Kali system learning: practical demonstration of vulnerability scanning tool NMAP

Kali system learning: practical demonstration of vulnerability scanning tool NMAP

1 Introduction to Nmap

Nmap, the abbreviation of Network Mapper, is maintained by Gordon Lyon (for more information about the author Mr. Lyon, you can visit this webpage:http://insecure.org/fyodor/) and is used by many security professionals around the world. It is installed in our kali system by default, no additional installation is required, it is very convenient to use, and because of its powerful functions, it is deeply loved by network security practitioners.

In fact, there is a front-end version of the graphical interface for Nmap, called Zenmap. Zenmap is the GUI version of Nmap, officially provided by Nmap, and usually released together with the Nmap installation package. Zenmap is written in Python language and can run on different systems such as Windows, Linux, UNIX, and Mac OS. The main purpose of developing Zenmap is to provide a simpler operation method for Nmap.

But I still sincerely recommend that everyone learn the command line version of Nmap. First of all, the main reason is that I personally think that the command line version of Nmap is more flexible to use than Zenmap. Secondly, as a person in network-related industries, the command line (also Hair loss…) is an unavoidable experience. If you are a veteran, the command line will naturally be familiar and not difficult, so why not choose the more flexible Nmap? And if you are a novice, using Nmap can help you become familiar with the use of the Kali system faster and help you advance quickly!

There are four main basic functions of Nmap;

1. Host Discovery

2. Port Scanning

3. Version Detection

4. Operating System Detection

2 Nmap common commands

Nmap is very powerful and contains many parameters. You can use nmap -h to view detailed operation instructions.

nmap -h #View Nmap operation instructions

Combined with our daily use, here I only list some commonly used parameters for your use and reference:

parameterComment
-pSpecify the port number to scan
-vShow scanning process
-FPerform a quick scan
-nDisable reverse domain name resolution
-RReverse domain name resolution
-6Start ipv6 scan
-PnSkip the host discovery process for port scanning
-AComprehensive scan, this command will scan the operating system information, version information, path tracking, etc. of the IP/domain name, but the scanning speed…, dddd
-sSTCP SYN scan
-sUUDP scan
-sTTCP scan
-sVScan system version to detect program version number
–script=vulnComprehensive vulnerability scan
-PA/-PS/-PRScan hosts included in the LAN

3 Practical exercises

3.1 Search for active hosts on the network

In the early stage of penetration, we first need to determine how many hosts are currently “alive” in the corresponding target network segment to facilitate our search for targets. Since we are here for demonstration purposes, our target host is my Metasploitable 2. Here we can use nmap <target ip> <parameter> to scan our target

nmap 192.168.254.0/24 #Scan all IP addresses in the 192.168.254.0/24 network segment

As you can see, we have scanned a total of 4 active hosts in this network segment, including the services, ports, IP addresses and other information that the host is opening, which is very detailed.

However, in daily penetration testing, we will find that many operating systems will process port scan traffic, which will lead to the following situation:

No host can be scanned out

Therefore, I would like to share a little trick for daily use. We can add the -sn parameter to disable nmap’s default behavior of scanning host ports and let nmap only try to ping the host, so that it can be scanned out. Use this method. Compared with adding no parameters, scanning has advantages in terms of speed, and secondly, it prevents the host from processing the port scan data, causing us to be unable to scan out anything.

nmap 192.168.254.0/24 -sn#For all IP addresses in the 192.168.254.0 network segment, skip the port scan function and ping the host directly

Hey, the query results came out instantly.

3.2 Scan the target host

Now that we can determine that our target host is 192.168.254.129, we can now add the parameter -sV to scan the specific host and obtain the services and ports it opens, and at the same time try to determine the version number of the service it opens.

nmap -sV 192.168.254.129 #Scan 192.168.254.129 port information and service version number

You can see that our scan was very successful. The yellow box is the operating system and host name of the target host, and the red box is the focus of our scan!

