Nmap – Gathering Additional Host Information

The most important process during a penetration test is the information gathering phase. During this process we investigate our target with the goal of learning everything about it. The information we discover could be invaluable in further stages of our penetration test. During this process we gather information such as usernames, possible passwords, additional hosts and services, or even version banners, among many other interesting bits of data.

There are several tools that help us retrieve information about our target, using many different sources. Our success comes from using all available resources. Dare to ignore or neglect any of them and you could be missing out on the one piece of information that you need to completely compromise your target.

Nmap is well known for its information-gathering capabilities such as OS fingerprinting, port enumeration, and service discovery, but thanks to the Nmap Scripting Engine, it is now possible to perform several new information-gathering tasks such as geolocating an IP, checking if a host is conducting malicious activities, brute forcing DNS records, and collecting valid e-mail accounts using Google, among many others.

In this article I will cover a combination of Nmap options and NSE scripts to query WHOIS servers, discover UDP services, and match services against public security vulnerabilities.

Geolocating an IP address:

Identifying the location of an IP address helps system administrators in many situations, such as when tracing the origin of an attack, a network connection, or a harmless poster in their forums. Gorjan Petrovski submitted three Nmap NSE scripts that help us geolocate a remote IP address: ip-geolocation-maxmind, ip-geolocation-ipinfodb, and ipgeolocation-geobytes. This session will show you how to set up and use the geolocation scripts included with Nmap NSE.

Note:For the script ip-geolocation-maxmind an external database is needed. Download Maxmind’s city database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz and extract it to your local Nmap data folder (/usr/share/nmap/nselib).

 Note: For ip-geolocation-ipinfodb an API key is needed, so you need to register at http://ipinfodb.com/register.php to get it. This service does not impose a query limit, unlike Geobytes, so I highly recommend grabbing your own API key to enable this script.

#nmap –script ip-geolocation-* –script-args ip-geolocation-ipinfodb.apikey=<API_key>

The argument –script ip-geolocation-* tells Nmap to launch all scripts with the pattern ip-geolocation- at the beginning of the name. At the time of writing there are three geolocation scripts available: ip-geolocation-geoplugin, ip-geolocationmaxmind, and ip-geolocation-ipinfodb. Sometimes service providers will not return any information on a particular IP address, so it is recommended that you try and compare the results of all of them. The information returned by these scripts include latitude and longitude coordinates, country, state, and city where available.

Keep in mind that the ip-geolocation-geoplugin script works by querying a free public service. Before using this script, consider the amount of queries you need to do since many public services impose a limit of allowed queries.

Getting information from WHOIS records:

WHOIS records often contain important data such as the registrar name and contact information. System administrators have been using WHOIS for years now, and although there are many tools available to query this protocol, Nmap proves itself invaluable because of its ability to deal with IP ranges and hostname lists.

Open a terminal and enter the following command:
$nmap –script whois google.com

The argument –script whois tells Nmap to query a Regional Internet Registries WHOIS database in order to obtain the records of a given target. This script uses the IANA’s Assignments Data to select the RIR and it caches the results locally. Alternatively, you could override this behavior and select the order of the service providers to use in the argument whodb:

#nmap –script whois-* –script-args whois.whodb=arin+ripe+afrinic google.com

This script will query, sequentially, a list of WHOIS providers until the record or a referral

to the record is found. To ignore the referral records, use the value nofollow:

#nmap –script whois-* –script-args whois.whodb=nofollow google.com


Checking if a host is known for malicious activities:

System administrators hosting users often struggle with monitoring their servers against malware distribution. Nmap allows us to systematically check if a host is known for distributing malware or being used in phishing attacks, with some help from the Google Safe Browsing API. This recipe shows system administrators how to check if a host has been flagged by Google’s Safe Browsing Service as being used in phishing attacks or distributing malware.

The script http-google-malware depends on Google’s Safe Browsing service and it requires you to register to get an API key. Register at https://developers.google.com/safe-browsing/key_signup?csw=1

Open your favorite terminal and type:

#nmap -p80 –script http-google-malware –script-args http-google-malware.api=<API> <target>

The script will return a message indicating if the server is known by Google’s Safe Browsing for distributing malware or being used in a phishing attack.

The script http-google-malware queries Google Safe Browsing Service to determine if a host is suspected to be malicious. This service is used by web browsers such as Mozilla Firefox and Google Chrome to protect its users, and the lists are updated very frequently.

The script http-google-malware queries Google Safe Browsing Service to determine if a host is suspected to be malicious. This service is used by web browsers such as Mozilla Firefox and Google Chrome to protect its users, and the lists are updated very frequently.

