Nmap memo form: From Discovery to vulnerability exploitation (Part 4)

Nmap memo form: From Discovery to vulnerability exploitation (Part 4)

What is a firewall?
A firewall is software or hardware used to control network access. There are two types: 1. Host-Based firewall; 2. Network-based firewall.
Host-Based Firewall
This software runs on a single host to control inbound traffic (from network to host) and outbound traffic (from host to network ). These software are installed on the operating system. Common examples are iptables on Linux and Zone Alarm on Windows.
Network-based firewall
These can be hardware devices or software, or a combination of hardware devices and software. Used to protect inbound communication from unprotected sources.
Firewalls are installed between protected and unprotected networks. They view all communications and control inbound and outbound communication by setting rules.
Scan Firewall
To effectively scan the firewall, we must check all open ports, services, and statuses. When using Nmap scanning, you must also take actions to set the time option to determine the existence of the firewall. So you can see the following table about Nmap scan results, and we can easily know whether the firewall exists.

I learned from Google search that the following IP addresses are protected by WAF (Web application firewall) and some IDS. We try to launch a certain type of powerful attack (SQL injection ). When we submit some special characters, it will be displayed as "failed Firewall Authentication ". Only then can we know that this thing can be bypassed through HTTP verb tampering. We will discuss it later.

First, use option-Pn for scanning.

We find that there are filtered ports, so we are sure that the server has firewall protection. We can scan the specified port to obtain more information.

Let's perform an internal network scan. First, we will check the scan version:

More services are found by specifying time options and port options.

Observation:
Scan the various services provided by the firewall to the internal network, including DNS, SSH, HTTPS, and Web Proxy. All these are accessible from all the PCs in the internal network. It also runs a transparent proxy on port 80, so you do not need to change the settings in the client browser.
Evade or bypass the Firewall
Bypass or escape is nothing more than another way to enter the system. The Administrator uses the firewall or IDS/IPS to prevent malicious attacks or spam. But from the attacker's point of view, he will try to bypass firewall rules; Nmap has many ways to bypass the firewall.
1. Fragmentation
Nmap sends 8-byte data packets to bypass the Firewall/IDS/IPS. This technology is very old, but it is still useful when the firewall is improperly configured.
Nmap-f host

MTU, the largest transmission unit. It is the alias of fragmentation. We can specify its size.
Nmap -- mtu 16 host

The above Nmap scan uses 16 bytes of data packets instead of 8 bytes. Therefore, we can specify the custom data packet size as a multiple of 8.
2. Bait
This type of scan is very concealed and imperceptible. The target is scanned by multiple counterfeit or forged IP addresses. In this way, the firewall considers that the attack or scan is performed by multiple resources or IP addresses, so it bypasses the firewall.

Bait is used in the initial ping scan (using ICMP, SYN, ACK, etc.) and in the actual port scan phase. Bait is also used during Remote OS Detection (-O. Bait is not used in version check or TCP connection scan.
This actually seems to the target to be scanned by multiple systems at the same time, making it more difficult for the firewall to trace the source of the scan.
There are two methods to perform bait scanning:
1. nmap-d rnd: 10 TARGET

2. nmap-D decoy1, decoy2, decoy3 target

The following network packet capture shows that multiple bait will spoof the firewall.

3. Idle Scan
Attackers will first use an idle system to scan the target system.
Scan is generated using foreseeable IP sequence IDs in some systems. In order to make the idle scan successful, the zombie host system must be idle during the scan time. For any questions, refer to the previous article.
This technology hides the attacker's IP address.
Nmap-P0-sI zombie target

We use tcpdump to capture all network traffic.
Tcpdump-I interface

4. Option-source-port
Each TCP data packet has a source port number. By default, Nmap randomly selects an available outgoing source port to detect the target. The-source-port option forces Nmap to use the specified port as the source port. This technology exploits the weakness of a firewall that blindly accepts incoming traffic based on a specific port number. Port 21 (FTP), port 53 (DNS), and port 67 (DHCP) are common ports of this scan type.
Nmap -- source-port target

5. Random Data Length:
We can also bypass the firewall when attaching random data length. Many firewalls identify latent port scans by checking the packet size. This is because many scanners send packets of a specific size. To avoid this kind of detection, we can use the command-data-length to add additional data so that it is different from the default size. In, we add more than 25 bytes to change the packet size.

