NMAP NSE Scripts for WordPress

http-wordpress-info.nse

Rather than brute forcing paths, this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the html. The WordPress version will also be identified using the default readme.html file if the meta generator is not present.

http-wordpress-enum.nse

The http-wordpress-enum.nse script comes with default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names it is possible to brute force the passwords using methods I detailed in the attacking wordpress article.

Hacker Target NMAP-nse-scripts for WordPress

http-wordpress-plugins.nse

Deprecated as http-wordpress-enum.nse updated to include this functionality,

In addition to identifying the plugins in use, I added a feature to the http-wordpress-plugins.nse script that will identify the version of the installed plugin and compare that to the latest version that is checked in real time against the WordPress Plugin API.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)

http-wordpress-themes.nse

Deprecated as http-wordpress-enum.nse updated to include this functionality,

Based on the NSE script http-wordpress-plugins.nse I created out a variation that tests for WordPress themes. One of the often overlooked parts of keeping a secure WordPress installation is ensuring all themes (even inactive ones) are kept up to date or removed if not in use. Security vulnerabilities can be found in WordPress themes and these are often exploitable even if the theme is inactive.

The wp-theme.lst was created after I crawled the Alexa top 1 million sites and found around 200000 WordPress sites. By basing the theme list on the in use themes and sorting by popularity this list is a good representation of the most popular themes in being used across the web.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-themes:
-- | search amongst the 500 most popular themes 
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5

The post WordPress Security Testing with Nmap appeared first on HackerTarget.com.

Information Gathering

1. DNS Brute Force

Find sub-domains with this script. Detecting sub-domains associated with an organization's domain can reveal new targets when performing a security assessment. The discovered hosts may be virtual web hosts on a single web server or distinct hosts on IP addresses spread across the world in different data centres.

The dns-brute.nse script will find valid DNS A records by trying a list of common sub-domains and finding those that successfully resolve.

nmap -p 80 --script dns-brute.nse vulnweb.com

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 19:58 EST
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.34s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165

Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds

2. Find Hosts on IP

Another tactic for expanding an attack surface is to find virtual hosts on an IP address that you are attempting to compromise (or assess). This can be done by using the hostmap-* scripts in the NSE collection. The hostmap-bfk.nse seems to work reasonably well providing a good starting point for your recon (IP to Host services do vary in accuracy).

nmap -p 80 --script hostmap-bfk.nse nmap.org

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 19:47 EST
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-bfk: 
|   hosts: 
|     www.nmap.org
|     173.255.243.189
|     seclists.org
|     sectools.org
|     svn.nmap.org
|     nmap.org
|     hb.insecure.org
|     insecure.org
|     images.insecure.org
|     189.243.255.173.in-addr.arpa
|_    www.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds

3. Traceroute Geolocation

Perform a traceroute to your target IP address and have geolocation data plotted for each hop along the way. Makes correlating the reverse dns names of routers in your path with locations much easier.

sudo nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 21:03 EST
Nmap scan report for hackertarget.com (178.79.163.23)
Host is up (0.31s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| traceroute-geolocation: 
|   HOP  RTT     ADDRESS                                                GEOLOCATION
|   1    2.09    192.168.1.1                                            - ,- 
|   2    25.55   core-xxxxx.grapevine.net.au (203.xxx.32.20)            -27,133 Australia (Unknown)
|   3    31.61   core-xxxxx.grapevine.net.au (203.xxx.32.25)            -27,133 Australia (Unknown)
|   4    25.02   xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)     -27,133 Australia (Unknown)
|   5    23.48   xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)            -27,133 Australia (Unknown)
|   6    43.45   ae2.br1.syd4.on.ii.net (150.101.33.22)                 -27,133 Australia (Unknown)
|   7    175.24  te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)           -27,133 Australia (Unknown)
|   8    181.29  TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)      38,-97 United States (Unknown)
|   9    310.46  telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)  51,0 United Kingdom (London)
|   10   309.63  212.111.33.238                                         51,0 United Kingdom (Unknown)
|_  11   338.95  hackertarget.com (178.79.163.23)                       51,0 United Kingdom (Unknown)

