About a month and a half ago, Nmap 7.50 was released. Today, a few minutes ago – Nmap 7.60 was made available with SSH support, improved SMB2/SMB3 support by Paulino Calderon (@calderpwn), the addition of 14 NSE scripts and a new Npcap version. Nmap is now the default tool to discover services running on a remotely connected system. None of us really need an introduction to this very popular “network mapper”.
What is Nmap?
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
What’s new in Nmap 7.60?
Most importantly, Nmap scripts can now crack SSH passwords via brute force. This version can also query servers about which authentication methods and public keys are accepted, and even log onto devices using known or discovered credentials to execute arbitrary commands! Npcap has also been updated to 0.93, which resolves an issue with the Microsoft Windows 10 Creators Update. The following Nmap NSE scripts were added or updated:
- ftp-syst.nse: This NSE script sends the FTP SYST and STAT commands and returns the result.
- http-vuln-cve2017-8917.nse: An SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows unauthenticated users to execute arbitrary SQL commands. The vulnerability was caused by a new component, com_fields, which was introduced in version 3.7. This component is publicly accessible, which means it can be exploited by any malicious individual visiting the site. The script attempts to inject an SQL statement that runs the user() information function on the target website. A successful injection returns the current MySQL user name and host name in the extra_info table.
- openwebnet-discovery.nse: OpenWebNet is a communications protocol developed by Bticino since 2000. This script retrieves device identifying information and number of connected devices.
- puppet-naivesigning.nse: This NSE script detects whether naive signing is enabled on a Puppet server. Naive signing lets attackers submit any Certificate Signing Request and have it signed, allowing them to impersonate a Puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files. The script uses the Puppet HTTP API to submit the signing request.
- smb-protocols.nse: This script attempts to list the supported protocols and dialects of an SMB server by initiating a connection using each of the following dialects:
- NT LM 0.12 (SMBv1)
- 2.02 (SMBv2)
- 2.10 (SMBv2)
- 3.00 (SMBv3)
- 3.02 (SMBv3)
- 3.11 (SMBv3)
Additionally, if SMBv1 is found enabled, the script marks it as insecure.
- smb2-capabilities.nse: Attempts to list the supported capabilities of an SMBv2 server for each enabled dialect. The script sends an SMB2_COM_NEGOTIATE command for each of the SMB2/SMB3 dialects listed above and parses the response.
- smb2-time.nse: Attempts to obtain the current system date and the start (boot) date of an SMB2 server.
- smb2-security-mode.nse: Determines the message signing configuration of SMBv2 servers for all supported dialects. The script sends an SMB2_COM_NEGOTIATE request for each SMB2/SMB3 dialect and parses the security mode field of the response to determine whether message signing is enabled and whether it is required.
- smb2-vuln-uptime.nse: Attempts to detect missing patches on Windows systems by checking the uptime returned during SMB2 protocol negotiation. The SMB2 negotiation response returns the system boot time before any authentication takes place, so this information can be used to infer that a system is missing critical patches (it has not rebooted since they were released) without triggering IDS/IPS/AV.
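To make the SMB2 checks above concrete, here is an added Python example (not Nmap's own code) that parses the fields smb-protocols, smb2-security-mode, smb2-time and smb2-vuln-uptime read from an SMB2 NEGOTIATE response: the negotiated dialect, the SecurityMode signing flags, and the SystemTime/ServerStartTime FILETIME values. The response bytes are constructed inline, not captured from a real server, so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

# Flags in the SecurityMode field of an SMB2 NEGOTIATE response (MS-SMB2 2.2.4)
SIGNING_ENABLED, SIGNING_REQUIRED = 0x01, 0x02
DIALECT_NAMES = {0x0202: "2.02", 0x0210: "2.10", 0x0300: "3.00",
                 0x0302: "3.02", 0x0311: "3.11"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since 1601

class NegotiateInfo(NamedTuple):
    dialect: str
    signing_enabled: bool
    signing_required: bool
    system_time: datetime
    server_start_time: datetime

def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_negotiate_response(msg: bytes) -> NegotiateInfo:
    """Parse the fields the smb2-* scripts read from a NEGOTIATE response."""
    if msg[:4] != b"\xfeSMB" or struct.unpack_from("<H", msg, 12)[0] != 0:  # Command 0 = NEGOTIATE
        raise ValueError("not an SMB2 NEGOTIATE message")
    # Body follows the 64-byte header: StructureSize, SecurityMode, DialectRevision, Reserved,
    # ServerGuid, Capabilities, MaxTransact/Read/Write, SystemTime, ServerStartTime
    size, mode, dialect, _, _, _, _, _, _, sys_ft, start_ft = struct.unpack_from("<HHHH16sIIIIQQ", msg, 64)
    if size != 65:
        raise ValueError(f"unexpected StructureSize {size}")
    return NegotiateInfo(DIALECT_NAMES.get(dialect, f"0x{dialect:04x}"),
                         bool(mode & SIGNING_ENABLED), bool(mode & SIGNING_REQUIRED),
                         from_filetime(sys_ft), from_filetime(start_ft))

def findings(info: NegotiateInfo) -> List[str]:
    """Turn the parsed fields into the kind of findings the scripts above report."""
    out = []
    if not info.signing_required:  # signing not enforced: SMB traffic can be tampered with
        out.append("SMB2 message signing is enabled but not required" if info.signing_enabled
                   else "SMB2 message signing is disabled")
    up = info.system_time - info.server_start_time
    out.append(f"server booted {info.server_start_time:%Y-%m-%d %H:%M} UTC, uptime {up.days} days")
    return out

# Constructed sample: a 3.02 server with signing enabled but not required, up for 30 days.
SAMPLE_START = datetime(2017, 7, 1, tzinfo=timezone.utc)

def build_sample_response(mode: int = SIGNING_ENABLED, dialect: int = 0x0302,
                          start: datetime = SAMPLE_START, uptime_days: int = 30) -> bytes:
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\0" * 16)
    now = start + timedelta(days=uptime_days)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 0, b"\0" * 16, 0, 65536, 65536, 65536,
                       to_filetime(now), to_filetime(start), 128, 0, 0) + b"\0"
    return header + body
```

Feed `parse_negotiate_response` the bytes of a real NEGOTIATE response (for example exported from a packet capture) to get the same dialect, signing and boot-time information the scripts print.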
- ssh-auth-methods.nse: This “intrusive” script returns the authentication methods that an SSH server supports.
- ssh-brute.nse: Performs brute-force password guessing against SSH servers.
- ssh-publickey-acceptance.nse: This script takes a table of paths to private keys, passphrases and usernames, and checks each pair to see whether the target SSH server accepts it for public-key authentication. If no keys are given or the known-bad option is set, the script checks whether a list of known static public keys is accepted for authentication.
- ssh-run.nse: Runs a remote command on an SSH server and returns the command output.
- iec-identify.nse: This script attempts to identify the IEC 60870-5-104 ICS protocol. After probing with a TESTFR (test frame) message, a STARTDT (start data transfer) message is sent and a general interrogation is used to gather the list of information object addresses stored.
SSH support is provided via libssh2. Additionally, FTP scripts such as ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary. Among other changes, http-useragent-checker.nse now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to detect forbidden User-Agents.
Kudos to the guys at Nmap and the awesome GSoC student team for the Nmap 7.60 release!
Download Nmap 7.60:
Latest stable sources and Windows installers: nmap-7.60.tar.bz2/nmap-7.60-setup.exe can be downloaded here.