How to leverage Nmap for service and OS detection, use Nmap Scripting Engine (NSE), and save the results.
https://tryhackme.com/room/nmap04
Task 1 - Introduction
We will cover the following:
- Detect versions of the running services (on all open ports)
- Detect the OS based on any signs revealed by the target
- Run Nmap’s traceroute
- Run select Nmap scripts
- Save the scan results in various formats
Task 2 - Service Detection
-sVto your Nmap command will collect and determine service and version information for the open ports.
Answer the questions below
Start the target machine for this task and launch the AttackBox. Run nmap -sV –version-light 10.10.101.238 via the AttackBox. What is the detected version for port 143? dovecot imapd
Which service did not have a version detected with –version-light? rpcbind
Task 3 - OS Detection and Traceroute
-O- Exampenmap -sS -O 10.10.101.238Nmap can decept the Operating System, based on behaviour and responses.--tracerouteIf you want Nmap to find the routers betwen you and the target. For examplenmap -sS --traceroute 10.10.101.238
Answer the questions below
Run nmap with -O option against 10.10.101.238. What OS did Nmap detect? linux
Task 4 - Nmap Scripting Engine (NSE)
Nmap default installation can easily contain close to 600 scripts. On my Kali Linux this is /usr/share/nmap/scripts we can run the default scripts with -sC which is equal to --script=default. We can choose different categories from the table below with this flag. Or even specific scripts with --script "SCRIPT-NAME"
| Script Category | Description |
|---|---|
| auth | Authentication related scripts |
| broadcast | Discover hosts by sending broadcast messages |
| brute | Performs brute-force password auditing against logins |
| default | Default scripts, same as -sC |
| discovery | Retrieve accessible information, such as database tables and DNS names |
| dos | Detects servers vulnerable to Denial of Service (DoS) |
| exploit | Attempts to exploit various vulnerable services |
| external | Checks using a third-party service, such as Geoplugin and Virustotal |
| fuzzer | Launch fuzzing attacks |
| intrusive | Intrusive scripts such as brute-force attacks and exploitation |
| malware | Scans for backdoors |
| safe | Safe scripts that won’t crash the target |
| version | Retrieve service versions |
| vuln | Checks for vulnerabilities or exploit vulnerable services |
Answer the questions below
Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for? disallowed entries
Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE2015-2015-1635)? http-vuln-cve2015-1635
Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against 10.10.101.238. You will notice that there is a service listening on port 53. What is its full version value? 9.9.5-9+deb8u19-Debian
Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by 10.10.101.238? diffie-hellman-group14-sha1
Task 5 - Saving the Output
The three main formats are:
- Normal
-oN FILENAME - Grepable (grepable)
-oG FILENAME - XML
-oX FILENAME
Answer the questions below
Terminate the target machine of the previous task and start the target machine for this task. On the AttackBox terminal, issue the command scp pentester@MACHINE_IP:/home/pentester/* . to download the Nmap reports in normal and grepable formats from the target virtual machine.
Note that the username pentester has the password THM17577
Check the attached Nmap logs. How many systems are listening on the HTTPS port? cat scan_172_17_network.gnmap | grep https there are 3
What is the IP address of the system listening on port 8089? cat scan_172_17_network.gnmap | grep 8089 172.17.20.147
Task 6 - Summary
Familiarized ourselves with Nmap. Here is a list of options/flags we learned to use.
| Option | Meaning |
|---|---|
| -sV | determine service/version info on open ports |
| -sV –version-light | try the most likely probes (2) |
| -sV –version-all | try all available probes (9) |
| -O | detect OS |
| –traceroute | run traceroute to target |
| –script=SCRIPTS | Nmap scripts to run |
| -sC or –script=default | run default scripts |
| -A | equivalent to -sV -O -sC –traceroute |
| -oN | save output in normal format |
| -oG | save output in grepable format |
| -oX | save output in XML format |
| -oA | save output in normal, XML and Grepable formats |