Nmap Tutorial: 7 NSE Scripts for Reconnaissance

This nmap tutorial covers NSE scripts for reconnaissance; previously I had only introduced NSE scripts in nmap in general.

Let's start with reconnaissance. What is reconnaissance? It is the preparation phase in which an attacker gathers as much information as possible about the target system they intend to attack.

Network scanning, whether from inside or outside the network, can also be counted as reconnaissance, and of course it is carried out without permission.


Now to the point: which 7 NSE scripts do I mean? As I mentioned when introducing the NSE feature in the previous article, there is now a very large number of NSE scripts to choose from.

Okay, without further ado, let's get straight to it; you are surely curious about this.

Nmap Tutorial (Indonesian): A Collection of NSE Scripts for Reconnaissance



1. DNS-BRUTE


Attempts to enumerate DNS hostnames by brute forcing common subdomain names.

Syntax: $ nmap --script dns-brute <target>
$ nmap --script dns-brute nmap.org

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 10:27 WIB
Nmap scan report for nmap.org (45.33.49.119)
Host is up (0.29s latency).
Other addresses for nmap.org (not scanned): 2600:3c01::f03c:91ff:fe98:ff4e
rDNS record for 45.33.49.119: ack.nmap.org
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    open   smtp
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed ident
443/tcp   open   https
31337/tcp closed Elite

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     ipv6.nmap.org - 2600:3c01:0:0:f03c:91ff:fe70:d085
|     chat.nmap.org - 45.33.32.156
|     chat.nmap.org - 2600:3c01:0:0:f03c:91ff:fe18:bb2f
|     *AAAA: 2600:3c01:0:0:f03c:91ff:fe98:ff4e
|_    *A: 45.33.49.119

Nmap done: 1 IP address (1 host up) scanned in 117.39 seconds

2. TRACEROUTE-GEOLOCATION


Lists the geographic location of each hop in the traceroute and can optionally save the results to a KML file,

which can then be loaded into Google Earth or other mapping tools.

Syntax: $ sudo nmap --traceroute --script traceroute-geolocation -p 80 <target>

$ sudo nmap --traceroute --script traceroute-geolocation -p 80 whatsapp.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 10:45 WIB
Nmap scan report for whatsapp.com (169.44.84.178)
Host is up (0.39s latency).
Other addresses for whatsapp.com (not scanned): 184.173.147.38 192.155.212.203 169.44.82.102 192.155.212.202 184.173.147.39
rDNS record for 169.44.84.178: b2.54.2ca9.ip4.static.sl-reverse.com

PORT   STATE SERVICE
80/tcp open  http

Host script results:
| traceroute-geolocation: 
|   HOP  RTT     ADDRESS                                               GEOLOCATION
|   1    5.54    _gateway (192.168.43.1)                               - ,- 
|   2    58.75   10.180.192.1                                          - ,- 
|   3    58.79   10.13.223.18                                          - ,- 
|   4    ...
|   5    ...
|   6    ...
|   7    ...
|   8    ...
|   9    ...
|   10   ...
|   11   ...
|   12   ...
|   13   ...
|   14   ...
|_  15   294.65  b2.54.2ca9.ip4.static.sl-reverse.com (169.44.84.178)  37.751,-97.822 United States ()

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   5.54 ms   _gateway (192.168.43.1)
2   58.75 ms  10.180.192.1
3   58.79 ms  10.13.223.18
4   ... 14
15  294.65 ms b2.54.2ca9.ip4.static.sl-reverse.com (169.44.84.178)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds


3. HTTP-SITEMAP-GENERATOR


Spiders a web server and displays its directory structure along with the number and types of files in each folder. Note that files listed under the
'Other' extension are those that have no extension or that are the document root.

Syntax: $ nmap -p 80 --script http-sitemap-generator <target>
$ nmap -p 80 --script http-sitemap-generator vulnweb.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 10:54 WIB
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.36s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de

PORT   STATE SERVICE
80/tcp open  http
| http-sitemap-generator: 
|   Directory structure:
|     /
|       Other: 1; png: 1
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_    Other: 1; png: 1

Nmap done: 1 IP address (1 host up) scanned in 3.19 seconds

4. HTTP-METHODS


Finds out which methods an HTTP server supports by sending an OPTIONS request, and lists the potentially risky ones.

It then tests the methods not mentioned in the OPTIONS response individually to see whether they are implemented anyway.

Any response other than 501/405 suggests that the method is implemented, as long as the status code is not in the 400 to 600 range.

Syntax: $ nmap --script http-methods <target>
$ nmap --script http-methods iflix.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 11:22 WIB
Nmap scan report for iflix.com (52.84.49.141)
Host is up (0.10s latency).
Other addresses for iflix.com (not scanned): 52.84.49.21 52.84.49.90 52.84.49.95
rDNS record for 52.84.49.141: server-52-84-49-141.hkg53.r.cloudfront.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
| http-methods: 
|_  Supported Methods: GET HEAD
443/tcp open  https
| http-methods: 
|_  Supported Methods: GET HEAD

Nmap done: 1 IP address (1 host up) scanned in 118.71 seconds
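As an added example (my own code, not part of the original post), the following Python parses the `| script:` blocks of nmap's normal output, in the layout shown in the scans above, and flags ports whose http-methods result lists methods a defender should review. The sample output and the risky-method watch list are constructed assumptions, not real scan data.

```python
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+")
# After "|" or "|_": at most one space plus a lowercase NSE script name and a
# colon is a script header; deeper indentation is a continuation line.
HEADER_RE = re.compile(r"^ ?([a-z0-9][a-z0-9-]*):(.*)$")

def parse_script_results(text):
    """Parse nmap normal output into {port or 'host': {script: [lines]}}."""
    results, port, script = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Host script results"):
            port = "host"
        elif PORT_RE.match(line):
            port = line.split()[0]                      # e.g. "80/tcp"
        elif line.startswith("|") and port is not None:
            body = line[2:] if line.startswith("|_") else line[1:]
            m = HEADER_RE.match(body)
            if m:
                script = m.group(1)
                lines = results.setdefault(port, {}).setdefault(script, [])
                if m.group(2).strip():
                    lines.append(m.group(2).strip())   # one-line result, e.g. http-title
            elif script is not None:
                results[port][script].append(body.strip())
    return results

RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}   # assumed defender watch list

def risky_methods(results):
    """Return {port: [risky methods]} for each http-methods result that lists one."""
    flagged = {}
    for port, scripts in results.items():
        for entry in scripts.get("http-methods", []):
            if entry.startswith("Supported Methods:"):
                risky = set(entry.split(":", 1)[1].split()) & RISKY_METHODS
                if risky:
                    flagged[port] = sorted(risky)
    return flagged

# Constructed sample in the layout of the scans above, not real scan output.
SAMPLE = """\
PORT    STATE SERVICE
80/tcp  open  http
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Example Site
"""
```

Running `risky_methods(parse_script_results(SAMPLE))` on the constructed sample reports TRACE on 80/tcp; the same parser handles the "Host script results:" blocks such as dns-brute.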

5. HTTP-ENUM


One of the scripts that has been properly tested, http-enum lets you brute force the target's web paths, but doing this through the Nmap Scripting Engine takes quite a long time.

Syntax: $ nmap --script http-enum <target>
$ nmap --script http-enum vnexpress.net

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 13:41 WIB
Nmap scan report for vnexpress.net (111.65.248.132)
Host is up (0.11s latency).
Other addresses for vnexpress.net (not scanned): 2001:df0:66:40::16
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-enum: 
|   /login.html: Possible admin folder
|   /rss/: RSS or Atom feed
|   /test.html: Test page
|   /test.php: Test page
|   /robots.txt: Robots file
|   /crossdomain.xml: Adobe Flash crossdomain policy
|   /info.php: Possible information file
|   /0/: Potentially interesting folder
|   /default/: Potentially interesting folder
|_  /index/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 342.32 seconds


6. HTTP-TITLE


This Nmap Scripting Engine script displays the page title served by a web server;

its only purpose is to make it easier for you to find a page's title on a site.

Syntax: $ nmap -sV --script http-title -p 80 <target>

$ nmap -sV --script http-title -p 80 vulnweb.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 14:24 WIB
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.45s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.4.1
|_http-server-header: nginx/1.4.1
|_http-title: Acunetix Web Vulnerability Scanner - Test websites

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.71 seconds


7. WHOIS-DOMAIN


The script starts by querying whois.iana.org (the root of the whois servers).

Using several patterns, the script determines whether a response is a referral to a record hosted elsewhere. If it is, it queries that referral.

The script keeps repeating this until a response matches none of the patterns, meaning there is no further referral, and then prints the output.

Syntax: $ nmap --script whois-domain <target>

$ nmap --script whois-domain vulnweb.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-22 14:32 WIB
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.22s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
Not shown: 987 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
106/tcp  open     pop3pw
110/tcp  open     pop3
143/tcp  open     imap
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
3128/tcp filtered squid-http
8443/tcp open     https-alt

Host script results:
| whois-domain: 
| 
| Domain name record found at whois.verisign-grs.com
|    Domain Name: VULNWEB.COM\x0D
|    Registry Domain ID: 1602006391_DOMAIN_COM-VRSN\x0D
|    Registrar WHOIS Server: whois.eurodns.com\x0D
|    Registrar URL: http://www.EuroDNS.com\x0D
|    Updated Date: 2018-06-08T03:21:41Z\x0D
|    Creation Date: 2010-06-14T07:50:29Z\x0D
|    Registry Expiry Date: 2019-06-14T07:50:29Z\x0D
|    Registrar: EuroDNS S.A\x0D
|    Registrar IANA ID: 1052\x0D
|    Registrar Abuse Contact Email: legal@eurodns.com\x0D
|    Registrar Abuse Contact Phone: +352.27220150\x0D
|    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\x0D
|    Name Server: NS1.EURODNS.COM\x0D
|    Name Server: NS2.EURODNS.COM\x0D
|    Name Server: NS3.EURODNS.COM\x0D
|    Name Server: NS4.EURODNS.COM\x0D
|    DNSSEC: unsigned\x0D
|    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\x0D
| >>> Last update of whois database: 2018-09-22T07:33:11Z <<<\x0D
| \x0D
| For more information on Whois status codes, please visit https://icann.org/epp\x0D
| \x0D
| NOTICE: The expiration date displayed in this record is the date the\x0D
| registrar's sponsorship of the domain name registration in the registry is\x0D
| currently set to expire. This date does not necessarily reflect the expiration\x0D
| date of the domain name registrant's agreement with the sponsoring\x0D
| registrar.  Users may consult the sponsoring registrar's Whois database to\x0D
| view the registrar's reported date of expiration for this registration.\x0D
| \x0D
| TERMS OF USE: You are not authorized to access or query our Whois\x0D
| database through the use of electronic processes that are high-volume and\x0D
| automated except as reasonably necessary to register domain names or\x0D
| modify existing registrations; the Data in VeriSign Global Registry\x0D
| Services' ("VeriSign") Whois database is provided by VeriSign for\x0D
| information purposes only, and to assist persons in obtaining information\x0D
| about or related to a domain name registration record. VeriSign does not\x0D
| guarantee its accuracy. By submitting a Whois query, you agree to abide\x0D
| by the following terms of use: You agree that you may use this Data only\x0D
| for lawful purposes and that under no circumstances will you use this Data\x0D
| to: (1) allow, enable, or otherwise support the transmission of mass\x0D
| unsolicited, commercial advertising or solicitations via e-mail, telephone,\x0D
| or facsimile; or (2) enable high volume, automated, electronic processes\x0D
| that apply to VeriSign (or its computer systems). The compilation,\x0D
| repackaging, dissemination or other use of this Data is expressly\x0D
| prohibited without the prior written consent of VeriSign. You agree not to\x0D
| use electronic processes that are automated and high-volume to access or\x0D
| query the Whois database except as reasonably necessary to register\x0D
| domain names or modify existing registrations. VeriSign reserves the right\x0D
| to restrict your access to the Whois database in its sole discretion to ensure\x0D
| operational stability.  VeriSign may restrict or terminate your access to the\x0D
| Whois database for failure to abide by these terms of use. VeriSign\x0D
| reserves the right to modify these terms at any time.\x0D
| \x0D
| The Registry database contains ONLY .COM, .NET, .EDU domains and\x0D
|_Registrars.\x0D

Nmap done: 1 IP address (1 host up) scanned in 26.69 seconds
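To make the referral-following loop described in the whois-domain section concrete, here is an added Python example (my own code, not nmap's whois-domain Lua script). It generalizes slightly beyond the output above by also following the "Registrar WHOIS Server:" line to the registrar; the responses are constructed offline stand-ins, whois.registrar.example is a placeholder host name, and whois_tcp is the real transport a practitioner would plug in instead of the fake lookup.

```python
import re
import socket

# Referral markers as the text describes them: the IANA root answers with a
# "refer:" line; a registry record names the registrar's server (see above).
REFERRAL_PATTERNS = [
    re.compile(r"^\s*refer:\s*(\S+)", re.I | re.M),
    re.compile(r"^\s*Registrar WHOIS Server:\s*(\S+)", re.I | re.M),
]

def find_referral(response):
    """Return the next whois server a response points to, or None."""
    for pattern in REFERRAL_PATTERNS:
        m = pattern.search(response)
        if m:
            return m.group(1).lower()
    return None

def whois_tcp(server, query, timeout=10):
    """Real transport: one query over TCP port 43 (not used by the offline demo)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        return b"".join(iter(lambda: s.recv(4096), b"")).decode(errors="replace")

def follow_referrals(domain, query, root="whois.iana.org", max_hops=5):
    """Start at the root and follow referrals until a response names no new server.
    Returns (servers queried in order, text of the final response)."""
    server, visited, response = root, [], ""
    while server not in visited and len(visited) < max_hops:
        visited.append(server)
        response = query(server, domain)
        nxt = find_referral(response)
        if nxt is None:
            break
        server = nxt                 # a server seen before ends the loop (cycle guard)
    return visited, response

# Constructed responses standing in for three whois servers; the registrar
# host name is a placeholder, not a real server.
FAKE_SERVERS = {
    "whois.iana.org": "refer:        whois.verisign-grs.com\ndomain:       COM\n",
    "whois.verisign-grs.com": "   Domain Name: EXAMPLE.COM\n"
                              "   Registrar WHOIS Server: whois.registrar.example\n",
    "whois.registrar.example": "Domain Name: example.com\nRegistrar: Example Registrar\n",
}

def demo():
    return follow_referrals("example.com", lambda srv, dom: FAKE_SERVERS[srv])
```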

So, how was this nmap tutorial on 7 NSE scripts for recon? Did it help you? Is it something you had been looking for a while and only found now? Let me know in the comments!

Comments

  1. Nice post, bro..
    Very useful :)

    Replies
    1. Btw, could you do a Termux tutorial on getting root access, bro? On my end it keeps throwing errors..
      I'm a newbie, bro hehe

    2. Thanks first of all, bro, but how do you mean getting root access? As far as I know, rooting an Android device works differently from device to device, for example using KingRoot.
      Or do you mean so you can use sudo? Then you just have to install the package called tsu.

      The installation command:

      $ apt install tsu

