Nmap is a Swiss Army knife

Nmap, the popular port scanning tool, is more than that. Besides port scanning, its scripting engine (NSE) can do much more:

It can scan for vulnerabilities:

# nmap -Pn --script vuln latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:43 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.064s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open  https
| http-aspnet-debug:
|_  status: DEBUG is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=latebits.com
|   Found the following possible CSRF vulnerabilities:
|
|     Path: https://latebits.com:443/
|     Form id:
|_    Form action: https://latebits.com/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Here is a link with more info on vulnerability scanning:
https://securitytrails.com/blog/nmap-vulnerability-scan

It can do whois and ASN lookups:

# nmap --script=whois-ip latebits.com

Host script results:
| whois-ip: Record found at whois.arin.net
| netrange: 35.192.0.0 - 35.207.255.255
| netname: GOOGLE-CLOUD
| orgname: Google LLC
| orgid: GOOGL-2
| country: US stateprov: CA
| orgtechname: Google LLC
|_orgtechemail: arin-contact@google.com

# nmap --script=asn-query latebits.com

Host script results:
| asn-query:
| BGP: 35.198.0.0/16 | Country: US
|   Origin AS: 15169 - GOOGLE, US
|_    Peer AS: 209 6453

It can enumerate the SSL/TLS ciphers and inspect the certificate:

# nmap -sV -p 443 --script ssl-enum-ciphers latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:22 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.046s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

# nmap -sV -p 443 --script ssl-cert latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 13:08 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.046s latency).
rDNS record for 35.198.120.103: 103.120.198.35.bc.googleusercontent.com

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-cert: Subject: commonName=latebits.com
| Subject Alternative Name: DNS:latebits.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-08-07T17:24:28
| Not valid after:  2020-11-05T17:24:28
| MD5:   d96f ba51 7079 7b41 f816 1c40 5cd8 ea79
|_SHA-1: b5c1 35cc 372f 4692 cf7c 4ef5 419b 53e2 9c54 e28b
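Reading these two listings by eye works for one host, but once the scan runs on a schedule (as in the automation at the end of this post) the output is better checked by a script. The following is an added example, not code from the original post: it parses the normal-output text of ssl-enum-ciphers and ssl-cert exactly as printed above (the two sample strings are copied from the latebits.com scans) and flags what a reviewer would care about beyond Nmap's own letter grade: legacy protocol versions, suites Nmap grades below A, static RSA key exchange (no forward secrecy), CBC-mode suites, SHA-1-signed certificates and certificates close to expiry. The warning thresholds and the timestamp passed as "now" are this example's own assumptions.

```python
"""Audit the normal-output text of Nmap's ssl-enum-ciphers and ssl-cert
scripts. Added example; the two sample outputs are copied from the scans of
latebits.com shown on the page, the policy below is this example's own."""
import re
from datetime import datetime

# Sample ssl-enum-ciphers output (copied from the page's scan).
CIPHER_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Sample ssl-cert output (copied from the page's scan).
CERT_OUTPUT = """\
| ssl-cert: Subject: commonName=latebits.com
| Subject Alternative Name: DNS:latebits.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-08-07T17:24:28
| Not valid after:  2020-11-05T17:24:28
| MD5:   d96f ba51 7079 7b41 f816 1c40 5cd8 ea79
|_SHA-1: b5c1 35cc 372f 4692 cf7c 4ef5 419b 53e2 9c54 e28b
"""

PROTO_RE = re.compile(r"^\s*(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\s*(TLS_\S+) \(([^)]*)\) - ([A-F])\s*$")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # assumption: treat as legacy


def parse_ciphers(text):
    """Return {protocol: [(cipher_name, kex_info, nmap_grade), ...]}."""
    result, proto = {}, None
    for line in text.splitlines():
        b = line[2:]  # drop the "| " / "|_" prefix Nmap puts on script output
        m = PROTO_RE.match(b)
        if m:
            proto = m.group(1)
            result[proto] = []
            continue
        m = CIPHER_RE.match(b)
        if m and proto is not None:
            result[proto].append((m.group(1), m.group(2), m.group(3)))
    return result


def tls_findings(ciphers):
    """Flag legacy versions, sub-A grades, static RSA kex and CBC suites."""
    findings = []
    for proto, suites in ciphers.items():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto}: legacy protocol version offered")
        for name, kex, grade in suites:
            if grade != "A":
                findings.append(f"{proto} {name}: Nmap grade {grade}")
            if kex.startswith("rsa"):  # "(rsa 2048)" = static RSA key exchange
                findings.append(f"{proto} {name}: no forward secrecy")
            if "_CBC_" in name:
                findings.append(f"{proto} {name}: CBC mode, prefer an AEAD suite")
    return findings


def parse_cert(text):
    """Return the ssl-cert 'key: value' lines as a dict."""
    info = {}
    for line in text.splitlines():
        b = line[2:]
        if b.startswith("ssl-cert: "):  # first line carries the script name
            b = b[len("ssl-cert: "):]
        key, sep, value = b.partition(": ")
        if sep:
            info[key.strip()] = value.strip()
    return info


def cert_findings(info, now_iso, warn_days=30):
    """Return (days_until_expiry, findings) relative to the ISO time now_iso."""
    now = datetime.fromisoformat(now_iso)
    not_after = datetime.fromisoformat(info["Not valid after"])
    days_left = (not_after - now).days
    findings = []
    if now < datetime.fromisoformat(info["Not valid before"]):
        findings.append("certificate is not yet valid")
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    if info.get("Signature Algorithm", "").lower().startswith("sha1"):
        findings.append("certificate is signed with SHA-1")
    return days_left, findings
```

Run against the page's own output, tls_findings() reports four items: the two TLS_RSA_* suites offer no forward secrecy and the two CBC suites are still enabled, even though Nmap grades all six as A. cert_findings(parse_cert(CERT_OUTPUT), "2020-08-12T12:00:00") returns 85 days with no findings; the same call on 2020-10-20 would return 16 days and an expiry warning, which is the check worth wiring into a scheduled scan given Let's Encrypt's 90-day lifetime.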

It can check SSH algorithms:

# nmap --script ssh2-enum-algos -sV -p 22  latebits.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 12:23 GTB Daylight Time
Nmap scan report for latebits.com (35.198.120.103)
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
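The ssh2-enum-algos listing tells you what the server will negotiate, but it does not say which of those algorithms are considered legacy. The following is an added example, not code from the original post: it parses the script's normal output and checks each offered algorithm against a small policy. The sample string is the OpenSSH 7.6 listing shown above, with the "encryption_algorithms: (3)" header that the listing above lost restored in front of the three aes*-ctr entries. The FAIL/WARN policy lists are this example's own assumptions, following common SSH hardening guidance: SHA-1 based key exchange, ssh-dss, CBC and RC4 ciphers and MD5/SHA-1 MACs fail; NIST-curve kex and host keys, ssh-rsa (RSA with SHA-1 signatures, disabled by default from OpenSSH 8.8) and non-ETM MACs warn.

```python
"""Audit the output of Nmap's ssh2-enum-algos script against a hardening
policy. Added example; the sample output is the page's OpenSSH 7.6 listing
with its encryption_algorithms header restored, the policy is an assumption."""
import re
from fnmatch import fnmatch

SSH_OUTPUT = """\
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Policy (assumption, not from the page): glob patterns per section.
POLICY = {
    "kex_algorithms": {
        "FAIL": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                 "diffie-hellman-group-exchange-sha1"],       # SHA-1 / 1024-bit groups
        "WARN": ["ecdh-sha2-nistp*"],                         # prefer curve25519-sha256
    },
    "server_host_key_algorithms": {
        "FAIL": ["ssh-dss"],                                  # 1024-bit DSA
        "WARN": ["ssh-rsa", "ecdsa-sha2-nistp*"],             # ssh-rsa = RSA with SHA-1 signatures
    },
    "encryption_algorithms": {
        "FAIL": ["*-cbc", "arcfour*", "blowfish-cbc", "3des-cbc"],
        "WARN": [],
    },
    "mac_algorithms": {
        "FAIL": ["hmac-md5*", "hmac-sha1*", "*-96*"],
        "WARN": ["hmac-sha2-256", "hmac-sha2-512"],           # non-ETM, prefer *-etm@openssh.com
    },
}

SECTION_RE = re.compile(r"^(\w+_algorithms): \(\d+\)$")


def parse_algos(text):
    """Return {section_name: [algorithm, ...]} from ssh2-enum-algos output."""
    algos, section = {}, None
    for line in text.splitlines():
        b = line[2:].strip()  # drop the "| " / "|_" prefix and indentation
        m = SECTION_RE.match(b)
        if m:
            section = m.group(1)
            algos[section] = []
        elif section is not None and b:
            algos[section].append(b)
    return algos


def audit(algos):
    """Return [(level, section, algorithm)] for every offered algorithm the
    policy flags; FAIL takes precedence over WARN when both patterns match."""
    findings = []
    for section, offered in algos.items():
        rules = POLICY.get(section, {})
        for name in offered:
            for level in ("FAIL", "WARN"):
                if any(fnmatch(name, pat) for pat in rules.get(level, [])):
                    findings.append((level, section, name))
                    break
    return findings
```

On the page's listing audit(parse_algos(SSH_OUTPUT)) returns seven WARN entries and no FAIL: the three NIST-curve kex methods, ssh-rsa and ecdsa-sha2-nistp256 as host key algorithms, and the two non-ETM MACs. The ciphers are all CTR mode and pass. Treating a non-empty FAIL list as a non-zero exit status is the natural way to plug this into the scheduled scan described later in the post.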

It can also do IP geolocation along the traceroute path:

# nmap --traceroute --script traceroute-geolocation cisco.com

Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-12 10:34 UTC
Nmap scan report for cisco.com (72.163.4.185)
Host is up (0.12s latency).
Other addresses for cisco.com (not scanned): 2001:420:1101:1::185
rDNS record for 72.163.4.185: redirect-ns.cisco.com
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| traceroute-geolocation:
|   HOP  RTT     ADDRESS                                             GEOLOCATION
|   1    109.08  209.85.246.211                                      37.751,-97.822 United States ()
|   2    116.90  209.85.250.54                                       37.751,-97.822 United States ()
|   3    128.81  108.170.228.87                                      37.751,-97.822 United States ()
|   4    116.97  108.170.252.139                                     37.751,-97.822 United States ()
|   5    116.95  eqix-da1.cisco2.com (206.223.118.167)               37.751,-97.822 United States ()
|   6    119.35  72.163.0.98                                         32.947,-96.703 United States (Texas)
|   7    117.75  72.163.0.98                                         32.947,-96.703 United States (Texas)
|   8    118.25  rcdn9-cd2-dmzdcc-gw2-por1.cisco.com (72.163.0.182)  32.947,-96.703 United States (Texas)
|   9    117.86  rcdn9-16b-dcz05n-gw2-por1.cisco.com (72.163.2.102)  32.947,-96.703 United States (Texas)
|_  10   117.86  redirect-ns.cisco.com (72.163.4.185)                32.947,-96.703 United States (Texas)

# nmap --traceroute --script traceroute-geolocation 1.1.1.1

Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-12 10:34 UTC
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0014s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Host script results:
| traceroute-geolocation:
|   HOP  RTT   ADDRESS                    GEOLOCATION
|   1    1.45  209.85.242.0               37.751,-97.822 United States ()
|   2    1.70  162.158.84.65              50.119,8.684 Germany (Hesse)
|_  3    1.23  one.one.one.one (1.1.1.1)  -33.494,143.210 Australia ()

It has many other scripts, but these are the ones that I've used most frequently.

And to make things easier, I've automated the process. Here is an example Ansible playbook that scans a server (ssh, http, https):

- name: Advanced NMAP Scan using NSE
  hosts: localhost
  vars:
    ports:
      - 22
      - 443
    scan_host: latebits.com
  tasks:
  - name: Running Nmap NSE scan
    shell: "nmap -Pn -p {{ ports|join(',') }} --script {{ item }} -oA nmap-{{ item }}-results-%Y-%m-%d {{ scan_host }}"
    with_items:
      - ssl-enum-ciphers
      - ssl-cert
      - ssh2-enum-algos

https://github.com/czirakim/Ansible.nmap

About the author

Mihai is a Network Aficionado with more than 10 years experience
