Learn Penetration Testing

Nmap

Network Mapper (Nmap) is a tool for network discovery and security auditing. It is a command-line tool, and a graphical front end called Zenmap is also available. Nmap runs on multiple platforms, such as macOS, Windows, and Linux. Nmap is very versatile: beyond detecting open ports, it can also identify the operating system and the services running on your target. Nmap is included in Kali Linux by default. Nmap can be used to perform the following:

  • Network discovery: This allows you to detect any live hosts on the target network
  • Port discovery: This allows the detection of open ports 
  • Service discovery: This provides the ability to detect software versions tied to a specific port
  • Operating system discovery: This provides information on the running operating system and version
  • Vulnerability scanning: This provides the ability to detect vulnerabilities using scripts

Nmap has a number of scanning options that you can use. Some of the common scans are as follows:

  • -sS: This is a TCP SYN scan. This scan is one of the most commonly used scan types, as it offers stealth by not completing the TCP connection. 
  • -sT: This is a TCP connect scan. This scan performs a complete connection to the target port, which can lead to detection by the target.
  • -sU: This performs a scan over the UDP protocol. Using this scan, you can uncover ports related to DHCP, DNS, SNMP, and so on.
  • -p: This defines a specific port or port range. Ranges are separated by a dash, -. If you do not specify a port or range, the scan will scan all 65,535 ports.
  • -sC: This performs a scan using the default set of scripts.
  • -sV: This performs version detection by probing the port and comparing the response against the Nmap services database of well-known services. Once a match is made, Nmap displays the service that is running on the port. Although this matching is very accurate, you may encounter cases where admins have bound different applications to common ports.
  • -O: This performs operating system detection by sending a number of crafted packets (such as TCP ISN sampling, TCP window size checks, and IP options) and comparing the responses with the nmap-os-db. Once there is a match, Nmap will display the operating system of the target.
  • --script: This selects scripts using a comma-separated list of categories, names, and directories. For example, --script "http-*" will load every script that deals with HTTP, and --script "default,safe" will load scripts that are in the default and safe categories.

SANS currently has a good Nmap cheat sheet that you can use for reference. This is located here: https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.1.pdf.

Nmap was originally used for port scanning, but the tool has evolved beyond that and is now capable of performing vulnerability scans too. Leveraging the Nmap Scripting Engine (NSE) allows you to write your own scripts, and use scripts that are freely available. Within Kali Linux, there are a number of scripts that can be found at the /usr/share/nmap/scripts location. There are various categories for the scripts, such as information gathering, vulnerability scanning, brute force, and so on. To view a full list of scripts that are currently available within Kali Linux, you can run the ls /usr/share/nmap/scripts command from a Terminal window within Kali Linux. Alternatively, you can use the locate command, which you learned about in the previous chapter: locate *.nse.

If you are unsure of what a script does, you can use the nmap --script-help [script name] command, as shown in Figure 10:

Figure 10: Nmap script help

Let's perform a few scans against the Metasploitable 2 virtual machine. Ensure that both your Kali Linux and Metasploitable 2 virtual machines are on the same virtual network:

  1. We will perform some network discovery using the netdiscover command from a Terminal window in Kali Linux. After some time, your Metasploitable 2 IP address will be displayed.
  2. We will run a basic TCP SYN scan against the Metasploitable 2 virtual machine using the nmap -sS [ip address] command. Once the scan has completed, we will be presented with a list of all open ports, as shown in Figure 11. Let's combine some more parameters to obtain richer results:

Figure 11: Nmap TCP SYN scan

Note that the nfs port 2049/TCP is open on Metasploitable 2. Using the file browser, you can navigate to nfs://[IP] of your Metasploitable 2 virtual machine. You will have access to the filesystem without authentication. You can leverage this vulnerability and browse to /etc/ and copy the shadow and passwd files to your Kali Linux. You will use these files in Chapter 6, Understanding Password Attacks.

  3. Using the nmap -sS -sV -O -sU [ip address] command, we are able to obtain results that provide a lot more information. You will notice that we can now see the service version tied to the port numbers for both TCP and UDP, as well as the operating system's information, as shown in Figure 12:

Figure 12: An Nmap scan combining various scan options

  4. Since this version of Metasploitable has an Apache server running, let's leverage a script to provide us with even more information. Using the nmap --script http-enum.nse [IP address] command, we are able to detect information related to the open HTTP ports, as shown in Figure 13:

Figure 13: Nmap displaying the open ports of a machine in the Terminal

You can perform an Nmap scan using the switches in step 3 against your Metasploitable 3 system, but you will need to add -oX, which exports the output to an .xml file. In Chapter 5, Diving into the Metasploit Framework, you will use this.
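
To make use of the -oX output, here is an added example (not code from the book) that parses Nmap's XML with Python's standard library and flags open ports that are missing from an approved baseline, the review a defender would run over the step 3 results. The XML, the address 192.0.2.10 and the baseline are constructed assumptions, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what the step 3 scan with -oX added might emit for a
# host at the assumed address 192.0.2.10; not real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -sU -oX scan.xml 192.0.2.10">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="2049"><state state="open"/><service name="nfs" version="2-4"/></port>
      <port protocol="udp" portid="111"><state state="open"/><service name="rpcbind"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each live host's IPv4 address to its open ports (as
    (proto, port, service, product, version) tuples) and OS guesses."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # skip hosts Nmap did not see as live
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to review
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append((port.get("protocol"), int(port.get("portid")),
                          attrs.get("name", ""), attrs.get("product", ""),
                          attrs.get("version", "")))
        hosts[addr] = {"ports": ports,
                       "os": [m.get("name") for m in host.iter("osmatch")]}
    return hosts


def unexpected_ports(hosts, baseline):
    """Defender's view: open (proto, port) pairs missing from the approved
    baseline, i.e. exposure to investigate (NFS on 2049/tcp in the sample)."""
    return {addr: sorted(p[:2] for p in info["ports"] if p[:2] not in baseline)
            for addr, info in hosts.items()}


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    print(unexpected_ports(scan, {("tcp", 22), ("tcp", 80)}))  # assumed baseline
```

Run it against a real scan.xml by replacing SAMPLE_XML with the file's contents; the baseline set is the list of ports your change records say should be exposed.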

By having a good understanding of Nmap, you can really benefit when performing a penetration test. Ensure that you have practiced various scans within your lab, so that you gain a good understanding of the outputs and how to use different scans in specific situations.