Nmap -- data-length target
Capture Data Traffic

6. random sequence scan targets:
Option-randomize-host is used for random sequential scanning of specified targets. -Randomize-host helps prevent firewall and intrusion detection systems from detecting multiple targets continuously.
Nmap -- randomize-hosts targets

7. MAC Address Spoofing:
Each machine has its own unique mac address. Therefore, this is another way to bypass the firewall, because some firewalls enable rules based on MAC addresses. To obtain the scan results, you need to first know which MAC addresses can be used. This can be done through manual or advanced fuzzy testing. I prefer fuzzy testing, which is very easy to implement using Python. We only need to manually import the regular expression to Python and then automate the execution.
In particular, the-spoof-MAC option enables you to select a MAC address from a specific vendor, select a random MAC address, or set a specific MAC address. Another advantage of MAC address spoofing is that you conceal your scan because your actual MAC address will not appear in the firewall's log files.
Nmap-sT-PN-spoof-mac aa: bb: cc: dd: ee: ff target

Mac Address Spoofing requires the following parameters:

8. Send error Verification
In some firewalls and IDS/IPS, only packets with correct packets are checked. Therefore, attackers send error verification to cheat IDS/IPS.
Nmap -- badsum target

9. Sun-RPC scanning
What is Sun RPC? Sun RPC (Remote Procedure Call) is a Unix protocol used to implement multiple services, such as NFS. It was initially developed by Sun but is now widely used on other platforms (including Digital Unix ). It is also called ONC ).
The Sun RPC package includes an RPC compiler that automatically generates server and client stubs.
Nmap databases with nearly 600 RPC programs. Many RPC services use high port numbers or UDP protocol, and RPC programs also have severe remote exploitation vulnerabilities. Therefore, network administrators and Security Auditors often want to learn more about any RPC programs in their networks.
Run the following command to obtain the details of RPC:
Rpcinfo/rpcinfo -- p hostname

Nmap uses the following three steps to directly communicate with open RPC ports and then obtain information.
1) use TCP or UDP to scan open ports.
2)-the sV option checks the open ports using the Sun RPC protocol.
3) The RPC brute-force cracking engine sends empty commands to the ports recorded in the nmap-rpc database one by one to determine the RPC program. When nmap guesses an error, it will receive an error message indicating that the request port does not run the PRC program. When nmap consumes all known records, or the port returns non-RPC data packets, nmap will give up.
Post-SSL processor Scanning

NMAP can detect SSL encryption protocols. This function is automatically enabled when Version Detection is performed. As previously discussed in RPC scanning, as long as an appropriate (SSL) port is detected to automatically perform post-SSL processor scanning.
Command:
Nmap-Pn-sSV-T4-F target

NMAP service probe File Format
Nmap uses local files to store Version Detection probes and matching strings. Although nmap's nmap-services are sufficient for most users, understanding the file format helps penetration testers add new rules to scan engines. # The row starting with "#" is used for comment and ignore.
Exclusion command
The specified port is excluded from version scan. It can only be used once, at the top of all probe commands, at the top of the file. Ports should be separated by commas.
Syntax: Exclude
Probe instruction
Syntax: Probe
 
