Nmap - What is it and how to make best of it?
Nmap is the network mapper that is used to discover the number of hosts and devices on the network that it is accessing, thus mapping the whole network.
Let's not jump into the details of the installation as that is not the information everyone is looking around. Some of you might even have it on the system beforehand but not using it. So here are some details on the information it could provide us with.
scan your own host to determine the open ports and connections:
nmap -sV -p 1-65535 localhost/24
Here sV - get the service version that is running on open ports
-p - specify the port numbers to be scanned.
localhost - target to be probed. (24 means the first 3 octets are part of the network and the remaining 1 octet is open for the other hosts on the network ). This way you can scan multiple hosts at the sametime.
It will return a series of open ports and service running on the ports.
Some basics you got to know to understand the nmap.
1. nmap establishes a 3-way TCP handshake with the "host" as any other client would do.
different ports - service that should be noted :
port 80 - web server
81 - firewall (this drops all the packets that could potentially harm the server)
Any connection to a webserver passes through the firewall(80). Closed ports mean that there are no service running on those ports.
2. Host specified can either be a ip address or the url.
3. nmap basically probes every port on the host network to determine what service is established.
Open ports means - service/port is open for any public connection and is accepting any TCP/UDP client connections.
Closed ports means - port is not providing any service or application but can be accessed to find some other information about the OS or server
filtered ports means - these ports cannot provide any kind of information as the firewall/router drops any packets trying to access these ports.
open/filtered means - the probe cannot determine the type of the port. The open port doesn't give any response which means the firewall simply drops the packets sent to the port.
4. nmap -A google.com
Gets you the OS detection of the target server.
5. nmap -iL textfile.txt
Reads the list of targets from the text file.
6. nmap -sA target.com
Tells you if the target server is protected by a firewall .
If such a firewall exists then use nmap -PN target.com to scan the network. How is this different from the normal scan?
Almost on any information associated with the ports, server OS, servicces attached to the ports can be accessed without any credentials.
Nmap - SQL access:
We can do a whole lot with the Nmap to get all the more information about SQL server/databases access. We can pass additional scripts along with the nmap command on the port -p as "ms-sql-info" - Get database information
"ms-sql-brute" - Pass brute force attacks to check for weak credentials within the database
"ms-sql-empty-password" - Check if the database has empty passwords set for any table/user. Once we know which user has no password set,we can try to detect the databases or privileges that user has been provided.
"ms-sql-hasdbaccess.nse --script-args mysql.username=" - Check the dbaccess provided to the user.
"ms-sql-tables --script-args mysql.username=" - gives the table names and description in each db under the user.
Any details obtained from these scripts could provide the entire infrastructure and any credential associated. If there is a empty password set to any user in the db schema, it could provide the whole table schema which is very scary and harmful.
There are whole lot of customized scripts that can get the password hashes from the server and thus providing direct access into the server to any outsider.
All of this information on this Nmap/mysql access pings are provided so that any security assessment can be made. Don't try to hack into anyone's server. Be it productive.
Remember, Every code is breakable. That doesn't mean you have to be the black hat hacker!!!!!!!
More exploits coming soon...
Nmap is the network mapper that is used to discover the number of hosts and devices on the network that it is accessing, thus mapping the whole network.
Let's not jump into the details of the installation as that is not the information everyone is looking around. Some of you might even have it on the system beforehand but not using it. So here are some details on the information it could provide us with.
scan your own host to determine the open ports and connections:
nmap -sV -p 1-65535 localhost/24
Here sV - get the service version that is running on open ports
-p - specify the port numbers to be scanned.
localhost - target to be probed. (24 means the first 3 octets are part of the network and the remaining 1 octet is open for the other hosts on the network ). This way you can scan multiple hosts at the sametime.
It will return a series of open ports and service running on the ports.
Some basics you got to know to understand the nmap.
1. nmap establishes a 3-way TCP handshake with the "host" as any other client would do.
different ports - service that should be noted :
port 80 - web server
81 - firewall (this drops all the packets that could potentially harm the server)
Any connection to a webserver passes through the firewall(80). Closed ports mean that there are no service running on those ports.
2. Host specified can either be a ip address or the url.
3. nmap basically probes every port on the host network to determine what service is established.
Open ports means - service/port is open for any public connection and is accepting any TCP/UDP client connections.
Closed ports means - port is not providing any service or application but can be accessed to find some other information about the OS or server
filtered ports means - these ports cannot provide any kind of information as the firewall/router drops any packets trying to access these ports.
open/filtered means - the probe cannot determine the type of the port. The open port doesn't give any response which means the firewall simply drops the packets sent to the port.
4. nmap -A google.com
Gets you the OS detection of the target server.
5. nmap -iL textfile.txt
Reads the list of targets from the text file.
6. nmap -sA target.com
Tells you if the target server is protected by a firewall .
If such a firewall exists then use nmap -PN target.com to scan the network. How is this different from the normal scan?
Almost on any information associated with the ports, server OS, servicces attached to the ports can be accessed without any credentials.
Nmap - SQL access:
We can do a whole lot with the Nmap to get all the more information about SQL server/databases access. We can pass additional scripts along with the nmap command on the port -p as "ms-sql-info" - Get database information
"ms-sql-brute" - Pass brute force attacks to check for weak credentials within the database
"ms-sql-empty-password" - Check if the database has empty passwords set for any table/user. Once we know which user has no password set,we can try to detect the databases or privileges that user has been provided.
"ms-sql-hasdbaccess.nse --script-args mysql.username=" - Check the dbaccess provided to the user.
"ms-sql-tables --script-args mysql.username=" - gives the table names and description in each db under the user.
Any details obtained from these scripts could provide the entire infrastructure and any credential associated. If there is a empty password set to any user in the db schema, it could provide the whole table schema which is very scary and harmful.
There are whole lot of customized scripts that can get the password hashes from the server and thus providing direct access into the server to any outsider.
All of this information on this Nmap/mysql access pings are provided so that any security assessment can be made. Don't try to hack into anyone's server. Be it productive.
Remember, Every code is breakable. That doesn't mean you have to be the black hat hacker!!!!!!!
More exploits coming soon...
