Nmap and Nikto 101 Ramnath

Nmap and Nikto 101 at Null

Mar 03, 2017

Page 1: Nmap and Nikto 101 at Null

Nmap and Nikto 101

Ramnath

Page 2: Nmap and Nikto 101 at Null

About me
• Ramnath Shenoy
• FireEye – Engineering
• OSCP
• Interests – Windows Internals and Web Applications. Path to OSCE!
• @ramnathsk
• https://in.linkedin.com/in/ramnathshenoyk

Page 3: Nmap and Nikto 101 at Null

Agenda
• Introduction to Nmap.
• Basic scanning techniques.
• Enumeration and Vulnerability Detection.
• Nmap Demo
• Introduction to Nikto.
• Basic scanning techniques (various switches)
• Nikto Demo

Page 4: Nmap and Nikto 101 at Null

Nmap
• Network Mapper - Utility used to identify assets and map them in a network.
• https://github.com/nmap/nmap (Current release is 7.40, 19 year old project and active)

Page 5: Nmap and Nikto 101 at Null

Why Nmap
• How does Nmap... Nmap?
• Perhaps I can ping sweep?
• What if someone has a FW enabled?
• How to know which IPs are alive?
• There are only: 65535 (ports) * 2 (TCP & UDP) * 24 (if class C)

Diagram (from slide): hosts 192.168.56.100, 192.168.56.145, 192.168.56.45 and 192.168.56.14, each with a few listening ports (80, 3128, 8080, 443, 22, 138, 139, 445).

Page 6: Nmap and Nikto 101 at Null

Nmap Switches – Discovery
nmap <options> <scan type> <target>
• options
• Host discovery
  • -sn: Ping Scan - disable port scan
  • -Pn: Treat all hosts as online -- skip host discovery
  • -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  • --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  • --system-dns: Use OS's DNS resolver
• Target Specification
  • -iL <inputfilename>: Input from list of hosts/networks
  • -iR <num hosts>: Choose random targets
  • --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  • --excludefile <exclude_file>: Exclude list from file

Page 7: Nmap and Nikto 101 at Null

Nmap Scanning techniques
• -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine a system is alive.
• -sS (SYN Scan) – Determines a system/port being alive by sending only SYN and waiting for SYN-ACK.
• -sT (TCP Scan) – Determines a system/port being alive by completing a 3-way handshake (SYN ; SYN+ACK ; ACK).
• -sF (FIN Scan) – Determines a system/port being alive by sending FIN and waiting for an ACK.
• -sU (UDP Scan) – Probes UDP; detects a system/port is alive when there is a UDP response + ICMP packet Dest unreachable.

Page 8: Nmap and Nikto 101 at Null

NMAP port “Status” - Open
• Open - SYN reached the end system, victim responded with SYN+ACK and completes the handshake.

nmap -n -sT -p 80 192.168.56.104

Page 9: Nmap and Nikto 101 at Null

NMAP port “Status” - Closed
• Closed - SYN reached the end system, which responded with RST+ACK. System is accessible but the service is not open on the victim.

nmap -n -sT -p 22 192.168.56.104

Page 10: Nmap and Nikto 101 at Null

NMAP port “Status” - Filtered
• Filtered – Observed when a port does not respond on repeated tries.

nmap -n -sT -p 445 192.168.56.105

Page 11: Nmap and Nikto 101 at Null

Why Service Enumeration?
• Port is open...
• People run web servers on port 999!
• Runs apache web service?? Like 33% of www servers run on it.
• I need banners and to identify what they are!
• I need the operating system type!
• I need vulns!

Page 12: Nmap and Nikto 101 at Null

Nmap – service Version and Enumeration!
• The Nmap-services database is constantly updated with services, fingerprinting and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine (.nse files) to identify and enumerate the service that has been detected earlier.
• -sC – runs the “default” ~200 Nmap Script Engine (.nse files) to identify and enumerate the services and report vulnerabilities identified. Optionally the --script option can be used.

Page 13: Nmap and Nikto 101 at Null

Nmap service Enumeration!
• The difference between the two in action

Regular TCP scan vs. TCP scan with version detection:

-sT + -sV = -sTV

Page 14: Nmap and Nikto 101 at Null

Nmap service Enumeration! - 2
• -sV under the hood!

Page 15: Nmap and Nikto 101 at Null

NSE – What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated version detection and OS detection. Example: smb-os-discovery.nse, http-cisco-anyconnect.nse ...
• Vulnerability detection. Example: tls-ticketbleed.nse, sslv2-drown.nse, ...
• Malware detection. Example: http-google-malware.nse ...
• Vulnerability exploitation. Example: smb-psexec.nse, ...

Page 16: Nmap and Nikto 101 at Null

NSE – what? where?
• -sC and --script use NSE. There is a default set launched when no option is given. https://nmap.org/nsedoc/categories/default.html

Page 17: Nmap and Nikto 101 at Null

Nmap Enumeration technique

Notice how the service is not shell, even though the banner shows shell.

Page 18: Nmap and Nikto 101 at Null

Nmap Enumeration technique

So you need to use -sTV along with it for the version grab.
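The point of the two slides above is that a port number (or a banner) is not the same as a confirmed service. As an added example that is not from the slides, the following Python parser reads nmap XML output (-oX) and separates services nmap confirmed by probing (-sV, `method="probed"` in the XML) from names it merely looked up by port number (`method="table"`). The XML sample, the host address 192.0.2.10 and the product versions in it are constructed for this example.

```python
"""Added example: tell probed (-sV) service matches apart from port-number guesses
in nmap XML output. The sample XML is constructed; it is not from the slides."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -n -sTV -p 22,80,443,9999 -oX -` might emit.
# Port 9999 is open but -sV matched nothing, so its name comes from nmap-services
# (method="table"); the other open ports were identified from real responses.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -sTV -p 22,80,443,9999 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="conn-refused"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="9999">
        <state state="open" reason="syn-ack"/>
        <service name="abyss" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port: host, port, protocol, service name,
    product/version string, and how nmap decided the name (probed or table)."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no meaningful service identification
            svc = port.find("service")
            if svc is None:
                svc = ET.Element("service")  # no <service> at all: treat as an unverified guess
            product = (svc.get("product", "") + " " + svc.get("version", "")).strip()
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "unknown"),
                "product": product,
                # "probed": -sV matched a response signature; "table": guessed from the port number
                "method": svc.get("method", "table"),
                "conf": int(svc.get("conf", "0")),
            })
    return results


def unverified_services(services):
    """Open ports whose service name is only a port-number guess (no -sV match).
    These deserve a manual look: the banner or the port may be misleading."""
    return [s for s in services if s["method"] != "probed"]


if __name__ == "__main__":
    services = parse_services(SAMPLE_XML)
    for s in services:
        tag = "verified" if s["method"] == "probed" else "GUESSED FROM PORT"
        print(f"{s['host']}:{s['port']}/{s['proto']} {s['name']:8} {s['product']:20} [{tag}, conf {s['conf']}]")
    print("unverified:", [s["port"] for s in unverified_services(services)])
```

Run against a real `-oX` file, every entry tagged GUESSED FROM PORT is a service nmap never actually confirmed, which is exactly the situation the slides show with the "shell" banner.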

Page 19: Nmap and Nikto 101 at Null

Nmap Scanning strategy

nmap --exclude 192.168.56.103 -sS -p 80 192.168.56.0/24 (sample – horizontal scan)
nmap -sS -p1-6000,27017-27019 192.168.56.102 (sample – vertical scan)

Diagram (from slide): hosts 192.168.56.102, 192.168.56.103, 192.168.56.104 and 192.168.56.105; TCP 80 is open on all four, with TCP 445, 22, 443, 8080, 1524 and 9999 open on some of them.

Page 20: Nmap and Nikto 101 at Null

Nmap Output Formatting

Page 21: Nmap and Nikto 101 at Null

Nmap Output Formatting

Greppable, Regular Text and XML output (shown side by side on the slide)

Page 22: Nmap and Nikto 101 at Null

Ndiff
Scan done earlier, non-compliant ports closed, and re-validation

Three ports closed
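An added example, not from the slides, of the comparison the Ndiff slide describes: take a baseline scan and a re-validation scan and list the ports that are no longer open, plus any that newly appeared (the case a re-validation should also catch). It parses nmap greppable output (-oG), the format shown on the output-formatting slides. Both -oG samples below, the 192.0.2.0/29 hosts and their ports, are constructed for this example.

```python
"""Added example: an ndiff-style comparison of two nmap greppable (-oG) outputs.
The two scan outputs are constructed for this example; they are not from the slides."""
import re

# Constructed baseline scan. -oG emits one "Host:" line with a Status field and one
# with a Ports field per host; each port entry is port/state/proto/owner/service/rpc/version.
BASELINE = """\
# Nmap 7.40 scan initiated as: nmap -n -sS -p 22,80,443,3306,8080,9999 -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 9999/open/tcp//abyss///\tIgnored State: closed (1)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (4)
# Nmap done -- 8 IP addresses (2 hosts up)
"""

# Constructed re-validation scan, after the non-compliant ports were supposed to be closed.
REVALIDATION = """\
# Nmap 7.40 scan initiated as: nmap -n -sS -p 22,80,443,3306,8080,9999 -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (4)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (3)
# Nmap done -- 8 IP addresses (2 hosts up)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Map host -> {(port, proto): state} for every port listed individually in -oG
    output. Ports folded into 'Ignored State' are not listed, so they are absent here."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ('# Nmap ...') and blanks
        ip, _hostname, rest = m.groups()
        hosts.setdefault(ip, {})
        for field in rest.split("\t"):
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    parts = entry.split("/")
                    port, state, proto = int(parts[0]), parts[1], parts[2]
                    hosts[ip][(port, proto)] = state
    return hosts


def diff_scans(before, after):
    """Return (opened, closed): (host, port, proto) tuples that became open, or
    stopped being open, between the two scans. A port absent from a scan is not open."""
    opened, closed = [], []
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, {}), after.get(ip, {})
        for key in sorted(set(b) | set(a)):
            was_open = b.get(key) == "open"
            is_open = a.get(key) == "open"
            if is_open and not was_open:
                opened.append((ip, key[0], key[1]))
            elif was_open and not is_open:
                closed.append((ip, key[0], key[1]))
    return opened, closed


if __name__ == "__main__":
    opened, closed = diff_scans(parse_grepable(BASELINE), parse_grepable(REVALIDATION))
    for ip, port, proto in closed:
        print(f"- {ip} {port}/{proto} no longer open")
    for ip, port, proto in opened:
        print(f"+ {ip} {port}/{proto} newly open (not in baseline)")
```

On the constructed data this reports the three closed ports the re-validation was meant to confirm (443, 8080 and 9999 on 192.0.2.10) and one regression, a MySQL listener on 192.0.2.11 that the baseline did not have. Feeding it the real files is `parse_grepable(open("before.gnmap").read())`; keep the same -p list in both scans, or a port missing from the second scan will show up as "no longer open" simply because it was not scanned.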

Page 23: Nmap and Nikto 101 at Null

NMAP – Demo, Stage 1
• Run time interaction
  While running -> nmap -sT 192.168.56.102
  Press ? -> v (verbosity) -> d (debug) -> p (packet tracing), arrows (how long?)
  Shift + option (v, d, p) to disable this

Page 24: Nmap and Nikto 101 at Null

Nikto

Page 25: Nmap and Nikto 101 at Null

Nikto
• Sponsored by Netsparker
• Written by Chris Sullo and David Lodge
• Language – Perl, needs SSL libraries
• https://github.com/sullo/nikto
• Current Version is -> 2.1.6

Page 26: Nmap and Nikto 101 at Null

Why Nikto?
• Web Application vulnerability scanner.
• Default paths / CGI install on Commercial Off The Shelf (COTS) applications.
• Version detection of COTS and reporting of vulnerabilities.
• Tune and run only a specific vulnerability type on a set of servers.
• Misconfigurations and insecure data leakage in headers.
• Command line only

Page 27: Nmap and Nikto 101 at Null

Nikto Basics• Nikto has two help options “nikto” & “-H” (extensive information)

Page 28: Nmap and Nikto 101 at Null

Nikto Scanning Techniques
• Nikto scanning techniques
  nikto -host http://192.168.56.102
  nikto -h http://192.168.56.102
  nikto -host 192.168.56.102 -port 443
  nikto -host https://192.168.56.102
• Nikto scanning from a list of hosts
  nikto -host hosts.txt -port 8080
• Nikto scan only from this root directory
  nikto -host http://192.168.56.102 -root /admin/

Page 29: Nmap and Nikto 101 at Null

Nikto Output

Page 30: Nmap and Nikto 101 at Null

Nikto – Output 2

Page 31: Nmap and Nikto 101 at Null

Nikto Tuning Options
nikto -Tuning 1 -host 192.168.56.102 -port 80,443,8080

Page 32: Nmap and Nikto 101 at Null

Nikto – Tuning example

Page 33: Nmap and Nikto 101 at Null

Nikto Output formatting
• nikto -o /path/file -Format htm -host 192.168.56.102 -port 80,443,8080
• nikto -output /path/file.htm -host 192.168.56.102 -port 80,443,8080

Page 34: Nmap and Nikto 101 at Null

Nikto Run Time Debugging
• Space
• v – verbose, d – debug, P – pause and N – next host

Page 35: Nmap and Nikto 101 at Null

Nikto Demo 2

Page 36: Nmap and Nikto 101 at Null

Thanks!