Nmap is an open source all-in-one tool that can be used for port scanning, service identification, banner grabbing, operating system fingerprinting, vulnerability scanning and many other tasks. It has both a graphical user interface (Zenmap) and a command line interface, which is what you use to automate scanning. Despite its age, it is fully supported, with the open source community contributing to and improving it every day.
Nmap Options
Nmap has a lot of useful options for effective port and vulnerability scanning; some of the most commonly used ones are described here:

-A : aggressive scan. Enables OS detection, version detection, script scanning and traceroute in one go
-sU : UDP port scan (by default Nmap scans TCP only)
-sV : version detection. Probes each open port to identify the software and version running on it, which is also where Nmap's banner information comes from
-sC : script scan using the default script set
-T<0-5> : sets the timing template; -T5 is the fastest
-O : OS detection, requires root privileges because it needs raw packets
-sn : ping sweep (host discovery only, no port scan)
That was just an overview; there are many other options, all of which are described in the Nmap documentation.
Nmap Scripts (NSE)
Nmap has a useful feature called the Nmap Scripting Engine (NSE), which allows you to write your own scripts in Lua and run them as part of a scan. These scripts can automate a variety of tasks such as detecting vulnerabilities, fingerprinting software versions, or detecting misconfigurations in a host or network. Nmap ships with a large set of default scripts, and many third party scripts exist, which together make Nmap much more effective at network scanning and enumeration. The default scripts live in "/usr/share/nmap/scripts" and are selected with the "--script" argument. In general, Nmap scripts are used for the following purposes:
Brute forcing services
Nmap scripts can be used to brute-force remote services without relying on third party tools like Hydra, Medusa or the Metasploit Framework. Many services can be brute-forced with Nmap scripts, including SSH, HTTP, VNC, MySQL, IMAP, SMTP and others. An example of an SSH brute-force with Nmap using the dictionaries "users.lst" and "pass.lst" is given below:
azad@azad:~$ nmap -p22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst [IP_ADDRESS]
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-03 16:39 PKT
...snip...
NSE: [ssh-brute] Trying username/password pair: donie:secret
NSE: [ssh-brute] Trying username/password pair: bob:secret
NSE: [ssh-brute] Trying username/password pair: usama:secret
NSE: [ssh-brute] Trying username/password pair: azad:secret
NSE: [ssh-brute] Trying username/password pair: :secret
NSE: [ssh-brute] Trying username/password pair: donie:s3cr4t
NSE: [ssh-brute] Trying username/password pair: bob:s3cr4t
NSE: [ssh-brute] Trying username/password pair: usama:s3cr4t
NSE: [ssh-brute] Trying username/password pair: azad:s3cr4t
NSE: [ssh-brute] Trying username/password pair: :s3cr4t
NSE: [ssh-brute] Trying username/password pair: donie:s3cr4tp4ssw0rd
NSE: [ssh-brute] Trying username/password pair: bob:s3cr4tp4ssw0rd
NSE: [ssh-brute] Trying username/password pair: usama:s3cr4tp4ssw0rd
NSE: [ssh-brute] Trying username/password pair: azad:s3cr4tp4ssw0rd
NSE: [ssh-brute] Trying username/password pair: :s3cr4tp4ssw0rd
Nmap scan report for [IP_ADDRESS]
Host is up (0.000053s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts:
|     azad:s3cr4tp4ssw0rd - Valid credentials
|_  Statistics: Performed 25 guesses in 7 seconds, average tps: 3.6
Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds
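Seen from the target side, the run above (25 guesses in 7 seconds) leaves one sshd "Failed password" line per guess, and a burst of failures from one source in a short window is the simplest detection signal for it. The following is an added example, not part of the original article, of that detection logic run over constructed sshd log lines (the timestamps, usernames and source addresses are invented to resemble the scan above):

```python
"""Flag password-guessing bursts in OpenSSH auth-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log entries in OpenSSH syslog format.
SAMPLE_LOG = """\
Dec  3 16:39:01 target sshd[2211]: Failed password for invalid user donie from 192.0.2.10 port 51002 ssh2
Dec  3 16:39:01 target sshd[2212]: Failed password for bob from 192.0.2.10 port 51004 ssh2
Dec  3 16:39:02 target sshd[2213]: Failed password for invalid user usama from 192.0.2.10 port 51006 ssh2
Dec  3 16:39:02 target sshd[2214]: Failed password for azad from 192.0.2.10 port 51008 ssh2
Dec  3 16:39:03 target sshd[2215]: Failed password for invalid user donie from 192.0.2.10 port 51010 ssh2
Dec  3 16:39:03 target sshd[2216]: Failed password for bob from 192.0.2.10 port 51012 ssh2
Dec  3 16:39:04 target sshd[2217]: Failed password for invalid user usama from 192.0.2.10 port 51014 ssh2
Dec  3 16:39:05 target sshd[2218]: Failed password for azad from 192.0.2.10 port 51016 ssh2
Dec  3 16:39:06 target sshd[2219]: Accepted password for azad from 192.0.2.10 port 51018 ssh2
Dec  3 16:40:30 target sshd[2250]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2019):
    """Parse one sshd line; syslog timestamps carry no year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: alert} for sources with >= threshold failures inside window_s seconds.

    The alert records how many failures were in the window, which usernames were
    tried, and whether a successful login from the same source followed the burst
    (the case that needs an immediate response, as in the scan output above).
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            users[ip].add(ev["user"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"success_after": False, "success_user": None})
                a["failures"] = len(q)
                a["users"] = set(users[ip])
        elif ev["result"] == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["success_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} failures, users {sorted(a['users'])}, "
              f"success after burst: {a['success_after']} ({a['success_user']})")
```

The window and threshold are deliberately loose; a real deployment would tune them per environment and feed the alerts into whatever rate-limiting or account-lockout control is in place, since ssh-brute at 3.6 guesses per second is well inside what fail2ban-style tooling catches.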
Misconfiguration detection
Nmap scripts can also be used to detect misconfigurations on remote hosts or networks. Examples include anonymous FTP login being enabled, SSH username enumeration, or Samba shares that are readable without authentication. For example, the "ftp-anon" script in "/usr/share/nmap/scripts" checks whether the remote server allows anonymous login:
azad@azad:~$ nmap -p21 --script ftp-anon [IP_ADDRESS]
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-03 16:58 PKT
Nmap scan report for [IP_ADDRESS]
Host is up (0.00036s latency).
PORT   STATE SERVICE
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
Version detection/Banner grabbing
Nmap can recognize hundreds of different services using its signature database. You can also use or write an NSE script that reports the software running on the remote server; the built-in "banner" script simply prints whatever the service sends on connection, which is often enough to identify it. An example:
azad@azad:~$ nmap -p22 --script banner [IP_ADDRESS]
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-03 17:15 PKT
Nmap scan report for [IP_ADDRESS]
Host is up (0.00029s latency).
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Vulnerability/Backdoor detection
A vulnerability or a backdoor in remote software or a system can be detected using Nmap scripts. Some vulnerabilities or backdoors can be detected with simple signatures, while more complex ones require more involved NSE scripts and library dependencies. We'll explore vulnerability detection in more depth later in this article, but here is a quick example of detecting the RMI registry remote class loading vulnerability using the "rmi-vuln-classloader" script:
azad@azad:~$ nmap -p1099 --script rmi-vuln-classloader [IP_ADDRESS]
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-03 18:05 PKT
Nmap scan report for [IP_ADDRESS]
Host is up (0.0029s latency).
PORT     STATE SERVICE
1099/tcp open  rmiregistry
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
The remaining sections of the article look at vulnerability detection and CVEs in more detail.
More about Vulnerability and CVE detection using Nmap
When a vulnerability or a backdoor is discovered in a software product or service, it is assigned a CVE (Common Vulnerabilities and Exposures) identifier. A CVE entry is the official record of that vulnerability, with a description and references to the technical details of the exposure. The CVE list is a standard catalogue of publicly disclosed vulnerabilities across many software products and services. MITRE organizes and maintains the CVE list; more information can be found at https://cve.mitre.org/. This organized information is very handy for security researchers and pentesters in their day-to-day work.
Nmap can also be used to detect CVEs. You can write an Nmap script to detect a given vulnerability; some scripts are easy to write and some are complex, depending on the nature of the vulnerability. There are many built-in and third party Nmap scripts that are useful for vulnerability scanning during penetration tests, including a set of SMB scripts for finding SMB vulnerabilities. An example of detecting the vsFTPd backdoor using a built-in Nmap script is given below:
azad@azad:~$ nmap -p21 --script ftp-vsftpd-backdoor 192.168.18.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-04 00:34 PKT
Nmap scan report for 192.168.18.16
Host is up (0.00035s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  OSVDB:73573
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
|     References:
|       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_      http://osvdb.org/73573
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
The script output gives the vulnerability details, including the CVE and OSVDB IDs and reference links.

Another short example, detecting the distccd vulnerability CVE-2004-2687 with the built-in "distcc-cve2004-2687.nse" script:
azad@azad:~$ nmap -p3632 --script distcc-cve2004-2687 192.168.18.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-04 00:38 PKT
Nmap scan report for 192.168.18.16
Host is up (0.00027s latency).
PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-cve2004-2687:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|
|     Disclosure date: 2002-02-01
|     Extra information:
|
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
|     References:
|       http://distcc.googlecode.com/svn/trunk/doc/web/security.html
|       http://http://www.osvdb.org/13378
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|_      http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
After execution, the script reports the risk factor, disclosure details and CVE of the vulnerability in the software running on the remote system.
Third party scripts

Nmap's built-in scripts are good, but there are also third party scripts such as "Vulscan" and "Nmap-vulners" that match the versions Nmap detects against their own CVE databases. They integrate with Nmap and extend its vulnerability scanning capabilities. To fetch Vulscan from GitHub, clone it into the directory name the scan command below expects:

git clone https://github.com/scipag/vulscan.git scipag_vulscan
Now, from the directory that contains the scipag_vulscan checkout, run the following command to scan the remote system (-sV is required, since vulscan works from the detected version):
azad@azad:~$ nmap -sV --script scipag_vulscan/vulscan.nse [IP_ADDRESS]
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-04 13:42 PKT
Nmap scan report for [IP_ADDRESS]
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.21 ((Unix) DAV/2)
|_http-server-header: Apache/2.2.21 (Unix) DAV/2
| vulscan: VulDB - https://vuldb.com:
| [4583] Apache HTTP Server up to 2.2.21 Threaded MPM denial of service
| [4582] Apache HTTP Server up to 2.2.21 protocol.c information disclosure
| [134290] Apache UIMA DUCC up to 2.2.2 cross site scripting
| [102697] Apache HTTP Server 2.2.24/2.2.32 HTTP Strict Parsing ap_find_token Request Header memory corruption
| [9891] Apache HTTP Server 2.2.22 suEXEC Feature .htaccess information disclosure
| [63646] Apache HTTP Server up to 2.2.23/2.4.3 mod_proxy_balancer.c balancer_handler cross site scripting
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2012-4557] The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
| [CVE-2012-0053] protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
| [CVE-2012-0031] scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.
| [CVE-2012-0021] The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
...snip...
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [42102] Apache 'mod_proxy_http' 2.2.9 for Unix Timeout Handling Information Disclosure Vulnerability
| [27237] Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [75211] Debian GNU/Linux apache 2 cross-site scripting
|
| Exploit-DB - https://www.exploit-db.com:
| [28365] Apache 2.2.2 CGI Script Source Code Information Disclosure Vulnerability
| [31052] Apache <= 2.2.6 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
| [30901] Apache HTTP Server 2.2.6 Windows Share PHP File Extension Mapping Information Disclosure Vulnerability
| [30835] Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness
| [27915] Apache James 2.2 SMTP Denial of Service Vulnerability
| [18984] Apache Struts <= 2.2.1.1 - Remote Command Execution
| [17691] Apache Struts < 2.2.0 - Remote Command Execution
| [15319] Apache 2.2 (Windows) Local Denial of Service
| [11650] Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit
| [2237] Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
|
| OpenVAS (Nessus) - http://www.openvas.org:
| [100858] Apache 'mod_proxy_http' 2.2.9 for Unix Timeout Handling Information Disclosure Vulnerability
|
| SecurityTracker - https://www.securitytracker.com:
| [1008196] Apache 2.x on Windows May Return Unexpected Files For URLs Ending With Certain Characters
| [1007143] Apache 2.0 Web Server May Use a Weaker Encryption Implementation Than Specified in Some Cases
| [1006444] Apache 2.0 Web Server Line Feed Buffer Allocation Flaw Lets Remote Users Deny Service
| [1005963] Apache Web Server 2.x Windows Device Access Flaw Lets Remote Users Crash the Server or Possibly Execute Arbitrary Code
| [1004770] Apache 2.x Web Server ap_log_rerror() Function May Disclose Full Installation Path to Remote Users
|
| OSVDB - http://www.osvdb.org:
| [20897] PHP w/ Apache 2 SAPI virtual() Function Unspecified INI Setting Disclosure
|_
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.13 seconds
The scan lists every database entry that vulscan associates with the software version running on the remote system. Note that the list includes unrelated Apache products (UIMA DUCC, James, Struts), which is the usual cost of matching on product name and version text rather than on a structured identifier, so the output is a starting point for triage, not a verdict. You can also build your own vulnerability database as a CSV file and use it with the vulscan script by passing "--script-args vulscandb=local-vuln-db".
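To make the triage point concrete, here is an added example (not from the article, and not vulscan's own matching code) that takes Nmap's VERSION column for the host above, "Apache httpd 2.2.21", and matches it against a small advisory table two ways: a deliberately loose text match of the kind that produces hits like "Apache UIMA DUCC up to 2.2.2", and a structured match on a normalised product name plus a real version comparison. The table's ids and titles are copied from the vulscan output above; the product and affected-range fields are our own annotations, not part of any vulscan database format.

```python
"""Loose text matching versus structured version matching for service findings (added example)."""
import re

# Constructed advisory table. Ids/titles come from the vulscan output shown in the
# article; 'product' and 'affected' are annotations added here for the example.
ADVISORIES = [
    {"id": "4583", "product": "apache http server", "affected": ("<=", "2.2.21"),
     "title": "Apache HTTP Server up to 2.2.21 Threaded MPM denial of service"},
    {"id": "134290", "product": "apache uima ducc", "affected": ("<=", "2.2.2"),
     "title": "Apache UIMA DUCC up to 2.2.2 cross site scripting"},
    {"id": "9891", "product": "apache http server", "affected": ("==", "2.2.22"),
     "title": "Apache HTTP Server 2.2.22 suEXEC Feature .htaccess information disclosure"},
    {"id": "18984", "product": "apache struts", "affected": ("<=", "2.2.1.1"),
     "title": "Apache Struts <= 2.2.1.1 - Remote Command Execution"},
]

# Nmap names the product "Apache httpd"; advisories say "Apache HTTP Server".
PRODUCT_ALIASES = {"apache httpd": "apache http server"}


def parse_version(v):
    """'2.2.21' -> (2, 2, 21); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_service(version_field):
    """Split Nmap's VERSION column ('Apache httpd 2.2.21 ...') into (product, version)."""
    m = re.match(r"^(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d[\w.]*)", version_field)
    if not m:
        raise ValueError(f"cannot parse service string: {version_field!r}")
    product = m["product"].strip().lower()
    return PRODUCT_ALIASES.get(product, product), m["version"]


def naive_matches(version_field, advisories):
    """Text matching: vendor word appears in the title and a version prefix is a substring.

    This is the false-positive-prone approach; it cannot tell 2.2.2 from 2.2.21,
    nor Apache httpd from any other Apache project.
    """
    product, version = parse_service(version_field)
    vendor = product.split()[0]
    prefix = version[:5]
    return [a["id"] for a in advisories
            if vendor in a["title"].lower() and prefix in a["title"]]


def affected(version, spec):
    """Evaluate a (operator, bound) range against a version string."""
    op, bound = spec
    v, b = parse_version(version), parse_version(bound)
    return {"<=": v <= b, "<": v < b, "==": v == b, ">=": v >= b, ">": v > b}[op]


def structured_matches(version_field, advisories):
    """Match on normalised product name plus a numeric version-range check."""
    product, version = parse_service(version_field)
    return [a["id"] for a in advisories
            if a["product"] == product and affected(version, a["affected"])]


if __name__ == "__main__":
    svc = "Apache httpd 2.2.21 ((Unix) DAV/2)"
    print("loose match     :", naive_matches(svc, ADVISORIES))
    print("structured match:", structured_matches(svc, ADVISORIES))
```

Even the structured match is only as good as the version string: a distribution that backports fixes keeps the old version number, so both vulscan and vulners will keep reporting CVEs that the package has actually patched. For those hosts, confirm against the package manager's changelog or a check that exercises the flaw, rather than trusting the banner.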
Similarly, "Nmap-vulners" is another powerful script for detecting CVEs (it looks up the detected version against the vulners.com database, so it needs network access to that service). To download it from GitHub, type:

git clone https://github.com/vulnersCom/nmap-vulners.git
cd nmap-vulners

Now run it through Nmap's --script option:
azad@azad:~$ nmap -sV --script vulners.nse 192.168.10.177
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-04 14:32 PKT
Nmap scan report for 192.168.10.177
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.21 ((Unix) DAV/2)
|_http-server-header: Apache/2.2.21 (Unix) DAV/2
| vulners:
|   cpe:/a:apache:http_server:2.2.21:
|     CVE-2017-7679  7.5  https://vulners.com/cve/CVE-2017-7679
|     CVE-2017-7668  7.5  https://vulners.com/cve/CVE-2017-7668
|     CVE-2017-3169  7.5  https://vulners.com/cve/CVE-2017-3169
|     CVE-2017-3167  7.5  https://vulners.com/cve/CVE-2017-3167
|     CVE-2013-2249  7.5  https://vulners.com/cve/CVE-2013-2249
|     CVE-2012-0883  6.9  https://vulners.com/cve/CVE-2012-0883
|     CVE-2018-1312  6.8  https://vulners.com/cve/CVE-2018-1312
|     CVE-2013-1862  5.1  https://vulners.com/cve/CVE-2013-1862
|     CVE-2014-0231  5.0  https://vulners.com/cve/CVE-2014-0231
|     CVE-2014-0098  5.0  https://vulners.com/cve/CVE-2014-0098
|     CVE-2013-6438  5.0  https://vulners.com/cve/CVE-2013-6438
|     CVE-2012-4557  5.0  https://vulners.com/cve/CVE-2012-4557
|     CVE-2011-3368  5.0  https://vulners.com/cve/CVE-2011-3368
|     CVE-2011-3607  4.4  https://vulners.com/cve/CVE-2011-3607
|     CVE-2016-4975  4.3  https://vulners.com/cve/CVE-2016-4975
|     CVE-2013-1896  4.3  https://vulners.com/cve/CVE-2013-1896
|     CVE-2012-4558  4.3  https://vulners.com/cve/CVE-2012-4558
|     CVE-2012-3499  4.3  https://vulners.com/cve/CVE-2012-3499
|     CVE-2012-0053  4.3  https://vulners.com/cve/CVE-2012-0053
|     CVE-2011-4317  4.3  https://vulners.com/cve/CVE-2011-4317
|     CVE-2016-8612  3.3  https://vulners.com/cve/CVE-2016-8612
|     CVE-2012-2687  2.6  https://vulners.com/cve/CVE-2012-2687
|     CVE-2012-0021  2.6  https://vulners.com/cve/CVE-2012-0021
|_    CVE-2011-4415  1.2  https://vulners.com/cve/CVE-2011-4415
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds
The script lists every CVE associated with the detected CPE, with its CVSS score and a reference link, sorted by score.
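Across more than a handful of hosts, nobody reads this output by eye; the usual workflow is to save the scan with -oX and post-process the XML. The following is an added example (not from the article or from the vulners project) that pulls the vulners findings out of Nmap's XML output and keeps only those at or above a CVSS threshold, exploits first on ties. The XML is a constructed fragment containing a subset of the scan above; it assumes the structured layout vulners.nse emits in current versions (one table per CPE, one nested table per finding with id, type, cvss and is_exploit elements). If your copy of the script lays its output out differently, adjust the key names in parse_vulners.

```python
"""Triage vulners findings from Nmap -oX output by CVSS score (added example)."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment; the vulners table layout is the assumption named above.
SAMPLE_XML = """
<nmaprun scanner="nmap" version="7.70">
  <host>
    <address addr="192.168.10.177" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.21"/>
        <script id="vulners" output="(text form omitted in this sample)">
          <table key="cpe:/a:apache:http_server:2.2.21">
            <table>
              <elem key="id">CVE-2017-7679</elem>
              <elem key="type">cve</elem>
              <elem key="cvss">7.5</elem>
              <elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">CVE-2012-0883</elem>
              <elem key="type">cve</elem>
              <elem key="cvss">6.9</elem>
              <elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">CVE-2011-4415</elem>
              <elem key="type">cve</elem>
              <elem key="cvss">1.2</elem>
              <elem key="is_exploit">false</elem>
            </table>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_vulners(xml_text):
    """Return one dict per vulners finding, with host/port/service context attached."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    continue
                for cpe_table in script.findall("table"):
                    cpe = cpe_table.get("key", "")
                    for entry in cpe_table.findall("table"):
                        f = {e.get("key"): (e.text or "") for e in entry.findall("elem")}
                        findings.append({
                            "host": addr, "port": int(port.get("portid")),
                            "product": product, "version": version, "cpe": cpe,
                            "id": f.get("id", ""), "type": f.get("type", ""),
                            "cvss": float(f.get("cvss") or 0),
                            "is_exploit": f.get("is_exploit", "false").lower() == "true",
                        })
    return findings


def triage(findings, min_cvss=7.0):
    """Keep findings at or above min_cvss; highest CVSS first, exploits first on ties."""
    kept = [f for f in findings if f["cvss"] >= min_cvss]
    return sorted(kept, key=lambda f: (-f["cvss"], not f["is_exploit"], f["id"]))


if __name__ == "__main__":
    for f in triage(parse_vulners(SAMPLE_XML), min_cvss=5.0):
        print(f"{f['host']}:{f['port']} {f['product']} {f['version']} "
              f"{f['id']} cvss={f['cvss']} exploit={f['is_exploit']}")
```

Run the real scan as "nmap -sV --script vulners.nse -oX scan.xml <target>" and feed scan.xml to parse_vulners; the same version-string caveat applies here as with vulscan, so the threshold filters noise but does not confirm exposure.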
Conclusion
Nmap is not just a port scanner or service identifier; it is a comprehensive tool for a wide range of network-related tasks. Its power can be greatly extended with the NSE scripting language: you can write your own brute-forcing, vulnerability scanning and CVE detection scripts and run them with Nmap for effective security testing. You can also use third party scripts such as "vulscan" or "Nmap-vulners" from GitHub to identify CVEs.