Nmap, short for Network Mapper, is an open-source and highly versatile tool that has earned its place as the Swiss Army knife of network scanning. Its primary mission? To chart the uncharted, map the unmapped, and expose the unseen. Whether you are a network administrator ensuring the security of your systems, a cybersecurity professional seeking vulnerabilities, or a curious explorer of the digital realm, Nmap is an invaluable companion on your journey.
Let's begin!
To kick things off, we'll run a quick default Nmap scan against our Metasploitable machine with the following command:
┌──(kali㉿kali)-[~]
└─$ nmap 10.0.2.5
With no other options, Nmap scans the 1,000 most commonly used TCP ports on the target and reports which ones are open. Here it finds 23 open ports; the other 977 were closed (the "conn-refused" note tells us this ran as a plain TCP connect scan, which is what Nmap falls back to when it is not run as root).
┌──(kali㉿kali)-[~]
└─$ nmap 10.0.2.5
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-15 14:18 EDT
Nmap scan report for 10.0.2.5
Host is up (0.011s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
The port list tells us what is listening, but not which software, or which version of it, sits behind each port. To find that out, we run a version-detection scan:
┌──(kali㉿kali)-[~]
└─$ nmap -sV 10.0.2.5
The `-sV` option tells Nmap to perform version detection: it sends probes to each open port and tries to identify the service software and its version from the responses.
Results
┌──(kali㉿kali)-[~]
└─$ nmap -sV 10.0.2.5
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-15 14:21 EDT
Nmap scan report for 10.0.2.5
Host is up (0.015s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
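The VERSION column is what `-sV` adds, and it is also what makes a scan useful as a baseline: re-scan later and you can see ports that appeared or software that changed. As an added example (my code, not Nmap's and not part of the original post), here is a small parser for Nmap's normal output plus a baseline comparison. The sample rows are taken from the two scans above; the "earlier" baseline scan is constructed for the example and assumes the host looked the same except that port 1524 was not yet listening.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input, taken from the "nmap -sV 10.0.2.5" port table above (a subset of
# rows; the column spacing is collapsed exactly as the post shows it).
SV_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
514/tcp open tcpwrapped
1524/tcp open bindshell Metasploitable root shell
6000/tcp open X11 (access denied)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
"""

# The same rows as the first scan (no -sV) reports them: there is no VERSION column.
PLAIN_OUTPUT = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
8180/tcp open unknown
"""

# Constructed baseline: an assumed earlier -sV scan of the same host, identical
# except that port 1524 was not yet listening.
BASELINE_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
514/tcp open tcpwrapped
6000/tcp open X11 (access denied)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
"""

# port/proto, state, service name; everything after that is the VERSION column.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # "" when -sV was not used or nothing could be fingerprinted


def parse_port_table(text: str) -> List[Service]:
    """Extract the port rows from Nmap's normal (human-readable) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank lines and NSE script output are skipped
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def diff_scans(baseline: str, current: str) -> Dict[str, List[Tuple[int, str]]]:
    """Compare two scans of one host: ports that opened or closed, and services
    whose name or version string changed. This is the defender's use of -sV:
    drift against a known-good baseline rather than a one-off look."""
    base = {(s.port, s.proto): s for s in parse_port_table(baseline)}
    curr = {(s.port, s.proto): s for s in parse_port_table(current)}
    opened = sorted(k for k in curr if k not in base)
    closed = sorted(k for k in base if k not in curr)
    changed = sorted(
        k for k in base.keys() & curr.keys()
        if (base[k].name, base[k].version) != (curr[k].name, curr[k].version)
    )
    return {"opened": opened, "closed": closed, "changed": changed}


if __name__ == "__main__":
    for svc in parse_port_table(SV_OUTPUT):
        print(f"{svc.port}/{svc.proto:<4} {svc.name:<12} {svc.version or '(no version)'}")
    print(diff_scans(BASELINE_OUTPUT, SV_OUTPUT))
```

Run it with `python3` and the diff reports `1524/tcp` as newly opened and nothing else changed. Rows like `514/tcp open tcpwrapped` and `6000/tcp open X11 (access denied)` parse with an empty or partial version string, which is exactly the case where a follow-up by hand is needed.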
How do I find vulnerabilities?
Nmap ships with a large library of scripts for its Nmap Scripting Engine (NSE). They range from simple banner grabbing to checks for known vulnerabilities and more involved protocol probes, so whether you are looking for security weaknesses or doing a broader network assessment, there is usually a script for it.
Let's find those vulnerabilities!
To begin, we add one more argument to the version scan, `--script vulners`, which checks the detected software versions against known vulnerabilities. The command looks like this:
┌──(kali㉿kali)-[~]
└─$ nmap -sV --script vulners 10.0.2.5
The output of `nmap -sV --script vulners 10.0.2.5` is shown below; a breakdown of each part of the command follows the results.
┌──(kali㉿kali)-[~]
└─$ nmap -sV --script vulners 10.0.2.5
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-15 16:13 EDT
Nmap scan report for 10.0.2.5
Host is up (0.013s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
| vulners:
| cpe:/a:isc:bind:9.4.2:
| SSV:60184 8.5 https://vulners.com/seebug/SSV:60184 *EXPLOIT*
| CVE-2012-1667 8.5 https://vulners.com/cve/CVE-2012-1667
| SSV:60292 7.8 https://vulners.com/seebug/SSV:60292 *EXPLOIT*
| CVE-2014-8500 7.8 https://vulners.com/cve/CVE-2014-8500
| CVE-2012-5166 7.8 https://vulners.com/cve/CVE-2012-5166
| CVE-2012-4244 7.8 https://vulners.com/cve/CVE-2012-4244
| CVE-2012-3817 7.8 https://vulners.com/cve/CVE-2012-3817
| CVE-2008-4163 7.8 https://vulners.com/cve/CVE-2008-4163
| CVE-2010-0382 7.6 https://vulners.com/cve/CVE-2010-0382
| EXPLOITPACK:D6DDF5E24DE171DAAD71FD95FC1B67F2 7.2 https://vulners.com/exploitpack/EXPLOITPACK:D6DDF5E24DE171DAAD71FD95FC1B67F2 *EXPLOIT*
| EDB-ID:42121 7.2 https://vulners.com/exploitdb/EDB-ID:42121 *EXPLOIT*
| CVE-2017-3141 7.2 https://vulners.com/cve/CVE-2017-3141
| CVE-2015-8461 7.1 https://vulners.com/cve/CVE-2015-8461
| CVE-2021-25216 6.8 https://vulners.com/cve/CVE-2021-25216
| CVE-2015-8704 6.8 https://vulners.com/cve/CVE-2015-8704
| CVE-2009-0025 6.8 https://vulners.com/cve/CVE-2009-0025
| CVE-2015-8705 6.6 https://vulners.com/cve/CVE-2015-8705
| CVE-2010-3614 6.4 https://vulners.com/cve/CVE-2010-3614
| SSV:4636 5.8 https://vulners.com/seebug/SSV:4636 *EXPLOIT*
| SSV:30099 5.0 https://vulners.com/seebug/SSV:30099 *EXPLOIT*
| SSV:20595 5.0 https://vulners.com/seebug/SSV:20595 *EXPLOIT*
| PACKETSTORM:157836 5.0 https://vulners.com/packetstorm/PACKETSTORM:157836 *EXPLOIT*
| FBC03933-7A65-52F3-83F4-4B2253A490B6 5.0 https://vulners.com/githubexploit/FBC03933-7A65-52F3-83F4-4B2253A490B6 *EXPLOIT*
| CVE-2023-3341 5.0 https://vulners.com/cve/CVE-2023-3341
| CVE-2022-2795 5.0 https://vulners.com/cve/CVE-2022-2795
| CVE-2021-25219 5.0 https://vulners.com/cve/CVE-2021-25219
| CVE-2021-25215 5.0 https://vulners.com/cve/CVE-2021-25215
| CVE-2020-8616 5.0 https://vulners.com/cve/CVE-2020-8616
| CVE-2017-3145 5.0 https://vulners.com/cve/CVE-2017-3145
| CVE-2016-9444 5.0 https://vulners.com/cve/CVE-2016-9444
| CVE-2016-9131 5.0 https://vulners.com/cve/CVE-2016-9131
| CVE-2016-8864 5.0 https://vulners.com/cve/CVE-2016-8864
| CVE-2016-2848 5.0 https://vulners.com/cve/CVE-2016-2848
| CVE-2016-1286 5.0 https://vulners.com/cve/CVE-2016-1286
| CVE-2015-8000 5.0 https://vulners.com/cve/CVE-2015-8000
| CVE-2012-1033 5.0 https://vulners.com/cve/CVE-2012-1033
| CVE-2011-4313 5.0 https://vulners.com/cve/CVE-2011-4313
| CVE-2011-1910 5.0 https://vulners.com/cve/CVE-2011-1910
| CVE-2009-0265 5.0 https://vulners.com/cve/CVE-2009-0265
| SSV:11919 4.3 https://vulners.com/seebug/SSV:11919 *EXPLOIT*
| CVE-2020-8617 4.3 https://vulners.com/cve/CVE-2020-8617
| CVE-2017-3143 4.3 https://vulners.com/cve/CVE-2017-3143
| CVE-2017-3142 4.3 https://vulners.com/cve/CVE-2017-3142
| CVE-2016-2775 4.3 https://vulners.com/cve/CVE-2016-2775
| CVE-2016-1285 4.3 https://vulners.com/cve/CVE-2016-1285
| CVE-2010-0097 4.3 https://vulners.com/cve/CVE-2010-0097
| CVE-2009-0696 4.3 https://vulners.com/cve/CVE-2009-0696
| 1337DAY-ID-34485 4.3 https://vulners.com/zdt/1337DAY-ID-34485 *EXPLOIT*
| CVE-2020-8622 4.0 https://vulners.com/cve/CVE-2020-8622
| CVE-2016-6170 4.0 https://vulners.com/cve/CVE-2016-6170
| CVE-2010-0290 4.0 https://vulners.com/cve/CVE-2010-0290
| SSV:14986 2.6 https://vulners.com/seebug/SSV:14986 *EXPLOIT*
| CVE-2009-4022 2.6 https://vulners.com/cve/CVE-2009-4022
| PACKETSTORM:142800 0.0 https://vulners.com/packetstorm/PACKETSTORM:142800 *EXPLOIT*
|_ 1337DAY-ID-27896 0.0 https://vulners.com/zdt/1337DAY-ID-27896 *EXPLOIT*
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 43220/tcp mountd
| 100005 1,2,3 55716/udp mountd
| 100021 1,3,4 43292/tcp nlockmgr
| 100021 1,3,4 48541/udp nlockmgr
| 100024 1 58693/udp status
|_ 100024 1 60564/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| vulners:
| cpe:/a:apache:coyote_http_connector:1.1:
| PRION:CVE-2023-26044 5.0 https://vulners.com/prion/PRION:CVE-2023-26044
|_ PRION:CVE-2022-36032 5.0 https://vulners.com/prion/PRION:CVE-2022-36032
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.55 seconds
Breaking down the command `nmap -sV --script vulners 10.0.2.5`:
1. `nmap`: This is the Nmap tool, a network scanner used to discover and analyze devices on a network.
2. `-sV`: This option instructs Nmap to perform version detection. It attempts to identify the software and its versions running on open ports of the target machine (in this case, the IP address 10.0.2.5).
3. `--script vulners`: This tells Nmap to run the NSE script called "vulners." The script takes the CPE string that version detection produced for a service (for example `cpe:/a:isc:bind:9.4.2` above) and looks it up in the Vulners.com vulnerability database, so it needs network access to vulners.com while the scan runs.
So, when you execute this command, Nmap will scan the target machine (IP address 10.0.2.5), identify the software and its versions running on open ports, and then use the "vulners" script to check if any of the identified software versions have known vulnerabilities listed in the Vulners.com database. This information can be valuable for assessing the security of the target system.
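Reading fifty findings for one port by hand does not scale, so as an added example (my code, not the vulners script's and not from the original post) here is how a defender would turn the vulners block into a per-port triage summary: which CPE was matched, the highest CVSS, how many rows carry the `*EXPLOIT*` marker, and which ids to look at first. The sample input is a trimmed excerpt of the scan output above. Two caveats the output itself does not spell out: vulners matches on the version string Nmap fingerprinted, so a banner whose package carries a backported fix will still match and every hit needs confirming against the real installed version; and a `0.0` score means no CVSS value was attached to that record, not that it is harmless.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: an excerpt of the vulners output from the scan above (fewer rows,
# column spacing collapsed as in the post; ids, scores and URLs are as reported).
VULNERS_EXCERPT = """\
53/tcp open domain ISC BIND 9.4.2
| vulners:
| cpe:/a:isc:bind:9.4.2:
| SSV:60184 8.5 https://vulners.com/seebug/SSV:60184 *EXPLOIT*
| CVE-2012-1667 8.5 https://vulners.com/cve/CVE-2012-1667
| CVE-2014-8500 7.8 https://vulners.com/cve/CVE-2014-8500
| CVE-2021-25216 6.8 https://vulners.com/cve/CVE-2021-25216
| CVE-2020-8616 5.0 https://vulners.com/cve/CVE-2020-8616
| PACKETSTORM:142800 0.0 https://vulners.com/packetstorm/PACKETSTORM:142800 *EXPLOIT*
|_ 1337DAY-ID-27896 0.0 https://vulners.com/zdt/1337DAY-ID-27896 *EXPLOIT*
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| vulners:
| cpe:/a:apache:coyote_http_connector:1.1:
| PRION:CVE-2023-26044 5.0 https://vulners.com/prion/PRION:CVE-2023-26044
|_ PRION:CVE-2022-36032 5.0 https://vulners.com/prion/PRION:CVE-2022-36032
"""

PORT_RE = re.compile(r"^(\d{1,5}/(?:tcp|udp))\s+\S+\s+\S+")
# "| <id> <cvss> <url> [*EXPLOIT*]"; "|_" marks the last line of a script block.
FINDING_RE = re.compile(r"^\|_?\s*(\S+)\s+(\d+(?:\.\d+)?)\s+(https?://\S+)(\s+\*EXPLOIT\*)?$")


@dataclass(frozen=True)
class Finding:
    port: str
    cpe: str
    vuln_id: str
    cvss: float
    url: str
    exploit_available: bool  # vulners appends *EXPLOIT* when public exploit code is indexed


def parse_vulners(text: str) -> List[Finding]:
    """Walk the report line by line, remembering the current port and CPE, and
    turn every vulners row into a Finding. Other scripts' output is ignored."""
    findings: List[Finding] = []
    port = cpe = None
    in_vulners = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:  # a new port row resets the script context
            port, cpe, in_vulners = m.group(1), None, False
            continue
        if not line.startswith("|"):
            continue
        body = line.lstrip("|_").strip()
        if body == "vulners:":
            in_vulners = True
            continue
        if not in_vulners:
            continue  # e.g. http-server-header output
        if body.startswith("cpe:/"):
            cpe = body.rstrip(":")
            continue
        m = FINDING_RE.match(line)
        if m and port and cpe:
            vuln_id, score, url, exploit = m.groups()
            findings.append(Finding(port, cpe, vuln_id, float(score), url, exploit is not None))
    return findings


def triage(findings: List[Finding], min_cvss: float = 7.0) -> Dict[str, dict]:
    """Per port: the CPE matched, highest CVSS, total rows, how many carry
    public exploit code, and the ids at or above min_cvss to look at first."""
    summary: Dict[str, dict] = {}
    for f in findings:
        s = summary.setdefault(f.port, {"cpe": f.cpe, "max_cvss": 0.0, "total": 0,
                                        "with_exploit": 0, "priority": []})
        s["total"] += 1
        s["max_cvss"] = max(s["max_cvss"], f.cvss)
        s["with_exploit"] += int(f.exploit_available)
        if f.cvss >= min_cvss:
            s["priority"].append(f.vuln_id)
    return summary


if __name__ == "__main__":
    for port, s in triage(parse_vulners(VULNERS_EXCERPT)).items():
        print(f"{port} {s['cpe']}: {s['total']} findings, max CVSS {s['max_cvss']}, "
              f"{s['with_exploit']} with exploit code; priority {s['priority']}")
```

On the excerpt this puts `53/tcp` (BIND 9.4.2) first with three ids at CVSS 7.0 or above and three rows flagged with exploit code, and `8180/tcp` second with nothing above the threshold. Lowering `min_cvss` pulls the two Coyote records into the priority list; the threshold is a triage knob, not a statement about what is safe to ignore.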