nmap-python

An optimized way to use Masscan and Nmap with Python

Information

I ended up wasting a lot of time doing long and detailed scans with nmap, but in the end they were needed.

To get rid of this problem, I needed to be very accurate about what I was supposed to scan. A good way to speed up this process is to extract a list of open ports first and then run the full scan only against those ports to get all the details I need.

To do this, run masscan, take the list of open ports, and run a full scan with nmap on those ports. If masscan fails, run nmap's fast scan instead, take the list of open ports from it, and run the full scan afterwards. See Details and Example to see how this works with this code.

Configuration

Install some Python packages:

pip install netifaces
pip install python-nmap
pip install python-masscan

Details

The python_masscan.py file contains 1 usable function:

  • masscanProcess
    • This function receives a string with the host IP or DNS
    • The scan will start executing this argument in masscan: --max-rate 1000 --adapter-ip (your ip)
    • When the scan is finished, some information will be displayed on the screen
    • This function will return the dictionary generated by the scan and a string containing all the open ports on the host, separated by commas
    • Output example:
      nmap-python on  main [!] via 🐍 v2.7.18 took 1m9s sudo /bin/python3 /home/kaio/Documentos/nmap-python/example.py
      [*] MasScan:
      [*] ----------------------------------------------------
      [*] IP:  192.168.0.120
      [*] Protocol : tcp
      [*] port : 53   state : open
      [*] port : 5900 state : open
      [*] port : 514  state : open
      [*] port : 6000 state : open
      [*] port : 8180 state : open
      [*] port : 445  state : open
      [*] port : 22   state : open
      [*] port : 80   state : open
      [*] port : 23   state : open
      [*] port : 25   state : open
      [*] port : 2049 state : open
      [*] port : 8009 state : open
      [*] port : 1524 state : open
      [*] port : 512  state : open
      [*] port : 2121 state : open
      [*] port : 3306 state : open
      [*] port : 513  state : open
      [*] port : 139  state : open
      [*] port : 21   state : open
      [*] port : 111  state : open
      [*] port : 5432 state : open
      [*] port : 1099 state : open
      [*] port : 6667 state : open
      [*] MasScan execution time: 23.2347 s

The python_nmap.py file contains 3 usable functions:

  • nmapFastScanProcess
    • This function receives a string with the host IP or DNS
    • The scan will start executing this argument in nmap: -A -T5
    • When the scan is finished, some information will be displayed on the screen
    • This function will return the dictionary generated by the scan and a string containing all the open ports on the host, separated by commas
    • Output example:
      nmap-python on  main [!] via 🐍 v2.7.18 took 59s sudo /bin/python3 /home/kaio/Documentos/nmap-python/example.py
      [*] Nmap:
      [*] ----------------------------------------------------
      [*] IP : 192.168.0.120
      [*] port : 21   state : open
      [*] port : 22   state : open
      [*] port : 23   state : open
      [*] port : 25   state : open
      [*] port : 53   state : open
      [*] port : 80   state : open
      [*] port : 111  state : open
      [*] port : 139  state : open
      [*] port : 445  state : open
      [*] port : 512  state : open
      [*] port : 513  state : open
      [*] port : 514  state : open
      [*] port : 1099 state : open
      [*] port : 1524 state : open
      [*] port : 2049 state : open
      [*] port : 2121 state : open
      [*] port : 3306 state : open
      [*] port : 5432 state : open
      [*] port : 5900 state : open
      [*] port : 6000 state : open
      [*] port : 6667 state : open
      [*] port : 8009 state : open
      [*] port : 8180 state : open
      [*] Nmap fast scan execution time: 36.2570 s
  • nmapCompleteScanProcess
    • This function receives two strings: the host IP or DNS and a comma-separated port list
    • The scan will start executing this argument in nmap: -p (port_list) -O -sT -sV -sC -A -T5
    • When the scan is finished, some information will be displayed on the screen
    • This function will return the dictionary generated by the scan
    • Output example:
      nmap-python on  main [!] via 🐍 v2.7.18 took 59s sudo /bin/python3 /home/kaio/Documentos/nmap-python/example.py
      [*] Details:
      [*] ----------------------------------------------------
      [*] Hostname : 
      [*] State : up
      [*] OS guess: Linux 2.6.9 - 2.6.33      , accuracy: 100
      [*] Last boot: Tue Dec 21 19:06:08 2021
      [*] ----------------------------------------------------
      [*] Protocol : tcp
      [*] port : 21   state : open    service : ftp           product : vsftpd 2.3.4 
      [*] port : 22   state : open    service : ssh           product : OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
      [*] port : 23   state : open    service : telnet                product : Linux telnetd  
      [*] port : 25   state : open    service : smtp          product : Postfix smtpd  
      [*] port : 53   state : open    service : domain                product : ISC BIND 9.4.2 
      [*] port : 80   state : open    service : http          product : Apache httpd 2.2.8 (Ubuntu) DAV/2
      [*] port : 111  state : open    service : rpcbind               product :  2 RPC #100000
      [*] port : 139  state : open    service : netbios-ssn           product : Samba smbd 3.X - 4.X workgroup: WORKGROUP
      [*] port : 445  state : open    service : netbios-ssn           product : Samba smbd 3.X - 4.X workgroup: WORKGROUP
      [*] port : 512  state : open    service : exec          product : netkit-rsh rexecd  
      [*] port : 513  state : open    service : login         product : OpenBSD or Solaris rlogind  
      [*] port : 514  state : open    service : tcpwrapped            product :   
      [*] port : 1099 state : open    service : java-rmi              product : GNU Classpath grmiregistry  
      [*] port : 1524 state : open    service : bindshell             product : Metasploitable root shell  
      [*] port : 2049 state : open    service : nfs           product :  2-4 RPC #100003
      [*] port : 2121 state : open    service : ftp           product : ProFTPD 1.3.1 
      [*] port : 3306 state : open    service : mysql         product : MySQL 5.0.51a-3ubuntu5 
      [*] port : 5432 state : open    service : postgresql            product : PostgreSQL DB 8.3.0 - 8.3.7 
      [*] port : 5900 state : open    service : vnc           product : VNC  protocol 3.3
      [*] port : 6000 state : open    service : X11           product :   access denied
      [*] port : 6667 state : open    service : irc           product : UnrealIRCd  
      [*] port : 8009 state : open    service : ajp13         product : Apache Jserv  Protocol v1.3
      [*] port : 8180 state : open    service : http          product : Apache Tomcat/Coyote JSP engine 1.1 
      [*] Nmap complete scan execution time: 36.3461 s
  • nmapCustomScanProcess
    • This function receives 3 parameters: a host IP or DNS, a string with the custom nmap arguments and a port to scan
    • The scan will start executing the following argument in nmap: -p (port) (custom argument)
    • This function will return the dictionary generated by the scan and a summary dictionary with the main information extracted
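As an added example (not the project's own code), the two transformations the functions above describe, written against the dictionary that python-nmap's PortScanner.scan() returns (the same structure this README prints under Example): building the comma-separated open-port string that the complete scan takes for -p, and extracting a summary dictionary of host state, OS guess and per-port service details. The embedded sample result is constructed from the page's Metasploitable output and trimmed to a few ports; one closed port is added to show it being filtered out.

```python
import json
from typing import Any, Dict

# Constructed sample shaped like the dictionary python-nmap's PortScanner.scan()
# returns (and like the project's printed output); trimmed to a few ports, with
# a closed port added so the filtering is visible.
SAMPLE_RESULT: Dict[str, Any] = {
    "nmap": {"command_line": "nmap -oX - -p 21,22,514 -O -sT -sV -sC -A -T5 192.168.0.120",
             "scanstats": {"elapsed": "36.47", "uphosts": "1", "downhosts": "0"}},
    "scan": {
        "192.168.0.120": {
            "hostnames": [{"name": "", "type": ""}],
            "status": {"state": "up", "reason": "arp-response"},
            "uptime": {"seconds": "450", "lastboot": "Tue Dec 21 19:06:08 2021"},
            "tcp": {
                "21": {"state": "open", "name": "ftp", "product": "vsftpd", "version": "2.3.4", "extrainfo": "", "conf": "10"},
                "22": {"state": "open", "name": "ssh", "product": "OpenSSH", "version": "4.7p1 Debian 8ubuntu1", "extrainfo": "protocol 2.0", "conf": "10"},
                "514": {"state": "open", "name": "tcpwrapped", "product": "", "version": "", "extrainfo": "", "conf": "8"},
                "8080": {"state": "closed", "name": "http-proxy", "product": "", "version": "", "extrainfo": "", "conf": "3"},
            },
            "osmatch": [{"name": "Linux 2.6.9 - 2.6.33", "accuracy": "100"}],
        }
    },
}


def open_port_list(result: Dict[str, Any], host: str, proto: str = "tcp") -> str:
    """Return the open ports of `host` as the comma-separated string the complete
    scan expects for -p. Port keys are ints on a live PortScanner result and
    strings after a JSON round trip, so both are accepted and sorted numerically."""
    ports = result.get("scan", {}).get(host, {}).get(proto, {})
    opened = sorted(int(p) for p, info in ports.items() if info.get("state") == "open")
    return ",".join(str(p) for p in opened)


def summarize_scan(result: Dict[str, Any], host: str) -> Dict[str, Any]:
    """Pull the fields the project prints (hostname, state, OS guess, last boot,
    per-port service/product) out of the raw dictionary. Only open ports are kept;
    'tcpwrapped' with a low 'conf' means nmap could not fingerprint the service."""
    h = result["scan"][host]
    names = [n["name"] for n in h.get("hostnames", []) if n.get("name")]
    best_os = max(h.get("osmatch", []), key=lambda m: int(m.get("accuracy", 0)), default=None)
    summary: Dict[str, Any] = {
        "host": host,
        "hostname": names[0] if names else "",
        "state": h.get("status", {}).get("state", "unknown"),
        "os_guess": best_os["name"] if best_os else "",
        "os_accuracy": int(best_os["accuracy"]) if best_os else 0,
        "lastboot": h.get("uptime", {}).get("lastboot", ""),
        "ports": {},
    }
    for port, info in h.get("tcp", {}).items():
        if info.get("state") != "open":
            continue
        parts = (info.get("product", ""), info.get("version", ""), info.get("extrainfo", ""))
        summary["ports"][int(port)] = {
            "service": info.get("name", ""),
            "product": " ".join(x for x in parts if x),
            "confidence": int(info.get("conf", 0)),
        }
    return summary


if __name__ == "__main__":
    print(open_port_list(SAMPLE_RESULT, "192.168.0.120"))
    print(json.dumps(summarize_scan(SAMPLE_RESULT, "192.168.0.120"), indent=2))
```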

Example

I usually use these functions like this:

import python_masscan
import python_nmap

# Setting the target
host = '192.168.0.120'

# Try masscan first; if it fails for some reason (for example, it is not installed
# or was not run as root), fall back to nmap's fast scan to get the open ports
try:
    # Extracting the dictionary and the list of ports from the masscan module
    scan_ms, port_list = python_masscan.masscanProcess(host)
except Exception as err:
    print('[!] masscan failed ({}), falling back to nmap fast scan'.format(err))
    # Extracting the dictionary and the list of ports from the nmap module
    scan_nm, port_list = python_nmap.nmapFastScanProcess(host)

# Running the complete scan only against the open ports found above
complete_scan = python_nmap.nmapCompleteScanProcess(host, port_list)

# Printing the dictionary
print(complete_scan)

This example generates the following output after the scan that I did on the Metasploitable machine:

{
   "nmap":{
      "command_line":"nmap -oX - -p 514,1524,1099,21,6000,6667,445,512,111,139,53,22,25,23,2121,5900,5432,3306,513,8009,80,2049,8180 -O -sT -sV -sC -A -T5 192.168.0.120",
      "scaninfo":{
         "tcp":{
            "method":"connect",
            "services":"21-23,25,53,80,111,139,445,512-514,1099,1524,2049,2121,3306,5432,5900,6000,6667,8009,8180"
         }
      },
      "scanstats":{
         "timestr":"Tue Dec 21 19:13:38 2021",
         "elapsed":"36.47",
         "uphosts":"1",
         "downhosts":"0",
         "totalhosts":"1"
      }
   },
   "scan":{
      "192.168.0.120":{
         "hostnames":[
            {
               "name":"",
               "type":""
            }
         ],
         "addresses":{
            "ipv4":"192.168.0.120",
            "mac":"08:00:27:62:D8:33"
         },
         "vendor":{
            "08:00:27:62:D8:33":"Oracle VirtualBox virtual NIC"
         },
         "status":{
            "state":"up",
            "reason":"arp-response"
         },
         "uptime":{
            "seconds":"450",
            "lastboot":"Tue Dec 21 19:06:08 2021"
         },
         "tcp":{
            "21":{
               "state":"open",
               "reason":"syn-ack",
               "name":"ftp",
               "product":"vsftpd",
               "version":"2.3.4",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:vsftpd:vsftpd:2.3.4",
               "script":{
                  "ftp-anon":"Anonymous FTP login allowed (FTP code 230)",
                  "ftp-syst":"\n  STAT: \nFTP server status:\n     Connected to 192.168.0.113\n     Logged in as ftp\n     TYPE: ASCII\n     No session bandwidth limit\n     Session timeout in seconds is 300\n     Control connection is plain text\n     Data connections will be plain text\n     vsFTPd 2.3.4 - secure, fast, stable\nEnd of status"
               }
            },
            "22":{
               "state":"open",
               "reason":"syn-ack",
               "name":"ssh",
               "product":"OpenSSH",
               "version":"4.7p1 Debian 8ubuntu1",
               "extrainfo":"protocol 2.0",
               "conf":"10",
               "cpe":"cpe:/o:linux:linux_kernel",
               "script":{
                  "ssh-hostkey":"\n  1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)\n  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)"
               }
            },
            "23":{
               "state":"open",
               "reason":"syn-ack",
               "name":"telnet",
               "product":"Linux telnetd",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/o:linux:linux_kernel"
            },
            "25":{
               "state":"open",
               "reason":"syn-ack",
               "name":"smtp",
               "product":"Postfix smtpd",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:postfix:postfix",
               "script":{
                  "smtp-commands":"metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, ",
                  "ssl-date":"2021-12-21T22:13:22+00:00; -2s from scanner time.",
                  "sslv2":"\n  SSLv2 supported\n  ciphers: \n    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5\n    SSL2_RC4_128_EXPORT40_WITH_MD5\n    SSL2_RC2_128_CBC_WITH_MD5\n    SSL2_DES_192_EDE3_CBC_WITH_MD5\n    SSL2_RC4_128_WITH_MD5\n    SSL2_DES_64_CBC_WITH_MD5"
               }
            },
            "53":{
               "state":"open",
               "reason":"syn-ack",
               "name":"domain",
               "product":"ISC BIND",
               "version":"9.4.2",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:isc:bind:9.4.2",
               "script":{
                  "dns-nsid":"\n  bind.version: 9.4.2"
               }
            },
            "80":{
               "state":"open",
               "reason":"syn-ack",
               "name":"http",
               "product":"Apache httpd",
               "version":"2.2.8",
               "extrainfo":"(Ubuntu) DAV/2",
               "conf":"10",
               "cpe":"cpe:/a:apache:http_server:2.2.8",
               "script":{
                  "http-server-header":"Apache/2.2.8 (Ubuntu) DAV/2",
                  "http-title":"Metasploitable2 - Linux"
               }
            },
            "111":{
               "state":"open",
               "reason":"syn-ack",
               "name":"rpcbind",
               "product":"",
               "version":"2",
               "extrainfo":"RPC #100000",
               "conf":"10",
               "cpe":""
            },
            "139":{
               "state":"open",
               "reason":"syn-ack",
               "name":"netbios-ssn",
               "product":"Samba smbd",
               "version":"3.X - 4.X",
               "extrainfo":"workgroup: WORKGROUP",
               "conf":"10",
               "cpe":"cpe:/a:samba:samba"
            },
            "445":{
               "state":"open",
               "reason":"syn-ack",
               "name":"netbios-ssn",
               "product":"Samba smbd",
               "version":"3.X - 4.X",
               "extrainfo":"workgroup: WORKGROUP",
               "conf":"10",
               "cpe":"cpe:/a:samba:samba"
            },
            "512":{
               "state":"open",
               "reason":"syn-ack",
               "name":"exec",
               "product":"netkit-rsh rexecd",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/o:linux:linux_kernel"
            },
            "513":{
               "state":"open",
               "reason":"syn-ack",
               "name":"login",
               "product":"",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":""
            },
            "514":{
               "state":"open",
               "reason":"syn-ack",
               "name":"tcpwrapped",
               "product":"",
               "version":"",
               "extrainfo":"",
               "conf":"8",
               "cpe":""
            },
            "1099":{
               "state":"open",
               "reason":"syn-ack",
               "name":"java-rmi",
               "product":"GNU Classpath grmiregistry",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":""
            },
            "1524":{
               "state":"open",
               "reason":"syn-ack",
               "name":"bindshell",
               "product":"Metasploitable root shell",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":""
            },
            "2049":{
               "state":"open",
               "reason":"syn-ack",
               "name":"nfs",
               "product":"",
               "version":"2-4",
               "extrainfo":"RPC #100003",
               "conf":"10",
               "cpe":""
            },
            "2121":{
               "state":"open",
               "reason":"syn-ack",
               "name":"ftp",
               "product":"ProFTPD",
               "version":"1.3.1",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:proftpd:proftpd:1.3.1"
            },
            "3306":{
               "state":"open",
               "reason":"syn-ack",
               "name":"mysql",
               "product":"MySQL",
               "version":"5.0.51a-3ubuntu5",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:mysql:mysql:5.0.51a-3ubuntu5",
               "script":{
                  "mysql-info":"\n  Protocol: 10\n  Version: 5.0.51a-3ubuntu5\n  Thread ID: 11\n  Capabilities flags: 43564\n  Some Capabilities: SupportsCompression, Support41Auth, SupportsTransactions, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, ConnectWithDatabase, LongColumnFlag\n  Status: Autocommit\n  Salt: Tg(-Jmf:,kZbZ!0lQ1B6"
               }
            },
            "5432":{
               "state":"open",
               "reason":"syn-ack",
               "name":"postgresql",
               "product":"PostgreSQL DB",
               "version":"8.3.0 - 8.3.7",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:postgresql:postgresql:8.3",
               "script":{
                  "ssl-date":"2021-12-21T22:13:22+00:00; -2s from scanner time."
               }
            },
            "5900":{
               "state":"open",
               "reason":"syn-ack",
               "name":"vnc",
               "product":"VNC",
               "version":"",
               "extrainfo":"protocol 3.3",
               "conf":"10",
               "cpe":"",
               "script":{
                  "vnc-info":"\n  Protocol version: 3.3\n  Security types: \n    VNC Authentication (2)"
               }
            },
            "6000":{
               "state":"open",
               "reason":"syn-ack",
               "name":"X11",
               "product":"",
               "version":"",
               "extrainfo":"access denied",
               "conf":"10",
               "cpe":""
            },
            "6667":{
               "state":"open",
               "reason":"syn-ack",
               "name":"irc",
               "product":"UnrealIRCd",
               "version":"",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:unrealircd:unrealircd",
               "script":{
                  "irc-info":"\n  users: 1\n  servers: 1\n  lusers: 1\n  lservers: 0\n  server: irc.Metasploitable.LAN\n  version: Unreal3.2.8.1. irc.Metasploitable.LAN \n  uptime: 0 days, 0:11:54\n  source ident: nmap\n  source host: 37B90734.F0D9233E.FFFA6D49.IP\n  error: Closing Link: jfcsgrgdq[192.168.0.113] (Quit: jfcsgrgdq)"
               }
            },
            "8009":{
               "state":"open",
               "reason":"syn-ack",
               "name":"ajp13",
               "product":"Apache Jserv",
               "version":"",
               "extrainfo":"Protocol v1.3",
               "conf":"10",
               "cpe":"",
               "script":{
                  "ajp-methods":"Failed to get a valid response for the OPTION request"
               }
            },
            "8180":{
               "state":"open",
               "reason":"syn-ack",
               "name":"http",
               "product":"Apache Tomcat/Coyote JSP engine",
               "version":"1.1",
               "extrainfo":"",
               "conf":"10",
               "cpe":"cpe:/a:apache:coyote_http_connector:1.1",
               "script":{
                  "http-favicon":"Apache Tomcat",
                  "http-server-header":"Apache-Coyote/1.1",
                  "http-title":"Apache Tomcat/5.5"
               }
            }
         },
         "hostscript":[
            {
               "id":"clock-skew",
               "output":"mean: -2s, deviation: 0s, median: -2s"
            },
            {
               "id":"ms-sql-info",
               "output":"ERROR: Script execution failed (use -d to debug)"
            },
            {
               "id":"nbstat",
               "output":"NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)"
            },
            {
               "id":"smb-os-discovery",
               "output":"ERROR: Script execution failed (use -d to debug)"
            },
            {
               "id":"smb-security-mode",
               "output":"ERROR: Script execution failed (use -d to debug)"
            },
            {
               "id":"smb2-time",
               "output":"Protocol negotiation failed (SMB2)"
            }
         ],
         "portused":[
            {
               "state":"open",
               "proto":"tcp",
               "portid":"21"
            },
            {
               "state":"closed",
               "proto":"udp",
               "portid":"41096"
            }
         ],
         "osmatch":[
            {
               "name":"Linux 2.6.9 - 2.6.33",
               "accuracy":"100",
               "line":"59153",
               "osclass":[
                  {
                     "type":"general purpose",
                     "vendor":"Linux",
                     "osfamily":"Linux",
                     "osgen":"2.6.X",
                     "accuracy":"100",
                     "cpe":[
                        "cpe:/o:linux:linux_kernel:2.6"
                     ]
                  }
               ]
            }
         ]
      }
   }
}