Day 045 #FromZeroToHacker – Nmap Post Port Scans

We have found targets and scanned them and their ports. Now it is time for the steps that follow port scanning: service and OS detection, Nmap scripts and saving scan results.

Let’s scan what we can learn today in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Nmap Advanced scans

In the first lesson of this series, we learned how to enumerate targets. In the second and third lessons, we focused on basic and advanced port scanning techniques. Now it is time to use Nmap to:

  • Detect versions of the running services.
  • Detect the target’s OS.
  • Run Nmap’s traceroute.
  • Run Nmap scripts.
  • Save the scan results.
Nmap steps

This is the fourth and last of the Nmap lessons:

  1. Nmap Live Host Discovery
  2. Nmap Basic Port Scans
  3. Nmap Advanced Port Scans
  4. Nmap Post Port Scans

What have I learnt today?

Service Detection

Discovering open ports means little if we don’t know what services are running on them. Adding -sV to our Nmap scan will determine the service and version information for the open ports.

It is fundamental to note that using -sV forces a full TCP 3-way handshake, establishing a connection with the service. The stealth SYN scan, -sS, is therefore not possible when the -sV option is selected.

Using service detection adds a new column to the scan results called Version that displays the version for each detected service.

[Image: Nmap -sV scan output]

Like many Nmap actions, this requires root privileges (using sudo).

OS Detection and Traceroute

OS Detection

Nmap can detect the OS (Operating System) using -O (an uppercase O).

[Image: Nmap -O scan output]

The target scanned in the image is running Linux 3.16, so Nmap’s guess was close. Nmap is really good at figuring out which OS is running, but less so when it comes to the exact kernel version.

Traceroute

Nmap lets us find the routers between us and the target with the --traceroute option:

[Image: Nmap scan output with --traceroute]

At the end of the scan, we can see that there is no router in between, just the target (with the target IP).

But beware! Some routers are configured not to send ICMP Time-To-Live exceeded messages, preventing us from discovering their IP addresses.

Nmap Scripting Engine (NSE)

Nmap’s functionality can be extended with scripts written in the Lua language.

The default Nmap installation contains about 600 scripts. You can find them in /usr/share/nmap/scripts.

[Image: Nmap Scripting Engine (NSE)]

You can use any one of these scripts, or a group of them. To do so, use --script followed by the script(s) you want to run, or just use the default set with -sC. A list of all Nmap scripts is linked in the Resources section below.

[Image: Nmap -sC scan with the default scripts]

Here we have a lot of extra information! If you take a look at the SSH service on port 22, Nmap even recovered four public keys 🙂

Now, time for specific scripts. You have to be careful, as some scripts are pretty loud and/or intrusive. This one, for example, is pretty benign, as it just retrieves the HTTP server’s date and time:

[Image: Nmap scan with a specific --script]

You can download more Nmap scripts from the internet, or even write one yourself! The sky (and your time/knowledge) is the limit!

Saving the output

We perform loads of scans, so it is logical that we want to save the results to a file. With Nmap, we can do so in three main formats:

  • Normal
  • Grepable (grep)
  • XML

There is also a fourth, Script Kiddie, which we don’t talk about.

Normal

The normal format is a format that is…normal. It is almost exactly what you get on the screen when scanning a target. We use the -oN <FILENAME> option:

[Image: Normal format output]

Grepable

The name of this format comes from the command grep (Global Regular Expression Print), and it makes filtering pretty efficient. We use it with the -oG <FILENAME> option. It is hard to read, but because each host takes up a single line it is easy to scan with the grep terminal command:

[Image: Grepable format output]

We can then search for strings inside the file with the command grep <STRING> <FILENAME>:

[Image: grep example]

XML

We can save scan results in XML format with -oX <FILENAME>.

[Image: XML format output]
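As an added example (not from the lesson or the TryHackMe room), a small Python parser for the XML that -oX produces: it pulls out each open port with its -sV service and version, the top -O match and any NSE script output, and flags versions that Nmap only guessed from its port table rather than actually probed. The XML document is constructed to mimic Nmap’s schema; the IP, products and versions are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap's -oX writer produces (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -sC -oX scan.xml 10.10.10.5" version="7.94">
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.6p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.29" method="probed" conf="10"/>
        <script id="http-server-header" output="Apache/2.4.29 (Ubuntu)"/>
      </port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service, version, scripts, os."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        # Nmap lists its best OS guess first; -O may produce no <osmatch> at all.
        osmatch = host.find("os/osmatch")
        os_name = f"{osmatch.get('name')} ({osmatch.get('accuracy')}%)" if osmatch is not None else "unknown"
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            # method="table" means the name came from nmap-services, not from a -sV probe
            probed = svc is not None and svc.get("method") == "probed"
            version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            results.append({"host": ip, "port": int(port.get("portid")), "proto": port.get("protocol"),
                            "service": svc.get("name", "") if svc is not None else "",
                            "version": version if probed else "(unverified)", "os": os_name,
                            "scripts": {s.get("id"): s.get("output") for s in port.iter("script")}})
    return results
```

Pointing the parser at a real file is a matter of passing open("scan.xml").read() instead of SAMPLE_XML.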

Script Kiddie is bullshit “L33t” language:

[Image: Script Kiddie format output]

All of them

You can save the scan output to all three (proper) formats using -oA <FILENAME> to have your scan results in normal, grepable and XML formats.

Summary

In this lesson, we have covered the following:

  • Service detection.
  • OS Detection and Traceroute.
  • Nmap Scripting Engine (NSE).
  • Saving the output to a file.
  • How stupid Script Kiddie format is (I hate it).

Stats

From 98.761st to 97.156th. Now in the top 100.000!

Here is also the Skill Matrix:

[Image: Skills matrix]

Resources

Module: Nmap

TryHackMe: Nmap Post Port Scans

Other resources

Nmap Live Host Discovery
Nmap Basic Port Scans
Nmap Advanced Port Scans
List of all Nmap scripts