
Top 5 Intrusive Nmap Scripts Hackers and Pentesters Should Know « Null Byte :: WonderHowTo



Nmap is more powerful than you know. With a few scripts, we can extend its functionality beyond a simple port scanner and identify details about target servers that system administrators do not want us to know.

Perhaps the most popular and well-known reconnaissance tool in the hacking world today, Nmap has been featured on Null Byte many times. For example, we have shown how to identify CVEs, automate brute-force attacks, and perform advanced reconnaissance, to name just a few of our Nmap tutorials.

This article assumes readers have experience with Nmap fundamentals. I will point most of the commands at ports 80 and 443 (-p80,443), as these are the common web server ports, and I will invoke Nmap's NSE features with the --script argument.

Best known for its ability to accurately identify open ports, Nmap with its NSE capabilities is an extremely powerful multipurpose tool that scales well beyond a normal port scanner. In this multi-part Nmap series, I will show some of the advanced features for aggressively detecting web server error pages, fingerprinting web application firewalls, enumerating subdomains, and extracting metadata from photos. Intrusive Nmap scripts can consume significant resources (CPU and bandwidth) on the target web server and may crash it, break it, or inadvertently cause a denial of service. Depending on the scope of your penetration testing engagement, this may not be permitted by a particular employer or client. Pentesters should use the following scripts with caution.

Update Nmap on your Kali system

Before looking at Nmap scripts, we first make sure the latest available version of Nmap is installed on our Kali Linux system. At the time of this writing, Kali offers v7.70.

Nmap can be installed using the following apt-get commands.

  apt-get update && apt-get install nmap

When done, we can verify that it was installed with the --version argument.

  nmap --version

Nmap Version 7.70 (https://nmap.org)
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.0h libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6 

And as always, we can use the --help argument to display the available options. These options can be combined with Nmap scripts to further enhance the commands in this article.

  nmap --help

Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time>


1. Web Application Firewall Detection

A web application firewall, abbreviated as WAF, detects and blocks malicious traffic to and from the Web server that is being protected. Most commonly, WAFs are used to protect Web sites from SQL injection, file inclusion, and cross-site scripting (XSS) attacks.

A server well protected by a WAF means that exploiting any web-based vulnerability it may have will be slower and noisier. Conversely, a server without a WAF can be catastrophic for system administrators trying to defend against hackers. As pentesters, our ability to detect web application firewalls on target web servers is therefore critical.

The http-waf-detect script is designed to tell us whether a web application firewall is present. It probes the target web server with multiple requests: first it sends a normal request and records the server's response, then it sends requests carrying hostile-looking payloads (such as directory traversal or script injection in the query string) and compares the answers. This method of detecting WAFs is far from perfect, and results will vary depending on the type of web server and WAF product.

To run the http-waf-detect script, use the following Nmap command.

  nmap -p80,443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" targetWebsite.com

Here I use the http-waf-detect.aggro argument, which instructs Nmap to try all of its built-in attack vectors in order to trigger the server's WAF. Also enabled is the http-waf-detect.detectBodyChanges argument, which looks for changes in the body of the HTTP responses rather than only in the status code, further increasing the likelihood of detection (and of false positives on pages whose content changes between requests).

  Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.65s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-detect: IDS/IPS/WAF detected:
|_targetWebsite.com:80/?p4yl04d=hostname%00
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_targetWebsite.com:443/?p4yl04d=hostname%00

As we can see in the above output, Nmap found some kind of web application firewall on the target web server. There are many commercial WAF products for administrators to choose from; to find out which one is in production, we need a different Nmap script.

2. Web Application Firewall Fingerprinting

Learning which WAF is in use can be important because each WAF has its own predefined rate limits and detection methods. Identifying the WAF type can help the pentester avoid detection (or stay under the radar) if we can learn the WAF's limitations and detection triggers in advance. The http-waf-fingerprint Nmap script is designed to identify exactly which web application firewall is in use on a target web server. It will also try to determine its type and exact version number.

In its simplest form, we do not need to supply any script arguments to run this Nmap script.

  nmap -p80,443 --script http-waf-fingerprint targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.71s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp open  https

As you can see above, this particular website uses the popular Cloudflare service as a front end to protect itself from attackers.

We can further enhance Nmap's ability to detect WAF types and versions using the http-waf-fingerprint.intensive argument. This increases the scan time and also increases the amount of noise (web traffic) generated by the script.

  nmap -p80,443 --script http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.84s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    BinarySec version 3.4.0
443/tcp open  https

We have just learned that the BinarySec WAF (version 3.4.0) is in use. An attacker could study that product's documentation to better understand its triggers and avoid detection during the penetration test.
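The two heuristics behind sections 1 and 2 are simple enough to reproduce offline. The following is an added example, not Nmap's code: it mirrors http-waf-detect by comparing a baseline response against responses to hostile-looking query strings, and mirrors http-waf-fingerprint by matching response headers against a small signature table. The HTTP responses are constructed, the signature table is an illustrative subset assumed from publicly documented headers (Cloudflare, Incapsula, ModSecurity), and the baseline-stability check is an addition the NSE script itself does not perform.

```python
"""Offline re-implementation of the WAF detection and fingerprinting heuristics.

Added example, not Nmap's own code. All traffic below is constructed."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased
    body: str


# Payloads in the spirit of http-waf-detect's attack vectors (the script's own list is longer).
ATTACK_VECTORS = [
    "?p4yl04d=../../../../../../../etc/passwd",
    "?p4yl04d=<script>alert(document.cookie)</script>",
    "?p4yl04d=hostname%00",
]

# Header signatures for a few products. Assumed from public documentation; an
# illustrative subset, not the http-waf-fingerprint database.
SIGNATURES = {
    "Cloudflare": lambda r: r.headers.get("server", "").lower() == "cloudflare"
    or "cf-ray" in r.headers,
    "Incapsula": lambda r: "x-iinfo" in r.headers
    or "incap_ses" in r.headers.get("set-cookie", ""),
    "ModSecurity": lambda r: "mod_security" in r.headers.get("server", "").lower(),
}


def baseline_is_stable(first, second):
    """Two unmodified requests must agree before body differences mean anything;
    dynamic pages (nonces, timestamps) otherwise produce false positives."""
    return first.status == second.status and first.body == second.body


def detect_waf(baseline, probes, detect_body_changes=False):
    """Return the payloads whose response differs from the baseline.

    probes maps payload -> Response. A status change always counts; a body change
    counts only when detect_body_changes is set (the detectBodyChanges argument)."""
    hits = []
    for payload, resp in probes.items():
        if resp.status != baseline.status:
            hits.append(payload)
        elif detect_body_changes and resp.body != baseline.body:
            hits.append(payload)
    return hits


def fingerprint_waf(responses):
    """Return the sorted product names whose signature matches any response seen."""
    names = {name for r in responses for name, match in SIGNATURES.items() if match(r)}
    return sorted(names)


# --- constructed sample traffic ---------------------------------------------
HOME = Response(200, {"server": "cloudflare", "cf-ray": "4a1b2c3d4e5f6789-FRA"},
                "<html><body>Welcome</body></html>")
HOME_AGAIN = Response(200, dict(HOME.headers), HOME.body)
BLOCK_PAGE = Response(403, {"server": "cloudflare", "cf-ray": "4a1b2c3d4e5f678a-FRA"},
                      "<html><title>Attention Required!</title></html>")
PROBES = {
    ATTACK_VECTORS[0]: BLOCK_PAGE,
    ATTACK_VECTORS[1]: BLOCK_PAGE,
    # A payload the rules let through: same status, same body, so not reported.
    ATTACK_VECTORS[2]: Response(200, dict(HOME.headers), HOME.body),
}


def run_sample():
    """Run both heuristics over the constructed traffic."""
    assert baseline_is_stable(HOME, HOME_AGAIN), "dynamic page: body diffs are unreliable"
    return {
        "blocked_payloads": detect_waf(HOME, PROBES, detect_body_changes=True),
        "products": fingerprint_waf([HOME, BLOCK_PAGE]),
    }


if __name__ == "__main__":
    print(run_sample())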

3. Finding HTTP Errors

Hypertext Transfer Protocol (HTTP) status codes, also known as "response codes", are returned by web servers to our web browsers when we make requests. These codes are how web servers communicate the outcome of a request, including errors, to server administrators, web developers, and end users alike.

HTTP status codes are divided into categories or "classes." The first digit defines the class, and the following two digits distinguish specific conditions within it. For example, the 4xx class covers requests that the web server cannot or will not fulfil, such as a request for a page that does not exist. That case is defined as the "404 Not Found" status, probably the most recognizable status code on the Internet.

Status codes are particularly useful to pentesters because they help us identify broken, outdated, and misconfigured parts of a server that may be leaking sensitive information, or that may give us a way to control aspects of the server.

Below, following Wikipedia, are the five HTTP status code classes. Web application penetration testers should become familiar with all of the status codes and their definitions.

  • 1xx (Informational): The request was received, continuing process
  • 2xx (Success): The request was successfully received, understood, and accepted
  • 3xx (Redirection): Further action needs to be taken in order to complete the request
  • 4xx (Client Error): The request contains bad syntax or cannot be fulfilled
  • 5xx (Server Error): The server failed to fulfil an apparently valid request

The http-errors Nmap script can be used to identify interesting status codes for further investigation.

  nmap -p80,443 --script http-errors targetWebsite.com

Simply calling the http-errors script is enough to get started. Ports 80 and 443 are the common web server ports, but they can be changed to suit your needs.

  Nmap scan report for targetWebsite.com
Host is up (0.67s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=targetWebsite.com
| Found the following error pages:
|
| Error Code: 403
|_ http://targetWebsite.com:80/
443/tcp open  https
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=targetWebsite.com
| Found the following error pages:
|
| Error Code: 400
|_ http://targetWebsite.com:443/

In the above output, Nmap found a 403 status on the root of port 80, meaning the server understood the request but refuses to authorize access to that resource. That may be deliberate access control or a misconfiguration of file permissions; either way it deserves a closer look. The following is a refined command with several script arguments.

  nmap -vv -p80,443 --script http-errors --script-args "httpspider.url=/docs/,httpspider.maxpagecount=3,httpspider.maxdepth=1" targetWebsite.com

This particular Nmap script uses the httpspider library, so we can use arguments such as httpspider.url, httpspider.maxpagecount, and httpspider.maxdepth to point the scan at specific paths and to define how many pages, and how deep, Nmap should crawl before stopping.
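Across many hosts the text output above becomes hard to read, and the status code classes listed earlier are more useful once the findings are machine-readable. The following is an added example, not part of the article or of Nmap: it reads http-errors results from Nmap's XML output (the -oX option), extracts each error code and URL, assigns the class by first digit, and orders the hits so that server errors and access-control responses come first. The XML is constructed in the per-port <script id=... output=...> layout Nmap uses; the exact wording inside the output attribute mirrors the lines shown above and is assumed.

```python
"""Triage http-errors findings from Nmap XML output.

Added example, not Nmap's code. SAMPLE_XML is constructed."""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.70">
 <host><address addr="203.0.113.10" addrtype="ipv4"/>
  <hostnames><hostname name="targetWebsite.com" type="user"/></hostnames>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/>
    <script id="http-errors" output="&#10;  Spidering limited to: maxpagecount=40; withinhost=targetWebsite.com&#10;  Found the following error pages:&#10;  &#10;  Error Code: 403&#10;  &#9;http://targetWebsite.com:80/&#10;  Error Code: 500&#10;  &#9;http://targetWebsite.com:80/cgi-bin/test.pl"/>
   </port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <script id="http-errors" output="&#10;  Spidering limited to: maxpagecount=40; withinhost=targetWebsite.com&#10;  Found the following error pages:&#10;  &#10;  Error Code: 400&#10;  &#9;https://targetWebsite.com:443/"/>
   </port>
  </ports>
 </host>
</nmaprun>
"""

# The five classes from the list above, keyed by first digit.
CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
           "4": "Client Error", "5": "Server Error"}

# Codes worth a second look during a web test, with the follow-up a tester would try.
INTERESTING = {
    401: "authentication prompt: note the realm, try default credentials",
    403: "access control in front of something: test bypasses (case, trailing slash, verbs)",
    405: "method restricted: check which verbs are allowed (OPTIONS, PUT, TRACE)",
    500: "unhandled server error: look for stack traces and path disclosure",
    502: "upstream failure: a reverse proxy is present, enumerate backends",
}

# "Error Code: 403" followed by whitespace and the URL on the next line.
ERROR_RE = re.compile(r"Error Code:\s*(\d{3})\s+(\S+)")


def parse_http_errors(xml_text):
    """Return [(host, port, status, url)] for every http-errors hit in the XML."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "http-errors":
                    continue
                for code, url in ERROR_RE.findall(script.get("output", "")):
                    hits.append((addr, int(port.get("portid")), int(code), url))
    return hits


def classify(status):
    """Map a status code to its class name by first digit."""
    return CLASSES.get(str(status)[0], "Unknown")


def triage(hits):
    """Attach class and follow-up note; server errors first, then known-interesting codes."""
    rows = [{"host": h, "port": p, "status": s, "class": classify(s), "url": u,
             "note": INTERESTING.get(s, "")} for h, p, s, u in hits]
    rows.sort(key=lambda r: (r["class"] != "Server Error",
                             r["status"] not in INTERESTING, r["status"]))
    return rows


if __name__ == "__main__":
    for row in triage(parse_http_errors(SAMPLE_XML)):
        print(row)
```

Run the real scan with -oX and feed the file to parse_http_errors; the same triage then covers every host in the engagement rather than one report at a time.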

4. Finding Subdomains and Hidden Servers

Subdomains are often used to host additional sites for a particular subset of users. For example, Null Byte (null-byte.wonderhowto.com) is one of many subdomains in the WonderHowTo network of websites. Other well-known subdomains are m.facebook.com, mobile.twitter.com, and developer.github.com.

Subdomains are interesting to hackers because a subdomain and its parent domain may be hosted on entirely different virtual private servers in different parts of the world, and may not receive the same level of security attention.

The dns-brute script built into Nmap is designed to enumerate subdomains and their corresponding server IP addresses.

  nmap -p80,443 --script dns-brute targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.16s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| http.targetWebsite.com - 198.105.244.228
| http.targetWebsite.com - 198.105.254.228
| mysql.targetWebsite.com - 198.105.244.228
| mysql.targetWebsite.com - 198.105.254.228
| news.targetWebsite.com - 104.17.202.106
| news.targetWebsite.com - 104.17.203.106
| news.targetWebsite.com - 104.17.204.106
| news.targetWebsite.com - 104.17.205.106
| news.targetWebsite.com - 104.17.206.106
| app.targetWebsite.com - 104.97.95.87
| apps.targetWebsite.com - 12.18.141.21
| web.targetWebsite.com - 198.105.244.228
| web.targetWebsite.com - 198.105.254.228
| auth.targetWebsite.com - 204.238.150.111
| web2test.targetWebsite.com - 198.105.244.228
| web2test.targetWebsite.com - 198.105.254.228
| beta.targetWebsite.com - 98.99.252.42
| id.targetWebsite.com - 98.99.254.9
| blog.targetWebsite.com - 216.87.148.114
| www.targetWebsite.com - 104.97.95.87
| www2.targetWebsite.com - 207.76.137.99
| cms.targetWebsite.com - 98.99.252.57
| ldap.targetWebsite.com - 98.99.254.57
| owa.targetWebsite.com - 98.99.252.118
| sip.targetWebsite.com - 199.233.179.46
| mail.targetWebsite.com - 98.99.254.8
| mobile.targetWebsite.com - 216.87.148.114
| help.targetWebsite.com - 98.99.252.46
| home.targetWebsite.com - 198.105.244.228
| _ home.targetWebsite.com - 198.105.254.228

Nmap done: 1 IP address (1 host up) scanned in 32.62 seconds

This particular website has many subdomains configured, and not all share the same IP address. At this point, a penetration tester can extend their reconnaissance to the newly discovered servers under this website's control.

Below is a dns-brute command with several script arguments.

  nmap -p80,443 --script dns-brute --script-args dns-brute.threads=25,dns-brute.hostlist=/root/Desktop/custom-subdomain-wordlist.txt targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.17s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| www7.targetWebsite.com - 198.105.244.228
| www7.targetWebsite.com - 198.105.254.228
| www.targetWebsite.com - 104.97.95.87
| webdisk.test.targetWebsite.com - 198.105.244.228
| webdisk.test.targetWebsite.com - 198.105.254.228
| www4.targetWebsite.com - 198.105.244.228
| www4.targetWebsite.com - 198.105.254.228
| www1.targetWebsite.com - 198.105.244.228
| www1.targetWebsite.com - 198.105.254.228
| app.targetWebsite.com - 104.97.95.87
| mail.targetWebsite.com - 98.99.254.8
| www.m.targetWebsite.com - 198.105.244.228
| www.m.targetWebsite.com - 198.105.254.228
| meet.targetWebsite.com - 199.233.179.60
| members.targetWebsite.com - 52.85.88.11
| members.targetWebsite.com - 52.85.88.178
| members.targetWebsite.com - 52.85.88.184
| members.targetWebsite.com - 52.85.88.186
| webmail2.targetWebsite.com - 198.105.244.228
| webmail2.targetWebsite.com - 198.105.254.228
| ww2.targetWebsite.com - 198.105.244.228
| ww2.targetWebsite.com - 198.105.254.228
| sip.targetWebsite.com - 199.233.179.46
| www.beta.targetWebsite.com - 198.105.244.228
| www.beta.targetWebsite.com - 198.105.254.228
| news.targetWebsite.com - 104.17.202.106
| news.targetWebsite.com - 104.17.203.106
| news.targetWebsite.com - 104.17.204.106
| news.targetWebsite.com - 104.17.205.106
| news.targetWebsite.com - 104.17.206.106
| www.news.targetWebsite.com - 198.105.244.228
| www.news.targetWebsite.com - 198.105.254.228
| www.shop.targetWebsite.com - 198.105.244.228
| www.shop.targetWebsite.com - 198.105.254.228
| portal.targetWebsite.com - 192.237.142.31
| preview.targetWebsite.com - 104.97.95.87
| search.targetWebsite.com - 98.99.252.118
| www.support.targetWebsite.com - 198.105.244.228
| www.support.targetWebsite.com - 198.105.254.228
| api.targetWebsite.com - 98.99.252.56
| share.targetWebsite.com - 69.28.231.168
| mobile.targetWebsite.com - 216.87.148.114
| lyncdiscover.targetWebsite.com - 199.233.179.60
| mysql.targetWebsite.com - 198.105.244.228
| mysql.targetWebsite.com - 198.105.254.228
| owa.targetWebsite.com - 98.99.252.118
| webdisk.forum.targetWebsite.com - 198.105.244.228
| webdisk.forum.targetWebsite.com - 198.105.254.228
| www.blog.targetWebsite.com - 198.105.244.228
| www.blog.targetWebsite.com - 198.105.254.228
| beta.targetWebsite.com - 98.99.252.42
| partner.targetWebsite.com - 98.99.252.118
| a.targetWebsite.com - 63.149.195.18
| a.targetWebsite.com - 67.134.222.254
| a.targetWebsite.com - 8.33.184.254
| blogs.targetWebsite.com - 98.99.252.176
| webdisk.m.targetWebsite.com - 198.105.244.228
| webdisk.m.targetWebsite.com - 198.105.254.228
| webdisk.demo.targetWebsite.com - 198.105.244.228
| webdisk.demo.targetWebsite.com - 198.105.254.228
| ldap.targetWebsite.com - 98.99.254.57
| www.webmail.targetWebsite.com - 198.105.244.228
| www.webmail.targetWebsite.com - 198.105.254.228
| webmail.targetWebsite.com - 98.99.254.8
| web3.targetWebsite.com - 198.105.244.228
| web3.targetWebsite.com - 198.105.254.228
| community.targetWebsite.com - 216.87.148.114
| webmail.cp.targetWebsite.com - 198.105.244.228
| webmail.cp.targetWebsite.com - 198.105.254.228
| www.demo.targetWebsite.com - 198.105.244.228
| www.demo.targetWebsite.com - 198.105.254.228
| remote.targetWebsite.com - 216.87.148.114
| my.targetWebsite.com - 198.105.244.228
| my.targetWebsite.com - 198.105.254.228
| webdisk.dev.targetWebsite.com - 198.105.244.228
| webdisk.dev.targetWebsite.com - 198.105.254.228
| www.forum.targetWebsite.com - 198.105.244.228
| www.forum.targetWebsite.com - 198.105.254.228
| webdisk.targetWebsite.com - 198.105.244.228
| webdisk.targetWebsite.com - 198.105.254.228
| www.test.targetWebsite.com - 198.105.244.228
| www.test.targetWebsite.com - 198.105.254.228
| www.mobile.targetWebsite.com - 198.105.244.228
| www.mobile.targetWebsite.com - 198.105.254.228
| web1.targetWebsite.com - 198.105.244.228
| web1.targetWebsite.com - 198.105.254.228
| relay.targetWebsite.com - 98.99.254.28
| web2.targetWebsite.com - 198.105.244.228
| web2.targetWebsite.com - 198.105.254.228
| web.targetWebsite.com - 198.105.244.228
| web.targetWebsite.com - 198.105.254.228
| dialin.targetWebsite.com - 199.233.179.60
| jobs.targetWebsite.com - 216.87.148.114
| webdisk.blog.targetWebsite.com - 198.105.244.228
| webdisk.blog.targetWebsite.com - 198.105.254.228
| home.targetWebsite.com - 198.105.244.228
| home.targetWebsite.com - 198.105.254.228
| www3.targetWebsite.com - 198.105.244.228
| www3.targetWebsite.com - 198.105.254.228
| www.store.targetWebsite.com - 104.16.53.60
| www.store.targetWebsite.com - 104.16.54.60
| www6.targetWebsite.com - 198.105.244.228
| www6.targetWebsite.com - 198.105.254.228
| www.my.targetWebsite.com - 198.105.244.228
| www.my.targetWebsite.com - 198.105.254.228
| www5.targetWebsite.com - 198.105.244.228
| www5.targetWebsite.com - 198.105.254.228
| autodiscover.targetWebsite.com - 98.99.254.176
| www.admin.targetWebsite.com - 198.105.244.228
| www.admin.targetWebsite.com - 198.105.254.228
| store.targetWebsite.com - 104.16.206.251
| store.targetWebsite.com - 104.16.207.251
| web01.targetWebsite.com - 198.105.244.228
| web01.targetWebsite.com - 198.105.254.228
| cms.targetWebsite.com - 98.99.252.57
| www.old.targetWebsite.com - 198.105.244.228
| www.old.targetWebsite.com - 198.105.254.228
| blog.targetWebsite.com - 216.87.148.114
| www2.targetWebsite.com - 207.76.137.99
| webservices.targetWebsite.com - 198.105.244.228
| webservices.targetWebsite.com - 198.105.254.228
| www.video.targetWebsite.com - 198.105.244.228
| www.video.targetWebsite.com - 198.105.254.228
| web4.targetWebsite.com - 198.105.244.228
| web4.targetWebsite.com - 198.105.254.228
| e.targetWebsite.com - 63.149.195.18
| e.targetWebsite.com - 67.134.222.254
| e.targetWebsite.com - 8.33.184.254
| auth.targetWebsite.com - 204.238.150.111
| www.targetWebsite.com - 198.105.244.228
| www.targetWebsite.com - 198.105.254.228
| help.targetWebsite.com - 98.99.252.46
| jira.targetWebsite.com - 98.99.254.68
| outlook.targetWebsite.com - 98.99.254.66
| www.mail.targetWebsite.com - 198.105.244.228
| www.mail.targetWebsite.com - 198.105.254.228
| MAIL.targetWebsite.com - 98.99.254.8
| www.new.targetWebsite.com - 198.105.244.228
| www.new.targetWebsite.com - 198.105.254.228
| mdm.targetWebsite.com - 192.30.68.141
| origin-www.targetWebsite.com - 104.97.95.87
| sslvpn.targetWebsite.com - 204.238.150.49
| assets.targetWebsite.com - 107.14.46.27
| assets.targetWebsite.com - 107.14.46.35
| www.en.targetWebsite.com - 198.105.244.228
| www.en.targetWebsite.com - 198.105.254.228
| docs.targetWebsite.com - 98.99.254.67
| www.dev.targetWebsite.com - 198.105.244.228
| www.dev.targetWebsite.com - 198.105.254.228
| www.forums.targetWebsite.com - 198.105.244.228
| www.forums.targetWebsite.com - 198.105.254.228
| www.ads.targetWebsite.com - 198.105.244.228
| www.ads.targetWebsite.com - 198.105.254.228
| apps.targetWebsite.com - 12.18.141.21
| www.wiki.targetWebsite.com - 198.105.244.228
| www.wiki.targetWebsite.com - 198.105.254.228
| webconf.targetWebsite.com - 198.105.244.228
| webconf.targetWebsite.com - 198.105.254.228
| ww.targetWebsite.com - 198.105.244.228
| ww.targetWebsite.com - 198.105.254.228
| webcam.targetWebsite.com - 198.105.244.228
| webcam.targetWebsite.com - 198.105.254.228
| www.chat.targetWebsite.com - 198.105.244.228
| _ www.chat.targetWebsite.com - 198.105.254.228

Nmap done: 1 IP address (1 host up) scanned in 62.15 seconds

By default, dns-brute runs five concurrent threads. We can raise or lower this value with dns-brute.threads. The load here falls on the name servers answering for the domain (and on your own resolver), not on the web server itself, but a high thread count can still overwhelm a small authoritative name server or get your resolver rate limited, so adjust this value with caution.

dns-brute tries roughly 125 common subdomain names by default. We can supply a custom list with the dns-brute.hostlist argument. As the previous output shows, a more comprehensive wordlist turned up many more names and IP addresses controlled by this site. Note, however, how many of those names resolve to the same pair of addresses (198.105.244.228 and 198.105.254.228). That pattern is typical of wildcard DNS or of a resolver that rewrites NXDOMAIN answers, so each such name should be confirmed before it is treated as a real host, for example by resolving a random label that cannot exist, or by pointing Nmap at the domain's authoritative name servers with --dns-servers.
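Sorting the real hosts from the noise is the part of this step the script leaves to you. The following is an added example, not part of the article or of Nmap: it parses dns-brute's text output, inverts it to see which addresses many names share, performs the wildcard check by resolving random labels, and drops every name whose only answers are those sink addresses. The sample output is constructed in the shape of the lines above, and the resolver is injected as a function so the code runs offline (for real use pass a wrapper around socket.gethostbyname_ex or dnspython).

```python
"""Triage dns-brute output: group names by IP and detect wildcard/NXDOMAIN-rewriting sinks.

Added example, not Nmap's code. SAMPLE_OUTPUT and the fake resolver are constructed."""
import re
import secrets
from collections import defaultdict

# Matches the per-name lines printed by dns-brute, e.g.
# "|   news.targetWebsite.com - 104.17.202.106"  or the final "|_  ..." line.
LINE_RE = re.compile(r"^\|[_ ]\s*(?P<name>[\w.-]+)\s+-\s+(?P<ip>[0-9a-fA-F:.]+)\s*$")

SAMPLE_OUTPUT = """\
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     www.targetWebsite.com - 104.97.95.87
|     news.targetWebsite.com - 104.17.202.106
|     mysql.targetWebsite.com - 198.105.244.228
|     mysql.targetWebsite.com - 198.105.254.228
|     web2test.targetWebsite.com - 198.105.244.228
|     web2test.targetWebsite.com - 198.105.254.228
|     home.targetWebsite.com - 198.105.244.228
|     home.targetWebsite.com - 198.105.254.228
|     webcam.targetWebsite.com - 198.105.244.228
|_    webcam.targetWebsite.com - 198.105.254.228
"""


def parse_dns_brute(text):
    """Return {hostname: set(ip)} from dns-brute text output."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m["name"]].add(m["ip"])
    return dict(found)


def names_by_ip(found):
    """Invert the mapping: {ip: sorted list of hostnames}."""
    inv = defaultdict(set)
    for name, ips in found.items():
        for ip in ips:
            inv[ip].add(name)
    return {ip: sorted(names) for ip, names in inv.items()}


def suspected_sinks(found, min_names=3):
    """IPs shared by many unrelated names: wildcard DNS, a catch-all virtual host,
    or a resolver rewriting NXDOMAIN to an ad/search page. Not proof of a server."""
    return sorted(ip for ip, names in names_by_ip(found).items() if len(names) >= min_names)


def wildcard_check(resolve, domain, attempts=2):
    """Resolve random labels under `domain`. Any answer means a wildcard or a
    rewriting resolver; the returned IPs are sinks. `resolve(name)` must return a
    list of IPs, or [] / raise OSError on NXDOMAIN."""
    sink_ips = set()
    for _ in range(attempts):
        label = secrets.token_hex(8)  # random, so it cannot legitimately exist
        try:
            sink_ips.update(resolve("%s.%s" % (label, domain)))
        except OSError:
            pass
    return sink_ips


def confirmed_hosts(found, sink_ips):
    """Keep only names that have at least one answer outside the sink addresses."""
    return {name: ips for name, ips in found.items() if ips - sink_ips}


def fake_rewriting_resolver(name):
    """Stand-in for a resolver that answers every query (constructed, offline only)."""
    known = {"www.targetWebsite.com": ["104.97.95.87"],
             "news.targetWebsite.com": ["104.17.202.106"]}
    return known.get(name, ["198.105.244.228", "198.105.254.228"])


def run_sample():
    """Parse the sample, detect the sinks, and report which names survive."""
    found = parse_dns_brute(SAMPLE_OUTPUT)
    sinks = wildcard_check(fake_rewriting_resolver, "targetWebsite.com")
    return {"parsed": len(found), "sinks": sorted(sinks),
            "confirmed": sorted(confirmed_hosts(found, sinks))}


if __name__ == "__main__":
    print(run_sample())
```

Run the wildcard check against the resolver Nmap will actually use (or pass --dns-servers to pick a clean one) before the brute force, so the sink addresses are known before the output is interpreted.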


5. Extracting EXIF Data from Photos

Exchangeable image file format, better known as EXIF, is metadata embedded in JPEG and TIFF images and, less consistently, in other image and document formats. This embedded data can contain interesting information, including timestamps, device make and model, and GPS coordinates. Many websites still do not strip EXIF data from uploaded images, exposing themselves or their users to risk.

As penetration testers, knowing what kind of device a target uses helps us decide which payloads to generate. A classic example of EXIF data being used to catch a black hat is the arrest of Higinio Ochoa: FBI agents worked out his girlfriend's location from the GPS data in a photo he had uploaded to the Internet.

Nmap's http-exif-spider script can be used to extract interesting EXIF data from photos. A script like this is not suited to mainstream sites such as Instagram, Twitter, and Facebook, which strip EXIF data when users upload new photos. Personal blogs, small businesses, and even large enterprises, however, may not take such precautions or monitor what employees post online, and it is not unusual to find GPS data in their photos.

  nmap -p80,443 --script http-exif-spider targetWebsite.com

Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for targetWebsite.com
Host is up (0.12s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-exif-spider:
|   http://targetWebsite.com:80/image_10012.jpg
|     Make: NIKON CORPORATION
|     Model: NIKON D4
|     Date: 2017:04:26 21:22:49
|   http://targetWebsite.com:80/ips.jpg
|     Make: Samsung
|     Model: Galaxy S6
|_    Date: 2017:02:24 23:37:14
443/tcp open  https
| http-exif-spider:
|   https://targetWebsite.com:443/clifton.jpg
|     Make: Canon
|_    Model: Canon EOS 5D Mark III

Nmap done: 1 IP address (1 host up) scanned in 30.43 seconds

From the above we can see that the target uses an Android phone and a variety of digital cameras. We can now, with some confidence, generate an Android-specific payload and deliver it to the target in an attempt to further compromise their devices, accounts, and networks.
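What the script is actually reading is the Exif APP1 segment of each JPEG: a small TIFF structure whose first image file directory (IFD0) carries Make, Model and DateTime, and whose GPS sub-IFD carries the coordinates as degree/minute/second rationals. The following is an added example, not the http-exif-spider code: it builds a constructed JPEG consisting only of an Exif segment (no pixel data; the camera fields and the coordinates are invented) so that it runs offline, then parses it the way any EXIF reader does and converts the GPS rationals to signed decimal degrees.

```python
"""Parse EXIF Make/Model/DateTime and GPS position straight from JPEG bytes.

Added example, not Nmap's code. build_sample_jpeg() constructs the test input."""
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def _read_ifd(tiff, offset, e, names):
    """Return {tag name: value} for the IFD at `offset`; `e` is the endianness ('<' or '>')."""
    out = {}
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, val_off = struct.unpack_from(e + "HHII", tiff, entry)
        size = TYPE_SIZE.get(typ, 1) * n
        # Values of four bytes or fewer are stored inline in the value/offset field.
        data = tiff[entry + 8:entry + 12][:size] if size <= 4 else tiff[val_off:val_off + size]
        if typ == 2:                                   # ASCII, NUL terminated
            value = data.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ == 4:                                 # LONG (used for the GPS IFD pointer)
            vals = struct.unpack_from(e + "%dI" % n, data)
            value = vals[0] if n == 1 else vals
        elif typ == 5:                                 # RATIONAL: numerator/denominator pairs
            p = struct.unpack_from(e + "%dI" % (2 * n), data)
            value = tuple(p[j] / p[j + 1] for j in range(0, 2 * n, 2))
        else:
            value = data
        out[names.get(tag, "0x%04X" % tag)] = value
    return out


def parse_exif(jpeg):
    """Return IFD0 fields (plus a nested 'GPS' dict) from a JPEG, or {} if it has no Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            e = "<" if tiff[:2] == b"II" else ">"
            (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
            fields = _read_ifd(tiff, ifd0, e, TAGS)
            if "GPSInfo" in fields:
                fields["GPS"] = _read_ifd(tiff, fields.pop("GPSInfo"), e, GPS_TAGS)
            return fields
        if marker == 0xFFDA:                           # start of scan: no metadata after this
            break
        pos += 2 + length
    return {}


def gps_to_decimal(gps):
    """Convert (deg, min, sec) rationals plus N/S/E/W references to signed decimal degrees."""
    lat = sum(v / 60 ** i for i, v in enumerate(gps["GPSLatitude"]))
    lon = sum(v / 60 ** i for i, v in enumerate(gps["GPSLongitude"]))
    if gps.get("GPSLatitudeRef") == "S":
        lat = -lat
    if gps.get("GPSLongitudeRef") == "W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


# --- constructed sample image -------------------------------------------------
def _ifd(entries, base):
    """Serialise [(tag, type, count, payload)] as a little-endian IFD at TIFF offset `base`."""
    table, tail = struct.pack("<H", len(entries)), b""
    tail_start = base + 2 + 12 * len(entries) + 4   # after count, entries, next-IFD pointer
    for tag, typ, n, payload in entries:
        if len(payload) <= 4:
            table += struct.pack("<HHI", tag, typ, n) + payload.ljust(4, b"\0")
        else:
            table += struct.pack("<HHII", tag, typ, n, tail_start + len(tail))
            tail += payload
    return table + b"\0\0\0\0" + tail


def build_sample_jpeg():
    """A JPEG made only of an Exif APP1 segment (constructed; all values invented)."""
    gps = [(1, 2, 2, b"N\0"), (2, 5, 3, struct.pack("<6I", 40, 1, 41, 1, 2110, 100)),
           (3, 2, 2, b"W\0"), (4, 5, 3, struct.pack("<6I", 74, 1, 2, 1, 4020, 100))]
    ifd0 = [(0x010F, 2, 18, b"NIKON CORPORATION\0"), (0x0110, 2, 9, b"NIKON D4\0"),
            (0x0132, 2, 20, b"2017:04:26 21:22:49\0"), (0x8825, 4, 1, b"\0\0\0\0")]
    gps_off = 8 + len(_ifd(ifd0, 8))                    # GPS IFD directly follows IFD0
    ifd0[-1] = (0x8825, 4, 1, struct.pack("<I", gps_off))
    tiff = b"II*\0" + struct.pack("<I", 8) + _ifd(ifd0, 8) + _ifd(gps, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    info = parse_exif(build_sample_jpeg())
    print(info["Make"], info["Model"], info["DateTime"], gps_to_decimal(info["GPS"]))
```

Pointing parse_exif at real files pulled from a target site gives the same Make/Model/Date the script prints, plus a decimal position that can be dropped straight onto a map, which is exactly why sites that care about their users strip this segment on upload.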

When trying to extract EXIF data from large photos, Nmap may produce an error saying that the "current http cache size exceeds the maximum size." This is Nmap telling us that the photo is larger than the default maximum file size. Use the http.max-cache-size argument and raise the value as needed. Below I have set it to an arbitrarily high number.

  nmap -p80,443 --script http-exif-spider --script-args="http.max-cache-size=99999999" targetWebsite.com

More Nmap Scripts to Come ...

Whether we are enumerating subdomains, detecting WAF version information, or reporting broken web pages for a small bug bounty, Nmap scripts have us covered. And we have barely scratched the surface of what Nmap scripts can do. In my next article, I will cover scripts that do not trigger web application firewalls or alert system administrators to our reconnaissance attempts.

Cover image by Justin Meyers / Null Byte
