Posts Tagged nmap
UDP Payload Scanning
** Note: We all love the Internet Storm Center. By far it’s one of the largest conglomerations of brilliant engineers I know. So it doesn’t really surprise me that when I was going to write a blog on Nmap’s new UDP payload scanning yesterday, contributor Rob VandenBrink beat me to it. Here is mine anyways =P Rob’s goes into great detail with some packet captures to show before and after.
UDP…UDP…UDP… oh how do I scan thee?
The issue facing accurate scanning of UDP ports is the nature of UDP services themselves. Delivering anything other than a legitimate UDP payload to a service usually results in a dropped packet, and from the scanner’s side that silence looks exactly like a filtered port. This is bad news for pentesters, as we want a full and accurate scan of our targets.
UDP payload scanning is the solution (most of the time). Instead of probing with an empty UDP packet, we send a legitimate payload that the service we are scanning understands. If we receive a response, the port is open.
Before Nmap 5.21, Nmap did not support UDP payload scanning. Pentesters previously relied on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace, Jack), or udp-proto-scanner by Portcullis Labs.
Although these tools are often stellar, they are sometimes buggy and lack the Nmap-style features we want in a port scanner.
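To make the difference concrete, here is an added example (mine, not code from the original post or from Nmap): a tiny scanner-style UDP probe that first sends an empty datagram and then a real DNS query to a constructed local stub service. The stub is an assumption standing in for a real daemon: like many UDP services it only answers well-formed queries, so the empty probe yields the ambiguous open|filtered result while the payload probe proves the port open.

```python
import socket
import struct
import threading

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def udp_probe(host: str, port: int, payload: bytes, timeout: float = 0.5) -> str:
    """Classify a port like a UDP scanner: reply -> 'open'; ICMP port unreachable
    (ECONNREFUSED on a connected UDP socket) -> 'closed'; silence -> 'open|filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(4096)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def start_picky_dns_stub(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a real UDP daemon (an assumption, not a resolver):
    it answers only datagrams that parse as a DNS query and drops everything else."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(4096)
            if len(data) >= 12 and struct.unpack(">H", data[4:6])[0] >= 1:
                # Echo the header with QR/RA set: a minimal, valid-looking reply.
                srv.sendto(data[:2] + b"\x81\x80" + data[4:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo() -> dict:
    """Probe the stub with an empty datagram, then with a real DNS payload."""
    port = start_picky_dns_stub()
    return {"empty": udp_probe("127.0.0.1", port, b""),
            "dns_payload": udp_probe("127.0.0.1", port, build_dns_query("example.com"))}

if __name__ == "__main__":
    print(demo())  # {'empty': 'open|filtered', 'dns_payload': 'open'}
```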
Nmap 5.21 fixes our dilemma by adding the following UDP fingerprints for scanning:
udp/7 echo
udp/53 domain
udp/111 rpcbind
udp/123 ntp
udp/137 netbios-ns
udp/161 SNMP
udp/177 xdmcp
udp/500 ISAKMP
udp/520 route
udp/1645 RADIUS
udp/1812 RADIUS
udp/2049 NFS
udp/5353 zeroconf
udp/10080 amanda
I know this has been a good number of months in development; thanks for all the good work, Fyodor and the Nmap dev community!
Ncrack – Network Password Cracker
The 2009 Summer of Code has a special present for us pentesters. Normally we use Hydra or Medusa to crack network service passwords (telnet, FTP, SSH, etc.).
Ncrack changes the game a bit.
By bringing the Nmap dev team and community to the table, it shows promise of fixing some current issues in brute-forcing network service passwords. This has already happened in one instance; read the openssh_library paper here. It also gives us the ability to brute-force multiple targets, and it takes the standard Nmap target syntax (hostnames, CIDR, ranges, and single IPs), which is very extensible and convenient for scripting.
Additionally, it can take input from all of Nmap’s output file formats, making certain portions of a pentest faster, meaner, and leaner. We can specify IPs not to brute-force, or pass it a whole list of IPs not to test. It’s multi-threaded and provides easy tuning options (not all have been activated yet). In addition, it has a very simple syntax for brute-forcing services on non-standard ports.
While it’s still relatively new and doesn’t have a GUI like Hydra, or as many modules as Medusa, it’s still an awesome addition to any pentester’s toolbelt.
Check out the man page here: http://nmap.org/ncrack/man.html
The latest version can be downloaded here: http://nmap.org/ncrack
Note: Ncrack is a new project started in the Summer of Code 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. You can help out by testing it and reporting any problems as described in the section called “Bugs”. Currently it still only has modules for FTP, SSH, TELNET and HTTP(S).
Happy Cracking!
