NMAP
Ana Chanaba
Robert Huylo

nmap "network mapper"
Security tool
- What does your system look like to someone who is trying to break in?
- Find the holes in your security before somebody else does
nmapFE v3.81
- graphical frontend to nmap
- rpm available at www.insecure.org/nmap
- lab102 & lab103
Basic nmap functions
1.) Host Discovery
- Which hosts are up (IP addresses)
- Ping scans
2.) Port Scanning
- Which ports of a target host have servers listening on them
- Allows a guess of the software and services a machine is running
3.) OS Detection
- TCP/IP fingerprinting
Anatomy of an nmap argument
nmap -sS -PO -O -p 1-1024 134.198.161.*
-s_ : Scan type
-P_ : Ping type
-O : Optional OS detection
-p #-# : port range
IP range: 134.198.161.0/24, 134.198.161.1-254
1.) Host Discovery
Determine which hosts are up
- Does not include port scans or OS detection
nmap -sP 134.198.161.*
- Utilizes a variety of messaging protocols
- ICMP/TCP/UDP
Firewall interference
- Firewalls check to see if packets are part of a previously established connection
Used before port scan
- Ping sweep (-sP)
- Check to see if host is up before scanning ports
Customizing Pings
-PO : ICMP
-PA : TCP ACK
-PU : UDP
-PP : ICMP timestamp
-PM : Netmask request
-PS : TCP SYN
-PB : (default) TCP ACK & ICMP
Ping specific ports:
nmap -sP -PO25 ...
2.) Port Scanning
Insight into what services a host may be running
"Well-known" or "interesting" ports
- 1-1024
- 65,535 total TCP & UDP ports
Scan displays (for each port)
• Service name
• Port number
• Port state
• Protocol
Scanning Options
nmap -sS ...
- TCP SYN scan
- default port scan for an nmap user with root privileges
- "half-open": skips the last step of the 3-way handshake and probes without an actual connection, for stealth
nmap -sT ...
- TCP connect() scan
- default port scan for a non-root nmap user
- requires a full connection, so it is easily detectable
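The detectability difference between a half-open SYN probe and a full connect() scan is something a defender can see in their own firewall logs. The following is an added example (not part of the original slides): it parses a constructed, firewall-style log of outbound TCP flags, flags any source that SYNs to many ports of one host inside a time window, and reports whether those SYNs were ever followed by an ACK from the same source. The log format, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log (not real traffic). 10.0.0.5 sends bare SYNs to
# twelve ports of 10.0.0.20 (half-open probing); 10.0.0.9 completes two normal handshakes.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} src=10.0.0.5 dst=10.0.0.20 dport={20 + i} flags=S"
     for i in range(12)]
    + ["2024-01-01T10:00:03 src=10.0.0.9 dst=10.0.0.20 dport=443 flags=S",
       "2024-01-01T10:00:03 src=10.0.0.9 dst=10.0.0.20 dport=443 flags=A",
       "2024-01-01T10:00:05 src=10.0.0.9 dst=10.0.0.20 dport=22 flags=S",
       "2024-01-01T10:00:05 src=10.0.0.9 dst=10.0.0.20 dport=22 flags=A"]
)

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)$")

def parse_log(text):
    """Return (time, src, dst, dport, flags) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, flags = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return events

def detect_sweeps(events, threshold=8, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs that SYN to >= threshold distinct ports within one window.
    kind is 'half-open (SYN scan)' when none of those SYNs was followed by an ACK from
    the same source (the -sS pattern), otherwise 'full connect()' (the -sT pattern)."""
    syns = defaultdict(list)   # (src, dst) -> [(time, dport)] for bare SYNs
    acked = defaultdict(set)   # (src, dst) -> {dport} that later saw a bare ACK
    for t, src, dst, dport, flags in sorted(events):
        if flags == "S":
            syns[(src, dst)].append((t, dport))
        elif flags == "A":
            acked[(src, dst)].add(dport)
    findings = []
    for key, hits in syns.items():
        for i, (t0, _) in enumerate(hits):          # slide a window over the SYNs
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                kind = "half-open (SYN scan)" if not ports & acked[key] else "full connect()"
                findings.append((key[0], key[1], len(ports), kind))
                break                                # one finding per pair is enough
    return findings
```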
Port States
open: will accept connections
filtered: a firewall or other network obstacle is covering the port
unfiltered or closed: determined to be closed, with no obstacles or interference
- most common case
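Reading the per-port state table is how the "find the holes before somebody else does" goal from the first slide gets turned into a check. The following is an added example, not code from the slides or from the nmap project: it parses the PORT/STATE/SERVICE table of nmap's normal output (constructed sample text below, laid out as current nmap versions print it) and reports open ports that are not in a per-host baseline of expected exposure. The baseline, hostnames and addresses are assumptions made for the example.

```python
import re

# Constructed nmap normal-output excerpt for two hosts (sample text, not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3306/tcp open     mysql
443/tcp  filtered https

Nmap scan report for 192.0.2.11
PORT    STATE  SERVICE
22/tcp  open   ssh
23/tcp  closed telnet
"""

# Assumed baseline: the ports each host is supposed to expose.
BASELINE = {"192.0.2.10": {"22/tcp", "80/tcp", "443/tcp"}, "192.0.2.11": {"22/tcp"}}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")

def parse_scan(text):
    """Return {host: {'port/proto': (state, service)}} from nmap's default output."""
    hosts, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = hosts.setdefault(h.group(1), {})
            continue
        p = PORT_RE.match(line)
        if p and current is not None:      # skip the PORT/STATE/SERVICE header and blanks
            current[p.group(1)] = (p.group(2), p.group(3))
    return hosts

def unexpected_open(hosts, baseline):
    """Open ports outside a host's baseline; an unknown host has an empty baseline,
    so every open port on it is reported. Filtered/closed ports are not findings."""
    findings = []
    for host, ports in hosts.items():
        allowed = baseline.get(host, set())
        for port in sorted(ports, key=lambda p: int(p.split("/")[0])):
            state, service = ports[port]
            if state == "open" and port not in allowed:
                findings.append((host, port, service))
    return findings
```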
Scanning Options
Avoid SYN scanning to probe beyond a firewall:
-sF : Stealth FIN scan
-sX : Xmas tree scan
-sN : Null scan
-sV : Version detection
-sU : UDP scan
-sI : Idlescan
-sA : ACK scan
-b : bounce attack (FTP)
3.) OS Detection
nmap -O ...
TCP/IP fingerprinting
OS guess made by looking at the particulars of how a host implements TCP/IP
- Includes possible range of versions and "uptime" test
Fingerprint compared to DB of known OS fingerprints
Nmap sends seven crafted TCP/IP packets (called tests) and waits for the answers. Results are checked against a database of known results (the OS signatures database). This database is a text file that contains the result answered (signature) by each known OS.
OS Detection
Reasons to hide OS
Security: a hacker could base an attack on a host on known weaknesses in the target OS
Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS.
It could be convenient for other software companies to offer you a new OS environment.
OS Detection
Many techniques to fingerprint networking stacks. If you combine enough of these, you can narrow down the OS very tightly.
You can start out as simply as "nmap -O -sS targethost".
OS Detection
-O requires root privileges; nmap uses the responses to create a fingerprint and decide what type of system you are scanning.
OS detection is far more effective if at least one open and one closed TCP port are found.
Miscellaneous options
-A turns on OS detection too.
-F tells nmap to scan only ports registered in nmap-services.
-T4 causes nmap to go faster.
-I gives the username that owns the available processes.
-iR Use this option to instruct nmap to scan random hosts for you.
Misc. Options
-v verbose: This is a highly recommended option and it gives out more information. You can use it twice for better effect.
-d debug mode
-p : port range, what ports you want to specify
-T : scan timing or throttling options <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
- Addresses concerns about detection and crashing the host
OS DETECTION
nmap -O 134.198.161.254
nmap -A -T4 -F 134.198.161.101
nmap -A -T4 134.198.161.101
RPC services are treated with brute force: the RPC scanner determines the version.
nmap -sS -p 80 -O -v 134.198.161.254
References
nmap & nmapFE man pages
www.insecure.org
Text Chp 21.7
www.linux.org