Posted at 10:10 PM. Post ID: 7334

How to scan for vulnerable ports on a host with the Kali Linux distribution.

Scanning for vulnerable ports is easy with the Kali Linux distribution. Here is a simple port scan of my Windows Server 2012 R2 laptop host OS using Kali Linux.

homer@kali:~$ sudo nmap 192.168.1.6
 
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 20:44 EST
Nmap scan report for 192.168.1.6
Host is up (1.0s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
 
Nmap done: 1 IP address (1 host up) scanned in 136.96 seconds

This is a more verbose scan that shows more information about the host: -A turns on OS detection, version detection, script scanning and traceroute, and -T4 uses a faster timing template.

homer@kali:~$ sudo nmap -A -T4 192.168.1.6
 
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 20:47 EST
Nmap scan report for 192.168.1.6
Host is up (0.40s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE         VERSION
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     ssl/http        VMware VirtualCenter Web service
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text; charset=plain).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2014-05-21T11:08:13+00:00
|_Not valid after:  2015-05-21T11:08:13+00:00
445/tcp   open     netbios-ssn
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
49152/tcp open     msrpc           Microsoft Windows RPC
49153/tcp open     msrpc           Microsoft Windows RPC
49154/tcp open     msrpc           Microsoft Windows RPC
49155/tcp open     msrpc           Microsoft Windows RPC
49156/tcp open     msrpc           Microsoft Windows RPC
49157/tcp open     msrpc           Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_nbstat: NetBIOS name: WIN-EM8GK0ROU41, NetBIOS user: , NetBIOS MAC: 4c:0f:6e:5d:e1:25 (Hon Hai Precision Ind. Co.)
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
 
TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   1.10 ms  192.168.233.2
2   16.18 ms 192.168.1.6
 
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.18 seconds

The nikto web server scanner for Kali Linux is another useful scanning tool. In the example below I am scanning my Windows Server installation again.

homer@kali:~$ nikto -host 192.168.1.6
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 192.168.1.6:80
---------------------------------------------------------------------------
+ 0 host(s) tested

But nikto only checks port 80 by default, and there is no web server listening there on the laptop (the HTTPS service nmap found on 443 would need nikto's -port and -ssl options).

This scanner does work on a live website though…

homer@kali:~$ nikto -host yahoo.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          98.139.183.24
+ Target Hostname:    yahoo.com
+ Target Port:        80
+ Start Time:         2014-05-28 20:58:57 (GMT10)
---------------------------------------------------------------------------
+ Server: ATS
+ Retrieved via header: http/1.1 ir17.fp.bf1.yahoo.com (ApacheTrafficServer/4.0.2)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: https://www.yahoo.com/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xYM:1:becce64f 0xe9f6 0x462e 0xafc2 0x7c827645c1750004fa68d17f0ff8 
+ Uncommon header 'x-ysws-request-id' found, with contents: cd4e1f5d-a1d5-4dc0-aa49-35c27d3c63b0
+ Uncommon header 'x-ysws-visited-replicas' found, with contents: gops.use26.mobstor.vip.bf1.yahoo.com
+ Uncommon header 'x-cache-lookup' found, with contents: HIT from logo18.global.media.ne1.yahoo.com:80
+ Uncommon header 'x-cache' found, with contents: HIT from logo18.global.media.ne1.yahoo.com
+ ERROR: Error limit (20) reached for host, giving up. Last error: 
+ Scan terminated:  0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-05-28 21:12:19 (GMT10) (802 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The ua-tester utility for Kali Linux is yet another useful command to use when testing a website. This utility will scan a website using multiple user-agent strings and show the responses.

Type: ua-tester -u yahoo.com to try this out.

This scan takes a long time though.

Here I am using the nmap scan string that Trinity used in The Matrix Reloaded.

homer@kali:~$ sudo nmap -v -sS -O 192.168.1.6
[sudo] password for homer: 
 
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 21:43 EST
Initiating Ping Scan at 21:43
Scanning 192.168.1.6 [4 ports]
Completed Ping Scan at 21:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:43
Completed Parallel DNS resolution of 1 host. at 21:43, 0.08s elapsed
Initiating SYN Stealth Scan at 21:43
Scanning 192.168.1.6 [1000 ports]
Discovered open port 443/tcp on 192.168.1.6
Discovered open port 445/tcp on 192.168.1.6
Discovered open port 139/tcp on 192.168.1.6
Discovered open port 135/tcp on 192.168.1.6
Discovered open port 912/tcp on 192.168.1.6
Discovered open port 49154/tcp on 192.168.1.6
Increasing send delay for 192.168.1.6 from 0 to 5 due to 85 out of 281 dropped probes since last increase.
Discovered open port 49152/tcp on 192.168.1.6
Discovered open port 49156/tcp on 192.168.1.6
Discovered open port 902/tcp on 192.168.1.6
Discovered open port 49157/tcp on 192.168.1.6
Discovered open port 49155/tcp on 192.168.1.6
Discovered open port 49153/tcp on 192.168.1.6
Completed SYN Stealth Scan at 21:46, 121.26s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.6
Nmap scan report for 192.168.1.6
Host is up (0.39s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
 
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.40 seconds
           Raw packets sent: 1841 (82.642KB) | Rcvd: 1020 (41.216KB)

This returns more information than the scan in the movie did, but my firewall is also letting through far more traffic: many more ports are open.
