information gathering – nmap

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) [1] used to discover hosts and services on a computer network, thus creating a "map" of the network.

Backtrack 5 R1

Script location in Backtrack /usr/local/share/nmap/scripts

Open Terminal

root@bt:~# nmap -sS -sC (Ip address)

-sP = ping scan
-sS = Syn scan
-sT = Connect scan
-sA = ACK Scan
-sW = Window scan
-sM = Maimon scan
-sV = Version Detection collects information about the specific service running on an open port
-F = Fast Scan top 100 known ports

-T = timing template; lower values slow the scan down, and a slower scan is less likely to be detected by an IDS.
-T<0-5>: Set timing template (higher is faster)
( -T0 ) waits up to 5 minutes between packets; ( -T1 ) waits up to 15 seconds between packets.

-sN = TCP Null scan
-sF = Fin scan
-sX = Xmas scan

-sO = IP protocol scan
-b = FTP bounce scan

-p (add ports to scan)
-F = Fast scan only top 100

-O = OS detection
-f = Fragment
-D = Decoy
-S = Spoof source address
-6 = Enable IPv6 scan
-A = Enables both OS fingerprinting and version detection
-v = verbosity options

Intense scan
nmap -T4 -A -v ip-address

Intense scan plus udp
nmap -sS -sU -T4 -A -v ip-address

Intense scan, all TCP ports
nmap -p 1-65535 -T4 -A -v ip-address

Intense scan, no ping
nmap -T4 -A -v -Pn ip-address

Ping scan
nmap -sn ip-address

Quick scan
nmap -T4 -F ip-address

Quick scan plus
nmap -sV -T4 -O -F --version-light ip-address

Quick traceroute
nmap -sn --traceroute ip-address

Slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" ip-address

-d2 = debug level 2; use together with -sS and the other switches to show every port that was checked.

Fragment (IDS/IPS)
nmap -sS -T4 -A -f -v (ip address)

finger
nmap -sS -sC (ip address)

This produces output like the example below.

8080/tcp open http-proxy
| http-methods: Potentially risky methods: PUT DELETE TRACE

| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| NetBIOS computer name:
| Workgroup:
|_ System time:

http://nmap.org/presentations/BHDC10/

scripts

nmap --script auth (ip address)

nmap --script vuln (ip address)

nmap --script external (ip address)

nmap --script discovery (ip address)

nmap --script=http-robots.txt.nse (ip address)

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2011-02-14 01:08 BST
Nmap scan report for (ip address)
Host is up (0.014s latency).
Not shown: 110 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
| http-robots.txt: 4 disallowed entries

| /email.php /form_submit.php
|_ /findadmin/ /temp/

Good all round test
nmap -sC -sT -sV -T4 -O --open ip-address

-sC = --script=default
-sT = Connect scan
-sV = Version Detection collects information about the specific service running on an open port
-T4 = -T<0-5>: Set timing template (higher is faster)
-O = OS detection

1. Changes made to SQLEXPRESS so we could make this lab work.

WinXP with Microsoft SQL Server 2005 RTM

Regedit

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Microsoft SQL Server/MSSQLServer/
DWORD LoginMode: right-click, choose Modify, and set Value data to 2

C:\Documents and Settings\test>osql -E .\SQLEXPRESS
1> ALTER LOGIN sa enable;
2> go
1> ALTER LOGIN sa WITH PASSWORD=''
2> go
Msg 15118, Level 16, State 1, Server TP-A123456789BCD\SQLEXPRESS, Line 1
Password validation failed. The password does not meet Windows policy
requirements because it is not complex enough.
1> ALTER LOGIN sa WITH PASSWORD='', CHECK_POLICY=OFF
2> go
1>

————————————————————

2. Testing the account works

C:\Documents and Settings\test>osql -S .\SQLEXPRESS -U sa (press enter)
Password: (press enter)
1>

————————————————————

3. Now that SQL Server has been made vulnerable, use Nmap to test for MSSQL info.

Backtrack 5 R1

root@bt:~# nmap -p 445 --script ms-sql-info IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 14:59 BST
Nmap scan report for IP-Address
Host is up (0.00053s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Host script results:
| ms-sql-info:
| Windows server name: TP-A123456789BCD
| [IP-Address\SQLEXPRESS]
| Instance name: SQLEXPRESS
| Version: Microsoft SQL Server 2005 RTM
| Version number: 9.00.1399.00
| Product: Microsoft SQL Server 2005
| Service pack level: RTM
| Post-SP patches applied: No
| TCP port: 1433
|_ Clustered: No

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

————————————————————

4. Use Nmap to test for the MSSQL user name sa with a blank password (default account) on port 1433

Backtrack 5 R1

root@bt:~# nmap -p 1433 --script ms-sql-empty-password --script-args mssql.instance-all IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 14:59 BST
Nmap scan report for IP-Address
Host is up (0.00066s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Host script results:
| ms-sql-empty-password:
| [IP-Address\SQLEXPRESS]
|_ sa: => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

————————————————————

5. Use Nmap to test for the MSSQL user name sa with a blank password (default account) on port 445

Backtrack 5 R1

root@bt:~# nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 15:00 BST
Nmap scan report for IP-Address
Host is up (0.00061s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Host script results:
| ms-sql-empty-password:
| [IP-Address\SQLEXPRESS]
|_ sa: => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

————————————————————

6. Nmap queries Microsoft SQL Server (ms-sql) for a list of tables per database.

Backtrack 5 R1

root@bt:~# nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,ms-sql-empty-password IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 15:23 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-tables:
| [IP-Address:1433]
| FoundStone_Bank
| table column type length
| ===== ====== ==== ======
| fsb_accounts account_no numeric 9
| fsb_accounts account_type varchar 50
| fsb_accounts balance_amount numeric 13
| fsb_accounts branch varchar 200
| fsb_accounts creation_date datetime 8
| fsb_accounts currency varchar 5
| fsb_accounts user_id numeric 9
| fsb_users creation_date datetime 8
| fsb_users login_id varchar 20
| fsb_users password varchar 20
| fsb_users user_id numeric 9
| fsb_users user_name varchar 200
|
| Restrictions
| Output restricted to 2 tables (see ms-sql-tables.maxtables)
| Output restricted to 5 databases (see ms-sql-tables.maxdb)
|_ No filter (see ms-sql-tables.keywords)
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

————————————————————

7. Nmap queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

Backtrack 5 R1

root@bt:~# nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,ms-sql-empty-password IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 15:49 BST
Nmap scan report for IP-Address
Host is up (0.00051s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-hasdbaccess:
| [IP-Address:1433]
| sa (Showing 5 first results)
| dbname owner
| ====== =====
|_ FoundStone_Bank TP-A123456789BCD\test
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

————————————————————

8. Nmap dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so, the user needs the appropriate DB privileges.

Backtrack 5 R1

root@bt:~# nmap -p 1433 IP-Address --script ms-sql-dump-hashes --script-args mssql.username=sa,ms-sql-empty-password

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 15:52 BST
Nmap scan report for IP-Address
Host is up (0.00040s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-dump-hashes:
| [IP-Address:1433]
|_ sa:0x01004086CEB608F48FAECCE50524FAB7AEF778643C96B8F83E03
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

————————————————————

9. Nmap queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.

root@bt:~# nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,ms-sql-empty-password IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-09 15:56 BST
Nmap scan report for IP-Address
Host is up (0.00053s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-config:
| [IP-Address:1433]
| Databases
| name db_size owner
| ==== ======= =====
| FoundStone_Bank 2.73 MB TP-A123456789BCD\test
| Configuration
| name value inuse description
| ==== ===== ===== ===========
| SQL Mail XPs 0 0 Enable or disable SQL Mail XPs
| Database Mail XPs 0 0 Enable or disable Database Mail XPs
| SMO and DMO XPs 1 1 Enable or disable SMO and DMO XPs
| Ole Automation Procedures 0 0 Enable or disable Ole Automation Procedures
| Web Assistant Procedures 0 0 Enable or disable Web Assistant Procedures
| xp_cmdshell 0 0 Enable or disable command shell
| Ad Hoc Distributed Queries 0 0 Enable or disable Ad Hoc Distributed Queries
|_ Replication XPs 0 0 Enable or disable Replication XPs
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

————————————————————

10. SSL cipher strength

root@bt:~# nmap --script ssl-enum-ciphers -p 443 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-11 12:58 BST
Nmap scan report for test-pc (IP-Address)
Host is up (0.00039s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|_ Least strength = strong
MAC Address: 11:22:33:a1:2b:3d

Nmap done: 1 IP address (1 host up) scanned in 431.46 seconds

————————————————————

11. Nmap attempts to retrieve the target’s NetBIOS names and MAC address.

root@bt:~# nmap -sU --script nbstat.nse -p137 IP-Addres

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-02-10 14:47 BST
Nmap scan report for IP-Addres
Host is up (0.00048s latency).
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: 01:02:03:aA;bB:cC (PC

Host script results:
| nbstat:
| NetBIOS name: Test-PC, NetBIOS user: , NetBIOS MAC: 01:02:03:aA;bB:cC (PC
| Names
| Test-PC Flags:
| Name Flags:
| Test-PC Flags:
| Name Flags:
| Name Flags:
|_ \x01\x02__MSBROWSE__\x02 Flags:

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

————————————————————

12. Nmap attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and to retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.

root@bt:~# nmap --script smb-enum-shares.nse -p445 IP-Addres

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-02-10 14:55 BST
Nmap scan report for IP-Addres
Host is up (0.00063s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 01:02:03:aA;bB:cC (PC

Host script results:
| smb-enum-shares:
| ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
| ADMIN$
| Anonymous access:
| C$
| Anonymous access:
| IPC$
|_ Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 3.62 seconds

————————————————————

13. Nmap checks whether or not a server is running the SMBv2 protocol.

root@bt:~# nmap --script smbv2-enabled.nse -p445 IP-Addres

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-02-10 14:58 BST
Nmap scan report for IP-Addres
Host is up (0.00087s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 01:02:03:aA;bB:cC (PC

Host script results:
|_smbv2-enabled: Server doesn’t support SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

————————————————————

14. Nmap finds lots!

root@bt:~# nmap -sV -sC IP-Addres

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-02-10 15:06 BST
Nmap scan report for IP-Addres
Host is up (0.00016s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open telnet Microsoft Windows XP telnetd
25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
| smtp-commands: Test-PC.Name.com Hello [10.255.245.135], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY
80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM
3389/tcp open microsoft-rdp Microsoft Terminal Service
MAC Address: 01:02:03:aA;bB:cC (PC
Service Info: Host: Test-PC.Name.com; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: Test-PC, NetBIOS user: , NetBIOS MAC: 01:02:03:aA;bB:cC (PC
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn’t support SMBv2 protocol
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: Test-PC
| Domain name: Name.com
| Forest name: Name.com
| FQDN: Test-PC.Name.com
| NetBIOS computer name: Test-PC
| NetBIOS domain name: Name
|_ System time: 1421-02-10 15:06:51 UTC+1
| ms-sql-info:
| Windows server name: Test-PC
| [IP-Addres\SQLEXPRESS]
| Instance name: SQLEXPRESS
| Version: Microsoft SQL Server 2005 RTM
| Version number: 9.00.1399.00
| Product: Microsoft SQL Server 2005
| Service pack level: RTM
| Post-SP patches applied: No
| TCP port: 1433
|_ Clustered: No
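An added example (not part of the original post): a small Python parser for the normal-output format shown in the scans above. It groups NSE script lines under the port or host they belong to and flags the findings a defender would escalate (anonymous FTP, risky HTTP methods, SMB signing disabled, sa with a blank password). The sample output is constructed, uses nmap's real indentation for continuation lines, and the address 10.0.0.5 is a placeholder.

```python
import re

# Constructed sample in nmap's normal-output format (real nmap indents continuation
# lines with extra spaces after the bar); 10.0.0.5 is a placeholder address.
SAMPLE = """\
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
Host script results:
| smb-security-mode:
|   Account that was used for smb scripts: guest
|_  Message signing disabled (dangerous, but default)
| ms-sql-empty-password:
|   [10.0.0.5\\SQLEXPRESS]
|_    sa: => Login Success
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s")
# Script header: "| name:" or "|_name:"; continuation lines carry extra indent.
SCRIPT_RE = re.compile(r"^\|_?\s?([\w.-]+):\s*(.*)$")
# Substrings that mark a finding worth escalating, keyed by NSE script name.
RISKY = {"ftp-anon": "Anonymous FTP login allowed",
         "http-methods": "Potentially risky methods",
         "smb-security-mode": "Message signing disabled",
         "ms-sql-empty-password": "Login Success"}

def parse_nmap(text):
    # Returns {port_or_host: {script_name: [output lines]}}
    results, key, script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m or line.startswith("Host script results"):
            key = f"{m.group(1)}/{m.group(2)}" if m else "host"
            results.setdefault(key, {})
            script = None
        elif key and line.startswith("|"):
            h = SCRIPT_RE.match(line)
            if h:  # new script block
                script = h.group(1)
                results[key][script] = [h.group(2)] if h.group(2) else []
            elif script:  # continuation of the current block
                results[key][script].append(line.lstrip("|_ "))
    return results

def risky_findings(text):
    # Returns (port_or_host, script, marker) for every flagged finding
    return [(key, name, RISKY[name])
            for key, scripts in parse_nmap(text).items()
            for name, lines in scripts.items()
            if name in RISKY and any(RISKY[name] in ln for ln in lines)]
```

Run it over a saved `nmap -oN` file instead of SAMPLE to turn a scan like the one above into a short list of items to fix.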

————————————————————
