Nmap/Short Course/Lecture 7
From charlesreid1
Main page: Nmap/Short Course
Contents
Summary and Objective
This session will guide students on how to use Nmap and its scripting engine to perform deep dives into common network services and introduce Ncat for manual interaction.
Objective: To teach students how to perform in-depth enumeration of common network services (like HTTP, SSH, FTP, SMB) using Nmap and specific NSE scripts, map an organization's attack surface based on these findings, and introduce Ncat for basic service interaction.
Notes
Recap & Introduction to Deep Service Enumeration
Quick Recap of Lecture 6
In our previous lecture, we focused on vulnerability scanning with the Nmap Scripting Engine, particularly using scripts from the vuln category. We discussed how to identify specific known vulnerabilities, the importance of targeted scanning, managing script updates, and the critical ethical considerations involved. This provided a foundation for actively looking for weaknesses.
What is "Deep Service Enumeration"?
Deep service enumeration goes a step beyond simple version detection (-sV). While version detection tells you what software and version is running (e.g., Apache 2.4.54), deep enumeration aims to understand how that service is configured, what specific features are enabled, what content it hosts, and any non-obvious functionalities it might expose. It's about gathering detailed intelligence on each running service. For example, for a web server, this could mean finding hidden directories, understanding supported HTTP methods, or identifying virtual hosts.
Mapping the Attack Surface
The information gathered through deep service enumeration is crucial for attack surface mapping. An attack surface represents all the points where an unauthorized user (an attacker) can try to enter data or extract data from a system. By meticulously enumerating services, their configurations, and accessible data, security professionals can build a comprehensive map of potential weaknesses. This map helps prioritize defensive efforts or, from a red team perspective, identify promising avenues for further investigation or exploitation. The more you know about a service, the better you can assess its security.
HTTP/HTTPS Enumeration with NSE
Web servers are ubiquitous and often complex, making them prime targets for enumeration. NSE offers a wealth of scripts for this.
Why Focus on HTTP/HTTPS?
HTTP and HTTPS are the backbone of the modern web, hosting everything from simple websites to complex applications and APIs. Their complexity and the frequent presence of custom code make them rich targets for information gathering and vulnerability discovery. Misconfigurations or exposed information on web servers can often provide initial footholds into a network.
Key NSE Scripts for HTTP/HTTPS Enumeration
http-title: A simple but effective script that fetches and displays the title of the web page found at the root of a web server. This can give a quick idea of the website's purpose.
sudo nmap -sV -p80,443 --script http-title <target_web_server_IP>
http-headers: Retrieves and displays the full HTTP headers sent by the web server. Headers can reveal server software and version (though -sV often gets this too), enabled technologies (e.g., ASP.NET, PHP versions), cookie information, and sometimes custom headers with interesting data.
sudo nmap -sV -p80,443 --script http-headers <target_web_server_IP>
http-enum: A powerful script that attempts to enumerate common directories, files, and CGI applications by trying a list of known paths. This can uncover administration interfaces, backup files, exposed development directories, or vulnerable scripts.
sudo nmap -sV -p80,443 --script http-enum <target_web_server_IP>
[Instructor: Run 'sudo nmap -sV -p80 --script http-enum <your_lab_web_server_IP_with_some_common_dirs_like_admin_or_test>' and show example findings.] PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.54 ((Unix)) | http-enum: | /admin/: Admin interface | /test.php: Test PHP page |_ /backup/: Potentially interesting directory
http-methods: Determines which HTTP methods (like GET, POST, PUT, DELETE, OPTIONS, HEAD, TRACE) are supported by the web server, often on a per-directory basis if http.url script arg is used. If potentially dangerous methods like PUT or DELETE are enabled on sensitive paths without proper authentication, it can indicate a serious misconfiguration. The OPTIONS method can also reveal allowed methods.
sudo nmap -sV -p80,443 --script http-methods --script-args http.url=/ <target_web_server_IP>
http-robots.txt: Parses the robots.txt file. This file tells web crawlers which paths they should not access. Ironically, attackers often use it as a starting point to find potentially interesting or restricted areas of a website.
sudo nmap -sV -p80,443 --script http-robots.txt <target_web_server_IP>
Interpreting the results from these scripts involves looking for unexpected open paths, revealing headers, or enabled methods that could be leveraged. For example, http-enum finding an /admin/ directory warrants further manual investigation.
Enumerating Other Common Services (SSH, FTP, SMB)
Beyond web servers, other common services offer valuable information through NSE enumeration.
