Difference between revisions of "Brute-Force with NMAP"
Jump to navigation
Jump to search
(Removed redirect to Delete 1) Tag: Removed redirect |
m (Minor: Error correction and Stylish adaptations) |
||
| Line 1: | Line 1: | ||
= | <div style="max-width: 970px"> | ||
<div class="toccolours mw-collapsible mw-collapsed" style="border-color: #eaecf0; background-color: white; overflow:auto;"> | |||
<div style="font-weight: normal;line-height:1.6;">ⓘ Table of Contents</div> | |||
<div class="mw-collapsible-content"> | |||
__TOC__ | |||
</div> | |||
</div> | |||
<h1>Summary</h1> | |||
= | <p style="text-align: justify">Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can be also used for simple online attacks, by using the '''-script''' parameter with the desired script like '''telnet-brute.nse''' while passing the corresponding values for '''userdb''' and '''passdb''' with the additional '''-script-args''' parameter.</p> | ||
<nowiki>$ nmap -p </nowiki><b>$PORT</b><nowiki> -A --script </nowiki><b>$SCRIPT</b><nowiki> --script-args userdb=</nowiki><b>$USER_LIST</b><nowiki>,passdb=</nowiki><b>$PASS_LIST</b><nowiki> </nowiki><b>$TARGET</b><nowiki></nowiki> | |||
<h1>Requirements</h1> | |||
<h2>NMAP</h2> | |||
<table class="wikitable" style="width: 100%"> | |||
<tr><th style="text-align: left; width: 180px">Operating System</th><th style="text-align: left">Command</th></tr> | |||
<tr><td style="width: 180px">Debian</td><td style="background-color: white"><code>apt-get install nmap</code></td></tr> | |||
<tr><td style="width: 180px">Ubuntu</td><td style="background-color: white"><code>sudo apt install nmap</code></td></tr> | |||
<tr><td style="width: 180px">CentOS</td><td style="background-color: white"><code>yum install nmap</code></td></tr> | |||
<tr><td style="width: 180px">macOS</td><td style="background-color: white"><code>brew install nmap</code></td></tr> | |||
</table> | |||
---- | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Homebrew</b>: The missing packet manager for macOS (or Linux)<br> | ||
<code>/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"</code></div> | |||
<h1>Description</h1> | |||
<p style="text-align: justify">The Nmap Scripting Engine (NSE) allows users to write and share simple scripts using the Lua programming language to automate a variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. Currently defined [https://nmap.org/book/nse-usage.html#nse-categories categories] are '''auth''', '''broadcast''', '''default.discovery''', '''dos''', '''exploit''', '''external''', '''fuzzer''', '''intrusive''', '''malware''', '''safe''', '''version''', and '''vuln'''.</p> | |||
<div class="toccolours mw-collapsible mw-collapsed" style="border-color: #eaecf0; background-color: white; overflow:auto; font-size: 14px !important"> | |||
<div style="line-height:1.6;">ⓘ <b>NMAP</b>: List all available brute-force scripts (''70 Results: 28. November 2019''):</div> | |||
<div class="mw-collapsible-content"> | |||
<div style="font-size: 12px !important"> | |||
<nowiki>$ curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute | cut -d '"' -f2 | sort | |||
afp-brute.nse irc-brute.nse pgsql-brute.nse | |||
ajp-brute.nse irc-sasl-brute.nse pop3-brute.nse | |||
backorifice-brute.nse iscsi-brute.nse redis-brute.nse | |||
cassandra-brute.nse ldap-brute.nse rexec-brute.nse | |||
cics-user-brute.nse membase-brute.nse rlogin-brute.nse | |||
citrix-brute-xml.nse metasploit-msgrpc-brute.nse rpcap-brute.nse | |||
cvs-brute-repository.nse metasploit-xmlrpc-brute.nse rsync-brute.nse | |||
cvs-brute.nse mikrotik-routeros-brute.nse rtsp-url-brute.nse | |||
deluge-rpc-brute.nse mmouse-brute.nse sip-brute.nse | |||
dicom-brute.nse mongodb-brute.nse smb-brute.nse | |||
dns-brute.nse ms-sql-brute.nse smtp-brute.nse | |||
domcon-brute.nse mysql-brute.nse snmp-brute.nse | |||
dpap-brute.nse nessus-brute.nse socks-brute.nse | |||
