Find vulnerability of any target to hack

Scanning is the initial phase of pentesting, and security researchers and pentesters know it well. It is the phase where a pentester spends most of the time, because the information it yields is what the later pentesting phases are prepared from. Many automated and manual tools are used in pentesting, but, as per the experience of ethical hacking experts, a pentester always starts with manual scanning because it makes more things clear. Today we will show you how a pentester or security researcher can use nmap scripts to search for vulnerabilities.

Nmap is an open source tool designed to scan and check the open ports of web and mobile applications. Nmap uses raw IP packets to scan the given URL or host. It gathers services, open ports, the application server and the operating system (OS) version, that is, all the services associated with the web server. Nmap offers many options, including running scripts against the target. Nmap scripting can use whois to scan for the target. According to ethical hacking experts of the International Institute of Cyber Security, you can also write or share your own nmap script. We will show you how to use an external script. This nmap script was tested on Kali Linux 2018.4.

  • Clone the script: type git clone https://github.com/OCSAF/freevulnsearch.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/OCSAF/freevulnsearch.git 

Cloning into 'freevulnsearch'...
remote: Enumerating objects: 114, done.
remote: Counting objects: 100% (114/114), done.
remote: Compressing objects: 100% (85/85), done.
remote: Total 114 (delta 64), reused 60 (delta 29), pack-reused 0
Receiving objects: 100% (114/114), 34.58 KiB | 2.66 MiB/s, done.
Resolving deltas: 100% (64/64), done.
  • Then type cd freevulnsearch
  • Type ls
root@kali:/home/iicybersecurity/Downloads# cd freevulnsearch/
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# ls
freevulnsearch.nse LICENSE README.md
  • Copy freevulnsearch.nse to the nmap scripts location. For that, type cp freevulnsearch.nse /usr/share/nmap/scripts
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# cp freevulnsearch.nse /usr/share/nmap/scripts
  • Then type locate *.nse
  • This query will list all the scripts that are available in the nmap scripting engine.
root@kali:/home/iicybersecurity# locate *.nse
  • Then type nmap -sV --script freevulnsearch certified.com
  • -sV: s will spoof the IP address and V will scan the target verbosely.
  • --script freevulnsearch selects the script used to scan the target.
  • certified.com is the target.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script freevulnsearch certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 02:17 EST
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.30s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
25/tcp open smtp Exim smtpd 4.91
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_ *Check other sources like https://www.exploit-db.com
26/tcp open smtp Exim smtpd 4.91
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_ *Check other sources like https://www.exploit-db.com
53/tcp open domain ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
| freevulnsearch:
| CVE-2017-3145 Medium 5.0 https://cve.circl.lu/cve/CVE-2017-3145
| CVE-2017-3143 Medium 4.3 https://cve.circl.lu/cve/CVE-2017-3143
| CVE-2017-3142 Medium 4.3 https://cve.circl.lu/cve/CVE-2017-3142
| CVE-2017-3141 High 7.2 EDB https://cve.circl.lu/cve/CVE-2017-3141
| CVE-2017-3136 Medium 4.3 https://cve.circl.lu/cve/CVE-2017-3136
| CVE-2016-9131 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-9131
| CVE-2016-8864 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-8864
| CVE-2016-6170 Medium 4.0 https://cve.circl.lu/cve/CVE-2016-6170
| CVE-2016-2848 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-2848
| CVE-2016-2775 Medium 4.3 https://cve.circl.lu/cve/CVE-2016-2775
| CVE-2016-1286 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-1286
| CVE-2016-1285 Medium 4.3 https://cve.circl.lu/cve/CVE-2016-1285
| CVE-2015-8461 High 7.1 https://cve.circl.lu/cve/CVE-2015-8461
| CVE-2015-8000 Medium 5.0 https://cve.circl.lu/cve/CVE-2015-8000
| CVE-2015-4620 High 7.8 https://cve.circl.lu/cve/CVE-2015-4620
| CVE-2015-1349 Medium 5.4 https://cve.circl.lu/cve/CVE-2015-1349
| CVE-2014-0591 Low 2.6 https://cve.circl.lu/cve/CVE-2014-0591
| CVE-2013-6230 Medium 6.8 https://cve.circl.lu/cve/CVE-2013-6230
| CVE-2013-4854 High 7.8 https://cve.circl.lu/cve/CVE-2013-4854
| CVE-2013-2266 High 7.8 https://cve.circl.lu/cve/CVE-2013-2266
| CVE-2012-5689 High 7.1 https://cve.circl.lu/cve/CVE-2012-5689
| CVE-2012-5688 High 7.8 https://cve.circl.lu/cve/CVE-2012-5688
| CVE-2012-5166 High 7.8 https://cve.circl.lu/cve/CVE-2012-5166
| CVE-2012-4244 High 7.8 https://cve.circl.lu/cve/CVE-2012-4244
| CVE-2012-3817 High 7.8 https://cve.circl.lu/cve/CVE-2012-3817
| *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
|_ *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
80/tcp open http nginx 1.14.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_ *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
110/tcp open pop3 Dovecot pop3d
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd
443/tcp open ssl/http nginx 1.14.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_ *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
445/tcp filtered microsoft-ds
465/tcp open tcpwrapped
587/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
1720/tcp filtered h323q931
2222/tcp open ssh OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
3306/tcp open mysql MySQL 5.6.41-84.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1)
| *No CVE found with freevulnsearch function: (cpe:/a:mysql:mysql:5.6.41)
|_ *Check other sources like https://www.exploit-db.com
5060/tcp filtered sip
5432/tcp open postgresql PostgreSQL DB
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
| Fpostmaster.c
| L1624
|_ RProcessStartupPacket
8080/tcp open http nginx 1.14.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_ *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
8443/tcp open ssl/http nginx 1.14.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:igor_sysoev:nginx:1.14.1)
|_ *Check other sources like https://www.exploit-db.com
|_http-server-header: nginx/1.14.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63C488%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.09 seconds
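The output above is what a practitioner has to turn into a patch list: each open port carries a service/version banner, the CPE strings that nmap's version detection derived from it, and any CVE lines freevulnsearch attached. The following Python is an added example, not code from the original post or from the freevulnsearch project. It parses this normal-output format into per-port records, ranks ports by worst CVSS score, remembers which ports the script could not look up (the "Error with API query" lines), and includes a `normalize_cpe` helper that reproduces the two CPE rewrites visible in the scan (`9.8.2rc1` looked up again as `9.8.2:rc1`, and the build suffix of `5.6.41-84.1` dropped). That helper mirrors the observed behaviour and is not the script's own code. The sample input is a constructed excerpt of the scan above.

```python
"""Parse nmap normal output carrying freevulnsearch results into a per-port summary.

Added example, not part of the original post or the freevulnsearch project.
"""
import re
from dataclasses import dataclass, field

# "53/tcp open domain ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| CVE-2017-3141 High 7.2 EDB https://cve.circl.lu/cve/CVE-2017-3141"
CVE_RE = re.compile(r"^\|_?\s*(CVE-\d{4}-\d+)\s+(\w+)\s+([\d.]+)\s+(?:EDB\s+)?(\S+)")
# "(cpe:/a:isc:bind:9.8.2rc1)" inside the NMAP-CPE / freevulnsearch function lines
CPE_RE = re.compile(r"\((cpe:/[^)]+)\)")


@dataclass
class Finding:
    cve: str
    severity: str
    score: float
    url: str


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str
    cpes: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    lookup_error: bool = False  # freevulnsearch could not reach its CVE API


def parse_nmap_output(text):
    """Return one PortResult per port line, with the script output that followed it."""
    results, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortResult(int(m.group(1)), m.group(2), m.group(3),
                                 m.group(4), m.group(5).strip())
            results.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue  # headers, rDNS lines and fingerprints are not per-port script output
        if "Error with API query" in line:
            current.lookup_error = True
        m = CVE_RE.match(line)
        if m:
            current.findings.append(Finding(m.group(1), m.group(2), float(m.group(3)), m.group(4)))
            continue
        for cpe in CPE_RE.findall(line):
            if cpe not in current.cpes:
                current.cpes.append(cpe)
    return results


def normalize_cpe(cpe):
    """Reproduce the CPE rewrite visible in the scan: a pre-release tag such as
    rc1 becomes its own CPE field, and a distro build suffix (-84.1) is dropped.
    This mirrors the observed behaviour; it is not the script's own code."""
    parts = cpe.split(":")
    if len(parts) < 5:
        return cpe
    version = parts[4].split("-")[0]
    m = re.match(r"^(\d+(?:\.\d+)*)((?:rc|beta|alpha)\d*)$", version)
    if m:
        parts[4:5] = [m.group(1), m.group(2)]
    else:
        parts[4] = version
    return ":".join(parts)


def summarize(results):
    """(port, service, version, worst CVSS, CVE count) for ports with findings, worst first."""
    rows = []
    for r in results:
        if r.findings:
            worst = max(r.findings, key=lambda f: f.score)
            rows.append((r.port, r.service, r.version, worst.score, len(r.findings)))
    rows.sort(key=lambda t: -t[3])
    return rows


# Constructed excerpt of the scan output shown above.
SAMPLE_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
|_freevulnsearch: *Error with API query. API or network possibly not available.
25/tcp open smtp Exim smtpd 4.91
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:exim:exim:4.91)
|_ *Check other sources like https://www.exploit-db.com
53/tcp open domain ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
| freevulnsearch:
| CVE-2017-3145 Medium 5.0 https://cve.circl.lu/cve/CVE-2017-3145
| CVE-2017-3141 High 7.2 EDB https://cve.circl.lu/cve/CVE-2017-3141
| CVE-2015-4620 High 7.8 https://cve.circl.lu/cve/CVE-2015-4620
| *No CVE found with NMAP-CPE: (cpe:/a:isc:bind:9.8.2rc1)
|_ *CVE found with freevulnsearch function: (cpe:/a:isc:bind:9.8.2:rc1)
3306/tcp open mysql MySQL 5.6.41-84.1
| freevulnsearch:
| *No CVE found with NMAP-CPE: (cpe:/a:mysql:mysql:5.6.41-84.1)
|_ *Check other sources like https://www.exploit-db.com
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    parsed = parse_nmap_output(text)
    for port, service, version, score, count in summarize(parsed):
        print(f"{port:>5}/{service:<10} worst CVSS {score:<4} ({count} CVEs)  {version}")
    for r in parsed:
        if r.lookup_error:
            print(f"{r.port:>5}/{r.service:<10} UNCHECKED: CVE lookup failed, review manually")
```

Run it without arguments to process the embedded excerpt, or pass the path of a scan saved with nmap's -oN option. Note that freevulnsearch reported an API error for the OpenSSH ports in the scan above, so an empty findings list does not mean a service is clean; the parser keeps those ports flagged as unchecked rather than silently reporting nothing.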
  • After executing the above query, the nmap script has found vulnerabilities that can be used in further attacks.
  • This query shows the CVE list, which covers the most common vulnerabilities and can be used in creating flaws in the web application.
  • Type nmap -sV --script broadcast-dhcp-discover certified.com
  • -sV: s will spoof the IP address and V will scan the target verbosely.
  • --script broadcast-dhcp-discover will obtain local parameters without allocating a new address.
  • certified.com is the target.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap -sV --script broadcast-dhcp-discover certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 03:05 EST
Pre-scan script results:
| broadcast-dhcp-discover:
| Response 1 of 1:
| IP Offered: 192.168.1.9
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
| Domain Name Server: 192.168.1.1
| Server Identifier: 192.168.1.1
|_ IP Address Lease Time: 1d00h00m00s
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.30s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
25/tcp open tcpwrapped
26/tcp open smtp Exim smtpd 4.91
53/tcp open domain ISC BIND 9.8.2rc1 (RedHat Enterprise Linux 6)
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
110/tcp open pop3 Dovecot pop3d
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd
443/tcp open ssl/http nginx 1.14.1
|_http-server-header: nginx/1.14.1
445/tcp filtered microsoft-ds
465/tcp open ssl/smtps?
587/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
1720/tcp filtered h323q931
2222/tcp open ssh OpenSSH 5.3 (protocol 2.0)
3306/tcp open mysql MySQL 5.6.41-84.1
5060/tcp filtered sip
5432/tcp open postgresql PostgreSQL DB
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
| Fpostmaster.c
| L1624
|_ RProcessStartupPacket
8080/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
8443/tcp open ssl/http nginx 1.14.1
|_http-server-header: nginx/1.14.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=2/13%Time=5C63CFD1%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363.19778:\x20server\x20supports\x201.0\x20to\x203.0\0Fpo
SF:stmaster.c\0L1624\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.67 seconds
  • The above query has obtained the rDNS record and shows the open ports and services. This information can be used in further hacking activities.
  • The above query also shows the detected version for each port.
  • Type nmap --script http-security-headers certified.com
  • --script http-security-headers is used to check the HTTP response security headers.
  • certified.com is the target URL.
root@kali:/home/iicybersecurity/Downloads/freevulnsearch# nmap --script http-security-headers certified.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 04:31 EST
Nmap scan report for certified.com (162.241.216.11)
Host is up (0.29s latency).
rDNS record for 162.241.216.11: box5331.bluehost.com
Not shown: 978 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
26/tcp open rsftp
53/tcp open domain
80/tcp open http
|_http-security-headers:
110/tcp open pop3
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
|_ HSTS not configured in HTTPS Server
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1720/tcp filtered h323q931
2222/tcp open EtherNetIP-1
3306/tcp open mysql
5060/tcp filtered sip
5432/tcp open postgresql
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 9.67 seconds
  • After executing the above query, the HTTP security header check has shown that HSTS is not configured on the HTTPS server.
  • HSTS (HTTP Strict Transport Security) helps protect websites from protocol downgrade attacks. The above information can also be used in further hacking activities.
  • You can also use nmap DoS scripts to launch DoS attacks.
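The http-security-headers finding above only tells you that HSTS is absent on port 443. The following Python is an added example, not code from the original post or from nmap: it parses a raw HTTP response, applies the same "HSTS not configured" check, and goes further by validating the policy's max-age and includeSubDomains directives and by checking three other common hardening headers (X-Content-Type-Options, X-Frame-Options, Content-Security-Policy). Both sample responses are constructed for the example; the one-year minimum for max-age is the common recommendation, not a value from the page.

```python
"""Audit HTTP response security headers, starting from the HSTS check above.

Added example, not part of the original post or of nmap's http-security-headers script.
"""

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age

# Headers to require besides HSTS. A value of None means "present with any value".
RECOMMENDED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "content-security-policy": None,
}


def parse_response_headers(raw):
    """Return the header block of a raw HTTP response as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def evaluate_hsts(value):
    """Check a Strict-Transport-Security value. Returns (ok, list_of_issues)."""
    if value is None:
        return False, ["HSTS not configured in HTTPS Server"]
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    issues = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("max-age missing or not numeric")
    elif int(max_age) == 0:
        issues.append("max-age=0 disables HSTS")
    elif int(max_age) < ONE_YEAR:
        issues.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        issues.append("includeSubDomains not set; subdomains stay downgradable")
    return not issues, issues


def audit_headers(headers):
    """Return a list of findings for a parsed header dict; an empty list means all checks pass."""
    findings = []
    _, issues = evaluate_hsts(headers.get("strict-transport-security"))
    findings.extend(f"Strict-Transport-Security: {i}" for i in issues)
    for name, expected in RECOMMENDED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name} missing")
        elif expected is not None and value.lower() != expected:
            findings.append(f"{name} is '{value}', expected '{expected}'")
    return findings


# Constructed responses: the weak one matches what the scan above found on 443
# (nginx, no HSTS); the hardened one is what a corrected server should send.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.1\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_headers(parse_response_headers(raw))
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

For nginx, the server version the scan reported, the fix is an `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` directive in the TLS server block; after reloading, re-running `nmap --script http-security-headers` against the host should no longer report the HSTS finding on 443.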