Insecure.org has released a new major version of the free, open source "nmap" security scanner. (Don't just call nmap a port scanner: thanks to many improvements over the past few years, nmap has become an excellent security scanner.)
Visit http://nmap.org/5/ for more information about this new version.
Although there are roughly 600 updates in this new version, these are the top 5 improvements in nmap 5:
Download and install the new version, buy/read the book, spread the word, and scan 'til you drop!
Some of my favorite nmap scan parameters:
Detecting common stateless firewall misconfigurations: some administrators allow incoming connections originating from source port 20 (FTP data), 53 (DNS) or 500 (IKE) in order to "make things work". Big mistake. A stateless filter judges every packet on its own instead of tracking connections, so this misconfiguration lets you find open ports (and traverse the firewall) simply by using one of these ports as your source port: use parameter -g
Launch multiple scan types at once (SYN scan, OS and version detection, traceroute, script scan): use parameter -A
Scan all ports: use parameter -p-
Display the reason why a port is in a particular state: --reason
Example:
nmap -P0 -nvv -A -p- -g 20 --reason <targets>
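To make the stateless-versus-stateful point concrete, here is an added illustration (not code from the post or from nmap) that models the two kinds of filter in front of a host: the "accept anything from source port 20/53/500" rule the post warns about, beside a connection-tracking rule that only admits replies to flows the inside host opened. All packets and addresses are constructed sample data.

```python
"""Model of the stateless source-port hole that nmap -g probes for.

Added illustration, not code from the Corelan post or from nmap.
"""
from dataclasses import dataclass, field

# The ports the post names: FTP-data, DNS, IKE.
TRUSTED_SOURCE_PORTS = {20, 53, 500}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True = new connection attempt (what a -g probe is)


def stateless_allows(pkt: Packet) -> bool:
    """Per-packet rule 'accept if source port is 20/53/500'.
    Any inbound SYN that spoofs a trusted source port reaches ANY
    destination port, which is exactly what 'nmap -g 53' exploits."""
    return pkt.sport in TRUSTED_SOURCE_PORTS


@dataclass
class StatefulFilter:
    """Simplified connection tracking: inbound packets are admitted only
    as non-SYN replies to a flow the inside host initiated."""
    outbound_flows: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        # Inside host opened a flow: remember (src, sport, dst, dport).
        self.outbound_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows(self, pkt: Packet) -> bool:
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (not pkt.syn) and reply_of in self.outbound_flows


def reachable_ports(allow, scanner: str, sport: int, target: str, dports):
    """Which target ports a probe from 'sport' gets through to under 'allow'.
    Models what the scanner would observe; returns a sorted list."""
    return sorted(p for p in dports
                  if allow(Packet(scanner, sport, target, p)))
```

With the stateless rule every probed port is reachable from source port 53; with connection tracking none is, while a genuine DNS reply to a query the host sent still passes.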
Some other interesting parameters are:
-6 : enable IPv6 scanning
-sO : IP Protocol scan
-D <ip,ip,ip> : try to hide a scan with decoy IP addresses
Finally, a couple of words about script scans (http://nmap.org/nsedoc/):
--script-updatedb : update the script database
Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 21:07 Romance Daylight Time
NSE: Updating rule database.
NSE script database updated successfully.
--script=<script> : run a script. You can find the default scripts in the "scripts" folder
--script-args=unsafe=1 : needed to enable certain checks, such as the regsvc DoS test
Example: run all smb scripts against a given host:
C:\>nmap -P0 -nvv -A -p- -g 20 --reason --script=smb* 192.168.0.9
Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 21:09 Romance Daylight Time
NSE: Loaded 15 scripts for scanning.
Initiating ARP Ping Scan at 21:10
Scanning 192.168.0.9 [1 port]
Completed ARP Ping Scan at 21:10, 0.23s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:10
Scanning 192.168.0.9 [65535 ports]
Discovered open port 445/tcp on 192.168.0.9
Discovered open port 3389/tcp on 192.168.0.9
Discovered open port 1723/tcp on 192.168.0.9
Discovered open port 135/tcp on 192.168.0.9
Discovered open port 139/tcp on 192.168.0.9
Discovered open port 27010/tcp on 192.168.0.9
Discovered open port 1049/tcp on 192.168.0.9
Discovered open port 902/tcp on 192.168.0.9
Discovered open port 27000/tcp on 192.168.0.9
Completed SYN Stealth Scan at 21:10, 57.15s elapsed (65535 total ports)
Initiating Service scan at 21:10
Scanning 11 services on 192.168.0.9
Completed Service scan at 21:12, 106.20s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.9
NSE: Script scanning 192.168.0.9.
NSE: Starting runlevel 0.5 scan
Initiating NSE at 21:12
Completed NSE at 21:12, 11.72s elapsed
NSE: Starting runlevel 1 scan
Initiating NSE at 21:12
Completed NSE at 21:12, 1.12s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 21:12
Completed NSE at 21:12, 0.14s elapsed
NSE: Script Scanning completed.
Host 192.168.0.9 is up, received arp-response (0.00s latency).
Scanned at 2009-07-16 21:10:00 Romance Daylight Time for 178s
Interesting ports on 192.168.0.9:
Not shown: 65526 closed ports
Reason: 65526 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack Microsoft Windows 2003 microsoft-ds
902/tcp open ssl/vmware-auth syn-ack VMware Authentication Daemon 1.10 (Uses VNC)
1049/tcp open msrpc syn-ack Microsoft Windows RPC
1723/tcp open pptp syn-ack Microsoft (Firmware: 3790)
3389/tcp open microsoft-rdp syn-ack Microsoft Terminal Service
27000/tcp open flexlm syn-ack FlexLM license manager
27010/tcp open flexlm syn-ack FlexLM license manager
MAC Address: 00:03:FF:07:23:D5 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=7/16%OT=80%CT=1%CU=%PV=Y%DS=1%G=N%M=0003FF%TM=4A5F7BBA%P=i
OS:686-pc-windows-windows)SEQ(SP=105%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS=0
OS:)OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT
OS:00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=
OS:4000%W5=4000%W6=4000)ECN(R=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R
OS:=Y%DF=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%TG=80%W=0%S=Z%A=S%F=AR%O
OS:=%RD=0%Q=)T3(R=Y%DF=N%TG=80%W=4000%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%
OS:Q=)T4(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%TG=80%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R
OS:=Y%DF=N%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=S%TG=80%CD=
OS:Z)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows
Host script results:
| smb-brute:
|_ guest:<anything> => Password was correct, but user's account is disabled
| smb-pwdump:
| Couldn't run smb-pwdump.nse, missing required file(s):
| - nselib/data/lsremora.dll
| - nselib/data/servpw.exe
| These are included in pwdump6 version 1.7.2:
|_ <http://foofus.net/fizzgig/pwdump/downloads.htm>
| smb-os-discovery: Windows Server 2003 R2 3790 Service Pack 2
| LAN Manager: Windows Server 2003 R2 5.2
| Name: CORELAN\NILUS
|_ System time: 2009-07-16 21:12:57 UTC+2
| smb-security-mode: User-level authentication
| SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing supported
| smb-enum-shares:
| Anonymous shares:
| IPC$
| Restricted shares:
| ADMIN$
| C$
| D$
|_ E$
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.92 seconds
Raw packets sent: 70666 (3.111MB) | Rcvd: 131148 (5.247MB)
© Corelan Consulting BV. All rights reserved. The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.