3.3 Find how to use the vulnerability (can be skipped)

We can see that we successfully scanned the version number of the service enabled by the target host. With the version number, it is easy to handle. Here I will teach you two more representative methods. Taking the ftp service as an example, we can See, according to Nmap, vsftpd 2.3.4 is running on this host.

Method 1: We can go directly to ExploitDB (the URL is here:https://www.exploit-db.com/) to search for vulnerabilities and exploitation methods of this vsftpd2.3.4 version. In the pop-up results, just select the method you need to exploit.

However, although this method is more comprehensive in hot search, it still requires switching to an external browser, which is a little troublesome, so we can also choose to be lazy and directly use the searchsploit vulnerability finding tool that comes with the kali system.

Method 2: Go to our tool menu bar, find searchsploit, and click Run


According to the prompts of the searchsploit tool, we can directly enter searchsploit <keyword> to search for vulnerabilities.

searchsploit vsftpd 2.3.4#Find vulnerabilities related to vsftpd 2.3.4 version

Two results are returned. We can use less to check the exploitation methods of these vulnerabilities according to the path on the right.

less /usr/share/exploitdb/exploits/unix/remote/49757.py#View the vulnerability exploitation methods of vsftpd2.3.4

It’s clear at a glance and very convenient!

3.4 Port scanning

Continuing back to our Nmap, we can use Nmap plus the -p parameter plus the -sC parameter to run the Nmap default script on the specified port.

Nmap -sC 192.168.254.129 -p 21#Run Nmap default script on port 21 of the host with IP address 192.168.254.129


Through the returned results, we can clearly see that the ftp service of this host allows anonymous login. Seeing this, this can already give us unlimited room for imagination. Therefore, this should attract the attention of administrators.

3.5 Use scripts to check for vulnerabilities

Since the above is a scan using the default script, the Internet is ever-changing. For further scanning, we can check whether Nmap has a scanning script for the corresponding service.

locate .nse | grep ftp #Find scripts about ftp

have! Let’s take a look at what this script can do for us. We can continue to view the description of the corresponding file through less

less /usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse#View corresponding files

As we can see from the description, it is obvious that this script can be used to try to see if this specific machine is vulnerable to the ExploitDB issue identified earlier. Note that the content below the script is exactly what we mentioned before in Section 3.3. How to use the vulnerability!

So now that the script has been found and its usage principle and content are known, we can now start trying to use this script on the target host.

nmap --script=ftp-vsftpd-backdoor.nse 192.168.254.129 -p 21#Execute the specified script on port 21 of the host with IP address 192.168.254.129

Nice! The report returned by Nmap tells us a lot of information. For example, as indicated in the red box, the status of the vsftpd 2.3.4 version backdoor is very vulnerable. The follow-up content includes the date the vulnerability was discovered, how to use it, the consequences, etc. It is very detailed, and security personnel can perform maintenance based on this report. Similarly, those with malicious intentions will naturally be able to follow this report for infiltration. This deserves our necessary attention.

4 Afterwords

As the old saying goes: If you learn kali well, you will inevitably get food in prison. I have to say that Nmap is indeed a very good vulnerability scanning tool. It is portable, easy to use, flexible, comprehensive, highly selective, and very stable. For most of the scans I’ve done so far, nmap’s network traffic has remained moderately smooth. But as I said in the previous chapter, since this tool can help security practitioners improve their services, it can also help those with malicious intentions. Tools are innocent. Whether they are good or bad depends on the person who uses them. This article is only for learning and communication. You are welcome to leave a message or communicate via private message, but remember to use it with caution while studying! ! !

Related Posts

Multi-threaded learning

[Resolved]Error: Failed to download metadata for repo ‘appstream’ : Cannot prepare internal mirrorlist

Linux[JavaEE]——Building a JavaEE development environment (with software installation tutorial and download address)

ESXI 7.0 version configures N card graphics card pass-through

7 tools that can replace the top command

unity3D terrain editor—Terrain

Use the make tool to compile all .c in any directory and link & specify the output directory

HarmonyOS IoT device kernel programming interface—–Message queue

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*