NMAP POST PORT SCANS

In this post we will talk about the steps that follow port scanning: service detection, OS detection, traceroute, the Nmap Scripting Engine and saving the scan results.


Service Detection

Once Nmap discovers open ports, it can probe them to identify the services listening on them and their versions, which is what lets us look up known vulnerabilities for a particular product and version. Adding the -sV option to an Nmap scan sends service probes to each open port and records the service name, product and version it can work out. --version-intensity LEVEL sets how many probes are tried, from 0 (lightest) to 9 (every probe); the default is 7. --version-light is shorthand for intensity 2 and --version-all for intensity 9.

Version detection completes the TCP three-way handshake on each open port, because Nmap has to talk to the service (read its banner, send it a probe) before it can tell what is running. This does not stop you combining -sV with the SYN scan -sS: the port scan itself is still half-open, but every open port it finds is then connected to in full, so the stealth benefit of -sS is lost for those ports and the connections can show up in the service's own logs.

NOTE: -sV itself does not need root privileges, since its probes are ordinary TCP connections. It is -sS and -O that need raw packets and therefore root (or sudo): without root the default scan type is the connect scan -sT, and explicitly asking for -sS fails with an error that the scan type requires root privileges.


OS Detection

Nmap can guess the operating system from its behaviour and from telltale details in its responses (TCP/IP stack quirks such as initial TTL, window size and the ordering of TCP options) by using the -O option. Like -sS, it needs raw packets and therefore root privileges. Whilst OS detection is very convenient, many factors affect its accuracy. For a reliable fingerprint Nmap needs at least one open and one closed TCP port on the target; if it cannot find both it prints a warning that the OS scan results may be unreliable. Furthermore, the guest's fingerprint may be distorted by virtualisation, containers, load balancers and similar middleboxes sitting between us and the host. Nmap reports a percentage accuracy with each guess, so always take the OS version with a grain of salt and treat it as a hint to confirm by other means rather than a fact.


Traceroute

If we want to find the routers between us and a target, use the --traceroute option. Nmap runs it after the port scan and picks the probe type and port most likely to reach the target from the scan results, which is why it belongs with the post-scan steps. It is worth noting that many routers are configured not to send ICMP Time-to-Live exceeded messages, so those hops show up as unanswered and we cannot learn their IP addresses.


Scripting

The full list of Nmap scripts, with documentation for each one, is at https://nmap.org/nsedoc/.

The Nmap Scripting Engine (NSE) lets Nmap run scripts written in the Lua language, so functionality that is not built in, from extra service probes to vulnerability checks, can be added without changing Nmap itself.

A default Nmap installation ships close to 600 scripts (on most Linux systems they live under /usr/share/nmap/scripts). Script names start with the protocol they target, for example http-title or ssh-hostkey. We can run the default set of scripts with --script=default or simply -sC.

Categories of scripts available include:

  • auth: Authentication-related scripts.
  • broadcast: Discover hosts by sending broadcast messages.
  • brute: Performs brute-force password audits against logins.
  • default: The scripts run by -sC.
  • discovery: Retrieve accessible information such as database tables and DNS names.
  • dos: Detects servers vulnerable to Denial of Service.
  • exploit: Attempts to exploit vulnerable services.
  • external: Checks third-party services, such as Geoplugin and VirusTotal.
  • fuzzer: Launches fuzzing attacks.
  • intrusive: Intrusive scripts such as brute-force and exploitation.
  • safe: Safe scripts that won't crash a target.
  • version: Retrieve service versions.
  • vuln: Check for or exploit vulnerabilities.
To run a particular script use --script SCRIPT_NAME, a comma-separated list such as --script ssh-hostkey,http-title, a category such as --script vuln, or a pattern such as --script "ftp*", which matches every script whose name begins with ftp, including ftp-brute. Arguments for scripts are passed with --script-args.

To understand what a script does, open it in a text editor or run nmap --script-help SCRIPT_NAME, which prints its description and categories. Be careful: some scripts are very intrusive (the brute, dos and exploit categories in particular) and can lock out accounts or crash a service. Many scripts also only work under certain conditions, for example against specific server software or only when given arguments, so it is worth knowing exactly what a script will do and to what before pointing it at a target.


Saving the Output

There are three main formats for saving Nmap scans:
  1. Normal
  2. Grepable
  3. XML
NOTE: We can save the output in all three formats at once with -oA FILENAME, which writes FILENAME.nmap, FILENAME.gnmap and FILENAME.xml.

Normal
Using the -oN FILENAME option. The N stands for normal: it is the same output you see on screen, so it is the easiest to read but the hardest to parse.

Grepable
Using the -oG FILENAME option writes grepable format: one line per host, with all of that host's ports packed into a single Ports: field, so that grep (global regular expression print) and tools such as awk and cut can filter the scan for specific hosts, ports or keywords efficiently. Whilst this format is convenient for grep, it is much harder for a human to read than the normal output.

In order to look for specific keywords in the new file, use grep KEYWORD FILE_NAME, for example grep "22/open" FILE_NAME to list only the hosts that have port 22 open.
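As an added example (not code from this post), the Python below reads -oG output and splits the Ports: field into its slash-separated columns, which answers the same questions as grep but exactly on port number and state. SAMPLE_GNMAP is constructed to look like the output of an -sV -oG scan of two hypothetical hosts, 10.0.0.5 and 10.0.0.6; it is not a real scan.

```python
"""Parse Nmap grepable (-oG) output and filter it the way grep would,
but with the Ports: field split into its seven slash-separated columns."""
import re

# Constructed -oG output for two hypothetical hosts (not a real scan).
# Each entry in the Ports: field has the form
#   port/state/protocol/owner/service/rpcinfo/version/
# and entries are separated by ", ". Nmap replaces any "/" inside a field
# (for example in a version string) with "|" so the columns stay unambiguous.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.5 10.0.0.6
Host: 10.0.0.5 (web01.lab)\tStatus: Up
Host: 10.0.0.5 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:00:30 2024 -- 2 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

# "Host: <addr> (<hostname>)" followed by tab-separated "Field: value" pairs
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return one dict per port entry:
    {'host', 'hostname', 'port', 'state', 'proto', 'service', 'version'}."""
    entries = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # "# Nmap ..." comment lines
        host, hostname, rest = m.groups()
        # Remaining fields are tab-separated; only Ports: matters here
        # (the "Status: Up" line for a host carries no ports).
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            cols = entry.split("/")        # 7 columns plus a trailing empty one
            port, state, proto, _owner, service, _rpc, version = cols[:7]
            entries.append({"host": host, "hostname": hostname,
                            "port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version})
    return entries


def hosts_with_open_port(entries, port, proto="tcp"):
    """Like  grep '22/open' scan.gnmap  but exact on port, protocol and state."""
    return sorted({e["host"] for e in entries
                   if e["port"] == port and e["proto"] == proto
                   and e["state"] == "open"})


def open_services(entries):
    """(host, port, service, version) for every open port: a quick inventory."""
    return [(e["host"], e["port"], e["service"], e["version"])
            for e in entries if e["state"] == "open"]


if __name__ == "__main__":
    ents = parse_gnmap(SAMPLE_GNMAP)
    print("hosts with 22/tcp open:", hosts_with_open_port(ents, 22))
    for row in open_services(ents):
        print(row)
```

The parser deliberately ignores the comment lines and the Status: line, which is also why a plain grep for a port number can mislead: "22/open" would also match "1022/open", whereas splitting the columns compares the port as a number.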

XML
We can use the -oX FILENAME option to save our Nmap scan in XML format. XML is the most convenient for processing the output in other programs: every host, port, service, script result and OS guess is a tagged element with attributes, so a parser can read the scan without pattern-matching the human-readable text. Using -oX - writes the XML to standard output, which is handy for piping into another tool.
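The following is an added example (not code from this post) showing how to consume -oX output with Python's standard-library XML parser. SAMPLE_XML is constructed to resemble an -sS -sV -O -oX scan of a hypothetical host 10.0.0.5, not a real scan. Besides the address, ports and versions it also pulls out the confidence Nmap attaches to each service name (method="probed" versus method="table", with a conf score) and the accuracy of each OS match, so the caveats from the Service Detection and OS Detection sections can be checked programmatically rather than by eye.

```python
"""Parse Nmap XML (-oX) output into structured records and flag the results
the post says to take with a grain of salt: service names that came only
from the nmap-services table rather than from a probe, and OS guesses below
an accuracy threshold."""
import xml.etree.ElementTree as ET

# Constructed -oX output for a hypothetical host (not a real scan). Element and
# attribute names follow the nmaprun format; values are made up for the example.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.5" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="open" reason="syn-ack"/>
        <service name="https-alt" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 5.0 - 5.4" accuracy="96"/>
      <osmatch name="Linux 4.15 - 5.8" accuracy="93"/>
    </os>
  </host>
  <runstats><finished elapsed="12.50"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of hosts: {'addr', 'hostnames', 'ports': [...], 'os': [...]}.
    method="probed" means Nmap matched a response to a version probe;
    method="table" means the name is only the nmap-services default for that
    port number. conf is Nmap's 1-10 confidence in the service name."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        ipv4 = [a.get("addr") for a in h.findall("address")
                if a.get("addrtype") == "ipv4"]
        rec = {"addr": ipv4[0] if ipv4 else None,
               "hostnames": [n.get("name") for n in h.iter("hostname")],
               "ports": [], "os": []}
        for p in h.iter("port"):            # iter("port") does not match <extraports>
            state = p.find("state")
            svc = p.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            rec["ports"].append({
                "port": int(p.get("portid")), "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else None,
                "service": get("name"), "product": get("product"),
                "version": get("version"), "method": get("method"),
                "conf": int(get("conf") or 0),
            })
        for m in h.iter("osmatch"):
            rec["os"].append((m.get("name"), int(m.get("accuracy"))))
        hosts.append(rec)
    return hosts


def unverified_services(hosts):
    """Open ports whose service name was not confirmed by a probe. The name is
    the port's conventional use, not evidence of what is actually listening."""
    return [(h["addr"], p["port"], p["service"])
            for h in hosts for p in h["ports"]
            if p["state"] == "open" and p["method"] != "probed"]


def best_os_guess(host, min_accuracy=90):
    """Highest-accuracy OS match, or None if nothing clears the threshold."""
    matches = [m for m in host["os"] if m[1] >= min_accuracy]
    return max(matches, key=lambda m: m[1]) if matches else None


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(h["addr"], h["hostnames"], "OS guess:", best_os_guess(h))
        for p in h["ports"]:
            print(" ", p["port"], p["proto"], p["state"], p["service"],
                  p["product"], p["version"], p["method"], p["conf"])
    print("unverified:", unverified_services(hosts))
```

In the sample, port 8443 is reported as https-alt only because that is the nmap-services entry for the port number (method="table"), so unverified_services() lists it as something to probe by hand, and best_os_guess() returns the 96% match while leaving the decision of how much to trust it to the caller.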