SSH (Secure Shell - Port 22)
SSH is typically used for secure remote administration.
ssh-hostkey: Retrieves the SSH server's public host key. This can be useful for identifying the server (e.g., if you have its key from a previous scan, you can check if it has changed, which might indicate a man-in-the-middle attack or a reinstallation). It also reveals key type (RSA, DSA, ECDSA, Ed25519) and size.
sudo nmap -sV -p22 --script ssh-hostkey <target_ssh_server_IP>
ssh2-enum-algos: Lists the encryption algorithms, Key Exchange (KEX) algorithms, MAC (Message Authentication Code) algorithms, and compression algorithms supported by the SSH server. This information can be used to identify servers supporting weak or outdated cryptographic algorithms, which might be a security concern.
sudo nmap -sV -p22 --script ssh2-enum-algos <target_ssh_server_IP>
[Instructor: Run 'sudo nmap -sV -p22 --script ssh2-enum-algos <your_lab_ssh_server_IP>' and show the lists of algorithms.]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ... (list continues)
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ... (list continues)
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| ... (list continues)
| mac_algorithms: (10)
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| ... (list continues)
|_ compression_algorithms: (2)
none
zlib@openssh.com
FTP (File Transfer Protocol - Port 21)
FTP servers can sometimes be misconfigured, offering valuable enumeration points.
ftp-anon: (Reiterated from discovery) Checks if anonymous login is permitted. If so, this is a significant finding as it allows unauthenticated access to potentially sensitive files.
ftp-syst: Sends the SYST command to the FTP server, which often returns a string identifying the server's operating system or FTP software type. This can corroborate or refine OS detection.
sudo nmap -sV -p21 --script "ftp-anon,ftp-syst" <target_ftp_server_IP>
SMB (Server Message Block) / CIFS (Ports 139, 445)
SMB is prevalent in Windows environments and with Samba on Linux.
smb-os-discovery: (Reiterated) Provides detailed OS information, computer name, domain/workgroup, and system time. This is often more reliable than Nmap's standard OS detection for SMB hosts.
smb-enum-shares: Attempts to list all accessible network shares on the target. Identifying open shares, especially those with weak permissions (e.g., "Everyone" read/write), is critical. Students should be reminded of the potential noise and authorization needed for this script.
smb-enum-users: Can attempt to enumerate user accounts on the target system via SAMR (Security Account Manager Remote) protocol queries. This can reveal valid usernames for further targeting. (IMPORTANT: This is often a more intrusive script and requires careful consideration and authorization.)
sudo nmap -sV -p139,445 --script "smb-os-discovery,smb-enum-shares" <target_smb_server_IP> # For smb-enum-users, if authorized: sudo nmap -sV -p139,445 --script smb-enum-users <target_smb_server_IP>
The goal with these scripts is to build a comprehensive profile of each service, its configuration, and any data it might expose.
Introduction to Ncat for Basic Service Interaction
Nmap identifies open ports and services; Ncat allows you to interact with them directly.
What is Ncat?
Ncat is Nmap's powerful and flexible reimplementation of the classic Netcat (often called nc or "the TCP/IP Swiss army knife"). It can read and write data across networks from the command line using TCP or UDP. Ncat includes many improvements over the original Netcat, such as SSL support, proxy connections, and IPv6 compatibility. It's an indispensable tool for network debugging, exploration, and even simple client/server applications.
While Nmap's version detection (-sV) is excellent at identifying service banners, sometimes you want to manually connect to a port Nmap found open and see the raw initial banner or greeting message yourself. Ncat is perfect for this.
# Nmap finds an open port, e.g., port 25 (SMTP) # sudo nmap -p25 <target_IP> # Output shows: PORT STATE SERVICE # 25/tcp open smtp # Now use Ncat to connect and see the banner ncat <target_IP> 25
[Instructor: After showing an Nmap scan finding an open SMTP port, run 'ncat <target_IP> 25' (or another banner-producing port like FTP 21) and show the immediate output from the server.] 220 mail.example.com ESMTP Postfix
This allows for a quick manual check or interaction. You might then type QUIT (for SMTP/FTP) or Ctrl+C to close the connection.
Basic Ncat for Sending Data (e.g., Manual HTTP Request)
You can also use Ncat to send simple commands or data to a service. For instance, after Nmap identifies an HTTP server on port 80, you could manually send a basic HTTP GET request:
# Send a basic HTTP GET request and print server response to stdout printf "GET / HTTP/1.0\r\n\r\n" | ncat <target_web_server_IP> 80
This command uses printf to construct a minimal HTTP GET request for the root path and pipes it into Ncat, which sends it to the server. The server's response (headers and HTML content) will be printed to your terminal. This is great for understanding raw HTTP interactions.
How Ncat Complements Nmap
Nmap excels at automated discovery and scanning at scale. Ncat provides the means for more focused, manual interaction with individual services that Nmap has identified. If an NSE script gives an interesting but ambiguous result, you might use Ncat to manually send specific probes to clarify. In the next lecture, we'll touch upon how Nmap and Ncat can be used in post-exploitation scenarios, for instance, transferring files or setting up listeners. For now, understanding Ncat as a tool for direct service connection and basic data exchange is key. The lab will involve using Ncat to connect to some of the services identified by Nmap.
Lab
Students use Nmap to find a "vulnerable" service (e.g., an old web server version with a known NSE check in Scenario 3, or a misconfigured service in Scenario 2). They then use Ncat to manually connect and verify information from the banner or try default credentials if applicable (and safe within lab).
Flags
