Exam objective: 2.2 Service / protocol / share enumeration; 2.4 Nmap NSE; 4.2 Network attacks tools.
In this lab you will drive Nmap Scripting Engine (NSE) to pull deep service detail: SMB shares, SMTP users, HTTP titles, SSL ciphers, and known vulnerabilities. You will also use enum4linux-ng and smbclient to dig deeper into SMB.
We'll use the Metasploitable3 vulnerable VM. Spin it up via Docker:
sudo docker run --rm -d --name msf3 -p 0.0.0.0:0:0 rapid7/metasploitable3-ub1404
TARGET=$(docker inspect msf3 -f '{{.NetworkSettings.IPAddress}}')(Or use a free TryHackMe room with SMB exposed.)
ls /usr/share/nmap/scripts/ | head
nmap --script-help "smb*" | head -40Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.
sudo nmap -p 80,8080,8585 --script "http-title,http-headers,http-enum,http-robots.txt" $TARGEThttp-enum walks the path dictionary; http-headers reveals server software, X-Powered-By, etc.
sudo nmap -p 139,445 --script "smb-os-discovery,smb-enum-shares,smb-enum-users,smb-security-mode" $TARGETCross-check with enum4linux-ng:
sudo apt install -y enum4linux-ng
enum4linux-ng -A $TARGETList shares with smbclient:
smbclient -L //$TARGET/ -N
smbclient //$TARGET/tmp -Nsudo nmap -p 443,8443 --script "ssl-enum-ciphers,ssl-cert,ssl-heartbleed" $TARGETFindings like SSLv3 enabled, RC4 cipher, Heartbleed CVE-2014-0160 are reportable.
sudo nmap -p 445 --script "smb-vuln-ms17-010,smb-vuln-cve-2009-3103" $TARGET
sudo nmap -p 80,8080 --script "http-shellshock,http-vuln-cve2017-5638" $TARGETA clean VULNERABLE: block in the output is a high-confidence finding — promote it straight to the report.
sudo nmap -p 25 --script "smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344" $TARGET
sudo nmap -sU -p 161 --script "snmp-info,snmp-sysdescr,snmp-interfaces" $TARGETFor SNMP, also try public-string enumeration:
onesixtyone -c /usr/share/wordlists/snmp-default.txt $TARGET
snmpwalk -v2c -c public $TARGETsudo nmap -sV --script "vuln" -oA target-vuln $TARGETThe vuln category triggers most of the above plus many more. Slow but exhaustive.
- How to drive NSE by category and individual script.
- How to enumerate SMB shares, users and security mode.
- How to detect TLS misconfigurations and known CVEs without leaving Nmap.