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   2.09 ms   192.168.1.1
2   25.55 ms  core-xxxxx.grapevine.net.au (203.xxx.32.20)
3   31.61 ms  core-xxxxx.grapevine.net.au (203.xxx.32.25)
4   25.02 ms  xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)
5   23.48 ms  xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)
6   43.45 ms  ae2.br1.syd4.on.ii.net (150.101.33.22)
7   175.24 ms te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)
8   181.29 ms TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)
9   310.46 ms telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)
10  309.63 ms 212.111.33.238
11  338.95 ms hackertarget.com (178.79.163.23)

HTTP Recon

Nmap comes with a wide range of NSE scripts for testing web servers and web applications. An advantage of using the NSE scripts for your HTTP reconnaissance is that you are able to test aspects of a web server against large subnets. This can quickly provide a picture of the types of servers and applications in use within the subnet.

4. http-enum.nse

One of the more aggressive tests, this script effectively brute forces a web server path in order to discover web applications in use. Attempts will be made to find valid paths on the web server that match a list of known paths for common web applications. The standard test includes testing of over 2000 paths, meaning that the web server log will have over 2000 entries that are HTTP 404 not found, not a stealthy testing option! This is very similar to the famous Nikto web server testing tool (that performs 6000+ tests).

nmap --script http-enum 192.168.10.55

Nmap scan report for ubuntu-test (192.168.10.55)
Host is up (0.024s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
| http-enum: 
|   /robots.txt: Robots file
|   /readme.html: WordPress version 3.9.2
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Additional options:

Specify base path, for example you could specify a base path of /pub/.

nmap --script -http-enum --script-args http-enum.basepath='pub/' 192.168.10.55

Nmap scan report for xbmc (192.168.1.5)
Host is up (0.0012s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /pub/: Root directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /pub/images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /pub/js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

5. HTTP Title

It is not a difficult thing to find the Title of the web page from a web server, this script just makes it easier to get those title's in one set of results from a range of IP addresses.

Having the title of the page included in the Nmap scan results can provide context to a host, that may identify the primary purpose of the web server and whether that server is a potential attack target.

nmap --script http-title -sV -p 80 192.168.1.0/24

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 20:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Linksys wireless-G WAP http config (Name RT-N16)
|_http-title: 401 Unauthorized
Service Info: Device: WAP

Nmap scan report for xbmc (192.168.1.115)
Host is up (0.0022s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).

Nmap scan report for 192.168.1.118
Host is up (0.0035s latency).
PORT   STATE SERVICE VERSION
80/tcp open  upnp    Epson WorkForce 630 printer UPnP (UPnP 1.0; Epson UPnP SDK 1.0)
|_http-title: WorkForce 630
Service Info: Device: printer; CPE: cpe:/h:epson:workforce_630

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (8 hosts up) scanned in 10.17 seconds

Microsoft Windows Network Recon

Find operating systems, users, processes and more from systems within your local windows network with these information gathering scripts. Generally these smb-* scripts will get you a lot more information if you have valid credentials. However, with even Guest or Anonymous access you will usually be able to at least expand your knowledge of the network.

6. smb-os-discovery.nse

Determine operating system, computer name, netbios name and domain with the smb-os-discovery.nse script. An example use case could be to use this script to find all the Windows XP hosts on a large network, so they can be unplugged and thrown out (Windows XP is no longer supported by Microsoft). The key advantage to using Nmap for something like this rather than a Microsoft native tool is that it will find all systems connected to the network not just those attached to a domain.

nmap -p 445 --script smb-os-discovery 192.168.1.0/24

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 23:32 EST

Nmap scan report for test1 (192.168.1.115)
Host is up (0.0035s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: ubuntu003
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: ubuntu003
|_  System time: 2023-02-24T23:34:41+10:00

Nmap scan report for 192.168.1.101
Host is up (0.018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: test-xp3
|   NetBIOS computer name: TEST-XP3
|   Workgroup: WORKGROUP
|_  System time: 2023-02-24T23:33:01+01:00

7. smb-brute.nse

Another example of the smb series of NSE scripts is the smb-brute.nse that will attempt to brute force local accounts against the SMB service.

