Monday, April 22, 2019

NMAP Fingerprinting with Examples

NMAP (Service Fingerprinting)

Try to fingerprint currently running services on host

nmap -sV target 
root@asus:~/unix% nmap -sV 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-20 11:19 MDT
Nmap scan report for fox.acme.com (192.168.0.25)
Host is up (0.000033s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
389/tcp  open  ldap    OpenLDAP 2.2.X - 2.3.X
631/tcp  open  ipp     CUPS 2.1
3306/tcp open  mysql   MySQL 5.7.25-0ubuntu0.16.04.2
6667/tcp open  irc     InspIRCd
Service Info: Host: irc.local

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.73 seconds
root@asus:~/unix%

Specify how many probes (intensity) to send to host for fingerprinting

nmap -sV --version-intensity [0-9] target 
root@asus:~/unix% nmap -sV --version-intensity 5 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-20 11:22 MDT
Nmap scan report for fox.acme.com (192.168.0.25)
Host is up (0.000017s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
389/tcp  open  ldap    OpenLDAP 2.2.X - 2.3.X
631/tcp  open  ipp     CUPS 2.1
3306/tcp open  mysql   MySQL 5.7.25-0ubuntu0.16.04.2
6667/tcp open  irc     InspIRCd
Service Info: Host: irc.local

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.49 seconds
root@asus:~/unix%

NMAP (OS Fingerprinting)

Try to guess remote hosts OS

nmap -O target 
root@asus:~/unix% nmap -O 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-20 11:28 MDT
Nmap scan report for fox.acme.com (192.168.0.25)
Host is up (0.000024s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
389/tcp  open  ldap
631/tcp  open  ipp
3306/tcp open  mysql
6667/tcp open  irc
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.7 - 3.10, Linux 3.8 - 4.0
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.50 seconds
root@asus:~/unix%

Verbose for more information

The more ‘v’s you add the more verbose the output nmap produces

nmap -O -v target 
root@asus:~/unix% nmap -O -v 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-20 11:28 MDT
Initiating SYN Stealth Scan at 11:28
Scanning fox.acme.com (192.168.0.25) [1000 ports]
Discovered open port 3306/tcp on 192.168.0.25
Discovered open port 80/tcp on 192.168.0.25
Discovered open port 389/tcp on 192.168.0.25
Discovered open port 6667/tcp on 192.168.0.25
Discovered open port 631/tcp on 192.168.0.25
Completed SYN Stealth Scan at 11:28, 1.70s elapsed (1000 total ports)
Initiating OS detection (try #1) against fox.acme.com (192.168.0.25)
Nmap scan report for fox.acme.com (192.168.0.25)
Host is up (0.000038s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
389/tcp  open  ldap
631/tcp  open  ipp
3306/tcp open  mysql
6667/tcp open  irc
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 3.14, Linux 3.7 - 3.10, Linux 3.8 - 4.0
Uptime guess: 13.560 days (since Sat Apr  6 22:02:01 2019)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.46 seconds
           Raw packets sent: 1116 (51.808KB) | Rcvd: 2241 (98.212KB)
root@asus:~/unix%

Aggressive scan

This is basically the same as ‘nmap -sV -O -sC --traceroute target’

nmap -A target 
root@asus:~/unix% nmap -A 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-20 11:30 MDT
Nmap scan report for fox.acme.com (192.168.0.25)
Host is up (0.000045s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp  open  ldap    OpenLDAP 2.2.X - 2.3.X
631/tcp  open  ipp     CUPS 2.1
| http-methods: 
|_  Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: CUPS/2.1 IPP/2.1
|_http-title: Home - CUPS 2.1.3
3306/tcp open  mysql   MySQL 5.7.25-0ubuntu0.16.04.2
| mysql-info: 
|   Protocol: 53
|   Version: .7.25-0ubuntu0.16.04.2
|   Thread ID: 34
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, SupportsTransactions,
 DontAllowDatabaseTableColumn, Speaks41ProtocolNew, ODBCClient, IgnoreSigpipes, InteractiveClient, ConnectWithDatabase, 
FoundRows, LongPassword, IgnoreSpaceBeforeParenthesis, SupportsCompression
|   Status: Autocommit
|   Salt: tk :w%q8B\x08Sb
|_\x03l\x1E p\x05c
6667/tcp open  irc     InspIRCd
| irc-info: 
|   server: irc.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.0.25
|_  error: Closing link: (nmap@192.168.0.25) [Client exited]
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.7 - 3.10, Linux 3.8 - 4.0
Network Distance: 0 hops
Service Info: Host: irc.local

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.64 seconds
root@asus:~/unix%
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...

  • Enumerating SNMP Servers with NMAP
    NMAP gives you the ability to use scripts to enumerate and exploit remote host with the use of the NMAP Scripting Engine. Today we will be ...
  • Exploring POP3 Servers
    Scanning the remote host We can use NMAP to scan the remote host and run enumeration scripts against the POP3 server. root@asus:~/unix% ...
  • Enumerating SMTP Servers with NMAP
    NMAP gives you the ability to enumerate SMTP service with some scripts from the NMAP Scripting Enigne. These scripts will produce some gene...
  • Testing LDAP servers with examples
    Today we are going to be attacking the remote service LDAP. The only thing we need is an IP Address so lets ping our host to verify its up ...
  • Enumerating UNIX usernames
    Sometimes you may come across a situation where all you have from your OSINT phase is a list of first and last names. you can use pre-built...
  • bWAPP CSRF
    CSRF (Change Password) The first challenge is the change password CSRF. Our goal is to successfully change the users password with out log...
  • DVWA: File Upload
    Our goal is to exploit the weakness in file upload checking and obtain a remote system shell on the host. We start off with the security b...
  • bWAPP XSS Injections
    Cross-site-Scripting - Reflected (GET) Payload: <script>alert(1)</script> Cross-site-Scripting - Reflected (POST) Payload:...
  • Reading local files with XXE attacks
    Today we will be exploring XXE XML External Entity Attacks. A XXE attack is a attack that is brought against an application that deals with...
  • Exploiting Weak WEBDAV Configurations
    The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...