Friday, July 19, 2013

Nmap usage to perform Vulnerability Assessments

The NSE Documentation Portal provides a detailed guide to nmap script usage.

Using nmap scripts (NSE) we can perform vulnerability assessments.

In this tutorial I will show a few examples of nmap scripts.

1. "smb-check-vulns" script to check Windows RPC vulnerabilities. 

Checks for vulnerabilities:
  • MS08-067, a Windows RPC vulnerability
  • Conficker, an infection by the Conficker worm
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
  • MS06-025, a Windows Ras RPC service vulnerability
  • MS07-029, a Windows Dns Server RPC service vulnerability
$ nmap --script smb-check-vulns.nse -p445 <targetHostIP>

$ sudo nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 <targetHostIP>

The unsafe=1 argument enables the checks that can crash the target service (the regsvc and SMBv2 DoS tests), so run that form only against hosts where an outage is acceptable.

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
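When the same script is run across many hosts, the useful part of the output is the handful of checks that did not come back NOT VULNERABLE or NO SERVICE. The following shell functions, an added example that is not part of the original post or of nmap, read nmap's normal text output and reduce the smb-check-vulns block to one tab-separated line per check, then filter to the states that need attention. The two embedded scan outputs are constructed samples (documentation addresses 192.0.2.10 and 192.0.2.11); the "VULNERABLE" and "Likely INFECTED" state strings are the ones I assume the script prints for a positive result.

```shell
#!/bin/sh
# Added example, not from the original post: triage smb-check-vulns output.

# Constructed sample 1: a clean host, laid out as nmap prints it.
SAMPLE_OUTPUT='Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)'

# Constructed sample 2: a host with one positive finding (state string assumed).
SAMPLE_VULNERABLE='Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)'

# Read nmap text output on stdin; print "host<TAB>check<TAB>state" for every
# line inside the smb-check-vulns block.
parse_smb_checks() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^\| smb-check-vulns:/   { inblock = 1; next }
        inblock && /^\|/ {
            line = $0
            sub(/^\|_? +/, "", line)            # strip the "|   " / "|_  " prefix
            n = index(line, ": ")
            if (n == 0) next
            check = substr(line, 1, n - 1)
            state = substr(line, n + 2)
            # regsvc DoS is printed with its name twice; keep the second copy
            if (index(state, check ": ") == 1) state = substr(state, length(check) + 3)
            sub(/ \(.*$/, "", state)            # drop the trailing explanation
            printf "%s\t%s\t%s\n", host, check, state
            if ($0 ~ /^\|_/) inblock = 0        # "|_" marks the last line of the block
        }
    '
}

# Keep only the states that need follow-up.
actionable_findings() {
    parse_smb_checks | awk -F'\t' '$3 == "VULNERABLE" || $3 == "Likely INFECTED"'
}

# Usage: pipe a saved scan into the functions, e.g.
#   nmap --script smb-check-vulns.nse -p445 <targetHostIP> | actionable_findings
printf '%s\n' "$SAMPLE_OUTPUT" | parse_smb_checks
printf '%s\n' "$SAMPLE_VULNERABLE" | actionable_findings
```

Because the functions read standard input, the same pipeline works on a saved `-oN` file covering hundreds of hosts, and the tab-separated lines sort and diff cleanly between scan runs.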

2. "nbstat" script to retrieve the target's NetBIOS names and MAC address.

By default the script displays the computer name and the logged-in user; with the verbosity turned up it also lists the NetBIOS names the host has registered, as in the Names table below.

$ sudo nmap -sU --script nbstat.nse -p137 <targetHostIP>

Host script results:
| nbstat:  
|   NetBIOS name: IT-FS, NetBIOS user: <unknown>, NetBIOS MAC: 1c:6f:65:91:19:96
|   Names
|     IT-FS<00>            Flags: <unique><active>
|     IT-FS<20>            Flags: <unique><active>
|     IT-DEPT<00>          Flags: <group><active>
|     IT-DEPT<1c>          Flags: <group><active>
|     IT-DEPT<1e>          Flags: <group><active>
|     IT-DEPT<1d>          Flags: <unique><active>
|     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_    IT-DEPT<1b>          Flags: <unique><active>

3. "upnp-info" script to extract system information from the UPnP service.

$ nmap -sV -sC <targetHostIP>

Host script results:
|_nbstat: NetBIOS name: IT-FS, NetBIOS user: <unknown>, NetBIOS MAC: 1c:6f:65:91:19:96
| smb-os-discovery:  
|   OS: Windows Server 2003 3790 (Windows Server 2003 5.2)
|   Name: IT-DEPT\IT-FS
|_  System time: 2013-07-19 14:41:14 UTC+5.5
|_smbv2-enabled: Server doesn't support SMBv2 protocol

1 comment:

  1. Nmap can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states. That's why it is very effective for checking vulnerabilities.

    Silvester Norman