By Lucifer

Advanced scanning with Nmap

In this post we will cover some of the more advanced Nmap scan types and also cover Nmap Scripting Engine (NSE), one of the most powerful features of Nmap.

First, start the NGINX server that hosts our target (it binds to ports 80 and 443, so it needs sudo):

Step 1: Starting NGINX Server


sudo /usr/local/nginx/sbin/nginx

Step 2: Version Detection


Nmap ships a probe database (nmap-service-probes) that lets it recognize the product and, in many cases, the exact version of a service from its banner and responses. The -sV option runs a "Version Detection" scan. It has several tuning options (for example --version-intensity), but even the defaults gather a lot of useful information.

Run a version detection scan on our target system as follows:


Note: skillsetlocal.com is not a live website, it's a website hosted locally.

nmap -sV skillsetlocal.com

This is very useful for a pentest. We get the versions and names for most services on the system, so we can greatly narrow down our attack methods by looking for vulnerabilities specific to those versions. We will focus specifically on the HTTP and HTTPS servers and on MySQL database.




Step 3: Gathering SSL Information


The NSE is one of Nmap's most powerful features, which allows users to automate a wide variety of networking tasks. The standard Nmap installation includes lots of scripts, and you can also use custom scripts created by other experts, or even create your own. In this lab, we will use several scripts included with Nmap, and then take a look at creating and using a custom script.

The first script we will use is ssl-enum-ciphers. It repeatedly opens SSLv3/TLS connections to the server, offering a different cipher suite (and compressor) on each attempt and recording which ones the server accepts. The result is a per-protocol list of accepted cipher suites, each with a letter grade from A (strong) to F (broken) based on the strength of its key exchange and cipher. This already takes us beyond network recon into vulnerability identification.

To run this script on our target server, issue the following command:


nmap --script ssl-enum-ciphers -p 443 skillsetlocal.com

Nmap groups the results by protocol version, grades each cipher suite individually and closes with a "least strength" line that reports the weakest grade accepted by the server (D for this server). That summary line is the quickest way to spot hosts that still accept weak suites.


Step 4: Checking for Shellshock


NSE can also be used very effectively to identify specific vulnerabilities. We used it to identify Heartbleed in the Heartbleed Exploitation post. Now let's use a script that checks for another well-known vulnerability, Shellshock: a bug in Bash (CVE-2014-6271) that is usually reachable remotely through CGI scripts on a web server.

Some scripts accept additional arguments through --script-args. http-shellshock needs the uri argument, the path of the CGI script we suspect is vulnerable. It also accepts cmd, a command to run on a vulnerable host, and header, which selects the HTTP header that carries the probe (User-Agent by default).

Enter the following command:


nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh skillsetlocal.com

Step 5: Brute-forcing MySQL


We can take it even further and perform some basic exploitation tasks with NSE. For example, we can try to guess login credentials for the MySQL database we found earlier by using the mysql-brute script. Enter the following command:


nmap -p 3306 --script mysql-brute skillsetlocal.com

As you can see, Nmap found a pair of valid credentials without a problem.


Nmap can brute-force other services as well (snmp-brute, ftp-brute, telnet-brute, ssh-brute and more). These scripts share the brute library, so the userdb and passdb script arguments let you supply your own word lists instead of the defaults. Keep in mind that brute-forcing is noisy and can lock accounts, so use it only where the engagement allows it.


Step 6: Using Custom Scripts - Creating a Script


As we mentioned earlier, you can use custom scripts with NSE, and even create your own. We saved an example script in our home directory, so we can see how they are built. Open the script with cat as follows:


cat http_options_example.nse | more

Use the Enter key to go through the entire script and see if you can understand the concepts behind writing it, then read the explanation below.

When writing an NSE script, we first define the header fields: description, author, license and categories (a fifth field, dependencies, is optional and lists scripts that must run before this one). This can be seen below:


description = [[
Attempts to find the HTTP methods available on the target HTTP server.
]]

author = "Dejan Lukan"
license = "GPL 2.0"
categories = {"default"}


The rule of the script decides whether the script is executed against a given target. If the host and port information passed into the script does not match what we expect, the rule returns false and the script simply does nothing for that target. For a port script, the rule looks at the host and port and checks that the port is TCP, open and running HTTP (usually, but not always, port 80). A script must define at least one of the following rules: prerule, hostrule, portrule or postrule. In our case we use portrule to check that the port is open and running an HTTP service. We can do this with the following code:


local shortport = require "shortport"

-- returns true if port is likely to be HTTP, false otherwise
portrule = shortport.http


This returns true whenever Nmap thinks the port is speaking HTTP (by port number or by the service name found by -sV). After that, we only need to write the action function, which receives the host and port tables and contains the work to be done when the script runs; whatever it returns is printed in the scan output.
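To show how the header fields, the portrule and the action fit together, here is a complete NSE script written for this post as an added example (it is not the http_options_example.nse file shown above, and the script argument name is an assumption derived from the file name). It sends one HTTP OPTIONS request, reports the methods listed in the Allow header and flags the ones that usually deserve a closer look:

```lua
-- http_options_example.nse (added example, not the page's own file).
-- Sends an HTTP OPTIONS request and reports the methods the server advertises.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Sends an HTTP OPTIONS request to the target web server and reports the
methods listed in its Allow header, flagging ones that usually deserve a
closer look (PUT, DELETE, TRACE, CONNECT).
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe"}

-- Optional script argument (assumed name; NSE derives SCRIPT_NAME from the
-- file name, so for this file it is http_options_example.path), e.g.
--   --script-args http_options_example.path=/cgi-bin/
-- An unqualified "path=..." also works, as "uri=..." did for http-shellshock.

-- Rule: run only when Nmap believes the open port speaks HTTP.
portrule = shortport.http

-- Methods whose presence is worth highlighting in a pentest report.
local risky = { PUT = true, DELETE = true, TRACE = true, CONNECT = true }

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  -- http.generic_request lets us choose the HTTP method ourselves.
  local response = http.generic_request(host, port, "OPTIONS", path)
  if not response or not response.status then
    return nil          -- no HTTP answer: stay silent, like most NSE scripts
  end

  -- NSE lowercases header names in response.header.
  local allow = response.header and response.header["allow"]
  if not allow then
    return ("OPTIONS %s: status %d, no Allow header"):format(path, response.status)
  end

  local flagged = {}
  for method in allow:gmatch("%a+") do
    if risky[method:upper()] then
      flagged[#flagged + 1] = method:upper()
    end
  end

  -- output_table keeps key order, so normal and XML output stay predictable.
  local out = stdnse.output_table()
  out.path = path
  out.status = response.status
  out.allowed_methods = allow
  if #flagged > 0 then
    out.potentially_risky = table.concat(flagged, ", ")
  end
  return out
end
```

Save it next to the scan and run it with a path to the file, for example `nmap -p 80 --script ./http_options_example.nse --script-args http_options_example.path=/ skillsetlocal.com`; add `-d` to see the script's debug output, and `nmap --script-help ./http_options_example.nse` prints the description field so you can check the header is parsed.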


Step 7: Using Custom Scripts - Running a Custom Script


OK, now let's use the script and see if it works:


nmap -p 80 --script=http_options_example.nse skillsetlocal.com

We received the information we needed.


As you can see, NSE greatly extends Nmap's already powerful features. It is definitely worthwhile for a pentester to invest some time in learning how to write NSE scripts.



That's it for this post. If you found it useful, subscribe or sign up to the blog for more like it, and visit our shop at Payground.


©2020 by Payground. Proudly created with Wix.com