While I would not classify brute forcing accounts as a recon function of the assessment process this script can lead to large amount of recon if we do get valid credentials as there are other smb-* scripts that can be leveraged to retrieve all local user accounts smb-enum-users.nse, groups smb-enum-groups.nse, processes smb-enum-processes.nse and even execute processes remotely with the smb-psexec.nse script.

nmap -sV -p 445 --script smb-brute 192.168.1.101

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 23:47 EST
Nmap scan report for 192.168.1.101
Host is up (0.060s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-brute: 
|_  No accounts found

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.04 seconds

As can be seen in the example above we have not found any accounts. So lets take a look at the activity on the wire while the smb-brute.nse script was running.

It is pretty clear from this Wireshark capture that sessions were being established and a large number of account credentials were being tested.

Digging deeper and finding Gold with Nmap NSE scripts

This was a quick skim of the capabilities of a sample of the Nmap NSE scripts. Time to look a bit deeper. There are literally hundreds of scripts now available and included in a regular Nmap installation. Each of the .nse files comes with documentation right there in the script or more information can be found on the NSE scripts documentation portal.

Locating NSE Scripts

To find the complete list of NSE scripts location on an Nmap installation use;

 $ locate *.nse 

or filter with area of interest such as below;

 $ locate nse | grep scripts | grep dns 

Take a look through the included scripts. There are many surprising finds, not only for recon, but also scripts for discovery of exploitable services.

  Updated: 24 February 2023

The post 7 Nmap NSE Scripts for Recon appeared first on HackerTarget.com.

The python script parses the Nmap XML output from the ssl-cert.nse script and produces csv output with the target SSL certificate details.

libssl-dev package

When compiling Nmap you need the libssl-dev package installed. Nmap nse scripts such as ssl-cert will not work without it.

Once this is installed ./configure, make, make install to install the latest version of Nmap.

apt-get install libssl-dev

Once the package is installed go ahead and install Nmap from source. Extract the source into a folder, configure and install.

Testing the SSL cert parse script

For a quick test of the SSL cert parse script I grabbed the top 25 computing sites from Alexa.

Start Nmap with the ssl-cert nse script. The -iL option loads the list 25 target host names with the -oX producing the Nmap XML results.

nmap -iL top25-tech.txt -sV -p 443 -oX nmap-results-top25 --script=ssl-cert

Python script

Once the scan has completed, the python script below can be used to parse the Nmap XML and produce the csv output. The results can be loaded into a spreadsheet, or parsed further, depending on your needs.

testuser@ubuntu:~$ python nmap-ssl-certs.py nmap-results-top25.xml
 
150.101.195.240,www.google.com,Google Inc,US,2014-05-07,2014-08-05
31.13.70.17,*.facebook.com,Facebook, Inc.,US,2014-02-28,2015-04-13
150.101.195.212,*.google.com,Google Inc,US,2014-05-07,2014-08-05
74.125.237.149,mail.google.com,Google Inc,US,2014-05-07,2014-08-05
98.139.183.24,www.yahoo.com,Yahoo Inc.,US,2014-04-09,2015-04-09
198.35.26.96,*.wikipedia.org,Wikimedia Foundation, Inc.,US,2012-10-21,2016-01-20
199.59.148.82,twitter.com,Twitter, Inc.,US,2014-04-08,2016-05-09
216.52.242.80,www.linkedin.com,LinkedIn Corporation,US,2013-12-19,2016-12-30
98.136.189.41,*.login.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
65.55.143.19,mail.live.com,Microsoft Corporation,US,2013-05-21,2015-05-22
150.101.195.216,*.google.com,Google Inc,US,2014-05-07,2014-08-05
150.101.195.227,*.google.com,Google Inc,US,2014-05-07,2014-08-05
119.160.243.163,search.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
192.0.82.252,wordpress.com,Automattic, Inc.,US,2014-04-16,2016-04-16
204.79.197.200,*.bing.com,Microsoft Corporation,US,2014-05-20,2016-05-19
54.225.139.43,*.pinterest.com,Pinterest Inc,US,2014-04-09,2017-04-13
66.235.120.127,,,,,
150.101.195.249,*.google.com,Google Inc,US,2014-05-07,2014-08-05
65.55.206.228,,,,,
66.211.169.66,paypal.com,PayPal, Inc.,US,2013-01-09,2015-01-11
134.170.188.221,microsoft.com,,,2013-06-20,2015-06-20
17.172.224.47,apple.com,Apple Inc.,US,2012-11-13,2014-11-03
23.23.110.81,*.imgur.com,Imgur, Inc.,US,2013-06-25,2016-08-31
198.252.206.140,*.stackexchange.com,Stack Exchange, Inc.,US,2013-07-02,2016-07-06
68.71.220.3,,,,,

