Category: Web App Security

20 Oct 2017

SQL injection exploitation with and without SQLmap

Hey everyone. Welcome to this brand new tutorial in which we are going to look at “SQL Injection”, one of the most dangerous web application vulnerabilities according to the OWASP Top 10.

What really is SQL Injection?

SQL injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s query can then trick the interpreter into executing unintended commands or accessing data without any authorization from the site’s database.

The main goal of SQL injection is usually to dump the whole database to the attacker, and that can be seriously dangerous. An attacker can change users’ credentials such as their passwords, obtain users’ credit card numbers, and much more. The attacker can also delete the whole database, which can be a disaster for the company. That is why it is considered the most dangerous vulnerability: if exploited, the personal data of each and every user is in danger.

Types of SQL Injections

SQL injection is generally divided into four sub-categories:

    • Classic SQLI
    • Blind or Inference SQL injection
    • Database management system-specific SQLI
    • Compounded SQLI

SQL injection requires input fields to carry out the attack. An attacker needs to construct the input in such a way that it gets executed as a database command when it is transmitted from the browser to the web application.

A successful SQL injection attack requires the attacker to craft a syntactically correct SQL query. If the application returns an error message when the attacker supplies an incorrect query, or gives out details of the database or the table names, then it is vulnerable to SQL injection.
Often the application will show an error but hide the details, such as which database or version is being used; the tester must then be able to reverse engineer the logic of the original query.

How to test for SQL Injection (manual testing)?

In order to perform an SQL injection attack, we need to make a list of the inputs which interact with the database server to access some data. It can be the username and password in a login form, search queries, etc.

Let’s consider an e-commerce website. A normal user will visit the website and log in to his account to see the various offers available only to him.

Now how does this log in really work in the background?

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

Consider the above query. It takes the data entered by the user and matches it against the information in the database. If both the username and password match, the user is logged in; otherwise access is denied.

What an attacker does here is inject code instead of supplying a valid username and password:

1' or '1' = '1 in place of the username and 1' or '1' = '1 in place of the password

So the query now becomes something like this,

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

Now if the application is vulnerable to SQL injection, it will return a set of rows, because the condition '1' = '1' is always true. (AND binds tighter than OR, so the trailing OR '1' = '1' makes the whole WHERE clause true regardless of the username and password supplied.)

One thing which will come in quite handy is finding out which database the application is using. There are syntactical differences between Oracle, MSSQL, and MySQL, which is why some queries might not work as expected.

Now let’s see some practical SQL Injection.
Here is an example of String SQL injection from WebGoat.

In this task, we had to input the last name in such a way that it formed a syntactically correct SQL query which would then dump all the details from the database. Here, the query used by the application was also given. That won’t happen in real life: you will have to try injecting different inputs so that you get an error or some information which tells you which query is being used in the backend.

The query in this case was

SELECT * FROM user_data WHERE last_name = 'Your Name'

So we injected Smith' OR '1'='1 there and the query became

SELECT * FROM user_data WHERE last_name = 'Smith' OR '1'='1'

The second condition is always true, so the query returns all the records from the table.
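The same defect behind both queries above (user input pasted into the SQL text) and its fix, as an added example that is not part of the original post. It rebuilds the post’s login query against a constructed in-memory SQLite database; SQLite stands in for the MySQL/Oracle/MSSQL backends mentioned, but concatenation is unsafe on all of them.

```python
"""Added example (not from the original post): the login query from the post,
assembled by string concatenation versus bound parameters, run against a
constructed in-memory SQLite database."""
import sqlite3

# The exact input the post injects for both the username and the password.
ATTACK_INPUT = "1' or '1' = '1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real accounts). The post's query compares
    plaintext passwords, so the table does too, to mirror the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: the post's query built by substituting the raw input.
    Whatever the user typed becomes part of the SQL statement itself, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fixed: the same query with the values passed as bound parameters.
    The driver never re-parses them, so quotes are just characters inside
    a string value and the tautology trick has nothing to attach to."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Row counts for a valid login and for the post's injected input."""
    conn = make_db()
    return {
        "valid_concat": len(login_concat(conn, "bob", "hunter2")),
        "valid_param": len(login_param(conn, "bob", "hunter2")),
        # Concatenation: WHERE ... OR '1' = '1' matches every row.
        "attack_concat": len(login_concat(conn, ATTACK_INPUT, ATTACK_INPUT)),
        # Parameters: no user is literally named "1' or '1' = '1".
        "attack_param": len(login_param(conn, ATTACK_INPUT, ATTACK_INPUT)),
    }


if __name__ == "__main__":
    print(demo())
```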

It’s just a simple example, but this is how SQL injection works in general.
It would take a whole page to write a complete tutorial on SQL injection, so we recommend that you check out the different types of manual testing from this page. Meanwhile, check out some YouTube tutorials and solve the SQL injection problems from DVWA, WebGoat, and Mutillidae to get the hang of it.

SQL injection using Sqlmap

We just saw how manual testing works, but there is a wonderful automation tool known as sqlmap for finding and exploiting SQL injection vulnerabilities in a website.

Sqlmap is one of the most powerful and famous automation tools for SQL injection. The only thing that sqlmap requires is a vulnerable URL. Sqlmap can extract the whole database: tables, columns, and all the data inside those columns. For downloading and installing sqlmap, go here.

Now, let’s consider a PHP page which has an id parameter which looks something like this:

http://www.test.com/index.php?id=23

Let’s try inserting a single quote into the id parameter in the URL to check whether the application does anything unusual or shows us an unexpected error message:

http://www.test.com/index.php?id=23'

If the developer did not escape the id parameter properly, this will give us an error. For the sake of this tutorial, let’s assume that it does behave unexpectedly.

The first and most basic sqlmap command is this one. The -u option is for the URL. This command checks whether the parameter is really vulnerable to SQL injection or not.

$ python sqlmap.py -u "http://www.test.com/index.php?id=23"

This command will give us information like the operating system and the database being used, along with its version number. Now we know that the parameter is vulnerable to SQL injection, so we dig a little deeper.

    • Getting the databases

      To find out all the databases, we will use the following command. The --dbs option is used for getting all the databases.

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --dbs

      Let’s assume that we get three databases:

      information_schema
      users
      purchase list

    • Getting the tables inside a database

      Now the next step is to find out all the tables inside a database. For this, we will use the below command:

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --tables -D users

      The --tables option is for getting all the tables and the -D option specifies the database, which in this case is users. Let’s say we get 2 tables but we are interested in the one which holds the users’ personal information, the table named personal.

    • Getting the columns inside the table

      To get all the columns inside the table, we need to use the below command.

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --columns -D users -T personal

      It will give us the layout of the table.

      | Column   | Type         |
      | email    | text         |
      | hash     | varchar(128) |
      | id       | int(11)      |
      | name     | text         |
      | password | text         |

    • Getting the data for each column

      Now, this is what we hackers truly desire: the data. This command will dump the data of the entire table.

      $ python sqlmap.py -u "http://www.test.com/index.php?id=23" --dump -D users -T personal

      The output will look something like this:

      | id | hash               | name  | email              | password  |
      | 1  | 5DIpzzDHFOwnCvPonu | admin | admin123@yahoo.com | letmein   |
      | 2  | 8DIpzhfDHFkyndCvPo | john  | john400@gmail.com  | hackerxss |

These are the basic commands for sqlmap. Sqlmap has several advanced features too; for those, check the official page. There are also tools like SqlNinja, which you can check out from here.

SQL injection is a very broad topic in itself. But it’s like a blessing for bug bounty hackers, because companies will pay a good bounty if you can find a critical vulnerability such as SQL injection. We will be writing on topics like time-based SQL injection and various advanced SQL injections in the meantime. Stay tuned for that. Also, if you have any queries or are having any problems with SQL injection, please comment below and we will surely help you.

Till then, Happy hacking.:)

20 Oct 2017

3 must have tools for Penetration testers

Welcome folks. In the previous posts, we have been talking about web application penetration testing in depth. But in this post, we will look at the 3 most useful tools which many bug bounty hunters and penetration testers use for their daily testing and bug hunting.

Why only 3 tools?

This post is totally based on our own opinion after talking to many professionals in this field. If you look at the Kali distribution itself, you will find a lot of tools for penetration testing. But it isn’t mandatory to use each and every tool. If we started talking about all the tools, it would be a never-ending post, because there are hundreds of tools available and one person’s choices may differ from another’s. But some tools stand above the rest, and you could say that they are used "generally and most of the time" by penetration testers and bug hunters.

And the Hall of Fame goes to

    • SubBrute
    • Nmap
    • BURP SUITE

Let’s discuss them one by one.

SubBrute

You must have come across the term Scope in penetration testing and in bug bounty programs. Most of the time it will be a target site like www.target.com. But nowadays, many companies are going with the all-domains penetration testing approach. Now, what does that mean?

If you are new to penetration testing, have you ever come across a scope such as *.target.com? Maybe yes, maybe no. So how do you find the whole scope in this case?
For targets like this, you will need a subdomain enumeration tool. That’s where a tool like SubBrute comes into play.

“SubBrute is a community-driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool.” You can download SubBrute from this GitHub page. There are many ways to use SubBrute, but the command I personally use the most is:

./subbrute.py target.com

This is the most basic command and it will give out all (not really) the subdomains of the domain target.com. It will give out subdomains like:
sales.target.com
blog.target.com
users.target.com

In this way, you will get all the hosts on which you are required to do a penetration test. There are other tools available for subdomain enumeration too, like Knockpy and Google Dorks. Feel free to use them as well, and while testing use all three to check which one works best for you.

NMAP

Nmap (Network Mapper) is a security scanner which is used to discover hosts and services on a computer network. It’s one of the most common tools used by penetration testers, as it gives out a lot of information on the target.

Aside from telling which ports are open and which are closed, Nmap also provides further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. This is very useful information for a penetration tester. Once known, it can be used to then exploit the vulnerability.

Also, take a look at the Nmap Scripting Engine. It is one of Nmap’s most powerful features. Vulnerability detection and exploitation are both important features of the Nmap Scripting Engine. Learn more about this from here.

Nmap is such a big topic that it needs a post of its own. I have already written one. Check out this post if you want to learn the different scan types for Nmap.

Moreover, there is no place better than the official documentation itself for in-depth learning. When you are done with all the above references, keep in mind to check out the Official page to have a solid understanding of how to use Nmap.

Burp Suite

Here comes the best one. If you ask most bug bounty hunters about their favorite tool for bug hunting, almost 90% of them will say that it’s Burp Suite. Burp Suite is considered to be the best tool (not official data, but we believe it’s true) for web application penetration testing.
Burp Suite comes in two editions: Free and Professional. If you are new to Burp Suite, download the Free edition and play along with it. There are many useful features like the Proxy, Spider, Repeater, and Intruder. Features like active and passive scanning of the target come with the Professional version of Burp Suite. Go with the Professional version only when you have practiced on the free version, because it’s quite expensive but useful at the same time.

For Burp Suite to work, you will have to change the proxy settings in your favorite browser (Firefox recommended). You can do that with an add-on like FoxyProxy. Get it from here. Just set the target as 127.0.0.1 and the port as 8080 and you will be good to go. You can also do it manually by changing the proxy in the Network Proxy Settings in Firefox preferences. Take a look at this page for instructions on how to do that.

Here is a screenshot when you first open Burp Suite:

This is what you will get with a new installation of Burp Suite. Burp Suite is available for all the major operating systems and comes pre-installed in Kali Linux.

Don’t get overwhelmed by all the information here.
The main things you have to do now are:

    • Download and install Burp Suite.
    • Set up Burp Suite by changing the proxy, and check that the proxy works for https:// sites too (import Burp’s SSL certificate into the browser).
    • Then learn the 4 most used features in Burp Suite: Proxy, Spider, Intruder, and Repeater.

This tool is highly recommended if you are thinking of a career in bug hunting or penetration testing. There are a whole lot of tutorials and videos available on the internet which can give you a head start.
Meanwhile, the official documentation is also a great place to start learning Burp Suite. Check the documentation here.

If you are wondering why we are focusing so much on this one tool, first learn and use it and you will see that it can do miracles for you.

Learn Burp Suite: Swiss Army Knife for penetration testers and bug bounty hunters here

Final points

There will always be alternatives. As we said before, we can use Knockpy in place of SubBrute. Similarly, you can opt for OWASP ZAP in place of Burp Suite for intercepting requests and responses and doing other things like vulnerability scanning. The only things which matter are which one is easiest for you to use and how well it performs the task at hand. So check out all of them and then refine your arsenal of tools.

We may have left out many people’s favorite tools. We wanted this post to tell you about the general tools which are required most of the time. There are other tools like SqlMap, WebSlayer, and Wfuzz which are very helpful in penetration testing. Bugcrowd has an awesome thread listing different tools used by bug bounty hunters and their references. Have a look at the thread here.

Meanwhile, if you think that another tool would fit better here, do write in the comment section. We are open to suggestions and will keep updating this post over time. In case of any problems regarding installation, or something you can’t understand, don’t be shy to comment, because we will always be there to help you.

Till then, Keep learning and Start hacking now..:)

12 Oct 2017

How to approach XSS hunting in a web application

Hi, every security enthusiast out there. In this blog, we are going to tell you how to approach finding Cross-Site Scripting vulnerabilities in a web application.

So what is XSS and why is it so dangerous?

XSS, or Cross-Site Scripting, is a type of web application vulnerability. It is considered to be one of the most dangerous vulnerabilities present in a website.

An attacker can obtain various sensitive and personal details like your username or password by redirecting you to a spoofed website, steal your cookies and, worst of all, hijack your user session.

If you are new to XSS, please check out these two references before reading any further, since in this post we will only focus on how to test for XSS rather than what it is and the prerequisites.

Read the second reference and all the other links mentioned in it carefully. In case you don’t understand check out some videos on Youtube on XSS, it will give you a basic knowledge of what XSS is and why many web applications are vulnerable to them.

Bug bounty hunters try different platforms to learn and practice XSS. It is one of the most dangerous vulnerabilities and has been in the OWASP Top 10 for quite a long time. Companies pay good bounties for XSS found in their web applications.

How do I test if this web application has XSS vulnerability?

A web application can contain several XSS vulnerabilities in different parts of the application. That’s why an application needs to be thoroughly tested without skipping any page, because even “one vulnerable input field” can lead to the leakage of users’ private data.

XSS can be found in the places where there is some sort of user input required. For example, it can be a search box, a comment section and form input fields like name, address or credit card information.

How does XSS occur?

Let’s consider a site www.askyourqueries.com. The website has a search box where a user can ask any personal or professional query. An attacker, instead of asking a question, tries to insert a payload something like this:

";alert('XSS');"

If the search input field is vulnerable to XSS, a popup will be shown in the browser on clicking the Submit button. The popup will look something like this,

Now, what is happening here?

Improper HTML sanitization and encoding leads to this. Instead of being treated as plain text, the payload is executed as code. Read more about sanitization here.

Note: Payload is simply a fancy term for a code snippet. Different payloads are injected into different input fields for XSS testing.

Cool, I get the theoretical part, but in practice how do we approach finding XSS vulnerabilities?

This is the main part of the blog. We hope that you have already gone through all the previous references about XSS and HTML sanitization.

As mentioned before, the code ";alert('XSS');" is actually a payload. An attacker tries to insert different payloads into an input field to find an XSS vulnerability. You can find many XSS payloads on the internet, but you need to understand which type of payload will work for that particular field. When you can distinguish between the different contexts, you will be able to create your own payloads.

For choosing a payload, you need to understand the context.
Now, what is a context?

When hunting for XSS, we need to check where the payload shows up in the source code. You can use a proxy like Burp Suite for this; in the Repeater tab you can look at both the Request and the Response side by side. In the Response tab, search for the payload you injected and make a note of where it lands. It can be directly between HTML tags, between script tags, or in an attribute value.

Burp Suite is an excellent tool for web application penetration testing. Try to learn to use it more proficiently and effectively. Check the official site here to get started.

For example, when the Response shows the payload between the script tags:

You will need to inject payloads like

";alert(1);"

in the injection point.

The motive of the payloads is to insert the code in such a way that it gets executed instead of being treated as raw data. If you look at the two payloads closely and insert them in place of the injection point, you will note that all they are trying to do is get the payload executed by closing and opening the script tags, or by closing and opening quotes.

There is another type of context called the Attribute context. For example, if the place where your payload gets reflected is:

So what should we do now? You can’t just use the previous payload "alert(1);" and think that it will somehow work. It is not the correct payload for this context. Look again and you will find that there are no script tags present here to execute the code alert(1).

That’s why we need to think of some other payload that will make the code execute, something like "onmouseover=" alert(1);. It will close the first quotes and then execute the code after that.

Some developers use single quotes instead of the double quotes, so make sure you are using the correct payload for that context. That means use 'alert(1);' instead of "alert(1);".

Few points to remember:

  • Don’t get discouraged if you can’t find XSS. Nowadays, developers take special care to properly sanitize input so that there is no chance of vulnerabilities like XSS. Just keep checking all the input fields on all the pages of the website.
  • Not only this, but encoding is also used so that the code is treated as normal text. Take a brief look at HTML encoding on this page. It’s an important topic for understanding XSS.
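The encoding the previous point refers to, done per reflection context, as an added example that is not part of the original post: the two payloads are the ones quoted above, while the search-page template for www.askyourqueries.com is a constructed stand-in. The three contexts encoded are exactly the three the post lists (between tags, inside a quoted attribute, inside a script string).

```python
"""Added example (not from the original post): context-aware output encoding
for the three reflection contexts described in the post, checked against the
post's own payloads. The page template is constructed for illustration."""
import html
import json

# The two payloads quoted in the post, one per context it discusses.
SCRIPT_CTX_PAYLOAD = '";alert(1);"'
ATTR_CTX_PAYLOAD = '"onmouseover="alert(1);'


def encode_html_text(value: str) -> str:
    """Between HTML tags: &, <, > and both quote characters become entities,
    so the value can never open a new tag."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Inside a double-quoted attribute value. The essential part is that
    '"' becomes &quot;, so the input cannot close the attribute and start a
    new one such as onmouseover (the post's attribute-context trick)."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inside a <script> block, as a complete JS string literal. json.dumps
    escapes quotes and backslashes; < and > are additionally \\u-escaped so
    the sequence </script> can never appear inside the literal."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_naive(query: str) -> str:
    """How the vulnerable search page in the post behaves: the input is
    reflected raw into all three contexts."""
    return (
        f"<p>Results for {query}</p>\n"
        f'<input name="q" value="{query}">\n'
        f'<script>var q = "{query}";</script>'
    )


def render_encoded(query: str) -> str:
    """Same template, each reflection encoded for its own context. Note the
    script line: encode_js_string() supplies the surrounding quotes."""
    return (
        f"<p>Results for {encode_html_text(query)}</p>\n"
        f'<input name="q" value="{encode_html_attr(query)}">\n'
        f"<script>var q = {encode_js_string(query)};</script>"
    )


def reflected_raw(rendered: str, payload: str) -> bool:
    """The tester's check from the post, automated: does the payload appear
    in the response exactly as sent? For payloads containing quotes that
    means it reached the markup unencoded."""
    return payload in rendered


if __name__ == "__main__":
    for p in (SCRIPT_CTX_PAYLOAD, ATTR_CTX_PAYLOAD):
        print(repr(p), "naive:", reflected_raw(render_naive(p), p),
              "encoded:", reflected_raw(render_encoded(p), p))
```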

Important tips for finding XSS

Penetration testers do know how to search for XSS and which payloads they should use but sometimes they miss out on the little things. Some of these are:

  • “Try 100 different input fields instead of using 100 different payloads on the same field.” You should try a maximum of 10 different payloads on a field, then start moving on to the next one. That’s the basic formula for finding an XSS.
  • Many times while testing, the popup will appear on a different page than the one you were testing on. So keep that in mind.
  • Use Mozilla Firefox instead of Chrome when testing for XSS vulnerabilities. Google Chrome uses an XSS auditor which, when testing, assumes that you are doing it with malicious intent, and many times you won’t get the popup. So try using Firefox until you learn how to bypass the XSS auditor.

This post was intentionally written to give you the approach to finding XSS vulnerabilities. It’s not a post on XSS, XSS payloads or the different types of XSS. For that, you can read the OWASP reference. Many times new professionals can’t understand where to start, and that’s what this post is for.
To sum up the blog, you need to do these things in sequence:

  • Learn to use Burp Suite (watch YouTube videos and the official site here).
  • Read the OWASP reference from here.
  • Practice on vulnerable applications like WebGoat and DVWA. When ready for live action, switch to bug bounty sites like HackerOne and Bugcrowd. Pick a target of your choice and start XSS hunting using Burp Suite.

Feel free to comment in case you need to clarify any query, can’t understand something about XSS, or think that we should update this blog with something. We will be more than happy to help you and will reply as soon as possible.

Till then keep learning and start hacking now.:)

06 Oct 2017

Pentesting a wordpress website using WPSCAN

Ever thought of quickly testing a WordPress website for known vulnerabilities and outdated plugins or themes? Well, here is a blog on one such fantastic tool:

$ wpscan

What is WordPress and why is it famous?

WordPress is an online, open source website creation tool. It makes website creation super easy and is very user-friendly. Nowadays people tend to use WordPress instead of learning to code in HTML, CSS, and JavaScript to create a website. The reason is that even a non-technical person can learn how to use WordPress and create a website in a couple of hours. That’s why it is famous, and most personal blogs and websites for various startups are on WordPress.

Pro Tip: If you are a bug bounty hunter or a penetration tester, finding a vulnerable WordPress installation within scope may give you numerous easily exploitable vulnerabilities and huge cash rewards.

But how am I supposed to know if a website is created on WordPress?

Don’t worry, you don’t have to get very technical for that. There are several tools already available for it. The tool I personally use is:

Just install any of these add-ons in your favorite browser, and when you visit a website it will show all the technologies used on it. For websites created with WordPress, it will show a W icon. In this way, you will be able to find out which part of the website is on WordPress.

Note that in many cases the whole website might be built on a different framework, but a part of the website, like the blog section, can be on WordPress. So keep watching the add-on.

Why is it important to test vulnerabilities in a WordPress website? Won’t the people who manage WordPress take care of that?

Yes, WordPress makes sure that no one can use your site in a way it isn’t meant to be used. WordPress security engineers maintain their own database of vulnerabilities and patch them in the next upcoming version. So you just have to make sure that you keep your WordPress version updated and don’t use any old plugins or themes.

So where do I need to start then?

While browsing the target, you came to know that this domain is on the WordPress platform. The first thing you can do is try adding wp-admin to the end of the URL.

For example, let’s say that the domain blog.examplewebsite.com is on the WordPress platform (from looking at the add-on). Now you just have to visit blog.examplewebsite.com/wp-admin/ to get the form below.

This page is what users use to log in to their respective accounts. So how do we crack the username and password? We all know that cracking the password is every hacker’s dream.

This is where a tool like Wpscan comes into play. Wpscan has several different options to find the vulnerabilities in a WordPress website and also to brute-force a user login.

How to download and install Wpscan?

Using Wpscan is pretty easy. Just go to this page and download Wpscan in the way most suitable for you. If you have downloaded the zip or tar file, just extract it and you are good to go. Wpscan comes pre-installed in Kali Linux, so there is no need to do any of this there. Just jump to the next section.

Important commands

For all the below commands to work, you need to go to the folder where you extracted the Wpscan zip file using the terminal.

Command 1: Update WPScan’s databases.

ruby wpscan.rb --update

This is the first command to use when you run Wpscan for the first time. It updates the full Wpscan database, which contains the whole list of vulnerabilities and exploits for WordPress websites.

Command 2: To enumerate all the usernames

ruby wpscan.rb --url www.example.com --enumerate u

Let’s break the command step by step.

Since wpscan.rb is a Ruby file, we need to use ruby to run it. Then we use the --url option with the target’s URL. For the last part, --enumerate is the argument and we give ‘u’ as the option to enumerate all the available usernames.

If the site owner isn’t using any plugin to stop attackers from enumerating usernames, this command will list all the usernames registered on the WordPress site.

Command 3: Password brute-force attack

ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Knowing only the usernames won’t do us any good. We need to know the password before we can think of it as a critical vulnerability.

Here, we are using two new arguments. The first is --wordlist, and with it you need to give the full path to where you have downloaded the wordlist file. If the wordlist is in the Wpscan folder, you just need to write its name. The --threads argument is the number of threads to use for multi-threading. The greater the number, the faster Wpscan runs, but it also depends on your computer’s hardware. So it’s better to keep it between 20 and 50.

It has been said that “humans are the weakest link in any company’s security”. We tend to use passwords which are easy to remember. Many times admins use passwords like their date of birth, letmein, password, 123456789 and many others which can be cracked with a little social engineering and, in many cases, by a brute-force attack. This command uses a dictionary-based attack, and if such passwords are in use it will be very easy to crack them.

A good place to download passwords lists is here. It’s very useful, don’t forget to $git clone.
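What Command 2 and Command 3 look like from the site owner’s side, as an added example that is not part of the original post: a detector over constructed Apache/nginx combined-format access-log lines. The status-code reading (a failed wp-login.php POST re-renders the form with 200, a success redirects with 302) and the /?author=N probe as a sign of user enumeration are assumptions about typical WordPress behaviour, not anything the post states.

```python
"""Added example (not from the original post): flag login brute force and
user-enumeration probes against a WordPress site in web server access logs.
Log lines, IPs and thresholds below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 probes two author IDs, then fires six
# wp-login.php POSTs in three seconds (all answered 200 = form re-rendered,
# i.e. failed); 198.51.100.9 logs in once normally (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2017:10:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [06/Oct/2017:10:00:00 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [06/Oct/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [06/Oct/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [06/Oct/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [06/Oct/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [06/Oct/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [06/Oct/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
198.51.100.9 - - [06/Oct/2017:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3100
198.51.100.9 - - [06/Oct/2017:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse(lines):
    """Yield parsed entries; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            e["status"] = int(e["status"])
            yield e


def login_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak_count} for clients with more than `threshold` failed
    wp-login.php POSTs inside any sliding `window`. Assumption (typical
    WordPress behaviour, not stated in the post): a failed login re-renders
    the form with HTTP 200, a successful one answers with a 302 redirect."""
    attempts = defaultdict(list)
    for e in parse(log_text.splitlines()):
        if (e["method"] == "POST" and e["path"].startswith("/wp-login.php")
                and e["status"] == 200):
            attempts[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def author_probes(log_text):
    """Return {ip: count} of GET /?author=N requests, the permalink-based
    username probe (assumed here as one way --enumerate u surfaces in logs)."""
    counts = defaultdict(int)
    for e in parse(log_text.splitlines()):
        if e["method"] == "GET" and re.fullmatch(r"/\?author=\d+", e["path"]):
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("login bursts:", login_bursts(SAMPLE_LOG))
    print("author probes:", author_probes(SAMPLE_LOG))
```

A real deployment would feed the functions a streamed log instead of SAMPLE_LOG and pair the hit with the per-IP block or rate limit mentioned in the post’s Important points.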

Command 4: Enumerating vulnerable plugins

ruby wpscan.rb --url www.example.com --enumerate vp

This command is specifically used to find the vulnerable plugins in the WordPress website. The vp option denotes vulnerable plugins. Wpscan will also give you a reference where you can read about each vulnerability. The vulnerabilities will have different color flags: a red flag means the vulnerability is the most critical, whereas green means it’s the least.

Command 5: Enumerating vulnerable themes

ruby wpscan.rb --url www.example.com --enumerate vt

This command checks for vulnerable themes within the website. vt denotes vulnerable themes. Here too, look for vulnerabilities with the red flag, because they are the most critical vulnerabilities, which if exploited could be lethal for a company.

Important points

  • First of all, don’t try to use this on any WordPress site you come across. Many times, after a certain number of incorrect logins or a wpscan run, the site may permanently block your IP so that you won’t be able to access it, and not to forget, it would be illegal.
  • Don’t expect to get results every time. Brute-forcing the username and password will be useless if the admin uses a password following a strong password policy (a mix of lowercase and uppercase letters, numbers, and special characters).
  • Check each and every vulnerability and try to exploit them. Even one vulnerability can lead to the compromise of the whole system.

There are many more commands and arguments available for Wpscan. To see the complete list, check out the Wpscan official page.

In case of any queries while downloading or using wpscan or anything, feel free to ask them in the comment section and we will be more than happy to help you out.

Till then, keep learning and Happy hacking..:)

06 Oct 2017

5 nmap scans to help you in Penetration testing

Hi, everyone. In this post, we are going to discuss the 5 Nmap scans every penetration tester should add to their arsenal.

So what is Nmap and why is it widely used?

In simple terms, Nmap (Network Mapper) is a security scanner which is used to discover hosts and services on a computer network. It is widely used during the penetration testing process because lots of information can be gathered by running the correct Nmap scan on your target.
Information like

  • Which operating system the target is using
  • Which ports are open or closed
  • Which hosts are present on the network
  • Which version of software the target is running

can be found from an Nmap scan, which is very useful in the information gathering process.

Installing Nmap

To use Nmap, you need to download and install it on your system. Nmap is available for all flavors of operating system and comes pre-installed with Kali Linux. We would like this post to stay on the specific topic of Nmap commands, so it will be better if you search for how to install Nmap on your respective operating system. There are many YouTube video tutorials on that. In case of any problems, please comment and we will be glad to help.

Basic Syntax for Nmap:

nmap [ Scan Type ] [ Options ] { target specification }

e.g. nmap -A -T4 192.168.213.129

Don’t worry about what -A and -T4 mean for now. Just keep reading and you will understand everything by the time you complete this post.

Tools required to follow along with this post

1. Nmap correctly installed on the system. Check by using the command nmap in the terminal.

2. Install VMware Player or VirtualBox.

3. Download Metasploitable from here -> Extract the zip file -> Open VMware or VirtualBox, whichever you have installed -> Select the Open a Virtual Machine option -> Browse to where you extracted Metasploitable -> Select Metasploitable.vmx -> Both the username and the password are msfadmin.

Everything has been set up and you are good to go now. Let’s start some Nmap scanning.

Previously we used: nmap -A -T4 192.168.213.129
Let’s break it down part by part.

You need to use the nmap command to run an Nmap scan. '-A' is the scan type: it enables OS and version detection, script scanning, and traceroute. '-T4' is the option for faster scanning; its value can range from 0 (slowest) to 5 (fastest). The last part is the target’s name or IP address.

Note that '-A' and '-T4' are not the only scan type and option available; there are many others. To see the full list of flags that can be used, just run the command nmap with no arguments in the terminal.

Now, let’s do something practical.

In the real world, you will be given either the target specification or the IP address for penetration testing. We can’t just run an Nmap scan against any system on the internet, because scanning without authorization is illegal, so we are using Metasploitable as our target, since it is meant to be used for testing purposes.

Step 1: Find the IP address of Metasploitable. Since we have already downloaded and installed Metasploitable, just run the command ifconfig in the Metasploitable terminal.
It will show two interfaces, eth0 and lo. The inet addr given in the eth0 section is the IP address of Metasploitable.

Now that we know the target’s address, all we have to do is scan it using different scan types and options to get the most useful information. This information can then be used to test whether malicious activities could be performed on the open ports and how the versions of the different services running could lead to the compromise of the whole system.

We have installed Nmap on an Ubuntu host. The IP address of Metasploitable in our case is 192.168.213.129.

Command 1: Scanning for open ports (default stealth scan)

$ nmap -sS 192.168.213.129

This is the most commonly used default scan for Nmap. It is used for checking whether the host is up. With this scan, Nmap sends a TCP SYN to each of the 1000 most common ports.
Type the command as it is, replacing the IP address with the IP address of your Metasploitable instance.
The command and the output will look like this:

Command 2: TCP Connect scan

$ nmap -sT 192.168.213.129

This command is similar to the first one, i.e. the TCP SYN scan; however, rather than sending a SYN packet and inspecting the reply headers, it asks the OS to establish a full TCP connection to each of the 1000 most common ports.

The output will look like this. At first glance, both results look the same. But if you look at the execution time, they will differ, because the first command performs a stealth scan while the second is a non-stealthy scan.

After reading this far, if you are still confused about what TCP, SYN, or packets mean, search for how TCP works and the TCP three-way handshake.

Command 3: Scanning a specific port or a port range

To scan a specific port, use the command

$ nmap -p 80 192.168.213.129

Here, we are scanning port 80, which is the HTTP port.

To scan ports within a certain range, use
$ nmap -p 80-2000 192.168.213.129
This scans every port between 80 and 2000.

Command 4: Aggressive scan
$ nmap -T4 -A 192.168.213.129

This is used for an aggressive scan of the target system.
'-A' simply means to perform OS and version checking.
'-T4' is the speed factor for how quickly to perform the scan. Its value can range from 0 (slowest) to 5 (fastest).
The output will look like this; most of the time the output can be quite large.

Command 5: TCP SYN and UDP scan of all ports

$ nmap -sS -sU -Pn -p 1-65535 192.168.213.129

This command is used when we want to scan all 65535 TCP and all 65535 UDP ports. The flag '-Pn' tells Nmap to skip host discovery and assume that the host is up. This is needed because firewalls are sometimes set up to block the ICMP replies that Nmap would otherwise rely on to decide whether the host is alive.
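Once the scans above have run, the next job is reading their results, and Nmap can write them as XML with its -oX option. As an added example that is not part of the original post, here is a small Python parser for that XML which lists the open ports and detected banners and flags any that a defender did not expect to see on the host; the XML sample is constructed, and the OpenPort, parse_open_ports and unexpected_ports names and the allowlist are my own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of Nmap's XML output (what `-oX scan.xml` writes), cut
# down to the elements parsed below. Host, ports and banners are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -A -oX scan.xml 192.168.213.129">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.168.213.129" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
    <service name="ftp" product="ExampleFTPd" version="1.0"/></port>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="ExampleSSH" version="4.2"/></port>
   <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/>
    <service name="http-proxy"/></port>
   <port protocol="udp" portid="53"><state state="open" reason="udp-response"/>
    <service name="domain" product="ExampleDNS"/></port>
  </ports></host></nmaprun>"""

@dataclass(frozen=True)
class OpenPort:
    host: str
    protocol: str
    port: int
    service: str   # Nmap's service name, e.g. "ssh"
    banner: str    # "product version" from -A/-sV, empty when not detected

def parse_open_ports(xml_text: str) -> list[OpenPort]:
    """Return every port whose <state> is 'open', with its detected banner."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skips closed, filtered and open|filtered ports
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            banner = " ".join(attrs[k] for k in ("product", "version") if k in attrs)
            found.append(OpenPort(addrs[0], port.get("protocol"),
                                  int(port.get("portid")), attrs.get("name", ""), banner))
    return found

def unexpected_ports(ports, allowlist):
    """Open ports not in an allowlist of (protocol, port) pairs: the services a defender did not expect to find exposed."""
    return [p for p in ports if (p.protocol, p.port) not in allowlist]
```

Run `parse_open_ports` on the contents of a real `-oX` file and compare the result against the ports you expect to be exposed; anything `unexpected_ports` returns is worth investigating.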

Some Important Points:

  • Many times, some Nmap features will not work if you are not the root user (Linux) or a user with administrative privileges (Windows). So in case of any errors, try running Nmap as the root user.
  • Try different combinations of scan types and options. Nmap has many interesting features; we have only described the most common scans used by penetration testers.

Additional references:

Now if you think that you are ready to learn Nmap in depth, check out this page:

Nmap Official page

There you can find the whole list of things Nmap is used for. Also, we have left out an important portion, Nmap scripts. We will write about them in depth in another post, but feel free to learn what they are and why they are so popular.

Have any questions about installation problems or errors encountered during scanning? Feel free to comment and we will reply as soon as possible.

Till then keep learning and Happy hacking..:)