Insecure.org has released a new major version of the free, open source "nmap" security scanner. (Don't just call nmap a port scanner: thanks to many improvements over the last years, nmap has become an excellent security scanner.)

Visit http://nmap.org/5/ for more information about this new version.

Although there are roughly 600 updates in this new version, these are the top 5 improvements in nmap 5:

  • ncat (data transfer, redirection and debugging) – remember hobbit's nc?
  • ndiff scan comparison
  • better performance
  • improved zenmap GUI (including a really neat feature that visually maps the network you have scanned)
  • improved nmap scripting engine (NSE): existing scripts were reviewed and 32 new scripts were added.

Download and install the new version, buy/read the book, spread the word, and scan ‘til you drop !


Some of my favorite nmap parameters/scan options:

Detecting common stateless firewall misconfigurations: some people allow incoming connections originating from source port 20 (FTP), 53 (DNS) or 500 (IKE) in order to "make things work". Big mistake. A stateless filter that trusts the source port lets a scan reach ports that are otherwise filtered (and traverse the firewall) simply by sending from one of those ports: use parameter -g

Launch multiple scan types at once (SYN scan, OS and version detection, traceroute, script scan): use parameter -A

Scan all 65535 ports instead of the default port list: use parameter -p-

Display the reason why a port is in a particular state (e.g. syn-ack, reset, no-response): --reason

Example :

nmap -P0 -nvv -A -p- -g 20 --reason <targets>
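The -g trick is also useful from the defender's side: if a port only answers when probed from source port 20, the firewall is admitting traffic on the basis of the source port alone. The following Python script is an added example, not part of the original post or of nmap/ndiff; it compares the --reason port table of a normal scan with one run with -g 20 and reports such ports. Both output snippets are constructed samples.

```python
import re
from typing import Dict, Tuple

# Constructed sample output (not from the original post): one host scanned
# with "nmap -p- --reason" normally, then again with "-g 20".
SCAN_DEFAULT = """\
PORT      STATE    SERVICE       REASON
135/tcp   open     msrpc         syn-ack
445/tcp   open     microsoft-ds  syn-ack
3389/tcp  filtered ms-wbt-server no-response
"""

SCAN_SRCPORT20 = """\
PORT      STATE SERVICE       REASON
135/tcp   open  msrpc         syn-ack
445/tcp   open  microsoft-ds  syn-ack
3389/tcp  open  ms-wbt-server syn-ack
"""

# port/proto, state, service, reason; any VERSION text after that is ignored.
PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_ports(output: str) -> Dict[str, Tuple[str, str]]:
    """Map 'port/proto' -> (state, reason) from an nmap --reason port table."""
    ports: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[m.group(1)] = (m.group(2), m.group(4))
    return ports


def source_port_holes(default_out: str, srcport_out: str) -> Dict[str, Tuple[str, str]]:
    """Ports open only in the -g scan, i.e. reachable because of the source port.
    Returns 'port/proto' -> (state in the normal scan, reason in the -g scan).
    A port hidden by nmap's "Not shown:" summary in the normal scan is treated
    as "not listed", since its real state (closed or filtered) is not visible."""
    base = parse_ports(default_out)
    probe = parse_ports(srcport_out)
    holes: Dict[str, Tuple[str, str]] = {}
    for port, (state, reason) in probe.items():
        base_state = base.get(port, ("not listed", ""))[0]
        if state == "open" and base_state != "open":
            holes[port] = (base_state, reason)
    return holes


if __name__ == "__main__":
    for port, (was, reason) in source_port_holes(SCAN_DEFAULT, SCAN_SRCPORT20).items():
        print(f"{port}: {was} normally, open from source port 20 ({reason})")
```

Any port the script reports should be matched against the firewall rule set; the fix is a stateful rule (or removing the source-port exception), not a change to the host.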


Some other interesting parameters are:

-6 : enables IPv6 scanning

-sO : IP Protocol scan

-D <ip,ip,ip> : try to hide a scan with decoy IP addresses


Finally, a couple of words about script scans (see http://nmap.org/nsedoc/):

--script-updatedb : update the script database

Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 21:07 Romance Daylight Time
NSE: Updating rule database.
NSE script database updated successfully.

--script=<script> : run a script (or a wildcard selection of scripts). You can find the default scripts in the "scripts" folder

--script-args=unsafe=1 : needed to enable certain checks that may crash the target, such as the regsvc DoS test in smb-check-vulns

Example: run all smb scripts against a given host:

C:\>nmap -P0 -nvv -A -p- -g 20 --reason --script=smb* 192.168.0.9

Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 21:09 Romance Daylight Time
NSE: Loaded 15 scripts for scanning.
Initiating ARP Ping Scan at 21:10
Scanning 192.168.0.9 [1 port]
Completed ARP Ping Scan at 21:10, 0.23s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:10
Scanning 192.168.0.9 [65535 ports]
Discovered open port 445/tcp on 192.168.0.9
Discovered open port 3389/tcp on 192.168.0.9
Discovered open port 1723/tcp on 192.168.0.9
Discovered open port 135/tcp on 192.168.0.9
Discovered open port 139/tcp on 192.168.0.9
Discovered open port 27010/tcp on 192.168.0.9
Discovered open port 1049/tcp on 192.168.0.9
Discovered open port 902/tcp on 192.168.0.9
Discovered open port 27000/tcp on 192.168.0.9
Completed SYN Stealth Scan at 21:10, 57.15s elapsed (65535 total ports)
Initiating Service scan at 21:10
Scanning 11 services on 192.168.0.9
Completed Service scan at 21:12, 106.20s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.9
NSE: Script scanning 192.168.0.9.
NSE: Starting runlevel 0.5 scan
Initiating NSE at 21:12
Completed NSE at 21:12, 11.72s elapsed
NSE: Starting runlevel 1 scan
Initiating NSE at 21:12
Completed NSE at 21:12, 1.12s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 21:12
Completed NSE at 21:12, 0.14s elapsed
NSE: Script Scanning completed.
Host 192.168.0.9 is up, received arp-response (0.00s latency).
Scanned at 2009-07-16 21:10:00 Romance Daylight Time for 178s
Interesting ports on 192.168.0.9:
Not shown: 65526 closed ports
Reason: 65526 resets
PORT      STATE SERVICE         REASON  VERSION
135/tcp   open  msrpc           syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn     syn-ack
445/tcp   open  microsoft-ds    syn-ack Microsoft Windows 2003 microsoft-ds
902/tcp   open  ssl/vmware-auth syn-ack VMware Authentication Daemon 1.10 (Uses VNC)
1049/tcp  open  msrpc           syn-ack Microsoft Windows RPC
1723/tcp  open  pptp            syn-ack Microsoft (Firmware: 3790)
3389/tcp  open  microsoft-rdp   syn-ack Microsoft Terminal Service
27000/tcp open  flexlm          syn-ack FlexLM license manager
27010/tcp open  flexlm          syn-ack FlexLM license manager
MAC Address: 00:03:FF:07:23:D5 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=7/16%OT=80%CT=1%CU=%PV=Y%DS=1%G=N%M=0003FF%TM=4A5F7BBA%P=i
OS:686-pc-windows-windows)SEQ(SP=105%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS=0
OS:)OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT
OS:00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=
OS:4000%W5=4000%W6=4000)ECN(R=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R
OS:=Y%DF=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%TG=80%W=0%S=Z%A=S%F=AR%O
OS:=%RD=0%Q=)T3(R=Y%DF=N%TG=80%W=4000%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%
OS:Q=)T4(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%TG=80%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R
OS:=Y%DF=N%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=S%TG=80%CD=
OS:Z)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
|  smb-brute:
|_ guest:<anything> => Password was correct, but user's account is disabled
|  smb-pwdump:
|  Couldn't run smb-pwdump.nse, missing required file(s):
|  - nselib/data/lsremora.dll
|  - nselib/data/servpw.exe
|  These are included in pwdump6 version 1.7.2:
|_ <http://foofus.net/fizzgig/pwdump/downloads.htm>
|  smb-os-discovery: Windows Server 2003 R2 3790 Service Pack 2
|  LAN Manager: Windows Server 2003 R2 5.2
|  Name: CORELAN\NILUS
|_ System time: 2009-07-16 21:12:57 UTC+2
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing supported
|  smb-enum-shares:
|  Anonymous shares:
|     IPC$
|  Restricted shares:
|     ADMIN$
|     C$
|     D$
|_    E$
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.92 seconds
           Raw packets sent: 70666 (3.111MB) | Rcvd: 131148 (5.247MB)

© 2009, Peter Van Eeckhoutte. All rights reserved. Terms of Use are applicable to all content on this blog. If you want to use/reuse parts of the content on this blog, you must provide a link to the original content on this blog.
