As you know Nmap is a free security
scanner. It is an open source project and it can be installed in the majority
of the operating systems like Redhat Linux, Microsoft Windows, UNIX,
FreeBSD, etc...
Some days ago, Fyodor published here that a new Nmap version has been released. The most important changes of
Nmap 6.40 since 6.25 are:
- Added 91 new fingerprints bringing the new to 4.118.
- Their signatures have been increased from 273 to 8.979.
- The tool stills detect 897 popular protocols like http, ssh, smpt, snmp, imap, pop3 or another not too popular like gopher-proxy, airdroid, enemyterritory...
- Some IPv6 OS fingerprints added.
- [Nsock] Added initial proxy support to Nsock.
- Added 14 NSE scripts with a total 446.
- Now we have the option to mix IPv4 range notation with CIDR netmasks. For example 192.168-1.4-100,200.7/24
- Timeout script-args are now standardized to use the timespec (30s, 900ms, 20h, etc.)
- [Ncat] Added --lua-exec. This feature allows us to run Lua scripts with Ncat.
- ...
In my opinion, Nmap is the best network
security scanner. Their scripts are really useful and it's a great
news to hear about they have released 14 new ones.
These are the last
scripts released:
- http-adobe-coldfusion-apsa1301
- http-coldfusion-subzero
- http-comments-displayer
- http-fileupload-exploiter
- http-phpmyadmin-dir-traversal
- http-stored-xss
- http-vuln-cve2013-0156
- ike-version
- murmur-version
- mysql-enum
- teamspeak2-version
- ventrilo-info
You can install this version with the commands below:
wget http://nmap.org/dist/nmap-6.40.tar.bz2 bzip2 -cd nmap-6.40.tar.bz2 | tar xvf - cd nmap-6.40 ./configure make sudo make install
You can check out if you are running the last version with this command:
jnieto@behindthefirewalls.com:~/nmap-6.40/scripts$ nmap -V Nmap version 6.40 ( http://nmap.org ) Platform: x86_64-unknown-linux-gnu Compiled with: nmap-liblua-5.2.2 openssl-1.0.1c libpcre-8.31 nmap-libpcap-1.2.1 nmap-libdnet-1.12 ipv6 Compiled without: Available nsock engines: epoll poll select
Now, I'm going to show you some examples in order to work with some interesting scripts.
The hostmap-ip2hosts.nse script is really useful. We can get all domain names behind the same IP.
nmap --script hostmap-ip2hosts.nse -sn -Pn behindthefirewalls.com
With the hostmap-robtex we can get the same information we got before but now using Robtex.com. I talked about this website in the post: Finding All Websites Hosted Behind same IP
nmap --script=hostmap-robtex.nse -sn -Pn linkedin.com
With the command below, you can get all user registered in the majority of the Drupal installations, even the drupal.org site. As I wrote some months ago in Stealing Drupal Users we can get the Drupal users using the web browser... Thanks to Nmap we can automate this process.
Drupal does not recognize this problem as a vulnerability. They know it is easier to make a brute force login if a hacker knows the users...
nmap --script=http-drupal-enum-users drupal.org -p 80,443 -Pn
With the next scripts, we can detect if some organization has installed a Web Application Firewall (WAF) in his infrastructure.
nmap --script=http-waf-detect.nse www.toyota.jp -p 80 -Pn
With the whois.nse script, we can get the contact details and the network range of a certain company.
nmap --script=whois.nse www.facebook.com -p 80 -PnWith smb-check-vulns.nse you can check for these vulnerabilities in your private network:
- MS08-067, a Windows RPC vulnerability.
- Conficker, an infection by the Conficker worm.
- Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000.
- SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497).
- MS06-025, a Windows Ras RPC service vulnerabilityMS07-029, a Windows Dns Server RPC service vulnerability.
sudo nmap -sU -sS --script smb-check-vulns.nse --script-args=unsafe=1 -p U:137,T:139 161.111.80.0/24
Also, Nmap has a lot of scripts in order to detect computers with some weakness in our network. You can try with some of these.
- afp-path-vuln.nse
- ftp-vuln-cve2010-4221.nse
- http-huawei-hg5xx-vuln.nse
- http-iis-webdav-vuln.nse
- http-vmware-path-vuln.nse
- http-vuln-cve2009-3960.nse
- http-vuln-cve2010-0738.nse
- http-vuln-cve2010-2861.nse
- http-vuln-cve2011-3192.nse
- http-vuln-cve2011-3368.nse
- http-vuln-cve2012-1823.nse
- http-vuln-cve2013-0156.nse
- mysql-vuln-cve2012-2122.nse
- rdp-vuln-ms12-020.nse
- rmi-vuln-classloader.nse
- samba-vuln-cve-2012-1182.nse
- smb-check-vulns.nse
- smb-vuln-ms10-054.nse
- smb-vuln-ms10-061.nse
- smtp-vuln-cve2010-4344.nse
- smtp-vuln-cve2011-1720.nse
- smtp-vuln-cve2011-1764.nse