nmap and nikto 101 at null
Nmap and Nikto 101
Ramnath
About me
• Ramnath Shenoy
• FireEye – Engineering
• OSCP
• Interests – Windows Internals and Web Applications. Path to OSCE!
• @ramnathsk
• https://in.linkedin.com/in/ramnathshenoyk
Agenda
• Introduction to Nmap.
• Basic scanning techniques.
• Enumeration and Vulnerability Detection.
• Nmap Demo
• Introduction to Nikto.
• Basic scanning techniques (various switches)
• Nikto Demo
Nmap
• Network Mapper - Utility used to identify assets and map them in a network.
• https://github.com/nmap/nmap (Current release is 7.40, a 19 year old project and still active)
Why Nmap
• How does Nmap... nmap?
[Figure: an example network with hosts 192.168.56.100, 192.168.56.145, 192.168.56.45 and 192.168.56.14, each exposing a handful of ports]
• Perhaps I can ping sweep?
• What if someone has a FW enabled?
• How to know which IPs are alive?
• There are only 65535 (ports) * 2 (TCP & UDP) * 24 (if class C) port/host combinations to check.
Nmap Switches – Discovery
nmap <options> <scan type> <target>
• Options
• Host discovery
  • -sn: Ping Scan - disable port scan
  • -Pn: Treat all hosts as online -- skip host discovery
  • -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  • --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  • --system-dns: Use OS's DNS resolver
• Target Specification
  • -iL <inputfilename>: Input from list of hosts/networks
  • -iR <num hosts>: Choose random targets
  • --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  • --excludefile <exclude_file>: Exclude list from file
Nmap Scanning techniques
• -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine whether a system is alive.
• -sS (SYN Scan) – Determines a system/port being alive by sending only SYN and waiting for SYN-ACK.
• -sT (TCP Scan) – Determines a system/port being alive by completing a 3-way handshake (SYN ; SYN+ACK ; ACK).
• -sF (FIN Scan) – Determines a system/port being alive by sending FIN and waiting for an ACK.
• -sU (UDP Scan) – Probes UDP; detects a system/port as alive when there is a UDP response or an ICMP destination-unreachable packet.
NMAP port “Status” - Open
• Open - SYN reached the end system, victim responded with SYN+ACK and completes the handshake.
nmap -n -sT -p 80 192.168.56.104
NMAP port “Status” - Closed
• Closed - SYN reached the end system, which responded with RST+ACK. The system is accessible but the service is not open on the victim.
nmap -n -sT -p 22 192.168.56.104
NMAP port “Status” - Filtered
• Filtered – Observed when a port does not respond on repeated tries.
nmap -n -sT -p 445 192.168.56.105
Why Service Enumeration?
• Port is open,.. 
• People run web servers on port 999!
• Is it running the Apache web service?? Something like 33% of www servers run on it.
• I need banners, and to identify what they are!
• I need the operating system type!
• I need vulns!
Nmap – Service Version and Enumeration!
• The Nmap-services database is constantly updated with services, fingerprinting and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine scripts (.nse files) to identify and enumerate the service that was detected earlier.
• -sC – runs the “default” set of ~200 Nmap Script Engine scripts (.nse files) to identify and enumerate the services and report the vulnerabilities identified. Optionally the --script option can be used.
Nmap service Enumeration!
• The difference between the two in action
[Figure: regular TCP scan beside a TCP scan with version detection]
-sT + -sV = -sTV
Nmap service Enumeration! - 2
• -sV under the hood!
NSE – What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated version detection and OS detection. Example: smb-os-discovery.nse, http-cisco-anyconnect.nse, ...
• Vulnerability detection. Example: tls-ticketbleed.nse, sslv2-drown.nse, ...
• Malware detection. Example: http-google-malware.nse, ...
• Vulnerability exploitation. Example: smb-psexec.nse, ...
NSE – what? where?
• -sC and --script use NSE. There is a default set launched when no option is given: https://nmap.org/nsedoc/categories/default.html
Nmap Enumeration technique
Notice how the service is not shell, even though the banner shows Shell.
Nmap Enumeration technique
So you need to use -sTV along with it for a version grab.
Nmap Scanning strategy
nmap --exclude 192.168.56.103 -sS -p 80 192.168.56.0/24 (sample – horizontal scan)
nmap -sS -p1-6000,27017-27019 192.168.56.102 (sample – vertical scan)
[Figure: hosts 192.168.56.102, 192.168.56.103, 192.168.56.104 and 192.168.56.105 with the TCP ports seen on each (80, 22, 443, 445, 8080, 1524, 9999); a horizontal scan covers one port across all hosts, a vertical scan covers many ports on one host]
Nmap Output Formatting
[Figure: the same scan shown as Regular Text, Greppable and XML output]
• Regular Text
• Greppable
• XML
Ndiff
Scan done earlier, non-compliant ports closed, and re-validation.
[Figure: ndiff output showing three ports closed]
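As an added example (not part of the slides), a small Python script that does for the XML output format what Ndiff does in this re-validation case: it parses two Nmap -oX reports of the same host, lists the ports that are no longer open, and flags any open port that is still off an allow-list. Both XML reports are constructed samples, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample Nmap -oX reports (not real scan output): the same host
# before and after the non-compliant ports were closed.
BEFORE_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX before.xml 192.168.56.102">
<host><status state="up"/><address addr="192.168.56.102" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="1524"><state state="open"/><service name="ingreslock"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
<port protocol="tcp" portid="9999"><state state="open"/><service name="abyss"/></port>
</ports></host></nmaprun>"""

AFTER_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX after.xml 192.168.56.102">
<host><status state="up"/><address addr="192.168.56.102" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="1524"><state state="closed"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/></port>
<port protocol="tcp" portid="9999"><state state="closed"/></port>
</ports></host></nmaprun>"""

def open_ports(xml_text):
    """Map (addr, proto, port) -> service name for every open port of every host that is up."""
    found = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":
                svc = port.find("service")
                key = (addr, port.get("protocol"), int(port.get("portid")))
                found[key] = svc.get("name", "") if svc is not None else ""
    return found

def diff_open_ports(before_xml, after_xml):
    """Ndiff-style result: ports that stopped being open, and ports that newly appeared open."""
    before, after = open_ports(before_xml), open_ports(after_xml)
    return sorted(set(before) - set(after)), sorted(set(after) - set(before))

def non_compliant(xml_text, allowed):
    """Open ports not in the allow-list of (proto, port) pairs: what a re-validation should flag."""
    return sorted(k for k in open_ports(xml_text) if (k[1], k[2]) not in allowed)

if __name__ == "__main__":
    closed, opened = diff_open_ports(BEFORE_XML, AFTER_XML)
    print("no longer open:", closed)   # the three ports closed since the earlier scan
    print("newly open:", opened)       # anything that appeared since, i.e. new exposure
    print("still non-compliant:", non_compliant(AFTER_XML, {("tcp", 22), ("tcp", 80)}))
```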
NMAP – Demo, Stage 1
• Run time interaction
While running -> nmap -sT 192.168.56.102
Press ? -> v (verbosity) -> d (debug) -> p (packet tracing), arrow keys (how long?)
Shift + the same option (V, D, P) to disable it again
Nikto
Nikto
• Sponsored by Netsparker
• Written by Chris Sullo and David Lodge
• Language – Perl, needs SSL libraries
• https://github.com/sullo/nikto
• Current version is -> 2.1.6
Why Nikto?
• Web application vulnerability scanner.
• Default paths / CGI-install paths on Commercial Off The Shelf (COTS) applications.
• Version detection of COTS and reporting of their vulnerabilities.
• Tune and run only a specific vulnerability type on a set of servers.
• Misconfigurations and insecure data leakage in headers.
• Command line only
Nikto Basics
• Nikto has two help options: “nikto” (no arguments) & “-H” (extensive information)
Nikto Scanning Techniques
• Nikto scanning techniques
nikto -host http://192.168.56.102
nikto -h http://192.168.56.102
nikto -host 192.168.56.102 -port 443
nikto -host https://192.168.56.102
• Nikto scanning from a list of hosts
nikto -host hosts.txt -port 8080
• Nikto scan only from this root directory
nikto -host http://192.168.56.102 -root /admin/
Nikto Output
Nikto – Output 2
Nikto Tuning Options
nikto -Tuning 1 -host 192.168.56.102 -port 80,443,8080
Nikto – Tuning example
Nikto Output formatting
• nikto -o /path/file -Format htm -host 192.168.56.102 -port 80,443,8080
• nikto -output /path/file.htm -host 192.168.56.102 -port 80,443,8080
Nikto Run Time Debugging
• Space – show status
• v – verbose, d – debug, P – pause and N – next host
Nikto Demo 2
Thanks!