Example:
Probe TCP GetRequest q | GET/HTTP/1.0 \ r \ n |
Probe UDP DNSStatusRequest q | \ x10 |
Probe tcp null q |
The probe command tells nmap to send a specified string to identify the service. The parameters are as follows:
This must be TCP or UDP. NMAP only uses a probe that matches the Protocol it tries to scan the service.
This is a pure English name.
Tell Nmap what to send. It must have a q, marking the start and end of the string with a separator. It allows the following standard escape characters of C or Perl strings: \, \ a, \ B, \ f, \ n, \ r, \ t, \ v, and \ xHH (H is any hexadecimal number ). Nmap probes also have empty content probes. For example, in the third example above, this tcp null Probe is used to receive the banner returned by the Service. If your separator (which is | in these examples) needs to be in the probe string, you need to select different separators.
Syntax: match
[]
Examples:
Match ftp m/^ 220. * Welcome to. * Pure -? FTPd (\ d \ S + \ s *)/p/Pure-FTPd/v/$1/cpe:/a: pureftpd: pure-ftpd: $1/
Match ssh m/^ SSH-([\ d.] +)-OpenSSH [_-] ([\ w.] +) \ r? \ N/I p/OpenSSH/v/$2/I/protocol $1/cpe:/a: openbsd: openssh: $2/
Match mysql m | ^ \ x10 \ x01 \ xff \ x13 \ x04Bad handshake $ | p/MySQL/cpe:/a: mysql/
Match chargen m | @ ABCDEFGHIJKLMNOPQRSTUVWXYZ |
Match uucp m | ^ login: $ | p/NetBSD uuucpd/o/NetBSD/cpe:/o: netbsd/
Match printer m | ^ ([\ w-_.] +): lpd: Illegal service request \ n $ | p/lpd/h/$1/
Match afs m | ^ [\ d \ D] {28} \ s * (OpenAFS) ([\ d \.] {3} [^ \ s] *) | p/$1/v/$2/
 
Matching command
The matching Command tells Nmap how to identify the service based on the response of the server after the probe is sent. Each probe can follow dozens or hundreds of matching statements. Matching Commands include: Optional version description, application name, version number, and other information of the Nmap report. The command for this parameter is as follows:
This is the service name for simple pattern matching. For example, ssh, smtp, http, or snmp.
This mode is used to determine whether the received response matches the previously given service parameters. The format is Perl. The syntax is m/[regex]/[opts]. "M" tells Nmap that a matched string starts. A forward slash (/) is a separator. This regular expression is a Perl-style regular expression. Currently, the options that can be configured are 'I' (case-insensitive) and 'S' (. can also match line breaks ). The two options in Perl have the same semantics. Enclose the string to be captured with parentheses, such as the version number.
This section actually contains several optional fields. Each field starts with a confirmation letter (for example, h is the "host name "). The following is a delimiter. The preferred Delimiter is a slash ('/'), unless it is indicated by a slash in the content. Next is the field value and then the separator. The following table describes the six fields:

Soft match command
Syntax: softmatch
Example:
Softmatch ftp m/^ 220 [-. \ w] + ftp. * \ r \ n $/I
Softmatch smtp m | ^ 220 [-. \ w] + SMTP. * \ r \ n |
Softmatch pop3 m | ^ \ + OK [-\ [\] \ (\)!, /+: @. \ W] + \ r \ n $ |
The format of the soft match command is similar to that of the match command. The main difference is that after the soft match is successful, the scan will continue, but only the probe associated with the matched service will be sent, this helps to obtain more information, such as the version number.
Port and SSL port commands
Syntax: port
Example:
Ports 110,113,199,505,540,124, 30444
Ports 111,4045, 32750-32810,38978
This command tells nmap which ports are used to identify the service. The syntax is similar to the-p option of nmap.
Syntax: sslports
Example: sslports 443
This is the port used to detect the ssl Service.
Totalwaitms command
Syntax: totalwaitms
Example: totalwaitms 5000
This command tells nmap how long it will take to wait for a response after a probe is sent for a specific service. Nmap is 5 seconds by default.
Rare-level commands
Syntax: rarity
Example: rarity 6
This command corresponds to the extent to which the probe can return the expected results. The higher the value, the more rare it is.
Rollback command
Syntax: fallback
Example: fallback GetRequest, GenericLines
This option specifies the standby probe used when the current probe does not match successfully. The order is from left to right. For probes without a rollback command, the hidden execution will be rolled back to the empty probe.
Now let's talk about the use of nmap in web penetration.
Nmap HTTP Method
Web servers support different HTTP methods based on their configurations and software, and some of these requests are dangerous under certain conditions. HTTP methods include GET, HEAD, POST, TRACE, DEBUG, OPTION, DELETE, TRACK, and PUT. For more details, refer to here.
Command:
Nmap-p80, 443 -- script http-methods scanme.nmap.org

