Nmap is not only the best port-scanning tool out there, but also a very good service-level enumeration tool with support for customized scripts and hundreds of publicly available scripts ready to use out of the box. This is possible through the Nmap Scripting Engine (NSE), Nmap’s most powerful feature that gives its users the ability to write their own scripts and use Nmap for more than just port scanning.
Nmap’s pre-installed scripts can be found at
/usr/share/nmap/scripts. Script names are assigned prefixes according to which service they are meant for - making it easier to search for service-specific scripts:
root@server:/usr/share/nmap/scripts# ls ssh-* ssh-auth-methods.nse ssh-brute.nse ssh-hostkey.nse ssh-publickey-acceptance.nse ssh-run.nse
SSH (Secure Shell) is a widely used remote access protocol present in almost any network, making it a very important service to enumerate. Nmap ships with multiple ready-to-use SSH enumeration scripts that aid in identifying authentication methods, grabbing SSH host keys, checking if certain public keys are accepted, detecting SSHv1 servers and running brute-force attacks.
SSH servers by default allow both key-based and password-based authentication, but the latter is commonly considered insecure and may be disabled as an effort towards security hardening. A system administrator managing multiple SSH servers might be interested in ensuring that no SSH server in the network is accepting password-based authentication.
This is where the
ssh-auth-methods script comes in. It communicates with the SSH server directly to identify supported authentication methods:
nmap --script ssh-auth-methods 192.168.6.134
The supported authentication methods will be returned:
| ssh-auth-methods: | Supported authentication methods: | publickey |_ password
Nmap is also equipped with a basic SSH brute-force script that uses username and password wordlists, and tries the combinations against an SSH server. Keep in mind however that this script is not optimized or recommended for brute-force attacks, and may not work as well as fully-fledged brute-force tools.
As with any other tool, specifying username and password wordlists is recommended:
nmap --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt 192.168.6.134
The script will try the credentials and return any match:
| ssh-brute: | Accounts: | root:letmein - Valid credentials
SNMP (Simple Network Management Protocol) is a network management protocol used to remotely monitor or manage a system - making SNMP servers a common target as they can be used to extract a wide range of information from the system.
SNMP uses community strings for authentication, which are communicated in plaintext in SNMP versions 1 and 2. Moreover, SNMP does not have a defense mechanism against brute-force attacks - making it easier for an attacker to find a community string.
Nmap includes various scripts for enumerating SNMP services:
root@server:/usr/share/nmap/scripts# ls snmp-* snmp-brute.nse snmp-hh3c-logins.nse snmp-info.nse snmp-interfaces.nse snmp-ios-config.nse snmp-netstat.nse snmp-processes.nse snmp-sysdescr.nse snmp-win32-services.nse snmp-win32-shares.nse snmp-win32-software.nse snmp-win32-users.nse
Brute-force community strings
SNMP servers may be configured to accept any number of community strings, each of which may be assigned different permissions and restrictions on what information can be accessed. Community strings are either read-only or read-write,
public being read-only and
private being read-write in most default installations.
snmp-brute script is used to brute-force community strings. For better results it can be paired with a wordlist retrieved from SecLists that contains common SNMP community strings:
nmap -p 161 -sU --script snmp-brute --script-args snmp-brute.communitiesdb=./SecLists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.6.2
Valid community strings will be returned:
PORT STATE SERVICE | snmp-brute: | public - Valid credentials |_ private - Valid credentials |_ Secret - Valid credentials
Once a valid community string is found, we can dive deeper into the enumeration scripts and extract information about the target’s network interfaces, network connections and processes - which is essentially very important information looked for during the reconnaissance phase.
