Penetration Testing with NMAP — No NonSense

What is NMAP: It is a network mapper i.e., we can map the entire network of an organization

What NMAP can do: It can scans the IP’s, ports, services and etc.

Probe the open ports for running services, if the services are running, it goes further and probes the version of the services. It further look for vulnerabilities associated with the service along with the CVSS score. It identifies the firewall and its version; in some situations, it even bypasses the basic firewall

We can do complete vulnerability management with NMAP, generate reports into different format, which can feed into other security tools

Nmap, intelligently uses ARP scan for LAN and ICMP on WAN(Internet)

Scanning Types: There are many scan types, a few are mentioned below

Port Numbers

Other Options

Timing and Performance

NMAP Output Formats

NMAP Firewall Options

NSE Scripts

Nmap scripts enhance the functionality of NMAP. Whenever you install Nmap, scripts will be installed by default in /usr/share/nmap/scripts folder.

You can find the scripts at this location on kali linux usr/share/nmap/scripts

The scripts file ends with .nse extensions

# ls usr/share/nmap/scripts
# locate *.nse

You can download the scripts from the internet and copy/move them to /usr/share/nmap/scripts folder, later update the nmap database and use the scripts

Download and installing scripts from the internet
# mkdir downloaded-scripts
# cd downloaded-scripts
# mv * /usr/share/nmap/scripts/
# nmap –scripts-updatedb
Script browsing
# /usr/share/nmap/scripts
# ls | grep http you will find all http related scripts
# ls | grep smtp you will find all smtp related scripts and so one

Script Usage

# nmap --script <script 1>, <script2>, <script3> -p <port number> -sV <other nmap options> <target>
# nmap -- script <script1> -- script-args= <value| path> - sV <target |range>
# nmap --script vulscan –sV <target |range>
# nmap --script Nmap vulscan, Nmap-vulners, vulns –sV <target |range>
# nmap --script vulscan --script-args vulscandb=exploitdb.csv –sV <target |range>
# nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey=<ShodanAPI KEY> <target>
# nmap -sV --script vuln <target> (run all the scripts in vulnerability category)
# nmap -sV --script="version,discovery" <target>(discovery catagory)
# nmap -sV --script "not exploit" <target> (Run all the scripts except for the ones in the exploit category)
# nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target> (Run all HTTP scripts except http-brute and http-slowloris)

NSE firewall Scripts

http-waf-detect.nse (for firewall detection)
# nmap –p 80,443 -- script <http-waf-detect> <target>
http-waf-fingerprint.nse (for firewall fingerprint)
# nmap –p 80,443 -- script <http-waf-fingerprint> <target>

Vulnerability Scan/Analysis with NMAP

Vulnerability analysis or scan means the same, wherein we scan a particular system for vulnerabilities. Nmap will scan the system, look for open ports, and probe the services running on the open ports including the version number. Then it maps the response against its database and marks the service as vulnerable or not, in some scenarios the nmap will even find the exploits.

Where to look for vulnerability scripts on Kali Linux
# cd /usr/share/nmap/scripts # ls | grep vuln
How to use the scripts
# nmap --script <scriptname> -sV <target | range>
# nmap --script <scriptname> - -script-args= path or values –sV <target | range>

Vulscan Script

Install Nmap Vulscan
# git clone https://github.com/scipag/vulscan.git
# mv vulscan /usr/share/nmap/scripts/
# nmap –scripts-updatedb
For updating Vulscan Database
cd vulscan/utilities/updater/
chmod +x updateFiles.sh
./updateFiles.sh
Usage
# nmap --script vulscan –sV <target |range>
# nmap --script Nmap vulscan –sV –oX <filename.xml> <target>
# nmap --script vulscan --script-args vulscandb=exploitdb.csv –sV <target |range>
Some CSV databases
cve.csv
exploitdb.csv
openvas.csv
osvdb.csv
scipvuldb.csv
securityfocus.csv
securitytracker.csv
xforce.csv

Vulners Script

Install Nmap Vulners
# git clone https://github.com/vulnersCom/nmap-vulners.git
# mv vulscan /usr/share/nmap/scripts/
# nmap –scripts-updatedb
Usage
# nmap --script vulners –sV <target |range>
# nmap --script Nmap vulscan, Nmap-vulners –sV <target |range>
# nmap --script vulners --script-args mincvss=5.0 –sV <target>

Reference:

https://nmap.org/nsedoc/categories/vuln.html

https://github.com/vulnersCom/nmap-vulners

https://github.com/scipag/vulscan

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store