NMAP

Last Updated: 8/29/2024

NMAP or “Network Mapper” is a free utility that can “map” your network. It can be used for port scans and OS detection, it is scriptable, and its scripts can be used for vulnerability detection. It is widely supported and is included in Metasploit.

root@kali-linux:/home/user# nmap 192.168.122.186

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 11:23 EST
Nmap scan report for dc (192.168.122.186)
Host is up (0.00014s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 52:54:00:F3:51:47 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.67 seconds
root@kali-linux:/home/user#
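The scan above is Nmap's "normal" output, which is meant for people rather than tools (for machine use, Nmap's -oX and -oG formats exist). Still, scan reports like this often end up pasted into tickets and wikis, so here is an added example (my code, not the post's and not Nmap's) that parses the host line, port table and MAC line of that format into records and then applies a simple defender's triage rule: flag open services that normally should not be reachable outside a management network. The sample input is the scan output from the post, embedded so the script runs offline; the list of "restricted" ports is an assumption of the example, not something the post states.

```python
"""Parse Nmap's normal (human-readable) output into records a defender can triage.

Added example for this post; it is not Nmap's code and not part of the original
article. It parses the scan report layout shown above (host line, port table,
MAC line) and flags services that are usually restricted to management networks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the scan output from the post, embedded so this runs offline.
SAMPLE_SCAN = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 11:23 EST
Nmap scan report for dc (192.168.122.186)
Host is up (0.00014s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 52:54:00:F3:51:47 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.67 seconds
"""


@dataclass
class Host:
    address: str
    name: Optional[str] = None
    mac: Optional[str] = None
    # (port, protocol, state, service) as printed in the PORT/STATE/SERVICE table
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)


# "Nmap scan report for dc (192.168.122.186)" or "Nmap scan report for 192.168.122.186"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_normal_output(text: str) -> List[Host]:
    """Walk the output line by line; each 'scan report' line starts a new host."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = Host(address=m.group(2) or m.group(3), name=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            current.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group(1).upper()
    return hosts


# Triage policy assumed by this example (not from the post): TCP services that
# should normally be reachable only from management networks.
RESTRICTED_TCP = {139: "NetBIOS session", 445: "SMB", 3389: "RDP"}


def exposed_restricted_services(host: Host) -> List[Tuple[int, str]]:
    """Open TCP ports on `host` that fall under the restricted-service policy."""
    return sorted(
        (port, RESTRICTED_TCP[port])
        for port, proto, state, _service in host.ports
        if proto == "tcp" and state == "open" and port in RESTRICTED_TCP
    )


if __name__ == "__main__":
    for host in parse_normal_output(SAMPLE_SCAN):
        label = f"{host.name} ({host.address})" if host.name else host.address
        print(f"{label}: {len(host.ports)} open ports, MAC {host.mac}")
        for port, service in exposed_restricted_services(host):
            print(f"  restricted service exposed: {port}/tcp {service}")
```

Run against the post's scan it reports the domain controller with ten open ports and flags 139, 445 and 3389. The same parser works on multi-host output because each "Nmap scan report for" line starts a fresh record.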

One way to update the script database is the following (this is from an old screenshot):

nmap --script-updatedb

https://nmap.org/nsedoc/categories/vuln.html

smb-vuln-conficker
smb-vuln-cve2009-3103
smb-vuln-ms06-025
smb-vuln-ms07-029
smb-vuln-regsvc-dos
smb-vuln-ms08-067

http-vuln-cve2017-5689   
Detects if a system with Intel Active Management Technology is vulnerable to the INTEL-SA-00075 privilege 
 
nmap --script smb-check-vulns -p445 192.168.122.123
nmap --script smb-vuln-ms08-067 -P0 192.168.122.184
nmap --script smb-vuln-regsvc-dos  -p445  -P0 192.168.122.123
nmap --script smb-vuln-cve2009-3103 -p445  -P0 192.168.122.184
nmap --script http-vuln-cve2017-5689 -P0 192.168.122.184
nmap -p445 --script smb-vuln-ms17-010 192.168.123.111

A quick note: scripts are kept in /usr/share/nmap/scripts. (In the commands above, -P0 is the older spelling of -Pn, which skips host discovery.)

root@nodey:/usr/share/nmap/scripts# nmap --script vmware-version.nse -p443 192.168.160.33
Starting Nmap 7.80 ( https://nmap.org ) at 2024-08-24 08:36 EST
Nmap scan report for 192.168.160.33
Host is up (0.00025s latency).

PORT    STATE SERVICE
443/tcp open  https
| vmware-version:
|   Server version: VMware ESXi 7.0.3
|   Build: 23794027
|   Locale version: INTL 000
|   OS type: vmnix-x86
|_  Product Line ID: embeddedEsx
MAC Address: F8:B1:56:D1:E5:83 (Dell)
Service Info: CPE: cpe:/o:vmware:ESXi:7.0.3

Another example.

root@nodey:/usr/share/nmap/scripts#  nmap --script smb2-capabilities.nse  -p 139 192.168.160.50
Starting Nmap 7.80 ( https://nmap.org ) at 2024-08-24 08:43 EST
Nmap scan report for test-dc.sparedomain.net (192.168.160.50)
Host is up (0.00061s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
MAC Address: 00:0C:29:98:E6:FC (VMware)

Host script results:
| smb2-capabilities:
|   2.02:
|     Distributed File System
|   2.10:
|     Distributed File System
|     Leasing
|   3.00:
|     Distributed File System
|     Leasing
|   3.02:
|     Distributed File System
|_    Leasing

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
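The vmware-version and smb2-capabilities results above share one layout: NSE prints each script's output as a "|" block, with "| name:" opening the block, two spaces of indentation per nesting level, and "|_" marking the last line. As an added example (my code, not the post's and not Nmap's), here is a parser for that layout that turns each block into nested dicts, plus one check a defender would run on the smb2-capabilities result: which SMB dialects the host offers and whether any 3.x dialect (the generation that can carry SMB encryption) is among them. The two samples are the script outputs from the post, embedded so it runs offline; the function names are mine.

```python
"""Parse the tree-shaped output that NSE scripts print under a port or host.

Added example, not part of the post and not Nmap's code. It handles the
"| key:" / "|   child" / "|_ last line" layout shown for vmware-version and
smb2-capabilities, turning each script block into nested dicts, and then
applies one defender's check: which SMB dialects the host offers.
"""
import re
from typing import List

# Constructed samples: the two script outputs from the post, embedded so this runs offline.
VMWARE_SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| vmware-version:
|   Server version: VMware ESXi 7.0.3
|   Build: 23794027
|   Locale version: INTL 000
|   OS type: vmnix-x86
|_  Product Line ID: embeddedEsx
MAC Address: F8:B1:56:D1:E5:83 (Dell)
"""

SMB2_SAMPLE = """\
Host script results:
| smb2-capabilities:
|   2.02:
|     Distributed File System
|   2.10:
|     Distributed File System
|     Leasing
|   3.00:
|     Distributed File System
|     Leasing
|   3.02:
|     Distributed File System
|_    Leasing
"""

# A script line is "|" then either a space or "_" (last line of the block),
# then two spaces of indentation per nesting level, then the text.
SCRIPT_LINE_RE = re.compile(r"^\|[ _]( *)(.*)$")


def parse_script_results(text: str) -> dict:
    """Return {script_name: tree} for every NSE block in `text`.

    A line ending in ':' opens a child node, 'key: value' stores a value, and
    any other text is a bare item stored with value None.
    """
    results: dict = {}
    stack: List[tuple] = []  # (depth, node) for the nodes that are still open
    for line in text.splitlines():
        m = SCRIPT_LINE_RE.match(line)
        if not m:
            stack = []  # any non-'|' line ends the current script block
            continue
        depth = len(m.group(1)) // 2
        body = m.group(2).rstrip()
        while stack and stack[-1][0] >= depth:
            stack.pop()  # back out to the parent at the previous level
        parent = stack[-1][1] if stack else results
        if body.endswith(":"):
            node: dict = {}
            parent[body[:-1]] = node
            stack.append((depth, node))
        elif ": " in body:
            key, value = body.split(": ", 1)
            parent[key] = value
        else:
            parent[body] = None
    return results


def offered_smb_dialects(results: dict) -> List[str]:
    """SMB2/3 dialects the host negotiated, as reported by smb2-capabilities."""
    return sorted(results.get("smb2-capabilities", {}))


def supports_smb3(results: dict) -> bool:
    """True if any SMB 3.x dialect is offered; SMB encryption exists only in 3.x."""
    return any(d.startswith("3.") for d in offered_smb_dialects(results))


if __name__ == "__main__":
    vm = parse_script_results(VMWARE_SAMPLE)["vmware-version"]
    print("ESXi:", vm["Server version"], "build", vm["Build"])
    smb = parse_script_results(SMB2_SAMPLE)
    print("SMB dialects:", ", ".join(offered_smb_dialects(smb)),
          "| SMB3 offered:", supports_smb3(smb))
```

Because the parser keys on the "|" prefix and indentation only, it also copes with one-line results such as "|_script-name: value", and a non-"|" line (the MAC Address line, for instance) simply closes the block. Offering 3.x does not by itself mean encryption is enforced on the share; that is a server-side setting, so the check is a starting point for review rather than a verdict.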

References:
https://www.infosecmatter.com/nmap-nse-library/?nse=smb2-capabilities
https://ambhalerao12.medium.com/how-to-bruteforce-ssh-login-credentials-using-nmap-b632305f2e50