Nmap Details



Open: This means that there is an application accepting a TCP connection, UDP datagram, or SCTP association.
Closed: This means that although the port is accessible, there is no application listening on that port.
Filtered: This means that Nmap cannot determine whether the port is open or not because a packet-filtering device is blocking the probe from reaching the target.
Unfiltered: This means that the port is accessible, but Nmap cannot determine whether it is open or closed.
Open | Filtered: This means that Nmap is unable to determine whether a port is open or filtered. This happens when a scan of open ports does not get a response. It can be achieved by setting the firewall to drop packets.
Closed | Filtered: This means Nmap is unable to determine whether a port is closed or filtered.
Taken from Kali Linux 2 - Assuring Security by Penetration Testing, third edition. Packt Publishing. page 169

Introduction

"Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses." (Ref Wikipedia)

"The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection,[3] vulnerability detection, and other features. Nmap is also capable of adapting to network conditions including latency and congestion during a scan. Nmap is under development and refinement by its user community." (Ref Wikipedia)

"Nmap was first published in September 1997, as an article in Phrack Magazine with source-code included. With help and contributions of the computer security community, development continued. Enhancements included operating system fingerprinting, service fingerprinting, code rewrites (C to C++), additional scan types, protocol support (e.g. IPv6, SCTP) and new programs that complement Nmap's core features." (Ref Wikipedia)

Points to be aware of:

We will look at how to run the nmap command with some of its many parameters. But what about the results we get? How do we interpret them? In the following section the results of an nmap scan are displayed with many portions colored in RED. These are the items of interest. Position the mouse over each of them to display an explanation.

TCP Background

In the TCP protocol there are several "flags" that indicate the type of packet. The top half of the illustration below shows that 12 bits are used as flags, each bit being binary (0 or 1). Turning on one or more bits sets the packet's type.

For most discussions, the last 6 bits are the ones we are interested in.

In the bottom half of the illustration you see a hex dump of an actual TCP packet. At the right is a printable representation of the binary material and on the left is the hex representation. In the hex portion it takes two hex digits to represent one character.

So, 'p' is the printable representation of hex '70'.

For a much more detailed view and dissection of a packet with each of its parts labeled, use Wireshark to view the .pcap file that contains the captured packets (.pcap is the filename suffix for packet capture logs).

Below is more descriptive information about each flag. Note that more than one flag can be turned on in any single packet. Nmap sets these flags in a variety of combinations to perform the different types of scans it supports.

Reference https://en.wikipedia.org/wiki/Transmission_Control_Protocol

Practicing Port Scanning

The nmap site provides a host you can always portscan for practice. They just request that you go easy on it:

http://scanme.nmap.org

Another point of terminology is "socket". A given host will have a "service" (a program that provides service to other hosts and clients - daemon in *nix) running which has been "bound" to (listening for traffic directed to that point) a specific TCP/UDP port. The combination of the host IP address and a specific port (separated by a colon) is called a socket.

You can always portscan a host that has a VAN currently in force, and we plan to have a test server online soon that is intended for practicing techniques such as portscanning. So do not run nmap against hosts that are not covered by a VAN, because it is likely to raise a red flag and throw an intrusion alert.

Examples

Below is a display of the help information for nmap. The more interesting items are highlighted.

C:\>nmap -h
Nmap 7.12 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Before we go into nmap scripts, let's examine Nmap's port scanning functions. Below is an example of a basic portscan.

What do these scan results tell you?

C:\>nmap -sS -p 21,22,23,25,53,80,433,1403 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-02-03 11:58 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.011s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
433/tcp  closed unknown
1403/tcp closed prm-nm-np

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

In the example below we omit the port numbers, so nmap's default list is used. And the -sV specifies that a "Version" scan is to be run on all open ports. Remember that this can take several minutes to complete.

We see the state of each port: open, filtered, closed...

Each service has been checked for an identifying banner, or a fingerprint that implies the software version.

These results often point to endpoints (open ports) that are worth investigating.

For example, port 2144 automatically downloads a file that contains non-printable characters. This would be worth googling to determine the service software and check for vulnerabilities.

For each point of interest you can try opening it with a browser and the telnet utility. Any material sent back should be used to see if it can identify the program listening at that point and then check the NVD for vulnerabilities you can attempt or simply report.

C:\>nmap -sV 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-02-03 12:06 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.029s latency).
Not shown: 981 closed ports
PORT     STATE    SERVICE            VERSION
80/tcp   open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open     msrpc?
139/tcp  open     netbios-ssn        Microsoft Windows 98 netbios-ssn
443/tcp  open     ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp  open     microsoft-ds       Microsoft Windows Server 2008 R2 microsoft-ds
1801/tcp open     msmq?
2103/tcp open     msrpc              Microsoft Windows RPC
2105/tcp open     msrpc              Microsoft Windows RPC
2107/tcp open     msrpc              Microsoft Windows RPC
2144/tcp open     ssl/ajp13          Oracle Containers for J2EE (unauthorized)
3389/tcp open     ssl/ms-wbt-server?
4899/tcp filtered radmin
5000/tcp open     msrpc              Microsoft Windows RPC
5001/tcp open     msrpc              Microsoft Windows RPC
5002/tcp open     msrpc              Microsoft Windows RPC
5003/tcp open     msrpc              Microsoft Windows RPC
5004/tcp open     msrpc              Microsoft Windows RPC
5009/tcp open     msrpc              Microsoft Windows RPC
8081/tcp open     http               McAfee ePolicy Orchestrator Agent Activity Log httpd
Service Info: OSs: Windows, Windows 98, Windows Server 2008 R2; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_server_2008:r2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.93 seconds

Below is an example of a "trace route". The result is a list of the switches that stand between us and the target, and consequently the path the packets followed.

This can be used for several purposes, including identifying the switches so that they can be reviewed for security issues. In this case https://205.204.237.11/ identifies this as a Checkpoint "SSL Network Extender". It also has a 2013 copyright date that indicates this is older software. And the last hop identifies itself as a "Microsoft-IIS/8.5" service.

Another use for a traceroute is to determine which switches you can get through and where you are blocked, for line of sight.

FYI - you can also use the tracert program in Windows or traceroute in *nix to determine the same information.

C:\>nmap -sS --traceroute 205.204.237.63

Starting Nmap 7.12 ( https://nmap.org ) at 2019-02-03 12:21 Eastern Daylight Time
Nmap scan report for 205.204.237.63
Host is up (0.0071s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   0.00 ms  127.0.0.1
2   ...
3   0.00 ms  10.49.247.129
4   31.00 ms 172.20.140.1
5   31.00 ms 172.25.5.31
6   15.00 ms 172.20.128.150
7   0.00 ms  172.20.128.165
8   0.00 ms  162.114.39.90
9   0.00 ms  172.28.39.2
10  15.00 ms 205.204.237.11
11  16.00 ms 205.204.237.63

Nmap done: 1 IP address (1 host up) scanned in 9.00 seconds

Use the -V option to determine the version of Nmap you are running:

C:\>nmap -V

Nmap version 7.12 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.2.4 openssl-1.0.2g nmap-libpcre-7.6 libpcap-4.1.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: select

More Port scanning Examples

There are several types of port scans that can be run, each distinguished by the combination of TCP flags that are set. Some are completely irrational, and some are typical but used at an unexpected time. For example, an ACK scan starts by sending an acknowledgement packet to a host that has not sent anything; the host then replies with an "I have not sent you anything" type of message, revealing the fact that something is listening to and responding from that port.
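As an added example (not code from the original page or from nmap), the following Python decodes the flag bits from a hex dump laid out like the illustration in the TCP Background section above and maps the flag combination to the nmap scan type it corresponds to, using the flag sets the nmap manual documents for each -s option. The dump, ports and sequence number are constructed values.

```python
import re
import struct

# Bit values of the 12-bit flags field that follows the data offset (the low 9 bits are
# defined flags, the top 3 are reserved). The "last 6 bits" the text refers to are URG..FIN.
TCP_FLAGS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}

# Flag combinations the nmap manual documents for its scan probes, plus the two replies
# that tell the scanner what it learned. Anything else is treated as ordinary traffic.
SIGNATURES = {
    frozenset({"SYN"}): "SYN scan probe (-sS), or the first packet of a normal connection",
    frozenset(): "Null scan probe (-sN)",
    frozenset({"FIN"}): "FIN scan probe (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan probe (-sX)",
    frozenset({"ACK"}): "ACK scan probe (-sA / -sW), or a bare acknowledgement",
    frozenset({"FIN", "ACK"}): "Maimon scan probe (-sM)",
    frozenset({"SYN", "ACK"}): "SYN/ACK reply: port is open",
    frozenset({"RST"}): "RST reply: port closed, or host rejecting an unsolicited probe",
    frozenset({"RST", "ACK"}): "RST/ACK reply: port closed, or host rejecting an unsolicited probe",
}

# One dump line: offset, hex pairs separated by single spaces, then two spaces and the
# printable column. Only the hex pairs are captured.
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]+:?\s+((?:[0-9a-fA-F]{2} )+)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from a hex dump; the printable column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def printable_column(data: bytes) -> str:
    """The right-hand column of a dump: one character per byte, '.' for non-printables."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and name the flags that are set."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes (upper 4 bits)
    if data_offset < 20:
        raise ValueError("invalid data offset")
    flag_bits = off_flags & 0x0FFF               # the 12 flag bits
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": data_offset, "window": window, "checksum": checksum, "urgent": urgent,
        "flags": {name for name, bit in TCP_FLAGS.items() if flag_bits & bit},
        "payload": segment[data_offset:],
    }


def classify(flags: set) -> str:
    """Name the nmap scan type (or reply) a flag combination corresponds to."""
    return SIGNATURES.get(frozenset(flags), "no nmap scan signature: ordinary data segment")


# Constructed dump of an Xmas probe: port 50144 -> 80, header length 5 words, flags 0x029.
XMAS_DUMP = """
0000  c3 e0 00 50 12 34 56 78 00 00 00 00 50 29 04 00  ...P.4Vx....P)..
0010  ab cd 00 00                                      ....
"""

if __name__ == "__main__":
    seg = hexdump_to_bytes(XMAS_DUMP)
    hdr = parse_tcp_header(seg)
    print(seg.hex(" "), "->", printable_column(seg))
    print(sorted(hdr["flags"]), "=>", classify(hdr["flags"]))
```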

"SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of crackers, is sometimes used to perform denial-of-service (DoS) attacks. SYN scanning is also known as half-open scanning." (http://searchnetworking.techtarget.com/definition/SYN-scanning)

A SYN scan (which is selected by using the -sS parameter) attempts to establish a TCP connection with a host on a specific port. If the target host replies with a SYN/ACK packet, the port can be considered open. If there is a different response, or no response, the port can be considered closed.

C:\>nmap -sS --open 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 11:38 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.0038s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

The -sO scan is an IP protocol scan. Rather than relying on variations of the TCP handshake, here the IP protocol itself is used to query the target for which IP protocols it supports. This can help identify legacy ports.

C:\>nmap -sO --open 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 11:44 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.019s latency).
Not shown: 253 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmp
6        open  tcp
17       open  udp

Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds

The service Version scan -sV attempts to determine the program and version listening at a given port. Because critical vulnerabilities can be isolated to specific components of a server, you should identify as many as possible and research them for known vulnerabilities. The --version-all parameter fine-tunes this scan to look as hard as it can to determine the version of each open port.

In this example the --open parameter is introduced. This parameter simply limits the output to ports that are considered open rather than including those that are considered closed or filtered.

C:\>nmap -sV --open --version-all 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 11:45 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.079s latency).
Not shown: 954 closed ports, 42 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux;protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.7 ((Ubuntu))
554/tcp  open  rtsp?
9929/tcp open  nping-echo Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.50 seconds

Another nice feature of nmap is that, while it does not show open ports until the entire scan is finished, you can press Enter during a scan to see the progress it is making.

C:\>nmap -sV --open --version-all 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 15:47 Eastern Daylight Time

Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Ping Scan Timing: About 100.00% done; ETC: 15:47 (0:00:00 remaining)

Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 20.00% done; ETC: 15:48 (0:00:24 remaining)

Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 15:48 (0:00:05 remaining)

The TCP Null scan sends a packet with none of the TCP flags set. This unexpected condition is intended to elicit a response that helps determine whether the port is open or not. Null scans may or may not be helpful; your mileage may vary.

C:\>nmap -sN --open 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 15:44 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.0034s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE
80/tcp   open|filtered http
443/tcp  open|filtered https
515/tcp  open|filtered printer
631/tcp  open|filtered ipp
9100/tcp open|filtered jetdirect

Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds

The FIN scan sends a FIN (finish) packet to the target without a session having been established. This unexpected condition can elicit a response from the target that could help determine whether the port is open or closed.

C:\>nmap -sF --open 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 15:33 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.059s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are closed (954) or open|filtered (46)

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds

The Xmas scan sends a TCP packet with all of the TCP flags turned on.

This unexpected condition is intended to elicit a response that helps determine whether the port is open or not.

C:\>nmap -sX 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 15:34 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0058s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 4.97 seconds

C:\>nmap -O --open 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 11:51 Eastern Daylight Time
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.05% done; ETC: 11:52 (0:00:48 remaining)
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.00% done; ETC: 11:52 (0:00:32 remaining)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.075s latency).
Not shown: 954 closed ports, 42 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
554/tcp  open  rtsp
9929/tcp open  nping-echo
Aggressive OS guesses: Linux 3.10 - 4.1 (96%), Linux 3.16 - 3.19 (95%), Linux 3.2 - 4.4 (94%), Linux 3.2 - 3.8 (93%), Linux 3.13 or 4.2 (92%), Linux 2.6.26 - 2.6.35 (91%), Linux 2.6.32 - 3.13 (91%), Linux 3.13 (91%), Linux 3.13 - 3.16 (91%), Android 5.0 - 5.1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 21 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds

Here notice the -T5 parameter. This sets the "speed" or timing template. The default is 3. Notice the difference in duration between -T5 and -T1 in the two examples below. -T0 is also valid, but INCREDIBLY slow. This is more than a load balancing technique. Many firewalls and switches will watch for SYN scans (in this example), but expect them to occur within a moderately short period of time, since these devices have to retain the information about each SYN packet identified in order to tell a behavior pattern from a one-off anomaly. Tying up that much memory for more than a very short time will begin to impact the device's performance. So a stopwatch is used to say "If I do not see another SYN from this host in 3 seconds I will clear this watch and free up the memory." Well, if I am patient (and attackers are patient) then they will configure a port scan, that would otherwise be identified and blocked, to run so slowly that the devices do not notice the behavior. One packet per day!

C:\>nmap -sS -T5 --open 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 16:01 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.0050s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

C:\>nmap -sS -T1 --open 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-09-15 16:01 Eastern Daylight Time

Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.50% done

Stats: 0:02:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.80% done

Stats: 0:03:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.10% done; ETC: 20:57 (4:52:12 remaining)

Stats: 0:04:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.60% done; ETC: 20:43 (4:36:45 remaining)
^C
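The stopwatch logic described above can be compared with a detector that keeps a longer memory. This is an added example, not code from the page or from nmap; the SYN log, the 3-second idle timeout and the 10-port threshold are constructed values.

```python
from collections import defaultdict, deque


def constructed_syn_log():
    """Constructed SYN probe log as (timestamp in seconds, source address, destination port).
    10.0.0.5 behaves like a -T5 scan (20 ports in one second), 10.0.0.9 like a very slow
    scan (one port every ten seconds), and 10.0.0.7 is a normal client reusing one port."""
    fast = [(100.0 + i * 0.05, "10.0.0.5", 1 + i) for i in range(20)]
    slow = [(200.0 + i * 10.0, "10.0.0.9", 1 + i) for i in range(20)]
    client = [(150.0 + i * 0.5, "10.0.0.7", 443) for i in range(50)]
    return sorted(fast + slow + client)      # detectors expect chronological order


def stopwatch_detector(events, idle_timeout=3.0, threshold=10):
    """The 'stop watch' logic from the text: per-source state is dropped when no SYN
    arrives within idle_timeout seconds, so a probe every 10 s never accumulates.
    Returns the set of sources that reached threshold distinct ports in one burst."""
    state = {}                           # src -> (last_seen, ports seen in current burst)
    alerts = set()
    for ts, src, port in events:
        last, ports = state.get(src, (None, set()))
        if last is not None and ts - last > idle_timeout:
            ports = set()                # timer expired: memory freed, history forgotten
        ports.add(port)
        state[src] = (ts, ports)
        if len(ports) >= threshold:
            alerts.add(src)
    return alerts


def sliding_window_detector(events, window=3600.0, threshold=10):
    """Alternative that counts distinct destination ports per source over a long sliding
    window instead of a short idle timer. State is one (timestamp, port) pair per probe
    and is bounded by the window, so a patient scan still stands out."""
    recent = defaultdict(deque)          # src -> recent (timestamp, port) pairs
    alerts = set()
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()                  # expire probes older than the window
        if len({p for _, p in q}) >= threshold:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    log = constructed_syn_log()
    print("idle-timer detector flags:", sorted(stopwatch_detector(log)))
    print("sliding-window detector flags:", sorted(sliding_window_detector(log)))
```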

Putting it all together so far...

So far we have focused on one or more directives at a time, but you can of course combine practically any number of valid directives together as long as they are not in some way contradictory. This allows you to gather a large amount of information in a very precise way.

In the scan below we include the directives to do the following:

. do not perform pings to determine if the host is responsive

. enable OS detection, version detection, script scanning, and traceroute

. perform a SYN scan

. probe open ports to determine service/version info

. only show open (or possibly open) ports

. try every single probe

. set timing template (very fast)

. ports 1 through 65535

. output normal style to a file named '192.168.2.6.nmap.full.versions.txt'

. and finally, the target is at IP 192.168.2.6

# Nmap 7.60 scan initiated Tue Sep 24 12:02:44 2019 as: nmap -Pn -A -sS -sV --open --version-all -T4 -p 1-65535 -oN 192.168.2.6.nmap.full.versions.txt 192.168.2.6
Nmap scan report for wintermute (192.168.2.6)
Host is up (0.0000070s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops

Host script results:
|_nbstat: NetBIOS name: WINTERMUTE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: wintermute
|   NetBIOS computer name: WINTERMUTE\x00
|   Domain name: \x00
|   FQDN: wintermute
|_  System time: 2019-09-24T12:03:05-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-09-24 12:03:05
|_  start_date: 1600-12-31 19:03:58

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 24 12:03:05 2019 -- 1 IP address (1 host up) scanned in 21.25 seconds


Scripts

Nmap comes with hundreds of scripts that it can use to perform specialized functions. To make sure you have the latest copies of these scripts along with any new scripts, run the following command:

C:\>nmap --script-updatedb

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-19 18:22 Eastern Daylight Time
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 7.38 seconds

Nmap scripts are text files with a .nse suffix (Nmap Scripting Engine). By default they are located in the C:\Program Files\Nmap\scripts\ directory.

So given those hundreds of nmap scripts available to run, how can we make sense of them all? Not to worry: we can run nmap with the proper parameters to display a help screen for each script.

If you are interested in a script named "http-vuln-cve2013-0156.nse", the following command will display that script's help information.

C:\>nmap -script-help http-vuln-cve2013-0156.nse

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-23 17:26 Eastern Daylight Time

http-vuln-cve2013-0156
Categories: exploit vuln
https://nmap.org/nsedoc/scripts/http-vuln-cve2013-0156.html
  Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)

  All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless YAML payloads to detect vulnerable installations. If the malformed object   receives a status 500 response, the server is processing YAML objects and   therefore is likely vulnerable.

  References:
  https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
  https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
  http://cvedetails.com/cve/2013-0156/

----------------

C:\>nmap -script-help ssl-enum-ciphers.nse

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-23 17:28 Eastern Daylight Time

ssl-enum-ciphers
Categories: discovery intrusive
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

  This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.

  Each ciphersuite is shown with a letter grade (A through F) indicating the strength of the connection. The grade is based on the cryptographic strength of the key exchange and of the stream cipher. The message integrity (hash) algorithm choice is not a factor. The output line beginning with <code>Least strength</code> shows the strength of the weakest   cipher offered.

  SSLv3/TLSv1 requires more effort to determine which ciphers and compression methods a server supports than SSLv2. A client lists the ciphers and compressors that it is capable of supporting, and the server will respond with a single cipher and compressor chosen, or a rejection notice.

  Some servers use the client's ciphersuite ordering: they choose the first of the client's offered suites that they also support. Other servers prefer their own ordering: they choose their most preferred suite from among those the client offers. In the case of server ordering, the script makes extra probes to discover the server's sorted preference list. Otherwise, the list is sorted alphabetically.

  The script will warn about certain SSL misconfigurations such as MD5-signed certificates, low-quality ephemeral DH parameters, and the POODLE vulnerability.

  This script is intrusive since it must initiate many connections to a server, and therefore is quite noisy.

This will determine which SSL/TLS protocols are supported by this service:

C:\>nmap --script ssl-enum-ciphers -p 443 127.0.0.2

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2019-08-19 17:35 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.00s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|       Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ec 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ec 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|       Key exchange parameters of lower strength than certificate key
|       Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds


Here the "http-auth" script is used to identify the types of authentication a web service supports.

C:\>nmap --script http-auth --script-args http-auth.path=/IdentityManagement/aspx/users/AllPersons.aspx -p80 127.0.0.93

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 15:51 Eastern Daylight Time
Nmap scan report for 127.0.0.93
Host is up (0.0056s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-auth:
| HTTP/1.1 401 Unauthorized
|   Negotiate
|_  NTLM

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds

In the example below port 80 is specified explicitly, so it is the only TCP port queried for the HTTP methods it supports.

As a general rule, only GET and POST, and perhaps HEAD, should be supported. The OPTIONS method is a minor problem, but others such as PUT, DELETE, and COPY are problematic.

C:\>nmap --script http-methods -p 80 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:55 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.00s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

Nmap done: 1 IP address (1 host up) scanned in 2.79 seconds

C:\>nmap --script http-methods -p 80 205.204.132.139

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 15:58 Eastern Daylight Time
Nmap scan report for dayglo.state.ky.us (205.204.132.139)
Host is up (0.0055s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS

Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds

In this next example, no ports are specified, so nmap scans several common ports querying for the HTTP methods that are supported.

In this example notice the open ports of interest (ftp, smtp, ...).

As a side point, in the report below notice that there is a "lockd" service. Traditionally, any name that ends with a "d" is a "daemon" in Linux, or a service in Windows. So this is the "lock" service. Below that you will notice several "rpc" services; RPC stands for Remote Procedure Call, a way for one application to request services or actions from another application.

C:\>nmap --script http-methods ky.gov

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2019-08-19 17:48 Eastern Daylight Time
Nmap scan report for ky.gov (205.204.132.139)
Host is up (0.0033s latency).
rDNS record for 205.204.132.139: dayglo.state.ky.us
Not shown: 843 closed ports, 147 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
80/tcp    open  http
|_http-methods: HEAD GET
2001/tcp  open  dc
4045/tcp  open  lockd
7100/tcp  open  font-service
32777/tcp open  sometimes-rpc17
32778/tcp open  sometimes-rpc19
32781/tcp open  unknown
32782/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 36.06 seconds

Below we run the "banner" script to gather application banners. In many cases, when you open a session with a service it automatically sends a banner identifying itself, and possibly other information; this is information leakage that could assist an attacker.

C:\>nmap --script banner  45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:56 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.067s latency).
Not shown: 954 closed ports, 42 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
80/tcp   open  http
554/tcp  open  rtsp
9929/tcp open  nping-echo
| banner: \x01\x01\x00\x18O\xCBi\x0BW\xBBg\x12\x00\x00\x00\x00'K\x8F]\xEC
|_\x0A\xA7"\xF7\xD9.\x04\x8B\x99":VM\xF8\x04b \xD6t\xE4\xB0z0\x87IM\xA...

Nmap done: 1 IP address (1 host up) scanned in 19.11 seconds

C:\>nmap -sV --script=banner -p 80 127.0.0.2

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2019-08-19 17:53 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.00s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.09 seconds

Interestingly, this is a banner scan of the state's homepage.

C:\>nmap -sV --script=banner -p 80 205.204.132.139

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:05 Eastern Daylight Time
Nmap scan report for dayglo.state.ky.us (205.204.132.139)
Host is up (0.0057s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Sun ONE Web Server 6.1
|_http-server-header: Sun-ONE-Web-Server/6.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.35 seconds

As if it could not get any better, here is a script that you can point at a webpage and the results are a list of the comments on that page.

http-comments-displayer

Extracts and outputs HTML and JavaScript comments from HTTP responses.

C:\>nmap -p80 --script http-comments-displayer williambellamy.com

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:11 Eastern Daylight Time
Nmap scan report for williambellamy.com (67.51.200.169)
Host is up (0.0029s latency).
rDNS record for 67.51.200.169: hblnxweb06.hostbaby.com
PORT   STATE SERVICE
80/tcp open  http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=williambellamy.com
|
|     Path: http://williambellamy.com/css/style.comic.css
|     Line number: 1
|     Comment:
|         /* Generated by Font Squirrel (http://www.fontsquirrel.com) on February 12, 2014 */
|
|     Path: http://williambellamy.com/css/style.css
|     Line number: 27
|     Comment:
|         /*
|         The horizontal offset of the shadow.
|         The vertical offset of the shadow.
|         The blur radius of the shadow.
|         The color of the shadow.
|         box-shadow: h-shadow v-shadow blur spread color inset;
|         */
|
|     Path: http://williambellamy.com/css/style.css
|     Line number: 57
|     Comment:
|         /*
|         The horizontal offset of the shadow.
|         The vertical offset of the shadow.
|         The blur radius of the shadow.
|         The color of the shadow.
|
|         box-shadow: h-shadow v-shadow blur spread color inset;
|         */
|
|     Path: http://williambellamy.com/css/style.css
|     Line number: 111
|     Comment:
|_        /*    text-indent: 32px; */

Nmap done: 1 IP address (1 host up) scanned in 3.56 seconds

C:\>nmap -p80 --script http-comments-displayer 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-29 12:12 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.00s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=scanme.nmap.org
|
|     Path: http://scanme.nmap.org/
|     Line number: 101
|     Comment:
|         <!-- These can come back if I ever update them ...
|         <li><a href="http://insecure.org/links.html">Exceptional Links</a></li>
|         <li><a href="http://insecure.org/reading.html">Good Reading</a></li>
|         <li><a href="http://insecure.org/sploits.html">Exploit World</a></li>
|         -->
|
|     Path: http://scanme.nmap.org/
|     Line number: 148
|     Comment:
|         <!-- Modified random image selection code - original version at
|              http://www.bravenet.com/reviews/archives/tips.php?view=8 -->
|

Nmap done: 1 IP address (1 host up) scanned in 2.89 seconds

And here we query a service for default accounts. In this case, none were identified.

Tests for access with default credentials used by a variety of web applications and devices.

C:\>nmap --script=http-default-accounts scanme.nmap.org

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-29 11:54 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.066s latency).
Not shown: 953 closed ports, 43 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
554/tcp  open  rtsp
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds

In the next example we check a web service to see if it provides WebDAV, a framework for distributed/collective development. WebDAV often adds HTTP methods that pose significant risk.

C:\>nmap --script http-webdav-scan -p80,8080 205.204.132.139

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:43 Eastern Daylight Time
Nmap scan report for dayglo.state.ky.us (205.204.132.139)
Host is up (0.0045s latency).
PORT     STATE  SERVICE
80/tcp   open   http
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

http-robots.txt

Checks for disallowed entries in /robots.txt on a web server. While there are very good reasons to use a robots.txt file, it should never be used as a security measure. Spiders and robots that index pages for search engines will read the robots.txt file and exclude the branches listed as "disallowed", but only if they are well behaved...

Too often, the robots.txt file is simply a list of directories where "the good stuff" can be found!

C:\>nmap --script http-robots.txt -p80 205.204.132.139

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:44 Eastern Daylight Time
Nmap scan report for dayglo.state.ky.us (205.204.132.139)
Host is up (0.0030s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-robots.txt: 2 disallowed entries
|_/mlm/woogle/ /kystandards/

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

http-sitemap-generator

Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document.

C:\>nmap -script http-sitemap-generator -p80,8080 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-29 12:22 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.011s latency).
PORT     STATE  SERVICE
80/tcp   open   http
| http-sitemap-generator:
|   Directory structure:
|     /
|       Other: 1
|     /images/
|       png: 1
|     /shared/css/
|       css: 1
|     /shared/images/
|       gif: 1; png: 1
|     /shared/images/Acunetix/
|       gif: 1
|     /shared/images/netsparker/
|       gif: 1
|     /shared/images/tenable/
|       gif: 1
|   Longest directory structure:
|     Depth: 3
|     Dir: /shared/images/tenable/
|   Total files found (by extension):
|_    Other: 1; css: 1; gif: 4; png: 2
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 3.54 seconds

Here the "http-headers" script returns only the HTTP headers sent by the server.

C:\>nmap -sV --script=http-headers -p 80 45.33.32.156

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 17:01 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.00s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-headers:
|   Date: Mon, 22 Aug 2019 21:01:33 GMT
|   Vary: Accept-Encoding
|   Server: Apache/2.4.7 (Ubuntu)
|   Connection: Close
|   Content-Type: text/html
|   Accept-Ranges: bytes
|
|_  (Request type: HEAD)
|_http-server-header: Apache/2.4.7 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds

Notice in the following example all of the insightful information this one command can provide!

C:\>nmap -sV --script=http-headers -p 80 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-22 16:39 Eastern Daylight Time
Nmap scan report for 127.0.0.2
Host is up (0.0020s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 8.5
| http-headers:
|   Content-Length: 326
|   Content-Type: text/html
|   Last-Modified: Tue, 03 Mar 2015 14:07:37 GMT
|   Accept-Ranges: bytes
|   ETag: "59e4567bb55d01:0"
|   Server: Microsoft-IIS/8.5
|   Set-Cookie: BlueStripe.PVN=3d3400009d36; path=/
|   X-Powered-By: ASP.NET
|   X-Frame-Options: SAMEORIGIN
|   Date: Mon, 22 Aug 2019 20:39:51 GMT
|   Connection: close
|   Set-Cookie: BigIPEnc=!wMouJJR4CSpoHindem3K19lTDo9ixXprVWVDeu6xXYRAuJs8csKFnuSmWI70drUdQSxhU9ZuWg==; path=/
|
|_  (Request type: HEAD)
|_http-server-header: Microsoft-IIS/8.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
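As an added example (not part of the original page or of Nmap), this Python triages the http-headers output above the way a reviewer would: software/version disclosure, cookies set without HttpOnly or Secure, and whether X-Frame-Options is present. The two sample blocks are constructed from the headers shown for the Apache and IIS hosts, with the long BigIPEnc cookie value replaced by a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples copied from the two http-headers results shown above
# (the long BigIPEnc cookie value is replaced by a placeholder).
SAMPLE_APACHE = """\
| http-headers:
|   Date: Mon, 22 Aug 2019 21:01:33 GMT
|   Vary: Accept-Encoding
|   Server: Apache/2.4.7 (Ubuntu)
|   Connection: Close
|   Content-Type: text/html
|   Accept-Ranges: bytes
|
|_  (Request type: HEAD)
"""

SAMPLE_IIS = """\
| http-headers:
|   Content-Length: 326
|   Content-Type: text/html
|   Server: Microsoft-IIS/8.5
|   Set-Cookie: BlueStripe.PVN=3d3400009d36; path=/
|   X-Powered-By: ASP.NET
|   X-Frame-Options: SAMEORIGIN
|   Connection: close
|   Set-Cookie: BigIPEnc=PLACEHOLDER; path=/
|
|_  (Request type: HEAD)
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_http_headers(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the script's normal output, keeping
    repeated headers such as multiple Set-Cookie lines in order."""
    headers: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()        # drop Nmap's tree prefix
        if not line or line == "http-headers:" or line.startswith("(Request type"):
            continue
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1), m.group(2)))
    return headers


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group the findings a reviewer would raise from one HEAD response."""
    report: Dict[str, List[str]] = {"disclosure": [], "cookies": [], "missing": []}
    present = {name.lower() for name, _ in headers}
    for name, value in headers:
        lname = name.lower()
        # Product plus version tells the reader exactly which advisories apply.
        if lname == "server" and re.search(r"\d", value):
            report["disclosure"].append(f"{name}: {value}")
        elif lname in ("x-powered-by", "x-aspnet-version"):
            report["disclosure"].append(f"{name}: {value}")
        elif lname == "set-cookie":
            # Attributes follow the first ';' (path=/ here); flags are case-insensitive.
            cookie_name = value.split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            lacking = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
            if lacking:
                report["cookies"].append(f"{cookie_name}: missing {', '.join(lacking)}")
    if "x-frame-options" not in present:
        report["missing"].append("X-Frame-Options")
    return report


if __name__ == "__main__":
    for label, sample in (("Apache", SAMPLE_APACHE), ("IIS", SAMPLE_IIS)):
        print(label, audit_headers(parse_http_headers(sample)))
```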

The http-brute script will perform a brute force password auditing attack against http basic, digest and ntlm authentication methods.


Running scripts by category

Up to this point we have been running a single script at a time. You can however run a group of scripts based on their category. Below the "discovery" category is invoked.

C:\>nmap --script discovery 127.0.0.2

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-23 16:47 Eastern Daylight Time
Pre-scan script results:
| broadcast-igmp-discovery:
|   127.0.0.113
|     Interface: eth2
|     Version: 2
|     Group: 224.0.5.128
|     Description: SIAC Market Service
|   127.0.0.97
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.251
|     Description: mDNS
|   127.0.0.154
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   127.0.0.176
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.251
|     Description: mDNS
|   127.0.0.248
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   127.0.0.249
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   127.0.0.118
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   127.0.0.221
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.251
|     Description: mDNS
|   127.0.0.79
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.250
|     Description: Organization-Local Scope (rfc2365)
|   127.0.0.97
|     Interface: eth1
|     Version: 2
|     Group: 127.0.0.250
|     Description: Organization-Local Scope (rfc2365)
|_  Use the newtargets script-arg to add the results as targets
| broadcast-ping:
|   IP: 127.0.0.67     MAC: 78:fd:94:0a:b9:f7
|   IP: 127.0.0.201    MAC: 6c:72:e7:bc:05:b0
|   IP: 127.0.0.116    MAC: b8:44:d9:15:38:95
|   IP: 127.0.0.113     MAC: 00:20:85:eb:70:37
|   IP: 127.0.0.206    MAC: a0:99:9b:34:e2:f1
|   IP: 127.0.0.119    MAC: a4:f1:e8:18:bd:ac
|   IP: 127.0.0.244    MAC: a4:f1:e8:18:7b:a7
|   IP: 127.0.0.24      MAC: 00:20:85:eb:6f:67
|   IP: 127.0.0.63     MAC: 54:ae:27:22:1f:a2
|   IP: 127.0.0.194    MAC: a0:18:28:41:49:b9
|   IP: 127.0.0.174    MAC: 70:3e:ac:9a:f6:7e
|   IP: 127.0.0.186    MAC: 30:63:6b:bc:b7:89
|   IP: 127.0.0.116    MAC: f4:37:b7:23:cb:99
|   IP: 127.0.0.221    MAC: d0:a6:37:60:0f:e6
|   IP: 127.0.0.58     MAC: 00:88:65:52:1a:3e
|   IP: 127.0.0.255  MAC: 58:16:26:b6:ea:01
|   IP: 127.0.0.182    MAC: 78:3a:84:a3:fa:1f
|   IP: 127.0.0.23     MAC: 68:db:ca:8a:1a:50
|   IP: 127.0.0.96     MAC: 80:00:6e:94:4f:c4
|   IP: 127.0.0.176    MAC: a8:66:7f:50:9f:10
|   IP: 127.0.0.62     MAC: fc:e9:98:04:b6:35
|_  Use --script-args=newtargets to add the results as targets
|_mrinfo: ERROR: Script execution failed (use -d to debug)
| targets-asn:
|_  targets-asn.asn is a mandatory parameter

C:\>nmap --script default 127.0.0.93

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-23 16:55 Eastern Daylight Time
Nmap scan report for 127.0.0.93
Host is up (0.014s latency).
Not shown: 983 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
| http-auth:
| HTTP/1.1 401 Unauthorized
|   Negotiate
|_  NTLM
| http-ntlm-info:
|   Target_Name: EAS
|   NetBIOS_Domain_Name: EAS
|   NetBIOS_Computer_Name: ENT1VP-WS001
|   DNS_Domain_Name: eas.ds.ky.gov
|   DNS_Computer_Name: ENT1VP-WS001.eas.ds.ky.gov
|   DNS_Tree_Name: ds.ky.gov
|_  Product_Version: 6.3.9600
|_http-title: Site doesn't have a title.
135/tcp   open  msrpc
443/tcp   open  https
|_http-title: Not Found
| ssl-cert: Subject: commonName=iamportal.ky.gov/organizationName=Commonwealth of Kentucky/stateOrProvinceName=Kentucky/countryName=US
| Not valid before: 2019-03-08T15:43:50
|_Not valid after:  2019-09-29T16:13:49
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
1801/tcp  open  msmq
2103/tcp  open  zephyr-clt
2105/tcp  open  eklogin
2107/tcp  open  msmq-mgmt
2701/tcp  open  sms-rcinfo
3389/tcp  open  ms-wbt-server
| ssl-cert: Subject: commonName=ENT1VP-WS001.eas.ds.ky.gov
| Not valid before: 2019-07-16T01:18:48
|_Not valid after:  2017-01-15T01:18:48
|_ssl-date: 2019-08-23T20:56:06+00:00; 0s from scanner time.
8081/tcp  open  blackice-icecap
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49167/tcp open  unknown

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 49.91 seconds

Here the "safe" category of scripts is run.

C:\>nmap --script safe 127.0.0.93

Starting Nmap 7.12 ( https://nmap.org ) at 2019-08-23 17:01 Eastern Daylight Time
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 127.0.0.66
|     Server Identifier: 172.24.15.21
|     Subnet Mask:127.0.0.128
|     Domain Name Server: 10.49.100.12, 172.23.1.150, 172.23.14.151
|     NetBIOS Name Server: 172.23.5.13, 172.23.5.14
|     Domain Name: ky.gov
|_    Router: 127.0.0.1
| broadcast-igmp-discovery:
|   127.0.0.24
|     Interface: eth2
|     Version: 2
|     Group: 224.0.5.128
|     Description: SIAC Market Service
|_  Use the newtargets script-arg to add the results as targets
| broadcast-listener:
|   ether
|       ARP Request
|         sender ip    sender mac         target ip
|         127.0.0.1   00:21:62:FE:22:2A  127.0.0.66
|         127.0.0.68  34:E6:D7:79:02:08  127.0.0.1
|         127.0.0.41  F0:1F:AF:52:C4:B3  127.0.0.1
|       EIGRP Update
|
|   udp
|       Netbios
|         Query
|           ip           query
|           127.0.0.68
|       DHCP
|         srv ip      cli ip       mask             gw          dns                                        vendor
|         127.0.0.2  127.0.0.39 127.0.0.128  127.0.0.1  10.49.100.12, 172.23.1.150, 172.23.14.151  -
|         127.0.0.2  127.0.0.39 127.0.0.128  127.0.0.1  10.49.100.12, 172.23.1.150, 172.23.14.151  -
|         127.0.0.1  127.0.0.66 127.0.0.128  127.0.0.1  10.49.100.12, 172.23.1.150, 172.23.14.151  -
|       Browser
|         ip           src  dst
|         127.0.0.68
|       SSDP
|         ip           uri
|         127.0.0.41  urn:schemas-upnp-org:device:InternetGatewayDevice:1
|_        127.0.0.28   urn:dial-multiscreen-org:service:dial:1
| broadcast-netbios-master-browser:
| ip           server         domain
|_127.0.0.19  COTJBD4R190R1  FIN
| broadcast-ping:
|   IP:127.0.0.255  MAC: 00:21:62:fe:22:2a
|   IP: 127.0.0.24      MAC: 00:20:85:eb:6f:67
|   IP: 127.0.0.113     MAC: 00:20:85:eb:70:37
|_  Use --script-args=newtargets to add the results as targets
|_eap-info: please specify an interface with -e
|_mrinfo: ERROR: Script execution failed (use -d to debug)
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
Stats: 0:02:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.92% done; ETC: 17:04 (0:00:00 remaining)
Nmap scan report for 127.0.0.93
Host is up (0.010s latency).
Not shown: 983 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
| http-auth:
| HTTP/1.1 401 Unauthorized
|   Negotiate
|_  NTLM
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Tue, 23 Aug 2019 21:02:05 GMT; +4s from local time.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-frontpage-login: false
| http-headers:
|   Content-Type: text/html; charset=us-ascii
|   Server: Microsoft-HTTPAPI/2.0
|   Date: Tue, 23 Aug 2019 21:02:09 GMT
|   Connection: close
|   Content-Length: 339
|
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-title: Bad Request
| http-useragent-tester:
|
|     Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
|_http-xssed: No previously reported XSS vuln.
135/tcp   open  msrpc
443/tcp   open  https
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Tue, 23 Aug 2019 21:02:07 GMT; +4s from local time.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-frontpage-login: false
| http-headers:
|   Content-Type: text/html; charset=us-ascii
|   Server: Microsoft-HTTPAPI/2.0
|   Date: Tue, 23 Aug 2019 21:02:21 GMT
|   Connection: close
|   Content-Length: 315
|
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-title: Not Found
| http-useragent-tester:
|     Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
|_http-xssed: No previously reported XSS vuln.
| ssl-cert: Subject: commonName=iamportal.ky.gov/organizationName=Commonwealth of Kentucky/stateOrProvinceName=Kentucky/countryName=US
| Not valid before: 2019-03-08T15:43:50
|_Not valid after:  2019-09-29T16:13:49
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups of
|       insufficient strength, especially those using one of a few commonly shared
|       groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-google-cert-catalog:
|_  No DB entry
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
|           other products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       http://osvdb.org/113251
|_      https://www.imperialviolet.org/2014/10/14/poodle.html
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
1801/tcp  open  msmq
2103/tcp  open  zephyr-clt
2105/tcp  open  eklogin
2107/tcp  open  msmq-mgmt
2701/tcp  open  sms-rcinfo
|_banner: "\x00\x00\x80 \x00S\x00T\x00A\x00R\x00T\x00_\x00H\x00A\x00N\...
3389/tcp  open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP: SUCCESS
|     Native RDP: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Unknown
|_    128-bit RC4: SUCCESS
| ssl-cert: Subject: commonName=ENT1VP-WS001.eas.ds.ky.gov
| Not valid before: 2019-07-16T01:18:48
|_Not valid after:  2017-01-15T01:18:48
|_ssl-date: 2019-08-23T21:02:02+00:00; -3s from scanner time.
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups of
|       insufficient strength, especially those using one of a few commonly shared
|       groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-google-cert-catalog:
|_  No DB entry
8081/tcp  open  blackice-icecap
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49167/tcp open  unknown

Host script results:
|_fcrdns: FAIL (No PTR record)
|_ipidseq: Unknown
|_msrpc-enum: No accounts left to try
|_path-mtu: PMTU == 1500
| qscan:
| PORT  FAMILY  MEAN (us)   STDDEV       LOSS (%)
| 80    0       99100.00    274783.73    0.0%
| 135   0       561100.00   1727988.00   0.0%
| 443   0       1323000.00  4146100.55   0.0%
| 445   0       3461000.00  10905291.25  0.0%
| 808   0       2611500.00  8221045.33   0.0%
| 1801  0       14900.00    7140.65      0.0%
| 2103  0       12500.00    5421.15      0.0%
|_2105  0       12100.00    4909.18      0.0%
| smb-mbenum:
|_  ERROR: Failed to connect to browser service: No accounts left to try
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
|_tor-consensus-checker: 127.0.0.93 not found in Tor consensus
| unusual-port:
|_  WARNING: this script depends on Nmap's service/version detection (-sV)

Post-scan script results:
| reverse-index:
|   80/tcp: 127.0.0.93
|   135/tcp: 127.0.0.93
|   443/tcp: 127.0.0.93
|   445/tcp: 127.0.0.93
|   808/tcp: 127.0.0.93
|   1801/tcp: 127.0.0.93
|   2103/tcp: 127.0.0.93
|   2105/tcp: 127.0.0.93
|   2107/tcp: 127.0.0.93
|   2701/tcp: 127.0.0.93
|   3389/tcp: 127.0.0.93
|   8081/tcp: 127.0.0.93
|   49152/tcp: 127.0.0.93
|   49153/tcp: 127.0.0.93
|   49154/tcp: 127.0.0.93
|   49155/tcp: 127.0.0.93
|_  49167/tcp: 127.0.0.93
Nmap done: 1 IP address (1 host up) scanned in 194.17 seconds