Tag: Host Discovery

  • Cool Tools Series: NMAP for Penetration Tests

    Cool Tools Series: NMAP for Penetration Tests

    In Scottie’s recent Cool Tools blog about discovery tools, he, like many network penetration testers, starts with Nmap. Nmap is a great discovery tool with many flags and scripts. In this post, I will expand upon Scottie’s ideas and delve more deeply into what Nmap has to offer, specifically for network penetration testing.

    Hosts Marked as Down When They Are Up

    If you find you have problems with Nmap flagging hosts as down, even though they should be up, I would recommend adding these flags to your command:

    • -PS – SYN ping scan. You can optionally add a port number after this.
    • PA – ACK ping scan. You can optionally add a port number after this.
    • -PE – Typical ICMP ping echo request, typically blocked by firewalls.
    • -PP – ICMP timestamp ping query, which can sometimes get around misconfigured firewalls.
    • -PM – ICMP subnet mask ping query, also good for evading misconfigured firewalls.
    • -PO -This issues an IP protocol ping, which seems to work a lot of times when other probes don’t.

    Putting that all together, my typical scans are now starting to look like this:

    sudo nmap -oA [output] -sSUV --unique --resolve-all -PS -PA -PE -PP -PM -PO -T4 -O -p T:-,U:53,161 -vv -iL [targets]

    Some other options present here:

    • -oA [output– Output in all file formats simultaneously.
    • -sSUV – Combo of -sS (TCP SYN scan), -sU (UDP scan), and -sV (service version scanning).
    • –unique – Scan each IP only once (e.g. if raxis.com resolves to 1.1.1.1, and both are targets, only scan 1.1.1.1 once).
    • –resolve-all – If an DNS name resolves to multiple IPs, scan each IP.
    • -T4 – Go a bit faster than default, recommended for modern networks (unless you’re trying to be quiet).
    • -O – Try to determine operating system.
    • -p T:-,U:53,161 – Scan all TCP ports as well as UDP ports 53 (DNS) and 161 (SNMP).
    • -vv – Be very verbose in output.
    • -iL [targets– Use the targets in the specified file.

    Additionally, when using -oA, if your scan gets interrupted, you can use this to resume the scan where it left off:

    nmap --resume

    The Nmap Scripting Engine

    The Nmap Scripting Engine (NSE) provides 604 scripts and 139 libraries at the time I’m writing this. That number grows each year, so, needless to say, this is a very useful tool for penetration testers or for blue teams checking out possible vulnerabilities in their systems. I’ll discuss some Useful NSE scripts here, and I encourage you to take a look to see if there are others that would be helpful for your needs.

    Shodan

    • Queries the Shodan API for the targets. Follow the instructions on the NSE site to setup a Shodan API key.
    nmap --script shodan-api [IP Range] -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'
nmap --script shodan-api --script-args 'shodan-api.target=[IP],shodan-api.apikey=SHODANAPIKEY'

    Server Message Block (SMB)

    • Check if SMB signing is disabled:
    nmap --script smb-security-mode -p445 [IP]

    File Shares

    • Attempt to enumerate SMB shares:
    nmap --script smb-enum-shares -p445 [IP]
    • Show NFS Shares (Exports):
    nmap -sV --script=nfs-showmount [IP List or Range]
    • Attempt to get useful information from NFS shares (mimics an -ls command):
    nmap -p 111 --script=nfs-ls [IP List or Range]
nmap -sV --script=nfs-ls [IP List or Range]

    Databases

    • Attempts to find configuration and version info for a Microsoft SQL Server instance:
    nmap -p 445 --script ms-sql-info [IP]
nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 [IP]
    • Looks for MySQL servers with an empty password for root or anonymous:
    nmap -sV --script=mysql-empty-password [IP]

    Domain Name Server (DNS)

    • Perform DNS Cache Snooping:
    nmap -sU -p 53 --script dns-cache-snoop --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' [IP]
    • Checks DNS anti-spam and open proxy blacklists to see if an IP has been flagged:
    nmap --script dns-blacklist --script-args='dns-blacklist.ip=[IP]'
nmap -sn [IP] --script dns-blacklist

    Virtual Private Network (VPN)

    • Checks if the host is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability: 
    nmap -p 443 --script http-vuln-cve2014-2128 [IP]

    Network Time Protocol (NTP)

    • Shows an NTP server’s monitor data:
    sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist [IP]

    Remote Access

    • Attempts to brute-force a VNC server: 
    nmap --script vnc-brute -p 5900 [IP]
    • Discovers the security layer and encryption level that is supported by a RDP service:
    nmap -p 3389 --script rdp-enum-encryption <ip>

    Network Protocols

    • Attempts to brute-force a POP3 account: 
    nmap -sV --script=pop3-brute [IP]
    • Attempts to brute-force a telnet server: 
    nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s [IP]

    Java

    • Attempts to dump all objects from a remote RMI registry: 
    nmap --script rmi-dumpregistry -p 1098 [IP]
nmap --script rmi-dumpregistry -sV --version-all -p 443 [IP]

    Weak Ciphers & Algorithms

    • Enumerates all web ciphers that a server accepts:
    nmap -sV --script ssl-enum-ciphers -p 443 <host>
    • Finds the number of algorithms the SSH2 server offers (or lists them with verbosity set):
    nmap --script ssh2-enum-algos [IP]

    Certificates

    • Displays the server’s SSL certificate. Set verbosity to add more details: 
    nmap --script=ssl-cert -p 443 [IP]

    Http

    • Checks if HTTP TRACE is enabled:
    nmap --script http-trace -d [IP]

  • Cool Tools Series: Host Discovery

    Before starting any penetration test, you must know the scope of the work. Depending on the type of assessment, this could be specific hosts or full ranges of IP addresses with live hosts scattered throughout. If the scope is the latter, then it is a good idea to initially identify which hosts are live and then discover common, known vulnerabilities on the hosts. This will narrow down the attack surface and potential attack vectors to help establish a list of priority targets during the assessment.  