To perform a detailed check, run the following command:
Nmap-p80, 443 -- script http-methods-script-args http-methods.retest scanme.nmap.org

By default, the script http-methods uses the root folder as the base path (/). If you want to set a different basic path, set the HTTP methods. url path of the parameter:
Command:
Nmap-p80, 443 -- script http-methods -- script-args http-methods.urlpath =/mypath/scanme.nmap.org

HTTP methods TRACE, CONNECT, PUT, and DELETE may pose security risks. If a Web server or application supports these methods, a thorough test is required. TRACE makes applications vulnerable to cross-site tracking (XST) attacks, which may cause attackers to access HttpOnly cookies. The CONNECT method may allow the Web server to act as an unauthorized Web Proxy. The PUT and DELETE methods have the ability to change the content of folders. Improper permission settings may be abused.
You can learn more about the risks of each method:
Https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29
HTTP User Agent:
Some firewalls filter Nmap's default UserAgent. You can set different user proxies.
Command:
Nmap-p80 -- script http-methods -- script-args http. useragent = "Mozilla 5"

HTTP Pipeline
Some web servers allow encapsulation of multiple HTTP requests in one package. This can speed up script execution. It is recommended to enable it if the web server supports it. By default, the next MPs queue will have 40 requests and automatically adjust the size based on network conditions.
Command:
Nmap-p80 -- script http-methods -- script-args http. pipeline = 25

In addition, we can set the http. max-pipeline parameter to control the maximum value of the http pipeline. If this parameter is set, nmap automatically ignores http. pipeline.
Command:
Nmap-p80 -- script http-methods -- script-args http. max-pipeline = 10
Scan HTTP Proxy
Http proxy is used to hide your real IP address. The following command shows how to detect open proxy:
Command:
Nmap -- script http-open-proxy-p8080

We can also specify the url for verification.
Command:
Nmap -- script http-open-proxy -- script-args http-open-proxy.url = http://whatsmyip.org, http-open-. pattern = "Your IP address is"-p8080

Discover interesting files and directories and administrator accounts
This is a common task in penetration testing and cannot be done manually. The vulnerabilities of Web applications that are frequently discussed include directory list, user account enumeration, and configuration files. Nmap-based Nmap can help us complete this task more quickly.
Nmap -- script http-enum-p80

Query Lua scripts

Go to the Lua list

Fingerprints are stored in nselib/data/http-fingerprints.lua, which is actually a LUA table. To display all existing pages
Nmap script http-enum http-enum.displayall-p80

Specify different User agents to bypass some firewalls
Nmap-p80 -- script http-enum -- script-args http. useragent = "Mozilla 5 ″
You can also specify the number of HTTP MPs queues to accelerate scanning.
Nmap-p80 -- script http-enum -- script-args http. pipeline = 25

Brute force HTTP Authentication
Many home routers, IP network cameras, and even Web applications still rely on HTTP authentication. penetration testers need to try the word list of weak passwords to ensure that the system or user account is secure. Now we can perform powerful Dictionary Attacks on resources protected by http Authentication thanks to the HTTP-brute script. See the following command:
Nmap-p80 -- script http-brute -- script-args http-brute.path =/admin/

Http-brute scripts use built-in dictionaries by default. If you want to use custom dictionaries.
Nmap-p80 -- script http-brute -- script-args userdb =/var/usernames.txt, passdb =/var/passwords.txt

Http-brute supports different attack modes.
User Mode: In this mode, for each user in userdb, each password in passdb is tried.
Nmap -- script http-brute -- script-args brute. mode = user

