Nmap:Penggunaan: Difference between revisions
Created page with "Let’s get to know a few useful command-line based best Nmap scans that can be performed. ===1. Basic Nmap Scan against IP or host=== nmap 1.1.1.1 Now, if you want to scan..." |
No edit summary |
||
| Line 1: | Line 1: | ||
__NOTOC__ | |||
Let’s get to know a few useful command-line based best Nmap scans that can be performed. | Let’s get to know a few useful command-line based best Nmap scans that can be performed. | ||
| Line 121: | Line 123: | ||
80/tcp filtered http | 80/tcp filtered http | ||
===10. Scan + OS and service detection with fast execution== | ===10. Scan + OS and service detection with fast execution=== | ||
Using the “<code>-A</code>” parameter enables you to perform OS and service detection, and at the same time we are combining this with “<code>-T4</code>” for faster execution. See the example below: | |||
Using the “- | nmap -A -T4 cloudflare.com | ||
nmap -A -T4 cloudflare.com | |||
11. Detect service/daemon versions | ===11. Detect service/daemon versions=== | ||
This can be done by using <code>-sV</code> parameters | |||
This can be done by using -sV parameters | nmap -sV localhost | ||
nmap -sV localhost | |||
As you can see here: | As you can see here: | ||
[root@securitytrails:~]nmap -sV localhost | |||
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:28 -03 | |||
Nmap scan report for localhost (127.0.0.1) | |||
Host is up (0.000020s latency). | |||
Other addresses for localhost (not scanned): ::1 | |||
Not shown: 997 closed ports | |||
PORT STATE SERVICE VERSION | |||
111/tcp open rpcbind 2-4 (RPC #100000) | |||
631/tcp open ipp CUPS 2.2 | |||
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP) | |||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | |||
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds | |||
===12. Scan using TCP or UDP protocols=== | |||
12. Scan using TCP or UDP protocols | |||
One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples. | One of the things we love most about Nmap is the fact that it works for both TCP and UDP protocols. And while most services run on TCP, you can also get a great advantage by scanning UDP-based services. Let’s see some examples. | ||
Standard TCP scanning output: | Standard TCP scanning output: | ||
[root@securitytrails:~]nmap -sT 192.168.1.1 | |||
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:33 -03 | |||
Nmap scan report for 192.168.1.1 | |||
Host is up (0.58s latency). | |||
Not shown: 995 closed ports | |||
PORT STATE SERVICE | |||
80/tcp open http | |||
1900/tcp open upnp | |||
20005/tcp open btx | |||
49152/tcp open unknown | |||
49153/tcp open unknown | |||
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds | |||
UDP scanning results using “<code>-sU</code>” parameter: | |||
[root@securitytrails:~]nmap -sU localhost | |||
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03 | |||
Nmap scan report for localhost (127.0.0.1) | |||
Host is up (0.000021s latency). | |||
Other addresses for localhost (not scanned): ::1 | |||
Not shown: 997 closed ports | |||
PORT STATE SERVICE | |||
68/udp open|filtered dhcpc | |||
111/udp open rpcbind | |||
5353/udp open|filtered zeroconf | |||
UDP scanning results using “- | |||
[root@securitytrails:~]nmap -sU localhost | |||
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:37 -03 | |||
Nmap scan report for localhost (127.0.0.1) | |||
Host is up (0.000021s latency). | |||
Other addresses for localhost (not scanned): ::1 | |||
Not shown: 997 closed ports | |||
PORT STATE SERVICE | |||
68/udp open|filtered dhcpc | |||
111/udp open rpcbind | |||
5353/udp open|filtered zeroconf | |||
===13. CVE detection using Nmap=== | |||
One of Nmap’s greatest features that not all the network and systems administrators know about is something called “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language. | One of Nmap’s greatest features that not all the network and systems administrators know about is something called “Nmap Scripting Engine” (known as NSE). This scripting engine allows users to use a pre-defined set of scripts, or write their own using Lua programming language. | ||
Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters: | Using Nmap scripts is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters: | ||
nmap -Pn --script vuln 192.168.1.105 | |||
nmap -Pn --script vuln 192.168.1.105 | |||
Output example: | Output example: | ||
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105 | |||
[root@securitytrails:~]nmap -Pn --script vuln 192.168.1.105 | Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03 | ||
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-01 09:46 -03 | Pre-scan script results: | ||
Pre-scan script results: | | broadcast-avahi-dos: | ||
| broadcast-avahi-dos: | | Discovered hosts: | ||
| Discovered hosts: | | 224.0.0.251 | ||
| 224.0.0.251 | | After NULL UDP avahi packet DoS (CVE-2011-1002). | ||
| After NULL UDP avahi packet DoS (CVE-2011-1002). | |_ Hosts are all up (not vulnerable). | ||
|_ Hosts are all up (not vulnerable). | Nmap scan report for 192.168.1.105 | ||
Nmap scan report for 192.168.1.105 | Host is up (0.00032s latency). | ||
Host is up (0.00032s latency). | Not shown: 995 closed ports | ||
Not shown: 995 closed ports | PORT STATE SERVICE | ||
PORT STATE SERVICE | 80/tcp open http | ||
80/tcp open http | |_http-csrf: Couldn't find any CSRF vulnerabilities. | ||
|_http-csrf: Couldn't find any CSRF vulnerabilities. | |_http-dombased-xss: Couldn't find any DOM based XSS. | ||
