Recon: Gaining Credentials with Nmap Scripts

(Yawn) Morning once again. Valentine here with another Nmap tutorial. This time I’m gonna talk about Scripts in Nmap.

Scripts in Nmap are probably one of my favorite features. Not only can they figure out the users on the system but also bruteforce the password. I discovered these scripts not to long ago, like yesterday, when I ran into a issue, getting the admin credentials. In this tutorial I’m gonna do my best to explain how to use scripts effectively, but I claim no responsibility. Cheers.

On a more serious note, in my last tutorial I explained basics (if you could call it that, lulz). There’s one issue with just a scan that I’ve concluded, sometimes exploits work best when you’ve cracked the admin credentials. This scenario happens more often then most expect, for example the microsoft-ds vulnerability which runs on Windows XP and Windows 2000. Some of you who are reading this may think that this vulnerability is rare, but truth be told a lot of people still run Windows XP or Windows 2000 (mainly Windows XP from my experiences). Security to most doesn’t matter. The vulnerability runs on port 445 and from my research there’s even a exploit for it. As this article states:

“While ports 137-139 were known technically as “NBT over IP”, port 445 is “SMB over IP”. (SMB is known as “Samba” and stands for “Server Message Blocks”.)After all of the trouble the personal computer industry has had with Microsoft’s original Windows NetBIOS ports 137 through 139, it is difficult to imagine or believe that Microsoft could have actually made things significantly worse with their replacement port 445 . . . but they did.”
( )

Why am I telling you all this? Not only is this interesting or educational, but if the target is vulnerable the exploit does require the credentials, even if metasploit says no in the required section, it’s in my opinion required as I’ve learned from OTW’s fabulous article, he states:

“Metasploit has module called psexec that enables you to hack the system and leave very little evidence behind, given that you already have sysadmin credentials, of course.”
( )

There are many ways to gain credentials, but for now I’m only gonna show you how to do it with Nmap Scripts. The first scan is a simple Nmap scan, type:

Nmap -sF

(replace the with your own Ip)

If Nmap says that the host seems down… Then try:

Nmap -sF -Pn

The -Pn stands for no ping and is useful if for some reason the target is blocking your packets that you’ve sent with Nmap.

If no ports show up then you can add other flags, -A, -o, etc. Now that we know which ports are open and which ports are closed, let’s review the results. What ports are open? Which services are running? Do you recognize any of the services? What version? These questions are some that come to my mind. I usually google the services that I don’t recognize and if they’re vulnerable. Sometimes you don’t have to gain anything more except figure out if the version is outdated because most of the time if the service is outdated then there’s possibly a exploit out there that we could use and we don’t need to do nothing more. Now, what if there’s a FTP server or port 445 is open running microsoft-ds? Now what? This is where we try to gain the credentials. The first script will show us the users on the system, the nmap scan is:

nmap --script=smb-enum-users

(If the host seems down then use the -Pn flag)

Once the scan is done, at the bottom of the scan Nmap should show you the users. Sometimes this script shows nothing. If this happens different methods are needed, which I won’t discuss in this tutorial. Now that we have the credentials of the usernames it’s time to run the brute force password script. The command would look like this:

map --script=smb-brute

That’s litterly it, but sometimes you would have to add different flags to the scan. I personally add the -A flag and the -T sneaky flag, but that’s just me. That’s that. Please if you like this tutorial, I would appreciate if you would give me some lovins. Other than that, please use this information as you like because I’m not responsible. Cheers.

P.S. a good link to view is:


I’m starting to like your series, amazing tutorial. Keep it up. :slight_smile:


Very good!
another good option is -sC and --script=vuln

Nice post!

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.

This topic was automatically closed after 30 days. New replies are no longer allowed.