How to scan for vulnerable ports on a host with the Kali Linux distribution.

Posted: May 28, 2014. At: 10:10 PM. This was 3 years ago. Post ID: 7334
Page permalink: http://securitronlinux.com/bejiitaswrath/how-to-scan-for-vulnerable-ports-on-a-host-with-the-kali-linux-distribution/


Scanning for vulnerable ports is easy with the Kali Linux distribution. Here is a simple port scan, run from Kali Linux, of my laptop's host OS, Windows Server 2012 R2.

homer@kali:~$ sudo nmap 192.168.1.6
 
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 20:44 EST
Nmap scan report for 192.168.1.6
Host is up (1.0s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
 
Nmap done: 1 IP address (1 host up) scanned in 136.96 seconds

The next scan is more verbose and shows more information about the host: -A enables OS detection, version detection, script scanning and traceroute, and -T4 selects a faster timing template.

homer@kali:~$ sudo nmap -A -T4 192.168.1.6
 
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 20:47 EST
Nmap scan report for 192.168.1.6
Host is up (0.40s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE         VERSION
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     ssl/http        VMware VirtualCenter Web service
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text; charset=plain).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2014-05-21T11:08:13+00:00
|_Not valid after:  2015-05-21T11:08:13+00:00
445/tcp   open     netbios-ssn
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
49152/tcp open     msrpc           Microsoft Windows RPC
49153/tcp open     msrpc           Microsoft Windows RPC
49154/tcp open     msrpc           Microsoft Windows RPC
49155/tcp open     msrpc           Microsoft Windows RPC
49156/tcp open     msrpc           Microsoft Windows RPC
49157/tcp open     msrpc           Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_nbstat: NetBIOS name: WIN-EM8GK0ROU41, NetBIOS user: , NetBIOS MAC: 4c:0f:6e:5d:e1:25 (Hon Hai Precision Ind. Co.)
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
 
TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   1.10 ms  192.168.233.2
2   16.18 ms 192.168.1.6
 
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.18 seconds
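From a defender's point of view the useful part of a scan like this is not the raw report but what it tells you about exposure: which ports are open that should not be, and which script results point at weak configuration (the "Message signing disabled" line under smb-security-mode, for instance). The following is an added example, not code from the post or from the nmap project: a small Python triage helper that parses nmap's normal output, compares the open ports against an approved baseline and turns the SMB script results into follow-up items. The sample report embedded in it is constructed from the nmap -A output above, and the baseline set is an assumption chosen for illustration.

```python
"""Triage helper for nmap normal-format output (added example, not nmap code).

Parses the port table and the NSE host-script section of an nmap report,
compares the open ports against an expected baseline, and lists findings
that deserve follow-up. The sample report is constructed from the
`nmap -A -T4` output shown in the post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated from the nmap -A output in the post.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.6
Host is up (0.40s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE         VERSION
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     ssl/http        VMware VirtualCenter Web service
445/tcp   open     netbios-ssn
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
49152/tcp open     msrpc           Microsoft Windows RPC
49153/tcp open     msrpc           Microsoft Windows RPC
Host script results:
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""

# One row of the port table: "PORT/PROTO STATE SERVICE [VERSION...]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""


@dataclass
class Report:
    ports: list = field(default_factory=list)
    script_output: list = field(default_factory=list)


def parse_report(text):
    """Extract port rows and NSE script lines from nmap normal output."""
    report = Report()
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            num, proto, state, service, version = m.groups()
            report.ports.append(Port(int(num), proto, state, service, (version or "").strip()))
        elif line.startswith("|"):
            # NSE output lines are prefixed with "| " or "|_"; keep the text only.
            report.script_output.append(line.lstrip("|_ ").strip())
    return report


def open_ports(report):
    return {p.number for p in report.ports if p.state == "open"}


def unexpected_ports(report, baseline):
    """Open ports that are not in the approved baseline (exposure drift)."""
    return sorted(open_ports(report) - set(baseline))


def findings(report, baseline):
    """Human-readable follow-up items derived from the parsed report."""
    out = []
    for num in unexpected_ports(report, baseline):
        out.append(f"port {num}/tcp is open but not in the approved baseline")
    if any(p.state == "open" and p.service == "unknown" for p in report.ports):
        out.append("open ports with unidentified service; rerun with -sV to identify them")
    for line in report.script_output:
        if "Message signing disabled" in line:
            out.append("SMB message signing is disabled; require signing on the server")
        if "Account that was used for smb scripts: guest" in line:
            out.append("guest account was accepted for the SMB session")
    return out


if __name__ == "__main__":
    # Assumed baseline for the illustration: only the core Windows ports are approved.
    approved = {135, 139, 445}
    for item in findings(parse_report(SAMPLE_REPORT), approved):
        print("-", item)
```

In practice you would feed the helper a saved report (nmap -oN host.txt) and keep the baseline per host in version control, so that each rescan produces a short list of changes rather than a wall of output to read by eye.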

The nikto website scanner tool for Kali Linux is another useful scanning tool. In the example below, I am scanning my Windows Server installation again.

homer@kali:~$ nikto -host 192.168.1.6
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 192.168.1.6:80
---------------------------------------------------------------------------
+ 0 host(s) tested

But there is no active web server on the laptop.

This scanner does work on a live website though…

homer@kali:~$ nikto -host yahoo.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          98.139.183.24
+ Target Hostname:    yahoo.com
+ Target Port:        80
+ Start Time:         2014-05-28 20:58:57 (GMT10)
---------------------------------------------------------------------------
+ Server: ATS
+ Retrieved via header: http/1.1 ir17.fp.bf1.yahoo.com (ApacheTrafficServer/4.0.2)
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: https://www.yahoo.com/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xYM:1:becce64f 0xe9f6 0x462e 0xafc2 0x7c827645c1750004fa68d17f0ff8 
+ Uncommon header 'x-ysws-request-id' found, with contents: cd4e1f5d-a1d5-4dc0-aa49-35c27d3c63b0
+ Uncommon header 'x-ysws-visited-replicas' found, with contents: gops.use26.mobstor.vip.bf1.yahoo.com
+ Uncommon header 'x-cache-lookup' found, with contents: HIT from logo18.global.media.ne1.yahoo.com:80
+ Uncommon header 'x-cache' found, with contents: HIT from logo18.global.media.ne1.yahoo.com
+ ERROR: Error limit (20) reached for host, giving up. Last error: 
+ Scan terminated:  0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-05-28 21:12:19 (GMT10) (802 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The ua-tester utility for Kali Linux is yet another useful command to use when testing a website. This utility will scan a website using multiple user-agent strings and show the responses.

Type ua-tester -u yahoo.com to try it out.

This scan takes a long time though.

Here I am using the nmap scan string that Trinity used in The Matrix Reloaded.

homer@kali:~$ sudo nmap -v -sS -O 192.168.1.6
[sudo] password for homer: 
 
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-28 21:43 EST
Initiating Ping Scan at 21:43
Scanning 192.168.1.6 [4 ports]
Completed Ping Scan at 21:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:43
Completed Parallel DNS resolution of 1 host. at 21:43, 0.08s elapsed
Initiating SYN Stealth Scan at 21:43
Scanning 192.168.1.6 [1000 ports]
Discovered open port 443/tcp on 192.168.1.6
Discovered open port 445/tcp on 192.168.1.6
Discovered open port 139/tcp on 192.168.1.6
Discovered open port 135/tcp on 192.168.1.6
Discovered open port 912/tcp on 192.168.1.6
Discovered open port 49154/tcp on 192.168.1.6
Increasing send delay for 192.168.1.6 from 0 to 5 due to 85 out of 281 dropped probes since last increase.
Discovered open port 49152/tcp on 192.168.1.6
Discovered open port 49156/tcp on 192.168.1.6
Discovered open port 902/tcp on 192.168.1.6
Discovered open port 49157/tcp on 192.168.1.6
Discovered open port 49155/tcp on 192.168.1.6
Discovered open port 49153/tcp on 192.168.1.6
Completed SYN Stealth Scan at 21:46, 121.26s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.6
Nmap scan report for 192.168.1.6
Host is up (0.39s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
 
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.40 seconds
           Raw packets sent: 1841 (82.642KB) | Rcvd: 1020 (41.216KB)

This returns more information than the command did in the movie, but that is because my firewall is letting through far more traffic: many more ports are open.
