Education

The swiss army knife of the cyber world, it can port scan, fingerprint, produce reports and run scripts using the nmap scripting engine (NSE).

Why do we care about NMAP, surely everyone knows how to NMAP?

Well, that’s simply not true, it’s always important to tech new people, to revise and hone existing skills and the world of nmap scripting is constantly evolving.

Port scanning and fingerprinting let alone leaking sensitive data and conducting “attacks” is all possible. You can do a basic vulnerability scan with nmap alone!

TCP Scans

-sT (TCP Connect)

-sS (Syn scan – this does not complete the three way handshake)

UDP Scans

UDP scans across all 65535 ports is fun (it’s not it’s going to take an insane amount of time)

-sU

You are better off targeting well known services and doing specific fingerprinting.

Think about well-known UDP services!

  • DNS on UDP 53
  • VPN IPSEC on UDP 500
  • SNMP on UDP 161
  • SNMP TRAPS on UDP 162

Combined Ports

You can specify both TCP and UDP ports using this format:

sudo nmap -sU -sS -p U:53,T:53,T:445 192.168.0.5

Finding Open Ports First

This script set the ports variable to be a list of ports (it scans all ports with timing mode 4 (TCP)

Graphical user interface, text

Description automatically generated
A screenshot of a computer

Description automatically generated with medium confidence
Text

Description automatically generated
#Port Scan and Find Open Ports ports=$(nmap -p- –min-rate=1000 -T4 192.168.0.5 | grep ^[0-9] | cut -d ‘/’ -f 1 | tr ‘\n’ ‘,’ | sed s/,$//) #Nmap specific ports based on the first scan above nmap -sC -sV -p$ports 192.168.0.5

NMAP Output Example

You can output in different formats:

-oA (Output all formats)

For this we’ve just copy and pasted the txt output from the above command:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-06-19 08:10 BST Nmap scan report for 192.168.0.5 Host is up (0.0039s latency). PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0) | ssh-hostkey: | 3072 42:03:33:17:26:74:48:c7:ce:85:38:1e:92:1d:ce:9d (RSA) | 256 6b:15:7c:92:cf:51:fc:e3:08:f9:79:f3:27:3d:a1:f6 (ECDSA) |_ 256 68:30:a8:5c:f3:5e:b1:e2:76:7f:32:8a:47:f1:5e:b5 (ED25519) 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-19 07:10:53Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: galaxy.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: galaxy.local0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: GALAXY | NetBIOS_Domain_Name: GALAXY | NetBIOS_Computer_Name: ORION | DNS_Domain_Name: galaxy.local | DNS_Computer_Name: orion.galaxy.local | DNS_Tree_Name: galaxy.local | Product_Version: 10.0.20348 |_ System_Time: 2022-06-19T07:13:10+00:00 | ssl-cert: Subject: commonName=orion.galaxy.local | Not valid before: 2022-04-08T11:46:49 |_Not valid after: 2022-10-08T11:46:49 |_ssl-date: 2022-06-19T07:13:49+00:00; 0s from scanner time. 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Service Unavailable 5800/tcp open vnc-http TightVNC (user: orion; VNC TCP port: 5900) |_http-title: TightVNC desktop [orion] 5900/tcp open vnc VNC (protocol 3.8) |_ssl-cert: ERROR: Script execution failed (use -d to debug) |_ssl-date: ERROR: Script execution failed (use -d to debug) |_sslv2: ERROR: Script execution failed (use -d to debug) |_tls-alpn: ERROR: Script execution failed (use -d to debug) |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug) |_vnc-info: ERROR: Script execution failed (use -d to debug) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 56728/tcp open msrpc Microsoft Windows RPC 56744/tcp open msrpc Microsoft Windows RPC 60660/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 60661/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=6/19%Time=62AECC02%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,”\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03″); Service Info: Host: ORION; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_nbstat: NetBIOS name: ORION, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:02:43:04 (Microsoft) | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2022-06-19T07:13:10 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 182.77 seconds

