Nmap with snmp-brute script freezes at 33.33%

I’m currently undergoing a penetration testing course where I discover the basics and I have a task where I need to perform SNMP enumeration on a target.

My working environment is as follows :
Host : Windows 10 (64-bit)
Oracle VM VirutalBox machines :

  • Kali Linux 2019.4 (64-bit) : attacker machine, 4GB of RAM, 4 vCPUs, fully up-to-date, NAT network 10.10.10.0/24 with address 10.10.10.11
  • Windows Server 2012R2 (64-bit) : target machine, 5GB of RAM, 2 vCPUs, fully up-to-date, same NAT network 10.10.10.0/24 with address 10.10.10.12

On the target machine, SNMP service has been activated via the “Add roles and features” window and configured to have a basic “public” community string and to allow SNMP packets from any host.

The problem :

I need to use the following command : nmap -sU -p 161 --script=snmp-brute 10.10.10.12 on Kali Linux to brute-force the community string of the target machine.

But when I do so, UDP scan goes on without a problem, but the NSE script just freezes at 33.33%. If I use combination CTRL+X (found it accidentally, didn’t know it was a thing) I get the following information :

Stats: 12:26:31 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan NSE Timing: About 33.33% done; ETC: 04:57 (24:53:00 remaining) 

and the “time remaining” keeps on rising.

If I increase debugging level to 2 with d, I get these similar packets forever :

NSOCK INFO [47243.1930s] nsock_pcap_read_packet(): Pcap read request from IOD #2  EID 262533 NSOCK INFO [47243.4940s] nsock_trace_handler_callback(): Callback: READ-PCAP TIMEOUT for EID 262533  

Can someone please shed some light on this problem for me ? Thank you very much

Nessus detect more open ports than nmap

I scan my site via namp , I only see 3 ports open.

nmap -sV {ip}                                                               Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 09:42 EST                                     Nmap scan report for {ip}                                                                Host is up (0.023s latency).                                                                        Not shown: 997 filtered ports                                                                       PORT    STATE  SERVICE VERSION                                                                      22/tcp  open   ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)              80/tcp  open   http    nginx                                                                        443/tcp closed https                                                                                Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                              Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .      Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds   

When I scan that same IP on Nessus, I see

Output

Port 2052/tcp was found to be open Port    Hosts 2052 / tcp / www     www.my-site.com Port 2053/tcp was found to be open Port    Hosts 2053 / tcp / www     www.my-site.com Port 2082/tcp was found to be open Port    Hosts 2082 / tcp / www     www.my-site.com Port 2083/tcp was found to be open Port    Hosts 2083 / tcp / www     www.my-site.com Port 2086/tcp was found to be open Port    Hosts 2086 / tcp / www     www.my-site.com Port 2087/tcp was found to be open Port    Hosts 2087 / tcp / www     www.my-site.com Port 2095/tcp was found to be open Port    Hosts 2095 / tcp / www     www.my-site.com Port 2096/tcp was found to be open Port    Hosts 2096 / tcp / www     www.my-site.com Port 443/tcp was found to be open Port    Hosts 443 / tcp / www  www.my-site.com Port 80/tcp was found to be open Port    Hosts 80 / tcp / www   www.my-site.com Port 8080/tcp was found to be open Port    Hosts 8080 / tcp / www     www.my-site.com Port 8443/tcp was found to be open Port    Hosts 8443 / tcp / www     www.my-site.com Port 8880/tcp was found to be open Port    Hosts 8880 / tcp / www     www.my-site.com 

Why they’re different? Are they hidden ports?

What nmap commands should I use to same amount of port listed from Nessus ?

nmap different results when scanning from different sources

I get slightly different results when scanning a IP from 2 different hosts. Here is scan 1 from an internet server with a public IP:

Nmap 7.80 scan initiated Tue Jan 21 18:48:08 2020 as: nmap -Pn -sS -p25 -T 2 --reason -v 3.XXX.XXX.XXX Nmap scan report for XXX.eu-central-1.compute.amazonaws.com Host is up, received user-set.  PORT   STATE    SERVICE REASON 25/tcp filtered smtp    no-response  Read data files from: /usr/bin/../share/nmap Nmap done at Tue Jan 21 18:48:22 2020 -- 1 IP address (1 host up) scanned in 13.49 seconds 

And here scan 2 from a local network PC:

root@kali:/# nmap -Pn -sS -p25 -T 2 --reason -v 3.XXX.XXX.XXX Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-21 17:52 CET [ ... ] Scanning XXX.eu-central-1.compute.amazonaws.com [1 port] Completed SYN Stealth Scan at 17:52, 0.40s elapsed (1 total ports) Nmap scan report for XXX.eu-central-1.compute.amazonaws.com Host is up, received user-set (0.0013s latency).  PORT   STATE  SERVICE REASON 25/tcp closed smtp    reset ttl 62  Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds            Raw packets sent: 1 (44B) | Rcvd: 1 (40B) 

The nmap command line was exactly the same, but the port state differs. And since my local machine gets more info – it gets an actual response from the target – it shouldn’t be a firewall-related problem or sth. similar.