    There are several tools that I like to use when I start a new assessment. Some are free open-source tools, while others are commercial.

    Open-Source Tools

    Nmap

    The first tool I always use in Nmap. Nmap is an open-source tool that can identify live hosts and services by conducting protocol enumeration across systems. It can also be used for specific configuration checks or even as a vulnerability scanner by using the Nmap Scripting Engine (NSE).

    Even when I use Nmap with vulnerability scanners, I still regularly utilize Nmap scripts. Nmap come pre-installed with Kali Linux but can easily be installed on any Linux or Windows system. Using Nmap for the first time can be intimidating, but after using it for a bit, users often find it very easy and reliable.  I usually run the initial scans by ignoring ICMP checks (Ping) and just assume that all hosts are live. I do this because some network admins like to disable ICMP on live hosts as a security measure (Good on ’em!).

    nmap -v -A --open -Pn -iL targets.txt -oA nmap_scan

    Note: -Pn disables the ICMP check.

    If the scope is extremely large and the Nmap scans won’t complete in the time allowed, I enable the ICMP check by remove the “-Pn”:

    nmap -v -A --open -iL targets.txt -oA nmap_scan

    Below is a screen shot of a typical initial scan I perform on network assessments (internal & external):

    nmap -v -A -Pn --open {IP Range} -oA {Output File Name}
    Nmap Discovery Scan

    The commands above are easy to learn once you use them a few times, and I’ll cover what is going on here.  

    • First, I like to use the “-v” which enables verbose outputs.
    • The “-A” enables OS and version detection, as well as script scanning and traceroute output.
    • “-Pn” disables ICMP ping for host discovery, causing the scan to assume that all hosts are live.
    • Next, we have the IP range, in this instance a standard /24 internal network. If I have specific hosts or multiple ranges to target, I will create a text file and use the “-iL” switch to point to the text file.
    • Lastly, I like to output the results to all supported formats by setting “-oA.” The reason I do this is because I like to ensure I have the different file types for future use. For example, the .nmap output is easy to read when I want to scan through the output. I typically use the XML output for importing into Metasploit or when using Eyewitness to enumerate web hosts.

    There are quite a few good cheat sheets out there too if you let the Googles do the work for you. If not, follow this series for more Nmap tips and tricks in the future.

    Masscan

    Another tool similar to Nmap is Masscan. Masscan is a TCP port scanner that scans faster than Nmap. Unlike Nmap, Masscan requires you to define the ports you want to scan. I typically don’t use Masscan and just stick with Nmap, but it’s a good option if you want to quickly look for specific open ports on a network.

    OpenVas

    Another tool I use on occasion is OpenVAS (a.k.a. Greenbone), a vulnerability scanner. Greenbone offers a commercial version, but there is an open-source version available as well. I’ve used this many times when I am unable to access my usual vulnerability scanners. One downside to the tool is that It can be difficult to install. I recently followed the instructions for installing with Kali and ran into quite a few issues with the install. I’ve also noticed that the initial setup can take some time due to the signatures that are downloaded. If purchasing a commercial vulnerability scanner is too expensive, then Greenbone is definitely worth looking into, despite its challenges.

    OpenVAS Dashboard

    Commercial Tools

    Nessus

    By far, my favorite vulnerability scanner is Tenable’s Nessus. There is a free version available, but it’s limited to 16 IP addresses. If you are doing a lot of vulnerability scanning or time-boxed penetration tests, then it might be worth looking into purchasing this.

    The thing I like most about Nessus is how I can sort by vulnerabilities across all hosts in a given scan. I can also sort these vulnerabilities by risk rating, which helps me narrow down critical or specific vulnerabilities to exploit or signs that a host or service may be a high priority for a closer look.

    When viewing Nessus results, never ignore the informational findings. They often provide clues that more may be going on on a host or service than you realize at first glance.

    Nexpose

    Another great vulnerability assessment tool is Nexpose, owned by Rapid7. Nexpose is similar to Nessus, as it provides similar vulnerabilities. There are some slight differences in the way the products display results.

    Nexpose is built around “sites.” Each site has defined hosts or IP ranges under it. From there each host’s vulnerabilities will be listed.  The easiest way I’ve found to list out all vulnerabilities is to create a report from the site I’m working in.

    Besides greater extensibility, one major advantage with Nexpose is that it ties in with Rapid7’s vulnerability management product, InsightVM. If you’re looking for a full vulnerability management solution and not just a vulnerability scanner, Nexpose is a good option to check out.

    There are many other tools that I use, but these are always my first go to tools to start an assessment. 

    Follow the series!

    Stay tuned for more posts in the Cool Tools series, where the Raxis penetration testing team will highlight some of their favorite tools and explain how to get started with them.

    Take a look as Adam Fernandez dives into Nmap for Penetration Tests in the next post in this series.