Let’s start by querying network interfaces from the SNMP server, which is done with the
snmp-interfaces script. Keep in mind that by default the
public community string is used for queries, but a different one may be specified via the
nmap -p 161 -sU --script snmp-interfaces --script-args creds.snmp=Secret 192.168.6.2
This reveals all the network interfaces and assigned IP addresses:
| snmp-interfaces: | eth0 | IP address: 192.168.6.2 Netmask: 255.255.255.0 | MAC address: 52:54:00:bb:8e:bf (QEMU virtual NIC) | Type: ethernetCsmacd Speed: 0 Kbps | Status: up |_ Traffic stats: 53.08 Kb sent, 605.08 Kb received
Similarly, we can use the
snmp-netstat script to query all active network connections:
root@desktop:~# nmap -p 161 -sU --script snmp-netstat --script-args creds.snmp=Secret 192.168.6.2 | snmp-netstat: | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 10.77.25.1:9728 0.0.0.0:0 | TCP 127.0.0.1:42965 0.0.0.0:0 | TCP 127.0.0.53:53 0.0.0.0:0 | TCP 172.17.0.1:50250 172.17.0.2:22 | TCP 192.168.6.2:22 192.168.6.254:58802 | UDP 0.0.0.0:161 *:* |_ UDP 127.0.0.53:53 *:*
Apart from network connections, it’s also possible to reveal all processes running in the target server via the
root@desktop:~# nmap -p 161 -sU --script snmp-processes --script-args creds.snmp=Secret 192.168.6.2 | snmp-proc | 1: | Name: System Idle Process | 4: | Name: System | 256: | Name: smss.exe | Path: \SystemRoot\System32\ [output omitted]
More information can be accessed if the SNMP server is running on a windows environment:
- Services - snmp-win32-services.nse
- File shares - snmp-win32-shares.nse
- Installed software - snmp-win32-software.nse
- Users - snmp-win32-users.nse
SMB (Server Message Block) is a communication protocol for sharing files, printers and serial ports over a network. The protocol was primarily developed and designed for Windows environments, but is also used to share files between Windows and Linux/Unix environments thanks to the Samba project.
SMB comes with a big history of vulnerabilities, making it a primary target and quite dangerous if left insecure, either due to unpatched vulnerabilities or misconfigurations. To give you an idea, the WannaCry ransomware exploited a vulnerability affecting SMB in Windows.
Nmap includes over 30 ready-to-use SMB scripts that offer service-level enumeration and vulnerability scanning, which can help identify potential misconfigurations and/or vulnerabilities.
An SMB server may be configured to accept only one of two security levels, which differ in how a user is authenticated:
- User-level authentication - classic username and password authentication
- Share-level authentication - anonymous account is used to log in, after which the password is given
On top of the chosen security level, additional security measures such as message signing and challenge/response passwords can be configured:
- Challenge/response passwords - any type of password can be used for authentication
- Message signing - all messages exchanged between the client and the server must be signed
Different configurations of security levels are called security modes.
The general security configuration of an SMB server can be retrieved with the
nmap --script smb-security-mode <target>
The script queries the SMB server and shows which security measures are configured:
| smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default)
From the above output, we can see that user-level authentication is used with support for challenge/response passwords.
System users can be enumerated through SMB with the
nmap --script smb-enum-users <target>
Valid user RIDs are retrieved and converted to names with the help of an internal function, after which more information about the user is given:
| smb-enum-users: | SERVER\admin (RID: 1000) | Full name: Davey | Description: I manage thee | Flags: Normal user account | SERVER\david (RID: 1001) | Full name: David | Description: Software engineer | Flags: Normal user account | SERVER\john (RID: 1002) | Full name: John | Description: Intern |_ Flags: Normal user account
Depending on the SMB server, this may either list all system users or only users that have access to the SMB server.
