Unleashing the Power of nmap Scripting for Penetration Testing

Captions
All right, let's go ahead and check out our final results. And there you have it, very nice looking. Look at that, broken down per service: all the possible vulnerabilities that were found as a result of that scan.

[Music]

Hi everyone, and welcome back to another Nielsen Networking video. In the video ahead I am going to show you some advanced nmap techniques, specifically using nmap alongside a script to take nmap to the next level. Now that said, I will be showing you how to use nmap scripts that are designed specifically for pen testing, vulnerability scans, network assessments, so on and so forth. These scripts should help all of you, especially pen testers, ethical hackers, system admins and other security experts, to locate vulnerabilities so that they can be further tested, documented and eventually remediated.

All right, before we get to our first scans, let's go over the lab that we will be using for this video. This is a lab that I have built from the ground up on my own hardware, my software, meaning I own it and I do have permission to do everything we're going to be doing in this video. That said, the VirtualBox infrastructure I have contains a Kali Linux machine that will be running all the scans from. We also have a Windows XP box, Windows 10, Windows 7, Ubuntu with WordPress loaded on it, and we have a Metasploitable test server, which, if you don't know what that is, stay tuned, I'll kind of explain it and explain how you can get your own later on in the video. That said, let's get to our first scan.

All right, and one more thing before we begin: if you have never used nmap, or you don't have some fundamental understanding of how nmap works, please do yourself a favor and go back and check out video one of this series and then come back here. Otherwise it's kind of like learning how to multiply and divide before learning how to add and subtract. You're gonna see these cool things and be like, oh, that's great, maybe you can go and copy the commands, but you're really not going to understand what you're doing. So do yourself a favor, do it the right way, go check out video one if you haven't seen it.

So that said, let's get to the first script, for real this time. All right, the first script we are going to cover, and actually the next three to four scripts, are all going to be HTTP-related scripts, meaning web server targets, and we're going to start off with the cross-site request forgery vulnerability detection script. Now to do this you would run the following command, and just so we're clear: nmap is obviously the program, this is the first switch telling it you want to know the version, this is telling it we're going to use a script, this is the script number, and this is the IP I'm going to run it against. I'm actually going to run this against multiple IPs, but this will be the first one. So we're going to go ahead and hit enter and let it start doing its thing, and while that's happening I'm going to go ahead and open up another window here so we can run multiple scans at a time, so we can compare the results we get. So this one we're going to run against 2.7, and one more, so we can get three different results here. Okay, I'll come back to you when these are done.

All right, all the scans finished, let's go ahead and take a look. Let's check out the one on the left here first. This is going to be, oops, the Metasploitable server. Scrolling down we can see there's typical behavior from nmap, you know, the port, service, the version, all that good stuff, and then further down we get to what we are looking for. First of all it tells you the header for the Apache web server, and then going a little further down, here's what you really want to pay attention to: "found the following possible cross site request forgery vulnerabilities". Now this is where you would want to, if you're doing a pen test, vulnerability scan, again you're going to then need to take this a step further, and you would need to zero in on this file, or this file, or what's this PHP script. You would need to then take it a step further, so these are kind of call-outs; they're not exactly telling you 100% what the vulnerability is, but they're saying, hey, take a closer look. So it's step one in that scan. And then scrolling down you can continue to see other services, ports and things that are open, and it looks like that is about it for the first one.

So let's go ahead and check out the second machine. Scrolling up, this is going to be our Windows 7 machine, and it looks like it couldn't find any, so it looks like it struck out here. So we're one and one. Let's go ahead and check out the last one, and this is going to be, oh, this is actually nmap's; they have a website, you should write this down. This is a free domain that you can run nmap scans against for testing purposes, so this is a pretty cool resource to have, and I'll go ahead and throw this in the description as well. And it looks like this one's actually throwing up some possibilities too, so let's take a look here. Showing it has SSH open, I believe they did that on purpose, and then took it down to the header again. I think it's a different version of Apache, but the same header we're looking at here, possible vulnerabilities, and then it's telling you again where to look. So we got two out of the three, so we're, what, 66 percent, pretty good. So that's the first script, and again you would then take these and you would need to further investigate your findings at this point. So let's go ahead and move on to the next script.

All right, the next script is the HTTP Apache server status script. What this script does is it looks for misconfigured Apache web servers, and when it finds one, the script then runs itself against the server. The server will then return information that is then parsed by the script and then returned to you, and this information can be, you know, the system uptime, the version of Apache it's running, recent HTTP requests and so on and so forth. So you could then take that information and once again do further research and see if there's any known vulnerabilities, for instance against the version of Apache it's running, things like that. So let's go ahead and test it out, shall we? Okay, first thing, we're going to run it against my Metasploitable server, which is running Apache, and unfortunately that gives us no results there. I guess that's fortunate, but for the demo it's unfortunate, I don't get to show you. But let's go ahead and check out our Apache web server that's running WordPress, and that doesn't look like it has it either. So let's try it against the nmap site again, which was scanme, and it doesn't look like it has the misconfiguration either. So good job to them, good job to me I guess for having our Apache servers configured correctly. So that said, let's go ahead and move on to the next script.

Okay, the next script is known as the HTTP methods script. Now what this script does is it goes out and finds what options are available from certain web servers. So what it does is it sends an OPTIONS request to a web server and says, what methods are available, what are the options, and then that web server will respond, and normally you would expect to get a GET, a HEAD, a POST and then the OPTIONS method, but occasionally you'll get a different response, and those can often be risky. So let's go ahead and check it out and see what we get. And we're going to first run it against, I didn't mean to do that, we're going to first run it against our Apache web server that is running WordPress. Okay, and see, these are the standard methods you would expect to get when you run the script, so that's good. That server, it makes sense, that's good, I just built that server yesterday, it should be configured correctly. So let's go out and run this against the Metasploitable server, and look at that, that server's showing that it's configured as well. Now let's go ahead and run it against our IIS server. Okay, so here this is returning the standard options that we'd expect, but it's also returning the TRACE method. Now what the TRACE method is, and why this is considered risky, is because it can occasionally lead to the disclosure of sensitive information such as, you know, an internal authentication header appended by reverse proxies, or other information that you could then again take and use to take things a step further. So that's why that is risky, and those are things you would be looking for when using that script. So let's go ahead and go on to the next one.

All right, the next script is the HTTP errors script, and what this script does is it crawls through the website and looks for any error pages it finds, and then you would be able to take that error code from that error page and do some further investigation. At least that's what the point of the script is. So let's go ahead and check it out real quick. It's pretty straightforward to run. We're going to run it against nmap again, and here you go, and it did return that it found one page that has an error code 404. So then you would go out and do some further research and see if that's anything that you could use, you know, in a penetration or a vulnerability scan. So on to the next one.

All right, the next script I want to show you is the HTTP grep script. Now what this script does is it goes out and spiders or crawls a website and attempts to find, on the various pages of that website, information, and by default it's going to look for IP addresses and email addresses, but it can also look for first name, it can look for a bunch more. You could just go out to nmap.org and search for the name of the script and it will pull up the entire details on that, but for this video we're going to search for just the IP and email, and we're going to search against our Metasploitable server. So let's go ahead and check it out. And here we go, and as you can see it has already replied with the email address, another email address, looks like an IP. It doesn't really tell you what it's for, but it did that, and then some other information. So let's try this against a different server. So let's run this against Windows 7, which is running IIS. Nothing there. And what about our WordPress server? And nothing there. So that's what that script does. It can be very useful if you're trying to just, you know, do some reconnaissance about the company. So there you go, next script.

All right, and the next one is specific to WordPress. It is HTTP WordPress enum, and it is a scan that goes out and looks for plugins that are running on the site, and when it finds them it returns them. There are numerous WordPress plugins that are vulnerable, so this is actually pretty useful, especially if the client you're running your pen test for happens to be using a WordPress website. So let's check it out. Let's run it against my WordPress that I just installed yesterday and see what we get. Okay, and this must be a default plugin because I did not install this, but as you can see it returned the plugin that must be the default, and at this point I could then take that and go out and research if there were any vulnerabilities for that. So that's the WordPress one. Let's go ahead and move on to the next one.

All right, the next script we're going to go over is known as DNS brute. So we're shifting away from HTTP over to DNS for one script, and then we're going to move on to SMB after this script. But first, DNS brute. What it is, is it's a script that looks for subdomains of a parent domain. So nielsenetworking.com, it's going to go out and look for subdomains of that domain. The reason it does this is because a lot of subdomains point to different actual servers, so then those servers can expand the scope of the initial pen test or vulnerability scan, and now those need to be included, and, you know, from A to Z, everything you do with every other server you had on your list or that you found during your network discovery. So that said, let's give it a shot and see what we can find, and we're going to go ahead and utilize scanme.nmap.org again because I don't have any internal servers that have subdomains. So we're going to go ahead and run this and see what we get. Okay, and we can see here this is the actual IP that we were running on, that matches this, so this is the same server, so that didn't return anything that was useful. But look at this, this is an A record pointing to a different server, so now we could add this to the list of servers or devices, we don't know what this is necessarily, that we have to go out and perform, you know, the same scans we do on all the other devices during the tests. So that's that. Okay, so let's go ahead and move on over to some SMB scanning.

All right, the first script we're going to use for SMB scanning to look for vulnerabilities is going to be known as SMB protocols, and you guessed it, it's a simple script that's going to go out and ask the servers, what SMB protocols do you support? The servers will then respond with which ones they support, and we can take a look and look for ones that we know are not good to have supported. So let's go ahead and run this. I'm going to run this using an IP list that I've created ahead of time. Again, if you don't know how to do this, or you don't know why we're doing this, go back and check out that first video, because we go over that in that video. We'll let this run and then we'll review it. Okay, and it looks like it finished. It was actually quicker than I thought. All right, so the first one we have is Windows 7, and it looks like it is supporting SMB version 1, and look right here, the script even tells you "this is dangerous, but default", and it looks like it supports 2.2 and 2.1. And then we're going to go down here, and it looks like this is going to be the Windows XP box, and once again it's supporting SMBv1, "dangerous, but default", and that seems to be the theme, because even our Metasploitable server is showing up as supporting SMB version 1. And last but not least, it couldn't be left out, is our Windows 10 machine supporting SMB, and this one's actually supporting not just 1, 2, 2.1, so this thing apparently supports every kind of SMB you can think of. So when you're looking at something like this, when you're writing on a report, you would need to ask, do you really need to have all these versions of SMB supported? Maybe there's a reason, maybe there's a legacy server that they need all these versions for, you don't know, but you do know this one is a big no-no and easily exploitable, so are these for that matter, but more on that in another video. But moving down here, our last machine, which is our Ubuntu server running our Apache, is not running SMB, so good job for Linux once again. So that is that script. Now we're going to move on to another SMB script.

Okay, and the next SMB and the last SMB script we're going to go over is known as SMB security mode, and this script checks various information about the SMB protocol: authentication methods, security level, things like that. But the most important parameter it's looking for is message signing, and it shows if it's enabled or not, and whenever you see a response that it is not required, it should immediately be reported as a vulnerability, because that is known as a big misconfiguration; there are tons of exploits out in the wild on this specific thing. If you do not have message signing enabled and required, that's a big red flag. So let's go ahead and check it out and see how it looks. I'm gonna go ahead and run it again, and I should have mentioned SMB runs on 445, so you're going to want to make sure you put that in when you're running the scan. We're going to go ahead and run it and we'll let it come back. Oh, and that was really quick, so let's go up and check. Okay, 2.7 and Windows 7, and as you can see here it is showing message signing disabled. Now this is the default; this is the default as they actually ship to this day. Windows comes, maybe Windows 11's changed, but as far as Windows 10, it always came this way: SMB signing was not required. So look at, again, disabled, disabled. So it's disabled on all of the machines that are running SMB, and of course Kali, or Ubuntu, is not running SMB. And there you go, so there would be four vulnerable servers that you could likely exploit easily using vulnerabilities you could find out on the internet. So that's pretty scary stuff, and these would be big red flags that would need to be on that report as, hey, get these machines offline right away, or get them reconfigured the correct way. So next we're going to move on to SSL ciphers.

All right, and the first SSL script we're going to run is known as ssl-enum-ciphers, I'm sure that's short for enumerate, and what this script does is it repeatedly tries to initiate SSL and TLS connections with a host, and each time it tries a new cipher or compressor while recording whether the host accepts it or not, and then it compiles a list of all the ciphers that were allowed and then gives you a grade of what it considers the strength of that cipher, and gives you a grade of, I believe, A through F, just like a report card. So we're going to go ahead and run this on our Windows 7 box, because this is the only machine in the lab at the moment that I have an SSL certificate enabled on. So let's go ahead and run it, let's see what we got. And that was blazing quick, and I've seen a lot of F's and I don't like that, so let's go ahead and review the results here. So for the first thing, it's running SSL 3.0, which is a problem, and it's telling me I'm getting an F right here for all the different certificate versions, or ciphers I should say, and then let's scroll down here. It tells you right here that this is vulnerable to a Sweet32 attack. It's a big red flag, there's a lot of exploits available for that. And then scroll down, it says, oh yeah, I'm running TLS 1.0 on top of SSL 3.0, so not much better, right? Look at that, straight F's, no one would be proud of that report card, and then once again obviously that's going to be vulnerable to Sweet32. So there you go. This is a script that I would almost suggest everyone runs, even if you're not going through a vulnerability scan or a pen test, or you're just a network admin and this is just due diligence. Do this every now and then, set a cron job for this to run every now and then, just to check it out, keep you out of hot water. So on to the next SSL script.

All right, the next and final SSL script is known as the SSL cert, not just the SSL server, and what this script does is it goes out and retrieves SSL certificates from servers, and it will return various information along with an actual copy of the certificate. So let's go ahead and take a look. And you can run this with the -v at the end or not; if you don't, you won't get as much verbosity returned, so I'm going to go ahead and leave it on because I like to get the maximum you can get. Go ahead and run it, and you can see there's the actual encrypted certificate, and as we scroll up you can see the validity period, algorithm, and you can see the common name, the issuer. So a lot of good information here, not just for a pen test or a vulnerability scan, just being a server admin. So you have 100 servers and you want to put in, like, a warning that if your certificate's about to expire, you know, you get a warning. You could just set this up as a cron job, have it run, have Python or Perl or something, you know, parse out the information of when it expires and send an email to you. So lots of uses for this script, not just necessarily in testing or vulnerability scanning. All right, that's it, let's move on.

All right, and for our second to last script we're going to go over one that isn't really a script at all, and the reason I say that is because of how nmap categorizes scripts: it will use a term. So the one we're going to do is vuln, short for vulnerability, but there's also one that's named version, when you're trying to get the versions of things, or there's one for discovery, when you're just trying to discover. So you kind of get that. So what vuln is going to do is it's going to go out and scan all the scripts that are relevant in that category. So we're going to go ahead and run it against our Metasploitable server, so we should get some results. So let's go ahead and let this run, may take a second, but let's let it go. Okay, so the script finished running, let's go ahead and take a look at what it decided to run against this machine. And remember, it will try to run what it finds when it does a port scan: whatever services are running, it will then go out and pick the scripts it thinks are best to run against it. So it started with the cross-site request forgery script that we actually started the video with, because we knew there were some issues there, and it did as well. So it went ahead and said that there's some possible vulnerabilities there, and then it ran a SQL injection query script, which makes sense because this Metasploitable server is listed as having issues with MySQL, so that's interesting that it figured that out on its own, and it gave all these possibilities for SQL injection queries. And then it looks like it didn't find anything on cross-site scripting, so that's good, but it did find a vulnerability which I guess is known as the Slowloris vulnerability, never heard of that, I'd have to go ahead and check it out. And the cool thing is with the script, if you wanted to go check it out, you could just right-click on this and go to open link, and it would open a browser and you could go look at it. And then it looks like it tried to run that script, nothing here, nothing here. Apparently it does allow for TRACE, remember that was that method; we could check and see if it pulled down the TRACE method. I didn't think it did, but maybe if you run a trace directly against it, even though it's not advertising the method, maybe it does give you some useful information. And then the last one that looks good is the HTTP enumeration, and it looks like it found a few things where it thought was interesting, like a TikiWiki test page, possible information file, phpMyAdmin. See, it's looking for anything, it's almost like a mini version of AI in a way, anything that it thinks might be helpful, like this one, a potentially interesting directory with a listing on Apache. So on the web server, I don't know why it thought the icons were interesting, but whatever. And so that's kind of what this script does. So that's that, and for the next trip we're going to get into it, and we're actually gonna use the next group we're gonna do to build a lightweight vulnerability scanner. So let's go do that now.

All right, final script of the video, I saved the best for last, and I really mean that. We're going to be going over a script known as vulners, and we're going to actually be taking vulners, and with the results from vulners, because there will be many, and I'll explain why in a minute, we're then going to actually be using Python to parse out relevant information. But more on that in a second. So what we're going to be doing with vulners, which is a script that does the following: it will go out, scan our machine for all open ports, then look at what services are running, and then finally compare, or not, actually I said that wrong, it's going to do ports, services and then the version number, and then it's going to take all that information and compare that with its online database, which, last time I checked with nmap on their website, they said it was over 250 gigs. So this enormous online database of known vulnerabilities, and they're going to match up the version number of the service we have with the information they have, and then it's going to report back on the screen. The problem is, when it reports back, it can be overwhelming and almost too intense to read, hence why we're going to go ahead and use Python to parse out that useful information. So in the long term what we're going to end up with is a script that gives us a ton of information that is parsed down into very readable and usable information, kind of a mini version of Nessus, if you will, and it's free. So let's go ahead and get to that.

All right, and the command we're going to start with, we're going to go ahead and just let it do a raw dump, and then we'll format it nicer. I just want to show you what the difference is. So let's go ahead and run it. And all right, let's go ahead and check the results. Oh, there's a lot here. So as you can see it is a little bit overwhelming on the screen right there, but what we can do is, we can see right here, so this is going to be all SSH vulnerabilities. So what you would do is you would then click on one of them, well, that's one way to do it. So if you click on them, let's just see what happens: we right-click, go to open link, it's going to take us out to their site. That is kind of hit or miss. Okay, this one actually looks like it gives you a pretty good description. Some of them honestly aren't that great of a description, but what you could always do, if they're not giving you a great description on the vulners website, you could just go ahead and put it in Google and go ahead and look at them at multiple different websites. So you could even go straight to the NIST right here, and they have full details on it, and they even will go into remediation techniques and everything else. So it's pretty cool. The thing is, it's very overwhelming, I mean, look at all this. Okay, so then this is going to be for DNS, you go down there, there's a bunch more stuff, and then HTTP, and as we scroll down there's going to be more and more. Let's check out a few other services, and then I'm going to show you how to format it a little nicer. So then it's continuing down, and you can see there's more and more, and then it just gets a little overwhelming here with all this junk. So what we're going to do is we're actually going to take this and we're going to tweak the command a little bit to make it a little bit easier on the eyes and to weed out some of the junk you don't care about.

Okay, and the first thing we are going to do is we are going to tell nmap to return our results in XML. So to do that we need to do the following. I'm going to go ahead and paste it right here. We are going to tell nmap, you need to do the same thing with the vulners script, that's all the same, but at this point we are now going to tell it to use the switch -oX (dash, o, uppercase X), and then you will put the name of the file you want to have the output, and then the number of the machine. So I'm going to actually change this because I want to do that Metasploitable server again, and then I need to make sure, I'm just going to copy this and Ctrl-out, I want to see where I'm at. Okay, this will work, so we'll go ahead and run it here, and we're going to go ahead and run the script. All right, the script finished, let's go ahead and make sure that it output the XML file, and it did. Let's just make sure that's it, and that's today, okay, so we're good.

All right, and the next thing we need to do, now that we have our XML file there, is we need to install, if you don't already have it, the pip package management software, because we need to download something that I couldn't find using apt to try to install it, and that is going to be the python-libnmap module. So to do that we're going to run the following two commands. And you can try to run the Python script I'm going to show you in a second without doing this, if you think you already have this installed; I doubt you will, because I did it. But the first command we're going to run is this, and of course I already have it, so it's telling me I already have it, and then the second one is going to be this command right here, and again it's just going to tell me I already have it, so we're good. So we would need to run those two, and I'll throw these in the description. You need to run those two commands, and once that is done, now we can actually go ahead and write that Python script. So let's go ahead and do that now.

All right, to create our Python script, you're going to go ahead and open vi or nano. I'm going to go ahead with nano, so you would do, actually here we're going to want to do sudo and nano, and then name it whatever you want to name it. I'm just going to name mine after the IP of the machine, and I'll just name it vold, that way I know. And when we get in here we're going to want to put in the following code, and I'm going to cut and paste this because this is a lot. I will actually put this in the description as well, but something worth noting here: the indentation on this script is critical, meaning if you were to add a, if I did that, the whole script would stop working. So you need to make sure they are aligned exactly. So the first three are all the way on the left, and then it's indented one space, then two spaces, and then three and three. So again, I will paste this exactly as it needs to be in the description, but you need to have that. The next thing you need to change is whatever your IP number for the machine you are running against is, or whatever the output file was you picked when we did the nmap scan with the -oX. So mine was 13, so I should be good. So I'm going to go ahead and do a Ctrl-save, and then I'm going to get out of here, and I'm going to clear this up, and now all that's left to do is to run the Python script. So to do that we're going to go ahead and do python, you could do, actually we'll do python3 because that's the latest and, you know, we're cool like that. So we're going to do the name of the Python script here, which I guess I should have used a .py, but whatever, this will work, and we're going to go 13.vul, and I am going to redirect this into, I'm just going to call this 1002.13.results, and do that.

And then what I'm going to do is I'm going to go nano, you could use vi, whatever text editor you like to use, I'm going to go ahead and, whoops, 3.results. I'm going to go in here, and as you can see, once we're in here you get the nice breakdown. It's just more pleasant on the eye. It's kind of like running htop versus just regular top, I mean, not quite the same, but you know what I mean. It breaks it up with some colors here to make things easier on the eye, to show the delineation between different vulnerabilities, or I should say different services. It labels the exploits over here, and then the links are still right-clickable, and then of course in the middle it has the CVE score breakdown from the highest to the lowest. It just formats it nicer, and that's what I meant. You could still go through and read it on the screen the other way if you wanted, but I just don't prefer that way. I prefer to see it the way it is on the right screen versus how it is on the left. It just looks a lot nicer to me, but to each his own, and if you like it the other way you could look at it like this, you know, so I guess it's not horribly bad. Again, I just like it this way, so I'm sticking to that.

So I guess, with that said, that's going to be the end of this video. I hope you've enjoyed it. It went longer than I thought, but there was just a lot of scripts and a lot of information to put out there. I hope you're not overwhelmed. I know we covered a lot of individual scripts, and you're probably like, well, if we could just run vulners and get these results, why not just do that? And the reason is because vulners doesn't always pull up those individual, it only pulls up the scripts it thinks are relevant to your machine, so by running them individually, first you're reducing the overhead on your machine and you'll get your results returned quicker, and secondly you can do more targeted, like, let's say you just want to target what's wrong with SSL certificates on your network, you can just do that. Or if you go with vulners, it's kind of like you get all or not, you know what I mean. So anyways, I hope you appreciated this video. We're gonna, you know, keep full speed ahead and try to get some more videos out in the security series with some different security tools. I just thought that, with Metasploit being such a big success, showing you ways to find more vulnerabilities and more things would help you, you know, with your pen test and your vulnerability scans moving forward. So that said, if you've enjoyed this video, please don't hesitate to hit that like button, we could use all the help we can get. Subscribe, ring the notifications, do whatever you want to do, comment if you have any questions, or just want to give me some thumbs up, thumbs down, whatever, I'll take it all. So that's about it. You have a great rest of your day, talk to you later.
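The last part of the video builds a Python script that reads the `-oX` XML report from the vulners scan and prints the findings per service, ranked by CVSS; that script is only in the video description, not on this page. What follows is an added example written for this page, not the presenter's script. It uses only the Python standard library (`xml.etree.ElementTree`) in place of the python-libnmap module the video installs, and it also picks up the `message_signing` value the smb-security-mode script emits, since that is the other finding the video says belongs on the report. The embedded report is a constructed sample with placeholder ids (not real CVEs), and the `table`/`elem` layout for NSE structured output is my reading of the nmap XML format.

```python
"""Summarise vulners and smb-security-mode findings from an nmap -oX report.

Added example for this page; standard library only (no python-libnmap).
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -sV --script vulners,smb-security-mode -oX ...` output.
# Ids, scores and the address are placeholders; the table/elem layout is assumed.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script vulners,smb-security-mode -oX 13.vul 192.0.2.13">
<host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="4.7p1"/>
<script id="vulners" output="(raw text omitted)">
<table key="cpe:/a:openbsd:openssh:4.7p1">
<table><elem key="id">CVE-0000-0001</elem><elem key="type">cve</elem>
<elem key="is_exploit">false</elem><elem key="cvss">7.5</elem></table>
<table><elem key="id">EDB-ID:00001</elem><elem key="type">exploitdb</elem>
<elem key="is_exploit">true</elem><elem key="cvss">9.3</elem></table>
<table><elem key="id">CVE-0000-0002</elem><elem key="type">cve</elem>
<elem key="is_exploit">false</elem><elem key="cvss">5.0</elem></table>
</table></script></port>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds"/>
<script id="smb-security-mode" output="(raw text omitted)">
<elem key="account_used">guest</elem>
<elem key="authentication_level">user</elem>
<elem key="challenge_response">supported</elem>
<elem key="message_signing">disabled (dangerous, but default)</elem>
</script></port>
</ports></host></nmaprun>"""


def _vulners_entries(addr, portid, service, script):
    """Yield one finding dict per vulners entry under each CPE table."""
    for cpe_table in script.findall("table"):
        cpe = cpe_table.get("key")
        for entry in cpe_table.findall("table"):
            fields = {e.get("key"): (e.text or "") for e in entry.findall("elem")}
            try:
                cvss = float(fields.get("cvss", ""))
            except ValueError:
                cvss = None  # entry without a usable score
            yield {
                "host": addr, "port": portid, "service": service, "cpe": cpe,
                "id": fields.get("id", "?"), "type": fields.get("type", "?"),
                "is_exploit": fields.get("is_exploit", "false").lower() == "true",
                "cvss": cvss,
            }


def parse_report(xml_text):
    """Return a flat list of findings from an nmap XML report string."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            svc_el = port.find("service")
            service = svc_el.get("name", "unknown") if svc_el is not None else "unknown"
            for script in port.findall("script"):
                if script.get("id") == "vulners":
                    findings.extend(_vulners_entries(addr, portid, service, script))
                elif script.get("id") == "smb-security-mode":
                    signing = script.find("elem[@key='message_signing']")
                    # The video's rule: signing not required is reported as a finding.
                    if signing is not None and signing.text.startswith("disabled"):
                        findings.append({
                            "host": addr, "port": portid, "service": service,
                            "cpe": None, "id": "SMB message signing not required",
                            "type": "misconfiguration", "is_exploit": False,
                            "cvss": None,
                        })
    return findings


def rank(findings, min_cvss=0.0):
    """Highest CVSS first, unscored items last; drop scored items below min_cvss."""
    kept = [f for f in findings if f["cvss"] is None or f["cvss"] >= min_cvss]
    return sorted(kept, key=lambda f: -1.0 if f["cvss"] is None else f["cvss"], reverse=True)


def format_report(findings):
    """Group ranked findings per host:port (service), one line per finding."""
    groups = defaultdict(list)
    for f in rank(findings):
        groups[(f["host"], f["port"], f["service"])].append(f)
    lines = []
    for (host, port, service), items in sorted(groups.items()):
        lines.append(f"== {host}:{port} ({service}) ==")
        for f in items:
            score = "n/a" if f["cvss"] is None else f"{f['cvss']:.1f}"
            flag = "  [EXPLOIT]" if f["is_exploit"] else ""
            lines.append(f"  {score:>5}  {f['type']:<16} {f['id']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 vulners_report.py 13.vul   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(format_report(parse_report(text)))
```

Run it with the XML file from the `-oX` scan as the only argument and redirect to a results file, as the video does; `rank(findings, min_cvss=7.0)` is the knob for cutting the list down to the high-severity entries when the raw output is too long to read.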
Info
Channel: Nielsen Networking
Views: 1,251
Keywords: Cybersecurity, ransomware, Tutorial, security awareness, hacking, linux, vulnerability, exploit, kalilinux, kalitutorial, metasploit, kaliinstallation, kaliinstall, kali, server, hacked, hacker, ethical hacking, virtual machines, nmap, network scanning kali linux, network scanning tools, nmap advanced tutorial, nmap advanced scanning techniques, wireshark, kali linux security tools, kali linux, terminal, kali linux tutorial, how to hack, kali linux 2022, how to, cyber security, penetration testing
Id: 038uGW0ZrpQ
Length: 31min 37sec (1897 seconds)
Published: Mon Dec 19 2022