NMAP - danielcastropalomares/security GitHub Wiki
To scan all ports quickly:
nmap -p- x.x.x.x
NMAP && metasploit
nmap -sV x.x.x.x -oX result.xml
searchsploit -x --nmap result.xml
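As an added example (not part of this wiki), a small Python parser for the result.xml that -oX produces: it lists the open ports with product/version and the CPE strings nmap attaches to each version-detected service, which is the same field the vulners script keys its CVE lookups on. The XML below is a constructed sample in nmap's format, not the page's actual scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output (not the scan from the page).
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.70"><host>
<address addr="172.31.255.136" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="6.7p1 Debian 5+deb8u4">
  <cpe>cpe:/a:openbsd:openssh:6.7p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="Apache httpd" version="2.4.10"><cpe>cpe:/a:apache:http_server:2.4.10</cpe></service></port>
<port protocol="tcp" portid="111"><state state="closed"/><service name="rpcbind"/></port>
</ports></host></nmaprun>"""


def parse_open_services(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version, cpes."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for a CVE lookup
            svc = port.find("service")
            results.append({
                "host": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # Version detection attaches <cpe> children; the application
                # entries (cpe:/a:...) are what vulners matches against.
                "cpes": [c.text for c in svc.iter("cpe")] if svc is not None else [],
            })
    return results


def application_cpes(xml_text):
    """Sorted, de-duplicated cpe:/a: strings across all open ports."""
    return sorted({c for r in parse_open_services(xml_text)
                   for c in r["cpes"] if c.startswith("cpe:/a:")})


if __name__ == "__main__":
    for r in parse_open_services(SAMPLE_XML):
        print(r)
    print(application_cpes(SAMPLE_XML))
```

To use it on a real scan, read result.xml into a string and pass it to parse_open_services.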
SCRIPTS
We can list all the scripts in the following directory:
ls /usr/share/nmap/scripts/
For example, we can use ssh-auth-methods:
nmap --script=ssh-auth-methods 172.31.255.136
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 20:29 CET
Nmap scan report for 172.31.255.136
Host is up (0.00024s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
80/tcp open http
111/tcp open rpcbind
MAC Address: 08:00:27:8A:1E:36 (Oracle VirtualBox virtual NIC)
With either of these options we run the default, less intrusive NSE scripts against the open ports:
root@kali:~# nmap -A 172.31.255.136
root@kali:~# nmap -sC 172.31.255.136
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 20:32 CET
Nmap scan report for 172.31.255.136
Host is up (0.00049s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 47325/udp status
|_ 100024 1 51812/tcp status
MAC Address: 08:00:27:8A:1E:36 (Oracle VirtualBox virtual NIC)
Now, what we may want to know is which vulnerabilities this service has. For that we can use the vuln script category. It even reports the possible SQL injection queries:
root@kali:~# nmap -Pn --script vuln 172.31.255.136
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 20:43 CET
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 172.31.255.136
Host is up (0.000064s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin/: Possible admin folder
| /mail/: Mail folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /manual/: Potentially interesting folder
|_ /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-sql-injection:
| Possible sqli for queries:
| http://172.31.255.136:80/vendor/bootstrap/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://172.31.255.136:80/vendor/bootstrap/js/?C=N%3bO%3dD%27%20OR%20sqlspider
But in this case SSH is vulnerable to user enumeration and the vuln category does not detect it. Let's install scripts that query CVE databases:
cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git
git clone https://github.com/scipag/vulscan.git
To keep the CSV files up to date, run the following script:
chmod +x /usr/share/nmap/scripts/vulscan/utilities/updater/updateFiles.sh
cd /usr/share/nmap/scripts/vulscan/utilities/updater/
./updateFiles.sh
Now, if we run both scripts, the affecting vulnerability shows up:
root@kali:~# nmap --script vulscan,nmap-vulners --script-args vulscandb=scipvuldb.csv -sV 172.31.255.136
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 21:38 CET
Nmap scan report for 172.31.255.136
Host is up (0.00021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:6.7p1:
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
| CVE-2016-0778 4.6 https://vulners.com/cve/CVE-2016-0778
|_ CVE-2016-0777 4.0 https://vulners.com/cve/CVE-2016-0777
| vulscan: scipvuldb.csv:
| [76870] OpenSSH up to 6.9 auth2-chall.c kbdint_next_device privilege escalation
| [76326] OpenSSH 6.8 XSECURITY privilege escalation
| [12724] OpenSSH up to 6.6 Fingerprint Record Check sshconnect.c verify_host_key HostCertificate weak authentication
| [12683] OpenBSD OpenSSH up to 6.5 Configuration child_set_env Wildcard privilege escalation
| [12124] OpenSSH 6.4 J-PAKE Protocol schnorr.c hash_buffer denial of service
| [11124] OpenSSH 6.2/6.3 Post Authentication sshd process initialize mm_newkeys_from_blob privilege escalation
|
|_
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
| vulners:
| cpe:/a:apache:http_server:2.4.10:
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2014-3583 5.0 https://vulners.com/cve/CVE-2014-3583
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
| vulscan: scipvuldb.csv:
| [68575] Apache HTTP Server up to 2.4.10 LuaAuthzProvider mod_lua.c privilege escalation
| [68435] Apache HTTP Server 2.4.10 mod_proxy_fcgi.c handle_headers denial of service
| [88747] Apache HTTP Server 2.4.17/2.4.18 mod_http2 denial of service
| [76731] Apache HTTP Server 2.4.12 ErrorDocument 400 Crash denial of service
| [74367] Apache HTTP Server up to 2.4.12 mod_lua lua_request.c wsupgrade denial of service
| [13300] Apache HTTP Server 2.4.1/2.4.2 mod_wsgi setuid() privilege escalation
| [13299] Apache HTTP Server 2.4.1/2.4.2 mod_wsgi Content-Type Header information disclosure
|
Remember that we can query the different databases:
root@kali:/usr/share/nmap/scripts/vulscan# ls -liath /usr/share/nmap/scripts/vulscan/*.csv
922033 -rw-r--r-- 1 root root 4.4M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/xforce.csv
922028 -rw-r--r-- 1 root root 1.8M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/securitytracker.csv
922027 -rw-r--r-- 1 root root 6.9M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/securityfocus.csv
922026 -rw-r--r-- 1 root root 6.5M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/scipvuldb.csv
922025 -rw-r--r-- 1 root root 6.5M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/osvdb.csv
922024 -rw-r--r-- 1 root root 1.5M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/openvas.csv
922023 -rw-r--r-- 1 root root 1.8M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/exploitdb.csv
922022 -rw-r--r-- 1 root root 16M Oct 30 20:50 /usr/share/nmap/scripts/vulscan/cve.csv
If we don't specify a database, it searches all of them.