Nmap and Nikto 101 at Null

Post on 03-Mar-2017


Transcript of Nmap and Nikto 101 at Null

Nmap and Nikto 101

Ramnath

About me
• Ramnath Shenoy
• FireEye – Engineering
• OSCP
• Interests – Windows Internals and Web Applications. Path to OSCE!

• @ramnathsk
• https://in.linkedin.com/in/ramnathshenoyk

Agenda
• Introduction to Nmap.
• Basic scanning techniques.
• Enumeration and vulnerability detection.
• Nmap demo
• Introduction to Nikto.
• Basic scanning techniques (various switches)
• Nikto demo

Nmap
• Network Mapper - utility used to identify assets and map them in a network.
• https://github.com/nmap/nmap (current release is 7.40; a 19-year-old project that is still active)

Why Nmap
• How does Nmap,.. Nmap?

[Slide diagram: four hosts (192.168.56.100, 192.168.56.145, 192.168.56.45, 192.168.56.14) with the ports found on them (80, 3128, 8080; 443, 22; 138, 139, 445; 443)]

• Perhaps I can ping sweep?
• What if someone has a FW enabled?
• How to know which IPs are alive?
• There are only 65535 (ports) * 2 (TCP & UDP) * 24 (if class C)

Nmap Switches: Discovery
nmap <options> <scan type> <target>
• options
• Host discovery
• -sn: Ping Scan - disable port scan
• -Pn: Treat all hosts as online -- skip host discovery
• -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
• --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
• --system-dns: Use OS's DNS resolver
• Target Specification
• -iL <inputfilename>: Input from list of hosts/networks
• -iR <num hosts>: Choose random targets
• --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
• --excludefile <exclude_file>: Exclude list from file

Nmap Scanning techniques
• -sP (Ping Sweep) – Performs an ARP ping and an ICMP echo request to determine whether a system is alive.
• -sS (SYN Scan) – Determines whether a system/port is alive by sending only a SYN and waiting for a SYN-ACK.
• -sT (TCP Scan) – Determines whether a system/port is alive by completing the 3-way handshake (SYN; SYN+ACK; ACK).
• -sF (FIN Scan) – Determines whether a system/port is alive by sending a FIN and waiting for an ACK.
• -sU (UDP Scan) – Probes UDP; detects whether a system/port is alive when there is a UDP response or an ICMP Destination Unreachable packet.

Nmap port "Status" - Open
• Open - the SYN reached the end system; the victim responded with SYN+ACK and the handshake completes.

nmap -n -sT -p 80 192.168.56.104

Nmap port "Status" - Closed
• Closed - the SYN reached the end system, which responded with RST+ACK. The system is accessible, but the service is not open on the victim.

nmap -n -sT -p 22 192.168.56.104

Nmap port "Status" - Filtered
• Filtered – observed when a port does not respond on repeated tries.

nmap -n -sT -p 445 192.168.56.105

Why Service Enumeration?
• Port is open,..
• People run web servers on port 999!
• Is it running the Apache web service? About 33 % of www servers run on it.
• I need banners, and to identify what they are!
• I need the operating system type!
• I need vulns!

Nmap – Service Version and Enumeration!
• The nmap-services database is constantly updated with services, fingerprinting and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine scripts (.nse files) to identify and enumerate the service that was detected earlier.
• -sC – runs the "default" set of ~200 Nmap Script Engine scripts (.nse files) to identify and enumerate the services and report the vulnerabilities identified. Optionally, the --script option can be used.

Nmap service Enumeration!
• The difference between the two in action

Regular TCP scan

TCP scan with Version

-sT + -sV = -sTV

Nmap service Enumeration! - 2
• -sV under the hood!

NSE – What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated version detection and OS detection. Example: smb-os-discovery.nse, http-cisco-anyconnect.nse …
• Vulnerability detection. Example: tls-ticketbleed.nse, sslv2-drown.nse, ..
• Malware detection. Example: http-google-malware.nse ..
• Vulnerability exploitation. Example: smb-psexec.nse, ..

NSE – what? where?
• -sC and --script use NSE. There is a default set launched when no option is given: https://nmap.org/nsedoc/categories/default.html

Nmap Enumeration technique

Notice how the service is not "shell", even though the banner shows a shell.

Nmap Enumeration technique

So you need to use -sTV along with it to grab the version.

Nmap Scanning strategy

nmap --exclude 192.168.56.103 -sS -p 80 192.168.56.0/24 (sample - horizontal scan)
nmap -sS -p1-6000,27017-27019 192.168.56.102 (sample - vertical scan)

[Slide diagram: hosts 192.168.56.102, 192.168.56.103, 192.168.56.104 and 192.168.56.105 in columns; TCP 80 is open on all four, and TCP 22, 443, 445, 1524, 8080 and 9999 are open on one or two of them]

Nmap Output Formatting
• Greppable
• Regular text
• XML
• Ndiff – a scan done earlier, non-compliant ports closed, and re-validation

Three ports closed
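The Ndiff slide compares an earlier scan against a re-validation run after the non-compliant ports were closed. As an added example (not from the talk), the script below performs that comparison over two greppable (-oG) outputs; the -oG lines, the host 192.168.56.102 and its ports are constructed samples, and the Ndiff-style output shows the three ports that went from open to closed.

```python
"""Ndiff-style re-validation check over two Nmap greppable (-oG) outputs."""
import re
from typing import Dict, List, Tuple
# Constructed -oG output from the earlier scan, before the non-compliant ports were closed.
BEFORE = """\
# Nmap 7.40 scan initiated as: nmap -sS -p1-6000 -oG before.gnmap 192.168.56.102
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 1524/open/tcp//ingreslock///, 8080/open/tcp//http-proxy///\tIgnored State: closed (5995)
"""
# Constructed -oG output from the re-validation scan.
AFTER = """\
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/closed/tcp//microsoft-ds///, 1524/closed/tcp//ingreslock///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (5995)
"""
# One -oG port entry looks like "445/open/tcp//microsoft-ds///".
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")

def parse_gnmap(text: str) -> Dict[str, Dict[Tuple[int, str], str]]:
    """Map each host in -oG output to {(port, proto): state}."""
    hosts: Dict[str, Dict[Tuple[int, str], str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment and 'Status:' lines carry no port data
        ip = line.split()[1]
        # Fields are tab-separated; drop the trailing 'Ignored State:' field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        states = hosts.setdefault(ip, {})
        for port, state, proto in PORT_RE.findall(ports_field):
            states[(int(port), proto)] = state
    return hosts

def diff_scans(before, after) -> List[Tuple[str, int, str, str, str]]:
    """Return (host, port, proto, old_state, new_state) for every port whose state changed."""
    changes = []
    for ip in sorted(set(before) | set(after)):
        old, new = before.get(ip, {}), after.get(ip, {})
        for port, proto in sorted(set(old) | set(new)):
            o, n = old.get((port, proto), "absent"), new.get((port, proto), "absent")
            if o != n:
                changes.append((ip, port, proto, o, n))
    return changes

def closed_since(before_text: str, after_text: str) -> List[Tuple[str, int, str, str, str]]:
    """Ports open in the earlier scan that are no longer open: the remediation check."""
    return [c for c in diff_scans(parse_gnmap(before_text), parse_gnmap(after_text))
            if c[3] == "open" and c[4] != "open"]

if __name__ == "__main__":
    for ip, port, proto, old, new in diff_scans(parse_gnmap(BEFORE), parse_gnmap(AFTER)):
        print(f"{ip} {port}/{proto}: {old} -> {new}")  # one line per changed port
```

Run the same check on real files by reading two -oG outputs into the BEFORE and AFTER strings; a port that was expected to be closed but still shows as open appears with old_state "open" and new_state "open" absent from closed_since(), which is the re-validation failure to look for.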

Nmap – Demo, Stage 1
• Run-time interaction
• While running -> nmap -sT 192.168.56.102
• Press ? -> v (verbosity) -> d (debug) -> p (packet tracing), arrows (how long?)
• Shift + option (v, d, p) to disable this

Nikto

Nikto
• Sponsored by Netsparker
• Written by Chris Sullo and David Lodge
• Language – Perl, needs SSL libraries
• https://github.com/sullo/nikto
• Current version is -> 2.1.6

Why Nikto?
• Web application vulnerability scanner.
• Default paths and CGI installs on Commercial Off The Shelf (COTS) applications.
• Version detection of COTS and reporting of vulnerabilities.
• Tune and run only a specific vulnerability type on a set of servers.
• Misconfigurations and insecure data leakage in headers.
• Command line only

Nikto Basics
• Nikto has two help options, "nikto" and "-H" (extensive information)

Nikto Scanning Techniques
• Nikto scanning techniques

nikto -host http://192.168.56.102
nikto -h http://192.168.56.102
nikto -host 192.168.56.102 -port 443
nikto -host https://192.168.56.102

• Nikto scanning from a list of hosts
nikto -host hosts.txt -port 8080

• Nikto scan only from this root directory
nikto -host http://192.168.56.102 -root /admin/

Nikto Output

Nikto –Output 2

Nikto Tuning Options
nikto -Tuning 1 -host 192.168.56.102 -port 80,443,8080

Nikto –Tuning example

Nikto Output formatting
• nikto -o /path/file -Format htm -host 192.168.56.102 -port 80,443,8080
• nikto -output /path/file.htm -host 192.168.56.102 -port 80,443,8080

Nikto Run-Time Debugging
• Space
• v - verbose, d - debug, P - pause and N - next host

Nikto Demo 2

Thanks!