Write-up to Network Scanning with Nmap

Task - Eternal blue

The first task is to find the hosts that are vulnerable to the SMB vulnerability known as EternalBlue.

Tools

  • Of course nmap is used as the network scanner (documentation).
  • The result is easiest to evaluate via the XML output, so an XML filter tool such as xmllint should be used.
  • As help for XPath there is a CSS <-> XPath cheatsheet.
  • To copy commands from the internet and have them explained there is explainshell.

Procedure

  1. define the target network
  2. search for or create a script that finds the vulnerability
  3. script scan with nmap and the smb-vuln-ms17-010 script
  4. evaluate the XML result with xmllint
  5. answer the questions

To parse the XML it is best to look at the script under /usr/share/nmap/scripts/, because it shows the empty skeleton of the output structure; with this skeleton you can build a short XPath expression.

Implementation

Eternal blue task

The target network is 152.96.6.193/26, so the vulnerability scan command for nmap is:

nmap -n -Pn -p 445 --script smb-vuln-ms17-010 -oA nmap_script_eternalblue "152.96.6.193/26"

The result can then be evaluated more easily with the xmllint tool:

xmllint --xpath "//hostscript/../address/@addr" --format nmap_script_eternalblue.xml

and results in the following output:

 addr="152.96.6.212"
 addr="152.96.6.249"
 addr="152.96.6.251"

So the vulnerable hosts are 152.96.6.212, 152.96.6.249, 152.96.6.251.
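As an added example (not part of the original write-up), the same selection done in Python over a constructed nmap XML fragment. The write-up's XPath keys only on the presence of a hostscript element, which nmap also emits when a script errors out; the stricter function below additionally checks the state element that the NSE vulns library writes per vulnerability id. The sample XML and its addresses are constructed, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML fragment (not real scan output). The hostscript
# elements mirror the structure the NSE vulns library emits: one <table>
# per vulnerability id with an <elem key="state"> child.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="152.96.6.200" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  </host>
  <host><status state="up"/><address addr="152.96.6.212" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ...">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="152.96.6.230" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="ERROR: Script execution failed"/>
    </hostscript>
  </host>
</nmaprun>
"""

def hosts_with_hostscript(xml_text):
    """Equivalent of the xmllint XPath //hostscript/../address/@addr."""
    root = ET.fromstring(xml_text)
    return [h.find("address").get("addr")
            for h in root.iter("host") if h.find("hostscript") is not None]

def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Stricter: only hosts where the named script reports state VULNERABLE."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        for script in host.findall("hostscript/script"):
            if script.get("id") != script_id:
                continue
            states = [e.text for e in script.findall("table/elem[@key='state']")]
            if "VULNERABLE" in states:
                found.extend(a.get("addr") for a in host.findall("address")
                             if a.get("addrtype") == "ipv4")
    return found

if __name__ == "__main__":
    print("hostscript present:", hosts_with_hostscript(SAMPLE_XML))
    print("state VULNERABLE:  ", vulnerable_hosts(SAMPLE_XML))
```

Run against a real nmap_script_eternalblue.xml by passing the file contents instead of SAMPLE_XML; the errored host 152.96.6.230 appears in the first list but not in the second.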

Questions about nmap

To perform a full TCP scan the option used is:

-sT

To perform a SYN scan the option used is:

-sS

To perform a half-open scan the option used is:

-sS, because a SYN scan never completes the three-way handshake.

To find out the OS version the options used are:

-O -v

The idea / raison d’être of the Nmap Scripting Engine (NSE) is:

To create a platform that can be extended with building blocks (scripts). Functions can thus be added much faster, more reliably and more simply, since "only" the data needs to be evaluated, which frees the script author from the details of the platform. NSE also ships with many libraries that can be used in scripts, for example the smb library. The included scripts can mostly be found under /usr/share/nmap/scripts/, and a manual is also available.

To display all available scripts the option used is:

nmap --script-help=

To access statistics during a long scan the key used is:

ENTER

Additional parameter description for nmap

nmap -n -Pn -p 445 --script smb-vuln-ms17-010 "152.96.6.193/26" -oA nmap_script_eternalblue

  • -n (No DNS resolution). Tells Nmap to never perform reverse DNS resolution on the active IP addresses it finds.
  • -p port ranges (Only scan specified ports). This option specifies which ports to scan and overrides the default.
  • --script filename|category|directory|expression|all[,…]. Performs a script scan using the comma-separated list of filenames, script categories, and directories.
  • -oA basename (Output to all formats). For convenience, -oA basename can be specified to store scan results in normal, XML, and grepable formats simultaneously. They are stored in basename.nmap, basename.xml and basename.gnmap respectively.