NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results.


Service Detection

Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest.

Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS .

NOTE: In order to run -sV we need root privileges. 


OS Detection

Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate OS scan, Nmap needs at least one open and one closed port on the target. Furthermore, the guest OS fingerprints might get distorted due to the rising use of virtualisation and similar technologies. Therefore always take the OS version with a grain of salt. 


Traceroute

If we want to find the routers between us and a target, use the --traceroute option. Although it is worth noting that many routers are set to not send ICMP Time-to-Live exceeded, which would prevent us from getting their IP addresses.    


Scripting

List of Nmap scripts.

Functionality can be added to Nmap using scripting with the Lua language in order to add functionality that is not built in. A part of Nmap is the Nmap Scripting Engine (NSE) which allows Nmap to execute Nmap scripts written in Lua.

The Nmap default installation contains close to 600 scripts. The scripts are names starting with the protocol that they target. We can specify to use the default scripts by using --script=default or simply -sC

Categories of scripts available include:

  • auth: Authentication related scripts.
  • broadcast: Discover hosts by sending broadcast messages.
  • brute: Performs brute-force password audits against logins.
  • default: same as -sC
  • discover: Retrieve accessible information such as database tables and DNS names.
  • dos: Detects servers vulnerable to Denial of Service,
  • exploit: Attempts to exploit vulnerable services.
  • external: Checks third-party service, such as Geoplugin and Virustotal.
  • fuzzer: Launch fuzzing attacks
  • intrusive: Intrusive scripts such as brute-force and exploitation.
  • safe: Safe scripts that wont crash a target
  • version: Retrieve service versions.
  • vuln: Check for or exploit vulnerabilities. 
In order to specify a script we need to use --script "SCRIPT_NAME" or a pattern such as --script "ftp*" which would include any scripts beginning with ftp, including ftp-brute .

In order to understand what a script does we can open it with a text editor. It is important to be careful when using scripts as some a very intrusive. Some scripts will only work under certain conditions (for specific servers, for example) so it is worth knowing exactly what the scripts will do and on what. 


Saving the Output

There are three main formats for saving Nmap scans:
  1. Normal
  2. grep
  3. XML
NOTE: We can save the output in all three formats by -oA FILENAME .

Normal
Using the -oN FILENAME option. The N stands for normal.

Grepable
Using the -oG FILENAME option will use grepable format. Grep (Global Regular Expression Printer) makes filtering the scan for specific terms or keywords efficient. Whilst this format is more efficient when using grep , it makes it more difficult to be human readable.

In order to look for specific keywords in the new file, use grep KEYWORD FILE_NAME

XML
We can use the -oX option to save our Nmap scan in XML format. XML would be the most convenient to process the output in other programs. 

Comments

Post a Comment

Popular posts from this blog

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address o...
Read more

FILE INCLUSION

Image
File Inclusion Vulnerabilities is a vulnerability that often affects web applications when a user is allowed to requests files with poor input sanitation or validation. This becomes a risk if the attacker is able to read, edit, or create files on the server. Web applications can be written to request files on a system, such as images or text files, via parameters. Parameters are query parameter strings attached to the URL that can be used to retrieve data or perform actions based on user input. See below for a breakdown of the essential parts of a URL. In this example the user is requesting a file called userCV.pdf via a GET request. File inclusion vulnerabilities occur when a web application is poorly written. The main area of concern where user input is not sanitized or validated when they user controls them. For example, an attacker could visit http://webapp.tbh/get.php?file=userCV.pdf and if there is no authentication that the user who requested the file is allowed the file (for...
Read more

PASSIVE AND ACTIVE RECONNAISSANCE

Image
In this post we will learn about passive and active reconnaissance. Passive reconnaissance lets us gather information about a target without any kind of direct engagement. Active reconnaissance requires us to make some kind of contact with out target. Some Passive Reconnaissance tools we will explore: whois nslookup dig DNSDumpster Shodan.io Some Active Reconnaissance tools we will explore: ping traceroute telnet nc Passive Reconnaissance In passive reconnaissance, we rely on publicly available knowledge that can be accessed without directly engaging the target. Passive recon may include: Looking up DNS records from a public DNS server Checking job ads related to the target website Reading news articles about the target company Visiting social media sites of the company or their employees Whois Whois is a request and response protocol that follows the  RFC 3192  specification. A whois server listens on port 43 for incoming requests. A domain registrar is responsible for mainta...
Read more