nmap scan (windows machine)

While doing a pentest it is important to know which services the target machine is running. Whatever the target OS (Linux/Windows), nmap can reveal the open ports and the services listening on them.

Let's start with a simple nmap scan:

# nmap 10.10.10.10

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:34 EST
Nmap scan report for 10.10.10.10
Host is up (0.18s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1042/tcp filtered afrog
1433/tcp open     ms-sql-s

If you run nmap with only an IP, it shows the result above: each open port and the service nmap assumes runs on it. If you want more detail, use the following nmap command:

# nmap -sC -sV 10.10.10.10

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:44 EST
Nmap scan report for 10.10.10.10
Host is up (0.18s latency).

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info: 
|   Target_Name: CLI
|   NetBIOS_Domain_Name: CLI
|   NetBIOS_Computer_Name: CLIENT
|   DNS_Domain_Name: CLI.LOCAL
|   DNS_Computer_Name: CLIENT.CLI.LOCAL
|   DNS_Tree_Name: CLI.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-03-03T15:44:21
|_Not valid after:  2049-03-03T15:44:21
|_ssl-date: 2019-03-03T15:45:38+00:00; 0s from scanner time.

Host script results:
| ms-sql-info: 
|   10.10.10.10:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-03-03 10:45:39
|_  start_date: N/A

With these options nmap grabs service banners (-sV) and runs the default NSE scripts (-sC). To learn more about these and other options, check the nmap manual page.

By default nmap only scans the top 1000 ports. To scan all 65535 ports, use the '-p-' option as below:

# nmap 10.10.10.10 -p-

I have not included the result here; think of it as your task.

If you want to know the default service for each port, and you happen to be an Ubuntu user, open /etc/services to look it up. In the result above we can see ports 139 and 445, which are SMB ports. Another interesting port is 1433, the MSSQL port. We can dig further into it using other available tools.
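Tying the scan output to the /etc/services lookup just described, here is an added shell example (not from the original post) that parses nmap's normal output for open ports and looks each one up in an /etc/services-style table. The scan text is the one shown above, embedded as a sample so the script runs offline; the services table is a constructed excerpt, and open_ports, lookup_service and report are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: list open ports from nmap's
# normal output and map each port to its /etc/services name.

# Sample nmap output, constructed from the scan shown in the post.
SAMPLE_SCAN='Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:34 EST
Nmap scan report for 10.10.10.10
Host is up (0.18s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1042/tcp filtered afrog
1433/tcp open     ms-sql-s'

# Constructed excerpt in /etc/services format: name port/proto [aliases] [# comment].
SERVICES_TABLE='epmap           135/tcp         loc-srv         # DCE endpoint resolution
netbios-ssn     139/tcp                         # NETBIOS session service
microsoft-ds    445/tcp
ms-sql-s        1433/tcp                        # Microsoft-SQL-Server'

# open_ports: read nmap normal output on stdin and print "port/proto service"
# for every line whose STATE column is "open". Header lines and filtered or
# closed ports (e.g. "1042/tcp filtered afrog") are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# lookup_service PORT/PROTO: print the services-table name for a port, or "unknown".
lookup_service() {
    printf '%s\n' "$SERVICES_TABLE" | awk -v want="$1" '
        $2 == want { print $1; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# report: one line per open port, showing nmap's service guess next to the
# services-table name so mismatches stand out (e.g. msrpc vs. epmap).
report() {
    printf '%s\n' "$SAMPLE_SCAN" | open_ports | while read -r port svc; do
        printf '%s nmap=%s services=%s\n' "$port" "$svc" "$(lookup_service "$port")"
    done
}

report
```

On a real engagement you would save the scan with `nmap -oN scan.txt <target>` and run `open_ports < scan.txt`, and read the system's /etc/services instead of the embedded excerpt; the parsing is the same.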

Note: If you are going to test MSSQL from Ubuntu, you can use sqlectron, a lightweight, simple, cross-platform MSSQL client.
