Whether you’re in the information security industry, have played Capture The Flag competitions, or are just someone who likes cyber security, you have probably heard of the tool named NMAP.
What is NMAP?
Short for Network Mapper, it is used by numerous professionals for network discovery and security auditing.
What makes NMAP special?
Let me save you some time: read about it on the official nmap page.
It has also been featured in some popular movies.
Example of NMAP in action? Sure.
Enough talking. Let me walk the talk.
There are different versions of NMAP. If you prefer a GUI and fancy displays you might want to use Zenmap, which is also found on the nmap page. But if you’re a command line hero like me, you can use the nmap executable/binary, whatever you want to call it.
- Okay, so first of all, to use nmap in the terminal or command prompt we call the name of the tool or binary, which is:
nmap
- How I like to supply arguments or information to nmap is:
nmap <target>
- By default NMAP scans the top 1000 ports if you didn’t supply any flags.
- What are flags, you might ask?
nmap <target> -sCV
- See that -sCV? It’s short for -sV and -sC. -sV stands for probe the port to determine the version or service. Basically, if we scan port 80, -sV will knock on the door and ask questions like:
Who are you? Oh, you’re an HTTP service?
How old are you? Oh, you’re Apache 2.4.7?
- -sC basically stands for run default scripts. NMAP has a lot of scripts to run against a target, but that’s another blog post for another day.
- How do I know all this? It’s from muscle memory, and the help command is always there.
nmap -h
outputs:
Still want to see how NMAP scripts work? Sure.
- So earlier in the screenshot, we saw in the http-generator output that it’s running Drupal 7.
- If you don’t know Drupal 7, it’s basically a content management system. Think of it as a sibling of WordPress. It’s something you use to create a blog or perhaps a website for your customers.
- From my experience, I already know Drupal 7 is usually a red flag and is usually exploitable.
- Sure, I could use any scripts or scanners to detect or exploit the vulnerability, but let’s use NMAP.
- Searching on the nmap page, there is a script we can use for this called http-vuln-cve2014-3704.
- How do we use the script? Let’s look at the nmap official page.
nmap --script http-vuln-cve2014-3704 --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" <target>
- Whoa, that’s a lot. First of all we use the --script flag to specify which script we want to use, in this case http-vuln-cve2014-3704.
- The script has arguments we can supply with --script-args. The argument is called http-vuln-cve2014-3704.cmd= and we can supply any command we want. In this case we are running uname -a, which basically prints the OS version of the system.
- Finally it expects another argument, http-vuln-cve2014-3704.uri=, and it defaults to /drupal, so that’s fine.
- And finally we just enter our target!
- For my solution, I basically added the -p flag, which means specify which port we want to target, and since I know Drupal 7 was running on port 80 we set it to that. Do know that you can put the target (in my case it was 192.168.64.193) anywhere, whether at the front or the back of the command.
- Here we can see some info outputted from NMAP.
- You might not understand it, but that’s another blog post for another day.
Conclusion
NMAP is a super cool tool. Rustscan is also something I use for port scanning, and it can be used together with NMAP to make a perfect combo. But mastering and using NMAP is a step that you must take.