NMAP

=====================================================================
NMAP:
=====================================================================

NMAP - ACTIVE INFORMATION GATHERING: Nmap

The nmap man page is a must read in order to understand the tool and its various possibilities.

NMAP MAN PAGE:
#man nmap

NMAP HELP:
#nmap -h

NMAP CONFIGURATION FILES:
#cd /usr/share/nmap

In the configuration directory there are files such as nmap-services which, when read, includes a list of port names, the port number and transport protocol, and even a field which lists the probability of this port being open (the frequency with which it was found open). Often there is also a comment describing the service usually found on this port.
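Added example (not from the original notes): the open-frequency column of nmap-services is what --top-ports ranks on, and the small script below reproduces that ranking on a constructed sample in the same format, so the "top 20" idea can be checked by hand.

```shell
#!/bin/sh
# Added example: rank ports by the open-frequency column of an nmap-services
# style file. This is the ordering nmap's --top-ports option derives from
# /usr/share/nmap/nmap-services (the real file has thousands of entries).
# Line format: <service name> <port>/<protocol> <open frequency> [# comment]

# Constructed sample in that format; values are illustrative, not the real file.
SAMPLE_SERVICES=$(cat <<'EOF'
# service  port/proto  frequency  comment
http       80/tcp      0.484143   # World Wide Web HTTP
telnet     23/tcp      0.221265
https      443/tcp     0.208669
ftp        21/tcp      0.197667
ssh        22/tcp      0.182286   # Secure Shell Login
smtp       25/tcp      0.131314   # Simple Mail Transfer
domain     53/udp      0.213496
snmp       161/udp     0.433467
EOF
)

# top_ports PROTO N  (reads an nmap-services style file on stdin)
# Prints the N most frequently open ports for PROTO as a comma-separated
# list, highest frequency first, ready to pass to nmap's -p option.
top_ports() {
    awk -v proto="$1" '
        /^#/ || NF < 3 { next }                      # skip comments and junk
        { split($2, pp, "/"); if (pp[2] == proto) print pp[1], $3 }
    ' |
    sort -k2,2 -rn | head -n "$2" |
    awk '{ list = list (NR > 1 ? "," : "") $1 } END { print list }'
}

# Equivalent of --top-ports 3 restricted to TCP, and the two UDP entries.
printf '%s\n' "$SAMPLE_SERVICES" | top_ports tcp 3   # 80,23,443
printf '%s\n' "$SAMPLE_SERVICES" | top_ports udp 2   # 161,53
```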

NMAP - ACTIVE INFORMATION GATHERING: Traffic Accountability

Let's understand the volume of traffic generated by a simple TCP scan of the top 1000 ports.

Below is a script using iptables to monitor the traffic sent to a specific host: iptables-counters.sh

---------------------------------------------------
#!/bin/bash

# reset all counters and flush all existing iptables rules in the filter table
iptables -Z && iptables -F
# measure incoming traffic from 192.168.31.220 (rule inserted at position 1 of INPUT)
iptables -I INPUT 1 -s 192.168.31.220 -j ACCEPT
# measure outgoing traffic to 192.168.31.220
iptables -I OUTPUT 1 -d 192.168.31.220 -j ACCEPT
---------------------------------------------------

Check the amount of traffic generated by this scan.
#iptables -vn -L

This reveals around 46 KB sent for 1000 ports to be scanned. Scanning all TCP ports would be around 3 MB or more, and doing that against 254 computers would generate around 1 GB of traffic.

NMAP ACTIVE INFORMATION GATHERING: Network Sweeping

To quickly find machines on the network without sending large amounts of traffic over it, network sweeping is used. We will look at using nmap to perform a similar task to the earlier ping sweep.

#nmap -sn 10.11.1.250-254

The output is a bit hard to understand. Nmap provides several output formats to save files to disk for later examination.

Nmap's greppable output parameter is -oG

#nmap -sn 10.11.1.250-254 -oG ping-sweep-Nmap.txt
The output can be cleanly grepped.
Sweeping for common ports / services
#nmap -p 80 10.11.1.250-254 -oG web-sweep.txt
The result here provides a list of servers with port 80 open.

The scan below will run a scan of the most common 20 ports as noted by nmap and put this in greppable output.
#nmap -sT --top-ports 20 10.11.1.200-254 -oG top-port-sweep.txt

Machines that appear to be rich in open ports would then be more extensively scanned.
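Added example (not from the original notes): two small helpers that read the greppable output produced by the sweeps above, one listing every host with a given port open (the web-sweep question) and one counting open ports per host so the port-rich machines come out first. The input is a constructed -oG sample, not real scan data.

```shell
#!/bin/sh
# Added example: pull the useful facts out of nmap's greppable (-oG) output
# without reading it by eye. Each host gets a "Ports:" line whose entries
# look like <port>/<state>/<proto>//<service>///, separated by ", ".

# Constructed sample of a -oG file from a --top-ports sweep (not real scan
# data; real files separate fields with tabs, which the parser does not rely on).
SAMPLE_GNMAP=$(cat <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -sT --top-ports 20 10.11.1.200-254 -oG top-port-sweep.txt
Host: 10.11.1.201 ()  Status: Up
Host: 10.11.1.201 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///  Ignored State: filtered (17)
Host: 10.11.1.202 ()  Status: Up
Host: 10.11.1.202 ()  Ports: 80/open/tcp//http///  Ignored State: closed (19)
Host: 10.11.1.220 ()  Status: Up
Host: 10.11.1.220 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (15)
# Nmap done (constructed sample) -- 55 IP addresses (3 hosts up) scanned
EOF
)

# hosts_with_open PORT  (reads -oG output on stdin)
# Prints the address of every host that has PORT in the open state.
hosts_with_open() {
    awk -v port="$1" '
        /Ports:/ { for (i = 1; i <= NF; i++)
                       if ($i ~ ("^" port "/open/")) { print $2; break } }'
}

# open_port_counts  (reads -oG output on stdin)
# Prints "<address> <number of open ports>", most open ports first, so the
# machines that deserve a fuller scan appear at the top.
open_port_counts() {
    awk '
        /Ports:/ { n = 0
                   for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\/open\//) n++
                   if (n > 0) print $2, n }' |
    sort -k2,2 -rn
}

printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open 445   # 10.11.1.220
printf '%s\n' "$SAMPLE_GNMAP" | open_port_counts       # first line: 10.11.1.220 5
```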

NMAP - ACTIVE INFORMATION GATHERING: Nmap OS and Banner Discovery
Extracting more than just TCP and UDP port states with nmap, such as the operating system and port banners.

-sV for banner grabbing
-O for OS fingerprinting
-A which includes both checks and some protocol specific checks

#nmap -A 10.11.1.13
This scan shows a lot of output: open TCP ports, banners, and OS fingerprinting guesses.
The earlier scan generated 46 KB of traffic. The scan using -A generated around 100 KB, more than double the amount of network traffic.


NMAP ACTIVE INFORMATION GATHERING: Nmap NSE Scripts

Nmap Scripting Engine: NSE

Scripts include a long list of utilities, among them:
- service enumeration scripts
- brute force and attacks scripts
- vulnerability identification scripts

*********************************
All of these scripts can be found here:
#cd /usr/share/nmap/scripts
*********************************

Checking the comments and usage instructions in these files is a useful experience.


NMAP - ACTIVE INFORMATION GATHERING: SMB NSE Scripts
**WINDOWS XP (SP1) AND WINDOWS 2000 SERVERS ARE THE MAIN TARGETS (BUT NOT LIMITED TO) IN THE LABS HERE.

NMAP also includes several SMB scripts which can run a variety of SMB protocol checks.

To list these scripts, we can list the nse scripts directory and then grep for SMB.
************************************
# ls -l /usr/share/nmap/scripts |grep smb
************************************

In order to use the smb-enum-users script: this will try to enumerate user names via a null session on a given machine as part of the nmap scan.
eg:
#nmap -p 139,445 --script smb-enum-users 192.168.31.206

************************************
Another useful NMAP SMB script is the smb-check-vulns script, which checks for the existence of several SMB vulnerabilities.
Eg:
#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.229

MODERN SYNTAX for this (quote the wildcard so the shell does not expand it against files in the current directory):
#nmap -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 192.168.31.229

I have created a list of all IPs that appear to exist, called IPs.txt. Below I use this list to check all machines for SMB vulnerabilities.
#nmap -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 -iL IPs.txt
************************************

SMB ports are not usually exposed to the internet as they are known to be vulnerable. Many ISPs even filter out this traffic; as a result you are more likely to find these vulnerabilities in internal network environments. Finding an SMB port exposed to the internet will be either a security oversight or a lack of proper port filtering on their side.

NMAP - Vulnerability Scanners - Vulnerability Scanning with NSE scripts

All scripts are located here:
/usr/share/nmap/scripts

The list of scripts often grows with each new release of nmap.

These scripts can be used one at a time or it is possible to run all of the nse scripts against a target at once.

**************************
Example 1: known directory traversal vulnerability in cold fusion servers:
#nmap -v -p 80 --script http-vuln-cve2010-2861 192.168.31.210

When reviewing the output of this scan, we see the salt and hash for the admin password.

Example 2: Scan for FTP servers that allow anonymous access
#nmap -v -p 21 --script ftp-anon.nse 10.11.1.1-254

Example 3: Check the SMB security mode:
#nmap -v -p 139,445 --script smb-security-mode 10.11.1.236

Example 4: run all scripts against a target - thus scanning for multiple vulnerabilities at once. This is INTENSE! Depending on a number of factors including bandwidth speed, a single IP scan like this may take over an hour to complete.
#nmap -v -p 80 --script all 192.168.31.210
**************************


NMAP - ACTIVE INFORMATION GATHERING: SMB Enumeration
Server Message Block: SMB Protocol

Many security vulnerabilities have been identified in this protocol, from:
- SMB unauthenticated NULL Sessions in Windows 2000 and XP
- Plenty of Microsoft and RPC bugs and vulnerabilities over the years.

The SMB protocol has also undergone many changes and improvements over the years to help improve security, especially in its default implementation.

SMB listens on TCP port 445, and on TCP port 139 plus several UDP ports when using the Windows NetBIOS API.

Using nmap to identify which machines have SMB ports open:
#nmap -p139,445 10.11.1.200-254 --open

There are other tools specifically for identifying which machines are running the SMB or NetBIOS services.
- nbtscan - netbios name server scanner.

#man nbtscan

***************************
#nbtscan 10.11.1.200-254
***************************
nbtscan can even list logged in users if they are present.