Intro to NMAP - Part 1
Site: https://nmap.org/
Github: https://github.com/nmap/nmap
What is NMAP : (Network Mapper) is a free and open-source network scanner
created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).[3]
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
That says most of it ... but it can also be used to scan remote servers ect.
This is one of the most powerful tools for any hackers. Recon and Footprinting is more important then the hack itself some time.
With nmap you can audit systems. See what OS/s , what services and what ports are open ect.
So yes this is one of those tools that your sysadmin does not want you running on your laptop and please don't scan your work network - you can get fired
I suggest creating windows target machines using Vmware or Oracle Virtual Box at home to play with and hack.
So lets start.
Install installing Nmap
1. Download from site.
2. Using APT on Linux
On Linux run the following command:
sudo apt install -y nmap
This will install it on any Linux system.
I have created a Windows 7 VM that we will use for an exercise.
A.The basics
Basic network scan :
nmap 14.56.1.0/24
nmap 192.168.0.1/24
This will display all devices on your network with what ports are open on devices.
Let use my Windows 7 VM as an example
Basic device scan :
nmap 14.56.1.110
This failed with the following error :
Most new OS's blocks this kind of scan so adding the -Pn
-Pn: Treat all hosts as online -- skip host discovery
nmap -Pn 14.56.1.110
As you can see the host is up and we can see a service (program that uses a specific port to communicate on network to other machines)
Port 5357 - Web Services for Devices (WSDAPI) (only provided by Windows Vista, Windows 7 and Server 2008)
And
Port 3389 - Windows Remote Desktop
| 3389 | tcp | rdp | Port is IANA registered for Microsoft WBT Server, used for Windows Remote Desktop and Remote Assistance connections (RDP - Remote Desktop Protocol). Also used by Windows Terminal Server. See also: MS Security Bulletin [MS02-051] and [MS01-040]. Trojans using this port: Backdoor.Win32.Agent.cdm [Symantec-2005-050114-4234-99], TSPY_AGENT.ADDQ This port is vulnerable to Denial of Service Attack Against Windows NT Terminal Server. A remote attacker can quickly cause a server to reach full memory utilization by creating a large number of normal TCP connections to port 3389. Individual connections will timeout, but a low bandwidth continuous attack will maintain a terminal server at maximum memory utilization and prevent new connections from a legitimate source from taking place. Legitimate new connections will fail at this point with an error of either a connection timeout, or the terminal server has ended the connection. References: [CVE-1999-0680] A vulnerability exists in the Remote Desktop Protocol (RDP), where an attacker could send a specially crafted sequence of packets to TCP port 3389 which can result in RDP to accessing an object in memory after it has been deleted. References: [CVE-2012-2526] Zmodo Geovision also uses port 3389 (TCP/UDP) |
For the purpose of the exercise I will enable Windows Remote desktop and we will exploit a know vun. called "Bluekeep" (part2 of nmap)
Info on "Bluekeep"
BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.
First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7. Microsoft issued a security patch (including an out-of-band update for several versions of Windows that have reached their end-of-life, such as Windows XP) on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions up to Windows 10 of the operating system, as well as the older Windows versions.[3] On 6 September 2019, a Metasploit exploit of the wormable BlueKeep security vulnerability was
Wikipedia: https://en.wikipedia.org/wiki/BlueKeep
Github: https://github.com/0xeb-bp/bluekeep
https://github.com/Ekultek/BlueKeep
https://github.com/robertdavidgraham/rdpscan
Some switches of nmap that I Always Use
-sS This sends only a TCP SYN packet and waits for a TCP ACK. If it receives an ACK on the specific probed port, it means the port exist on the machine. This is fast and pretty accurate.
-sT This creates a full TCP connection with the host (full TCP handshake). This is considered more accurate than SYN scan but slower and noisier. noiser means network sniffer will pick you up while you do scan.
-sP This is for fast checking which hosts reply to ICMP ping packets (useful if you are on the same subnet as the scanned range and want a fast result about how many live hosts are connected).
-Input
nmap -iL hosts.txt Scan the IP addresses listed in text file “hosts.txt”
-Output
nmap -oN [filename] [IP hosts] Normal text format
nmap -oG [filename] [IP hosts] Grepable file (useful to search inside file)
nmap -oX [filename] [IP hosts] XML file
nmap -oA [filename] [IP hosts] Output in all 3 formats supported
Read up about nmap on using Google and Linux man (manual) pages. Command on terminal:man nmap
sudo nmap -Pn -sS -A 14.56.1.110
and
sudo nmap -Pn -sS -O 14.56.1.110
The scan shows that the port is open and that or OS is running on a Oracle Virtual Machine - This is important for later.
The fun stuff....
FYI DO NOT DO THIS AT YOUR WORK....!!!
B.Using nmap for Vulnerability Scans
Info: https://securitytrails.com/blog/nmap-vulnerability-scan
https://github.com/scipag/vulscan
https://github.com/vulnersCom/nmap-vulners
https://nmap.org/nsedoc/categories/vuln.html
Please look at the Github pages on how to install for diff OS's
The NMAP has a script engine - This will point out vulnerabilities - So yes this can
be used for good and bad.
So lets start by Using Vulscan
sudo nmap -sV --script=vulscan/vulscan.nse 14.56.1.110
Alot of Output ... mmmm lets try something else
Use the -oX switch this will output to a XML file.
sudo nmap -sV --script=vulscan/vulscan.nse -oX Windows7.xml 14.56.1.110
I suggest playing around and use the switches
Examples:
sudo nmap -Pn --script vuln 14.56.1.110
sudo nmap -sV -Pn --script=vulscan/cve.csv 14.56.1.110 -p 3389
https://nmap.org/nsedoc/categories/vuln.html
Checking 3389 for Bluekeep
https://nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html
sudo nmap -sV -Pn --script=rdp-vuln-ms12-020 -p 3389 14.56.1.110
Your exersice :
Scan home network ranges.
By using the output switch create a file with all ip's and open ports
Create spreadsheet by range with all IP's in first column and ports in the next
Your homework :
Hackers use weak protocal ports to exploit networks. Read up about Port knocking.
Also learn more about ports on your network example: port 21 - FTP , port 22 -SSH
All programs use ports over a network to comminicate. Its our work to protect them
Some other examples :
Command on terminal:nmap 10.1.1.5-100 Scan the range of IPs between 10.1.1.5 up to 10.1.1.100
Command on terminal:nmap -iL hosts.txt Scan the IP addresses listed in text file “hosts.txt”
Command on terminal:nmap 10.1.1.3 10.1.1.6 10.1.1.8 Scan the 3 specified IPs only
Command on terminal:nmap www.somedomain.com First resolve the IP of the domain and then scan its IP address
In Part2 I will explain how to "weaponize" nmap and we will see how we can run a exploit.