joemccray

Nmap 4 da r00kies

Jul 5th, 2016
  1. #########################################
  2. # Teaching the r00kies NMap NSE #
  3. # By Joe McCray #
  4. #########################################
  5.  
  6.  
  7. Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
  8.  
  9. So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
  10. https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf
  11.  
  12. sudo nmap -sP 10.0.0.0/24
  13.  
  14. sudo nmap -sL 10.0.0.0/24
  15.  
  16. cd ~/toolz
  17.  
  18. wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  19.  
  20. gcc ipcrawl.c -o ipcrawl
  21.  
  22. chmod 777 ipcrawl
  23.  
  24. ./ipcrawl 10.0.0.1 10.0.0.254
  25.  
  26.  
  27.  
  28. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  29.  
  30. gcc propecia.c propecia
  31.  
  32. sudo cp propecia /bin
  33.  
  34. propecia 10.0.0 22
  35.  
  36. propecia 10.0.0 3389
  37.  
  38. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open
  39.  
  40. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'
  41.  
  42. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l
  43.  
  44. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'
  45.  
  46. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt
  47.  
  48.  
  49. ##########################
  50. # Playing with Nmap NSE #
  51. ##########################
  52.  
  53. nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
  54.  
  55. nmap -p80 --script dns-brute strategicsec.com
  56.  
  57. nmap --script http-robtex-reverse-ip secore.info
  58.  
  59. nmap -Pn -p80 --script=http-headers strategicsec.com
  60.  
  61.  
  62. ls /usr/share/nmap/scripts | grep http
  63. nmap -Pn -p80 --script=http-* strategicsec.com
  64.  
  65. cd ~/toolz
  66. wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
  67. tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
  68. sudo cp wkhtmltoimage-i386 /usr/local/bin/
  69.  
  70. git clone git://github.com/SpiderLabs/Nmap-Tools.git
  71. cd Nmap-Tools/NSE/
  72. sudo cp http-screenshot.nse /usr/share/nmap/scripts/
  73. sudo nmap --script-updatedb
  74.  
  75. cd ~/toolz/
  76. mkdir labscreenshots
  77. cd labscreenshots/
  78.  
  79. sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt
  80.  
  81.  
  82.  
  83.  
  84. vi screenshots.sh
  85.  
  86. #!/bin/bash
  87. printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
  88. ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
  89. printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
  90.  
  91.  
  92.  
  93.  
  94.  
  95. sh screenshots.sh
  96.  
  97.  
  98.  
  99.  
  100. ##########################
  101. # Nmap NSE tricks to try #
  102. ##########################
  103. sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
  104.  
  105. sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
  106.  
  107. sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
  108.  
  109. sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
  110.  
  111. sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
  112.  
  113. sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
  114.  
  115. sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
  116.  
  117. sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
  118.  
  119. sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
  120.  
  121. sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24
  122.  
  123. sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
  124.  
  125. sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
  126.  
  127.  
  128.  
  129.  
  130. #####################################
  131. # Writing Your Own Nmap NSE Scripts #
  132. #####################################
  133.  
  134. - The reference for this tutorial is:
  135. https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
  136.  
  137. ----------------------------------------------------------------------
  138. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  139.  
  140. -- The Head Section --
  141. -- The Rule Section --
  142. portrule = function(host, port)
  143. return port.protocol == "tcp"
  144. and port.number == 80
  145. and port.state == "open"
  146. end
  147.  
  148. -- The Action Section --
  149. action = function(host, port)
  150. return "Advanced Pentester Night School!"
  151. end
  152. ----------------------------------------------------------------------
  153.  
  154. - Ok, now that we've created the script, let's run it:
  155. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  156.  
  157.  
  158.  
  159.  
  160.  
  161.  
  162. ----------------------------------------------------------------------
  163. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  164.  
  165. -- The Head Section --
  166. local shortport = require "shortport"
  167.  
  168. -- The Rule Section --
  169. portrule = shortport.http
  170.  
  171.  
  172. -- The Action Section --
  173. action = function(host, port)
  174. return "Advanced Pentester Night School!"
  175. end
  176. ----------------------------------------------------------------------
  177.  
  178. - Ok, now that we've made that change, let's run the script:
  179. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  180.  
  181.  
  182.  
  183.  
  184.  
  185.  
  186.  
  187. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
  188.  
  189. ----------------------------------------------------------------------
  190. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  191.  
  192. -- The Head Section --
  193. local shortport = require "shortport"
  194. local http = require "http"
  195.  
  196. -- The Rule Section --
  197. portrule = shortport.http
  198.  
  199. -- The Action Section --
  200. action = function(host, port)
  201.  
  202. local uri = "/installing-metasploit-in-ubunt/"
  203. local response = http.get(host, port, uri)
  204. return response.status
  205.  
  206. end
  207. ----------------------------------------------------------------------
  208.  
  209. - Ok, now that we've made that change, let's run the script:
  210. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  211.  
  212.  
  213.  
  214.  
  215. ----------------------------------------------------------------------
  216. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  217.  
  218. -- The Head Section --
  219. local shortport = require "shortport"
  220. local http = require "http"
  221.  
  222. -- The Rule Section --
  223. portrule = shortport.http
  224.  
  225. -- The Action Section --
  226. action = function(host, port)
  227.  
  228. local uri = "/installing-metasploit-in-ubunt/"
  229. local response = http.get(host, port, uri)
  230.  
  231. if ( response.status == 200 ) then
  232. return response.body
  233. end
  234.  
  235. end
  236. ----------------------------------------------------------------------
  237.  
  238. - Ok, now that we've made that change, let's run the script:
  239. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  240.  
  241.  
  242.  
  243.  
  244.  
  245.  
  246.  
  247.  
  248.  
  249. ----------------------------------------------------------------------
  250. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  251.  
  252. -- The Head Section --
  253. local shortport = require "shortport"
  254. local http = require "http"
  255. local string = require "string"
  256.  
  257. -- The Rule Section --
  258. portrule = shortport.http
  259.  
  260. -- The Action Section --
  261. action = function(host, port)
  262.  
  263. local uri = "/installing-metasploit-in-ubunt/"
  264. local response = http.get(host, port, uri)
  265.  
  266. if ( response.status == 200 ) then
  267. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  268. return title
  269. end
  270.  
  271. end
  272. ----------------------------------------------------------------------
  273.  
  274. - Ok, now that we've made that change, let's run the script:
  275. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  276.  
  277.  
  278.  
  279.  
  280.  
  281.  
  282.  
  283. ----------------------------------------------------------------------
  284. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  285.  
  286. -- The Head Section --
  287. local shortport = require "shortport"
  288. local http = require "http"
  289. local string = require "string"
  290.  
  291. -- The Rule Section --
  292. portrule = shortport.http
  293.  
  294. -- The Action Section --
  295. action = function(host, port)
  296.  
  297. local uri = "/installing-metasploit-in-ubunt/"
  298. local response = http.get(host, port, uri)
  299.  
  300. if ( response.status == 200 ) then
  301. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  302.  
  303. if (title) then
  304. return "Vulnerable"
  305. else
  306. return "Not Vulnerable"
  307. end
  308. end
  309. end
  310.  
  311. ----------------------------------------------------------------------
  312.  
  313. - Ok, now that we've made that change, let's run the script:
  314. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443