Penetration Testing with NMAP — No NonSense
What is Nmap: it is a network mapper, i.e., a tool for mapping the hosts and services that make up an organization's network.
What Nmap can do: it scans IP addresses and ports, identifies the services behind open ports, and more.
It probes open ports for running services and, when a service answers, goes further and identifies its version (-sV). With NSE scripts such as vulners and vulscan it can cross-reference those versions against vulnerability databases and report matching entries with CVE IDs and CVSS scores. It can detect and fingerprint web application firewalls, and its evasion options (packet fragmentation, decoys, source-port spoofing, timing) can get probes past simple packet filters; there is no general firewall "bypass".
Nmap covers the discovery and scanning part of vulnerability management, not the whole process. It writes results in normal, XML and grepable formats that can be fed into other security tools.
For host discovery, Nmap uses ARP requests on the local Ethernet segment (a host must answer ARP even if it drops ICMP) and ICMP echo plus TCP SYN/ACK probes for hosts beyond the local network (WAN/Internet).
Scanning Types: There are many scan types, a few are mentioned below
Port Numbers
Other Options
Timing and Performance
NMAP Output Formats
NMAP Firewall Options
NSE Scripts
Nmap scripts (NSE) extend Nmap's functionality. When Nmap is installed, its scripts go into /usr/share/nmap/scripts by default.
On Kali Linux you can find the scripts at /usr/share/nmap/scripts.
Script files end with the .nse extension.
# ls /usr/share/nmap/scripts
# locate '*.nse'
You can download scripts from the internet and copy/move them into /usr/share/nmap/scripts, then update the Nmap script database so the new scripts can be called by name or by category. Scripts run with Nmap's privileges (usually root), so review a third-party script before installing it.
Download and install scripts from the internet
# mkdir downloaded-scripts
# cd downloaded-scripts
(download the .nse files into this folder)
# mv * /usr/share/nmap/scripts/
# nmap --script-updatedb
Script browsing
# cd /usr/share/nmap/scripts
# ls | grep http    (lists all HTTP-related scripts)
# ls | grep smtp    (lists all SMTP-related scripts, and so on)
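Before moving a downloaded script into /usr/share/nmap/scripts it is worth checking that it declares the fields Nmap expects and does not spawn commands on the scanning host. The shell script below is an added example, not part of the original article or of Nmap; the two sample .nse files it writes are constructed for the demo, and the checks (metadata fields, rule function, os.execute/io.popen) are a minimal vetting pass, not an exhaustive audit.

```shell
#!/bin/sh
# Added example (not from the original article): vet a downloaded .nse file
# before moving it into /usr/share/nmap/scripts. NSE scripts run with nmap's
# privileges, so a third-party script deserves a look first. The two sample
# scripts written below are constructed for this demo.

DEMO=$(mktemp -d)

# A well-formed script: declares its metadata, a port rule and an action.
cat > "$DEMO/good.nse" <<'EOF'
description = [[Constructed sample script for the demo.]]
author = "demo"
license = "demo"
categories = {"vuln", "safe"}
local shortport = require "shortport"
portrule = shortport.port_or_service(80, "http")
action = function(host, port) return "hello" end
EOF

# A suspicious script: no categories, and it runs a shell command on the scanner.
cat > "$DEMO/bad.nse" <<'EOF'
description = [[Constructed sample script that spawns a shell.]]
portrule = function(host, port) return true end
action = function(host, port)
  local h = io.popen("id")
  return h:read("*a")
end
EOF

# nse_categories FILE -> prints the declared categories, comma separated
# (e.g. vuln,safe), so a script's category can be checked before installing it.
nse_categories() {
    sed -n 's/^categories[[:space:]]*=[[:space:]]*{\(.*\)}.*/\1/p' "$1" | tr -d '" '
}

# nse_check FILE -> returns 0 if the script has the fields nmap expects and
# does not execute shell commands on the scanning host, 1 otherwise.
# Reasons are printed to stderr.
nse_check() {
    f=$1
    ok=0
    grep -q '^description' "$f"  || { echo "$f: missing description" >&2; ok=1; }
    grep -q '^categories' "$f"   || { echo "$f: missing categories" >&2; ok=1; }
    grep -Eq '^(portrule|hostrule|prerule|postrule)' "$f" \
        || { echo "$f: no rule function" >&2; ok=1; }
    grep -q '^action' "$f"       || { echo "$f: missing action" >&2; ok=1; }
    # os.execute and io.popen run commands on the machine doing the scan
    if grep -Eq 'os\.execute|io\.popen' "$f"; then
        echo "$f: runs shell commands on the scanner host, review before installing" >&2
        ok=1
    fi
    return $ok
}

# Typical use: only move scripts that pass the check.
for s in "$DEMO"/*.nse; do
    if nse_check "$s"; then
        echo "$s: ok (categories: $(nse_categories "$s"))"
    fi
done
```

Replace the final loop's echo with the mv into /usr/share/nmap/scripts followed by nmap --script-updatedb to use it as an install step. A script that legitimately needs os.execute still shows up here; the point is that it gets read before it runs as root.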
Script Usage
# nmap --script <script1>,<script2>,<script3> -p <port number> -sV <other nmap options> <target>
# nmap --script <script1> --script-args <name>=<value|path> -sV <target|range>
# nmap --script vulscan -sV <target|range>
# nmap --script vulscan,vulners,vuln -sV <target|range>  (the vulscan and vulners scripts plus the whole vuln category)
# nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV <target|range>
# nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey=<Shodan API key> <target>  (queries Shodan for the target instead of sending probes)
# nmap -sV --script vuln <target>  (run all scripts in the vuln category)
# nmap -sV --script "version,discovery" <target>  (version and discovery categories)
# nmap -sV --script "not exploit" <target>  (run all scripts except those in the exploit category)
# nmap -sV --script "(http-*) and not (http-slowloris or http-brute)" <target>  (run all HTTP scripts except http-brute and http-slowloris)
NSE firewall scripts
http-waf-detect.nse (detects whether a web application firewall or IPS sits in front of the web server)
# nmap -p 80,443 --script http-waf-detect <target>
http-waf-fingerprint.nse (fingerprints the WAF product)
# nmap -p 80,443 --script http-waf-fingerprint <target>
Vulnerability Scan/Analysis with NMAP
Vulnerability analysis and vulnerability scanning mean the same thing here: scanning a particular system for known vulnerabilities. Nmap scans the system, finds the open ports and probes the services running on them for version information. The vulnerability scripts then map the product and version against a vulnerability database (vulscan's local CSV files, or the online Vulners API) and report the matching entries; vulners also marks entries for which a public exploit exists. A match is based on the version string, so it indicates a possibly vulnerable service that still needs verification, not a confirmed vulnerability.
Where to look for vulnerability scripts on Kali Linux
# cd /usr/share/nmap/scripts
# ls | grep vuln
How to use the scripts
# nmap --script <scriptname> -sV <target|range>
# nmap --script <scriptname> --script-args <name>=<path or value> -sV <target|range>
Vulscan Script
Install Nmap Vulscan
# git clone https://github.com/scipag/vulscan.git
# mv vulscan /usr/share/nmap/scripts/
# nmap --script-updatedb
Updating the Vulscan database
# cd /usr/share/nmap/scripts/vulscan/utilities/updater/
# chmod +x updateFiles.sh
# ./updateFiles.sh
Usage
# nmap --script vulscan -sV <target|range>
# nmap --script vulscan -sV -oX <filename.xml> <target>
# nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV <target|range>  (use a single database instead of all of them)
Some CSV databases
cve.csv
exploitdb.csv
openvas.csv
osvdb.csv
scipvuldb.csv
securityfocus.csv
securitytracker.csv
xforce.csv
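Vulscan works offline by matching the product name and version that -sV reports against the titles in these CSV files. The shell script below is an added example, not vulscan's own code: it imitates that lookup on a constructed database, assuming vulscan's "id;title;" one-entry-per-line format; the IDs and titles are placeholders, not real vulnerabilities, and the real script applies several matching rounds rather than this single substring pass.

```shell
#!/bin/sh
# Added example (not vulscan's own code): a small imitation of how vulscan
# matches -sV results against its CSV databases. vulscan's files are assumed
# to use one "id;title;" entry per line, and a match means the product name
# and version string from -sV both occur in the title. The database below is
# constructed for this demo; its IDs and titles are placeholders, not real
# vulnerabilities.

DEMO=$(mktemp -d)
cat > "$DEMO/demo.csv" <<'EOF'
1;Example Product 7.2p2 remote code execution (constructed);
2;Example Product 7.2 denial of service (constructed);
3;Example Product 7.20 information disclosure (constructed);
4;Example Product 8.0 privilege escalation (constructed);
5;Other Daemon 7.2 authentication bypass (constructed);
EOF

# vulscan_lookup DB PRODUCT VERSION -> prints "id<TAB>title" for every entry
# whose title contains PRODUCT (case-insensitive) and VERSION as substrings.
vulscan_lookup() {
    db=$1
    prod=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    ver=$3
    awk -F';' -v p="$prod" -v v="$ver" '
        index(tolower($2), p) && index($2, v) { print $1 "\t" $2 }
    ' "$db"
}

# Substring matching is why vulscan output needs review: "7.2" also hits
# 7.2p2 and 7.20, while the exact version string narrows it to one entry.
echo "== Example Product 7.2 =="
vulscan_lookup "$DEMO/demo.csv" "Example Product" "7.2"
echo "== Example Product 7.2p2 =="
vulscan_lookup "$DEMO/demo.csv" "Example Product" "7.2p2"
```

The version string that -sV extracts therefore decides how much noise vulscan reports: a partial version such as "7.2" pulls in every release whose title contains that substring, which is the usual source of vulscan false positives.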
Vulners Script
Install Nmap Vulners
# git clone https://github.com/vulnersCom/nmap-vulners.git
# cp nmap-vulners/vulners.nse /usr/share/nmap/scripts/
# nmap --script-updatedb
Usage (the script queries the Vulners API, so the scanning host needs internet access)
# nmap --script vulners -sV <target|range>
# nmap --script vulscan,vulners -sV <target|range>
# nmap --script vulners --script-args mincvss=5.0 -sV <target>  (report only entries with a CVSS score of 5.0 or higher)
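A mincvss threshold trims the list at scan time, but the saved output of a wide scan still needs triage. The shell script below is an added example, not part of the vulners script: it reads normal (-oN) nmap output and ranks the findings by CVSS with exploit-backed entries first. The sample it writes is constructed to resemble the vulners output layout (a cpe line per service, then a tab-separated line per finding with id, CVSS, URL and an optional *EXPLOIT* marker), which is an assumption about the format; the IDs are placeholders, not real vulnerabilities.

```shell
#!/bin/sh
# Added example (not part of the vulners script): triage the normal (-oN)
# output of "nmap -sV --script vulners" by CVSS and exploit availability.
# The sample below is constructed to resemble the vulners output layout
# (a cpe line per service, then one tab-separated line per finding with
# id, CVSS, URL and an optional *EXPLOIT* marker); the IDs are placeholders,
# not real vulnerabilities.

DEMO=$(mktemp -d)
{
    printf '| vulners: \n'
    printf '|   cpe:/a:example:product:7.2: \n'
    printf '|     \tEXAMPLE-ID-1\t9.8\thttps://vulners.com/example/EXAMPLE-ID-1\t*EXPLOIT*\n'
    printf '|     \tEXAMPLE-ID-2\t7.5\thttps://vulners.com/example/EXAMPLE-ID-2\n'
    printf '|     \tEXAMPLE-ID-3\t5.0\thttps://vulners.com/example/EXAMPLE-ID-3\n'
    printf '|   cpe:/a:example:daemon:1.0: \n'
    printf '|     \tEXAMPLE-ID-4\t7.5\thttps://vulners.com/example/EXAMPLE-ID-4\n'
    printf '|_    \tEXAMPLE-ID-5\t4.3\thttps://vulners.com/example/EXAMPLE-ID-5\n'
} > "$DEMO/vulners.txt"

# vulners_triage MINCVSS FILE -> prints "cvss<TAB>EXPLOIT|-<TAB>id<TAB>cpe"
# for every finding with CVSS >= MINCVSS, highest score first.
vulners_triage() {
    awk -v min="$1" '
        # a cpe line starts a new service block; remember it for its findings
        $1 ~ /^\|/ && $2 ~ /^cpe:/ { cpe = $2; sub(/:$/, "", cpe); next }
        # a finding line has id, numeric cvss, url and maybe *EXPLOIT*
        $1 ~ /^\|/ && NF >= 4 && $3 ~ /^[0-9.]+$/ && ($3 + 0) >= min {
            flag = ($5 == "*EXPLOIT*") ? "EXPLOIT" : "-"
            printf "%s\t%s\t%s\t%s\n", $3, flag, $2, cpe
        }
    ' "$2" | sort -rn
}

# Entries with a public exploit come out on top so they get verified first.
vulners_triage 7.0 "$DEMO/vulners.txt"
```

Run it on a real file with vulners_triage 7.0 scan.nmap after nmap -sV --script vulners -oN scan.nmap <target>; the -oX output is the better choice for feeding other tools, but this text pass is enough to decide what to verify by hand.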
Reference:
https://nmap.org/nsedoc/categories/vuln.html