Skip to content

Latest commit

 

History

History
111 lines (72 loc) · 2.82 KB

File metadata and controls

111 lines (72 loc) · 2.82 KB

Lab 11 — Service Enumeration with Nmap NSE

Exam objective: 2.2 Service / protocol / share enumeration; 2.4 Nmap NSE; 4.2 Network attacks tools.

In this lab you will drive Nmap Scripting Engine (NSE) to pull deep service detail: SMB shares, SMTP users, HTTP titles, SSL ciphers, and known vulnerabilities. You will also use enum4linux-ng and smbclient to dig deeper into SMB.

We'll use the Metasploitable3 vulnerable VM. Spin it up via Docker:

sudo docker run --rm -d --name msf3 -p 0.0.0.0:0:0 rapid7/metasploitable3-ub1404
TARGET=$(docker inspect msf3 -f '{{.NetworkSettings.IPAddress}}')

(Or use a free TryHackMe room with SMB exposed.)


Step 1 — NSE category overview

ls /usr/share/nmap/scripts/ | head
nmap --script-help "smb*" | head -40

Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.


Step 2 — HTTP enumeration

sudo nmap -p 80,8080,8585 --script "http-title,http-headers,http-enum,http-robots.txt" $TARGET

http-enum walks the path dictionary; http-headers reveals server software, X-Powered-By, etc.


Step 3 — SMB enumeration

sudo nmap -p 139,445 --script "smb-os-discovery,smb-enum-shares,smb-enum-users,smb-security-mode" $TARGET

Cross-check with enum4linux-ng:

sudo apt install -y enum4linux-ng
enum4linux-ng -A $TARGET

List shares with smbclient:

smbclient -L //$TARGET/ -N
smbclient //$TARGET/tmp -N

Step 4 — SSL / TLS audit

sudo nmap -p 443,8443 --script "ssl-enum-ciphers,ssl-cert,ssl-heartbleed" $TARGET

Findings like SSLv3 enabled, RC4 cipher, Heartbleed CVE-2014-0160 are reportable.


Step 5 — Known-vulnerability scripts

sudo nmap -p 445 --script "smb-vuln-ms17-010,smb-vuln-cve-2009-3103" $TARGET
sudo nmap -p 80,8080 --script "http-shellshock,http-vuln-cve2017-5638" $TARGET

A clean VULNERABLE: block in the output is a high-confidence finding — promote it straight to the report.


Step 6 — SMTP / SNMP

sudo nmap -p 25 --script "smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344" $TARGET
sudo nmap -sU -p 161 --script "snmp-info,snmp-sysdescr,snmp-interfaces" $TARGET

For SNMP, also try public-string enumeration:

onesixtyone -c /usr/share/wordlists/snmp-default.txt $TARGET
snmpwalk -v2c -c public $TARGET

Step 7 — All-in-one "vuln" run

sudo nmap -sV --script "vuln" -oA target-vuln $TARGET

The vuln category triggers most of the above plus many more. Slow but exhaustive.


What you learned

  • How to drive NSE by category and individual script.
  • How to enumerate SMB shares, users and security mode.
  • How to detect TLS misconfigurations and known CVEs without leaving Nmap.