root@nmap~#whoami. - irongeek.com · nmap scripting engine metasploit integration av evasion nse...
TRANSCRIPT
root@nmap~#whoami • Martin Bos • @purehate_ on the twitters
Industry Thought Leader
I Nmap
#!/bin/bash
# Disclaimer: I use lots of content from this book. If you do not own this book,
# please be sure to purchase it as soon as possible because it is the Bible when
# it comes to effectively using Nmap to its full potential. Plus, it was written by
# the author of Nmap himself.
Nmap Scripting Engine Metasploit Integration AV Evasion
NSE Scripts: What, Where, Why and How Using Scripts like a boss for pentesting
Nmap Scripting Engine (NSE)
o Nmap's most powerful and flexible feature
o Allows users to write (and share) simple scripts
o Lua programming language
o Scripts are executed in parallel
o Write your own to meet custom needs
Tasks Nmap developers had in mind for NSE
o Network Discovery - WHOIS, ARIN, RIPE, APNIC, identd lookups on open ports, SNMP queries, and listing NFS, SMB, RPC shares and services
o More Sophisticated Version Detection - Handles tricky services like Skype v2 or SNMP bruteforce by using multiple probes
o Run by default with the -sV argument
o Vulnerability Detection - Not a comprehensive vulnerability scanner but is great for single checks across a large network
o Backdoor Detection - NSE, signatures and regex can be used to quickly create a scan script to locate infections on the network
o http://nmap.org/nsedoc/scripts/ssl-heartbleed.html
o Vulnerability Exploitation - NSE scripts can also contain the necessary code to exploit vulnerabilities
Script Categories
o Auth - Credentials on a target system
o Broadcast - Discovery of hosts not listed on the command line by broadcasting on the local network
o Default - A default set of scripts considered "standard" info
o Discovery - Actively discover more info (directory services, SNMP, public registries, etc.)
o Dos - They crash a service
o Exploit - Actively exploit some vulnerability
o External - Send data to a third-party database or other network resource
o Fuzzer - Send server software unexpected or randomized fields in each packet
o Intrusive - These are scripts that cannot be classified in the safe category because the risks are too high that they will crash the target system
o Safe - Scripts which weren't designed to crash services, use large amounts of network bandwidth or other resources
o Version - Extension to the version detection feature and cannot be selected explicitly
o Vuln - These scripts check for specific known vulnerabilities
Command-line Arguments
o -sC - Performs a script scan using the default set of scripts. It is equivalent to --script=default
o --script <filename>|<category>|<directory>|<expression>[,...] - Runs a script scan using the comma-separated list of filenames, script categories, and directories
o --script-args <args> - Provides arguments to the scripts
o --script-args-file <filename> - This option is the same as --script-args except that you pass the arguments in a file rather than on the command line
o --script-help <filename>|<category>|<directory>|<expression>|all [,...] - Shows help about scripts
o --script-trace - All incoming and outgoing communication performed by scripts is printed
o --script-updatedb - This option updates the script database found in scripts/script.db which is used by Nmap to determine the available default scripts and categories
Couple More Key Points
o If the -oX option is used, an XML representation of the script help will be written to the given file
o -sV - A version scan automatically executes the scripts in the version category. Their output blends in with the version scan results and they do not produce any script scan output.
o -A - The aggressive Nmap mode implies the -sC option
Methodology
o Plug in network and create subnet lists
o ifconfig
o /etc/resolv.conf
o netdiscover
o Wireshark
o dig
o Ping scan to create list of live IPs
o nmap -sP -PI
o SYN scan using timing and other evasion techniques, one port at a time
o cat hostlist.txt | sort -R | nmap -sS -p 389 -oG myscan -iL -
o Use nmap scripts against the hosts one by one in each port.txt file
o nmap -Pn -n --open -p21 --script ftp-anon,ftp-bounce,ftp-libopie -iL 21.txt
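The per-port host lists this methodology feeds into the --script runs (21.txt, 22.txt, and so on) can be built from the grepable output of the SYN-scan step. The shell below is an added example, not from the talk: it assumes the SYN scan was saved with -oG, writes one <port>.txt per port reported open, and only invokes nmap itself when nmap is installed and NSE_DRY_RUN is unset. The sample .gnmap it parses is constructed for the demo and names no real hosts.

```shell
#!/bin/sh
# Added example: split a grepable Nmap scan (-oG) into per-port host lists.
# Assumed layout: one <port>.txt per open port under $outdir, e.g. ports/21.txt.

# Append each host to <outdir>/<port>.txt for every port whose state is "open".
# A grepable line looks like (fields are TAB-separated):
#   Host: 10.0.0.5 ()<TAB>Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///<TAB>Ignored State: closed (998)
# and each Ports entry is port/state/proto/owner/service/rpcinfo/version/.
split_gnmap_by_port() {
  gnmap="$1"
  outdir="$2"
  [ -r "$gnmap" ] || { echo "cannot read $gnmap" >&2; return 1; }
  mkdir -p "$outdir" || return 1
  awk -v dir="$outdir" '
    /^Host:/ && /Ports:/ {
      host = $2
      n = split($0, sect, "\t")             # locate the "Ports: " section
      ports = ""
      for (i = 1; i <= n; i++)
        if (sect[i] ~ /^Ports: /) ports = substr(sect[i], 8)
      m = split(ports, entry, ", ")
      for (j = 1; j <= m; j++) {
        split(entry[j], f, "/")              # f[1] = port, f[2] = state
        if (f[2] == "open") {                # filtered / open|filtered are skipped
          file = dir "/" f[1] ".txt"
          print host >> file
          close(file)
        }
      }
    }' "$gnmap"
  for file in "$outdir"/*.txt; do            # a host scanned twice is listed once
    [ -f "$file" ] || continue
    sort -u "$file" -o "$file"
  done
}

# Hosts recorded for one port, one per line (helper used by the demo and checks).
hosts_for_port() {
  [ -f "$2/$1.txt" ] && cat "$2/$1.txt"
}

# Print the per-port command from the slides (hosts shuffled with sort -R, then
# piped to -iL -) and run it only when nmap is present and NSE_DRY_RUN is unset.
nse_for_port() {
  port="$1"; scripts="$2"; outdir="$3"
  list="$outdir/$port.txt"
  [ -s "$list" ] || { echo "no open hosts for port $port" >&2; return 1; }
  echo "sort -R $list | nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p$port --script=$scripts -iL -"
  if [ -z "$NSE_DRY_RUN" ] && command -v nmap >/dev/null 2>&1; then
    sort -R "$list" | nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p"$port" --script="$scripts" -iL -
  fi
}

# Constructed sample scan (not real hosts): 10.0.0.5 has 21/22 open and 445 filtered,
# 10.0.0.7 has 22/389 open, 10.0.0.9 is down.
write_sample_gnmap() {
  printf '# Nmap 6.45 scan initiated (constructed sample)\n' > "$1"
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n' >> "$1"
  printf 'Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 389/open/tcp//ldap///\tIgnored State: closed (998)\n' >> "$1"
  printf 'Host: 10.0.0.9 ()\tStatus: Down\n' >> "$1"
  printf '# Nmap done\n' >> "$1"
}

# Demo: build the lists from the sample, then show the FTP command (dry run).
demo() {
  work=$(mktemp -d)
  write_sample_gnmap "$work/scan.gnmap"
  split_gnmap_by_port "$work/scan.gnmap" "$work/ports"
  NSE_DRY_RUN=1 nse_for_port 21 banner,ftp-anon,ftp-bounce "$work/ports"
}
demo
```

Only ports in state "open" are listed; a UDP scan reports "open|filtered" for most ports, so a UDP list would need that state added to the awk test deliberately rather than by accident.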
Sounds Cool! Where the heck are they?
[root@labs ~] 2014-05-09 08:48:56 # cd /usr/share/nmap/scripts/
[root@labs scripts] 2014-05-09 08:49:09 # ls | head
acarsd-info.nse
address-info.nse
afp-brute.nse
afp-ls.nse
afp-path-vuln.nse
afp-serverinfo.nse
afp-showmount.nse
ajp-auth.nse
ajp-brute.nse
ajp-headers.nse
[root@labs scripts] 2014-05-09 08:49:14
Research the Usage
http://nmap.org/nsedoc/scripts/
FTP
Search: nmap --script-help "ftp-*"
Example: nmap --scan-delay 5s -g 53 -iL 21.txt -Pn -n -sS --open -p21 --script=banner,ftp-anon,ftp-bounce
# ls -lah | grep ftp
-rw-r--r-- 1 root root 5.9K Apr 17 03:33 ftp-anon.nse
-rw-r--r-- 1 root root 5.0K Apr 17 03:33 ftp-bounce.nse
-rw-r--r-- 1 root root 3.4K Apr 17 03:33 ftp-brute.nse
-rw-r--r-- 1 root root 3.2K Apr 17 03:33 ftp-libopie.nse
-rw-r--r-- 1 root root 3.3K Apr 17 03:33 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root 6.2K Apr 17 03:33 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root 6.1K Apr 17 03:33 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root 6.0K Apr 17 03:33 tftp-enum.nse
SSH
Search: nmap --script-help "ssh-*"
Example: nmap --scan-delay 5s -g 53 -iL 22.txt -Pn -n -sS --open -p22 --script=sshv1,ssh2-enum-algos
# ls -lah | grep ssh
-rw-r--r-- 1 root root 5.6K Apr 17 03:33 ssh2-enum-algos.nse
-rw-r--r-- 1 root root  15K Apr 17 03:33 ssh-hostkey.nse
-rw-r--r-- 1 root root 1.5K Apr 17 03:33 sshv1.nse
SMTP
Search: nmap --script-help "smtp-*"
Example: nmap --scan-delay 5s -g 53 -iL 25.txt -Pn -n -sS --open -p25 --script=banner,smtp-commands,smtp-enum-users,smtp-open-relay,smtp-strangeport
# ls -lah | grep smtp
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 smtp-brute.nse
-rw-r--r-- 1 root root 4.7K Apr 17 03:33 smtp-commands.nse
-rw-r--r-- 1 root root  12K Apr 17 03:33 smtp-enum-users.nse
-rw-r--r-- 1 root root  10K Apr 17 03:33 smtp-open-relay.nse
-rw-r--r-- 1 root root  715 Apr 17 03:33 smtp-strangeport.nse
-rw-r--r-- 1 root root  15K Apr 17 03:33 smtp-vuln-cve2010-4344.nse
-rw-r--r-- 1 root root 7.6K Apr 17 03:33 smtp-vuln-cve2011-1720.nse
-rw-r--r-- 1 root root 7.8K Apr 17 03:33 smtp-vuln-cve2011-1764.nse
DNS
Search: nmap --script-help "dns-*"
Example: nmap --scan-delay 5s -g 53 -iL 53.txt -Pn -n -sS -sU --open -p53 --script=dns-cache-snoop,dns-service-discovery,dns-update,dns-zone-transfer,dns-recursion
# ls -lah | grep dns
-rw-r--r-- 1 root root 1.5K Apr 17 03:33 broadcast-dns-service-discovery.nse
-rw-r--r-- 1 root root 5.3K Apr 17 03:33 dns-blacklist.nse
-rw-r--r-- 1 root root 9.0K Apr 17 03:33 dns-brute.nse
-rw-r--r-- 1 root root 7.0K Apr 17 03:33 dns-cache-snoop.nse
-rw-r--r-- 1 root root  15K Apr 17 03:33 dns-check-zone.nse
-rw-r--r-- 1 root root  15K Apr 17 03:33 dns-client-subnet-scan.nse
-rw-r--r-- 1 root root  11K Apr 17 03:33 dns-fuzz.nse
-rw-r--r-- 1 root root 3.7K Apr 17 03:33 dns-ip6-arpa-scan.nse
-rw-r--r-- 1 root root  13K Apr 17 03:33 dns-nsec3-enum.nse
-rw-r--r-- 1 root root  11K Apr 17 03:33 dns-nsec-enum.nse
-rw-r--r-- 1 root root 3.4K Apr 17 03:33 dns-nsid.nse
-rw-r--r-- 1 root root  26K Apr 17 03:33 dns-zone-transfer.nse
...
DHCP
Example: nmap --scan-delay 5s -g 53 -iL 67.txt -Pn -n -sS -sU --open -p67 -sC
# ls -lah | grep dhcp
-rw-r--r-- 1 root root 3.2K Apr 17 03:33 broadcast-dhcp6-discover.nse
-rw-r--r-- 1 root root 6.6K Apr 17 03:33 broadcast-dhcp-discover.nse
-rw-r--r-- 1 root root 5.8K Apr 17 03:33 dhcp-discover.nse
MSSQL
Search: nmap --script-help "ms-sql-*"
Example: nmap --scan-delay 5s -g 53 -iL mssql.txt -Pn -n -sS -sUV --open -p T:1433,U:1434 --script=ms-sql-info,ms-sql-empty-password --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa --script=ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa
# ls -lah | grep ms-sql
-rw-r--r-- 1 root root  12K Apr 17 03:33 ms-sql-brute.nse
-rw-r--r-- 1 root root 6.0K Apr 17 03:33 ms-sql-config.nse
-rw-r--r-- 1 root root 4.1K Apr 17 03:33 ms-sql-dump-hashes.nse
-rw-r--r-- 1 root root 7.1K Apr 17 03:33 ms-sql-empty-password.nse
-rw-r--r-- 1 root root 5.9K Apr 17 03:33 ms-sql-hasdbaccess.nse
-rw-r--r-- 1 root root  11K Apr 17 03:33 ms-sql-info.nse
-rw-r--r-- 1 root root 4.7K Apr 17 03:33 ms-sql-query.nse
-rw-r--r-- 1 root root 9.5K Apr 17 03:33 ms-sql-tables.nse
-rw-r--r-- 1 root root 6.2K Apr 17 03:33 ms-sql-xp-cmdshell.nse
NFS
Search: nmap --script-help "nfs-*"
Example: nmap --scan-delay 5s -g 53 -iL 111.txt -Pn -n -sS --open -p111 --script=rpcinfo,nfs-ls,nfs-showmount,nfs-statfs
# ls -lah | grep nfs
-rw-r--r-- 1 root root  14K Apr 17 03:33 nfs-ls.nse
-rw-r--r-- 1 root root 2.7K Apr 17 03:33 nfs-showmount.nse
-rw-r--r-- 1 root root 9.5K Apr 17 03:33 nfs-statfs.nse
NetBIOS
Example: nmap --scan-delay 5s -g 53 -iL 137.txt -Pn -n -sS -sU --open -p137 --script=nbstat
# ls -lah | grep netbios
-rw-r--r-- 1 root root 2.0K Apr 17 03:33 broadcast-netbios-master-browser.nse
[root@labs scripts] 2014-05-09 17:02:44 # ls -lah | grep nbstat
-rw-r--r-- 1 root root 7.5K Apr 17 03:33 nbstat.nse
SMB
Search: nmap --script-help "smb-*"
Example: nmap --scan-delay 5s -g 53 -iL smb.txt -Pn -n -sS --open -p139,445 --script="smb-enum*",smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,smb-check-vulns --script-args safe=1
# ls -lah | grep smb
-rw-r--r-- 1 root root  46K Apr 17 03:33 smb-brute.nse
-rw-r--r-- 1 root root  28K Apr 17 03:33 smb-check-vulns.nse
-rw-r--r-- 1 root root 4.8K Apr 17 03:33 smb-enum-domains.nse
-rw-r--r-- 1 root root 3.6K Apr 17 03:33 smb-enum-groups.nse
-rw-r--r-- 1 root root 8.2K Apr 17 03:33 smb-enum-processes.nse
-rw-r--r-- 1 root root  13K Apr 17 03:33 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6.2K Apr 17 03:33 smb-enum-shares.nse
-rw-r--r-- 1 root root  13K Apr 17 03:33 smb-enum-users.nse
...
WEB
Search: nmap --script-help "http-*"
Example: nmap --scan-delay 5s -g 53 -iL web.txt -Pn -n -sS --open -p80,443,8000,8080,8443 --script=http-date,http-enum,http-favicon,http-headers,http-open-proxy,http-php-version,http-robots.txt,http-title,http-trace,http-vhosts,http-vmware-path-vuln,citrix-enum-apps-xml,citrix-enum-servers-xml --stats-every 30s
# ls -lah | grep http | head -n 5
-rw-r--r-- 1 root root 2.1K Apr 17 03:33 http-adobe-coldfusion-apsa1301.nse
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 http-affiliate-id.nse
-rw-r--r-- 1 root root 2.0K Apr 17 03:33 http-apache-negotiation.nse
-rw-r--r-- 1 root root 3.9K Apr 17 03:33 http-auth-finder.nse
-rw-r--r-- 1 root root 3.1K Apr 17 03:33 http-auth.nse
SNMP
Search: nmap --script-help "snmp-*"
Example: nmap --scan-delay 5s -g 53 -iL 161.txt -Pn -n -sS -sU --open -p161 --script=snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software
# ls -lah | grep snmp
-rw-r--r-- 1 root root 7.9K Apr 17 03:33 snmp-brute.nse
-rw-r--r-- 1 root root 4.6K Apr 17 03:33 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root  17K Apr 17 03:33 snmp-interfaces.nse
-rw-r--r-- 1 root root 6.6K Apr 17 03:33 snmp-ios-config.nse
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 snmp-netstat.nse
-rw-r--r-- 1 root root 3.7K Apr 17 03:33 snmp-processes.nse
-rw-r--r-- 1 root root 3.0K Apr 17 03:33 snmp-sysdescr.nse
-rw-r--r-- 1 root root 2.2K Apr 17 03:33 snmp-win32-services.nse
-rw-r--r-- 1 root root 2.7K Apr 17 03:33 snmp-win32-shares.nse
-rw-r--r-- 1 root root 3.2K Apr 17 03:33 snmp-win32-software.nse
-rw-r--r-- 1 root root 2.0K Apr 17 03:33 snmp-win32-users.nse
LDAP
Search: nmap --script-help "ldap-*"
Example: nmap --scan-delay 5s -g 53 -iL 389.txt -Pn -n -sS --open -p389 --script=ldap-rootdse
# ls -lah | grep ldap
-rw-r--r-- 1 root root  15K Apr 17 03:33 ldap-brute.nse
-rw-r--r-- 1 root root 4.9K Apr 17 03:33 ldap-novell-getpass.nse
-rw-r--r-- 1 root root 6.6K Apr 17 03:33 ldap-rootdse.nse
-rw-r--r-- 1 root root  13K Apr 17 03:33 ldap-search.nse
SSL
Search: nmap --script-help "ssl-*"
Example: nmap --scan-delay 5s -g 53 -iL 443.txt -Pn -n -sS --open -p443 --script=banner,ssl-cert,ssl-enum-ciphers,sslv2,ssl-heartbleed
# ls -lah | grep ssl
-rw-r--r-- 1 root root 7.4K Apr 17 03:33 ssl-cert.nse
-rw-r--r-- 1 root root 3.8K Apr 17 03:33 ssl-date.nse
-rw-r--r-- 1 root root  15K Apr 17 03:33 ssl-enum-ciphers.nse
-rw-r--r-- 1 root root 2.1K Apr 17 03:33 ssl-google-cert-catalog.nse
-rw-r--r-- 1 root root  10K Apr 17 03:33 ssl-heartbleed.nse
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 ssl-known-key.nse
-rw-r--r-- 1 root root 6.7K Apr 17 03:33 sslv2.nse
IP Geolocation
nmap -Pn -p80 --script ip-geolocation-* tools.question-defense.com

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-10 12:35 EDT
Nmap scan report for tools.question-defense.com (74.143.109.27)
Host is up.
rDNS record for 74.143.109.27: highland.corp.question-defense.com
PORT   STATE    SERVICE
80/tcp filtered http

Host script results:
| ip-geolocation-geobytes:
|   latitude: 38.2252
|   longitude: -85.7141
|   city: Louisville
|   region: Kentucky
|_  country: United States
| ip-geolocation-geoplugin:
|   74.143.109.27 (tools.question-defense.com)
|   coordinates (lat,lon): 38.400398,-85.772499
|_  state: Indiana, United States
|_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 2.79 seconds
Mo' Scripts
o DB2 - nmap --scan-delay 5s -g 53 -iL 523.txt -Pn -n -sS -sU --open --version-intensity 0 -p523 --script=db2-discover,db2-das-info
o Oracle - nmap --scan-delay 5s -g 53 -iL 1521.txt -Pn -n -sS --open -p1521 --script=oracle-sid-brute
o Citrix - nmap --scan-delay 5s -g 53 -iL 1604.txt -Pn -n -sS -sU --open -p1604 --script=citrix-enum-apps,citrix-enum-servers
o MySQL - nmap --scan-delay 5s -g 53 -iL $name/3306.txt -Pn -n -sS --open -p3306 --script=mysql-databases,mysql-info,mysql-users,mysql-variables
o IMAP - nmap --scan-delay 5s -g 53 -iL 993.txt -Pn -n -sS --open -p993 --script=banner,sslv2,imap-capabilities
o POP3 - nmap --scan-delay 5s -g 53 -iL 995.txt -Pn -n -sS --open -p995 --script=banner,sslv2,pop3-capabilities
o VNC - nmap --scan-delay 5s -g 53 -iL 5900.txt -Pn -n -sS --open -p5900 --script=vnc-info,realvnc-auth-bypass
o X11 - nmap --scan-delay 5s -g 53 -iL x11.txt -Pn -n -sS --open -p6000-6005 --script=x11-access
o Finger - nmap --scan-delay 5s -g 53 -iL 79.txt -Pn -n -sS --open -p79 -sC
Adding Custom Scripts
o Many people write custom NSE scripts which are not included by default
o Github is a goldmine for these
o https://github.com/mainframed/NMAP
o https://github.com/kost/nmap-nse/tree/master/scripts
o https://github.com/offensivecoder/nmap-nse-scripts
o https://github.com/SpiderLabs/Nmap-Tools
o Writing custom nmap scripts makes you look like a straight baller at work!
How the $#%@ do I add a custom script?
Using Nmap to Screenshot Web Services
o wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
o tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
o cp wkhtmltoimage-i386 /usr/local/bin/
Download our Script
o git clone git://github.com/SpiderLabs/Nmap-Tools.git
o cd Nmap-Tools/NSE/
o cp http-screenshot.nse /usr/local/share/nmap/scripts/
o nmap --script-updatedb
Take an a$$ load of screenshots
nmap -A --script=default,http-screenshot 192.168.1.0/24 -oA nmap-local
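The install steps above (cp into the scripts directory, then nmap --script-updatedb) as one shell function, with the checks worth running before the copy. This is an added example, not code from the talk or from the SpiderLabs repository: the .nse file it installs is constructed for the demo, the scripts directory is a parameter (the slides use /usr/local/share/nmap/scripts), and nmap --script-updatedb only runs when nmap is on PATH and NSE_RUN_UPDATEDB=1, so the demo can run on a box without Nmap.

```shell
#!/bin/sh
# Added example: install a custom NSE script with sanity checks.
# Assumed: scripts dir passed as $2 (default matches the slides); script.db is
# only rebuilt when NSE_RUN_UPDATEDB=1 and nmap exists.

# NSE needs an action, at least one rule (portrule/hostrule/prerule/postrule)
# and a categories table; without categories, --script=default or
# --script=safe can never select the script and script.db has nothing to index.
check_nse_script() {
  script="$1"
  case "$script" in *.nse) ;; *) echo "$script: not a .nse file" >&2; return 1;; esac
  [ -r "$script" ] || { echo "$script: unreadable" >&2; return 1; }
  grep -Eq '^[[:space:]]*action[[:space:]]*=' "$script" \
    || { echo "$script: no action" >&2; return 1; }
  grep -Eq '^[[:space:]]*(portrule|hostrule|prerule|postrule)[[:space:]]*=' "$script" \
    || { echo "$script: no rule" >&2; return 1; }
  grep -Eq '^[[:space:]]*categories[[:space:]]*=' "$script" \
    || { echo "$script: no categories" >&2; return 1; }
}

# Copy into the scripts directory, refusing to overwrite a different script of
# the same name (a stock script, say), then rebuild script.db when allowed.
install_nse_script() {
  script="$1"
  scripts_dir="${2:-/usr/local/share/nmap/scripts}"
  check_nse_script "$script" || return 1
  [ -d "$scripts_dir" ] || { echo "$scripts_dir: no such directory" >&2; return 1; }
  target="$scripts_dir/$(basename "$script")"
  if [ -e "$target" ] && ! cmp -s "$script" "$target"; then
    echo "$target exists and differs; remove it first" >&2
    return 1
  fi
  cp "$script" "$target" || return 1
  chmod 644 "$target"
  if [ "${NSE_RUN_UPDATEDB:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
    nmap --script-updatedb
  else
    echo "installed $target; run 'nmap --script-updatedb' to refresh script.db" >&2
  fi
}

# Categories a script declares, comma-separated (tells you whether -sC will run it).
nse_categories() {
  sed -n 's/^[[:space:]]*categories[[:space:]]*=[[:space:]]*{\(.*\)}.*/\1/p' "$1" \
    | tr -d "\"' "
}

# Constructed minimal NSE script (not a real project script): enough header
# to be loadable, reporting the service Nmap matched on ports 80/443.
write_sample_script() {
  cat > "$1" <<'EOF'
-- Constructed sample script for the installer demo.
local shortport = require "shortport"

description = [[
Reports the service name Nmap matched on each open web port.
]]
author = "example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.port_or_service({80, 443}, {"http", "https"})

action = function(host, port)
  return "sample: " .. (port.service or "unknown")
end
EOF
}

# Demo: install the sample into a throwaway scripts dir and show its categories.
demo() {
  work=$(mktemp -d)
  mkdir "$work/scripts"
  write_sample_script "$work/sample-info.nse"
  install_nse_script "$work/sample-info.nse" "$work/scripts"
  nse_categories "$work/scripts/sample-info.nse"
}
demo
```

script.db is what category selections such as --script=default are resolved against, so until --script-updatedb has run a freshly copied script is reachable only by its name or path, not by category.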
Nmap Scripting Engine Metasploit Integration AV Evasion
Importing and Working with Nmap Scans in Metasploit Using nmap from inside the framework
Getting Rollin' with the MSF database
[root@labs ~] 2014-05-10 00:27:45 # service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
[root@labs ~] 2014-05-10 00:27:55 # service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
[root@labs ~] 2014-05-10 00:28:09 # msfconsole
msf > db_status
[*] postgresql connected to msf3
MSF Database Crash Course
Command           Description
-------           -----------
creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces
Import an nmap file
msf > db_import 192.168_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.4.3.1'
[*] Importing host 192.168.1.1
[*] Importing host 192.168.1.2
[*] Importing host 192.168.1.3
[*] Importing host 192.168.1.4
[*] Importing host 192.168.1.7
[*] Importing host 192.168.1.9
[*] Importing host 192.168.1.10
[*] Importing host 192.168.1.13
[*] Importing host 192.168.1.15
[*] Importing host 192.168.1.16
[*] Importing host 192.168.1.22
[*] Importing host 192.168.1.100
[*] Successfully imported /root/192.168_scan.xml
Check out your targets
msf > hosts -u

Hosts
=====

address       mac  name       os_name  os_flavor  os_sp  purpose  info  comments
-------       ---  ----       -------  ---------  -----  -------  ----  --------
192.168.1.1                   Unknown                    device
192.168.1.10       goro.home  Unknown                    device

Use 'hosts -u' to get a list of only hosts that respond to ping and are believed to be up
Use the -p flag to only list specific ports you're interested in
msf > services -p 445 -u

Services
========

host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

Now to do something useful with this
msf > services -p 445 -R

Services
========

host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

RHOSTS => file:/tmp/msf-db-rhosts-20110909-32464-oyzbko
By adding the -R flag, you've told Metasploit to set the RHOSTS variable
Now select an exploit to use against these hosts
msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > show options

Module options (auxiliary/scanner/smb/smb_enumusers):

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   RHOSTS     file:/tmp/msf-db-rhosts-20110909-32464-oyzbko  yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP                                      no        The Windows domain to use for authentication
   SMBPass                                                   no        The password for the specified username
   SMBUser                                                   no        The username to authenticate as
   THREADS    1                                              yes       The number of concurrent threads

That's cool and all but I am too lazy to import a file
Help with the hosts command
msf > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]

OPTIONS:
  -a,--add          Add the hosts instead of searching
  -d,--delete       Delete the hosts instead of searching
  -c <col1,col2>    Only show the given columns (see list below)
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by

Available columns: address, arch, comm, comments, created_at, cred_count, exploit_attempt_count, history_count, host_detail_count, info, mac, name, note_count, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln

Help with the services command
msf > services -h
Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <filename>] [addr1 addr2 ...]

  -a,--add          Add the services instead of searching
  -d,--delete       Delete the services instead of searching
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -s <name1,name2>  Search for a list of service names
  -p <port1,port2>  Search for a list of ports
  -r <protocol>     Only show [tcp|udp] services
  -u,--up           Only show services which are up
  -o <file>         Send output to a file in csv format
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by

Available columns: created_at, info, name, port, proto, state, updated_at
Example Database queries
o msf > hosts -c address,os_flavor
o msf > hosts -c address,os_flavor -S Linux
o msf > hosts -c address,os_flavor -S Linux -R
o msf > services -c name,info 172.16.194.134
o msf > services -c name,info -S http
o msf > services -c info,name -p 445
o msf > services -c port,proto,state -p 70-81
o msf > services -s http -c port 172.16.194.134
o msf > services -S Unr
Export that shiz
msf > services -s http -c port 172.16.194.134 -o /root/msfu/http.csv
[*] Wrote services to /root/msfu/http.csv
msf > hosts -S Linux -o /root/msfu/linux.csv
[*] Wrote hosts to /root/msfu/linux.csv
msf > cat /root/msfu/linux.csv
[*] exec: cat /root/msfu/linux.csv

address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
"172.16.194.172","00:0C:29:D1:62:80","","Linux","Debian","","server","",""
msf > cat /root/msfu/http.csv
[*] exec: cat /root/msfu/http.csv

host,port
"172.16.194.134","80"
"172.16.194.134","443"
Nmap Scripting Engine Metasploit Integration Evasion
Defeating IDS/IPS Stealth/Decoy Scanning Firewall Subversion
Syn Scan
-sS (TCP SYN scan)
o Relatively unobtrusive and stealthy since it never completes TCP connections
o If you want to know more you should have been paying attention to Adrian
Source Port Manipulation
o DNS - Port 53 (TCP)
o FTP - Port 20 (TCP)
o Kerberos - Port 88 (TCP or UDP)
o DHCP - Port 67 (UDP)
Does not work for:
o Operations that use normal operating system sockets
o DNS requests
o TCP connect scan
o OS version detection
o Script scanning
--source-port <portnumber>; -g <portnumber>
Fragmentation
-f (fragment packets); --mtu (using the specified MTU)
o Split up the TCP header over several packets to make it harder for packet filters
o Specify this option once and split the packets into eight bytes or less after the IP header
o 20-byte TCP header
o Split into three packets
o Two with eight bytes of the TCP header, and one with the final four
o Specify -f again to use 16 bytes per fragment
o Specify your own offset size with the --mtu option
o Don't also specify -f if you use --mtu
o Offset must be a multiple of eight
o Generally not supported for connect scans, FTP bounce, version detection and scripting engine
Scan Delay
--scan-delay <time>; --max-scan-delay <time>
o Wait at least the given amount of time between each probe
o Evade threshold-based intrusion detection and prevention systems (IDS/IPS)
o Nmap tries to detect rate limiting and adjust the scan delay accordingly
o A low --max-scan-delay can speed up Nmap
IP List Randomization
--randomize-hosts (Randomize target host order)
o Combine it with slow timing options
o Make the scans less obvious to various network monitoring systems
o Only works up to 16384 hosts
o Alternative: shuffle the list with sort -R and then use -iL
Decoy Scanning
-D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)
o Makes it appear to the remote host that the hosts you specify as decoys are scanning the target network too
o Make the scans less obvious to various network monitoring systems
o Hosts you use as decoys should be up
o Use IP addresses instead of names
o Can be defeated through router path tracing, response-dropping, and other active mechanisms
o Decoys work with: initial ping scan (using ICMP, SYN, ACK), actual port scanning phase, and remote OS detection
o Decoys do not work with: version detection or TCP connect scan
Data Length
--data-length <number> (Append random data to sent packets)
o One common way to "signature" nmap packets is the default data length
o TCP packets are generally 40 bytes and ICMP echo requests are just 28
o Appends the given number of random bytes to most of the packets it sends and does not use any protocol-specific payloads
o Adds extra "padding" to the packet, making it look less like a scan packet and more like a legitimate packet
More Evasion Tips
o Do several "scans" of the target. Break your scans up into chunks of "ports of interest"
o Most IDS/IPS alert on scans of more than 5 ports
o Layer your source-obfuscation techniques
o Decoys
o Timing
o Fragmentation
o Data Length
o Etc.
o Keep your "scan time" to a minimum by breaking scans into multiple jobs
Credit Where Credit is Due
o http://www.redspin.com/blog/2011/09/14/importing-and-working-with-nmap-scans-in-metasploit-framework-4/
o http://nmap.org/book/
o http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
o https://github.com/leebaird/discover
o http://www.offensive-security.com/metasploit-unleashed/