In previous topics, we've covered various aspects of the Nmap Scripting Engine. I've shown you how to perform a couple of script scans and how to get help information about scripts from both the command line and from Zenmap. We will go over some of that again, but here we'll focus on using NSE for vulnerability scanning and target exploitation. The truth is that NSE could be an entire series on its own, so this section will focus on giving you the tools to get started.
What is the Nmap scripting engine?
- Users can run scripts to automate networking tasks. Many of the features and functions that we've learned about in Nmap basically require you to execute one command at a time, then gather the results, which generally leads to more and more single commands for further investigation. One of the neat things that NSE allows us to do is write out a series of commands in the form of a script that can be dependent on and related to one another, so that our time can be much better spent analyzing the results instead of typing in one command at a time and waiting.
- Scripts use the Lua programming language (lua.org). The creators of Nmap like to say that NSE provides the ability to automate networking tasks. Lua works very nicely for Nmap because it is an interpreted language, not a compiled one. That basically means that you can use any text editor to create your scripts, then run them from the Nmap command line or within Zenmap. Lua is extremely lightweight and has been around and been refined since the early 1990s. Learning it is very easy, and I think you'll find that it is well worth your time. It is fully documented on the Lua website and, best of all, it's free and built into Nmap.
- Scripts contain a field associating them with one or more categories. Each and every script contains a field that associates it with one or more categories. Those categories are auth (for authorization), broadcast, default, discovery (most of what Nmap is known for), dos (denial of service), exploit, external, fuzzer, intrusive (potentially hostile), malware (for remote malware detection), safe (which has little risk), version (for version detection signatures) and vuln (for vulnerability detection).
- Nmap is installed with hundreds of scripts built in (nmap.org/nsedoc). What is really great is that there are hundreds of NSE scripts that "ship" (meaning download and install) with Nmap. We'll go over how to find them, how to open and examine them, and how to run them in different ways. They're all very well documented on nmap.org/nsedoc. I should also note that the script code base on the Nmap site is constantly being added to.
- Danger: scripts do not run in a sandbox! Finally, you really need to be careful with NSE scripts. They have the potential to do harmful things to your computer, to computers on your network and to target hosts. Make sure you only run scripts that you downloaded from the Nmap website, wrote yourself, or got from someone you really trust. As with any Nmap scan, understand the effects of the scan on both your computer and the target.
How does it work?
- So how does the Nmap scripting engine work? Well, this is sort of a trick question, because there are several regular command line switches that cause scripts to run by default. For example, I've shown you nmap -A in the past, which I call the advanced and aggressive scan. That scan actually runs every NSE script that has been labeled in the category default, among other things.
- For the sake of clarity, there are two command line switches that can be used to specifically initiate the Nmap scripting engine. They are nmap -sC <target> and nmap --script <name/category>.
- Like nmap -A, nmap -sC also runs an Nmap scan using all of the scripts that have been labeled in the default category. On the other hand, nmap --script allows you to specify the exact script you wish to run, or even an entire category of scripts.
- There's some other flexibility with the --script command line switch too. For example, you can run every script that starts with a specific name, run two or more scripts at the same time, or even use Boolean arguments to tell Nmap to run scripts that match certain criteria. I'll show you that stuff in the lab. The main point I'm trying to make here is that for the most part, if you want to run Nmap NSE scripts, you'll be using the --script command line switch.
- Link to the online manual page for NSE: https://nmap.org/book/man-nse.html. There are a couple of other features and options that I won't be covering here, so I recommend that you navigate to this page to see the other options available to you as you run NSE scripts.
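To make the pieces described above concrete, here is a small NSE script written as an added example for this section; it is not one of the scripts that ship with Nmap. It shows the categories field that --script selects on, the portrule that decides when the script runs, and the action that produces the output. The script name, author string and output field names are my own choices, and it only reports that Telnet is exposed (with the banner, if one is sent) rather than doing anything to the target.

```lua
-- telnet-cleartext-check.nse: hypothetical script name, added example only.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reports hosts that expose a Telnet service. Telnet carries usernames and
passwords in cleartext, so an open Telnet port is reported as a finding and,
if the service answers, the first line of its banner is recorded.
]]

author = "Example author (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- The categories field is what "nmap --script safe" or
-- "nmap --script discovery" matches on when selecting scripts.
categories = {"safe", "discovery"}

-- portrule decides when action() runs: only against an open TCP port 23
-- or any port whose service was identified as telnet.
portrule = shortport.port_or_service(23, "telnet")

-- Telnet option negotiation arrives as IAC (0xFF) + command + option bytes.
-- Remove those so only the human-readable part of the banner remains.
local function strip_iac(data)
  local s = data:gsub("\255[\251-\254].", "")  -- WILL/WONT/DO/DONT + option
  s = s:gsub("\255.", "")                       -- any other IAC command
  return s
end

action = function(host, port)
  local out = stdnse.output_table()
  out.risk = "Telnet exposed: credentials cross the network in cleartext"
  out.recommendation = "Disable Telnet and manage the device over SSH"

  local sock = nmap.new_socket()
  sock:set_timeout(3000)
  local ok = sock:connect(host, port)
  if ok then
    local status, data = sock:receive_lines(1)
    if status and data then
      local banner = strip_iac(data):match("^%s*(.-)%s*$")
      if banner ~= "" then out.banner = banner end
    end
    sock:close()
  end
  return out
end

-- Usage (from the scripts folder, or give the full path to the file):
--   nmap --script ./telnet-cleartext-check.nse -p 23 <target>
```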
-
Lab - NSE: Vulnerability Scanning & Exploitation
In this lab, I'm going to demonstrate some of these capabilities:
- Host Discovery
- OS Detection
- Running NSE scripts, getting help
- Vulnerability Analysis
- Exploitation
The goal of this lab is to find a Cisco switch on the network. I'm going to run a vulnerability scan against it, and then I'll exploit it, and then we'll look at the results together.
First, we'll run a ping sweep, like we've run a lot of times in the past.
nmap -sn 192.168.1.0/28
We use CIDR notation, but I'm going to limit the scope of this scan since I have a little bit of insight into this network.
We have two Cisco devices here. I happen to know that we're most interested in this device at 192.168.1.2.
I'm going to do an OS discovery on that device:
nmap -O 192.168.1.2
There's our results:
It says there are no exact OS matches for the host and gives us the fingerprint. It does show us that port 23 and port 80 are open, but it doesn't really give us very good information about what operating system that host is running, other than that we know the MAC address and that it's a Cisco device.
If you remember from our OS detection scans in the past, we did an nmap -O --osscan-guess. What that scan does is give us a reasonable amount of certainty about the operating system that the target is running.
nmap -O --osscan-guess 192.168.1.2
Result:
Aggressive OS guesses: Cisco 2950 switch (IOS 12.1) (98%)
First of all, we'll run a typical default Nmap NSE scan, and that is nmap -sC against our target.
This runs every NSE script that is categorized as a default.
It does give us some good information. It shows us again the ports that are open, and you can see that the http-auth script came back with results. Not earth-shattering, but I wanted to show you that scan nonetheless.
This applies to any operating system that you're running, really, but one of the ways that you can run an Nmap script scan is simply by using the command nmap --script followed by the name of the script that you want to run. Well, where we're at right now, we don't know the name of any of the scripts. Unless you just happen to have memorized them all, you wouldn't really know what to run. What I personally like to do when I'm running Nmap scripts from the command line is navigate into the scripts directory.
On Windows, change into the Nmap "scripts" folder (Nmap\scripts>) and type dir. On Linux or macOS, cd /usr/share/nmap/scripts/ and then list the files with ls -l (the equivalent of dir). Either way you'll see everything in the Nmap scripts directory.
You'll see that there are hundreds of scripts, all with the extension .nse. Any of these scripts can be run from any location at the command line because Nmap, as we learned earlier, is in the path on this operating system. But I like to run the NSE scripts from the scripts folder simply because I can narrow down which script I'm most interested in, and there are just a ton of them here. I think you get my main point.
For instance, we see that there's xmpp-info.nse. If I want to run that script, we can do nmap --script xmpp-info.
Nmap has a lot of flexibility. We can even do nmap --script=xmpp-info.nse, with or without the .nse extension, or leave out the = sign and just write xmpp-info; both will run.
As we learned in the past, if you're interested in learning what a particular script does, you run nmap --script-help. Here's the brief description that the programmer provided for us, obtained by running nmap --script-help=xmpp-info.nse:
xmpp-info
Categories: default safe discovery version
https://nmap.org/nsedoc/scripts/xmpp-info.html
Connects to XMPP server (port 5222) and collects server information such as:
supported auth mechanisms, compression methods, whether TLS is supported
and mandatory, stream management, language, support of In-Band registration,
server capabilities. If possible, studies server vendor.
The main point I wanted to make is that there are multiple ways that you can run scripts in NSE. You can run them from multiple locations, but I personally like to run them from the scripts folder because it's easy to get help on them, learn about them, and see a list of all the ones you're interested in. Another thing I want to show you is that you can run scripts by category. For instance, this one is in the categories default, safe, discovery, and version; you can run scripts by their category simply by doing nmap --script and then putting the category.
This one is a default script:
nmap --script default
But it's also a safe script. If I wanted to I could also add safe to it, and then put your target.
nmap --script default,safe 192.168.1.2
You can run multiple categories by simply naming the category and separating by a comma. The same is true with a particular script.
Let's say I'm interested in the "vnc" scripts:
On Windows, I'll do a dir *vnc*, using wildcards.
On Linux (Debian), navigate to the scripts directory (e.g., /usr/share/nmap/scripts) and use ls with a wildcard: ls *vnc*
Here are all the scripts related to vnc:
I'm interested in vnc-info and vnc-title. I can do:
nmap --script vnc-info,vnc-title 192.168.1.2
My point is that after --script you can put an equals sign if you want, and then you can either list the categories that you're interested in or name the specific scripts.
We've got our results. I'll move on to the next thing, and that is one of the most important reasons why I wanted to do this lab. Now that we found our Cisco switch on our network, I want to do a vulnerability scan against it.
In Nmap, one of the simplest ways that you can do a vulnerability scan against any device is by using the category vuln:
nmap --script vuln 192.168.1.2
Essentially that ran every NSE script that has the category vuln (vulnerability), and you can see several different vulnerabilities here.
It's not vulnerable to this dos attack:
It does have telnet open, and it shows that the device is vulnerable to "Authentication bypass by HTTP verb tampering". It gives all the details here, including the URLs where you can find out more information about those vulnerabilities.
First of all, we know that it's running telnet. Since I'm in the scripts folder, I can do dir *telnet* (on Windows) or ls *telnet* (on Linux/Debian) to see all the telnet-related attacks or exploits that we can run in Nmap against telnet-enabled devices. There's a telnet-brute script, so we'll go ahead and run:
nmap --script telnet-brute 192.168.1.2
Actually, this isn't a true brute force attack that tries every combination of letters, numbers and special characters; it's really a dictionary attack. In other words, it uses a list of credentials. Because of that, it actually runs a little bit faster than a brute force attack would, especially given that we're having to provide both a username and a password. I didn't adjust the timing on this attack, so it'll take a little bit of time. In the future I'll probably adjust the timing just to make it go a little bit faster.
There are the results. As you all know, running telnet on any modern device is a terrible idea: telnet usernames and passwords are sent in plain text, so any half-decent hacker or network administrator listening to the traffic can read them. And without any script arguments at all, and in not very much time, this discovered the username and password for that device at 1.2. Granted, it's not an extremely complicated username and password.
But just to prove that it works, we'll do a telnet of 192.168.1.2, username: admin, password: trustno1, and I'm in.
It's a Cisco switch, and I got in with just a simple NSE script.
Running the vulnerability scan showed us what the vulnerability was and I ran an exploit using the telnet brute script.
Another one of the vulnerabilities had to do with HTTP. Since HTTP is open, I'll do a dir of all the HTTP attacks that we can run against this device. There are a ton of them, but the one I'm most interested in is the default accounts script.
I'll do a script help first. It gives us a ton of detail about how it works, what arguments you can pass to it, and where you can get more information about it:
nmap --script-help http-default-accounts
http-default-accounts
Categories: discovery auth intrusive
https://nmap.org/nsedoc/scripts/http-default-accounts.html
Tests for access with default credentials used by a variety of web applications and devices.
It works similar to http-enum, we detect applications by matching known paths and launching a login routine using default credentials when found.
This script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.
You may select a category if you wish to reduce the number of requests. We have categories like:
* <code>web</code> - Web applications
* <code>routers</code> - Routers
* <code>security</code> - CCTVs and other security devices
* <code>industrial</code> - Industrial systems
* <code>printer</code> - Network-attached printers and printer servers
* <code>storage</code> - Storage devices
* <code>virtualization</code> - Virtualization systems
* <code>console</code> - Remote consoles
You can also select a specific fingerprint or a brand, such as BIG-IQ or Siemens. This matching is based on case-insensitive words. This means that "nas" will select Seagate BlackArmor NAS storage but not Netgear ReadyNAS.
For a fingerprint to be used it needs to satisfy both the category and name criteria.
By default, the script produces output only when default credentials are found, while staying silent when the target only matches some fingerprints (but no credentials are found). With increased verbosity (option -v), the script will also report all matching fingerprints.
Please help improve this script by adding new entries to nselib/data/http-default-accounts.lua
Remember each fingerprint must have:
* <code>name</code> - Descriptive name
* <code>category</code> - Category
* <code>login_combos</code> - Table of login combinations
* <code>paths</code> - Table containing possible path locations of the target
* <code>login_check</code> - Login function of the target
In addition, a fingerprint should have:
* <code>target_check</code> - Target validation function. If defined, it will be called to validate the target before attempting any logins.
* <code>cpe</code> - Official CPE Dictionary entry (see https://nvd.nist.gov/cpe.cfm)
Default fingerprint file: /nselib/data/http-default-accounts-fingerprints.lua
This script was based on http-enum.
I'm going to adjust the timing too; we'll make it a T5, so it should go a little bit faster.
nmap --script http-default-accounts -T5 192.168.1.2
It shows me the default accounts: a username and password of cisco. We know it's on port 80. We'll go ahead and open up our browser and navigate to that address.
The username and password provided in that NSE script was cisco:cisco.
We're in.
Granted, this device is vulnerable; I'm not going to act like it isn't. It has some obvious flaws: it has a default username and password enabled and a very weak telnet password. But nevertheless it was pretty easy to break in using standard NSE scripts, and that's the main point. We saw the vulnerabilities, we saw how to attack them, and we got usernames and passwords.
I want to go over one more exploit, that is one that is actually very common out there. Don't do this against a device or a target that you don't own or that you don't have a written contract for.
That is the slowloris attack. I'll set the timing to T5. In this case it really matters, because this is a denial of service attack. I'm pretty sure that this one continues to run, and I don't think that it has a timeout.
nmap --script http-slowloris -T5 192.168.1.2
While this runs against the same device that we were just on, I'm going to do a refresh on that device's web interface:
You can already see it's taken it down.
The slowloris attack is a denial of service attack. You can look at the details about how it works, but it is basically opening up so many connections against this web server that it can't keep up. I'm not even running it from multiple hosts, so it's not a sophisticated denial of service attack in the sense that it's not using a botnet. It's not distributed, and it's not a reflective or amplified attack. It's a simple attack against a Cisco switch which really could affect production if you're in an enterprise network. Even so, I'm refreshing, and at least the web interface is completely down right now.
I'll go ahead and hit Control-C to stop it; it might take a second. I'll minimize the Nmap scan and do a refresh. Eventually, the device should catch up and be able to respond.
I encourage you to look into that slowloris attack. The main point is to try it against your own networks and potentially vulnerable devices and see if they can handle it. Then do a --script-help and go to the URL provided to learn more about it.