Nmap Post Port Scans | TryHackMe (THM)

Aircon
10 min read · May 31, 2022

Lab Access: https://tryhackme.com/room/nmap04

In this last room of the Nmap series, as shown in the figure below, we focus on how Nmap can be used to:

  • Detect versions of the running services (on all open ports)
  • Detect the OS based on any signs revealed by the target
  • Run Nmap’s traceroute
  • Run select Nmap scripts
  • Save the scan results in various formats

This room will focus on these steps and how to execute them after the port scan.

[Question 1.1] Ensure you have a solid understanding of how the Nmap scan progresses and the steps and stages it follows. Launch the AttackBox by using the Start AttackBox button, as you will need it to answer the questions in later tasks.

Answer: No answer is needed.

Service Detection — Without a doubt, this is one of my favourite flags when it comes to port scanning because it helps to obtain and identify the “service” and “version” of the open ports, allowing us to see if any potential vulnerabilities, such as “version not updated,” exist.

Option to use: -sV
Example: nmap -sV <target>

In addition, we can adjust the intensity from “0 to 9”:

  • Level ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.

This is critical to understand because -sV forces Nmap to complete the TCP 3-way handshake and establish a connection to each open port; Nmap cannot discover the version without fully connecting and communicating with the listening service. A plain SYN scan (-sS) sends only the SYN and never completes the handshake, so once -sV is added the scan is no longer a “stealth scan”, even if -sS is specified on the same command line.

The following console output illustrates a simple Nmap stealth SYN scan with the -sV parameter. When the -sV option is used, a new column in the output displays the version of each discovered service.

  • For example, if TCP port 22 is open, we get 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 instead of 22/tcp open ssh (protocol 2.0).
  • Because TCP port 22 is open, the SSH protocol is guessed as the service; Nmap did not need to connect to port 22 to check. -sV, on the other hand, requires connecting to this open port in order to obtain the service banner and any version information it might obtain, such as nginx 1.6.2. As a result, unlike the service column, the version column is not an educated guess.

It should be noted that many Nmap options require root permissions. Unless you are running Nmap as root, you must use sudo as shown above.

[Question 2.1] Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light <target> via the AttackBox. What is the detected version for port 143?

Answer: Dovecot imapd

[Question 2.2] Which service did not have a version detected with --version-light?

Answer: rpcbind

OS Detection — This option is rather straightforward: Nmap tries to recognize the target’s Operating System (OS) from its behaviour and any telltale signs in its responses.

Option to use: -O
Example: nmap -sS -O <target>
It should be noted that this option is case sensitive: it is an uppercase O.

While this option can detect the target’s “Operating System,” it is not 100% accurate, because various factors influence the result.

To make a reliable guess, Nmap must first find at least one open and one closed port on the target. Furthermore, as virtualization and similar technologies become more popular, the fingerprint of a guest OS may be affected. As a result, take the detected OS version with a grain of salt (a skeptical attitude).

Traceroute — Simply add the traceroute option to Nmap to discover the routers between us and the target. It differs slightly from the traceroute / tracert tools found in the terminal: a normal traceroute starts with a packet with a low TTL (Time to Live) and increases it until the packet reaches the target, whereas Nmap’s traceroute starts with a high TTL and decreases it.

Option to use: --traceroute
Example: nmap -sS --traceroute <target>

It is important to remember:

Many routers are configured not to send ICMP Time-to-Live exceeded messages when a packet’s TTL expires, which prevents us from learning their IP addresses.

[Question 3.1] Run nmap with -O option against <target>. What OS did Nmap detect?

Answer: Linux

NSE (Nmap Scripting Engine) — Nmap ships with a directory of close to 600 scripts, so for most common tasks we do not need to write a script ourselves; one has already been provided.

The goal is for users to be able to build (and distribute) simple scripts to automate a wide range of networking activities. These scripts are then executed in parallel with the speed and efficiency that Nmap is known for.

Script - a chunk of code that does not require compilation. In other words, it is not translated to machine language ahead of time and stays in its original human-readable form. Many programs provide additional capability through scripts; scripts also allow the creation of bespoke functionality that was not previously available through built-in commands.

The scripts can be found at the following location:

/usr/share/nmap/scripts

An example of the script may be found at

You can utilize any or all of the installed scripts; additionally, you can install other users’ scripts and use them for your scans.

You can choose to run the scripts in the default category using --script=default or simply adding -sC. In addition to default, categories include: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

Some scripts are classified in more than one category. Furthermore, some scripts perform brute-force attacks on services, while others conduct DoS attacks or exploit systems. As a result, it is critical to exercise caution when picking scripts to run if you do not want to crash or exploit services.

We use Nmap to perform a SYN scan on <target> and then run the default scripts, as in the terminal output given below.

The command is sudo nmap -sS -sC <target>, where -sC ensures that Nmap executes the default scripts after the SYN scan.

The scripts add some new details. Take a look at the SSH service on port 22: Nmap recovered all four public keys associated with the running server. Consider another example, the HTTP service on port 80: Nmap obtained the default page title, so we can see that the page has been left as is.

You can also specify the script by name using --script "SCRIPT-NAME" or a pattern such as --script "ftp*", which would include ftp-brute.

If you are unsure what a script does, you can open the script file with a text reader, such as less, or a text editor.

In the case of ftp-brute, it states: “Performs brute force password auditing against FTP servers.”

You have to be careful as some scripts are pretty intrusive. Moreover, some scripts might be for a specific server and, if chosen at random, will waste your time with no benefit. As usual, make sure that you are authorized to launch such tests on the target server.
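As an added example (not part of the room or this write-up), a check a practitioner can run before launching a pattern such as --script "ftp*": read the categories table that every NSE script declares in its header and list which of the matching scripts fall into the categories the room warns about. The three .nse files are constructed stand-ins written to a temporary directory, not the real scripts; only the http-date and ftp-brute descriptions are quoted from the room.

```shell
#!/bin/sh
# Every NSE script declares its categories as a Lua table, e.g.
#   categories = {"default", "discovery", "safe"}
# so the scripts directory can be audited without running anything.
# Constructed stand-ins (hypothetical SCRIPT_DIR, not /usr/share/nmap/scripts):
SCRIPT_DIR="$(mktemp -d)"
trap 'rm -rf "$SCRIPT_DIR"' EXIT
printf '%s\n' 'description = [[' 'Gets the date from HTTP-like services.' ']]' \
    'categories = {"discovery", "safe"}' > "$SCRIPT_DIR/http-date.nse"
printf '%s\n' 'description = [[' \
    'Performs brute force password auditing against FTP servers.' ']]' \
    'categories = {"intrusive", "brute"}' > "$SCRIPT_DIR/ftp-brute.nse"
printf '%s\n' 'description = [[' 'Constructed: checks for anonymous FTP login.' ']]' \
    'categories = {"default", "auth", "safe"}' > "$SCRIPT_DIR/ftp-anon.nse"

# Print the categories declared by one script file, one per line.
script_categories() {
    sed -n 's/^categories *= *{\(.*\)}.*/\1/p' "$1" | tr -d '" ' | tr ',' '\n'
}

# List the scripts whose name matches a --script style glob (e.g. 'ftp*')
# and that sit in a category the room says to be careful with:
# brute, dos, exploit or intrusive. Review this list before running Nmap.
risky_scripts_matching() {
    for f in "$SCRIPT_DIR"/$1.nse; do
        [ -e "$f" ] || continue
        if script_categories "$f" | grep -qxE 'brute|dos|exploit|intrusive'; then
            basename "$f" .nse
        fi
    done
}

# Usage: prints "ftp-brute" (ftp-anon matches the glob but is default/auth/safe).
risky_scripts_matching 'ftp*'
```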

Let’s consider a benign script, http-date, which we guess would retrieve the HTTP server date and time, and this is indeed confirmed in its description: “Gets the date from HTTP-like services. Also, it prints how much the date differs from local time…” On the AttackBox, we execute sudo nmap -sS -n --script "http-date" <target> as shown in the console below.

Finally, you can extend Nmap’s capability beyond the original Nmap scripts by writing your own scripts or downloading Nmap scripts from the Internet.

Downloading and running a Nmap script from the Internet carries some risk. As a result, it’s best not to run a script from an author you don’t know.

[Question 4.1] Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox, what does the script http-robots.txt check for?

Answer: disallowed entries

[Question 4.2] Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)?

https://nmap.org/nsedoc/scripts/http-vuln-cve2015-1635.html

Answer: http-vuln-cve2015-1635

[Question 4.3] Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against <target>. You will notice that there is a service listening on port 53. What is its full version value?

Answer: 9.9.5-9+deb8u19-Debian

[Question 4.4] Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by 10.10.29.130?

Answer: diffie-hellman-group14-sha1

It is only reasonable to save the results of a Nmap scan in a file.

  • It is also critical to choose and follow a proper naming convention for your filenames.

The amount of files might quickly rise, making it difficult to find a previous scan result. The three primary formats are as follows:

1. Normal
2. Grepable (grep able)
3. XML

There is one more that we do not recommend:

  • Script Kiddie

Normal — The format is identical to what you see on the display when you scan a target.

Option to use: -oN <file_name>
The "N" stands for "Normal"

Grepable — This format makes filtering the scan output for specific keywords or terms more efficient. It differs from the normal format because Nmap wants each line to be useful and complete on its own when the user runs grep over it.

  • As a result, the lines in grepable output are much longer and harder to read than in normal output.
  • Grep = Global Regular Expression Print

Option to use: -oG <file_name>

An example use of grep is grep KEYWORD TEXT_FILE; this command will display all the lines containing the provided keyword.

Let’s compare the output of using grep on normal output and grepable output.

You will notice that the former does not provide the IP address of the host. Instead, it returned 80/tcp open http nginx 1.6.2, making it very inconvenient if you are sifting through the scan results of multiple systems.

However, the latter provides enough information, such as the host’s IP address, in each line to make it complete.
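The comparison above, as an added example that is not part of the room or this write-up: the same question, “which hosts listen on port X?”, asked of normal (-oN) output and of grepable (-oG) output. Both samples are constructed (192.0.2.x addresses, invented services), not captured from the lab; the grepable lines follow Nmap’s real port/state/proto/owner/service/rpcinfo/version/ field layout.

```shell
#!/bin/sh
# Constructed sample of normal (-oN) output: the host address is on its own
# line, separate from the port lines.
NORMAL_SAMPLE="$(printf '%s\n' \
    'Nmap scan report for 192.0.2.10' \
    'PORT     STATE SERVICE VERSION' \
    '22/tcp   open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8' \
    '80/tcp   open  http    nginx 1.6.2' \
    'Nmap scan report for 192.0.2.11' \
    '443/tcp  open  https   nginx 1.6.2' \
    '8089/tcp open  unknown')"

# Constructed sample of grepable (-oG) output: one tab-separated line per
# host carrying the IP, every port as port/state/proto/owner/service/rpcinfo/
# version/, and the ignored state. printf reuses the format for each pair.
GNMAP_SAMPLE="$(printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (998)\n' \
    192.0.2.10 '22/open/tcp//ssh//OpenSSH 6.7p1 Debian 5+deb8u8/, 80/open/tcp//http//nginx 1.6.2/' \
    192.0.2.11 '443/open/tcp//https//nginx 1.6.2/, 8089/open/tcp//unknown///' \
    192.0.2.12 '22/filtered/tcp//ssh///, 443/open/tcp//https//Apache httpd/')"

# grep on normal output: the matching line says nothing about which host it
# belongs to, which is the inconvenience the room points out.
grep_normal_output() {
    printf '%s\n' "$NORMAL_SAMPLE" | grep -E "^$1/tcp "
}

# The same grep on grepable output: the host IP is in the matching line, so
# awk field 2 is the answer. The anchor avoids matching 8089 when asked for 80,
# and "/open/" excludes filtered or closed entries.
hosts_with_open_port() {
    printf '%s\n' "$GNMAP_SAMPLE" | grep -E "(Ports: |, )$1/open/" | awk '{ print $2 }'
}

# Question 5.1 style lookup: how many systems listen on a port?
count_hosts_on_port() {
    hosts_with_open_port "$1" | wc -l | tr -d ' '
}

# Usage: prints "2" and "192.0.2.11".
count_hosts_on_port 443
hosts_with_open_port 8089
```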

XML — This format is the most convenient when the output is to be processed by other programs.

Option to use: -oX <file_name>

Conveniently, you may save the scan output in all three formats at once with -oA <FILENAME>, which is equivalent to combining -oN, -oG, and -oX (normal, grepable, and XML); Nmap writes <FILENAME>.nmap, <FILENAME>.gnmap, and <FILENAME>.xml.

Script Kiddie — This format is useless if you wish to search the output for noteworthy keywords or save the results for future reference.

Option to use: -oS <file_name>

It is meant as a joke rather than as a format for technical work.

[Question 5.1] Check the attached Nmap logs. How many systems are listening on the HTTPS port?

Answer: 3

[Question 5.2] What is the IP address of the system listening on port 8089?

Answer: 172.17.20.147

[Question 6.1] This room concludes the Nmap series of 4 rooms. Ensure you have taken note of all the Nmap options explained in this room and previous ones.

Answer: No answer is needed.

CONCLUSION

All of the information presented in this room is incredibly useful because it aids immensely in the enumeration phase, where we need to gather as much information as possible before moving on to the “action” phase.

For example, “service detection” helps us determine whether the target is running an older version of a service, which may be leveraged by looking up the vulnerability documentation for that version on the internet.

That being said, I particularly enjoy the “NSE” section because it would save us a lot of time and effort by leveraging the existing script to complete the necessary work on our behalf and then save the file for future reference.

It’s a fun room with a big impact!

Cheers! ◡̈
