Using Nmap to scan a web server can return some useful information. Below is what an Nmap scan looked like in the web server logs. This is very interesting.
10.12.141.56 - - [11/Jan/2024:18:21:23 -0500] "\x16\x03" 400 422 "-" "-"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET / HTTP/1.1" 200 6277 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /~1*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /administrator/index.php HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /wp-login.php HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET / HTTP/1.1" 200 6277 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:25 -0500] "GET /~1/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:25 -0500] "GET /~2*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:26 -0500] "GET /~2/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:27 -0500] "GET /~3*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:27 -0500] "GET /~3/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:28 -0500] "GET /~4*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:29 -0500] "GET /~4/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:29 -0500] "GET /~5*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:30 -0500] "GET /~5/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:31 -0500] "GET /~6*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:31 -0500] "GET /~6/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:32 -0500] "GET /~7*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:33 -0500] "GET /~7/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:33 -0500] "GET /~8*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:34 -0500] "GET /~8/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:35 -0500] "GET /~9*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:35 -0500] "GET /~9/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:36 -0500] "GET /~10*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:37 -0500] "GET /~10/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:37 -0500] "GET /~11*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:38 -0500] "GET /~11/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:39 -0500] "GET /%3f*~11*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:40 -0500] "GET /%3f*~10*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:40 -0500] "GET /%3f*~9*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:41 -0500] "GET /%3f*~8*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:42 -0500] "GET /%3f*~7*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:42 -0500] "GET /%3f*~6*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:43 -0500] "GET /%3f*~5*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:44 -0500] "GET /%3f*~4*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:44 -0500] "GET /%3f*~3*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:45 -0500] "GET /%3f*~2*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:46 -0500] "GET /%3f*~1*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
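
The indicators visible in the log above (the Nmap Scripting Engine User-Agent, the escaped TLS bytes answered with a 400, and the /~N*/ requests, which have the shape of IIS 8.3 short-name probing) can be turned into a per-source-IP check. This is an added example, not part of the original post; the 192.0.2.7 and 198.51.100.9 entries, the indicator names and the min_probes threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ '
                     + QUOTED + ' ' + QUOTED + '$')
# Tilde probe paths as they appear in the log above: /~1*/, /~1/, /%3f*~11*/
TILDE_RE = re.compile(r'^GET /(?:%3f\*)?~\d+\*?/', re.IGNORECASE)

def classify(line):
    """Return (source_ip, set of scan indicators) for one access-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, set()
    ip, req, status, _referer, agent = m.groups()
    hits = set()
    if "Nmap Scripting Engine" in agent:
        hits.add("nse-user-agent")          # default NSE header; set by the client
    if req.startswith(r"\x16\x03") and status == "400":
        hits.add("tls-hello-on-http-port")  # TLS record bytes logged as an escaped request
    if TILDE_RE.match(req):
        hits.add("tilde-probe")             # path-based, independent of the User-Agent
    return ip, hits

def summarize(lines, min_probes=5):
    """Count indicators per IP; flag an IP on any NSE agent or >= min_probes tilde probes."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ip, hits = classify(line)
        for h in hits:
            counts[ip][h] += 1
    flagged = {ip for ip, c in counts.items()
               if c.get("nse-user-agent", 0) or c.get("tilde-probe", 0) >= min_probes}
    return {ip: dict(c) for ip, c in counts.items()}, flagged

NSE = '"-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"'
SAMPLE = [  # first four entries are from the log above; the rest are constructed
    r'10.12.141.56 - - [11/Jan/2024:18:21:23 -0500] "\x16\x03" 400 422 "-" "-"',
    '10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /~1*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 ' + NSE,
    '10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /wp-login.php HTTP/1.1" 404 6284 ' + NSE,
    '10.12.141.56 - - [11/Jan/2024:18:21:39 -0500] "GET /%3f*~11*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 ' + NSE,
    '198.51.100.9 - - [11/Jan/2024:19:00:00 -0500] "GET /~john/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
] + [f'192.0.2.7 - - [11/Jan/2024:19:00:0{n} -0500] "GET /~{n}*/*.aspx?aspxerrorpath=/ HTTP/1.1" '
     '404 6284 "-" "Mozilla/5.0"' for n in range(1, 6)]

if __name__ == "__main__":
    per_ip, flagged = summarize(SAMPLE)
    print(sorted(flagged), per_ip)
```

The constructed /~john/ request is an ordinary per-user directory URL and is not counted, while 192.0.2.7 is flagged on its request paths alone even though its User-Agent looks like a browser.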
I was using a brute force script and this made the web server very unhappy. This is an example Nmap brute force scan; it is useful for returning a list of all usernames in a MySQL database if it is exposed to the Internet.
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~/Documents)-(172.29.118.12)┋ sudo nmap 91.132.86.243 -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 10:21 AEDT
Nmap scan report for 91.132.86.243
Host is up (0.31s latency).
Not shown: 987 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
| ssh-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 43 guesses in 39 seconds, average tps: 1.3
|_  ERROR: The service seems to have failed or is heavily firewalled...
25/tcp    open     smtp
| smtp-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
53/tcp    open     domain
80/tcp    open     http
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:
|_  Path "/" does not require authentication
110/tcp   open     pop3
| pop3-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 498 guesses in 617 seconds, average tps: 0.7
143/tcp   open     imap
| imap-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
443/tcp   open     https
| http-brute:
|_  Path "/" does not require authentication
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
587/tcp   open     submission
| smtp-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
646/tcp   filtered ldp
993/tcp   open     imaps
|_imap-brute: ERROR: Script execution failed (use -d to debug)
995/tcp   open     pop3s
| pop3-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 14 guesses in 28 seconds, average tps: 0.5
|_  ERROR: Failed to connect.
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp

Nmap done: 1 IP address (1 host up) scanned in 641.21 seconds
This is an example of the brute force results. This has found a MySQL instance and valid user accounts exposed to the Internet.
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.29.123.37)┋ sudo nmap demotrend.com -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 11:01 AEDT
Nmap scan report for demotrend.com (193.111.77.5)
Host is up (0.36s latency).
rDNS record for 193.111.77.5: biricloud.com
Not shown: 893 filtered tcp ports (no-response), 35 filtered tcp ports (admin-prohibited), 61 closed tcp ports (reset)
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
| http-brute:
|_  Path "/" does not require authentication
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
110/tcp  open  pop3
| pop3-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 6 guesses in 32 seconds, average tps: 0.2
|_  ERROR: Failed to connect.
143/tcp  open  imap
| imap-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
443/tcp  open  https
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:
|_  Path "/" does not require authentication
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
| imap-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
995/tcp  open  pop3s
| pop3-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 8 guesses in 33 seconds, average tps: 0.2
|_  ERROR: Failed to connect.
3306/tcp open  mysql
| mysql-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 26 guesses in 314 seconds, average tps: 0.1
| mysql-enum:
|   Valid usernames:
|     webadmin:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 183 guesses in 310 seconds, average tps: 0.4

Nmap done: 1 IP address (1 host up) scanned in 344.81 seconds
Another brute forcing example.
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.29.123.37)┋ sudo nmap 85.190.158.85 -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 11:10 AEDT
Nmap scan report for 85.190.158.85
Host is up (0.23s latency).
Not shown: 816 filtered tcp ports (no-response), 181 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 10442 guesses in 600 seconds, average tps: 17.3
3306/tcp open  mysql
| mysql-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
| mysql-enum:
|   Valid usernames:
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 610.83 seconds
This is how to search and replace an IP address in an Apache log file.
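╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~/Documents)-(172.29.118.12)┋ sed -i 's/10\.12\.141\.56/193.10.128.13/g' log.txt
That would be a very useful trick for editing an Apache log file. The dots in the search pattern are escaped because an unescaped dot in a sed pattern matches any character, not just a literal dot. The changes will be written back to the log.txt file, since -i edits it in place; use -i.bak instead to keep the original as log.txt.bak.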