The script is simple but it works. It should be pretty easy to read allowing modification to parse other NSE scripts and results from the Nmap XML output.

Parse XML data

There are many ways to parse XML data. The xml.dom method used here seems to be one of the more straightforward for parsing the Nmap XML. Another option could include using ElementTree, or even using xmlstarlet in bash as seen on this stack.exchange post.

#!/usr/bin/env python
import xml.dom.minidom
import sys
import getopt
try: 
    scandata = sys.argv[1]
except:
    print "*** You need to supply an Nmap XML file ***"
if scandata:
    doc = xml.dom.minidom.parse(scandata)
    output = []
    for host in doc.getElementsByTagName("host"):
        ip = ''
        commonName = ''
        organizationName = ''
        countryName = ''
        notBefore = ''
        notAfter = ''
        addresses = host.getElementsByTagName("address")
        ip = addresses[0].getAttribute("addr")                         # Get IP address from addr element 
        scripts = host.getElementsByTagName("script")
        for script in scripts:
              for elem in script.getElementsByTagName("elem"):         # Get cert details for each target 
                 try:
                    if elem.getAttribute("key") == 'commonName':
                       if commonName == '':                            # Only get the first commonName 
                           commonName =  elem.childNodes[0].nodeValue
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'organizationName':
                       if organizationName == '': 
                           organizationName =  elem.childNodes[0].nodeValue
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'countryName':
                       countryName =  elem.childNodes[0].nodeValue
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'notBefore':
                       notBefore =  elem.childNodes[0].nodeValue
                       notBefore = notBefore.split('T')[0]
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'notAfter':
                       notAfter =  elem.childNodes[0].nodeValue
                       notAfter = notAfter.split('T')[0]
                 except:
                    pass
        output.append(ip + ',' + commonName + ',' + organizationName + ',' + countryName + ',' + notBefore + ',' + notAfter)
    for i in output:
        print i

Nmap XML to CSV

Not specifically tied to the SSL results; we have another script that converts Nmap XML to CSV. This is an easy to use script that can be adapted to achieve the output needed for reporting.

Different organisations have different reporting requirements so this simple script was created to enable anyone to modify it as required with minimal python knowledge.

https://github.com/hackertarget/nmap-csv-xlsx

The post Parse Nmap XML to get SSL Certificate details appeared first on HackerTarget.com.

-sL  -n

Below we have listed the IP addresses in the target subnet -sL with no reverse DNS lookups -n

testsystem:~$ nmap -sL -n 192.168.1.0/30

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

grep | cut

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5.

testsystem:~$ nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3

0.0.0.0/0

Want to list 4 billion IP addresses? Use the very same command to list all possible IPv4 addresses target 0.0.0.0/0.

testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

The commands in the above examples send no packets to the target systems, Nmap is simply listing the IP addresses in the subnet. If we however do not use the -n the command will attempt to resolve each IP address, this will take longer and will send dns queries.

Further targeting parameters that may be of use

--exclude

When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example you could scan a subnet and use the --exclude parameter to not scan an IP within that range.

--dns-server

Use a dns server that is different than the default to perform reverse dns lookups --dns-server.