Credentials of SMB users can be brute-forced with the
nmap --script smb-brute --script-args smbtype=v2 <target>
The authentication type used by this script is not always compatible with what the target SMB server supports. For this reason, another authentication type was specified via the smbtype script argument.
| smb-brute: | david:monkey => Valid credentials |_ john:john => Valid credentials
Enumerating & Listing Shares
Available file shares can be enumerated with the
nmap --script smb-enum-shares <target>
By default, the script uses guest permissions to list only publicly available shares - private shares will be left out as they are not accessible with guest permissions.
| smb-enum-shares: | account_used: guest | \\192.168.6.2\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (server server (Samba, Ubuntu)) | Users: 1 | Max Users: <unlimited> | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\192.168.6.2\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: <unlimited> | Path: C:\var\lib\samba\printers | Anonymous access: <none> | Current user access: <none> | \\192.168.6.2\employees: | Type: STYPE_DISKTREE | Comment: | Users: 0 | Max Users: <unlimited> | Path: C:\samba\public_share | Anonymous access: READ/WRITE |_ Current user access: READ/WRITE
The script can be paired with
smb-ls script for automatic listing of all enumerated shares:
nmap --script smb-enum-shares,smb-ls <target>
All available shares identified by the
smb-enum-shares script will be passed on to the
smb-ls script, and then listed:
| smb-enum-shares: | account_used: guest | \\192.168.6.2\employees: | Type: STYPE_DISKTREE | Comment: | Users: 0 | Max Users: <unlimited> | Path: C:\samba\public_share | Anonymous access: READ/WRITE |_ Current user access: READ/WRITE | smb-ls: Volume \\192.168.6.2\employees | SIZE TIME FILENAME | <DIR> 2020-02-25 14:36:12 . | <DIR> 2020-02-21 14:46:20 .. | 57310 2020-02-21 14:46:20 company_clients.csv |_
NFS (Network File System) is a network file sharing protocol that gives servers the capability to export and share file systems, which can then be mounted and locally accessed by permitted clients. A table of all exports is kept in
/etc/exports, along with whitelisted IP address(es) and access control lists.
Nmap ships with three out-of-the-box NFS enumeration scripts:
root@server:/usr/share/nmap/scripts# ls nfs-* nfs-ls.nse nfs-showmount.nse nfs-statfs.nse
Enumerating Shares (Exports)
Retrieving all configured exports is pretty simple and can be done with the
nmap --script nfs-showmount <target>
The script retrieves all exports and whitelisted IP addresses:
| nfs-showmount: | /var/nfs/public 192.168.1.1/24 |_ /var/nfs/Jack-confidential 192.168.1.67
This is similar to
showmount -e <host> which shows exactly the same information:
root@desktop:~# showmount -e server Export list for server: /var/nfs/public 192.168.1.1/24 /var/nfs/Jack-confidential 192.168.1.67
nfs-ls script is useful for getting an overview of file contents without manually mounting and accessing a remote share:
nmap --script nfs-ls <target>
When executed, all files in the share’s parent directory and permitted access rights are shown:
| nfs-ls: Volume /var/nfs/public | access: Read Lookup Modify Extend Delete NoExecute | PERMISSION UID GID SIZE TIME FILENAME | rwxr-xr-x 65534 65534 4096 2020-05-05T11:25:58 . | rwxr-xr-x 0 0 4096 2020-05-05T11:25:58 .. | rw-r--r-- 0 0 90 2020-05-05T11:25:58 README.md | rwxr-xr-x 0 0 4096 2020-05-05T11:25:58 files
Keep in mind that the
nfs-ls script is only meant for a general overview of a share’s contents and doesn’t have features such as recursive listing implemented. However, it’s fairly easy to manually mount a share and take a look around:
sudo mkdir -p /nfs/public sudo mount server:/var/nfs/public /nfs/public
That’s all it takes to mount a share locally - you can now head to
/nfs/public in your machine and browse the file share.
The Nmap Scripting Engine offers advanced service-level enumeration and takes it one step further by allowing for customized scripts, which may be written from scratch to meet personal demands. Hundreds of enumeration scripts for common services are included out of the box - which may be utilized by anyone interested in testing the security of their network services.