Post Port Scan Activity

Now that we have exposed some ports we can see what else we can do, for this we are going to just use crack map exec (CME) to password spray on WINRM and SMB against the target IP. The below was run on UBUNTU Desktop. If you have kali you can probably just run the CME commands!

sudo apt install git libssl-dev libffi-dev python3-dev build-essential python2-dev -y sudo apt install python3-poetry -y pip3 install CacheControl pip3 install colored pip3 install termcolor sudo apt install python3.10-venv python3 -m pip install –user pipx python3 -m pipx ensurepath pipx install crackmapexec crackmapexec winrm 192.168.0.5 -u administrator -p password Password123 12345678 Pa55w0rd1 crackmapexec smb 192.168.0.5 -u administrator -p password Password123 12345678 Pa55w0rd1
A screenshot of a computer

Description automatically generated with medium confidence
A screenshot of a computer

Description automatically generated with medium confidence

NSE

Now also remember we’ve got a domain controller, we can use CME to attack LDAP but we can also use other tools like NMAP NSE. You will need some info for this from the domain, and to create some username and password lists (or use generic ones). the LDAP base needs to be exact for the user so whilst the base bath for users is “cn=users,dc=domain,dc=local” in reality most accounts will be in a custom OU structure.

nmap -p 389 -T4 -v --script ldap-brute --script-args "userdb=users.txt,passdb=passwords.txt,ldap.base=\"cn=users,dc=galaxy,dc=local\"" 192.168.0.5

Other tools for LDAP brute force include:

  • Hydra
  • Patator
  • CME

Remember as well, if it’s a domain controller you can also attack Kerberos! So go and look for:

  • AESROAST
  • KERBEROAST

Summary

As you can see NMAP is very versatile and can perform a range of activities through the NSE. You will also find massive value in using nmap to enumerate and then conducting attacks using other tools like CME.

Nmap & CrackMapExec (CME) Demo

The swiss army knife of the cyber world, it can port scan, fingerprint, produce reports and run scripts using the nmap scripting engine (NSE).

Why do we care about NMAP, surely everyone knows how to NMAP?

Well, that’s simply not true, it’s always important to tech new people, to revise and hone existing skills and the world of nmap scripting is constantly evolving.

Port scanning and fingerprinting let alone leaking sensitive data and conducting “attacks” is all possible. You can do a basic vulnerability scan with nmap alone!

TCP Scans

-sT (TCP Connect)

-sS (Syn scan – this does not complete the three way handshake)

UDP Scans

UDP scans across all 65535 ports is fun (it’s not it’s going to take an insane amount of time)

-sU

You are better off targeting well known services and doing specific fingerprinting.

Think about well-known UDP services!

  • DNS on UDP 53
  • VPN IPSEC on UDP 500
  • SNMP on UDP 161
  • SNMP TRAPS on UDP 162

Finding Open Ports First

This script set the ports variable to be a list of ports (it scans all ports with timing mode 4 (TCP)

Graphical user interface, text

Description automatically generated

A screenshot of a computer

Description automatically generated with medium confidence

Text

Description automatically generated

#Port Scan and Find Open Ports

ports=$(nmap -p- –min-rate=1000 -T4 192.168.0.5 | grep ^[0-9] | cut -d ‘/’ -f 1 | tr ‘\n’ ‘,’ | sed s/,$//)

#Nmap specific ports based on the first scan above

nmap -sC -sV -p$ports 192.168.0.5

NMAP Output Example

You can output in different formats:

-oA (Output all formats)

For this we’ve just copy and pasted the txt output from the above command:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-06-19 08:10 BST

Nmap scan report for 192.168.0.5

Host is up (0.0039s latency).

