How To: Use NMAP 7 to Discover Vulnerabilities, Launch DoS Attacks and More!

Use NMAP 7 to Discover Vulnerabilities, Launch DoS Attacks and More!

How to Use NMAP 7 to Discover Vulnerabilities, Launch DoS Attacks and More!

NMAP is an essential tool in any hacker's arsenal. Originally written by Gordon Lyon aka Fydor, it's used to locate hosts and services and create a map of the network. NMAP has always been an incredibly powerful tool, but with it's newest release, which dropped mid-November of last year, they've really out done themselves.

NMAP version 7 comes equipped with a ton of new scripts you can use to do everything from DoSing targets to exploiting them (with written permission, of course). The scripts cover the following categories

Auth: Use to test whether you can bypass authentication mechanism

Broadcast: Use to find other hosts on the network and automatically add them to scanning que.

Brute: Use for brute password guessing.

Discovery: Use to discover more about the network.

Dos: Use to test whether a target is vulnerable to DoS

Exploit: Use to actively exploit a vulnerability

Fuzzer: Use to test how server responds to unexpected or randomized fields in packets and determine other potential vulnerabilities

Intrusive: Use to perform more intense scans that pose a much higher risk of being detected by admins.

Malware: Use to test target for presence of malware

Safe: Use to perform general network security scan that's less likely to alarm remote administrators

Vuln: Use to find vulnerabilities on the target

For this tutorial, I will show you how to scan a target for vulnerabilities, actively try and exploit any vulnerabilities, test whether the target is vulnerable to DoS, and then finally launch a DoS attack.

Step 1: Download NMAP

Download nmap from https://nmap.org/download.html and follow the installation instructions for your particular Operating System. NMAP works easily on both Windows and Linux. After installing you will have NMAP and ZENMAP on your computer.

ZENMAP and NMAP are the same thing except ZENMAP provides you with a graphical user interface. For the rest of this tutorial you can chose to either run NMAP from your command line, or launch ZENMAP and enter the commands in the GUI.

Step 2: Run NMAP

Now that we've got NMAP installed, it's time to scan our target for vulnerabilities. As mentioned there is an entire category of scripts dedicated to finding vulnerabilities on a target. Invoking the following command will run all of the scripts against your target.

nmap -Pn --script vuln <target.com or ip> <enter>

*I always throw a -Pn in there just in case the target blocks ping probes, although it's optional.

Step 3: Review Results

After your scan completes, review NMAPs output to determine what vulnerabilities were found. It will list it's findings along with applicable CVEs and links to any exploits that exist in Offensive Security's Exploit Database.

Use NMAP to Actively Exploit Detected Vulnerabilities

As mentioned, you can also use NMAP's exploit script category to have NMAP actively exploit detected vulnerabilities by issuing the following command:

nmap --script exploit -Pn <target.com or ip> <enter>

Use NMAP to Brute Force Passwords

Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc. Use the following command to perform brute force attacks to guess authentication credentials of a remote server.

nmap --script brute -Pn <target.com or ip> <enter>

Use NMAP to Test if Target Is Vulnerable to Dos

Use the following command to check whether the target is vulnerable to DoS:

nmap --script dos -Pn <target.com or ip> <enter>

This will tell you whether the target is vulnerable without actually launching a dos attack.

Use NMAP to Perform DOS Attack

Use the following command to perform an active DoS attack against a target for an indefinite period of time:

nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true

These are just a few very cool features NMAP has to offer. NMAP is very noob friendly so get yourself a copy.

On a side note, this week I was tasked with identifying vulnerabilities in a company's server as apart of the interview process Thanks to NMAP, I was able to identify, and then successfully verify, their server had the POODLE issue. This was something (shockingly) the company was not aware of. Nessus, Openvas, Acunetix, and BurpSuite did not identify the vulnerability and it did prove legit.

16 Comments

Nicely written. +1 A few commands you left out though which I think you should have mentioned.

thanks. what other commands would you have liked me to mention? There are tons of commands for nmap. This post was more about category based scans.

I would take note of your use of the -T3 argument. It is essentially the default Nmap scan intensity and there is no need to specify it.

But overall the post was well written and easy to understand.

TRT

hmm i didn't realize. thx!

yeah --script default will take care of the basics for you too :)

Thanks for the guide. Well explained and just the scripts I was after. Are these the common scripts you would run when scanning networks? What I mean is are these the scripts you would take with you on a job?

Yes, definitely, minus the actual dos attack unless they don't mind you taking them offline. You'd be using nmap during a pentest anyway because you need to map the network. The fact that you can now do all this extra stuff with it too is awesome!

Ok thanks, will be using this more often. I knew nmap was good, but I didn't realize it was this good. Another keeper in the good old digital tool box.

yeah it's getting better with every new release. The creator and I grew up in the same hometown, went to same HS except he's two yrs older. He's got a lot of very talented pple working on it w him and he's excited about the advancements. :)

if u will bypass AV detection, use -f option

nice. I'll add that to the tut

Love it.. Thanks man.

what command will you run if you want set a Dos attack at finite period of time

nmap --script dos -Pn <target.com or ip> <enter>, How does this command work. And does it launch a DoS attack? I'm a noob...

Share Your Thoughts

  • Hot
  • Latest