# nmap -p80 –script http-google-malware -v google.com

Collecting valid e-mail accounts:

Valid e-mail accounts are very handy to penetration testers since they can be used for exploiting trust relationships in phishing attacks, brute-force password auditing to mail servers, and as usernames in many IT systems.

#nmap -p80 –script http-email-harvest <Target>

You should see something similar to the following output:

Pattrik Karlsson’s http-email-harvest spiders the given web server and extracts all of the e-mail  addresses found.The argument -p80 –script http-email-harvest limits port scanning to port 80 and initiates the scripts mentioned previously to try to gather as many valid e-mail accounts as possible.

The script http-email-harvest depends on the httpspider library, which is highly customizable. For example, to allow the spider to crawl additional pages, use the argument httpspider.maxpagecount:

#nmap -p80 –script http-email-harvest –script-args httpspider.maxpagecount=50 <Target>

To start spidering from a different page than the root folder, use the argument httpspider.url:

#nmap -p80 –script http-email-harvest –script-args httpspider.url=/welcome.php <Target>

There are some packet filtering products that block requests made using Nmap’s default HTTP User Agent. You can set a different HTTP UserAgent by setting the argument http.useragent:

#nmap -p80 –script http-email-harvest –script-args http.useragent=”Mozilla 42″ <Target>

Brute forcing DNS records:

DNS records hold a surprising amount of host information. By brute forcing them we can reveal additional targets. Also, DNS entries often give away information, for example “mail” indicating that we are obviously dealing with the mail server, or Cloudflare’s default DNS entry “direct” which most of the time will point to the IP that they are trying to protect.

#nmap –script dns-brute http://www.google.com

The argument –script dns-brute initiates the NSE script dns-brute. dns-brute was developed by Cirrus and it attempts to discover new hostnames by brute forcing the target’s DNS records. The script basically iterates through a hostname list, checking if the DNS entry exists to find valid records.

This brute force attack is easily detected by security mechanism monitoring for NXDOMAIN responses.

The default dictionary used by dns-brute is hardcoded in the NSE file located in your local script folder /scripts/dns-brute.nse. To use your own dictionary file, use the argument dns-brute.hostlist:

#nmap –script dns-brute –script-args dns-brute.hostlist=words.txt <target>

To set the number of threads, use the argument dns-brute.threads:

#nmap –script dns-brute –script-args dns-brute.threads=8 <target>

You can set a different DNS server with –dns-servers <serv1[,serv2],…>:
# nmap –dns-servers, scanme.nmap.org

Fingerprinting the operating system of a host:

Determining the operating system of a host is essential to every penetration tester for many reasons including listing possible security vulnerabilities, determining the available system calls to set the specific exploit payloads, and for many other OS-dependent tasks. Nmap is known for having the most comprehensive OS fingerprint database and functionality.

#nmap -O 

The option -O tells Nmap to enable OS detection. Nmap’s OS detection is very powerful due to its user community, which abidingly contributes fingerprints that identify a wide variety of systems, including residential routers, IP webcams, operating systems, and many other hardware devices.

OS detection requires raw packets, and Nmap needs enough privileges to create these packets.

Nmap uses the CPE (Common Platform Enumeration) as the naming scheme for service and operating system detection. This convention is used in the information security industry to identify packages, platforms, and systems. In case OS detection fails, you can use the argument –osscan-guess to try to guess the operating system:

#nmap -O -p- –osscan-guess

To launch OS detection only when the scan conditions are ideal, use the argument –osscan-limit:

#nmap -O –osscan-limit <target>

OS detection in verbose mode:

Try OS detection in verbose mode to see additional host information, such as the IP ID sequence number used for idle scanning:
#nmap -O -v <target>

Discovering UDP services:

UDP services are often ignored during penetration tests, but good penetration testers know that they frequently reveal important host information and can even be vulnerable and used to compromise a host. 

#nmap -sU -p 1-1000

# nmap -sU -F

The argument -sU tells Nmap to launch a UDP scan against the target host. Nmap sends UDPprobes to the selected ports and analyzes the response to determine the port’s state. Nmap’s UDP scanning technique works in the following way:

  • A UDP packet is sent to the target with an empty UDP payload unless one is specified in the file nmap-payloads.
  • If the port is closed, a ICMP Port Unreachable message is received from the target.
  • If the port is open, UDP data is received.
  • If the port does not respond at all, we assume the port state is filtered|open.