-iL

Select targets from a file using the -iL option. You can use a file containing a list of IP addresses, subnets and hostnames, one per line to feed into Nmap. From this file we could create a full list of all IP addresses.

The post List all IPs in Subnet with Nmap appeared first on HackerTarget.com.

First, a working version of Nmap (at least version 6.25), this is not difficult to find or install. So lets jump ahead to running an NSE Script to detect the Heartbleed vulnerability.

Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:

ssl-heartbleed.nse tls.lua

Now place the tls.lua in the nselib directory on the system you are running Nmap on. Note: I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).

Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.

nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1

It really is as simple as that, point to the nse script with the --script= and you are cooking! Even better as this is using Nmap, we can scan entire ranges of IP addresses for the vulnerability.

Testing for the vulnerability

Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0059s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE     VERSION
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/
Service Info: Host:  firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not good! looks to be well and truly vulnerable.

Upgrade OpenVPN

OpenVPN had advised that upgrades are required. It was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network.

Lets try again with another test.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0011s latency).
PORT    STATE SERVICE VERSION
443/tcp open  ssl     OpenSSL (SSLv3)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Looks good to me, upgrade successful.

The post Testing Heartbleed with the Nmap NSE script appeared first on HackerTarget.com.

In this high-level comparison of Nessus, Nexpose, and OpenVAS, I have not attempted a detailed metric-based analysis with the reason being it would be difficult to get a conclusive result due to the large differences in detection and the categorization of vulnerabilities by the different solutions.

Background Info

The testing deliberately focuses on network vulnerability scanning capabilities rather than looking at the web application vulnerability detection in detail. Here at Hacker Target, we believe a network vulnerability scanner must be capable of identifying poorly configured services, default services that have poor security, and software with known security vulnerabilities.

Notes on the Vulnerability Scanner Testing

• Apart from NMAP, external tools that OpenVAS can use have not been installed. These external tools are mostly web application vulnerability detection tools, including wapiti, Arachni, Nikto and Dirb.
• OpenVAS version 5 has been tested with the full scan profile. Ports were all TCP ports scanned with Nmap and top 100 UDP ports.
• Nessus version 5 was launched using the External network scan profile. It was also tested with Internal Network Scan however, results were similar.
• The Nexpose scanner was executed with the Full audit profile.
• No tweaking of default scan profiles was undertaken.
• No credentials were used during the scan. It was an external network service focused scan.

These results are only a quick overview. I have not followed up every discovered vulnerability to determine false positives and false negatives.

Edit 1st of September 2012 (clarification of scanner versions and plugins used)
Nessus : The home feed was used for the Nessus testing. According to the Tenable website The Nessus HomeFeed gives you the ability to scan your personal home network (up to 16 IP addresses) with the same high-speed, in-depth assessments and agentless scanning convenience that ProfessionalFeed subscribers enjoy.. Note when using the Nessus scanner with the home feed it cannot be used in a professional or commercial environment.
OpenVAS : The default OpenVAS 5 open source signatures and software was used. This is free to use under the GNU General Public License (GNU GPL).
Nexpose : The community version of Nexpose was tested. According to the Rapid7 website " Nexpose Community Edition is powered by the same scan engine as award-winning Nexpose Enterprise Edition and offers many of the same features." With this version you can scan up to 32 IP addresses.

And now for the results.....

Nessus 5 External Network Profile	Critical 3 High 6 Medium 22 Low 8 Info 137
OpenVAS 5 Full Audit Scan Profile	High 38 Medium 24 Low 36 Log 44
Nexpose Full Audit Scan Profile	Critical 49 Severe 103 Moderate 18

These total numbers, without any context around the categorization of findings or the accuracy of the results, provides us little value, except to highlight the wide variation in results from the different scanners.

Analysing a specific sample of Security Issues

In order to look at some more meaningful results, I have examined a sample set of exploitable and mis-configured services on the Metasploitable system.

At the last minute I decided to include Nmap with its NSE scripts against the Metasploitable host. The results were interesting to say the least, while not a full blown vulnerability scanner the development of the NSE scripting ability in Nmap makes this powerful tool even more capable.

the numbers get interesting...

