1. DNS Brute Force
Find sub-domains with this script. Detecting sub-domains associated with an organizations domain can reveal new targets when performing a security assessment. The discovered hosts may be virtual web hosts on a single web server or may be distinct hosts on IP addresses spread across the world in different data centres.
dns-brute.nse script will find valid DNS (
A) records by trying a list of common sub-domains and finding those that successfully resolve.
nmap -p 80 --script dns-brute.nse vulnweb.com Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:58 EST Nmap scan report for vulnweb.com (18.104.22.168) Host is up (0.34s latency). rDNS record for 22.214.171.124: rs202995.rs.hosteurope.de PORT STATE SERVICE 80/tcp open http Host script results: | dns-brute: | DNS Brute-force hostnames: | admin.vulnweb.com - 126.96.36.199 | firewall.vulnweb.com - 188.8.131.52 |_ dev.vulnweb.com - 184.108.40.206 Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds
2. Find Hosts on IP
Another tactic for expanding an attack surface is to find virtual hosts on an IP address that you are attempting to compromise (or assess). This can be done by using the hostmap-* scripts in the NSE collection. The
hostmap-bfk.nse seems to work reasonably well providing a good starting point for your recon (IP to Host services do vary in accuracy).
nmap -p 80 --script hostmap-bfk.nse nmap.org Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:47 EST Nmap scan report for nmap.org (220.127.116.11) Host is up (0.19s latency). PORT STATE SERVICE 80/tcp open http Host script results: | hostmap-bfk: | hosts: | www.nmap.org | 18.104.22.168 | seclists.org | sectools.org | svn.nmap.org | nmap.org | hb.insecure.org | insecure.org | images.insecure.org | 22.214.171.124.in-addr.arpa |_ www.insecure.org Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
ip:x.x.x.xhowever recently the accuracy of this search seems hit and miss.
3. Traceroute Geolocation
traceroute to your target IP address and have geolocation data plotted for each hop along the way. Makes correlating the reverse dns names of routers in your path with locations much easier.
sudo nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 21:03 EST Nmap scan report for hackertarget.com (126.96.36.199) Host is up (0.31s latency). PORT STATE SERVICE 80/tcp open http Host script results: | traceroute-geolocation: | HOP RTT ADDRESS GEOLOCATION | 1 2.09 192.168.1.1 - ,- | 2 25.55 core-xxxxx.grapevine.net.au (203.xxx.32.20) -27,133 Australia (Unknown) | 3 31.61 core-xxxxx.grapevine.net.au (203.xxx.32.25) -27,133 Australia (Unknown) | 4 25.02 xe0-0-0-icr1.cbr2.transact.net.au (188.8.131.52) -27,133 Australia (Unknown) | 5 23.48 xe11-3-0.cr1.cbr2.on.ii.net (184.108.40.206) -27,133 Australia (Unknown) | 6 43.45 ae2.br1.syd4.on.ii.net (220.127.116.11) -27,133 Australia (Unknown) | 7 175.24 te0-0-0-1.br1.lax1.on.ii.net (18.104.22.168) -27,133 Australia (Unknown) | 8 181.29 TenGE13-2.br02.lax04.pccwbtn.net (22.214.171.124) 38,-97 United States (Unknown) | 9 310.46 telecity.ge9-9.br02.ldn01.pccwbtn.net (126.96.36.199) 51,0 United Kingdom (London) | 10 309.63 188.8.131.52 51,0 United Kingdom (Unknown) |_ 11 338.95 hackertarget.com (184.108.40.206) 51,0 United Kingdom (Unknown) TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 2.09 ms 192.168.1.1 2 25.55 ms core-xxxxx.grapevine.net.au (203.xxx.32.20) 3 31.61 ms core-xxxxx.grapevine.net.au (203.xxx.32.25) 4 25.02 ms xe0-0-0-icr1.cbr2.transact.net.au (220.127.116.11) 5 23.48 ms xe11-3-0.cr1.cbr2.on.ii.net (18.104.22.168) 6 43.45 ms ae2.br1.syd4.on.ii.net (22.214.171.124) 7 175.24 ms te0-0-0-1.br1.lax1.on.ii.net (126.96.36.199) 8 181.29 ms TenGE13-2.br02.lax04.pccwbtn.net (188.8.131.52) 9 310.46 ms telecity.ge9-9.br02.ldn01.pccwbtn.net (184.108.40.206) 10 309.63 ms 220.127.116.11 11 338.95 ms hackertarget.com (18.104.22.168)
Nmap comes with a wide range of NSE scripts for testing web servers and web applications. An advantage of using the NSE scripts for your HTTP reconnaissance is that you are able to test aspects of a web server against large subnets. This can quickly provide a picture of the types of servers and applications in use within the subnet.