Port selection Because UDP scanning can be very slow, it is recommended that you use the flag -p for
port selection:
#nmap -p1-500 -sU <target>

The alias -F can also be used for fast port scanning:
#nmap -F -sU <target>
Listing protocols supported by a remote host:

An IP Protocol scan is useful for determining what communication protocols are being used by a host. This information serves different purposes, including packet filtering testing and remote operating system fingerprinting.
 #nmap -sO

The flag -sO tells Nmap to perform an IP Protocol Scan. This type of scan iterates through the protocols found in the file nmap-protocols, and creates IP packets for every entry. For the IP protocols TCP, ICMP, UDP, IGMP, and SCTP, Nmap will set valid header values but for the rest, an empty IP packet will be used.

To determine the protocol state, Nmap classifies the different responses received, as follows:

  • If it receives an ICMP protocol unreachable error type 3 code 2, the protocol is marked as closed
  • ICMP unreachable errors type 3 code 1,3,9,10 or 13 indicate that a protocol is filtered
  • If no response is received, the protocol is marked as filtered|open
  • Any other response will cause the protocol to be marked as opened

To specify what protocols should be scanned, we could set the argument -p:
#nmap -p1,3,5 -sO <target>
#nmap -p1-10 -sO <target>

Discovering stateful firewalls by using a TCP ACK scan:

The TCP ACK scanning technique uses packets with the flag ACK on to try to determine if a port is filtered. This technique comes handy when checking if the firewall protecting a host is stateful or stateless.
# nmap -sA

The argument -sA tells Nmap to launch a TCP ACK port scan against the target host. The TCP ACK port scanning technique works in the following way:

  • A packet with the flag ACK is sent to each selected port.
  • If the port is open or closed, a RST packet is sent by the target machine.
    This response also indicates that the target host is not behind a stateful firewall.
  • We can determine that a host is firewalled if it does not return a response, or if it
    returns an ICMP error message.

Port states:
Nmap categorizes ports using the following states:

  • Open: Indicates that an application is listening for connections on this port.
  • Closed: Indicates that the probes were received but there is no application listening on this port.
  •  Filtered: Indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
  • Unfiltered: Indicates that the probes were received but a state could not be established.
  • Open/Filtered: Indicates that Nmap couldn’t determine if the port is filtered or open.
  • Closed/Filtered: Indicates that Nmap couldn’t determine if the port is filtered or closed.

Matching services with known security vulnerabilities:

Idle scanning is a very powerful technique, where Nmap takes advantage of an idle host with a predictable IP ID sequence number to spoof the origin IP of a port scan. This session illustrates how to find zombie hosts and use them to spoof your IP address when scanning a remote host with Nmap.

To launch an idle scan we need a zombie host. A zombie host is a machine with a predictable IP ID sequence number that will be used as the spoofed IP address. A good candidate must not be communicating with other hosts, in order to maintain the correct IP ID sequence number and avoid false positives.
To find hosts with an incremental IP ID sequence, you could use the script ipidseq as follows:
#nmap -p80 –script ipidseq <your ip>/24
#nmap -p80 –script ipidseq -iR 1000

To launch an idle scan, open your terminal and type the following command:
#nmap -Pn -sI <zombie host> <target>

Idle scanning should work if the zombie host meets the previously-discussed requirements. If something did not work as expected, the returned error message should give you an idea of what went wrong:

Idle scanning was originally discovered by Salvatore Sanfilipo (author of hping) in 1998. It is a clever and very stealthy scanning technique where the origin IP is spoofed by forging packets and analyzing IP ID sequence numbers of an idle host usually referred as the zombie host.

The flag -sI <zombie> is used to tell Nmap to initiate an idle port scan using <zombie> as the origin IP. Idle scanning works in the following way:

  • Nmap determines the IP ID sequence of the zombie host.
  • Nmap sends a forged SYN packet to the target as if it were sent by the zombie host.
  • If the port is open, the target sends to the zombie host a SYN/ACK packet and increases its IP ID sequence number.
  • Nmap analyzes the increment of the zombie’s IP ID sequence number to know if a SYN/ACK packet was received from the target and to determine the port state.

The IP ID sequence number:
The ID field in the IP header is mostly used to track packets for reassembling but because a lot of systems implement this number in different ways, it has been used by security enthusiasts to fingerprint, analyze, and gather information from these systems. Home routers, printers, IP webcams, and primitive often use incremental IP ID sequence numbers and are great candidates to be used as zombie hosts. They also tend to sit idle most of the time, which is an important requirement for idle scanning. To find out if a host has an incremental IP ID sequence there are two options:

Using verbose mode with OS detection.
#nmap -sV -v -O <target>

Using Kriss Katterjon’s ipidseq NSE script.
#nmap -p80 –script ipidseq <target>


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s