solicited-Node Address)
|       ff02::2:ff47:a15c         (Node Information Queries)
|       ff02::1:ff51:67ca         (Solicited-Node Address)
|       ff02::1:ff00:e            (Solicited-Node Address)
|       ff02::1:ff69:2dcf         (NDP Solicited-node)
|   fe80::a22b:b8ff:fe6c:f74e: 
|     device: eth0
|     mac: a0:2b:b8:6c:f7:4e
|     multicast_ips: 
|       ff02::c                   (SSDP)
|       ff02::1:ff00:3            (Solicited-Node Address)
|       ff02::fb                  (mDNSv6)
|       ff02::1:3                 (Link-local Multicast Name Resolution)
|       ff02::1:ff6c:f74e         (NDP Solicited-node)
|   fe80::7277:81ff:fedd:c37c: 
|     device: eth0
|     mac: 70:77:81:dd:c3:7c
|     multicast_ips: 
|       ff02::1:ffdd:c37c         (NDP Solicited-node)
|   fe80::211:32ff:fe1e:79ff: 
|     device: eth0
|     mac: 00:11:32:1e:79:ff
|     multicast_ips: 
|_      ff02::fb                  (mDNSv6)
| lltd-discovery: 
|   192.168.1.105
|     Hostname: CellStream-PC
|     Mac: 0a:00:27:00:00:13 (Unknown)
|     IPv6: 2605:6001:e7c9:7500:0000:0000:0000:0007
|_  Use the newtargets script-arg to add the results as targets
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
| targets-ipv6-multicast-echo: 
|   IP: 2605:6001:e7c9:7500:7277:81ff:fedd:c37c  MAC: 70:77:81:dd:c3:7c  IFACE: eth0
|   IP: 2605:6001:e7c9:7500:3e07:54ff:fe69:2dcf  MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|   IP: 2605:6001:e7c9:7500:211:32ff:fe1e:79ff   MAC: 00:11:32:1e:79:ff  IFACE: eth0
|   IP: fe80::7277:81ff:fedd:c37c                MAC: 70:77:81:dd:c3:7c  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:79ff                 MAC: 00:11:32:1e:79:ff  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:7a00                 MAC: 00:11:32:1e:7a:00  IFACE: eth0
|   IP: fe80::3e07:54ff:fe69:2dcf                MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst: 
|   IP: fe80::211:32ff:fe1e:7a00                 MAC: 00:11:32:1e:7a:00  IFACE: eth0
|   IP: 2605:6001:e7c9:7500:211:32ff:fe1e:79ff   MAC: 00:11:32:1e:79:ff  IFACE: eth0
|   IP: 2605:6001:e7c9:7500:3e07:54ff:fe69:2dcf  MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:79ff                 MAC: 00:11:32:1e:79:ff  IFACE: eth0
|   IP: fe80::3e07:54ff:fe69:2dcf                MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld: 
|   IP: fe80::1063:24d5:6acb:8fa3  MAC: cc:20:e8:d7:d3:a9  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:79ff   MAC: 00:11:32:1e:79:ff  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:7a00   MAC: 00:11:32:1e:7a:00  IFACE: eth0
|   IP: fe80::3e07:54ff:fe69:2dcf  MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|   IP: fe80::654:53ff:fe12:e002   MAC: 04:54:53:12:e0:02  IFACE: eth0
|   IP: fe80::7277:81ff:fedd:c37a  MAC: 70:77:81:dd:c3:7a  IFACE: eth0
|   IP: fe80::7277:81ff:fedd:c37c  MAC: 70:77:81:dd:c3:7c  IFACE: eth0
|   IP: fe80::a22b:b8ff:fe6c:f74e  MAC: a0:2b:b8:6c:f7:4e  IFACE: eth0
|   IP: fe80::a481:9984:8d99:96dd  MAC: 2c:60:0c:0c:97:bc  IFACE: eth0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-slaac: 
|   IP: fe80::a481:9984:8d99:96dd  MAC: 2c:60:0c:0c:97:bc  IFACE: eth0
|   IP: fe80::1404:eaa0:6fe7:9959  MAC: 2c:60:0c:0c:97:bc  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:79ff   MAC: 00:11:32:1e:79:ff  IFACE: eth0
|   IP: fe80::3192:44d5:bb77:9c66  MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|   IP: fe80::211:32ff:fe1e:7a00   MAC: 00:11:32:1e:7a:00  IFACE: eth0
|   IP: fe80::3e07:54ff:fe69:2dcf  MAC: 3c:07:54:69:2d:cf  IFACE: eth0
|_  Use --script-args=newtargets to add the results as targets
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 11.18 seconds

You can combine scripts as well.  I have written a separate article on scripting with nmap here.

Let’s say you wanted to combine the discovery script with the default script:

nmap --script "discovery or default" 192.168.1.252

There are also serious penetration testing scripts that execute malicious attacks using nmap!

Here are some examples:

nmap --script=exploit 192.168.1.252

nmap --script=brute 192.168.1.252

nmap --script=dos 192.168.1.252

nmap --script=malware 192.168.1.252

There are also some shortcuts – for example you can run the default script by simply using the following command:

nmap -sC 192.168.1.252

You can find the OS and version of a system with:

nmap -A 192.168.1.252

Lastly, you can get version and vulnerability information using scripts.

Let’s run the version script on that same NAS system:

root@kali:~# nmap --script=version 192.168.1.252
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:57 EDT
Nmap scan report for 192.168.1.252
Host is up (0.00052s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
|_http-server-header: nginx
111/tcp  open  rpcbind
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3         2049/udp  nfs
|   100003  2,3,4       2049/tcp  nfs
|   100005  1,2,3        892/tcp  mountd
|   100005  1,2,3        892/udp  mountd
|   100021  1,3,4      53017/tcp  nlockmgr
|   100021  1,3,4      56205/udp  nlockmgr
|   100024  1          33519/tcp  status
|_  100024  1          44012/udp  status
139/tcp  open  netbios-ssn
161/tcp  open  snmp
443/tcp  open  https
|_http-server-header: nginx
445/tcp  open  microsoft-ds
548/tcp  open  afp
1723/tcp open  pptp
2049/tcp open  nfs
3261/tcp open  winshadow
3689/tcp open  rendezvous
5000/tcp open  upnp
5001/tcp open  commplex-link
MAC Address: 00:11:32:1E:7A:00 (Synology Incorporated)
Service Info: Host: local
Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds

Now, let’s see if there are any vulnerabilities:

root@kali:~# nmap --script=vuln 192.168.1.252
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 14:59 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.252
Host is up (0.00094s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_sslv2-drown: 
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /blog/: Blog
|_http-fileupload-exploiter: 
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
161/tcp  open  snmp
443/tcp  open  https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /blog/: Blog
|_http-fileupload-exploiter: 
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown: 
445/tcp  open  microsoft-ds
548/tcp  open  afp
1723/tcp open  pptp
2049/tcp open  nfs
3261/tcp open  winshadow
3689/tcp open  rendezvous
5000/tcp open  upnp
5001/tcp open  commplex-link
MAC Address: 00:11:32:1E:7A:00 (Synology Incorporated)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCOUNT_DISABLED
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, 
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a 
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE 
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, 
|           aka "SMBv2 Negotiation Vulnerability." 
|           
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Nmap done: 1 IP address (1 host up) scanned in 52.51 seconds

Superb!
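Reports like the two above pile up quickly once you scan a whole network, so it pays to parse them rather than read them by eye.  As an added example (not from this article or from the nmap project), here is a small Python parser for nmap's normal text output that keys each NSE result by host and port and pulls out the ones a defender should act on: any script reporting a VULNERABLE state, and any setting nmap itself labels dangerous (such as the disabled SMB signing seen in the default scan).  The sample input is a constructed excerpt of the reports above.

```python
import re

# Constructed excerpt in nmap's normal-output shape, abridged from the default
# and --script=vuln reports above so that the parser can run offline.
SAMPLE = """\
Nmap scan report for 192.168.1.252
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
Host script results:
| smb-security-mode: 
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-cve2009-3103: 
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|_    State: VULNERABLE
"""

SCRIPT = re.compile(r"^\|(?:_| )([\w.-]+):\s?(.*)$")  # "| id: ..." / "|_id: ..." opens a script result
CONT = re.compile(r"^\|[_ ]\s+(\S.*)$")               # deeper-indented line continues that result

def parse_nmap_output(text):
    """Map address -> location ("80/tcp", "host") -> script id -> its output lines."""
    hosts, host, loc, script = {}, None, None, None
    for line in text.splitlines():
        if (m := re.match(r"^Nmap scan report for (\S+)", line)):
            host, loc, script = hosts.setdefault(m.group(1), {}), None, None
        elif host is None:                  # banner and pre-scan section carry no per-host data
            continue
        elif line.startswith("Host script results:"):
            loc, script = "host", None
        elif (m := re.match(r"^(\d+/(?:tcp|udp))\s+\S+\s+\S+", line)):   # port table row
            loc, script = m.group(1), None
        elif (m := SCRIPT.match(line)) and loc:
            script = host.setdefault(loc, {}).setdefault(m.group(1), [])
            script += [m.group(2)] if m.group(2) else []
        elif (m := CONT.match(line)) and script is not None:
            script.append(m.group(1))
    return hosts

def triage(hosts):
    """Return (address, location, script, reason) for results that need a defender's attention."""
    findings = []
    for addr, locations in hosts.items():
        for loc, scripts in locations.items():
            for name, lines in scripts.items():
                text = " ".join(lines)
                if re.search(r"\bState:\s+(?:LIKELY )?VULNERABLE", text):  # excludes "NOT VULNERABLE"
                    findings.append((addr, loc, name, "VULNERABLE state reported"))
                elif "(dangerous" in text:          # e.g. SMB signing disabled in smb-security-mode
                    findings.append((addr, loc, name, "setting flagged dangerous"))
    return findings
```

Feed it the saved output of a real scan (`nmap ... -oN report.txt`) and `triage()` gives you a short list to verify by hand instead of pages of pipes.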

As I said previously, there are many more options with nmap.

We hope this helps. 