One of the more aggressive tests, this script effectively brute forces a web server path in order to discover web applications in use. Attempts will be made to find valid paths on the web server that match a list of known paths for common web applications. The standard test includes testing of over 2000 paths, meaning that the web server log will have over 2000 entries that are
HTTP 404 not found, not a stealthy testing option! This is very similar to the famous Nikto web server testing tool (that performs 6000+ tests).
nmap --script http-enum 192.168.10.55 Nmap scan report for ubuntu-test (192.168.10.55) Host is up (0.024s latency). Not shown: 993 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http | http-enum: | /robots.txt: Robots file | /readme.html: WordPress version 3.9.2 | /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' | /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' |_ /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
Specify base path, for example you could specify a base path of
nmap --script -http-enum --script-args http-enum.basepath='pub/' 192.168.10.55 Nmap scan report for xbmc (192.168.1.5) Host is up (0.0012s latency). PORT STATE SERVICE 80/tcp open http | http-enum: | /pub/: Root directory w/ listing on 'apache/2.2.22 (ubuntu)' | /pub/images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' |_ /pub/js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds
5. HTTP Title
It is not a difficult thing to find the Title of the web page from a web server, this script just makes it easier to get those title's in one set of results from a range of IP addresses.
Having the title of the page included in the Nmap scan results can provide context to a host, that may identify the primary purpose of the web server and whether that server is a potential attack target.
nmap --script http-title -sV -p 80 192.168.1.0/24 Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 20:47 EST Nmap scan report for 192.168.1.1 Host is up (0.0018s latency). PORT STATE SERVICE VERSION 80/tcp open http Linksys wireless-G WAP http config (Name RT-N16) |_http-title: 401 Unauthorized Service Info: Device: WAP Nmap scan report for xbmc (192.168.1.115) Host is up (0.0022s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). Nmap scan report for 192.168.1.118 Host is up (0.0035s latency). PORT STATE SERVICE VERSION 80/tcp open upnp Epson WorkForce 630 printer UPnP (UPnP 1.0; Epson UPnP SDK 1.0) |_http-title: WorkForce 630 Service Info: Device: printer; CPE: cpe:/h:epson:workforce_630 Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 256 IP addresses (8 hosts up) scanned in 10.17 seconds
Microsoft Windows Network Recon
Find operating systems, users, processes and more from systems within your local windows network with these information gathering scripts. Generally these
smb-* scripts will get you a lot more information if you have valid credentials. However, with even Guest or Anonymous access you will usually be able to at least expand your knowledge of the network.
Determine operating system, computer name, netbios name and domain with the
smb-os-discovery.nse script. An example use case could be to use this script to find all the Windows XP hosts on a large network, so they can be unplugged and thrown out (Windows XP is no longer supported by Microsoft). The key advantage to using Nmap for something like this rather than a Microsoft native tool is that it will find all systems connected to the network not just those attached to a domain.
nmap -p 445 --script smb-os-discovery 192.168.1.0/24 Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:32 EST Nmap scan report for test1 (192.168.1.115) Host is up (0.0035s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-os-discovery: | OS: Unix (Samba 3.6.3) | Computer name: ubuntu003 | NetBIOS computer name: | Domain name: | FQDN: ubuntu003 |_ System time: 2014-09-24T23:34:41+10:00 Nmap scan report for 192.168.1.101 Host is up (0.018s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | OS CPE: cpe:/o:microsoft:windows_xp::- | Computer name: test-xp3 | NetBIOS computer name: TEST-XP3 | Workgroup: WORKGROUP |_ System time: 2014-09-24T23:33:01+01:00
Another example of the
smb series of NSE scripts is the
smb-brute.nse that will attempt to brute force local accounts against the SMB service.
While I would not classify brute forcing accounts as a recon function of the assessment process this script can lead to large amount of recon if we do get valid credentials as there are other
smb-* scripts that can be leveraged to retrieve all local user accounts (
smb-enum-users.nse), groups (
smb-enum-groups.nse), processes (
smb-enum-processes.nse) and even execute processes remotely with the
nmap -sV -p 445 --script smb-brute 192.168.1.101 Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:47 EST Nmap scan report for 192.168.1.101 Host is up (0.060s latency). PORT STATE SERVICE VERSION 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-brute: |_ No accounts found Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 115.04 seconds
As can be seen in the example above we have not found any accounts. So lets take a look at the activity on the wire while the
smb-brute.nse script was running.
It is pretty clear from this Wireshark capture that sessions were being established and a large number of account credentials were being tested.
Digging deeper and finding Gold with Nmap NSE scripts
After this quick skim of the capabilities of a sample of the Nmap NSE scripts. My suggestion is to look a bit deeper. There are literally hundreds of scripts now available and included in a regular Nmap installation. Each of the
.nse files comes with pretty good documentation right there in the script or more information can be found on the NSE scripts documentation portal.
Find the NSE scripts location for your Nmap installation (
locate nse | grep scripts) and take a look through the included scripts. There are many surprising finds; not only for reconnaissance but also scripts for discovery of exploitable services.