Any idea why I get diffrent results?

Proper vulnerability scan on LAN devices (nmap)

I’m playing around with nmap sometimes to understand and remember different parameters. I would like to scan devices on my LAN for vulnerabilities. Something like:

$ nmap -sU --script vuln 192.168.52.0/24 -v

I got pretty much accurate information about devices and vulnerabilities on my LAN in stdout, but its not pretty readable so my question is: what is a good manner to perform a representative vulnerability scan on the local network (192.168.52.0/24)? I was thinking about -oX, and I am curious to different new manners.

Regards, Lajos.

Nmap giving different result between Mac OS scan and Linux (Kali) scan

I try to do a simple TCP scan on an Kubunt VM (is on VirtualBox), from two different OS. From the Host (Mac OS system) and from a Kali Linux VM (tried VirtualBox and Parallels also). Kali Linux (same result VirtualBox and Parallels) gives:

enter image description here

From Mac OS (run with root privileges, to simulate the same scan from Kali):

enter image description here

So run a Nmap scan from Mac OS gives more open ports on the same VM, with the same privilege of scan, etc. Mind blowing…

If I scan just a port (from Kali VM) try the 110, the result is that is closed:

enter image description here

Why is it happening?

Block ping request and Nmap scan

I am learning nmap scanning from beginning.

I tried to scan my office pc with the following command

nmap -sP -PP 192.168.1.104 --disable-arp-ping 

and it works fine..It shows that 1 host is up

BUT

when I tried to scan for open ports then it shows errors.

I have used all commands like nmap -f, nmap -sI etc but I can’t scan the host.

Actually my target pc is using Symantec antivirus and he is blocking my IP address because when I used to ping then it shows nothing.

nmap: Same IP, different domain names, different results?

I’m scanning a network (whose name will not be stated). It has >1 IP addresses. When I tried scanning its subdomains, there are several subdomains that are translated to the same IP address but return different scan reports (like different ports being reported).

For example:

nmap subdomain1 nmap subdomain2 nmap i.p.v.4 # The IPv4 that both subdomains translate to  nmap subdomain1 -A -p- nmap subdomain2 -A -p- nmap i.p.v.4 -A -p- # This also returns different results 

Those 3 all return different port findings.

From what I know, the URL/domain name should just be translated to the IP then scan, so I think they should all return the same results.

Why are different results returned? Is it because of domain translation (something I missed?) or is it something else?

Also, if given an IP address of a domain and its subdomains with the same IP, should I just scan the IP (save time and resources) or should I also scan every subdomain?

nmap – Searching a string from some standard services using nmap

I wanted to know if there is a way of searching a string trough the responses given by standard commands of standard services like telnet, smtp, etc using nmap.

For example, given a smtp server that answers “This is the searched string” when it receives the helo command, I want a way of using nmap that indicates that i should use helo to find that string.

Firebase ports scanning using nmap

Purely for research purposes used nmap to check security of my application deployed to Firebase. However, there some questions which I can’t understand:

  1. Why Firebase has open so many ports? Something like few hundreds.
  2. Almost on every port I’m getting an error auth-owners: ERROR: Script execution failed without any information about it. Why is that? The only one which gives some information are the following ports: 80, 443, 5269, and 65389.
  3. Is TCP Sequence Prediction difficulty=17 and Network Distance 2 hops a good or bad result?
  4. What means ssl-date: TLS randomness does not represent time?
  5. What means IP ID Sequence Generation: Incremental?
  6. What are Aggressive OS guesses?
  7. I could see the open few hundreds of ports only after first scan, later on couldn’t replicate this. Is it possible that Firebase/Google closed the ports or blocked me for some of them? In second scan and every other I could see only information about open ports 80, and 443 with a log “Not shown: 998 filtered ports”.
  8. I did test this on Kali Linux using VirtualBox. In the nmap output I can see Running: Oracle Virtualbox, OS CPE: cpe:/o:oracle:virtualbox, OS details: Oracle Virtualbox, is it about my system or the scanned website hsoted on Firebase?

Even answers for some of this questions would be already really appreciated!