Nmap Commands


TNA - Leblon - Infrastructure Assessment

Windows Terminal Services enabled

--> Remote into workstation 192.168.79.253 and take a screenshot of the login screen

Example Usage
--> nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

Script Output
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote
| attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote
| attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002

Terminal Services with Network Level Authentication disabled

Example Usage
--> nmap -p 3389 --script rdp-enum-encryption <ip>

Script Output
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP: SUCCESS
| Native RDP: SUCCESS
| SSL: SUCCESS
| RDP Encryption level: High
| 128-bit RC4: SUCCESS
|_ FIPS 140-1: SUCCESS

Use of the default SNMP community string

--> nmap -sU --script snmp-brute

Example Usage
-->nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]

Script Output
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| dragon - Valid credentials
|_ jordan - Valid credentials

Support for RC4 ciphers on the SSL certificate

-->nmap --script ssl-enum-ciphers -p 443

Example Usage
-->nmap -sV --script ssl-enum-ciphers -p 443 <host>

Script Output
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| Weak certificate signature: SHA1
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
|_ least strength: C

DNS server cache snooping

-->nmap -sU -p 53 --script dns-cache-snoop.nse --script-args='dns-cache-snoop.mode=timed' 192.168.61.252

-->nmap -sU -p 53 --script dns-cache-snoop.nse 192.168.61.252

Example Usage
-->nmap -sU -p 53 --script=dns-recursion <target>

Script Output
PORT STATE SERVICE REASON
53/udp open domain udp-response
|_dns-recursion: Recursion appears to be enabled

Example Usage
-->nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>

Script Output
PORT STATE SERVICE REASON
53/udp open domain udp-response
| dns-cache-snoop: 10 of 100 tested domains are cached.
| www.google.com
| facebook.com
| www.facebook.com
| www.youtube.com
| yahoo.com
| twitter.com
| www.twitter.com
| www.google.com.hk
| www.google.co.uk
|_www.linkedin.com

RDP - Encryption

nmap -p 3389 --script rdp-enum-encryption 192.168.61.252


Outdated encryption protocol

--> sslscan 192.168.78.202:1433

Example Usage
-->nmap -sV -sC 192.168.78.202

Script Output
443/tcp open https syn-ack
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_IDEA_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5

Example Usage
-->nmap -sV --version-light --script ssl-poodle -p 443 <host>

Script Output
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 OSVDB:113251
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
| other products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| http://osvdb.org/113251
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf

Possible denial of service via SNMP

--> snmp-check 192.168.79.249

--> nmap -sU --script snmp-brute 192.168.79.249

Example Usage
-->nmap -sU -sV -p 161 192.168.79.249

Script Output
161/udp open snmp udp-response ttl 244 ciscoSystems SNMPv3 server (public)
| snmp-info:
| enterprise: ciscoSystems
| engineIDFormat: mac
| engineIDData: 00:d4:8c:00:11:22
| snmpEngineBoots: 6
|_ snmpEngineTime: 358d01h13m46s

Example Usage
-->nmap -sV <target>


Possible login via SMB

-->smbclient -L 192.168.79.253 -U guest

Example Usage
-->nmap --script smb-enum-users.nse -p445 <host>
-->nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Script Output
Host script results:
| smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
| smb-enum-users:
| | RON-WIN2K-TEST\Administrator (RID: 500)
| | | Description: Built-in account for administering the computer/domain
| | |_ Flags: Password does not expire, Normal user account
| | RON-WIN2K-TEST\Guest (RID: 501)
| | | Description: Built-in account for guest access to the computer/domain
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
| | | Full name: Internet Guest Account
| | | Description: Built-in account for anonymous access to Internet Information Services
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
| | | Full name: Launch IIS Process Account
| | | Description: Built-in account for Internet Information Services to start out of process applications
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\test1234 (RID: 1005)
| | |_ Flags: Normal user account
| | RON-WIN2K-TEST\TsInternetUser (RID: 1000)
| | | Full name: TsInternetUser
| | | Description: This user account is used by Terminal Services.
|_ |_ |_ Flags: Password not required, Password does not expire, Normal user account

Example Usage
-->nmap --script smb-security-mode.nse -p445 127.0.0.1
-->sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1

Script Output
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

Example Usage
-->nmap -p445 --script smb-vuln-ms17-010 <target>
-->nmap -p445 --script vuln <target>

Script Output
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

DHCP server detection

Example Usage
-->nmap -sU -p 67 --script=dhcp-discover <target>

Script Output
Interesting ports on 192.168.1.1:
PORT STATE SERVICE
67/udp open dhcps
| dhcp-discover:
| DHCP Message Type: DHCPACK
| Server Identifier: 192.168.1.1
| IP Address Lease Time: 1 day, 0:00:00
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
|_ Domain Name Server: 208.81.7.10, 208.81.7.14

Example Usage
-->sudo nmap --script broadcast-dhcp-discover

Script Output
| broadcast-dhcp-discover:
| IP Offered: 192.168.1.114
| DHCP Message Type: DHCPOFFER
| Server Identifier: 192.168.1.1
| IP Address Lease Time: 1 day, 0:00:00
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
| Domain Name Server: 192.168.1.1
|_ Domain Name: localdomain

Use of a weak encryption algorithm

-->nmap -p 3389 --script ssl-enum-ciphers

Untrusted SSL certificate

Example Usage
-->nmap -p 443 --script ssl-cert-intaddr <target>

Script Output
443/tcp open https
| ssl-cert-intaddr:
| Subject commonName:
| 10.5.5.5
| Subject organizationName:
| 10.0.2.1
| 10.0.2.2
| Issuer emailAddress:
| 10.6.6.6
| X509v3 Subject Alternative Name:
|_ 10.3.4.5

SSL certificate with wrong hostname

-->sslscan --show-certificate

Example Usage
-->nmap -p 1433 --script ssl-cert-intaddr 192.168.78.202


SSL certificate chain contains RSA keys shorter than 2048 bits

nmap --script=ssl-cert.nse

Example Usage
-->nmap -sV -sC <target>

Script Output
443/tcp open https
| ssl-cert: Subject: commonName=www.paypal.com/organizationName=PayPal, Inc.\
/stateOrProvinceName=California/countryName=US
| Not valid before: 2011-03-23 00:00:00
|_Not valid after: 2013-04-01 23:59:59


Debug method enabled - HTTP OPTIONS

Example Usage
-->nmap --script http-methods <target>
-->nmap --script http-methods --script-args http-methods.url-path='/website' <target>

Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS

IP forwarding

Example Usage
sudo nmap -sn 192.168.78.254 --script ip-forwarding --script-args='target=www.amazon.com'

Script Output
| ip-forwarding:
|_ The host has ip forwarding enabled, tried ping against (www.example.com)