|_http-dombased-xss: Couldn't find any DOM based XSS. | | http-slowloris-check: | ||
| http-slowloris-check: | | VULNERABLE: | ||
| VULNERABLE: | | Slowloris DOS attack | ||
| Slowloris DOS attack | | State: LIKELY VULNERABLE | ||
| State: LIKELY VULNERABLE | | IDs: CVE:CVE-2007-6750 | ||
| IDs: CVE:CVE-2007-6750 | | Slowloris tries to keep many connections to the target web server open and hold | ||
| Slowloris tries to keep many connections to the target web server open and hold | | them open as long as possible. It accomplishes this by opening connections to | ||
| them open as long as possible. It accomplishes this by opening connections to | | the target web server and sending a partial request. By doing so, it starves | ||
| the target web server and sending a partial request. By doing so, it starves | | the http server's resources causing Denial Of Service. | ||
| the http server's resources causing Denial Of Service. | | | ||
| | | Disclosure date: 2009-09-17 | ||
| Disclosure date: 2009-09-17 | | References: | ||
| References: | | http://ha.ckers.org/slowloris/ | ||
| http://ha.ckers.org/slowloris/ | |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750 | ||
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750 | |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | ||
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | |_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug) | ||
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug) | 1900/tcp open upnp | ||
1900/tcp open upnp | 20005/tcp open btx | ||
20005/tcp open btx | 49152/tcp open unknown | ||
49152/tcp open unknown | 49153/tcp open unknown | ||
49153/tcp open unknown | |||
As you can see, in this vulnerability test we were able to detect one CVE (Slowloris DOS attack). | As you can see, in this vulnerability test we were able to detect one CVE (Slowloris DOS attack). | ||
===14. Launching DOS with Nmap=== | |||
Nmap features never seem to end, and thanks to the NSE, that even allows us to launch DOS attacks against our network testings. | Nmap features never seem to end, and thanks to the NSE, that even allows us to launch DOS attacks against our network testings. | ||
In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop: | In our previous example (#12) we found the host was vulnerable to Slowloris attack, and now we’ll try to exploit that vulnerability by launching a DOS attack in a forever loop: | ||
nmap 192.168.1.105 -max-parallelism 800 -Pn --script http-slowloris --script-args http-slowloris.runforever=true | |||
===15. Launching brute force attacks=== | |||
15. Launching brute force attacks | |||
NSE is really fascinating – it contains scripts for everything you can imagine. See the next three examples of BFA against WordPress, MSSQL, and FTP server: | NSE is really fascinating – it contains scripts for everything you can imagine. See the next three examples of BFA against WordPress, MSSQL, and FTP server: | ||
WordPress brute force attack: | WordPress brute force attack: | ||
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress brute.hostname=domain.com, http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.105 | |||
nmap -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress | |||
Brute force attack against MS-SQL: | Brute force attack against MS-SQL: | ||
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105 | |||
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 192.168.1.105 | |||
FTP brute force attack: | FTP brute force attack: | ||
nmap --script ftp-brute -p 21 192.168.1.105 | |||
===16. Detecting malware infections on remote hosts=== | |||
16. Detecting malware infections on remote hosts | |||
Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like on Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well. | Nmap is able to detect malware and backdoors by running extensive tests on a few popular OS services like on Identd, Proftpd, Vsftpd, IRC, SMB, and SMTP. It also has a module to check for popular malware signs inside remote servers and integrates Google’s Safe Browsing and VirusTotal databases as well. | ||
A common malware scan can be performed by using: | A common malware scan can be performed by using: | ||
nmap -sV --script=http-malware-host 192.168.1.105 | |||
nmap -sV --script=http-malware-host 192.168.1.105 | |||
Or using Google’s Malware check: | Or using Google’s Malware check: | ||
nmap -p80 --script http-google-malware infectedsite.com | |||
nmap -p80 --script http-google-malware infectedsite.com | |||
Output example: | Output example: | ||
80/tcp open http | |||
80/tcp open http | |_http-google-malware.nse: Host is known for distributing malware. | ||
|_http-google-malware.nse: Host is known for distributing malware. | |||
Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DOS attacks, detect malware or brute force testings on remote and local servers. | Nmap is one of the most complete and accurate port scanners used by infosec professionals today. With it, you can perform simple port scan tasks or use its powerful scripting engine to launch DOS attacks, detect malware or brute force testings on remote and local servers. | ||
Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy. | Today we covered the top fifteen Nmap commands to scan remote hosts, but there’s a lot more to discover if you’re starting to use Nmap in your OSINT strategy. | ||
==Terkait== | |||
*[[Namp]] | |||
==Source== | |||
*[https://securitytrails.com/blog/nmap-commands securitytrails.com] | |||
[[Category:Security]] | |||