Nmap memo form: From Discovery to vulnerability exploitation (Part 5)

Source: Internet
Author: User
Tags cassandra imap email account


This is the last part of the memo list. Here we will mainly discuss vulnerability assessment and penetration testing.

Database audit

List database names

 

nmap -sV --script=mysql-databases 192.168.195.130

 

 

The database list is not displayed because no username and password were supplied. Pass them as script arguments:

 

nmap -sV --script=mysql-databases --script-args mysqluser=root,mysqlpass=toor 192.168.195.130

User audit

Authenticate with a password. Credentials can be obtained through brute-force cracking or by finding empty passwords.

 

nmap -sV --script=mysql-users 192.168.195.130

 

Check for an empty root password

 

sudo nmap --script mysql-empty-password 192.168.195.130

 

 

 

MySQL server variable list

Developers or DBAs often forget to configure the database environment correctly. The following command retrieves the environment settings.

nmap -p3306 --script mysql-variables localhost

Brute force cracking

Use the Nmap script to brute-force the username and password:

 

nmap --script=mysql-brute localhost

 

 

Hash dump

Dump the password hashes and crack them with John the Ripper. Root privileges on the database are required.

 

nmap --script=mysql-dump-hashes localhost

 

 

MySQL information

This is part of information gathering and will help the later penetration steps.

 

nmap --script=mysql-info localhost

 

 

MySQL enumeration

Once we have root privileges on the database, we can collect valid usernames and passwords.

 

nmap --script=mysql-enum localhost

 

 

Use CVE-2012-2122

Recall the notorious MySQL vulnerability CVE-2012-2122: attackers got into the database after trying 300 logins as root.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

http://www.exploit-db.com/exploits/19092/

http://blog.trendmicro.com/trendlabs-security-intelligence/mysql-password-verification-bypass-cve-2012-2122/

nmap --script=mysql-vuln-cve2012-2122 localhost

 

But the port is filtered out due to bad luck. I used the -d option to view the debug information. It shows that no response is returned because the port is filtered. I suggest you search through Shodan.

Penetration testing the mail server

We can use Nmap scripts to test the mail service as follows:

Use Google search to find valid email accounts

Test for open relay

Brute-force SMTP passwords

Enumerate SMTP server users

Detect SMTP server backdoors

Brute-force IMAP passwords

Retrieve the functions supported by the IMAP mail server

Brute-force POP3 passwords

Retrieve the functions supported by the POP3 mail server

Detect the Exim SMTP vulnerability in versions 4.70 to 4.75

Use Google search to find valid email accounts

 

nmap -p80 --script=http-email-harvest target

 

 

Test for open relay

What is an open relay? It is an SMTP server that anyone can use to send mail. This was the default configuration of many mail servers.

The command to run open relay detection with Nmap is as follows:

 

nmap -sV --script smtp-open-relay -v localhost

 

 

Brute-force SMTP passwords

Mail servers usually hold very sensitive information, so penetration testers brute-force their passwords to audit them for weak credentials.

 

nmap -p25 -Pn --script smtp-brute target

 

 

Enumerate SMTP server users

Using an email address as the username is very common in web applications, so collecting usernames is a necessary task when auditing a mail server. Nmap's scripting engine automates it.

nmap -p25 --script smtp-enum-users target

Detect SMTP server backdoors

 

nmap -sV --script smtp-strangeport target

 

 

Brute-force IMAP passwords

 

nmap -p143 --script imap-brute target

 

 

Retrieve the functions supported by the IMAP mail server

IMAP servers support different functions. The CAPABILITY command lists the commands a mail server supports, and Nmap can automate this task.

 

nmap -p143,993 -Pn --script imap-capabilities target

 

 

Brute-force POP3 passwords

 

nmap -p110 --script pop3-brute google.com

 

 

Retrieve the functions supported by the POP3 mail server

POP3 mail servers support commands for different functions defined in RFC 2449. Nmap can automate this task and show the information in the scan results.

 

nmap -p110 --script pop3-capabilities target

 

 

Detect the Exim SMTP vulnerability in versions 4.70 to 4.75

Exim SMTP versions 4.70 through 4.75 have a format string vulnerability that allows attackers to execute code remotely. The Nmap Scripting Engine (NSE) can help penetration testers detect this vulnerability remotely.

nmap --script smtp-vuln-cve2011-1764 --script-args mailfrom=<from>,mailto=<to>,domain=<domain> -p25,465,587 target

Replace <from>, <to> and <domain> with the sender address, recipient address and domain to use in the test message.
Nmap Scripting Engine (NSE) development

The previous examples have shown how powerful NSE is. With it we can develop custom scripts for network and web applications.

The scripts are written in the Lua language.

Nmap script format

An NSE script contains five fields and a port or host rule.

Description field

This field describes the script.

Categories field

This field lists the categories the script belongs to. See the following example.

categories = {"default", "discovery", "safe"}

 

Author field

This field gives the owner and contact information of the script.

License field

This field helps ensure that there is legal permission to distribute all the scripts bundled with Nmap. All the bundled scripts currently use the standard Nmap license; the field itself is optional. As standard they include the following line.

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

Dependencies field

This field contains the names of scripts to run before this script executes, so the script can use the results of another script. For example, most smb-* scripts depend on smb-brute, because accounts found by smb-brute may let the other smb scripts obtain more information. Listing a dependency does not cause that script to run; it still has to be selected with --script or another option. Dependencies are executed in the order listed. The following is an example.

dependencies = {"smb-brute"}

 

Rules

Nmap uses script rules to decide whether a script should run against a target. A rule is a Lua function that returns true or false; if it returns true, the script's action is executed.

The script must contain one or more of the following functions to determine when it runs:

prerule()

hostrule(host)

portrule(host, port)

postrule()

A prerule runs once in the script pre-scan phase, before any host is scanned. hostrule and portrule run after each host is scanned. A postrule runs once after all hosts have been scanned. A script can run in more than one stage if it has several rules.

Action

The action is the core part of an NSE script. It contains all the commands the script executes when its prerule, portrule, hostrule or postrule fires. It is a Lua function that accepts the same parameters as the rules. The action's return value may be a table of key-value pairs, a string, or nil. See http://nmap.org/book/nse-api.html#nse-structured-output for details.

Environment variables: each script has its own environment variables.

SCRIPT_PATH: the script's path.

SCRIPT_NAME: the script's name. This variable can be used in debug output.

SCRIPT_TYPE:

Because a script can have multiple rule functions, this variable shows which rule activated the script, so that the same code can be shared at different scanning stages. It takes one of four string values: "prerule", "hostrule", "portrule" or "postrule". It is only available during and after the evaluation of the rule function.
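To show how the five fields, the rule functions, SCRIPT_TYPE and nmap.registry fit together, here is an added example script; it is not code from the original page or from the Nmap project. The script name phase-demo.nse, the author string and the choice of 22/tcp as the port to count are assumptions made for this example. The script runs in three phases, records every host with 22/tcp open during the hostrule phase, and reports the total in the postrule phase.

```lua
-- phase-demo.nse (added example; name and author are placeholders)
-- Runs in the prerule, hostrule and postrule phases and shares state
-- between them through nmap.registry.

local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Demonstrates a script with prerule, hostrule and postrule functions.
Hosts with 22/tcp open are collected per host and counted after the scan.
]]

author = "example author (placeholder)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
dependencies = {}

-- Rules: each returns true or false. Nmap runs action() once for every
-- rule that returns true and sets SCRIPT_TYPE to that rule's name.
prerule = function()
  return true
end

hostrule = function(host)
  -- run only for hosts where 22/tcp was found open
  local port = nmap.get_port_state(host, {number = 22, protocol = "tcp"})
  return port ~= nil and port.state == "open"
end

postrule = function()
  return true
end

-- Per-script slot in the global registry, created on first use.
local function registry()
  nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {hosts = {}}
  return nmap.registry[SCRIPT_NAME]
end

action = function(host, port)
  local state = registry()

  if SCRIPT_TYPE == "prerule" then
    stdnse.debug1("%s: pre-scan phase, registry initialised", SCRIPT_NAME)
    return nil -- nothing worth printing in this phase
  elseif SCRIPT_TYPE == "hostrule" then
    table.insert(state.hosts, host.ip)
    return string.format("22/tcp open on %s (recorded)", host.ip)
  elseif SCRIPT_TYPE == "postrule" then
    -- returning a table produces structured output (also visible in -oX)
    local out = stdnse.output_table()
    out.ssh_hosts = state.hosts
    out.count = #state.hosts
    return out
  end
end
```

Run it with nmap -p22 --script ./phase-demo.nse target. The same action body serves all three phases; the branch on SCRIPT_TYPE is what the page means by sharing code between scanning stages, and nmap.registry is the only place state survives from one phase to the next.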

NSE libraries

Lua has many convenient features for development, and Nmap adds its own library collection for NSE development. The nselib directory contains many libraries that developers can use when writing new scripts. The library list is as follows.

afp

Written by Patrik Karlsson to communicate with the Apple AFP service; the implementation is not complete.

ajp

A basic AJP 1.3 implementation based on the available Apache mod_proxy_ajp documentation: http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html

amqp

The AMQP library provides some basic functions for retrieving the properties of an AMQP server.

asn1

ASN.1 functions.

base32

Base32 encoding and decoding, following RFC 4648.

base64

Base64 encoding and decoding, following RFC 4648.

bin

Pack and unpack binary data.

bit

Bitwise operations on integers.

bitcoin

This library implements a small subset of the Bitcoin protocol. It currently supports the version handshake and handles address responses.

bittorrent

A BitTorrent and DHT protocol library that lets users read information from a torrent file, decode bencoded buffers, find peers associated with a torrent, and retrieve the nodes discovered while searching for peers.

bjnp

An implementation of the Canon BJNP protocol used to discover and query Canon network printers and scanners.

brute

The brute library is a common framework for password guessing against remote services.

cassandra

A Cassandra client library.

citrixxml

This module was written by Patrik Karlsson to communicate with the Citrix XML service. It is incomplete and lacks some functions and parameters.

comm

Common framework for network discovery tasks such as banner grabbing and data exchange.

creds

Credential classes supported by Nmap.

cvs

A minimal implementation of the CVS (Concurrent Versions System) pserver protocol, which currently only supports authentication.

datafiles

Read and parse Nmap data files such as nmap-protocols, nmap-rpc, nmap-services and nmap-mac-prefixes.

dhcp

Implements a Dynamic Host Configuration Protocol (DHCP) client.

For more libraries, follow the links below:

http://nmap.org/book/nse-library.html

http://nmap.org/nsedoc/

Nmap API

The Nmap API is very useful to security researchers and penetration testers: it lets you customise behaviour during scanning and exploitation. The data Nmap gathers about a host is passed to the script as arguments, with host and port details packed into Lua tables. If the script's hostrule matches, it receives the host table; if its portrule matches, it receives both the host and the port table.

Next, let's take a look at the host table in the API.

This table is passed to the rule and action functions as a parameter. It contains details about the host, including the operating system.

host.os

An array of matched operating systems. Example:

 

 

host.os = {
  {
    name = "Linux 2.6/3.2",
    classes = {
      {
        vendor = "Linux",
        osfamily = "Linux",
        osgen = "2.6.x",
        type = "general purpose",
        cpe = {
          "cpe:/o:linux:linux_kernel:3",
          "cpe:/<...>",
          [More CPE]
        }
      },
      [More classes]
    },
  },
  [More OS matches]
}

 

In the same way the table exposes host.ip, host.name and other fields. For the complete list, see http://nmap.org/book/nse-api.html.
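As an added example, not from the original page or from the Nmap project, the following script walks the host.os table shown above and returns its contents as structured output. The author string is a placeholder, and the script assumes the scan was run with OS detection (-O, which needs root) so that host.os is populated; summarise_os is a helper name chosen here.

```lua
-- os-summary.nse (added example; name and author are placeholders)
-- Reads the host.os table filled in by OS detection and reports every
-- match together with its classes and CPE strings as structured output.

local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Summarises the OS detection results stored in host.os, listing each
match name, its classes and the CPE strings attached to them.
]]

author = "example author (placeholder)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Only run when OS detection produced at least one match.
hostrule = function(host)
  return host.os ~= nil and #host.os > 0
end

-- Turn a host.os-style array into an ordered output table. Every field
-- read here (name, classes, vendor, osfamily, osgen, type, cpe) is one
-- of the fields shown in the host.os layout above.
local function summarise_os(os_matches)
  local out = stdnse.output_table()
  for i, match in ipairs(os_matches) do
    local entry = stdnse.output_table()
    entry.name = match.name
    entry.classes = {}
    entry.cpe = {}
    for _, class in ipairs(match.classes or {}) do
      table.insert(entry.classes, string.format("%s %s %s (%s)",
        class.vendor or "?", class.osfamily or "?",
        class.osgen or "?", class.type or "?"))
      for _, cpe in ipairs(class.cpe or {}) do
        table.insert(entry.cpe, cpe)
      end
    end
    out["match" .. i] = entry
  end
  return out
end

action = function(host)
  return summarise_os(host.os)
end
```

Run it with sudo nmap -O --script ./os-summary.nse target. Because the action returns a table rather than a string, the result appears as nested elements in XML output (-oX), which is the form a defender would feed into inventory or patch-tracking tooling.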

 

Network I/O API

The nsock library provided by Nmap runs network I/O efficiently and concurrently.

Connect-style API

This is part of the network API. The following is an example of the connect-style API.

local nmap = require "nmap"

action = function(host, port)
  -- create a socket and give it a 1-second timeout
  local socket = nmap.new_socket()
  socket:set_timeout(1000)
  -- on any failure, close the socket and abort the script
  local try = nmap.new_try(function() socket:close() end)
  try(socket:connect(host.ip, port.number))
  try(socket:send("login"))
  local response = try(socket:receive())
  socket:close()
  return response
end

 

Exception handling

Lua has no try/catch exception handling mechanism, so the Nmap API provides powerful exception handling helpers. nmap.new_try() returns a function that runs a catch function and aborts the script when the call it wraps fails.

local nmap = require "nmap"

action = function(host, port)
  local result, socket, try, catch
  result = ""
  socket = nmap.new_socket()
  -- catch runs when a try() call fails, so the socket is always closed
  catch = function()
    socket:close()
  end
  try = nmap.new_try(catch)
  try(socket:connect(host.ip, port.number))
  -- read one line from the service and echo it back
  result = try(socket:receive_lines(1))
  try(socket:send(result))
  socket:close()
  return result
end
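The IMAP CAPABILITY check from the mail-server section and the socket/try/catch pattern above can be combined into one complete script. The following is an added example, not from the original page and not Nmap's own imap-capabilities script. It assumes a standard IMAP service on 143/tcp, uses the arbitrary tag a001, and the author string and helper name parse_capabilities are placeholders chosen here. Beyond listing capabilities, it flags the configuration a defender cares about: cleartext LOGIN offered without STARTTLS.

```lua
-- imap-caps-check.nse (added example; name and author are placeholders)
-- Talks IMAP over the raw socket API, parses the CAPABILITY response and
-- warns when cleartext login is possible.

local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Connects to an IMAP service, issues the CAPABILITY command and reports
whether cleartext LOGIN is offered without STARTTLS.
]]

author = "example author (placeholder)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

portrule = shortport.port_or_service({143}, "imap")

-- Extract the capability names from an untagged "* CAPABILITY ..." line.
local function parse_capabilities(data)
  local caps = {}
  local line = data:match("%* CAPABILITY ([^\r\n]*)")
  if not line then return caps end
  for word in line:gmatch("%S+") do
    caps[word:upper()] = true
  end
  return caps
end

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  -- catch closes the socket; try aborts the script when a call fails
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  try(socket:connect(host, port))
  local greeting = try(socket:receive_lines(1))
  if not greeting:match("^%* OK") then
    socket:close()
    return nil -- not an IMAP greeting, stay quiet
  end

  try(socket:send("a001 CAPABILITY\r\n"))
  -- keep reading until the tagged completion line for a001 arrives
  local response = ""
  repeat
    response = response .. try(socket:receive_lines(1))
  until response:match("^a001 ") or response:match("\na001 ")
        or #response > 4096
  socket:close()

  local caps = parse_capabilities(response)
  local names = {}
  for name in pairs(caps) do table.insert(names, name) end
  table.sort(names)

  local out = stdnse.output_table()
  out.capabilities = names
  out.starttls = caps["STARTTLS"] and "yes" or "no"
  out.login_disabled = caps["LOGINDISABLED"] and "yes" or "no"
  if not caps["STARTTLS"] and not caps["LOGINDISABLED"] then
    out.warning = "cleartext LOGIN offered without STARTTLS"
  end
  return out
end
```

Run it with nmap -p143 --script ./imap-caps-check.nse target. Because the try wrapper is built around a catch that closes the socket, a timeout or reset at any step still releases the connection, which is the point of the exception-handling pattern the page describes.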

 

Our first NSE script

Next, let's work through an example of writing our own NSE script.

Before that, please read the basic knowledge required for NSE development:

http://nmap.org/book/nse-tutorial.html

Hackers like to break into cameras to view other people's pictures. The most common target is the AXIS camera. You can use the following dork to search.

inurl:axis-cgi/jpg

Open the URL with axis-cgi/jpg/image.cgi, and you can see the private or public camera without authorization. See the following example.

Now we can try to exploit this vulnerability using an NSE script.

1. Create the file axis.nse and write the following code to automate the process.

description = [[
Attempts to detect AXIS webcams vulnerable to unauthenticated access to the video stream by querying the URI "/axis-cgi/jpg/image.cgi".
]]

 

2. Load the libraries required for development.

local http = require "http"

local shortport = require "shortport"

local stdnse = require "stdnse"

3. Define the execution rule.

portrule = shortport.http

 

4. Define the action, which identifies the vulnerability by the HTTP status code.

action = function(host, port)
  local uri = "/axis-cgi/jpg/image.cgi"
  -- check how the server answers a request for a page that does not exist;
  -- a server that returns 200 for everything cannot be tested this way
  local _, status_404, resp_404 = http.identify_404(host, port)
  if status_404 == 200 then
    stdnse.print_debug(1, "%s: Web server returns ambiguous response. Axis webcams return standard 404 status responses. Exiting.", SCRIPT_NAME)
    return
  end
  stdnse.print_debug(1, "%s: HTTP HEAD %s", SCRIPT_NAME, uri)
  local resp = http.head(host, port, uri)
  -- a 200 on the image URI without credentials means the feed is exposed
  if resp.status and resp.status == 200 then
    return string.format("Axis video feed is unprotected: http://%s/axis-cgi/jpg/image.cgi", host.ip)
  end
end

 

You can find this script at https://github.com/bikashdash/Axis_Vuln_Webcam.

Reference:

https://secwiki.org/w/Nmap/External_Script_Library

http://nmap.org/book/nse-tutorial.html

 
