Write-up to Network Scanning with Nmap #
Task - Eternal blue #
The first task is to find the hosts that are vulnerable to an smb vulnerability (Eternal blue).
- Of course nmap is to be used as network scanner (docu).
- The evaluation of the result goes easiest over XML and therefore a xml filter tool xmllint should be used
- As help for xpath there is a CSS <-> XPATH Cheatsheet.
- As help to copy the commands from the internet and get them explained there is explainshell
- define the target network
- search or create a script that finds the vulnerability
- script scan with nmap and the mb-vuln-ms17-010 script
- evaluate the xml result with xmllint
- answer questions
To parse the XML it is best to look at the script under /usr/share/nmap/scripts/, because there is an empty skeleton. With this skeleton you can create a short xpath.
Eternal blue task #
The target network is 18.104.22.168/26, so the vulnerability scan command for nmap is:
nmap -n -Pn -p 445 --script smb-vuln-ms17-010 -oA nmap_script_eternalblue "22.214.171.124/26".
The result can then be evaluated more easily with the xmllint tool:
xmllint --xpath "//hostscript/../address/@addr" --format nmap_script_eternalblue.xml
and results in the following output:
addr="126.96.36.199" addr="188.8.131.52" addr="184.108.40.206"
So the vulnerable hosts are 220.127.116.11, 18.104.22.168, 22.214.171.124.
Questions about nmap #
To perform a full TCP scan the command is used: #
To perform a syn scan the command is used: #
To perform a half-open scan the command is used: #
-sS because a sync scan never finishes the 3-way-handshake.
To find out the OS version use the command: #
The idea / raison d’être of the Nmap Scripting Engine (NSE) is: #
To create a platform that can be extended by building blocks (scripts). Thus functions can be supplemented much faster, more surely and more simply, since ‘‘only’’ the data needs to be evaluated and is thus freed from the details of the platform. The NSE also comes with many libraries that can be used in scripts, for example the smb library. The included scripts can mostly be found under /usr/share/nmap/scripts/ and a manual is also available.
To display all available scripts the command is used: #
To access statistics during a long scan the command is used: #
Additional parameter description for nmap #
nmap -n -Pn -p 445 --script smb-vuln-ms17-010 "126.96.36.199/26" -oA nmap_script_eternalblue
-n (No DNS resolution) . Tells Nmap to never perform reverse DNS resolution on the active IP addresses it finds.
- -p port ranges (Only scan specified ports) . This option specifies which ports to scan and overrides the default.
- –script filename|category|directory|expression|all[,…] . Performs a script check against the comma-separated list of filenames, script categories, and directories.
- -oA basename (Output to all formats) . For convenience, -oA basename can be specified to store scan results in normal, XML, and grepable formats simultaneously. They are stored in basename.nmap, basename.xml and basename.gnmap respectively.