PORT STATE SERVICE VERSION

21/tcp open ftp Microsoft ftpd

| ftp-syst:

|_ SYST: Windows_NT

22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)

| ssh-hostkey:

| 3072 42:03:33:17:26:74:48:c7:ce:85:38:1e:92:1d:ce:9d (RSA)

| 256 6b:15:7c:92:cf:51:fc:e3:08:f9:79:f3:27:3d:a1:f6 (ECDSA)

|_ 256 68:30:a8:5c:f3:5e:b1:e2:76:7f:32:8a:47:f1:5e:b5 (ED25519)

53/tcp open domain?

| fingerprint-strings:

| DNSVersionBindReqTCP:

| version

|_ bind

80/tcp open http Microsoft IIS httpd 10.0

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

|_http-title: IIS Windows Server

88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-19 07:10:53Z)

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: galaxy.local0., Site: Default-First-Site-Name)

445/tcp open microsoft-ds?

464/tcp open kpasswd5?

593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0

636/tcp open tcpwrapped

3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: galaxy.local0., Site: Default-First-Site-Name)

3269/tcp open tcpwrapped

3389/tcp open ms-wbt-server Microsoft Terminal Services

| rdp-ntlm-info:

| Target_Name: GALAXY

| NetBIOS_Domain_Name: GALAXY

| NetBIOS_Computer_Name: ORION

| DNS_Domain_Name: galaxy.local

| DNS_Computer_Name: orion.galaxy.local

| DNS_Tree_Name: galaxy.local

| Product_Version: 10.0.20348

|_ System_Time: 2022-06-19T07:13:10+00:00

| ssl-cert: Subject: commonName=orion.galaxy.local

| Not valid before: 2022-04-08T11:46:49

|_Not valid after: 2022-10-08T11:46:49

|_ssl-date: 2022-06-19T07:13:49+00:00; 0s from scanner time.

5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Service Unavailable

5800/tcp open vnc-http TightVNC (user: orion; VNC TCP port: 5900)

|_http-title: TightVNC desktop [orion]

5900/tcp open vnc VNC (protocol 3.8)

|_ssl-cert: ERROR: Script execution failed (use -d to debug)

|_ssl-date: ERROR: Script execution failed (use -d to debug)

|_sslv2: ERROR: Script execution failed (use -d to debug)

|_tls-alpn: ERROR: Script execution failed (use -d to debug)

|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

|_vnc-info: ERROR: Script execution failed (use -d to debug)

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

9389/tcp open mc-nmf .NET Message Framing

49664/tcp open msrpc Microsoft Windows RPC

49669/tcp open msrpc Microsoft Windows RPC

56728/tcp open msrpc Microsoft Windows RPC

56744/tcp open msrpc Microsoft Windows RPC

60660/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0

60661/tcp open msrpc Microsoft Windows RPC

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port53-TCP:V=7.80%I=7%D=6/19%Time=62AECC02%P=x86_64-pc-linux-gnu%r(DNSV

SF:ersionBindReqTCP,20,”\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\

SF:x04bind\0\0\x10\0\x03″);

Service Info: Host: ORION; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

|_nbstat: NetBIOS name: ORION, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:02:43:04 (Microsoft)

| smb2-security-mode:

| 2.02:

|_ Message signing enabled and required

| smb2-time:

| date: 2022-06-19T07:13:10

|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 182.77 seconds

Post Port Scan Activity

Now that we have exposed some ports we can see what else we can do, for this we are going to just use crack map exec (CME) to password spray on WINRM and SMB against the target IP. The below was run on UBUNTU Desktop. If you have kali you can probably just run the CME commands!

sudo apt install git libssl-dev libffi-dev python3-dev build-essential python2-dev -y

sudo apt install python3-poetry -y

pip3 install CacheControl

pip3 install colored

pip3 install termcolor

sudo apt install python3.10-venv

python3 -m pip install –user pipx

python3 -m pipx ensurepath

pipx install crackmapexec

crackmapexec winrm 192.168.0.5 -u administrator -p password Password123 12345678 Pa55w0rd1

crackmapexec smb 192.168.0.5 -u administrator -p password Password123 12345678 Pa55w0rd1

A screenshot of a computer

Description automatically generated with medium confidence

A screenshot of a computer

Description automatically generated with medium confidence

Summary

As you can see NMAP is very versatile and can perform a range of activities through the NSE. You will also find massive value in using nmap to enumerate and then conducting attacks using other tools like CME.