drda-brute.nse nessus-xmlrpc-brute.nse ssh-brute.nse | |||
ftp-brute.nse netbus-brute.nse svn-brute.nse | |||
http-brute.nse nexpose-brute.nse telnet-brute.nse | |||
http-form-brute.nse nje-node-brute.nse tso-brute.nse | |||
http-iis-short-name-brute.nse nje-pass-brute.nse vmauthd-brute.nse | |||
http-joomla-brute.nse nping-brute.nse vnc-brute.nse | |||
http-proxy-brute.nse omp2-brute.nse xmpp-brute.nse | |||
http-wordpress-brute.nse openvas-otp-brute.nse | |||
iax2-brute.nse oracle-brute-stealth.nse | |||
imap-brute.nse oracle-brute.nse | |||
informix-brute.nse oracle-sid-brute.nse | |||
ipmi-brute.nse pcanywhere-brute.nse</nowiki> | |||
</div> | |||
</div> | |||
</div> | |||
<h2>Example</h2> | |||
Usage and results of the NMAP SSH-brute script. | |||
<nowiki># Download SSH-brute script | |||
$ wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse | |||
# Commandline | |||
$ nmap -p </nowiki><b>$PORT</b><nowiki> -A --script </nowiki><b>$SCRIPT</b><nowiki> --script-args userdb=</nowiki><b>$USER_LIST</b><nowiki>,passdb=</nowiki><b>$PASS_LIST</b><nowiki> </nowiki><b>$TARGET</b><nowiki> | |||
-- @output | |||
-- 22/ssh open ssh | |||
-- | ssh-brute: | |||
-- | Accounts | |||
-- | username:password | |||
-- | Statistics | |||
-- |_ Performed 32 guesses in 25 seconds. | |||
-- | |||
-- @args ssh-brute.timeout Connection timeout (default: "5s")</nowiki> | |||
<div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: .nse can be omitted for scripts on execution and the standard nmap -T flag is used to set aggressiveness.</div> | |||
<h1>Additional Information</h1> | |||
<h2>Linux</h2> | |||
<table class="wikitable" style="width: 100%"> | |||
<tr><th style="text-align: left; width: 180px">Description</th><th style="text-align: left">Command</th></tr> | |||
<tr><td style="width: 180px">Default home</td><td style="background-color: white"><code>/usr/share/nmap/</code></td></tr> | |||
<tr><td style="width: 180px">Available scripts (if any)</td><td style="background-color: white"><code>find / -name *.nse 2>/dev/null</code></td></tr> | |||
<tr><td style="width: 180px">Default files (if any)</td><td style="background-color: white"><code>find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null</code></td></tr> | |||
</table> | |||
<h2>macOS</h2> | |||
<table class="wikitable" style="width: 100%"> | |||
<tr><th style="text-align: left; width: 180px">Description</th><th style="text-align: left">Command</th></tr> | |||
<tr><td style="width: 180px">Default user/password lists</td><td style="background-color: white"><code>/usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/nselib/data/user.lst</code><br><code>/usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/nselib/data/pass.lst</code></td></tr> | |||
<tr><td style="width: 180px">Available scripts (if any)</td><td style="background-color: white"><code>ls -al /usr/local/Cellar/nmap/'''$NMAP_VERSION'''/share/nmap/scripts/</code></td></tr> | |||
</table> | |||
= | |||
Default user | |||
<h1>Used Hardware</h1> | |||
[[MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3]] | [[MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3]] | ||
<h1>References</h1> | |||
* https://brew.sh | * https://brew.sh | ||
* https://www.lua.org/ | * https://www.lua.org/ | ||
| Line 110: | Line 114: | ||
* https://nmap.org/book/man-nse.html | * https://nmap.org/book/man-nse.html | ||
* https://svn.nmap.org/nmap/scripts/ | * https://svn.nmap.org/nmap/scripts/ | ||
</div> | |||
[[Category:Documentation]] | [[Category:Documentation]] | ||
Latest revision as of 09:02, 18 June 2020
ⓘ Table of Contents
Summary
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap can be also used for simple online attacks, by using the -script parameter with the desired script like telnet-brute.nse while passing the corresponding values for userdb and passdb with the additional -script-args parameter.
$ nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET
Requirements
NMAP
| Operating System | Command |
|---|---|
| Debian | apt-get install nmap |
| Ubuntu | sudo apt install nmap |
| CentOS | yum install nmap |
| macOS | brew install nmap |
Homebrew: The missing packet manager for macOS (or Linux)
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"Description
The Nmap Scripting Engine (NSE) allows users to write and share simple scripts using the Lua programming language to automate a variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency expected from Nmap. NSE can even be used for vulnerability exploitation. Currently defined categories are auth, broadcast, default.discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
ⓘ NMAP: List all available brute-force scripts (70 Results: 28. November 2019):
$ curl https://svn.nmap.org/nmap/scripts/ 2>/dev/null | grep brute | cut -d '"' -f2 | sort afp-brute.nse irc-brute.nse pgsql-brute.nse ajp-brute.nse irc-sasl-brute.nse pop3-brute.nse backorifice-brute.nse iscsi-brute.nse redis-brute.nse cassandra-brute.nse ldap-brute.nse rexec-brute.nse cics-user-brute.nse membase-brute.nse rlogin-brute.nse citrix-brute-xml.nse metasploit-msgrpc-brute.nse rpcap-brute.nse cvs-brute-repository.nse metasploit-xmlrpc-brute.nse rsync-brute.nse cvs-brute.nse mikrotik-routeros-brute.nse rtsp-url-brute.nse deluge-rpc-brute.nse mmouse-brute.nse sip-brute.nse dicom-brute.nse mongodb-brute.nse smb-brute.nse dns-brute.nse ms-sql-brute.nse smtp-brute.nse domcon-brute.nse mysql-brute.nse snmp-brute.nse dpap-brute.nse nessus-brute.nse socks-brute.nse drda-brute.nse nessus-xmlrpc-brute.nse ssh-brute.nse ftp-brute.nse netbus-brute.nse svn-brute.nse http-brute.nse nexpose-brute.nse telnet-brute.nse http-form-brute.nse nje-node-brute.nse tso-brute.nse http-iis-short-name-brute.nse nje-pass-brute.nse vmauthd-brute.nse http-joomla-brute.nse nping-brute.nse vnc-brute.nse http-proxy-brute.nse omp2-brute.nse xmpp-brute.nse http-wordpress-brute.nse openvas-otp-brute.nse iax2-brute.nse oracle-brute-stealth.nse imap-brute.nse oracle-brute.nse informix-brute.nse oracle-sid-brute.nse ipmi-brute.nse pcanywhere-brute.nse
Example
Usage and results of the NMAP SSH-brute script.
# Download SSH-brute script $ wget https://svn.nmap.org/nmap/scripts/ssh-brute.nse # Commandline $ nmap -p $PORT -A --script $SCRIPT --script-args userdb=$USER_LIST,passdb=$PASS_LIST $TARGET -- @output -- 22/ssh open ssh -- | ssh-brute: -- | Accounts -- | username:password -- | Statistics -- |_ Performed 32 guesses in 25 seconds. -- -- @args ssh-brute.timeout Connection timeout (default: "5s")
Note: .nse can be omitted for scripts on execution and the standard nmap -T flag is used to set aggressiveness.
Additional Information
Linux
| Description | Command |
|---|---|
| Default home | /usr/share/nmap/ |
| Available scripts (if any) | find / -name *.nse 2>/dev/null |
| Default files (if any) | find / -type f \( -name "ssh-brute.nse" -o -name "pass.lst" -o -name "user.lst" \) 2>/dev/null |
macOS
| Description | Command |
|---|---|
| Default user/password lists | /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/user.lst/usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/nselib/data/pass.lst |
| Available scripts (if any) | ls -al /usr/local/Cellar/nmap/$NMAP_VERSION/share/nmap/scripts/ |
Used Hardware
MacBook Pro (15-inch, 2017), macOS 10.14, 2,8GHz Intel Core i7, 16GB LPDDR3