💡 Этот учебник переведен с английского с помощью ИИ. Чтобы просмотреть оригинал, вы можете перейти на английский оригинал
Nmap (Network Mapper) is a fundamental tool in network security and administration. This lab introduces you to Nmap scanning flags, which enable you to perform effective network reconnaissance and vulnerability assessment. Through hands-on practice, you will learn how to use various Nmap commands to discover hosts, scan ports, and identify services on a network. These skills are essential for network administrators and security professionals to maintain secure network environments.
Nmap is not pre-installed on most systems, so our first step is to install it. Open a terminal in your LabEx environment and run the following commands:
sudo apt update
sudo apt install nmap -yAfter installation completes, verify that Nmap is installed correctly by checking its version:
nmap --versionYou should see output similar to this:
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll selectNmap works by sending specially crafted packets to target hosts and analyzing the responses. This helps determine:
The basic syntax of an Nmap command is:
nmap [scan type] [options] targetWhere:
[scan type] specifies the type of scan to perform[options] are additional parameters to customize the scantarget is the IP address, hostname, or IP range to scanLet's start with a simple scan of your own machine (localhost). Run:
nmap localhostThis command scans the most common 1000 TCP ports on your local machine. The output will look similar to:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.11 secondsThe output shows:
Let's analyze the output:
PORT: Shows the port number and protocol (e.g., 22/tcp)STATE: Indicates if the port is open, closed, or filteredSERVICE: Shows the service typically associated with that portThe most common port states are:
open: The port is accepting connectionsclosed: The port is accessible but no application is listening on itfiltered: Nmap cannot determine if the port is open because packet filtering is blocking its probesTo scan a specific port, use the -p flag followed by the port number:
nmap -p 22 localhostThe output will be focused on just port 22:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.01 secondsYou can scan a range of ports using a hyphen:
nmap -p 20-25 localhostThis scans ports 20 through 25:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
24/tcp closed priv-mail
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.03 secondsNow you have learned how to install Nmap and perform basic port scanning. In the next step, we will explore more advanced scanning techniques using various Nmap flags.
Now that you understand the basics of Nmap, let's explore some essential scanning flags that will give you more control and information from your scans.
The TCP SYN scan is the default scan type when run as root. It's often called a "half-open" scan because it never completes TCP connections. It's relatively stealthy and quick.
Let's run a SYN scan on localhost:
sudo nmap -sS localhostThe output will look similar to:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.10 secondsThe TCP Connect scan is the default scan when Nmap is not run with root privileges. It completes the full TCP handshake, making it more detectable but also more reliable in some cases.
nmap -sT localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.15 secondsThe version detection flag tells Nmap to try to determine the version of services running on open ports:
nmap -sV localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 6.41 secondsNotice how the output now includes detailed version information for each service. This is extremely valuable for security assessments as certain versions may have known vulnerabilities.
The OS detection flag attempts to determine the operating system of the target:
sudo nmap -O localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.57 secondsNotice that Nmap has detected that the system is running Linux kernel version 4.X or 5.X.
You can combine multiple flags to get more comprehensive results. For example, let's combine service version detection and OS detection:
sudo nmap -sV -O localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.23 secondsThe aggressive scan flag combines several scanning options including OS detection, version detection, script scanning, and traceroute:
sudo nmap -A localhostOutput (truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolOld, IgnoreSigpipes, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, ConnectWithDatabase, LongPassword, InteractiveClient, SwitchToSSLAfterHandshake, ODBCClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsTransactions, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: \x14\x12\x1Fjw\x182\x15\x0D\x12\x13C\x1F\x14\x0D\x07
|_ Auth Plugin Name: caching_sha2_password
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.12 secondsNotice the significant amount of additional information provided by the aggressive scan, including SSH key information, HTTP server details, and more detailed MySQL service information.
In this step, you've learned about several essential Nmap scanning flags and how to combine them for more comprehensive results. In the next step, we will explore practical scanning strategies for different scenarios.
In this step, we will learn about network scanning strategies and how to control the timing and performance of Nmap scans. This is crucial when scanning larger networks or when you need to be more discreet.
Nmap can scan multiple hosts in various ways:
You can specify multiple IP addresses separated by spaces:
nmap 127.0.0.1 127.0.0.2You can scan a range of IP addresses using the CIDR notation:
nmap 127.0.0.1/30This command scans 127.0.0.0 through 127.0.0.3. The output will show:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap scan report for 127.0.0.2
Host is up (0.00015s latency).
All 1000 scanned ports on 127.0.0.2 are closed
Nmap scan report for 127.0.0.3
Host is up (0.00013s latency).
All 1000 scanned ports on 127.0.0.3 are closed
Nmap done: 4 IP addresses (3 hosts up) scanned in 0.92 secondsSometimes you just want to know which hosts are online without scanning ports. The ping scan is perfect for this:
nmap -sn 127.0.0.1/24This command will scan the entire 127.0.0.1/24 subnet but will only perform host discovery without port scanning. Due to output length, we'll just show a snippet:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00013s latency).
Nmap scan report for 127.0.0.3
Host is up (0.00014s latency).
...
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.34 secondsSometimes firewalls block ping requests. To bypass this and scan all hosts regardless of ping responses, use the -Pn flag:
nmap -Pn localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:45 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.12 secondsNmap provides several timing templates that adjust various scanning parameters:
-T0: Paranoid - Very slow, used for IDS evasion-T1: Sneaky - Slow, used for IDS evasion-T2: Polite - Slows down to consume less bandwidth-T3: Normal - Default, balances speed with reliability-T4: Aggressive - Faster, assumes a reasonably fast and reliable network-T5: Insane - Very fast, assumes an extremely fast networkLet's try an aggressive scan:
nmap -T4 localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.09 secondsNotice that the scan completed slightly faster than the default scan.
