Nmap ships with 599 NSE scripts, organized into categories
puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | wc -l
599
puton@kremlin:$
To check whether a script exists for a particular server software, we can do
puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | grep apache
http-apache-negotiation.nse
http-apache-server-status.nse
puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | grep drupal
http-drupal-enum.nse
http-drupal-enum-users.nse
puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | grep joomla
http-joomla-brute.nse
puton@kremlin:$
To see the details of a particular script
puton@kremlin:$ nmap --script-help http-apache-negotiation.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-25 02:58 CET
http-apache-negotiation
Categories: safe discovery
https://nmap.org/nsedoc/scripts/http-apache-negotiation.html
Checks if the target http server has mod_negotiation enabled. This
feature can be leveraged to find hidden resources and spider a web
site using fewer requests.
The script works by sending requests for resources like index and home
without specifying the extension. If mod_negotiate is enabled (default
Apache configuration), the target would reply with content-location header
containing target resource (such as index.html) and vary header containing
"negotiate" depending on the configuration.
For more information, see:
* http://www.wisec.it/sectou.php?id=4698ebdc59d15
* Metasploit auxiliary module
/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb
Warning: File ./scripts/ exists, but Nmap is using /usr/bin/../share/nmap/scripts/ for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
puton@kremlin:$
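The listing and --script-help above work one script at a time. As an added example (not code from the original notes), the shell functions below answer the same questions from Nmap's own index, script.db, which records each script's filename and categories, and add the check a practitioner wants before launching a whole category: whether any script in it is also tagged intrusive or dos. SAMPLE_DB is a constructed excerpt in the real script.db format so the block runs without Nmap installed; feed the real file on stdin otherwise.

```shell
# Each script.db line has the form:
#   Entry { filename = "x.nse", categories = { "safe", "discovery", } }
# All functions read the index on stdin, e.g.
#   scripts_in_category vuln < /usr/share/nmap/scripts/script.db
# SAMPLE_DB is a constructed excerpt (sample data, not the full index).
SAMPLE_DB='Entry { filename = "http-apache-negotiation.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-apache-server-status.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-drupal-enum.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-joomla-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }'

# scripts_in_category CATEGORY: filenames of the scripts tagged CATEGORY, one per line.
scripts_in_category() {
  awk -v want="$1" '
    /^Entry/ {
      # script name: the text between the quotes after "filename = "
      if (match($0, /filename = "[^"]+"/))
        name = substr($0, RSTART + 12, RLENGTH - 13)
      # categories: the brace-delimited list; look for the quoted category inside it
      if (match($0, /categories = [{][^}]*[}]/))
        if (index(substr($0, RSTART, RLENGTH), "\"" want "\"") > 0) print name
    }'
}

# categories_of SCRIPT.nse: the categories of one script, space separated.
categories_of() {
  awk -v want="$1" '
    /^Entry/ && index($0, "filename = \"" want "\"") > 0 {
      if (match($0, /categories = [{][^}]*[}]/)) {
        list = substr($0, RSTART + 14, RLENGTH - 15)  # strip "categories = {" and "}"
        gsub(/[",]/, "", list)                         # drop quotes and commas
        sub(/^ +/, "", list); sub(/ +$/, "", list)
        print list
      }
    }'
}

# noninvasive_category CATEGORY: exit 0 only if no script tagged CATEGORY is also
# tagged intrusive or dos, i.e. the whole category can be run without side effects.
noninvasive_category() {
  awk -v want="$1" '
    /^Entry/ && match($0, /categories = [{][^}]*[}]/) {
      list = substr($0, RSTART, RLENGTH)
      if (index(list, "\"" want "\"") && (index(list, "\"intrusive\"") || index(list, "\"dos\""))) bad = 1
    }
    END { exit bad ? 1 : 0 }'
}
```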
We can write a bash script that runs specific NSE scripts against the host, or that runs every script belonging to a category
# one nmap run per entry; an entry may be a category name or a script name
for script in vuln brute safe http-apache-negotiation; do
  echo "$script"
  sudo nmap -sV -Pn -p80 -O --script="$script" kremlin.ru
done
-sV: service and version information
-O: operating system detection
puton@kremlin:$ sudo nmap -sV -p80 -O kremlin.ru
[sudo] contraseña para puton:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:11 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 5.25 seconds
By default nmap pings the host to find out whether it is up before starting the scan. Since kremlin.ru blocks pings, nmap assumes it is down, but we know it is not because the website is working. To tell nmap to assume the host is up and proceed, use the -Pn option
puton@kremlin:$ sudo nmap -sV -Pn -p80 -O kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:14 CET
Nmap scan report for kremlin.ru (95.173.136.71)
Host is up (0.086s latency).
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.72
PORT STATE SERVICE VERSION
80/tcp open http?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.64 seconds
puton@kremlin:$
vuln: vulnerability checks
puton@kremlin:$ sudo nmap -Pn --script=vuln kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:32 CET
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71
an avahi service was identified (by the broadcast pre-scan script, on the local network rather than on the target), but it is not vulnerable
puton@kremlin:$ sudo nmap -Pn --script=exploit kremlin.ru
[sudo] contraseña para puton:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:48 CET
Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71
All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered
Nmap done: 1 IP address (1 host up) scanned in 207.41 seconds
puton@kremlin:$
All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered
Nmap done: 1 IP address (1 host up) scanned in 243.00 seconds
We get nothing
puton@kremlin:$
puton@kremlin:$ sudo nmap -Pn -sV --script=version kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:54 CET
Nmap scan report for kremlin.ru (95.173.136.71)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.72
All 1000 scanned ports on kremlin.ru (95.173.136.71) are filtered
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.07 seconds
puton@kremlin:$
again we get nothing
puton@kremlin:$ sudo nmap -Pn -sV --script=discovery kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 02:01 CET
too short
Pre-scan script results:
| ipv6-multicast-mld-list:
| fe80::e8d4:9fff:fefd:c085:
| device: wlp9s0
| mac: ea:d4:9f:fd:c0:85
| multicast_ips:
| ff02::1:fffd:c085 (NDP Solicited-node)
| ff05::2 (unknown)
| ff02::2 (All Routers Address)
|_ ff02::1:ff00:0 (Solicited-Node Address)
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
| targets-ipv6-multicast-echo:
| IP: fe80::e8d4:9fff:fefd:c085 MAC: ea:d4:9f:fd:c0:85 IFACE: wlp9s0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst:
| IP: fe80::e8d4:9fff:fefd:c085 MAC: ea:d4:9f:fd:c0:85 IFACE: wlp9s0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld:
| IP: fe80::e8d4:9fff:fefd:c085 MAC: ea:d4:9f:fd:c0:85 IFACE: wlp9s0
|
|_ Use --script-args=newtargets to add the results as targets
Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71
All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered
Host script results:
|_asn-query: No Answers
| dns-brute:
| DNS Brute-force hostnames:
| news.kremlin.ru - 95.173.136.80
| ns.kremlin.ru - 194.226.127.34
| en.kremlin.ru - 95.173.136.70
| en.kremlin.ru - 95.173.136.71
| en.kremlin.ru - 95.173.136.72
| blog.kremlin.ru - 95.173.136.80
| www.kremlin.ru - 95.173.136.70
| www.kremlin.ru - 95.173.136.71
|_ www.kremlin.ru - 95.173.136.72
|_fcrdns: FAIL (No PTR record)
| hostmap-crtsh:
| subdomains:
| *.kremlin.ru\nkremlin.ru
|_ admin.accred.kremlin.ru
|_hostmap-robtex: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin:
|_95.173.136.72 (kremlin.ru)
| resolveall:
| Host 'kremlin.ru' also resolves to:
| 95.173.136.70
| 95.173.136.71
| Use the 'newtargets' script-arg to add the results as targets
|_ Use the --resolve-all option to scan all resolved addresses without using this script.
| whois-domain:
|
| Domain name record found at whois.tcinet.ru
| % TCI Whois Service. Terms of use:
| % https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
| % https://tcinet.ru/documents/whois_su.pdf (in Russian)
|
| domain: KREMLIN.RU
| nserver: acl.dns.ripn.net.
| nserver: bcl.dns.ripn.net.
| nserver: ccl.dns.ripn.net.
| nserver: ns2.gov.ru.
| nserver: ns.gov.ru.
| state: REGISTERED, DELEGATED, VERIFIED
| org: Special Communications and Information Service of the Federal Guard Service of the Russian Federation (Spetssvyaz FSO RF)
| taxpayer-id: 7702358248
| registrar: CC-RU
| admin-contact: http://www.cctld.ru
| created: 1998-07-22T12:02:55Z
| paid-till: 2025-07-31T21:00:00Z
| free-date: 2025-09-01
| source: TCI
|
| Last updated on 2025-01-23T01:03:01Z
|_
|_whois-ip: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 231.28 seconds
Interpretation of the result:
Primary IP detected: 95.173.136.72, plus the two secondary addresses 95.173.136.70 and 95.173.136.71
All 1000 scanned ports are marked as filtered; a firewall is probably blocking the traffic
IPv6 multicast related addresses detected:
Link-local address: fe80::e8d4:9fff:fefd:c085 (as the pre-scan output shows, this is the scanning machine's own interface wlp9s0, not the target)
The following subdomains associated with kremlin.ru were detected:
news.kremlin.ru - 95.173.136.80
ns.kremlin.ru - 194.226.127.34
en.kremlin.ru - 95.173.136.70
en.kremlin.ru - 95.173.136.71
en.kremlin.ru - 95.173.136.72
blog.kremlin.ru - 95.173.136.80
www.kremlin.ru - 95.173.136.70
www.kremlin.ru - 95.173.136.71
www.kremlin.ru - 95.173.136.72
Domain WHOIS
General information:
Registered by: Special Communications and Information Service of the Federal Guard Service of the Russian Federation (Spetssvyaz FSO RF).
Creation date: 1998-07-22.
Registration expiry: 2025-07-31.
DNS servers for kremlin.ru
acl.dns.ripn.net.
bcl.dns.ripn.net.
ccl.dns.ripn.net.
ns2.gov.ru.
ns.gov.ru.
Scripts used:
dns-brute: brute-forced hostnames to find subdomains associated with the domain
whois-domain: provides the domain registration details
whois-ip: failed to obtain information specific to the IP (the primary one, 95.173.136.72), such as its geographic location and the corresponding regional registry (RIR: ARIN, RIPE, APNIC, LACNIC or AFRINIC)
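The interpretation above was read off the output by hand. As an added example (not code from the original notes), the shell functions below extract the same facts from Nmap's normal output: the unscanned secondary addresses, the filtered-port count, and the dns-brute results. SAMPLE_OUTPUT is a constructed excerpt in the shape of the scan above; pipe real output into the functions instead.

```shell
# Constructed excerpt of Nmap normal output (sample data shaped like the scan above).
SAMPLE_OUTPUT='Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71
All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered
Host script results:
|_asn-query: No Answers
| dns-brute:
|   DNS Brute-force hostnames:
|     news.kremlin.ru - 95.173.136.80
|     ns.kremlin.ru - 194.226.127.34
|     www.kremlin.ru - 95.173.136.70
|_    www.kremlin.ru - 95.173.136.71
|_fcrdns: FAIL (No PTR record)'

# other_addresses: the extra IPs Nmap resolved but did not scan, space separated.
other_addresses() {
  sed -n 's/^Other addresses for .*(not scanned): //p'
}

# filtered_ports: the port count when every scanned port came back filtered
# (prints nothing when that summary line is absent, e.g. when some port was open).
filtered_ports() {
  sed -n 's/^All \([0-9][0-9]*\) scanned ports on .* are filtered$/\1/p'
}

# dns_brute_hosts: "name - ip" pairs from the dns-brute block, one per line.
# The block ends at the line whose prefix is "|_" (Nmap's last-line marker).
dns_brute_hosts() {
  awk '
    /^[|] dns-brute:/ { inblk = 1; next }
    inblk && /^[|]_? +[A-Za-z0-9.-]+ - [0-9.]+$/ {
      last = ($0 ~ /^[|]_/)
      sub(/^[|]_? +/, "")
      print
      if (last) inblk = 0
    }'
}

# unique_hosts: dns-brute names only, deduplicated (a name may resolve to several IPs).
unique_hosts() {
  dns_brute_hosts | awk '{ print $1 }' | sort -u
}
```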
sudo nmap -Pn -sV --script=external kremlin.ru
[sudo] contraseña para puton:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 02:39 CET
Pre-scan script results:
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
Nmap scan report for kremlin.ru (95.173.136.71)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.72 95.173.136.70
All 1000 scanned ports on kremlin.ru (95.173.136.71) are filtered
Host script results:
|_asn-query: No Answers
| dns-blacklist:
| SPAM
|_ l2.apews.org - FAIL
| hostmap-crtsh:
| subdomains:
| *.kremlin.ru\nkremlin.ru
|_ admin.accred.kremlin.ru
|_hostmap-robtex: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin:
|_95.173.136.71 (kremlin.ru)
|_tor-consensus-checker: ERROR: Script execution failed (use -d to debug)
| whois-domain:
|
| Domain name record found at whois.tcinet.ru
| % TCI Whois Service. Terms of use:
| % https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
| % https://tcinet.ru/documents/whois_su.pdf (in Russian)
|
| domain: KREMLIN.RU
| nserver: acl.dns.ripn.net.
| nserver: bcl.dns.ripn.net.
| nserver: ccl.dns.ripn.net.
| nserver: ns2.gov.ru.
| nserver: ns.gov.ru.
| state: REGISTERED, DELEGATED, VERIFIED
| org: Special Communications and Information Service of the Federal Guard Service of the Russian Federation (Spetssvyaz FSO RF)
| taxpayer-id: 7702358248
| registrar: CC-RU
| admin-contact: http://www.cctld.ru
| created: 1998-07-22T12:02:55Z
| paid-till: 2025-07-31T21:00:00Z
| free-date: 2025-09-01
| source: TCI
|
| Last updated on 2025-01-23T01:43:01Z
|_
|_whois-ip: ERROR: Script execution failed (use -d to debug)
Post-scan script results:
|_ip-geolocation-map-bing: Need to specify an API key, get one at https://www.bingmapsportal.com/.
|_ip-geolocation-map-google: Need to specify an API key, get one at https://developers.google.com/maps/documentation/static-maps/.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 219.62 seconds
the only additional thing extracted here is the subdomain admin.accred.kremlin.ru
Scan with the private address ranges excluded, so that only the target is touched (note that --exclude only removes those ranges from the target list; with a single public IP as the target it changes nothing about which networks the packets traverse)
puton@kremlin:$ sudo nmap -Pn --script=brute --exclude 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 95.173.136.72
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 03:46 CET
Nmap scan report for 95.173.136.72
Host is up.
All 1000 scanned ports on 95.173.136.72 are filtered
Nmap done: 1 IP address (1 host up) scanned in 202.38 seconds
In this case nothing was found