Nmap/Short Course/Lecture 5
From charlesreid1
Main page: Nmap/Short Course
Summary and Objective
This lecture marks the beginning of Module 2, focusing on Red Team techniques, and will dive deeper into how the Nmap Scripting Engine (NSE) can be used for gathering detailed information beyond basic port and OS identification.
Objective: To equip students with the skills to use the Nmap Scripting Engine (NSE) for advanced network and service reconnaissance, enabling them to uncover more detailed information about target environments by leveraging discovery-focused scripts and customizing their behavior.
Notes
Recap & Introduction to NSE for Reconnaissance
Quick Recap of Lecture 4
In our last session, we covered Nmap optimization techniques, including timing controls (-T templates, granular options) for performance. We also discussed basic firewall/IDS evasion methods like fragmentation (-f), decoys (-D), and source port manipulation (-g). Crucially, we had our first introduction to the Nmap Scripting Engine (NSE), learning how to run default scripts with -sC and understanding the concept of script categories.
What is "Advanced Reconnaissance"?
Advanced reconnaissance goes beyond simply identifying live hosts, open ports, and operating systems. It involves digging deeper to understand the network's structure, the specific configurations of services, interdependencies, and discovering information that isn't immediately obvious. This could include finding hidden subdomains, enumerating network shares, identifying detailed service configurations, or discovering less common services. The goal is to build a much richer picture of the target environment.
Role of NSE in Deeper Information Gathering
The Nmap Scripting Engine is a powerful tool for automating these advanced reconnaissance tasks. Instead of manually probing for every piece of information, NSE scripts can systematically query services and network protocols to extract valuable data. Many scripts are specifically designed for information gathering without being intrusive, making them ideal for the reconnaissance phase of a security assessment. They can interact with services in more complex ways than standard Nmap probes.
Revisiting Script Categories: Focus on discovery and broadcast
We previously mentioned NSE script categories. For advanced reconnaissance, two categories are particularly relevant:
- discovery: These scripts aim to actively discover more about the network or specific targets. This can include querying directory services, SNMP-enabled devices, finding virtual hosts on web servers, and much more.
- broadcast: These scripts listen for responses to broadcast probes on the local network. They can uncover services that announce themselves via broadcast mechanisms, such as DHCP servers, UPnP devices, or systems responding to NetBIOS queries. These are particularly useful when you're already on the internal network.
We'll be exploring scripts from these categories to gather intelligence.
Using NSE for Network-Level Discovery
These NSE scripts help uncover broader network information, potentially identifying new targets or understanding network boundaries and services.
broadcast-* Scripts: Listening on the Local Network
When your scanning machine is on the same local network segment as potential targets, broadcast scripts can be very effective. These scripts typically send out broadcast probes for various protocols and listen for any responses.
- broadcast-dhcp-discover: Sends a DHCP INFORM or DISCOVER request to the broadcast address to identify DHCP servers on the local network. This can reveal the IP address of the DHCP server and sometimes other network configuration details.
- broadcast-dns-service-discovery: Sends multicast DNS (mDNS) queries to discover services advertised on the local network, often used by zero-configuration networking (zeroconf) systems like Apple's Bonjour.
- Other examples include broadcast-netbios-master-browser (to find NetBIOS master browsers) or broadcast-upnp-info (to discover UPnP devices and their control URLs).
# Discover DHCP servers on the local network (run on an interface in the target LAN)
sudo nmap --script broadcast-dhcp-discover
# Discover mDNS services (ensure Nmap is listening on the correct interface)
sudo nmap --script broadcast-dns-service-discovery
[Instructor: Run 'sudo nmap --script broadcast-dhcp-discover -e <your_lab_ethernet_interface>' and show output. This may require a DHCP server in the lab.]
Starting Nmap X.XX ( https://nmap.org ) at YEAR-MM-DD HH:MM ZONE
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     Interface: eth0
|     IP: 192.168.1.100
|     Server Identifier: 192.168.1.1
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|_    Domain Name Server: 192.168.1.1, 8.8.8.8
Nmap done: 0 IP addresses (0 hosts up) scanned in X.XX seconds
Broadcast scripts often don't take explicit targets in the same way other Nmap scans do, as they operate on the local broadcast domain.
The -e <interface> option might be needed.
Discovering Subdomains and Network Ranges
- dns-brute: Attempts to enumerate DNS hostnames by trying a list of common subdomains (e.g., www, mail, ftp, dev) against a target domain. This can uncover hidden or forgotten servers. It can use a default list or a user-provided list.
# Brute-force subdomains for a target domain
nmap --script dns-brute --script-args dns-brute.domain=<target_domain.com> <target_domain.com>
- targets-asn: Given an Autonomous System Number (ASN), this script queries online resources (like RADB) to find IP address ranges (netblocks) associated with that ASN. This is useful for understanding the network footprint of a larger organization.
# Find netblocks for a given ASN (e.g., AS15169 for Google)
nmap --script targets-asn --script-args targets-asn.asn=15169
[Instructor: Run 'nmap --script dns-brute --script-args dns-brute.domain=scanme.nmap.org scanme.nmap.org' and show example output.]
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     localhost.scanme.nmap.org - 127.0.0.1
|     beta.scanme.nmap.org - 45.33.32.156
|_    www.scanme.nmap.org - 45.33.32.156
These scripts help expand the scope of reconnaissance by identifying more potential targets or understanding the organization's overall network presence.
Enumerating Specific Services with NSE Discovery Scripts
Once services are identified on open ports, NSE discovery scripts can often extract much more detailed information than simple version detection.
Server Message Block (SMB) Enumeration
SMB/CIFS is commonly used for file sharing and network services in Windows environments (and with Samba on Linux).
- smb-os-discovery: This script attempts to determine the operating system, computer name, domain, workgroup, and current time of an SMB server. It often provides more accurate OS information than Nmap's standard OS detection for SMB-enabled hosts.
- smb-enum-shares: Attempts to list available SMB shares on a target, along with their permissions (though full permission checking can be complex). Use with caution and only if authorized, as aggressive share enumeration can sometimes trigger alerts.
# Get detailed OS and system info from an SMB server
sudo nmap -p 139,445 --script smb-os-discovery <target_IP>
# List SMB shares (if safe and authorized for the lab)
sudo nmap -p 139,445 --script smb-enum-shares <target_IP>
[Instructor: Run 'sudo nmap -p 139,445 --script smb-os-discovery <your_lab_smb_target>' and show output.]
Host script results:
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2019::-
|   Computer name: FILESRV01
|   NetBIOS computer name: FILESRV01\x00
|   Domain name: corporate.local
|   Forest name: corporate.local
|   FQDN: FILESRV01.corporate.local
|_  System time: 2025-05-28T15:50:10+00:00
Simple Network Management Protocol (SNMP) Enumeration
SNMP is a protocol used for managing devices on IP networks. If SNMP is misconfigured (e.g., using default community strings like "public" or "private"), it can be a goldmine for reconnaissance.
- snmp-info: Gathers basic information from an SNMP-enabled device, such as uptime, contact, location, and description.
- snmp-interfaces: Enumerates network interfaces on an SNMP-enabled device, showing IP addresses, MAC addresses, interface speeds, and traffic statistics.
- snmp-processes: Lists running processes on a device via SNMP (if the agent supports it and permissions allow).
# Gather basic SNMP info using default community 'public'
sudo nmap -sU -p 161 --script snmp-info <target_IP>
# Enumerate network interfaces via SNMP
sudo nmap -sU -p 161 --script snmp-interfaces <target_IP>
The information gathered from SNMP can reveal detailed system configurations, network topology insights, and running software.
Other Service Enumeration Examples
Many other services can be probed with NSE for discovery:
- NFS (Network File System): nfs-ls (lists NFS exports), nfs-showmount (similar to the showmount -e command).
- FTP (File Transfer Protocol): ftp-anon (checks for anonymous FTP login).
- HTTP: While many HTTP scripts are for vulnerability checking, some are purely for discovery, like http-headers (fetches and displays HTTP headers), http-sitemap-generator (attempts to find sitemap files), http-robots.txt (parses robots.txt).
# Check for anonymous FTP login
nmap -p 21 --script ftp-anon <target_IP>
# Get HTTP headers from a web server
nmap -p 80 --script http-headers <target_IP>
The key is to explore scripts relevant to the services discovered during initial port scanning.
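As an added example (not part of the lecture notes), the following POSIX shell script automates exactly that step: it reads the open ports from a grepable (-oG) scan line and prints the follow-up commands for the discovery scripts covered above, grouping ports that share a script into one invocation. The host addresses and the two sample scan lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn the open ports reported by an initial port scan into the
# follow-up discovery-script commands covered in this lecture. Input is Nmap's
# grepable (-oG) format; the hosts and sample lines below are constructed.

# Map one "port/state/proto" triple to a discovery script from this lecture.
# Services the lecture does not cover produce no output and are skipped.
script_for_port() {
  case "$1" in
    21/open/tcp)                          echo ftp-anon ;;
    80/open/tcp|443/open/tcp)             echo http-headers ;;
    139/open/tcp|445/open/tcp)            echo smb-os-discovery ;;
    161/open/udp|"161/open|filtered/udp") echo snmp-info ;;  # -sU often reports open|filtered
    2049/open/tcp)                        echo nfs-showmount ;;
  esac
}

# Print one nmap command per script for a single grepable "Host: ... Ports: ..." line,
# grouping ports that share a script (e.g. 139,445) into one invocation. UDP services
# get -sU; as in the lecture's examples, run the SMB and SNMP commands with sudo.
followups_for_line() {
  host=$(printf '%s\n' "$1" | awk -F'\t' '{ sub(/^Host: /, "", $1); sub(/ .*/, "", $1); print $1 }')
  ports=$(printf '%s\n' "$1" | awk -F'\t' \
    '{ for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) { sub(/^Ports: /, "", $i); print $i } }')
  printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' |
  while IFS= read -r entry; do
    triple=$(printf '%s' "$entry" | cut -d/ -f1-3)   # port/state/proto
    script=$(script_for_port "$triple")
    [ -n "$script" ] || continue
    printf '%s %s %s\n' "$script" "${triple##*/}" "${triple%%/*}"   # script proto port
  done |
  awk -v host="$host" '
    { key = $1 " " $2                                  # script + protocol
      if (key in ports) ports[key] = ports[key] "," $3
      else { ports[key] = $3; order[++n] = key } }
    END { for (i = 1; i <= n; i++) {
            split(order[i], f, " ")
            flag = (f[2] == "udp") ? "-sU " : ""
            printf "nmap %s-p %s --script %s %s\n", flag, ports[order[i]], f[1], host } }'
}

# Constructed -oG sample lines: a file server with FTP/HTTP/SMB, and an SNMP device.
SAMPLE_TCP=$(printf 'Host: 10.0.0.5 (filesrv01.lab.example)\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)')
SAMPLE_UDP=$(printf 'Host: 10.0.0.9 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: open|filtered (999)')

followups_for_line "$SAMPLE_TCP"
followups_for_line "$SAMPLE_UDP"
```

To use it on a real scan, feed each "Host:" line of the .gnmap file produced by `nmap -oG` to followups_for_line and review the printed commands before running them.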
Customizing NSE Usage: Script Arguments (--script-args)
Many NSE scripts can be customized using script arguments to modify their behavior, provide specific input, or adjust their intensity.
Passing Arguments to Scripts
The --script-args Nmap option is used to pass arguments to NSE scripts. The format is typically --script-args "scriptname.argname=value,anotherarg=othervalue". If an argument is for a specific script, you prefix it with the script's name. Arguments not prefixed with a script name are considered global and accessible to all scripts (though few scripts use global arguments). Multiple arguments are separated by commas. If values contain spaces or special characters, enclose them in quotes.
Finding Available Script Arguments
The best way to find out what arguments a script accepts is to use Nmap's built-in help:
nmap --script-help <scriptname>
This command will display a description of the script, its categories, and a list of any arguments it accepts, along with their descriptions. For example, nmap --script-help dns-brute will show you that dns-brute accepts arguments like dns-brute.domain (which we used earlier), dns-brute.threads (to control parallelism), and dns-brute.hostlist (to provide a custom list of subdomains to try).
Examples of Using Script Arguments
Customizing dns-brute with a specific wordlist for subdomains:
nmap --script dns-brute --script-args "dns-brute.domain=<target_domain.com>,dns-brute.hostlist=/path/to/my_subdomain_list.txt" <target_domain.com>
Increasing the verbosity or intensity of some discovery scripts (if supported): For example, some scripts might have a debug or verbosity argument.
# Hypothetical example for a script supporting a 'verbosity' argument
nmap --script some-discovery-script --script-args "some-discovery-script.verbosity=2" <target_IP>
Supplying credentials to a script that can authenticate (this leans toward the auth or brute categories, but some discovery scripts accept optional credential arguments that return more detail when valid credentials are available):
# Example for smb-enum-shares, if you had credentials (use ethically!)
# sudo nmap -p 139,445 --script smb-enum-shares --script-args "smbuser=<user>,smbpass=<pass>" <target_IP>
Importance of Reading Script Documentation
Always consult the script's documentation using --script-help or by looking at the script's source code (or online Nmap documentation) before using arguments. This ensures you understand what the argument does and the expected format for its value. Incorrectly specified arguments might be ignored or cause the script to behave unexpectedly.
The lab for this lecture will involve using several of these discovery scripts and experimenting with their arguments.
Lab
Use discovery and default NSE scripts to gather more detailed information about services and configurations in the Web/Cloud Infrastructure (Scenario 3). Explore broadcast scripts in the Corporate Network (Scenario 1).
Flags