Sunday, December 15, 2024

Network Scanning and Vulnerability Detection with Nmap and Ruby

Nmap Commands for IP Discovery

To perform a network sweep for active IPs, you can use the following Nmap command. It reads IP ranges from discovery/range.txt, sends ICMP echo requests (-PE) without port scanning (-sn), and writes the results in all three output formats (-oA) under discovery/hosts/pingsweep:

```bash
sudo nmap -sn -iL discovery/range.txt -oA discovery/hosts/pingsweep -PE
```

Next, use grep to extract only the IPs that are up:

```bash
grep "Up" pingsweep.gnmap | cut -d " " -f2 > targets.txt
```

Note: Running these commands will alert the Network Operations Center (NOC) that someone is scanning the network.

Common Open Ports

When scanning networks, certain ports are typically open:

  • Microsoft Remote Desktop (TCP 3389)
  • Secure Shell (SSH) (TCP 22, 2222)
  • HTTP/HTTPS (TCP 80, 443)

Scan Specific Ports

To scan for common ports (22, 80, 443, 3389, 2222), use the following Nmap command:

```bash
nmap -Pn -n -p 22,80,443,3389,2222 -iL discovery/range.txt -oA discovery/hosts/rmisweep --min-hostgroup 256 --min-rate 1280
```

To view the open ports from the scan, use cat:

```bash
cat discovery/hosts/rmisweep.gnmap | grep open | cut -d " " -f2
```

Alternative Methods for Finding IPs

You can also find IPs through DNS. For example, to find the address of the host mail.jeremiahonealtechsupport.com, resolve the name with a DNS lookup; a reverse lookup (PTR record) does the opposite, mapping an address you already have back to its hostname.

Scan a Subnet

To ping-sweep an address range written in Nmap's octet-range syntax (here the .1 address of every /24 in 10.0.0.0/8), use this Nmap command:

```bash
sudo nmap -sn 10.0-255.0-255.1 -PE --min-hostgroup 10000 --min-rate 10000
```

Discover Network Services

To sweep for open ports across a list of hosts, use the following Nmap command:

```bash
nmap -Pn -n -p 22,25,53,80,443,445,1433,3306,3389,4800,5900,8080,8443 -iL hosts/targets.txt -oA services/quick-sweep
```

To check for open ports in the scan results, use this command:

```bash
cat services/quick-sweep.gnmap | grep open
```
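The grep and cut pipelines used here and in the ping-sweep section work because .gnmap output is line-oriented: every line starts with "Host: <addr> (<name>)", followed by tab-separated fields such as "Status: Up" or "Ports: ...", and each port entry is slash-separated. As an added example that is not part of the original post, here is a small Ruby parser that does the same extraction field by field instead of by substring match, so it also reports which ports are open on each live host. The .gnmap content embedded in it is constructed; the addresses, hostnames and services are made up.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original post: a field-aware parser for Nmap's
# greppable output (-oG, or the .gnmap file written by -oA). It does what the
# grep/cut pipelines do, but splits the tab-separated Status/Ports fields and
# the slash-separated port entries instead of matching substrings.

# Constructed .gnmap content standing in for pingsweep.gnmap / quick-sweep.gnmap;
# addresses, hostnames and services are made up for the example.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap 7.94 scan initiated Sun Dec 15 10:00:00 2024 as: nmap -Pn -n -p 22,80,443,445,3389 -oG - -iL hosts/targets.txt
  Host: 10.0.0.5 ()\tStatus: Up
  Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///, 443/closed/tcp//https///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
  Host: 10.0.0.9 (printer.lan)\tStatus: Up
  Host: 10.0.0.9 (printer.lan)\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http//HP HTTP Server/\tIgnored State: filtered (3)
  Host: 10.0.0.12 ()\tStatus: Down
  # Nmap done at Sun Dec 15 10:00:12 2024 -- 3 IP addresses (2 hosts up) scanned in 12.00 seconds
GNMAP

# Parse .gnmap text into { addr => { hostname:, status:, ports: [...] } }.
# Each line is "Host: <addr> (<name>)" followed by tab-separated "Key: value"
# fields; a Ports entry is port/state/proto/owner/service/rpcinfo/version/.
def parse_gnmap(text)
  hosts = {}
  text.each_line do |line|
    next if line.start_with?('#')
    head, *fields = line.chomp.split("\t")
    m = head&.match(/\AHost:\s+(\S+)\s+\((.*)\)\z/)
    next unless m
    entry = hosts[m[1]] ||= { hostname: m[2], status: nil, ports: [] }
    fields.each do |field|
      key, value = field.split(': ', 2)
      case key
      when 'Status'
        entry[:status] = value
      when 'Ports'
        value.split(', ').each do |spec|
          port, state, proto, _owner, service, _rpc, version = spec.split('/')
          entry[:ports] << { port: port.to_i, state: state, proto: proto,
                             service: service.to_s, version: version.to_s }
        end
      end
    end
  end
  hosts
end

# Same result as: grep "Up" pingsweep.gnmap | cut -d " " -f2
def live_hosts(text)
  parse_gnmap(text).select { |_, h| h[:status] == 'Up' }.keys
end

# Same hosts as: grep open quick-sweep.gnmap | cut -d " " -f2, but keeping
# the open port entries so you can see what was found on each one.
def open_ports_by_host(text)
  parse_gnmap(text).each_with_object({}) do |(addr, h), out|
    open = h[:ports].select { |p| p[:state] == 'open' }
    out[addr] = open unless open.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_GNMAP : File.read(ARGV[0])
  puts "Live hosts: #{live_hosts(text).join(' ')}"
  open_ports_by_host(text).each do |addr, ports|
    ports.each { |p| puts "#{addr}, #{p[:port]}/#{p[:proto]}, #{p[:service]}, #{p[:version]}" }
  end
end
```

Pass a .gnmap path as the first argument to parse a real file; with no argument it parses the embedded sample. Because it keys on the Status field rather than on the string "Up", a hostname or service banner that happens to contain "Up" or "open" cannot produce a false match.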

To perform a full TCP scan on all ports, use:

```bash
nmap -Pn -n -iL hosts/targets.txt -p 0-65535 -sV -A -oA services/full-sweep --min-rate 50000 --min-hostgroup 22
```

Ruby Script to Parse Nmap Results

Here's a Ruby script that parses Nmap's XML output with the Nmap::Parser library (required as nmap/parser) and extracts information about open ports, then prints a follow-up Nmap command for the ports it found:

```ruby
#!/usr/bin/env ruby
require 'rubygems'
require 'nmap/parser'

# Check for input argument
if ARGV.empty?
  puts "Usage: #{$PROGRAM_NAME} <nmap_xml_output>"
  exit(1)
end

# Parse Nmap XML file
nmap_file = ARGV[0]
parser = Nmap::Parser.parsefile(nmap_file)

# Iterate through hosts
parser.hosts("up") do |host|
  portstring = ""

  # Iterate through open ports
  host.ports("open") do |port|
    service = port.service

    # Print port details
    puts "#{host.addr}, #{port.num}, #{service.name}, #{service.product}, #{service.version}, #{service.extrainfo}"

    # Build a comma-separated list of ports for later use
    portstring << "#{port.num},"
  end

  # Generate Nmap command for further enumeration
  unless portstring.empty?
    puts "sudo nmap -sS -p #{portstring.chop} -sV -A -vv -oA enumeration -iL ranges.txt"
  end
end
```

Export Full Sweep Results to CSV

To convert the full-sweep results into a CSV file, use the following:

```bash
parseenmap services/full-sweep.xml > services/all-ports.csv
```

EternalBlue (MS17-010) Vulnerability

MS17-010 is the Microsoft security bulletin for a critical flaw in the SMBv1 implementation, patched in March 2017; EternalBlue is the exploit written for it, and the name is commonly used for the vulnerability itself. It allows remote code execution (RCE) on unpatched systems, giving an attacker SYSTEM-level access and a way to propagate malware across networks. EternalBlue was used in the WannaCry and NotPetya ransomware attacks, which disrupted systems globally by targeting vulnerable SMBv1 services. To check for this vulnerability, run Nmap's smb-vuln-ms17-010 script against port 445. Mitigation involves applying the MS17-010 patch, disabling SMBv1, and restricting access to SMB ports. The incident highlights why patching systems and disabling outdated protocols matters: it prevents widespread exploitation and worm-like propagation.
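The Ruby script in the previous section depends on the nmap-parser gem. As an added example that is not the page's code, here is a version using only Ruby's standard library (REXML) that prints the same comma-separated rows, builds the same port list for the follow-up enumeration command, and additionally reads the smb-vuln-ms17-010 host-script result from the XML so that hosts the script marked VULNERABLE are listed for remediation. The XML embedded in it is a constructed stand-in for `nmap -sV --script smb-vuln-ms17-010 -oX` output; the addresses and versions are made up, and the vulnerability table key is a placeholder rather than the real identifier Nmap emits.

```ruby
#!/usr/bin/env ruby
# Added example, not the page's script: parse Nmap -oX output with Ruby's
# standard library (REXML) instead of the nmap-parser gem.
require 'rexml/document'

# Constructed sample of `nmap -sV --script smb-vuln-ms17-010 -oX -` output.
# Hosts, versions and the table key "vuln-placeholder" are made up for the example.
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <nmaprun scanner="nmap" args="nmap -sV --script smb-vuln-ms17-010 -oX -" version="7.94">
    <host>
      <status state="up" reason="echo-reply"/>
      <address addr="10.0.0.5" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22">
          <state state="open" reason="syn-ack"/>
          <service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="protocol 2.0"/>
        </port>
        <port protocol="tcp" portid="445">
          <state state="open" reason="syn-ack"/>
          <service name="microsoft-ds"/>
        </port>
        <port protocol="tcp" portid="3389">
          <state state="filtered" reason="no-response"/>
          <service name="ms-wbt-server"/>
        </port>
      </ports>
      <hostscript>
        <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
          <table key="vuln-placeholder"><elem key="state">VULNERABLE</elem></table>
        </script>
      </hostscript>
    </host>
    <host>
      <status state="up" reason="echo-reply"/>
      <address addr="10.0.0.9" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="445">
          <state state="open" reason="syn-ack"/>
          <service name="microsoft-ds"/>
        </port>
      </ports>
      <hostscript>
        <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
          <table key="vuln-placeholder"><elem key="state">NOT VULNERABLE</elem></table>
        </script>
      </hostscript>
    </host>
  </nmaprun>
XML

# One hash per open port on each host whose status is "up".
def open_ports(xml)
  doc = REXML::Document.new(xml)
  rows = []
  REXML::XPath.each(doc, '//host[status/@state="up"]') do |host|
    addr = host.elements['address[@addrtype="ipv4"]'].attributes['addr']
    REXML::XPath.each(host, 'ports/port[state/@state="open"]') do |port|
      svc = port.elements['service']
      attr = ->(name) { svc ? svc.attributes[name].to_s : '' }  # missing attributes become ''
      rows << { addr: addr, port: port.attributes['portid'].to_i,
                proto: port.attributes['protocol'],
                name: attr.call('name'), product: attr.call('product'),
                version: attr.call('version'), extrainfo: attr.call('extrainfo') }
    end
  end
  rows
end

# Same column order as the page's script: addr, port, name, product, version, extrainfo.
def csv_rows(xml)
  open_ports(xml).map { |r| r.values_at(:addr, :port, :name, :product, :version, :extrainfo).join(', ') }
end

# Unique, sorted open ports, ready for the -p argument of a follow-up scan.
def port_list(xml)
  open_ports(xml).map { |r| r[:port] }.uniq.sort.join(',')
end

# Hosts whose smb-vuln-ms17-010 host-script result carries state VULNERABLE.
def ms17_010_vulnerable(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//host[status/@state="up"]').select do |host|
    state = REXML::XPath.first(host, 'hostscript/script[@id="smb-vuln-ms17-010"]/table/elem[@key="state"]')
    state && state.text.to_s.strip == 'VULNERABLE'
  end.map { |host| host.elements['address[@addrtype="ipv4"]'].attributes['addr'] }
end

if __FILE__ == $PROGRAM_NAME
  xml = ARGV.empty? ? SAMPLE_XML : File.read(ARGV[0])
  puts csv_rows(xml)
  puts "sudo nmap -sS -p #{port_list(xml)} -sV -A -vv -oA enumeration -iL ranges.txt"
  ms17_010_vulnerable(xml).each { |addr| puts "#{addr}: MS17-010 reported VULNERABLE, patch and disable SMBv1" }
end
```

Pass the XML file written by -oA (services/full-sweep.xml in the sections above) as the first argument; with no argument it runs against the embedded sample. Reading the script's structured `<elem key="state">` element rather than grepping the free-text `output` attribute keeps the check stable across wording changes in the script's message.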
