root@nmap~#whoami. - irongeek.com · nmap scripting engine metasploit integration av evasion nse...
![Page 1: root@nmap~#whoami. - Irongeek.com · Nmap Scripting Engine Metasploit Integration AV Evasion NSE Scripts: What, Where, Why and How Using Scripts like a boss for pentesting](https://reader030.vdocument.in/reader030/viewer/2022021720/5bb2929d09d3f206648c6adb/html5/thumbnails/1.jpg)
root@nmap~#whoami • Martin Bos • @purehate_ on the twitters
Industry Thought Leader
I Nmap
#!/bin/bash
# Disclaimer: I use lots of content from this book. If you do not own this book,
# please be sure to purchase it as soon as possible because it is the Bible when
# it comes to effectively using Nmap to its full potential. Plus, it was written by
# the author of Nmap himself.
Nmap Scripting Engine Metasploit Integration AV Evasion
NSE Scripts: What, Where, Why and How Using Scripts like a boss for pentesting
Nmap Scripting Engine (NSE)
o Nmap's most powerful and flexible feature
o Allows users to write (and share) simple scripts
o Scripts are written in the Lua programming language
o Scripts are executed in parallel
o Write your own to meet custom needs
Tasks Nmap developers had in mind for NSE
o Network Discovery - WHOIS, ARIN, RIPE, APNIC, identd lookups on open ports, SNMP queries, and listing NFS, SMB and RPC shares and services
o More Sophisticated Version Detection - Handles tricky services like Skype v2 or SNMP brute force by using multiple probes
o Run by default with the -sV argument
o Vulnerability Detection - Not a comprehensive vulnerability scanner but is great for single checks across a large network
o Backdoor Detection - NSE, signatures and regex can be used to quickly create a scan script to locate infections on the network
o http://nmap.org/nsedoc/scripts/ssl-heartbleed.html
o Vulnerability Exploitation - NSE scripts can also contain the necessary code to exploit vulnerabilities
Script Categories
o Auth - Deal with credentials on a target system
o Broadcast - Discovery of hosts not listed on the command line by broadcasting on the local network
o Default - A default set of scripts considered "standard" info
o Discovery - Actively discover more info (directory services, SNMP, public registries, etc.)
o Dos - Scripts that may crash a service (denial of service)
o Exploit - Actively exploit some vulnerability
o External - Send data to a third-party database or other network resource
Script Categories
o Fuzzer - Send server software unexpected or randomized fields in each packet
o Intrusive - Scripts that cannot be classified as safe because the risk is too high that they will crash the target system
o Safe - Scripts which weren't designed to crash services, use large amounts of network bandwidth or other resources
o Version - Extension to the version detection feature; they cannot be selected explicitly and run only when -sV is given
o Vuln - These scripts check for specific known vulnerabilities
Command-line Arguments
o -sC - Performs a script scan using the default set of scripts. It is equivalent to --script=default
o --script <filename>|<category>|<directory>|<expression>[,...] - Runs a script scan using the comma-separated list of filenames, script categories, and directories
o --script-args <args> - Provides arguments to the scripts
o --script-args-file <filename> - The same as --script-args except that you pass the arguments in a file rather than on the command line
o --script-help <filename>|<category>|<directory>|<expression>|all[,...] - Shows help about scripts
o --script-trace - All incoming and outgoing communication performed by scripts is printed
o --script-updatedb - Updates the script database found in scripts/script.db which is used by Nmap to determine the available default scripts and categories
Couple More Key Points
o If the -oX option is used together with --script-help, an XML representation of the script help will be written to the given file
o -sV - A version scan automatically executes the scripts in the version category. Their output blends in with the version scan results and they do not produce any separate script scan output
o -A - The aggressive Nmap mode implies the -sC option
Methodology
o Plug in network and create subnet lists
o ifconfig
o /etc/resolv.conf
o netdiscover
o Wireshark
o dig
o Ping scan to create list of live IPs
o nmap -sP -PI (the older spellings of -sn and -PE; Nmap still accepts them)
o SYN scan using timing and other evasion techniques, one port at a time
o cat hostlist.txt | sort -R | nmap -sS -p 389 -oG myscan -iL -
o Use nmap scripts against the hosts one by one in each port.txt file
o nmap -Pn -n --open -p21 --script ftp-anon,ftp-bounce,ftp-libopie -iL 21.txt
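The per-port host lists (21.txt, 22.txt, ...) that the last two steps feed into -iL have to come out of the one-port-at-a-time SYN scans. As an added example that is not part of the slides, the POSIX shell script below builds those lists from nmap's grepable (-oG) output, keeping only ports in the open state and deduplicating hosts. The gnmap lines it parses are a constructed sample with made-up addresses; the function names and the per-port file layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the slides: build the per-port host lists
# (21.txt, 22.txt, ...) that the methodology feeds back into nmap with -iL,
# starting from grepable (-oG) output of the one-port-at-a-time SYN scans.
# Only ports reported "open" are kept; filtered and closed ports are dropped.
set -eu

# Constructed sample of nmap -oG output (addresses and services are made up).
# Real -oG lines separate the Host:, Ports: and Ignored State: fields with tabs.
sample_gnmap() {
    printf '# Nmap 6.45 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.4 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.22 ()\tPorts: 21/filtered/tcp//ftp///, 53/open/udp//domain///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.7 ()\tStatus: Up\n'
    printf '# Nmap done (constructed sample)\n'
}

# split_by_port <gnmap file> <output dir>
# Writes <output dir>/<port>.txt, one IP per line, deduplicated, for every
# port in the "open" state. Each file is the -iL input for that port's scan.
split_by_port() {
    gnmap=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -F'\t' -v outdir="$outdir" '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                # entry layout: port/state/proto/owner/service/rpcinfo/version/
                split(entry[j], f, "/")
                if (f[2] == "open") print ip >> (outdir "/" f[1] ".txt")
            }
        }' "$gnmap"
    # a host that shows up in several scan runs would otherwise be listed twice
    for list in "$outdir"/*.txt; do
        [ -e "$list" ] || continue
        sort -u -o "$list" "$list"
    done
}

# hosts_for_port <output dir> <port>: print that port's list (empty if none)
hosts_for_port() {
    if [ -f "$1/$2.txt" ]; then
        cat "$1/$2.txt"
    fi
}

# Demo: build the lists from the sample and show what the next step would be
demo() {
    tmp=$(mktemp -d)
    sample_gnmap > "$tmp/scan.gnmap"
    split_by_port "$tmp/scan.gnmap" "$tmp/lists"
    for list in "$tmp/lists"/*.txt; do
        port=$(basename "$list" .txt)
        printf '%s.txt: %s host(s)\n' "$port" "$(wc -l < "$list" | tr -d ' ')"
    done
    # The per-port script scan from the slide, randomized with sort -R as there:
    #   sort -R "$tmp/lists/21.txt" | nmap -Pn -n --open -p21 --script ftp-anon,ftp-bounce,ftp-libopie -iL -
}
demo
```

Run the SYN scans with -oG, point split_by_port at each .gnmap file (it appends, so several runs can feed one set of lists), then use the resulting port files with -iL exactly as in the FTP, SSH and SMTP slides below. Ports shown as filtered never reach a list, so the later script scans only hit hosts that actually answered.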
Sounds Cool! Where the heck are they?
[root@labs ~] 2014-05-09 08:48:56 # cd /usr/share/nmap/scripts/
[root@labs scripts] 2014-05-09 08:49:09 # ls | head
acarsd-info.nse
address-info.nse
afp-brute.nse
afp-ls.nse
afp-path-vuln.nse
afp-serverinfo.nse
afp-showmount.nse
ajp-auth.nse
ajp-brute.nse
ajp-headers.nse
[root@labs scripts] 2014-05-09 08:49:14
Research the Usage
http://nmap.org/nsedoc/scripts/
FTP
Search: nmap --script-help "ftp-*"
Example: nmap --scan-delay 5s -g 53 -iL 21.txt -Pn -n -sS --open -p21 --script=banner,ftp-anon,ftp-bounce
# ls -lah | grep ftp
-rw-r--r-- 1 root root 5.9K Apr 17 03:33 ftp-anon.nse
-rw-r--r-- 1 root root 5.0K Apr 17 03:33 ftp-bounce.nse
-rw-r--r-- 1 root root 3.4K Apr 17 03:33 ftp-brute.nse
-rw-r--r-- 1 root root 3.2K Apr 17 03:33 ftp-libopie.nse
-rw-r--r-- 1 root root 3.3K Apr 17 03:33 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root 6.2K Apr 17 03:33 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root 6.1K Apr 17 03:33 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root 6.0K Apr 17 03:33 tftp-enum.nse
SSH
Search: nmap --script-help "ssh-*"
(the pattern "ssh-*" misses sshv1 and ssh2-enum-algos; search "ssh*" to see all three)
Example: nmap --scan-delay 5s -g 53 -iL 22.txt -Pn -n -sS --open -p22 --script=sshv1,ssh2-enum-algos
# ls -lah | grep ssh
-rw-r--r-- 1 root root 5.6K Apr 17 03:33 ssh2-enum-algos.nse
-rw-r--r-- 1 root root 15K Apr 17 03:33 ssh-hostkey.nse
-rw-r--r-- 1 root root 1.5K Apr 17 03:33 sshv1.nse
SMTP
Search: nmap --script-help "smtp-*"
Example: nmap --scan-delay 5s -g 53 -iL 25.txt -Pn -n -sS --open -p25 --script=banner,smtp-commands,smtp-enum-users,smtp-open-relay,smtp-strangeport
# ls -lah | grep smtp
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 smtp-brute.nse
-rw-r--r-- 1 root root 4.7K Apr 17 03:33 smtp-commands.nse
-rw-r--r-- 1 root root 12K Apr 17 03:33 smtp-enum-users.nse
-rw-r--r-- 1 root root 10K Apr 17 03:33 smtp-open-relay.nse
-rw-r--r-- 1 root root 715 Apr 17 03:33 smtp-strangeport.nse
-rw-r--r-- 1 root root 15K Apr 17 03:33 smtp-vuln-cve2010-4344.nse
-rw-r--r-- 1 root root 7.6K Apr 17 03:33 smtp-vuln-cve2011-1720.nse
-rw-r--r-- 1 root root 7.8K Apr 17 03:33 smtp-vuln-cve2011-1764.nse
DNS
Search: nmap --script-help "dns-*"
Example: nmap --scan-delay 5s -g 53 -iL 53.txt -Pn -n -sS -sU --open -p53 --script=dns-cache-snoop,dns-service-discovery,dns-update,dns-zone-transfer,dns-recursion
(dns-update attempts an unauthenticated dynamic DNS update and is in the intrusive category; drop it when you only want read-only checks)
# ls -lah | grep dns
-rw-r--r-- 1 root root 1.5K Apr 17 03:33 broadcast-dns-service-discovery.nse
-rw-r--r-- 1 root root 5.3K Apr 17 03:33 dns-blacklist.nse
-rw-r--r-- 1 root root 9.0K Apr 17 03:33 dns-brute.nse
-rw-r--r-- 1 root root 7.0K Apr 17 03:33 dns-cache-snoop.nse
-rw-r--r-- 1 root root 15K Apr 17 03:33 dns-check-zone.nse
-rw-r--r-- 1 root root 15K Apr 17 03:33 dns-client-subnet-scan.nse
-rw-r--r-- 1 root root 11K Apr 17 03:33 dns-fuzz.nse
-rw-r--r-- 1 root root 3.7K Apr 17 03:33 dns-ip6-arpa-scan.nse
-rw-r--r-- 1 root root 13K Apr 17 03:33 dns-nsec3-enum.nse
-rw-r--r-- 1 root root 11K Apr 17 03:33 dns-nsec-enum.nse
-rw-r--r-- 1 root root 3.4K Apr 17 03:33 dns-nsid.nse
-rw-r--r-- 1 root root 26K Apr 17 03:33 dns-zone-transfer.nse
...
DHCP
Example: nmap --scan-delay 5s -g 53 -iL 67.txt -Pn -n -sS -sU --open -p67 -sC
# ls -lah | grep dhcp
-rw-r--r-- 1 root root 3.2K Apr 17 03:33 broadcast-dhcp6-discover.nse
-rw-r--r-- 1 root root 6.6K Apr 17 03:33 broadcast-dhcp-discover.nse
-rw-r--r-- 1 root root 5.8K Apr 17 03:33 dhcp-discover.nse
MSSQL
Search: nmap --script-help "ms-sql-*"
Example: nmap --scan-delay 5s -g 53 -iL mssql.txt -Pn -n -sS -sUV --open -p T:1433,U:1434 --script=ms-sql-info,ms-sql-empty-password,ms-sql-tables,ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa
(one --script list and one --script-args: the sa credentials are then available to every ms-sql-* script that takes them)
# ls -lah | grep ms-sql
-rw-r--r-- 1 root root 12K Apr 17 03:33 ms-sql-brute.nse
-rw-r--r-- 1 root root 6.0K Apr 17 03:33 ms-sql-config.nse
-rw-r--r-- 1 root root 4.1K Apr 17 03:33 ms-sql-dump-hashes.nse
-rw-r--r-- 1 root root 7.1K Apr 17 03:33 ms-sql-empty-password.nse
-rw-r--r-- 1 root root 5.9K Apr 17 03:33 ms-sql-hasdbaccess.nse
-rw-r--r-- 1 root root 11K Apr 17 03:33 ms-sql-info.nse
-rw-r--r-- 1 root root 4.7K Apr 17 03:33 ms-sql-query.nse
-rw-r--r-- 1 root root 9.5K Apr 17 03:33 ms-sql-tables.nse
-rw-r--r-- 1 root root 6.2K Apr 17 03:33 ms-sql-xp-cmdshell.nse
NFS
Search: nmap --script-help "nfs-*"
Example: nmap --scan-delay 5s -g 53 -iL 111.txt -Pn -n -sS --open -p111 --script=rpcinfo,nfs-ls,nfs-showmount,nfs-statfs
# ls -lah | grep nfs
-rw-r--r-- 1 root root 14K Apr 17 03:33 nfs-ls.nse
-rw-r--r-- 1 root root 2.7K Apr 17 03:33 nfs-showmount.nse
-rw-r--r-- 1 root root 9.5K Apr 17 03:33 nfs-statfs.nse
NetBIOS
Example: nmap --scan-delay 5s -g 53 -iL 137.txt -Pn -n -sS -sU --open -p137 --script=nbstat
# ls -lah | grep netbios
-rw-r--r-- 1 root root 2.0K Apr 17 03:33 broadcast-netbios-master-browser.nse
[root@labs scripts] 2014-05-09 17:02:44 # ls -lah | grep nbstat
-rw-r--r-- 1 root root 7.5K Apr 17 03:33 nbstat.nse
SMB
Search: nmap --script-help "smb-*"
Example: nmap --scan-delay 5s -g 53 -iL smb.txt -Pn -n -sS --open -p139,445 --script="smb-enum*",smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,smb-check-vulns --script-args safe=1
(safe=1 makes smb-check-vulns run only the checks it considers safe; its full set is documented as likely to bring down a server)
# ls -lah | grep smb
-rw-r--r-- 1 root root 46K Apr 17 03:33 smb-brute.nse
-rw-r--r-- 1 root root 28K Apr 17 03:33 smb-check-vulns.nse
-rw-r--r-- 1 root root 4.8K Apr 17 03:33 smb-enum-domains.nse
-rw-r--r-- 1 root root 3.6K Apr 17 03:33 smb-enum-groups.nse
-rw-r--r-- 1 root root 8.2K Apr 17 03:33 smb-enum-processes.nse
-rw-r--r-- 1 root root 13K Apr 17 03:33 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6.2K Apr 17 03:33 smb-enum-shares.nse
-rw-r--r-- 1 root root 13K Apr 17 03:33 smb-enum-users.nse
...
WEB
Search: nmap --script-help "http-*"
Example: nmap --scan-delay 5s -g 53 -iL web.txt -Pn -n -sS --open -p80,443,8000,8080,8443 --script=http-date,http-enum,http-favicon,http-headers,http-open-proxy,http-php-version,http-robots.txt,http-title,http-trace,http-vhosts,http-vmware-path-vuln,citrix-enum-apps-xml,citrix-enum-servers-xml --stats-every 30s
# ls -lah | grep http | head -n 5
-rw-r--r-- 1 root root 2.1K Apr 17 03:33 http-adobe-coldfusion-apsa1301.nse
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 http-affiliate-id.nse
-rw-r--r-- 1 root root 2.0K Apr 17 03:33 http-apache-negotiation.nse
-rw-r--r-- 1 root root 3.9K Apr 17 03:33 http-auth-finder.nse
-rw-r--r-- 1 root root 3.1K Apr 17 03:33 http-auth.nse
SNMP
Search: nmap --script-help "snmp-*"
Example: nmap --scan-delay 5s -g 53 -iL 161.txt -Pn -n -sS -sU --open -p161 --script=snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software
# ls -lah | grep snmp
-rw-r--r-- 1 root root 7.9K Apr 17 03:33 snmp-brute.nse
-rw-r--r-- 1 root root 4.6K Apr 17 03:33 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root 17K Apr 17 03:33 snmp-interfaces.nse
-rw-r--r-- 1 root root 6.6K Apr 17 03:33 snmp-ios-config.nse
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 snmp-netstat.nse
-rw-r--r-- 1 root root 3.7K Apr 17 03:33 snmp-processes.nse
-rw-r--r-- 1 root root 3.0K Apr 17 03:33 snmp-sysdescr.nse
-rw-r--r-- 1 root root 2.2K Apr 17 03:33 snmp-win32-services.nse
-rw-r--r-- 1 root root 2.7K Apr 17 03:33 snmp-win32-shares.nse
-rw-r--r-- 1 root root 3.2K Apr 17 03:33 snmp-win32-software.nse
-rw-r--r-- 1 root root 2.0K Apr 17 03:33 snmp-win32-users.nse
LDAP
Search: nmap --script-help "ldap-*"
Example: nmap --scan-delay 5s -g 53 -iL 389.txt -Pn -n -sS --open -p389 --script=ldap-rootdse
# ls -lah | grep ldap
-rw-r--r-- 1 root root 15K Apr 17 03:33 ldap-brute.nse
-rw-r--r-- 1 root root 4.9K Apr 17 03:33 ldap-novell-getpass.nse
-rw-r--r-- 1 root root 6.6K Apr 17 03:33 ldap-rootdse.nse
-rw-r--r-- 1 root root 13K Apr 17 03:33 ldap-search.nse
SSL
Search: nmap --script-help "ssl-*"
Example: nmap --scan-delay 5s -g 53 -iL 443.txt -Pn -n -sS --open -p443 --script=banner,ssl-cert,ssl-enum-ciphers,sslv2,ssl-heartbleed
# ls -lah | grep ssl
-rw-r--r-- 1 root root 7.4K Apr 17 03:33 ssl-cert.nse
-rw-r--r-- 1 root root 3.8K Apr 17 03:33 ssl-date.nse
-rw-r--r-- 1 root root 15K Apr 17 03:33 ssl-enum-ciphers.nse
-rw-r--r-- 1 root root 2.1K Apr 17 03:33 ssl-google-cert-catalog.nse
-rw-r--r-- 1 root root 10K Apr 17 03:33 ssl-heartbleed.nse
-rw-r--r-- 1 root root 4.2K Apr 17 03:33 ssl-known-key.nse
-rw-r--r-- 1 root root 6.7K Apr 17 03:33 sslv2.nse
IP Geolocation
nmap -Pn -p80 --script "ip-geolocation-*" tools.question-defense.com
(quote the pattern so the shell cannot expand it against files in the current directory)
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-10 12:35 EDT
Nmap scan report for tools.question-defense.com (74.143.109.27)
Host is up.
rDNS record for 74.143.109.27: highland.corp.question-defense.com
PORT   STATE    SERVICE
80/tcp filtered http
Host script results:
| ip-geolocation-geobytes:
|   latitude: 38.2252
|   longitude: -85.7141
|   city: Louisville
|   region: Kentucky
|_  country: United States
| ip-geolocation-geoplugin:
|   74.143.109.27 (tools.question-defense.com)
|   coordinates (lat,lon): 38.400398,-85.772499
|_  state: Indiana, United States
|_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 2.79 seconds
Mo’ Scripts
o DB2 - nmap --scan-delay 5s -g 53 -iL 523.txt -Pn -n -sS -sU --open --version-intensity 0 -p523 --script=db2-discover,db2-das-info
o Oracle - nmap --scan-delay 5s -g 53 -iL 1521.txt -Pn -n -sS --open -p1521 --script=oracle-sid-brute
o Citrix - nmap --scan-delay 5s -g 53 -iL 1604.txt -Pn -n -sS -sU --open -p1604 --script=citrix-enum-apps,citrix-enum-servers
o MySQL - nmap --scan-delay 5s -g 53 -iL $name/3306.txt -Pn -n -sS --open -p3306 --script=mysql-databases,mysql-info,mysql-users,mysql-variables
Mo’ Scripts
o IMAP - nmap --scan-delay 5s -g 53 -iL 993.txt -Pn -n -sS --open -p993 --script=banner,sslv2,imap-capabilities
o POP3 - nmap --scan-delay 5s -g 53 -iL 995.txt -Pn -n -sS --open -p995 --script=banner,sslv2,pop3-capabilities
o VNC - nmap --scan-delay 5s -g 53 -iL 5900.txt -Pn -n -sS --open -p5900 --script=vnc-info,realvnc-auth-bypass
o X11 - nmap --scan-delay 5s -g 53 -iL x11.txt -Pn -n -sS --open -p6000-6005 --script=x11-access
o Finger - nmap --scan-delay 5s -g 53 -iL 79.txt -Pn -n -sS --open -p79 -sC
Adding Custom Scripts
o Many people write custom NSE scripts which are not included by default
o Github is a goldmine for these
o https://github.com/mainframed/NMAP
o https://github.com/kost/nmap-nse/tree/master/scripts
o https://github.com/offensivecoder/nmap-nse-scripts
o https://github.com/SpiderLabs/Nmap-Tools
o Read a third-party script before you install it: NSE scripts run inside nmap's process, which is root for any -sS scan, and a script can shell out or write files with that privilege
o Writing custom nmap scripts makes you look like a straight baller at work!
How the $#%@ do I add a custom script?
Using Nmap to Screenshot Web Services
o wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2 (Google Code downloads no longer exist; current builds come from wkhtmltopdf.org)
o tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
o cp wkhtmltoimage-i386 /usr/local/bin/
Download our Script
o git clone git://github.com/SpiderLabs/Nmap-Tools.git (GitHub no longer serves git://; clone https://github.com/SpiderLabs/Nmap-Tools.git instead)
o cd Nmap-Tools/NSE/
o cp http-screenshot.nse /usr/local/share/nmap/scripts/ (use the scripts directory of your own install; the earlier slides listed /usr/share/nmap/scripts/)
o nmap --script-updatedb
Take an a$$ load of screenshots
nmap -A --script=default,http-screenshot 192.168.1.0/24 -oA nmap-local
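Before a downloaded script goes into a directory that a root-run nmap loads from, it is worth knowing what it can do: http-screenshot.nse, for instance, shells out to wkhtmltoimage. The shell script below is an added example, not SpiderLabs' code and not part of the slides. It checks a .nse file for the fields every script in nmap's scripts/ directory carries (description, categories, a rule, action), reports os.execute/io.popen and io.open calls, and only then copies the script into the scripts directory and refreshes script.db. The sample script it inspects is constructed for the example; the NSE_INSTALL switch, the function names and the default /usr/share/nmap/scripts path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or from SpiderLabs: look inside a
# third-party NSE script before installing it. NSE scripts run inside nmap's
# process, which is root whenever you use -sS, so a script that shells out
# or writes files does so with that privilege.
set -eu

# nse_inspect <script.nse>
# Prints one line per finding. Returns 0 when the script has the fields every
# script in nmap's scripts/ directory carries (description, categories, one of
# portrule/hostrule/prerule/postrule, action) and 1 when any is missing.
# Shell-outs and file access are reported as warnings, not failures.
nse_inspect() {
    f=$1
    rc=0
    for field in description categories action; do
        if ! grep -Eq "^[[:space:]]*${field}[[:space:]]*=" "$f"; then
            echo "MISSING: $field"
            rc=1
        fi
    done
    if ! grep -Eq '^[[:space:]]*(portrule|hostrule|prerule|postrule)[[:space:]]*=' "$f"; then
        echo "MISSING: rule (portrule/hostrule/prerule/postrule)"
        rc=1
    fi
    # show the categories, since safe vs intrusive decides when the script runs
    cats=$(sed -n 's/^[[:space:]]*categories[[:space:]]*=[[:space:]]*{\(.*\)}.*/\1/p' "$f")
    if [ -n "$cats" ]; then
        echo "categories: $cats"
    fi
    if grep -Eq 'os\.execute|io\.popen' "$f"; then
        echo "WARNING: shells out (os.execute/io.popen) at:"
        grep -En 'os\.execute|io\.popen' "$f" | sed 's/^/  /'
    fi
    if grep -Eq 'io\.open[[:space:]]*\(' "$f"; then
        echo "NOTE: opens files (io.open)"
    fi
    return $rc
}

# nse_install <script.nse> [scripts dir]
# Copies the script into nmap's scripts directory and refreshes script.db so
# --script can find it by name or category. Refuses scripts that fail nse_inspect.
# The default directory is the one the earlier slides listed; adjust to your build.
nse_install() {
    script=$1
    dir=${2:-/usr/share/nmap/scripts}
    if ! nse_inspect "$script"; then
        echo "refusing to install $script: required fields missing" >&2
        return 1
    fi
    cp "$script" "$dir/"
    nmap --script-updatedb
}

# Constructed sample in the shape of a screenshot script: it shells out to
# wkhtmltoimage the way http-screenshot.nse does. This is not the SpiderLabs code.
write_sample_script() {
    cat > "$1" <<'EOF'
description = [[
Constructed sample: grabs a screenshot of a web service with an external tool.
]]
author = "example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

local shortport = require "shortport"

portrule = shortport.http

action = function(host, port)
  local cmd = "wkhtmltoimage-i386 -q http://" .. host.ip .. ":" .. port.number .. "/ shot.png"
  os.execute(cmd)
  return "saved shot.png"
end
EOF
}

# Demo: inspect the sample; copy it into nmap only when NSE_INSTALL=1 is set
tmp=$(mktemp -d)
write_sample_script "$tmp/http-shot-sample.nse"
nse_inspect "$tmp/http-shot-sample.nse"
if [ "${NSE_INSTALL:-0}" = "1" ]; then
    nse_install "$tmp/http-shot-sample.nse"
fi
```

Run it as is to see the report for the sample (the os.execute line is flagged), or with NSE_INSTALL=1 and a second argument to nse_install to copy a real script into the directory your build uses and refresh script.db. A script that passes the field check still deserves a read: the check tells you that nmap will load it and what it reaches out to, not that what it does is acceptable on your target.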
Nmap Scripting Engine Metasploit Integration AV Evasion
Importing and Working with Nmap Scans in Metasploit Using nmap from inside the framework
Getting Rollin' with the MSF database
[root@labs ~] 2014-05-10 00:27:45 # service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
[root@labs ~] 2014-05-10 00:27:55 # service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
[root@labs ~] 2014-05-10 00:28:09 # msfconsole
msf > db_status
[*] postgresql connected to msf3
MSF Database Crash Course
Command           Description
-------           -----------
creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces
Import an nmap file
msf > db_import 192.168_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.4.3.1'
[*] Importing host 192.168.1.1
[*] Importing host 192.168.1.2
[*] Importing host 192.168.1.3
[*] Importing host 192.168.1.4
[*] Importing host 192.168.1.7
[*] Importing host 192.168.1.9
[*] Importing host 192.168.1.10
[*] Importing host 192.168.1.13
[*] Importing host 192.168.1.15
[*] Importing host 192.168.1.16
[*] Importing host 192.168.1.22
[*] Importing host 192.168.1.100
[*] Successfully imported /root/192.168_scan.xml
Check out your targets
msf > hosts -u
Hosts
=====
address       mac  name       os_name  os_flavor  os_sp  purpose  info  comments
-------       ---  ----       -------  ---------  -----  -------  ----  --------
192.168.1.1                   Unknown                    device
192.168.1.10       goro.home  Unknown                    device
Use 'hosts -u' to get a list of only the hosts that are believed to be up
Use the -p flag to list only the specific ports you're interested in.

msf > services -p 445 -u

Services
========

host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open
Now to do something useful with this

msf > services -p 445 -R

Services
========

host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

RHOSTS => file:/tmp/msf-db-rhosts-20110909-32464-oyzbko

By adding the -R flag, you've told Metasploit to set the RHOSTS variable from the results of the search.
Now select an exploit or auxiliary module to use against these hosts

msf > use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > show options

Module options (auxiliary/scanner/smb/smb_enumusers):

   Name       Current Setting                                 Required  Description
   ----       ---------------                                 --------  -----------
   RHOSTS     file:/tmp/msf-db-rhosts-20110909-32464-oyzbko  yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP                                       no        The Windows domain to use for authentication
   SMBPass                                                    no        The password for the specified username
   SMBUser                                                    no        The username to authenticate as
   THREADS    1                                               yes       The number of concurrent threads
That's cool and all, but I am too lazy to import a file
Help with the hosts command

msf > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]

OPTIONS:
  -a,--add          Add the hosts instead of searching
  -d,--delete       Delete the hosts instead of searching
  -c <col1,col2>    Only show the given columns (see list below)
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by

Available columns: address, arch, comm, comments, created_at, cred_count, exploit_attempt_count, history_count, host_detail_count, info, mac, name, note_count, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln
Help with the services command

msf > services -h
Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <filename>] [addr1 addr2 ...]

  -a,--add          Add the services instead of searching
  -d,--delete       Delete the services instead of searching
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -s <name1,name2>  Search for a list of service names
  -p <port1,port2>  Search for a list of ports
  -r <protocol>     Only show [tcp|udp] services
  -u,--up           Only show services which are up
  -o <file>         Send output to a file in csv format
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by

Available columns: created_at, info, name, port, proto, state, updated_at
Example Database queries
o msf > hosts -c address,os_flavor
o msf > hosts -c address,os_flavor -S Linux
o msf > hosts -c address,os_flavor -S Linux -R
o msf > services -c name,info 172.16.194.134
o msf > services -c name,info -S http
o msf > services -c info,name -p 445
o msf > services -c port,proto,state -p 70-81
o msf > services -s http -c port 172.16.194.134
o msf > services -S Unr
Export that shiz

msf > services -s http -c port 172.16.194.134 -o /root/msfu/http.csv
[*] Wrote services to /root/msfu/http.csv
msf > hosts -S Linux -o /root/msfu/linux.csv
[*] Wrote hosts to /root/msfu/linux.csv
msf > cat /root/msfu/linux.csv
[*] exec: cat /root/msfu/linux.csv

address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
"172.16.194.172","00:0C:29:D1:62:80","","Linux","Debian","","server","",""
msf > cat /root/msfu/http.csv
[*] exec: cat /root/msfu/http.csv

host,port
"172.16.194.134","80"
"172.16.194.134","443"
Nmap Scripting Engine / Metasploit Integration / Evasion

Evasion: Defeating IDS/IPS, Stealth/Decoy Scanning, Firewall Subversion
SYN Scan: -sS (TCP SYN scan)
o Relatively unobtrusive and stealthy since it never completes TCP connections
o If you want to know more you should have been paying attention to Adrian
Source Port Manipulation: --source-port <portnumber>; -g <portnumber>
o DNS - Port 53 (TCP)
o FTP - Port 20 (TCP)
o Kerberos - Port 88 (TCP or UDP)
o DHCP - Port 67 (UDP)
Does not work for operations that use normal operating system sockets:
o DNS requests
o TCP connect scan
o OS version detection
o Script scanning
Fragmentation: -f (fragment packets); --mtu (use the specified MTU)
o Split up the TCP header over several packets to make it harder for packet filters
o Specify this option once and the packets are split into eight bytes or less after the IP header
  o 20-byte TCP header
  o Split into three packets
  o Two with eight bytes of the TCP header, and one with the final four
o Specify -f again to use 16 bytes per fragment
o Specify your own offset size with the --mtu option
  o Don't also specify -f if you use --mtu
  o Offset must be a multiple of eight
o Generally not supported for connect scans, FTP bounce, version detection and the scripting engine
Scan Delay: --scan-delay <time>; --max-scan-delay <time>
o Wait at least the given amount of time between each probe
o Evade threshold-based intrusion detection and prevention systems (IDS/IPS)
o Nmap tries to detect rate limiting and adjust the scan delay accordingly
o A low --max-scan-delay can speed up Nmap
IP List Randomization: --randomize-hosts (Randomize target host order)
o Combine it with slow timing options to make the scans less obvious to various network monitoring systems
o Only works up to 16384 hosts
o Alternative: shuffle the list with sort -R and then feed it to nmap with -iL
Decoy Scanning: -D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)
o Makes it appear to the remote host that the hosts you specify as decoys are scanning the target network too
o Makes the scans less obvious to various network monitoring systems
o Hosts you use as decoys should be up
o Use IP addresses instead of names
o Can be defeated through router path tracing, response-dropping, and other active mechanisms
o Decoys work with: the initial ping scan (using ICMP, SYN, ACK), the actual port scanning phase, and remote OS detection
o Decoys do not work with: version detection or TCP connect scan
Data Length: --data-length <number> (Append random data to sent packets)
o One common way to "signature" nmap packets is the default data length
o TCP packets are generally 40 bytes and ICMP echo requests are just 28
o Appends the given number of random bytes to most of the packets it sends, and does not use any protocol-specific payloads
o Adds extra "padding" to the packet, making it look less like a scan packet and more like a legitimate packet
More Evasion Tips
o Do several "scans" of the target. Break your scans up into chunks of "ports of interest"
o Most IDS/IPS alert on scans of more than 5 ports
o Layer your source-obfuscation techniques
  o Decoys
  o Timing
  o Fragmentation
  o Data Length
  o Etc.
o Keep your "scan time" to a minimum by breaking scans into multiple jobs
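The "more than 5 ports" threshold on the slide above is easy to state from the detection side. This added example (not from the slides or any IDS product) runs a sliding-window distinct-port detector over constructed connection records: the five-port jobs spaced minutes apart stay under a 60-second window, and a longer correlation window is what brings them back over the threshold. Timestamps, addresses and ports are all made up for the demo.

```python
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# One source works through 15 ports as three 5-port jobs 120 s apart;
# a second source is an ordinary client touching two ports.
SAMPLE_EVENTS = (
    [(0 + i, "10.0.0.9", "10.0.0.50", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [(120 + i, "10.0.0.9", "10.0.0.50", p) for i, p in enumerate([110, 139, 143, 443, 445])]
    + [(240 + i, "10.0.0.9", "10.0.0.50", p) for i, p in enumerate([993, 995, 1433, 3306, 3389])]
    + [(5, "10.0.0.20", "10.0.0.50", 80), (7, "10.0.0.20", "10.0.0.50", 443)]
)


def max_ports_in_window(events, window):
    """For each (src, dst) pair, the largest number of distinct destination
    ports seen inside any `window`-second sliding span of that pair's events."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    peaks = {}
    for pair, hits in by_pair.items():
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in hits[start:end + 1]}))
        peaks[pair] = peak
    return peaks


def scan_alerts(events, window, threshold=5):
    """Threshold rule of the kind the slide describes: alert on a (src, dst)
    pair that touches more than `threshold` distinct ports within `window` seconds."""
    return sorted(pair for pair, peak in max_ports_in_window(events, window).items()
                  if peak > threshold)
```

With window=60 no pair exceeds five ports, so nothing fires; with window=300 the scanning source peaks at 15 distinct ports and is reported, while the two-port client never is.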
Credit Where Credit is Due
o http://www.redspin.com/blog/2011/09/14/importing-and-working-with-nmap-scans-in-metasploit-framework-4/
o http://nmap.org/book/
o http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
o https://github.com/leebaird/discover
o http://www.offensive-security.com/metasploit-unleashed/