Password mode: In this mode, for each password in passdb, each user in userdb is attempted.
Nmap -- script http-brute -- script-args brute. mode = pass

Fcreds: This mode requires an additional parameter brute. credfile.
Nmap -- script http-brute -- script-args brute. mode = creds, brute. credfile =./creds.txt
Mod_userdir penetration test
The Apache module UserDir provides the URI syntax /~ Username/to access the user directory. We can use Nmap for dictionary attacks to determine a list of valid user names on the web server. Command: nmap-p80-script http-userdir-enum

Like the preceding script, you can set User Agent and HTTP pipeline parameters.
Test default credential
In general, the Web application has default creden。, which can be easily discovered by using the neuron-specific language (AUC.
Nmap-p80 -- script http-default-accounts
The script logs in by looking for a known path and a known user password, depending on the fingerprint file stored in/nselib/data/http-default-accounts.nse.
WordPress Audit
If you find wordpress installed with a weak password account, enter the following command:
Nmap-p80 -- script http-wordpress-brute

Set the number of threads, using the script parameter http-wordpress-brute.threads:
Nmap-p80 -- script http-wordpress-brute -- script-args http-wordpressbrute.threads = 5
If the server is a virtual host, use the http-wordpressbrute parameter to set the Host field:
Nmap-p80 -- script http-wordpress-brute -- script-args http-
Wordpressbrute. hostname = "ahostname.wordpress.com"
Set a different login URI to login using the parameter http-wordpress-brute.uri:
Nmap-p80 -- script http-wordpress-brute -- script-args http-wordpressbrute.uri = "/hidden-wp-login.php"
To change the name of the POST variable for the stored user name and password, set the parameter http-wordpress-brute.uservar and http-wordpress-brute.passvar:
Nmap-p80 -- script http-wordpress-brute -- script-args http-wordpressbrute.uservar = usuario, http-wordpress-brute.passvar = pasguord
Joomla Audit
Joomla is a popular cms in many countries. It uses http-joomla-brute scripts to detect Weak Password accounts.
Nmap-p80 -- script http-joomla-brute

Mark: the Wordpress method also applies to Joomla.
Detect Web Application Firewall
To detect the web application firewall, run the following command:
Nmap-p80 -- script http-waf-detect

As you can see, the error message here shows mod_security

You can detect the firewall by detecting changes in the response content. We recommend that you use pages with less content.
Nmap-p80 -- script http-waf-detect -- script-args = "http-waf-detect.detectBodyChanges"

Use more attack loads:
Nmap-p80 -- script http-waf-detect -- script-args = "http-waf-detect.aggro"

Detects cross-site tracking Vulnerabilities
When the Web Server
The cross-site scripting vulnerability and the TRACE method are enabled to obtain the HttpOnly enabled Cookie. Run the following command to check whether TRACE is Enabled.
Nmap-p80 -- script http-methods, http-trace -- script-args http-methods.retest target>

Cross-Site Scripting Vulnerability Detection
The cross-site scripting vulnerability allows attackers to execute arbitrary js Code. The detection command is as follows:
Nmap-p80 -- script http-unsafe-output-escaping

The http-unsafe-output-escaping script is written by Martin Holst Swende. It detects possible problems with user input-based output, this script sends the following content to all parameters it finds: ghz % 3 Ehzx % 22zxc % 27xcv
Check SQL Injection
Run the following command:
Nmap-p80 -- script http-SQL-injection

You can set httpspider. maxpagecount to speed up scanning.
Nmap-p80 -- script http-SQL-injection -- script-args httpspider. maxpagecount = 200
An interesting parameter is httpspider. withinhost, which limits nmap to crawl only the specified host. It is enabled by default, and can be disabled for crawling-related sites.
Nmap-p80 -- script http-SQL-injection -- script-args httpspider. withinhost = false
You can find the official document library.
You can also set the number of User Agent and HTTP MPs Queues:
Nmap-p80 -- script http-SQL-injection -- script-args http. useragent = "Mozilla 42 ″