Tuesday, August 27, 2013

As you know Nmap is a free security scanner. It is an open source project and it can be installed in the majority of the operating systems like Redhat Linux, Microsoft Windows, UNIX, FreeBSD, etc...

Some days ago, Fyodor published here that a new Nmap version has been released. The most important changes of Nmap 6.40 since 6.25 are:

  • Added 91 new fingerprints bringing the new to 4.118.
  • Their signatures have been increased from 273 to 8.979.
  • The tool stills detect 897 popular protocols like http, ssh, smpt, snmp, imap, pop3 or another not too popular like gopher-proxy, airdroid, enemyterritory...
  • Some IPv6 OS fingerprints added.
  • [Nsock] Added initial proxy support to Nsock.
  • Added 14 NSE scripts with a total 446.
  • Now we have the option to mix IPv4 range notation with CIDR netmasks. For example 192.168-1.4-100,200.7/24
  • Timeout script-args are now standardized to use the timespec (30s, 900ms, 20h, etc.)
  • [Ncat] Added --lua-exec. This feature allows us to run Lua scripts with Ncat.
  • ...

In my opinion, Nmap is the best network security scanner. Their scripts are really useful and it's a great news to hear about they have released 14 new ones. 

These are the last scripts released:
  • hostmap-ip2hosts
  • http-adobe-coldfusion-apsa1301
  • http-coldfusion-subzero
  • http-comments-displayer
  • http-fileupload-exploiter
  • http-phpmyadmin-dir-traversal
  • http-stored-xss
  • http-vuln-cve2013-0156
  • ike-version
  • murmur-version
  • mysql-enum
  • teamspeak2-version
  • ventrilo-info

You can install this version with the commands below:
wget http://nmap.org/dist/nmap-6.40.tar.bz2
bzip2 -cd nmap-6.40.tar.bz2 | tar xvf -
cd nmap-6.40
sudo make install

You can check out if you are running the last version with this command:
jnieto@behindthefirewalls.com:~/nmap-6.40/scripts$ nmap -V
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.1c libpcre-8.31 nmap-libpcap-1.2.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Now, I'm going to show you some examples in order to work with some interesting scripts.

The hostmap-ip2hosts.nse script is really useful. We can get all domain names behind the same IP.
nmap --script hostmap-ip2hosts.nse -sn -Pn behindthefirewalls.com

With the hostmap-robtex we can get the same information we got before but now using Robtex.com. I talked about this website in the post: Finding All Websites Hosted Behind same IP
nmap --script=hostmap-robtex.nse -sn -Pn linkedin.com

With the command below, you can get all user registered in the majority of the Drupal installations, even the drupal.org site. As I wrote some months ago in Stealing Drupal Users we can get the Drupal users using the web browser... Thanks to Nmap we can automate this process.

Drupal does not recognize this problem as a vulnerability. They know it is easier to make a brute force login if a hacker knows the users...
nmap --script=http-drupal-enum-users drupal.org -p 80,443 -Pn

With the next scripts, we can detect if some organization has installed a Web Application Firewall (WAF) in his infrastructure.
nmap --script=http-waf-detect.nse www.toyota.jp -p 80 -Pn

With the whois.nse script, we can get the contact details and the network range of a certain company.
nmap --script=whois.nse www.facebook.com -p 80 -Pn

With smb-check-vulns.nse you can check for these vulnerabilities in your private network:
  • MS08-067, a Windows RPC vulnerability.
  • Conficker, an infection by the Conficker worm.
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000.
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497).
  • MS06-025, a Windows Ras RPC service vulnerabilityMS07-029, a Windows Dns Server RPC service vulnerability.
sudo nmap -sU -sS --script smb-check-vulns.nse --script-args=unsafe=1 -p U:137,T:139

Also, Nmap has a lot of scripts in order to detect computers with some weakness in our network. You can try with some of these.

  • afp-path-vuln.nse
  • ftp-vuln-cve2010-4221.nse
  • http-huawei-hg5xx-vuln.nse
  • http-iis-webdav-vuln.nse
  • http-vmware-path-vuln.nse
  • http-vuln-cve2009-3960.nse
  • http-vuln-cve2010-0738.nse
  • http-vuln-cve2010-2861.nse
  • http-vuln-cve2011-3192.nse
  • http-vuln-cve2011-3368.nse
  • http-vuln-cve2012-1823.nse
  • http-vuln-cve2013-0156.nse
  • mysql-vuln-cve2012-2122.nse
  • rdp-vuln-ms12-020.nse
  • rmi-vuln-classloader.nse
  • samba-vuln-cve-2012-1182.nse
  • smb-check-vulns.nse
  • smb-vuln-ms10-054.nse
  • smb-vuln-ms10-061.nse
  • smtp-vuln-cve2010-4344.nse
  • smtp-vuln-cve2011-1720.nse
  • smtp-vuln-cve2011-1764.nse

Posted on Tuesday, August 27, 2013 by Javier Nieto

No comments

Saturday, August 10, 2013

Currently, we can check that many manufacturers of security appliances are writing books "for dummies".  You can get them for free and you can download them in this post.

Notice these books are free because they want to sell you their products, obviously... But many of them are really interesting because they show you how working the Next Generation Firewalls, how the Modern Malware is evolutioning, how we can avoid attacks like Distributed Denials of Firewalls, etc...

I've created a recopilation of many of them...

Click on the pictures to download the books.  If some links are broken, please tell me.

Definitive Guide to Next-Generation Threat Protection FireEye

Intrusion Prevention Systems For Dummies Sourcefire

Oficial link

Modern Malware for Dummies by PaloAlto Networks

Oficial link

Next Generation Firewalls for Dummies by Palo Alto  Networks

Oficial link

UTM for Dummies by Fortinet

DDOS for dummies by Corero

Oficial link

Network Security in Virtualized Data Centers by PaloAlto Networks

Oficial link

Posted on Saturday, August 10, 2013 by Javier Nieto

No comments