Saturday, January 21, 2012

Using Nmap to Hack a Server


Nmap is a network mapping program used by both sysadmins and hackers to identify live hosts, see what services they're running, see the versions of those services, etc. This is very useful because you can use that information to find exploits to use against the server.


While the chances of you getting in trouble for using nmap on someone are low, it's best not to risk it. Always use a VPN when using nmap, because it is a hacking tool and you can get in trouble for using it on someone without permission. Don't take the chance, just use a VPN. (If you have Windows or Mac, use Pro XPN; if you don't know what to use for Linux, see my thread:

You can download nmap from:
Installation should be very easy; there are guides online that show you step by step, but you should only have to follow the prompts. Nmap comes preinstalled on BackTrack, so you can use it there. Once nmap is installed, you're ready to begin.
Things to Note
* All commands should be typed into cmd or a terminal.
* [Target] = your target
* The target should be in the format of "" not ""
* You can press 'A' during a scan to see how long until it's done.
* A list of Egyptian sites can be found to practice on here:

Preliminary Investigation

Once you've selected your target, you can make sure it's alive (or online) by using the following command:

nmap -sP [Target]
-sP is a ping scan: it does nothing more than ping the host to make sure it's online. (Newer nmap releases call this -sn; -sP still works as an alias.)

The output will look like:

Starting Nmap 5.51 ( ) at 2012-01-01 2:30 EST
Nmap scan report for (
Host is up (0.0071s latency).
Nmap done: 1 IP address (1 host up) scanned in 13.27 seconds

Normally your target will show up as online, but sometimes a host will try to be tricky by not responding to your requests. There are some neat tricks for getting around this problem; here are a few:
* Use -PE (an ICMP echo request, the normal ping)
* Use -PP (an ICMP timestamp request)
* Use -PM (an ICMP address mask request)
* Nmap itself will also say "The host appears to be down but..." and then give you advice on what to do.

Operating System Detection
Now that the server is responding to our requests, let's figure out what operating system it's using. Finding the OS is fairly simple; use this command:
nmap -O --osscan-guess [Target]
If the server does not respond, use the tips above to trick it.
-O tells nmap to scan for the OS.
--osscan-guess tells nmap to guess the OS aggressively.

Now that you know the operating system, let's see if we can exploit it.

Operating System Exploitation
The first thing to know is that you won't find too many good exploits to use against the operating system itself; instead, knowing it gives you a better idea of what you're dealing with. If their OS is the very latest version of Red Hat Linux, they're probably less vulnerable than if they're running Windows Server SP1. If you're trying to hack a bunch of servers in one day to be all 1337, that tip can come in handy. Don't waste valuable time on the secure sites, strike the weak ones.

Anyway, there ARE some exploits for several widely used operating systems, so search Google for "[Their OS] exploit" and try your luck. In time you'll automatically know whether an OS has a big vulnerability or not.

Service Discovery and Service Version Discovery

For me, this is the most fun part: finding out what this server does. So let's get started! The command you should use is:
nmap -sV [Target]
-sV probes open ports and determines their service and version.

The output should look like:

Starting Nmap 5.51 ( ) at 2012-01-01 3:21 EST
Nmap scan report for (
Host is up (0.023s latency).
Not shown: 999 filtered ports
80/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

So here is what that means:
"Port 80 is open and it's running an http service. They are using Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
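If you run these scans against more than one box, you will want the output in a form you can inventory and compare later rather than eyeballing it. Here is a small parser for nmap's normal output that handles both the ping-scan report shown earlier (a host with no port lines) and the -sV listing just shown. This is an added example, not code from the post or from the Nmap project; the sample output it parses is constructed for this example (only the 80/tcp line comes from the post; the host name, the 192.0.2.10 address and the other port lines are made up).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of nmap "normal" output. The 80/tcp line is the one from the
# post; the host name, the 192.0.2.10 address and the other port lines are made up.
SAMPLE_OUTPUT = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2012-01-01 03:21 EST
Nmap scan report for example-host (192.0.2.10)
Host is up (0.023s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.3 (protocol 2.0)
80/tcp   open   http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp  closed https
8080/tcp open   http-proxy
Nmap done: 1 IP address (1 host up) scanned in 13.27 seconds
"""

# "Nmap scan report for name (addr)" or just "Nmap scan report for addr"
HOST_LINE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<addr>[^)]+)\))?$")
UP_LINE = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?\.$")
# "port/proto  state  service  [version ...]"; the version column is absent when
# nmap could not fingerprint the service, so it is optional here.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*?))?\s*$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: Optional[str]  # None when -sV printed no version fingerprint


@dataclass
class HostReport:
    name: str
    addr: Optional[str]
    up: bool = False
    latency_s: Optional[float] = None
    services: List[Service] = field(default_factory=list)


def parse_nmap_output(text: str) -> List[HostReport]:
    """Parse nmap normal output into one HostReport per 'Nmap scan report' block.
    Works for a plain ping scan (hosts with no port lines) as well as -sV output."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            current = HostReport(name=m["name"], addr=m["addr"])
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = UP_LINE.match(line)
        if m:
            current.up = True
            if m["latency"] is not None:
                current.latency_s = float(m["latency"])
            continue
        m = PORT_LINE.match(line)
        if m:
            current.services.append(
                Service(int(m["port"]), m["proto"], m["state"], m["service"], m["version"])
            )
    return hosts


def open_services(report: HostReport) -> List[Service]:
    return [s for s in report.services if s.state == "open"]


def unfingerprinted(report: HostReport) -> List[Service]:
    """Open ports where -sV printed no version: nmap could not identify the
    software, so a version search is not possible and they need a manual look."""
    return [s for s in open_services(report) if not s.version]


if __name__ == "__main__":
    for host in parse_nmap_output(SAMPLE_OUTPUT):
        print(host.name, host.addr, "up" if host.up else "down")
        for s in open_services(host):
            print(f"  {s.port}/{s.proto} {s.name}: {s.version or '(no version)'}")
```

The `unfingerprinted` list is the one worth checking by hand: an open port with an empty version column means the probe got an answer nmap could not match, not that the service has no version.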

Like above, all you have to search for is the service version plus "exploit" to find good stuff; unlike above, you are quite likely to find an exploit to use against them.

Like I said in the caution, you can get in trouble for using nmap, so you should always use a VPN. But there are more reasons to stay safe when using nmap: for one, if you're successful in hacking the server, and a few hours before they were hacked someone was using nmap on them, who do you think is their prime suspect?

It's not just that either, if you aren't sneaky when you're scanning, some super-secure servers will start giving you false information or stop responding to your requests. Here are a few ways to avoid that:

* Change your IP by switching to a different VPN server
* Use the "--scan-delay <time>" option, where <time> is the amount of time to wait between probes
* Use the "-D <decoy1,decoy2>" option, where <decoy1,decoy2> are IP addresses that you want to appear to be probing the target as well, so the server doesn't think you're the only one probing it.
* Use "--spoof-mac <MAC address>", where <MAC address> is what you want them to think your MAC address is.
* Look elsewhere for more tips!
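From the other side of the wire, here is what those tricks look like to whoever is reading the target's firewall logs. This is an added example, not code from the post: a small port-scan detector run over constructed iptables-style log lines (the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields are the real iptables LOG format; the "Mon dd HH:MM:SS host kernel:" syslog prefix and every address in the sample are assumptions made for this example). It shows two things a defender cares about: decoy addresses from `-D` each get flagged on their own rather than hiding the real source, and a scan slowed down with `--scan-delay` slips under a 60-second detection window but is caught as soon as the window is widened to ten minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# iptables LOG lines as they arrive via syslog. SRC/DST/PROTO/DPT are the real
# LOG target fields; the "Mon dd HH:MM:SS host kernel:" prefix is assumed here.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)


def parse_line(line: str, year: int = 2012) -> Tuple[datetime, str, str, int]:
    """Return (timestamp, src, dst, dport); raise ValueError for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def find_port_scanners(lines: List[str], window_s: int = 60, min_ports: int = 10) -> Dict[str, int]:
    """Flag every source that touches at least min_ports distinct destination ports
    on one host inside any sliding window of window_s seconds. Returns
    {src: most distinct ports seen in one window} for flagged sources only."""
    window = timedelta(seconds=window_s)
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        try:
            ts, src, dst, dpt = parse_line(line)
        except ValueError:
            continue  # unrelated syslog lines
        events[(src, dst)].append((ts, dpt))

    flagged: Dict[str, int] = {}
    for (src, _dst), evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop probes older than the window
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= min_ports:
            flagged[src] = max(best, flagged.get(src, 0))
    return flagged


# Constructed sample log. All addresses are documentation ranges chosen for the
# example; 192.0.2.10 plays the scanned server.
TARGET = "192.0.2.10"
BASE = datetime(2012, 1, 1, 3, 21, 0)
PROBED = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]


def _log(ts: datetime, src: str, dpt: int) -> str:
    return (f"{ts.strftime('%b %d %H:%M:%S')} fw kernel: IN=eth0 OUT= "
            f"SRC={src} DST={TARGET} PROTO=TCP DPT={dpt}")


def constructed_log() -> List[str]:
    """A fast scan from 198.51.100.7 with one decoy address (203.0.113.5, what -D
    adds), a slow scan from 198.51.100.9 with 30 s between probes (what
    --scan-delay 30s looks like), an ordinary web client and one unrelated line."""
    lines = []
    for i, p in enumerate(PROBED):
        for src in ("198.51.100.7", "203.0.113.5"):
            lines.append(_log(BASE + timedelta(seconds=i // 2), src, p))
        lines.append(_log(BASE + timedelta(seconds=30 * i), "198.51.100.9", p))
    for p in (80, 443, 80):
        lines.append(_log(BASE + timedelta(seconds=3), "192.0.2.55", p))
    lines.append("Jan 01 03:21:03 fw sshd[123]: Accepted publickey for ops")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("60 s window :", find_port_scanners(log, window_s=60))
    print("10 min window:", find_port_scanners(log, window_s=600))
```

The detector keys on source address, which is exactly why decoys do not help the person behind them: the real address still reaches the threshold by itself, and the decoys only add more entries to the alert. The slow scan is the harder case; the trade-off for the defender is a wider window (more memory per source) against more alerts on busy hosts, which is why `min_ports` counts distinct ports rather than raw packets.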


If you use "-oS", the output will be in s|<r1pt k1ddi3 AKA 1337 5p33k


Please let me know if you have anything to add, or any grammar/spelling corrections to make. If you have any questions, please let me know and leave a comment! If you enjoyed this tutorial please let me know in the comments, it would really make my day.

1 comment:

1. Love the site man! Keep it up!!!
   Your tutorials are in-depth and don't treat me like I am an idiot! Love it!