These are the numbers of vulnerabilities correctly discovered and rated by each vulnerability scanner from the sample set of exploitable services.

Security Issue	Nessus	OpenVAS	Nexpose	Nmap
FTP 21 Anonymous FTP Access
FTP 21 VsFTPd Smiley Face Backdoor
FTP 2121 ProFTPD Vulnerabilities
SSH 22 Weak Host Keys
PHP-CGI Query String Parameter Injection
CIFS Null Sessions
INGRESLOCK 1524 known backdoor drops to root shell
NFS 2049 /* exported and writable
MYSQL 3306 weak auth (root with no password)
RMI REGISTRY 1099 Insecure Default Config
DISTCCd 3632 distributed compiler
POSTGRESQL 5432 weak auth (postgresql)
VNC 5900 weak auth (password)
IRC 6667 Unreal IRCd Backdoor
Tomcat 8180 weak auth (tomcat/tomcat)

Notes about the sample set of tests

• All the above vulnerabilities and mis-configurations, except for Anonymous FTP, can be exploited to gain shells on the system (in most cases with root privileges) using Metasploit or other methods.
• There are a number of examples where the scanners do not detect weak or default credentials. While not specifically testing passwords, if MySQL is being checked for weak credentials why not other services?
• Items such as the INGRESLOCK backdoor and the Unreal IRCd vulnerability are fairly obscure, however, this makes them good examples for testing overall capability.
• The Metasploitable version 2 release page has good examples of exploiting many of the mis-configurations in this list. This highlights not only how a poorly configured service can lead to a root shell but also the fact that vulnerability scanners need to be able to detect these types of security related mis-configurations.

These scans were conducted in a black box manner, when running internal scans it is recommended to perform credential supplied scanning. This means providing the vulnerability scanning tool with valid Windows domain, SSH, or other valid authorisation so it can perform checks against the local system. This is of most value when looking for missing patches in an operating system or third party software and detecting installed applications.

Conclusion

An organisation wishing to secure its IT infrastructure needs to implement Vulnerability scanning as it is essential to Security Control.

Vulnerability scanning is recommended by the SANS Institute as a Critical Control and US-based NIST as a Security Management Control.

The results shown in this article show significant variation in discovered security vulnerabilities by different tools. It may be helpful to compare vulnerability scanners to anti-virus solutions. Both are important to security control and will enhance an organisation's security posture. However, as with anti-virus, a vulnerability scanner will not find all the bad things.

The following is common knowledge for most in the security industry who perform network vulnerability testing;

• Check results for accuracy -> false positives.
• Actively look for things that were missed -> false negatives.

A recommended approach to vulnerability scanning

• Tune the vulnerability scan profiles to suit your requirements
• Perform a detailed analysis of the results
• Run secondary tools such as Nmap, a secondary vulnerability scanning solution and/or specialised tools. The use of multiple tools will provide a greater level of coverage and assist in confirming discovered vulnerabilities.

Performing internal focused testing in conjunction with external facing vulnerability scans adds value when working to secure Internet connected networks or servers.

The post Nessus, OpenVAS and Nexpose VS Metasploitable appeared first on HackerTarget.com.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing:

• Plugins is achieved by testing URL's: http://myexampleblog.cm/wp-content/plugins/$pluginname
• Usernames can be brute forced with a POST request to the login form (Incorrect username)
• Passwords can be brute forced (with valid username) by hitting the login form

Additionally username's can also be gathered through some WordPress themes, RSS feeds, and author page URI's such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed... don't they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

The post Security Testing WordPress appeared first on HackerTarget.com.

It is a new web interface for Snort that is very pretty, but also simple. An excellent introduction to Intrusion Detection Systems, that is not going to scare anyone away.

Now how to I get hold of this I hear you cry.... head over here and grab the preconfigured security appliance.

I downloaded the iso, fired up a virtualbox machine and away it went. Seriously a working Snort install in under 10mins. Nice!

Obviously you want to test your snort, so I fired off an nmap scan with the script option against my Windows XP SP2 test machine.

