Scanning for vulnerable ports is easy with the Kali Linux distribution. Here is a simple port scan of my Windows Server 2012 R2 laptop host OS using Kali Linux.
homer@kali:~$ sudo nmap 192.168.1.6

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 20:44 EST
Nmap scan report for 192.168.1.6
Host is up (1.0s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 136.96 seconds
This is a more verbose scan that shows more information about the host.
homer@kali:~$ sudo nmap -A -T4 192.168.1.6

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 20:47 EST
Nmap scan report for 192.168.1.6
Host is up (0.40s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE         VERSION
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     ssl/http        VMware VirtualCenter Web service
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text; charset=plain).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2014-05-21T11:08:13+00:00
|_Not valid after:  2015-05-21T11:08:13+00:00
445/tcp   open     netbios-ssn
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
49152/tcp open     msrpc           Microsoft Windows RPC
49153/tcp open     msrpc           Microsoft Windows RPC
49154/tcp open     msrpc           Microsoft Windows RPC
49155/tcp open     msrpc           Microsoft Windows RPC
49156/tcp open     msrpc           Microsoft Windows RPC
49157/tcp open     msrpc           Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-EM8GK0ROU41, NetBIOS user: , NetBIOS MAC: 4c:0f:6e:5d:e1:25 (Hon Hai Precision Ind. Co.)
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   1.10 ms  192.168.233.2
2   16.18 ms 192.168.1.6

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.18 seconds
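As an added example (not part of the original post), here is a small Python parser for the nmap normal-output format shown above. It reads the PORT/STATE/SERVICE rows and the smb-security-mode script result from a constructed excerpt of this scan and turns them into a short hardening checklist for the scanned host; the thresholds and wording of the findings are my own, not nmap's.

```python
import re

# Constructed excerpt of the "nmap -A" output shown on this page (not live scan data).
NMAP_OUTPUT = """\
PORT      STATE    SERVICE         VERSION
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     ssl/http        VMware VirtualCenter Web service
445/tcp   open     netbios-ssn
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
49152/tcp open     msrpc           Microsoft Windows RPC
Host script results:
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""

# One table row: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return one dict per PORT/STATE/SERVICE row; script lines ('|') are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": (m.group(5) or "").strip()})
    return rows


def hardening_findings(text):
    """Map the scan results to items a defender would want to review on the host."""
    findings = []
    open_ports = {r["port"] for r in parse_ports(text) if r["state"] == "open"}
    if open_ports & {139, 445}:
        findings.append("SMB/NetBIOS reachable from the scanning network")
    if "Message signing disabled" in text:          # from the smb-security-mode script
        findings.append("SMB message signing disabled")
    if any(49152 <= p <= 65535 for p in open_ports):  # Windows dynamic RPC range
        findings.append("dynamic RPC ports exposed")
    return findings


if __name__ == "__main__":
    for item in hardening_findings(NMAP_OUTPUT):
        print("-", item)
```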
The nikto web server scanner for Kali Linux is another useful scanning tool. In the example below, I am scanning my Windows Server installation again.
homer@kali:~$ nikto -host 192.168.1.6
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 192.168.1.6:80
---------------------------------------------------------------------------
+ 0 host(s) tested
But there is no active web server on the laptop.
This scanner does work on a live website though…
homer@kali:~$ nikto -host yahoo.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          98.139.183.24
+ Target Hostname:    yahoo.com
+ Target Port:        80
+ Start Time:         2014-05-28 20:58:57 (GMT10)
---------------------------------------------------------------------------
+ Server: ATS
+ Retrieved via header: http/1.1 ir17.fp.bf1.yahoo.com (ApacheTrafficServer/4.0.2)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: https://www.yahoo.com/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xYM:1:becce64f 0xe9f6 0x462e 0xafc2 0x7c827645c1750004fa68d17f0ff8
+ Uncommon header 'x-ysws-request-id' found, with contents: cd4e1f5d-a1d5-4dc0-aa49-35c27d3c63b0
+ Uncommon header 'x-ysws-visited-replicas' found, with contents: gops.use26.mobstor.vip.bf1.yahoo.com
+ Uncommon header 'x-cache-lookup' found, with contents: HIT from logo18.global.media.ne1.yahoo.com:80
+ Uncommon header 'x-cache' found, with contents: HIT from logo18.global.media.ne1.yahoo.com
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-05-28 21:12:19 (GMT10) (802 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The ua-tester utility for Kali Linux is yet another useful command to use when testing a website. This utility will scan a website using multiple user-agent strings and show the responses.
Type ua-tester -u yahoo.com to try this out. This scan takes a long time though.
Here I am using the nmap scan string that Trinity used in the Matrix Reloaded.
homer@kali:~$ sudo nmap -v -sS -O 192.168.1.6
[sudo] password for homer:

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 21:43 EST
Initiating Ping Scan at 21:43
Scanning 192.168.1.6 [4 ports]
Completed Ping Scan at 21:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:43
Completed Parallel DNS resolution of 1 host. at 21:43, 0.08s elapsed
Initiating SYN Stealth Scan at 21:43
Scanning 192.168.1.6 [1000 ports]
Discovered open port 443/tcp on 192.168.1.6
Discovered open port 445/tcp on 192.168.1.6
Discovered open port 139/tcp on 192.168.1.6
Discovered open port 135/tcp on 192.168.1.6
Discovered open port 912/tcp on 192.168.1.6
Discovered open port 49154/tcp on 192.168.1.6
Increasing send delay for 192.168.1.6 from 0 to 5 due to 85 out of 281 dropped probes since last increase.
Discovered open port 49152/tcp on 192.168.1.6
Discovered open port 49156/tcp on 192.168.1.6
Discovered open port 902/tcp on 192.168.1.6
Discovered open port 49157/tcp on 192.168.1.6
Discovered open port 49155/tcp on 192.168.1.6
Discovered open port 49153/tcp on 192.168.1.6
Completed SYN Stealth Scan at 21:46, 121.26s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.6
Nmap scan report for 192.168.1.6
Host is up (0.39s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.40 seconds
           Raw packets sent: 1841 (82.642KB) | Rcvd: 1020 (41.216KB)
This returns more information than the scan in the movie did, but my firewall is letting through far more traffic: far more ports are open.