Scanning with nmap

Nmap is a very popular tool among security engineers. It is mostly used for port scanning, OS detection and detection of the software versions behind open ports, and in some cases for vulnerability scanning as well.

Let's look at two popular scanning techniques that are commonly used for service enumeration and vulnerability assessment.

You can use both approaches with the console nmap binary as well as with its graphical front end, Zenmap.

Below is an example of a banner grabbing scan:

root@kali:~/LABS# nmap -sV -T5 -F 10.11.1.115 --script banner
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 03:27 EST
Nmap scan report for 10.11.1.115
Host is up (0.082s latency).
Not shown: 89 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 1.1.3
|_banner: 220 (vsFTPd 1.1.3)
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
|_banner: SSH-1.99-OpenSSH_3.5p1
25/tcp open smtp?
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
|_http-server-header: Apache/2.0.40 (Red Hat Linux)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
| 100024 1 32768/udp status
|_ 391002 2 32769/tcp sgi_fam
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
143/tcp open imap UW imapd 2001.315rh
| banner: * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN]
|_ tophat.acme.local IMAP4rev1 2001.315rh at Tue, 5 Feb 2019 10:19:14 ...
199/tcp open smux Linux SNMP multiplexer
443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
|_http-server-header: Apache/2.0.40 (Red Hat Linux)
3306/tcp open mysql MySQL (unauthorized)
| banner: D\x00\x00\x00\xFFj\x04Host '10.11.0.105' is not allowed to conn
|_ect to this MySQL server
32768/tcp open status 1 (RPC #100024)
MAC Address: 00:50:56:B8:6E:A2 (VMware)
Service Info: Host: tophat.acme.local; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 184.24 seconds

Once we have the list of services with their type and version, the next step is to look for known vulnerabilities in those versions and try to exploit them, or to run a brute force attack against the services that accept credentials (FTP, SSH, IMAP, MySQL here).

In the same step we can run nmap's vulnerability scanning scripts, which may find some actual vulnerabilities. They can be used both against a server and against a web application, but in the first case the results will be more accurate.

root@kali:~/LABS# nmap -sV -T5 -F 10.11.1.115 --script vuln
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 03:40 EST
Stats: 0:09:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.86% done; ETC: 03:49 (0:00:01 remaining)
Stats: 0:11:05 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 03:51 (0:00:00 remaining)
Stats: 0:11:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 03:51 (0:00:00 remaining)
Nmap scan report for 10.11.1.115
Host is up (0.081s latency).
Not shown: 89 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 1.1.3
|_sslv2-drown: 
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
25/tcp open smtp?
|_sslv2-drown: 
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.11.1.115
| Found the following possible CSRF vulnerabilities: 
| 
| Path: http://10.11.1.115:80/manual/index.html
| Form id: 
| Form action: http://search.apache.org/
| 
| Path: http://10.11.1.115:80/manual/
| Form id: 
|_ Form action: http://search.apache.org/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
| /webmail/src/login.php: SquirrelMail
| /webmail/images/sm_logo.png: SquirrelMail
| /icons/: Potentially interesting directory w/ listing on 'apache/2.0.40'
| /manual/: Potentially interesting folder
|_ /usage/: Potentially interesting folder
|_http-server-header: Apache/2.0.40 (Red Hat Linux)
| http-slowloris-check: 
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
| 
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-vuln-cve2011-3192: 
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: OSVDB:74721 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| http://osvdb.org/74721
| http://seclists.org/fulldisclosure/2011/Aug/175
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ http://nessus.org/plugins/index.php?view=single&id=55976
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
| 100024 1 32768/udp status
|_ 391002 2 32769/tcp sgi_fam
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
143/tcp open imap UW imapd 2001.315rh
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
199/tcp open smux?
443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.11.1.115
| Found the following possible CSRF vulnerabilities: 
| 
| Path: https://10.11.1.115:443/manual/index.html
| Form id: 
|_ Form action: http://search.apache.org/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.0.40 (Red Hat Linux)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-vuln-cve2011-3192: 
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: OSVDB:74721 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| http://osvdb.org/74721
| http://seclists.org/fulldisclosure/2011/Aug/175
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ http://nessus.org/plugins/index.php?view=single&id=55976
| ssl-ccs-injection: 
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
| 
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| http://www.cvedetails.com/cve/2014-0224
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params: 
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: OSVDB:122331 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| http://osvdb.org/122331
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://weakdh.org
| 
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle: 
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: OSVDB:113251 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ http://osvdb.org/113251
| sslv2-drown: 
| ciphers: 
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| vulns: 
| CVE-2016-0703: 
| title: OpenSSL: Divide-and-conquer session key recovery in SSLv2
| state: VULNERABLE
| ids: 
| CVE:CVE-2016-0703
| description: 
| The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in
| OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
| 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary
| cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value
| and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a
| related issue to CVE-2016-0800.
| 
| refs: 
| https://www.openssl.org/news/secadv/20160301.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
| CVE-2016-0800: 
| title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
| state: VULNERABLE
| ids: 
| CVE:CVE-2016-0800
| description: 
| The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
| other products, requires a server to send a ServerVerify message before establishing
| that a client possesses certain plaintext RSA data, which makes it easier for remote
| attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
| oracle, aka a "DROWN" attack.
| 
| refs: 
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
|_ https://www.openssl.org/news/secadv/20160301.txt
3306/tcp open mysql MySQL (unauthorized)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
32768/tcp open status 1 (RPC #100024)
MAC Address: 00:50:56:B8:6E:A2 (VMware)
Service Info: Host: tophat.acme.local; OS: Unix

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103: 
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
| 
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 671.27 seconds

The results above already contain several findings that we can try to use against this target later. Keep in mind that NSE vulnerability scripts are checks, not proof, so each finding needs to be verified: the http-csrf hits are just the search form of the bundled Apache manual posting to search.apache.org, the Slowloris result is only reported as LIKELY VULNERABLE, and smb-vuln-cve2009-3103 describes a bug in Windows srv2.sys while this host runs Samba on Linux, so that one should be treated as a false positive unless confirmed by other means. The TLS findings on port 443 (SSLv2/DROWN, POODLE, CCS injection, export-grade and 1024-bit DH) and the Apache 2.0.40 byterange DoS are consistent with the very old software versions detected and are the ones worth verifying first.
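To turn a long --script vuln report like the one above into a checklist for manual verification, the following added example (not part of the original post, and not nmap's own tooling) pulls every script result that carries a State: line out of normal nmap output into one tab-separated line per finding: port, script name, reported state and the CVE ids mentioned. The sample report it ships with is constructed from a few of the results shown above; the awk parsing rules are my own and assume nmap's normal (-oN) output layout.

```shell
#!/bin/sh
# Added example (not from the original post): triage nmap --script vuln output.
# Reads normal nmap output on stdin and prints one line per finding:
#   <port or "host"> <script> <state> <comma-separated CVE ids or "-">
# Assumptions: nmap -oN layout ("| script:", "|   VULNERABLE:", "|     State: ...").

triage_vuln_output() {
    awk '
    function flush() {
        if (state != "") print port, script, state, (cves == "" ? "-" : cves)
        state = ""; cves = ""
    }
    BEGIN { OFS = "\t"; port = "?"; script = "?" }
    # Working copy of the line without the NSE "| " / "|_ " prefix and indentation.
    { line = $0; sub(/^\|_?[ \t]*/, "", line) }
    # A port line ("80/tcp open http ...") starts a new service.
    /^[0-9]+\/(tcp|udp)[ \t]/ { flush(); port = $1; next }
    /^Host script results:/   { flush(); port = "host"; next }
    # Script names are lowercase with hyphens ("ssl-poodle:", "smb-vuln-cve2009-3103:").
    line ~ /^[a-z][a-z0-9]*(-[a-z0-9]+)+:/ { flush(); script = line; sub(/:.*/, "", script); next }
    # A script reporting several issues (sslv2-drown) opens each one with "CVE-....:".
    line ~ /^CVE-[0-9]+-[0-9]+:[ \t]*$/ { flush(); next }
    # "State: VULNERABLE", "State: LIKELY VULNERABLE" or "state: VULNERABLE" opens a finding.
    line ~ /^[Ss]tate:/ { flush(); state = line; sub(/^[Ss]tate:[ \t]*/, "", state); next }
    # Inside a finding, collect CVE ids from IDs:/ids: lines and reference URLs (deduplicated).
    state != "" {
        n = split(line, w, /[^A-Za-z0-9-]+/)
        for (i = 1; i <= n; i++)
            if (w[i] ~ /^CVE-[0-9]+-[0-9]+$/ && index(cves, w[i]) == 0)
                cves = cves (cves == "" ? "" : ",") w[i]
    }
    END { flush() }
    '
}

# Constructed sample report (a few results from the scan above, in nmap -oN layout).
sample_vuln_output() {
    cat <<'EOF'
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|     References:
|_      https://weakdh.org

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2009-3103
EOF
}

# Usage with a real report:  triage_vuln_output < 03-vuln-10.11.1.115.nmap
# Run stand-alone it triages the constructed sample.
sample_vuln_output | triage_vuln_output
```

Run against the sample, it prints four lines (http-slowloris-check on 80/tcp, ssl-poodle and ssl-dh-params on 443/tcp, smb-vuln-cve2009-3103 as a host script); each line is one item to confirm by hand before it goes into a report.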

It is better to split scanning into two or three stages, like:

  1. List hosts detection
  2. Services enumeration
  3. Vulnerability scanning
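The three stages above as one shell script, added here as an example (it is not part of the original post): host discovery with -sn, service enumeration only on the hosts that answered, and --script vuln only on the ports the second stage found open, so the slow script scan never touches closed ports or dead hosts. The awk parsers read nmap's greppable (-oG) output; the target range 10.11.1.0/24, the output directory and the sample -oG lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the three-stage nmap workflow.
# Usage: ./scan.sh 10.11.1.0/24 [outdir]   (target and outdir are assumptions)
# With no arguments it only exercises the parsers on constructed sample data.

# --- parsing helpers: read nmap greppable output (-oG) on stdin --------------

# Stage 1 lines look like:  Host: 10.11.1.115 ()   Status: Up
parse_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Stage 2 lines look like:
#   Host: 10.11.1.115 (name)  Ports: 21/open/tcp//ftp//vsftpd 1.1.3/, 25/filtered/tcp//smtp///  Ignored State: closed (89)
# Each entry is port/state/proto/owner/service/rpc/version/. Prints one line per
# host, "<ip> <open ports comma-separated>", which is the form nmap -p expects.
parse_open_ports() {
    awk -F'Ports: ' '/^Host:/ && /Ports: / {
        split($1, h, " "); host = h[2]
        n = split($2, entries, ", ")        # assumes no ", " inside a version string
        ports = ""
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open")
                ports = ports (ports == "" ? "" : ",") f[1]
        }
        if (ports != "") print host, ports
    }'
}

# --- the three stages ---------------------------------------------------------

run_stages() {
    target="$1"; out="$2"
    command -v nmap >/dev/null 2>&1 || { echo "nmap not found in PATH" >&2; return 1; }
    mkdir -p "$out"

    # 1. Host discovery only (-sn: no port scan), greppable output for parsing.
    nmap -sn -oG "$out/01-hosts.gnmap" "$target" >/dev/null
    parse_live_hosts < "$out/01-hosts.gnmap" > "$out/live.txt"

    # 2. Service/version enumeration on live hosts only. -T4 instead of the
    #    post's -T5: still fast, but less likely to drop probes on a slow link.
    nmap -sV -F -T4 -iL "$out/live.txt" \
        -oG "$out/02-services.gnmap" -oN "$out/02-services.nmap" >/dev/null
    parse_open_ports < "$out/02-services.gnmap" > "$out/open.txt"

    # 3. Vulnerability scripts per host, restricted to the ports found open.
    #    -sV is repeated because many vuln scripts key off the detected service.
    while read -r host ports; do
        nmap -sV -p "$ports" --script vuln -oN "$out/03-vuln-$host.nmap" "$host" >/dev/null
    done < "$out/open.txt"
    echo "results in $out"
}

# Constructed sample -oG lines so the parsers can be exercised without nmap.
sample_hosts_gnmap() {
    printf 'Host: 10.11.1.115 ()\tStatus: Up\nHost: 10.11.1.116 ()\tStatus: Down\n'
}
sample_services_gnmap() {
    printf 'Host: 10.11.1.115 (tophat.acme.local)\tPorts: 21/open/tcp//ftp//vsftpd 1.1.3/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.0.40 ((Red Hat Linux))/\tIgnored State: closed (89)\n'
}

if [ $# -ge 1 ]; then
    run_stages "$1" "${2:-./nmap-out}"
else
    sample_hosts_gnmap | parse_live_hosts          # 10.11.1.115
    sample_services_gnmap | parse_open_ports       # 10.11.1.115 21,80
fi
```

The per-host -p list in stage 3 is what makes the split pay off: in the post's run the vuln scan took 671 seconds against a single host with -F, and without the restriction every NSE script would be tried against all 100 ports of every live host.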

With these results you will be able to perform the system security assessment faster and more efficiently.

About the options we used in our nmap scans (nmap -sV -T5 -F 10.11.1.115):

  • -sV tells nmap to probe each open port and report the detected service and its version
  • -T5 selects the fastest timing template (T0 to T5; by default nmap uses T3). It is quick but not always accurate: with aggressive timing probes can be dropped and version detection may fail (note the smtp? and smux? entries above, where nmap could not identify the service), so on slow or filtered networks it is sometimes better to use a slower template such as T0 or T1
  • -F – fast scan, it scans only the 100 most common ports (http, https, ftp, ssh etc.) instead of the default 1000; this is why the output says "Not shown: 89 closed ports" next to the 11 open ones
  • finally we set the script to run on each iteration of the scan: --script banner grabs the banner of every open port and gives you more details about the target system and its services, and --script vuln runs every script in the vuln category against all detected open ports (services). Some scripts in that category are also in the intrusive or dos categories, so only run it against systems you are authorized to test.