Advertisement
joemccray

Nmap 4 da r00kies

Jul 5th, 2016
1,708
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.24 KB | None | 0 0
  1. #########################################
  2. # Teaching the r00kies NMap NSE #
  3. # By Joe McCray #
  4. #########################################
  5.  
  6.  
  7. Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
  8.  
  9. So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
  10. https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf
  11.  
  12. sudo nmap -sP 10.0.0.0/24
  13.  
  14. sudo nmap -sL 10.0.0.0/24
  15.  
  16. cd ~/toolz
  17.  
  18. wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  19.  
  20. gcc ipcrawl.c -o ipcrawl
  21.  
  22. chmod 777 ipcrawl
  23.  
  24. ./ipcrawl 10.0.0.1 10.0.0.254
  25.  
  26.  
  27.  
  28. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  29.  
  30. gcc propecia.c propecia
  31.  
  32. sudo cp propecia /bin
  33.  
  34. propecia 10.0.0 22
  35.  
  36. propecia 10.0.0 3389
  37.  
  38. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open
  39.  
  40. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'
  41.  
  42. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l
  43.  
  44. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'
  45.  
  46. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt
  47.  
  48.  
  49. ##########################
  50. # Playing with Nmap NSE #
  51. ##########################
  52.  
  53. nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
  54.  
  55. nmap -p80 --script dns-brute strategicsec.com
  56.  
  57. nmap --script http-robtex-reverse-ip secore.info
  58.  
  59. nmap -Pn -p80 --script=http-headers strategicsec.com
  60.  
  61.  
  62. ls /usr/share/nmap/scripts | grep http
  63. nmap -Pn -p80 --script=http-* strategicsec.com
  64.  
  65. cd ~/toolz
  66. wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
  67. tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
  68. sudo cp wkhtmltoimage-i386 /usr/local/bin/
  69.  
  70. git clone git://github.com/SpiderLabs/Nmap-Tools.git
  71. cd Nmap-Tools/NSE/
  72. sudo cp http-screenshot.nse /usr/share/nmap/scripts/
  73. sudo nmap --script-updatedb
  74.  
  75. cd ~/toolz/
  76. mkdir labscreenshots
  77. cd labscreenshots/
  78.  
  79. sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt
  80.  
  81.  
  82.  
  83.  
  84. vi screenshots.sh
  85.  
  86. #!/bin/bash
  87. printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
  88. ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
  89. printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
  90.  
  91.  
  92.  
  93.  
  94.  
  95. sh screenshots.sh
  96.  
  97.  
  98.  
  99.  
  100. ##########################
  101. # Nmap NSE tricks to try #
  102. ##########################
  103. sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
  104.  
  105. sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
  106.  
  107. sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
  108.  
  109. sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
  110.  
  111. sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
  112.  
  113. sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
  114.  
  115. sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
  116.  
  117. sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
  118.  
  119. sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
  120.  
  121. sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24
  122.  
  123. sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
  124.  
  125. sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
  126.  
  127.  
  128.  
  129.  
  130. #####################################
  131. # Writing Your Own Nmap NSE Scripts #
  132. #####################################
  133.  
  134. - Reference for this tutorial is:
  135. https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
  136.  
  137. ----------------------------------------------------------------------
  138. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  139.  
  140. -- The Head Section --
  141. -- The Rule Section --
  142. portrule = function(host, port)
  143. return port.protocol == "tcp"
  144. and port.number == 80
  145. and port.state == "open"
  146. end
  147.  
  148. -- The Action Section --
  149. action = function(host, port)
  150. return "Advanced Pentester Night School!"
  151. end
  152. ----------------------------------------------------------------------
  153.  
  154. - Ok, now that we've made that change let's run the script
  155. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  156.  
  157.  
  158.  
  159.  
  160.  
  161.  
  162. ----------------------------------------------------------------------
  163. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  164.  
  165. -- The Head Section --
  166. local shortport = require "shortport"
  167.  
  168. -- The Rule Section --
  169. portrule = shortport.http
  170.  
  171.  
  172. -- The Action Section --
  173. action = function(host, port)
  174. return "Advanced Pentester Night School!"
  175. end
  176. ----------------------------------------------------------------------
  177.  
  178. - Ok, now that we've made that change let's run the script
  179. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  180.  
  181.  
  182.  
  183.  
  184.  
  185.  
  186.  
  187. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
  188.  
  189. ----------------------------------------------------------------------
  190. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  191.  
  192. -- The Head Section --
  193. local shortport = require "shortport"
  194. local http = require "http"
  195.  
  196. -- The Rule Section --
  197. portrule = shortport.http
  198.  
  199. -- The Action Section --
  200. action = function(host, port)
  201.  
  202. local uri = "/installing-metasploit-in-ubunt/"
  203. local response = http.get(host, port, uri)
  204. return response.status
  205.  
  206. end
  207. ----------------------------------------------------------------------
  208.  
  209. - Ok, now that we've made that change let's run the script
  210. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  211.  
  212.  
  213.  
  214.  
  215. ----------------------------------------------------------------------
  216. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  217.  
  218. -- The Head Section --
  219. local shortport = require "shortport"
  220. local http = require "http"
  221.  
  222. -- The Rule Section --
  223. portrule = shortport.http
  224.  
  225. -- The Action Section --
  226. action = function(host, port)
  227.  
  228. local uri = "/installing-metasploit-in-ubunt/"
  229. local response = http.get(host, port, uri)
  230.  
  231. if ( response.status == 200 ) then
  232. return response.body
  233. end
  234.  
  235. end
  236. ----------------------------------------------------------------------
  237.  
  238. - Ok, now that we've made that change let's run the script
  239. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  240.  
  241.  
  242.  
  243.  
  244.  
  245.  
  246.  
  247.  
  248.  
  249. ----------------------------------------------------------------------
  250. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  251.  
  252. -- The Head Section --
  253. local shortport = require "shortport"
  254. local http = require "http"
  255. local string = require "string"
  256.  
  257. -- The Rule Section --
  258. portrule = shortport.http
  259.  
  260. -- The Action Section --
  261. action = function(host, port)
  262.  
  263. local uri = "/installing-metasploit-in-ubunt/"
  264. local response = http.get(host, port, uri)
  265.  
  266. if ( response.status == 200 ) then
  267. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  268. return title
  269. end
  270.  
  271. end
  272. ----------------------------------------------------------------------
  273.  
  274. - Ok, now that we've made that change let's run the script
  275. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  276.  
  277.  
  278.  
  279.  
  280.  
  281.  
  282.  
  283. ----------------------------------------------------------------------
  284. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  285.  
  286. -- The Head Section --
  287. local shortport = require "shortport"
  288. local http = require "http"
  289. local string = require "string"
  290.  
  291. -- The Rule Section --
  292. portrule = shortport.http
  293.  
  294. -- The Action Section --
  295. action = function(host, port)
  296.  
  297. local uri = "/installing-metasploit-in-ubunt/"
  298. local response = http.get(host, port, uri)
  299.  
  300. if ( response.status == 200 ) then
  301. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  302.  
  303. if (title) then
  304. return "Vulnerable"
  305. else
  306. return "Not Vulnerable"
  307. end
  308. end
  309. end
  310.  
  311. ----------------------------------------------------------------------
  312.  
  313. - Ok, now that we've made that change let's run the script
  314. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement