Nmap cheat sheet: From Discovery to Vulnerability Exploitation (Part 5)
This is the last part of the cheat-sheet series. Here we mainly discuss vulnerability assessment and penetration testing.
Database audit
List database names
nmap -sV --script=mysql-databases 192.168.195.130
The database list is not displayed because no user name and password were supplied. Pass them as script arguments:
nmap -sV --script=mysql-databases --script-args mysqluser=root,mysqlpass=toor 192.168.195.130
User audit
Authenticate with a known password. Credentials are obtained through brute-force cracking or from accounts with empty passwords.
nmap -sV --script=mysql-users 192.168.195.130
Check for an empty root password
sudo nmap --script mysql-empty-password 192.168.195.130
MySQL server variable list
Developers or DBAs often forget to configure the database environment correctly. The following retrieves the server's environment settings.
nmap -p3306 --script mysql-variables localhost
Brute-force cracking
Use the Nmap script to brute-force user names and passwords.
nmap --script=mysql-brute localhost
Hash dump
Dump the password hashes and crack them with John the Ripper. Root privileges on the database are required.
nmap --script=mysql-dump-hashes localhost
MySQL information
This is part of information gathering and helps the later stages of the penetration test.
nmap --script=mysql-info localhost
MySQL enumeration
Once we have root access to the database, we can collect valid user names and passwords.
nmap --script=mysql-enum localhost
Using CVE-2012-2122
Recall the infamous MySQL vulnerability CVE-2012-2122: attackers successfully entered the database after trying about 300 logins as root.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
http://www.exploit-db.com/exploits/19092/
http://blog.trendmicro.com/trendlabs-security-intelligence/mysql-password-verification-bypass-cve-2012-2122/
nmap --script=mysql-vuln-cve2012-2122 localhost
But, by bad luck, the port is filtered. I used the -d option to view the debug information; it shows that no response is returned because the port is filtered. I suggest you search through Shodan.
Penetration testing of mail servers
We can use Nmap scripts to test mail services as follows:
Use Google search to find valid email accounts
Test for open relay
Brute-force SMTP passwords
Enumerate SMTP server users
Detect SMTP server backdoors
Brute-force IMAP passwords
Retrieve IMAP server capabilities
Brute-force POP3 passwords
Retrieve POP3 server capabilities
Detect the Exim SMTP vulnerability in versions 4.70 to 4.75
Use Google search to find valid email accounts
nmap -p80 --script=http-email-harvest target
Test for open relay
What is an open relay? It is an SMTP server that anyone can use to send mail. This used to be the default configuration of many mail servers.
The command to run open-relay detection with Nmap is as follows:
nmap -sV --script smtp-open-relay -v localhost
Brute-force SMTP passwords
Mail servers usually store very sensitive information, so penetration testers brute-force their passwords to audit for weak credentials.
nmap -p25 -Pn --script smtp-brute target
Enumerate SMTP server users
Using an email address as the user name is very common in web applications, so collecting user names is a necessary task when auditing a mail server. Nmap's script engine automates this task.
nmap -p25 --script smtp-enum-users target
Detect SMTP server backdoors
nmap -sV --script smtp-strangeport target
Brute-force IMAP passwords
nmap -p143 --script imap-brute target
Retrieve IMAP server capabilities
IMAP servers support different sets of functions. The CAPABILITY command lists the commands supported by the mail server, and Nmap can automate this task.
nmap -p143,993 -Pn --script imap-capabilities target
Brute-force POP3 passwords
nmap -p110 --script pop3-brute google.com
Retrieve POP3 server capabilities
POP3 servers support the optional commands defined in RFC 2449 for different functions. Nmap can automatically query them and show the results in the scan output.
nmap -p110 --script pop3-capabilities target
Detect the Exim SMTP vulnerability in versions 4.70 to 4.75
Exim SMTP versions 4.70 to 4.75 have a format string vulnerability that allows attackers to execute code remotely. The Nmap Scripting Engine (NSE) helps penetration testers detect this vulnerability remotely. The arguments in angle brackets are placeholders:
nmap --script smtp-vuln-cve2011-1764 --script-args mailfrom=<from>,mailto=<to>,domain=<domain> -p25,465,587 <target>
Nmap Scripting Engine (NSE) development
Through the previous examples we have seen how powerful the Nmap Scripting Engine is. Nmap lets us develop custom scripts for network and web applications.
Scripts are written in the Lua language.
Nmap script format
An NSE script contains five fields and a port or host rule.
Description field
This field describes the script.
Categories field
This field lists the categories the script belongs to. See the following example.
categories = {"default", "discovery", "safe"}
Author field
This field gives the author and contact information of the script.
License field
This field helps ensure that we have legal permission to distribute the scripts bundled with Nmap. All those scripts currently use the standard Nmap license. The field is optional; scripts include the following line as standard.
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
Dependencies field
This field lists the names of scripts that should run before this script, which lets a script use the results of another script. For example, most smb-* scripts depend on smb-brute, because accounts found by smb-brute may let the other smb scripts obtain more information. Listing a dependency does not cause that script to be run; it still has to be selected with --script or another option. Dependencies are executed in the order listed. The following is an example.
dependencies = {"smb-brute"}
Rules
Nmap uses the script's rule to decide whether the script should run against a given target. A rule is a Lua function that returns true or false; if it evaluates to true, the script's action is executed.
The script must contain one or more of the following functions, which decide whether it runs:
prerule()
hostrule(host)
portrule(host, port)
postrule()
The prerule runs once in the pre-scan phase, before any host is scanned. The hostrule and portrule run after each host is scanned. The postrule runs once after all hosts have been scanned. A script with several rules can run in more than one phase.
Action
The action is the core part of an NSE script. It contains all the commands executed when the prerule, portrule, hostrule or postrule is triggered. It is a Lua function that takes the same parameters as the rule. Its return value may be a table of key-value pairs, a string, or nil; see http://nmap.org/book/nse-api.html#nse-structured-output for structured output.
Environment variables: each script has its own environment variables.
SCRIPT_PATH: the path of the script.
SCRIPT_NAME: the name of the script. This variable is useful in debugging output.
SCRIPT_TYPE: because a script can have several rule functions, this variable shows which rule activated the script, so a script can share the same code across scanning phases. It takes one of four string values: "prerule", "hostrule", "portrule" or "postrule", and it is only available during and after evaluation of the rule functions.
NSE libraries
Lua has many features for convenient development, and NSE adds a set of built-in libraries of its own. The nselib directory contains many libraries that developers can use to write new scripts. The list includes the following.
afp
Written by Patrik Karlsson to communicate with the Apple AFP service; the implementation is incomplete.
ajp
A basic AJP 1.3 implementation based on the documentation available for Apache mod_proxy_ajp: http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html
amqp
The AMQP library provides basic functions for retrieving the properties of an AMQP server.
asn1
ASN.1 functions.
base32
Base32 encoding and decoding, following RFC 4648.
base64
Base64 encoding and decoding, following RFC 4648.
bin
Pack and unpack binary data.
bit
Bitwise operations on integers.
bitcoin
Implements a small subset of the Bitcoin protocol. It currently supports the version handshake and processes address responses.
bittorrent
BitTorrent and DHT protocol library. It lets users read torrent file information, decode BitTorrent buffers, find the peers associated with a torrent, and find the DHT nodes discovered while searching for peers.
bjnp
An implementation of the Canon BJNP protocol, used to discover and query Canon network printers and scanner devices.
brute
The brute library is a generic framework for password guessing against remote services.
cassandra
Cassandra client library.
citrixxml
Written by Patrik Karlsson to communicate with the Citrix XML service. It is incomplete and lacks some functions and parameters.
comm
Common framework for network exploration tasks such as banner grabbing and data exchange.
creds
Credential classes supported by Nmap.
cvs
A minimal implementation of the CVS (Concurrent Versions System) pserver protocol, which currently only supports authentication.
datafiles
Reads and parses Nmap data files such as nmap-protocols, nmap-rpc, nmap-services and nmap-mac-prefixes.
dhcp
Implements a Dynamic Host Configuration Protocol (DHCP) client.
For more libraries, follow the links below:
http://nmap.org/book/nse-library.html
http://nmap.org/nsedoc/
Nmap API
The Nmap API is very useful for security researchers and penetration testers: it lets you customize scanning and exploitation. When Nmap finishes scanning a host, the data obtained is passed to the script as parameters; the host and port are encapsulated in Lua tables. If the script's hostrule matches, the host information is passed; if its portrule matches, both host and port information are passed.
Next let's look at the host table
This table is passed to the rule and action functions as a parameter. It contains details about the target, including the operating system matches.
host.os
An array of matched OS entries. Example:
host.os = {
  {
    name = "Linux 2.6/3.2",
    classes = {
      {
        vendor = "Linux",
        osfamily = "Linux",
        osgen = "2.6.x",
        type = "general purpose",
        cpe = {
          "cpe:/o:linux:linux_kernel:3",
          "cpe:/<...>",
          [More CPE]
        }
      },
      [More classes]
    },
  },
  [More OS matches]
}
Other fields of the host table (host.ip, host.name, and so on) work the same way; see http://nmap.org/book/nse-api.html for the complete list.
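As an added example (not from the original article), the following script uses the host.os table together with the hostrule/postrule phases and the SCRIPT_TYPE variable described above: it records the CPE identifiers of each host's best OS match, then reports a per-CPE host count once the whole scan is done. It assumes the scan runs with -O so that host.os is populated; the file name os-cpe-summary.nse and the author string are hypothetical.

```lua
-- Added example, not from the original page: collect the CPE identifiers of each
-- host's best OS match in a hostrule, then summarise them across all hosts in a
-- postrule. Exercises SCRIPT_TYPE, nmap.registry and the host.os table shown above.
-- Needs -O so that host.os is populated; hypothetical file name os-cpe-summary.nse.
local nmap = require "nmap"
local stdnse = require "stdnse"
description = [[
Records the CPE identifiers of the best OS match for every scanned host and
prints a per-CPE host count after all hosts have been scanned.
]]
author = "example author"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
-- Phase 1: run per host, but only when OS detection produced at least one match.
hostrule = function(host)
  return host.os ~= nil and #host.os > 0
end
-- Phase 2: run once after every host has been processed.
postrule = function()
  return true
end
action = function(host)
  stdnse.debug1("%s running in phase %s", SCRIPT_NAME, SCRIPT_TYPE)
  -- The registry persists across hosts and phases; key it by script name.
  nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {}
  local seen = nmap.registry[SCRIPT_NAME]
  if SCRIPT_TYPE == "hostrule" then
    local best = host.os[1]            -- matches are ordered best-first
    local out = stdnse.output_table()
    out.name = best.name
    out.cpe = {}
    for _, class in ipairs(best.classes or {}) do
      for _, cpe in ipairs(class.cpe or {}) do
        table.insert(out.cpe, cpe)
        seen[cpe] = (seen[cpe] or 0) + 1   -- tally matches per CPE
      end
    end
    return out
  end
  -- postrule: one entry per CPE with the number of matches seen across hosts
  local out, n = stdnse.output_table(), 0
  for cpe, count in pairs(seen) do
    out[cpe] = count
    n = n + 1
  end
  return n > 0 and out or nil
end
```

Run it with nmap -O --script ./os-cpe-summary.nse <targets>; the per-host output appears under each host and the summary table at the end of the scan.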
Network API
The nsock library provided by Nmap performs efficient, concurrent network I/O.
Connection API
This is part of the network API. The following is an example of using the connection API (inside an action function that receives host and port):
local nmap = require "nmap"
local socket = nmap.new_socket()
socket:set_timeout(1000)
-- if any try() call fails, the handler closes the socket before the script exits
local try = nmap.new_try(function() socket:close() end)
try(socket:connect(host.ip, port.number))
try(socket:send("login"))
local response = try(socket:receive())
socket:close()
Exception handling
Lua itself has no exception handling mechanism, so the NSE API provides one through nmap.new_try(): each call wrapped in try() either returns its result or invokes the catch handler and aborts the script.
local nmap = require "nmap"
local result, socket, try, catch
result = ""
socket = nmap.new_socket()
-- catch runs whenever a try() call fails; it releases the socket
catch = function()
  socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host.ip, port.number))
result = try(socket:receive_lines(1))
try(socket:send(result))
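As an added example (not from the original article), here is a complete portrule script that combines the connection API and the try/catch pattern above with the mail-server checks earlier in the page: it reads the SMTP greeting, issues EHLO and reports whether STARTTLS is advertised, so mail servers that still accept only cleartext stand out in the scan results. The file name smtp-starttls-check.nse, the author string and the EHLO host name are placeholders.

```lua
-- Added example, not from the original page: a portrule script built on the
-- connection API and the try/catch pattern above. It reads the SMTP greeting,
-- sends EHLO and reports whether STARTTLS is advertised, so mail servers that
-- only accept cleartext stand out in the scan output. Hypothetical file name
-- smtp-starttls-check.nse; the EHLO hostname is a placeholder.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Connects to an SMTP service, issues EHLO and reports the greeting banner and
whether the STARTTLS extension is advertised.
]]
author = "example author"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
-- Run on the usual SMTP/submission ports or anything identified as smtp.
portrule = shortport.port_or_service({25, 587}, "smtp")
-- Read one SMTP reply; continuation lines look like "250-...", the last "250 ...".
local function read_reply(try, socket)
  local lines, line = {}, nil
  repeat
    line = try(socket:receive_buf("\r?\n", false))
    lines[#lines + 1] = line
  until line:match("^%d%d%d ")
  return lines
end
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  -- catch handler: whichever try() fails, the socket is closed before we exit
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)
  try(socket:connect(host.ip, port.number))
  local greeting = read_reply(try, socket)
  try(socket:send("EHLO example.invalid\r\n"))
  local ehlo = read_reply(try, socket)
  socket:send("QUIT\r\n")   -- best effort; errors here no longer matter
  socket:close()
  local out = stdnse.output_table()
  out.banner = greeting[1]
  out.starttls = false
  for _, l in ipairs(ehlo) do
    if l:upper():match("^250[%s%-]STARTTLS") then out.starttls = true end
  end
  return out
end
```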
Our first NSE script
Next, let's take an example to show how to write your own NSE script.
Before that, please read the basic knowledge required for NSE development:
http://nmap.org/book/nse-tutorial.html
Hackers like to break into cameras to view other people's footage. The most common target is the AXIS camera. You can use the following dork to search:
inurl:axis-cgi/jpg
Open a URL containing axis-cgi/jpg/image.cgi and you can see the private or public camera feed without authorization. See the following example.
Now we can try to exploit this vulnerability with an NSE script.
1. Create the file axis.nse and write the following code to automate the process.
description = [[
Attempts to detect AXIS webcams vulnerable to unauthenticated access to the video stream by querying the URI "/axis-cgi/jpg/image.cgi".
]]
2. Load the libraries required for development.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
3. Define the execution rule.
portrule = shortport.http
4. Define the vulnerability check, in this case based on the HTTP status code.
action = function(host, port)
  local uri = "/axis-cgi/jpg/image.cgi"
  -- learn how this server answers a request for a page that does not exist;
  -- if it returns 200 for everything, a 200 on the target URI proves nothing
  local _, status_404, resp_404 = http.identify_404(host, port)
  if status_404 == 200 then
    stdnse.print_debug(1, "%s: Web server returns ambiguous response. Axis webcams return standard 404 status responses. Exiting.", SCRIPT_NAME)
    return
  end
  stdnse.print_debug(1, "%s: HTTP HEAD %s", SCRIPT_NAME, uri)
  local resp = http.head(host, port, uri)
  if resp.status and resp.status == 200 then
    return string.format("Axis video feed is unprotected: http://%s/axis-cgi/jpg/image.cgi", host.ip)
  end
end
You can find this script at https://github.com/bikashdash/Axis_Vuln_Webcam.
References:
https://secwiki.org/w/Nmap/External_Script_Library
http://nmap.org/book/nse-tutorial.html