The objective of this project is to conduct a network discovery test against scanme.nmap.org, using Nmap from a Linux command line interface, in order to identify potential vulnerabilities.
The target of this network discovery test is scanme.nmap.org, a system set up specifically for Nmap usage and testing purposes. Authorization to scan this system and its ports is provided on their website.
Performing an unconfigured Nmap scan on the target reveals the following open ports:
- Port 22 (SSH service)
- Port 80 (HTTP service)
- Port 9929 (Nping-echo service)
- Port 31337 (Elite service)
All ports utilize the TCP protocol.
A customized script, scanning.nse, is used to display a message for any open HTTP port on scanme.nmap.org. The script can provide valuable insight into open HTTP ports, potentially revealing additional information about the web services running on the target. For this target, the only open HTTP port is port 90.
![alt text][task2_1]
Using the -sV option to detect the service and version running on each open port.
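As an added example (not the project's scanning.nse, nor any Nmap code), the following Python parses the XML output (-oX) of a -sV scan, lists each open port with its service and version, flags HTTP ports the way the custom script did, and separates out ports that -sV could not fingerprint, such as a tcpwrapped port. The embedded XML, the host address and the version strings are constructed placeholders, not a capture of scanme.nmap.org.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format; address and versions are placeholders,
# not a real capture of scanme.nmap.org.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - target.example">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="0.0-constructed" method="probed"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="0.0-constructed" method="probed"/></port>
<port protocol="tcp" portid="9929"><state state="open"/><service name="nping-echo" method="probed"/></port>
<port protocol="tcp" portid="31337"><state state="open"/><service name="tcpwrapped" method="probed"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp" method="table"/></port>
</ports></host></nmaprun>"""

HTTP_SERVICES = {"http", "http-alt", "http-proxy", "https"}


def parse_open_ports(xml_text):
    """Return one dict per open port: host, proto, port, service, product, version, probed."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                      # closed/filtered ports are not findings
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            results.append({
                "host": addr, "proto": port.get("protocol"), "port": int(port.get("portid")),
                "service": attrs.get("name", "unknown"),
                "product": attrs.get("product", ""), "version": attrs.get("version", ""),
                # method="probed" means -sV fingerprinted the banner; method="table" is
                # only the /etc/services guess and must not be trusted for version checks
                "probed": attrs.get("method") == "probed",
            })
    return results


def http_ports(ports):
    """Open ports running an HTTP service (what the custom NSE script reported)."""
    return [p["port"] for p in ports if p["service"] in HTTP_SERVICES]


def unidentified_ports(ports):
    """Open ports -sV could not fingerprint (tcpwrapped, unknown or table-guessed)."""
    return [p["port"] for p in ports
            if p["service"] in ("tcpwrapped", "unknown") or not p["probed"]]
```

Feed it real output with `nmap -sV -oX scan.xml <host>` and `parse_open_ports(open("scan.xml").read())`; the ports returned by unidentified_ports are the ones that need manual follow-up.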
Port 22, identified as the SSH service, is commonly used for secure remote access to systems. Vulnerabilities associated with the OpenSSH service include:
- CVE-2014-1692 (OpenSSH Weak Key Generation)
- CVE-2014-2532 (OpenSSH User Enumeration)
- CVE-2014-2653 (OpenSSH Privilege Separation Bypass)
- CVE-2014-3127 (OpenSSH Environment Variable Injection)
- CVE-2014-3659 (OpenSSH Agent Authentication Bypass)
- CVE-2014-5352 (OpenSSH Weak HMAC Comparison)
The listed vulnerabilities are all on the CVE (Common Vulnerabilities and Exposures) list and therefore pose significant risks to system security. It is essential to regularly update OpenSSH and harden SSH configurations to mitigate these vulnerabilities.
Port 9929, identified as the Nping-echo service, is used by Nping, a tool used for network packet generation and analysis. The vulnerabilities associated with the Nping-echo service include:
- Denial of Service (DoS)
- Buffer Overflows
- Privilege Escalation
- Information Disclosure
Port 31337, also known as the "Elite" port, is often associated with backdoor access and is historically used by hackers for unauthorized access to systems. It's imperative to closely monitor and secure this port to prevent potential exploitation by malicious actors. Vulnerabilities associated with the tcpwrapped service include:
- Buffer Overflows
- Denial of Service (DoS)
- Bypassing Access Controls
Port 80 is commonly used for HTTP web services. The http-enum script enumerates directories used by popular web applications and servers. The initial http-enum scan reveals an interesting directory, which prompted a further investigation into the HTTP port; running the scan again with the display-all argument reveals:
- Potential path traversal vulnerabilities in VMware (CVE-2009-3733)
- Detection of a 400 Bad Request status code
- Identification of interesting directories such as 'icons', 'server-status', 'shared', and 'images'
The detection of a 400 Bad Request status code suggests that the server detected a malicious request and responded with an error, indicating potential security measures in place.
Utilizing preloaded NSE scripts to gather additional information about the target system:
- The ssh-auth-methods script reveals support for public key and password authentication methods.
- The ssh-hostkey script displays the host keys for each supported key algorithm.
- The unusual-port script confirms no unusual port usage.
SSH Authentication Methods script
SSH Hostkey script
Scan for unusual ports
By examining the SSH authentication methods and host key algorithms, potential security risks related to SSH access can be identified and addressed. The confirmation of no unusual port usage provides reassurance that the services are running on their standard ports.
This network discovery test using Nmap on scanme.nmap.org identified various open ports, potential vulnerabilities, and interesting directories. Further analysis and mitigation strategies can be implemented based on the findings.