Nmap can save scan results in various formats for later analysis or reporting:
Save the scan results in a normal format to a file:
nmap -oN scan_results.txt localhostThis command saves the scan output to scan_results.txt in the current directory.
Save the scan results in XML format, which is useful for parsing with other tools:
nmap -oX scan_results.xml localhostSave the scan results in all formats (normal, XML, and grepable):
nmap -oA scan_results localhostThis creates three files: scan_results.nmap, scan_results.xml, and scan_results.gnmap.
Let's examine the contents of the normal output file:
cat scan_results.txtOutput:
## Nmap 7.80 scan initiated Thu Sep 14 16:55:23 2023 as: nmap -oN scan_results.txt localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
## Nmap done at Thu Sep 14 16:55:23 2023 -- 1 IP address (1 host up) scanned in 0.12 secondsLet's combine what we've learned to create a practical scanning strategy for a comprehensive scan:
sudo nmap -sS -sV -O -T4 -oA comprehensive_scan localhostThis command:
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 secondsNow you can view the comprehensive scan results in any of the output files:
ls comprehensive_scan.*Output:
comprehensive_scan.gnmap comprehensive_scan.nmap comprehensive_scan.xmlRemember that network scanning should only be performed on networks you own or have explicit permission to scan. Unauthorized scanning can be:
In this lab environment, we've only scanned localhost, which is always permissible as it's your own system.
You have now learned about different network scanning strategies, timing controls, and output formats. You have all the foundational knowledge needed to perform effective network reconnaissance using Nmap.
In this step, we will explore Nmap's powerful scripting engine (NSE) and learn how to perform targeted service analysis. NSE scripts extend Nmap's functionality by enabling more detailed scans for specific services and vulnerabilities.
The Nmap Scripting Engine allows users to write and share scripts to automate a variety of networking tasks. Nmap comes with hundreds of pre-written scripts categorized into various groups:
auth: Authentication related scriptsdefault: Scripts run by default with -sCdiscovery: Host and service discoveryexploit: Attempt to exploit vulnerabilitiesmalware: Detect malware and backdoorssafe: Safe, non-intrusive scriptsvuln: Vulnerability detection scriptsThe -sC flag runs the default set of scripts, which are generally safe and provide useful information:
nmap -sC localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 3.42 secondsNotice how the scripts have provided additional information about each service, like SSH host keys and HTTP page titles.
You can run specific scripts using the --script flag followed by the script name or category:
nmap --script=http-title localhostThis runs only the http-title script, which retrieves the title of HTTP pages:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.68 secondsYou can run all scripts in a specific category:
nmap --script=discovery localhostThis runs all discovery scripts, which can provide a wealth of information about network services (output truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
| cups-info:
| CUPS Server:
| Server: CUPS/2.3 IPP/2.1
|_ Authentication-Method: Basic
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 15
| Capabilities flags: 65535
| Some Capabilities: ConnectWithDatabase, SupportsLoadDataLocal, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, ODBCClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolNew, SupportsMultipleStatments, LongPassword, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x7FeL)\x0C\x5C#S\x06N%\x1E\x7EYaC
|_ Auth Plugin Name: caching_sha2_password
Nmap done: 1 IP address (1 host up) scanned in 5.28 secondsFor the most comprehensive results, combine script scanning with service detection:
nmap -sV -sC localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 secondsLet's focus on analyzing specific services in more detail.
To analyze HTTP services in detail, we can use the http-* scripts:
nmap --script="http-*" -p 80 localhostThis runs all HTTP-related scripts against port 80:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
80/tcp open http
|_http-chrono: Request times for /; avg: 32.68ms; min: 32.68ms; max: 32.68ms
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Thu, 14 Sep 2023 17:30:24 GMT; +6s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
|_http-feed: Couldn't find any feeds.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-generator: Couldn't find any generator in the HTML headers and body
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-security-headers:
| http-server-header:
| Apache/2.4.41
|_ Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-traceroute: ERROR: Script execution failed (use -d to debug)
|_http-useragent-tester:
|_http-xssed: No previously reported XSS vuln.
Nmap done: 1 IP address (1 host up) scanned in 2.31 secondsSimilarly, we can analyze SSH services:
nmap --script="ssh-*" -p 22 localhostOutput:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
|_ssh-run: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.26 secondsNmap includes scripts that can detect potential vulnerabilities. Using the vuln category can help identify security issues:
nmap --script=vuln localhostThis can take some time as it runs various vulnerability checks. Output might look like:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 87.28 secondsIn this case, Nmap has identified that the Apache web server might be vulnerable to a Slowloris DoS attack. This information can be valuable for securing your systems.
Now, let's combine everything we've learned to create a comprehensive security report:
sudo nmap -sS -sV -O -sC --script=vuln -T4 -oA comprehensive_security_report localhostThis command:
The output will be comprehensive and might take some time to complete. Once finished, you'll have a detailed security report in various formats (normal, XML, and grepable) that you can reference for security analysis.
In this step, you've learned how to use Nmap's scripting engine to gather detailed information about services and detect potential vulnerabilities. These advanced techniques are essential for comprehensive network security assessments.
In this lab, you have learned the fundamentals of using Nmap for network reconnaissance and security assessment. You now understand:
These skills form a foundation for network security assessments and are essential for cybersecurity professionals. Remember to always use these techniques responsibly and only on networks you have permission to scan.
As you continue your cybersecurity journey, consider exploring more advanced Nmap features such as custom NSE script development, firewall evasion techniques, and integration with other security tools. Regular practice with Nmap will help you become more proficient in identifying potential security issues in network environments.