# nmap -sC 192.168.56.101

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-06-02 10:19 EST
Nmap scan report for 192.168.56.101
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:22:22:22:22:22 

Host script results:
|_nbstat: NetBIOS name: ASDF, NetBIOS user: , NetBIOS MAC: 22:22:22:22:22:22
| smb-os-discovery:  
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\ASDF
|_  System time: 2010-06-02 10:19:58 UTC-7
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 12.09 seconds

Snorby showed me some nice port scan alerts (see image)

Now I was running through my guide to Metasploit 3.4.0 and figured I would see something in Snorby. As shown in the guide I successfully ran metasploit with ms08_067 exploit using a meterpreter payload and a vnc dll injection payload. Gaining full access to the Windows XP SP2 machine.

Snorby (and Snort) results show nothing.

Hmm, Snorby is running with up to date rules from emerging threats and snort. I was quite surprised and will be looking into the reasons for this in the near future. I would have thought I would have triggered something in the snort rules during this exploit.

The post Metasploit vs Snort as Snorby appeared first on HackerTarget.com.

Nmap Target Selection

These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.

Nmap Port Selection

Nmap Port Scan types

Privileged access is required to perform the default SYN scans. If privileges are insufficient a TCP connect scan will be used. A TCP connect requires a full TCP connection to be established and therefore is a slower scan.

Ignoring discovery is often required as many firewalls or hosts will not respond to PING. Selection option to disable Ping -Pn. This can make scan times much longer as you could end up sending scan probes to hosts that are not there.

Take a look at the Nmap Tutorial for a detailed look at the scan process.

Service and OS Detection

Service and OS detection rely on different methods to determine the operating system or service running on a particular port. The more aggressive service detection is often helpful if there are services running on unusual ports. On the other hand the lighter version of the service will be much faster as it does not really attempt to detect the service simply grabbing the banner of the open service.

Nmap Output Formats

The default format could also be saved to a file using a simple file redirect command > file. Using the -oN option allows the results to be saved but also can be monitored in the terminal as the scan is under way.

Nmap Output to CSV

Nmap by default has no csv output format. Use the XML output to extract the relevant fields into csv with python.

Jump over to github and grab our sample script that can be easily modified depending on your requirements. With csv files it is easy to convert into xlsx for reporting. This can be done manually or using our python conversion script.

Digging deeper with NSE Scripts

A search on Kali shows 609 NSE scripts. These scripts can perform a wide range of security-related testing and discovery functions. Get serious about network scanning and take the time to get familiar with some of them.

The option --script-help=$scriptname will display help for the individual scripts. To get a list of the installed scripts use locate *.nse.

The above examples use the --sV service detection flag. Generally, most NSE scripts will be more effective and will achieve better coverage by including service detection.

A scan to search for DDOS reflection UDP services

UDP based DDOS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place. Full details of the command and the background can be found on the Sans Institute Blog where it was first posted.

HTTP Service Information

There are many HTTP information gathering scripts, here are a few that are simple but helpful when examining larger networks. Helps in quickly identifying what the HTTP service that is running on the open port. Note the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generated hundreds of 404 HTTP responses in the web server error and access logs.

Detect Heartbleed SSL Vulnerability

Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (Requires Nmap 6.46).

IP Address information

Gather information related to the IP address and netblock owner of the IP address. Uses ASN, whois and geoip location lookups. See the IP Tools for more information and similar IP address and DNS lookups.

Remote Scanning

Testing your network perimeter from an external perspective is key when you wish to get the most accurate results. By assessing your exposure from the attackers perspective you can validate firewall rule audits and understand exactly what is allowed into your network.

To enable remote scanning easily and effectively use the hosted or online version of the Nmap port scanner. Because anyone who has played with shodan.io knows very well how badly people test their perimeter networks.

Additional Resources

The above commands are just a taste of the power of Nmap. Check out the following articles for more information and go further with Nmap.

To view the full set of features run Nmap with no options. The creator of Nmap, Fyodor, has a book available that covers the tool in depth.

The post Nmap Cheat Sheet appeared first on HackerTarget.com.