Page 1: NMAP

Ana Chanaba
Robert Huylo

Page 2: nmap “network mapper”

Security tool
- What does your system look like to someone who is trying to break in?
- Find the holes in your security before somebody else does

nmapFE v3.81
- graphical frontend to nmap
- rpm available at www.insecure.org/nmap
- lab102 & lab103

Page 3: Basic nmap functions

1.) Host Discovery
- Which hosts are up (IP addresses)
- Ping scans

2.) Port Scanning
- Which ports of a target host have servers listening on them
- Allows a guess of the software and services a machine is running

3.) OS Detection
- TCP/IP fingerprinting

Page 4: Anatomy of an nmap argument

nmap -sS -PO -O -p 1-1024 134.198.161.*

-s_ : Scan type
-P_ : Ping type
-O : Optional OS detection
-p #-# : port range

IP range:
134.198.161.0/24, 134.198.161.1-254
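The three target notations above (CIDR block, per-octet range, wildcard) and the -p port range are easy to mistype, and a typo can send probes at addresses you were never cleared to scan. The following is an added example, not code from the slides or from nmap itself: it expands each notation the way nmap interprets it and reports any address that falls outside a list of authorized networks, so the scope can be checked before a scan is launched. The authorized network list and the helper names are assumptions of this example.

```python
import ipaddress
from itertools import product
from typing import Iterable, List

def _octet_values(part: str) -> Iterable[int]:
    """One dotted-quad field: a plain number, a low-high range, or '*' for 0-255."""
    if part == "*":
        return range(256)
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part}")
        return range(lo, hi + 1)
    value = int(part)
    if not 0 <= value <= 255:
        raise ValueError(f"bad octet: {part}")
    return [value]

def expand_target(spec: str) -> List[str]:
    """Every IPv4 address one nmap target spec covers (CIDR, octet ranges, wildcards)."""
    spec = spec.strip()
    if "/" in spec:
        # a CIDR block is scanned whole, network and broadcast addresses included
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not a dotted quad: {spec}")
    return [".".join(map(str, q)) for q in product(*(_octet_values(f) for f in fields))]

def expand_ports(spec: str) -> List[int]:
    """'-p' style list such as '1-1024' or '22,80,1-3': sorted and de-duplicated."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)

def out_of_scope(specs: Iterable[str], authorized: Iterable[str]) -> List[str]:
    """Addresses the target specs would scan that lie outside every authorized network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in authorized]
    return [addr for spec in specs for addr in expand_target(spec)
            if not any(ipaddress.ip_address(addr) in net for net in nets)]
```

Running `out_of_scope(["134.198.161.1-254", "134.198.162.1"], ["134.198.161.0/24"])` returns the single stray address, which is the kind of slip a scope check should catch.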

Page 5: 1.) Host Discovery

Determine which hosts are up
- Does not include port scans or OS detection

nmap -sP 134.198.161.*
- Utilizes a variety of messaging protocols
- ICMP/TCP/UDP

Firewall interference
- Firewalls check to see if packets are part of a previously established connection

Used before portscan
- Ping sweep (-sP)
- Check to see if host is up before scanning ports

Page 6: Customizing Pings

-PO : ICMP
-PA : TCP ACK
-PU : UDP
-PP : ICMP timestamp
-PM : Netmask request
-PS : TCP SYN
-PB : (default) TCP ACK & ICMP

Ping specific ports:
nmap -sP -PO25 …

Page 7: 2.) Port Scanning

Insight into what services a host may be running

“Well-known” or “Interesting” ports
- 1-1024
- 65,535 total TCP & UDP ports

Scan displays (for each port)
• Service name
• Port number
• Port state
• Protocol

Page 8: Scanning Options

nmap -sS …
- TCP SYN scan
- default port scan for an nmap user with root privileges
- “half-open” – skips the last step of the 3-way handshake and probes without an actual connection, for stealth

nmap -sT …
- TCP connect() scan
- default port scan for a non-root nmap user
- requires a full connection – easily detectable
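Seen from the scanned host's side, the difference between the two scans is whether the handshake ever completes. The following detection logic is an added example, not code from the slides: it runs over constructed connection records (not a real capture) and flags a source that touches many distinct ports within a short window, then labels the burst as half-open or connect()-style depending on whether any probe to a listening port completed the handshake. The thresholds (15 ports in 10 seconds) and the listening-port set are assumptions of the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

class Attempt(NamedTuple):
    ts: float        # seconds since start of capture
    src: str         # client address
    dport: int       # TCP destination port on the monitored host
    completed: bool  # True if the sensor saw the full 3-way handshake

def _bursty(hits: List[Attempt], window: float, min_ports: int) -> bool:
    """True if some window-second slice of one source's probes covers >= min_ports ports."""
    start = 0
    for end in range(len(hits)):
        while hits[end].ts - hits[start].ts > window:
            start += 1
        if len({h.dport for h in hits[start:end + 1]}) >= min_ports:
            return True
    return False

def detect_scans(attempts: Iterable[Attempt], listening: Set[int],
                 window: float = 10.0, min_ports: int = 15) -> List[Dict]:
    """Alert on sources that probe many ports quickly. Probes to listening ports
    tell -sS from -sT apart: connect() completes the handshake, a SYN scan never does."""
    by_src: Dict[str, List[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_src[a.src].append(a)
    alerts = []
    for src, hits in by_src.items():
        if not _bursty(hits, window, min_ports):
            continue
        to_open = [h for h in hits if h.dport in listening]
        if not to_open:
            kind = "sweep (no listening port probed)"
        elif any(h.completed for h in to_open):
            kind = "connect() scan (-sT style): handshakes completed"
        else:
            kind = "half-open SYN scan (-sS style): no handshake completed"
        alerts.append({"src": src, "ports": len({h.dport for h in hits}), "kind": kind})
    return alerts

# Constructed sample (not real capture data): the monitored host listens on 22 and 80.
LISTENING = {22, 80}
SAMPLE = (
    [Attempt(0.1 * p, "10.0.0.5", p, False) for p in range(1, 26)]                # -sS: SYNs only
    + [Attempt(30 + 0.1 * p, "10.0.0.7", p, p in LISTENING) for p in range(1, 26)]  # -sT: connects
    + [Attempt(60.0 * i, "10.0.0.9", 22 if i % 2 else 80, True) for i in range(6)]  # normal user
)
def run_sample() -> Dict[str, str]:
    return {a["src"]: a["kind"] for a in detect_scans(SAMPLE, LISTENING)}
```

The ordinary user in the sample never trips the detector: a few completed sessions to two ports over several minutes is not a burst, which is what keeps the rule from paging on normal traffic.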

Page 9: Port States

open: will accept connections
filtered: a firewall or other network obstacle is covering the port
unfiltered or closed: determined to be closed, with no obstacles or interference
- most common case
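The per-port fields listed on the previous slides (port number, protocol, state, service name) arrive as a text table, and the practical use of a scan of your own host is to compare that table against what the host is supposed to expose. The following parser is an added example, not code from the slides or from nmap: it reads a constructed sample in nmap's normal-output layout (not the output of a real scan), counts ports per state including the ones nmap folds into its "not shown" line, and lists open ports missing from a baseline of expected services. The baseline set is an assumption of the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in nmap's normal-output layout (not the output of a real scan).
SAMPLE_OUTPUT = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ )
Interesting ports on 134.198.161.254:
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
111/tcp  open     rpcbind
3306/tcp filtered mysql
Nmap finished: 1 IP address (1 host up) scanned in 4.210 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HIDDEN_LINE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

def parse_port_table(text: str) -> List[Dict]:
    """One record per displayed port: number, protocol, state and service name."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            records.append({"port": int(m.group(1)), "proto": m.group(2),
                            "state": m.group(3), "service": m.group(4)})
    return records

def summarize_states(text: str) -> Dict[str, int]:
    """Count ports per state, including those nmap folds into its 'not shown' line."""
    counts: Dict[str, int] = {}
    for rec in parse_port_table(text):
        counts[rec["state"]] = counts.get(rec["state"], 0) + 1
    for line in text.splitlines():
        m = HIDDEN_LINE.match(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts

def unexpected_open(records: List[Dict], baseline: Set[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Open ports that are not in the baseline of services this host is supposed to expose."""
    return [(r["proto"], r["port"], r["service"]) for r in records
            if r["state"] == "open" and (r["proto"], r["port"]) not in baseline]
```

With a baseline of ssh and http, the sample yields one finding, rpcbind on 111/tcp, which is exactly the "hole to find before somebody else does" from the opening slide.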

Page 10: Scanning Options

Avoid SYN scanning to probe beyond a firewall:
-sF : Stealth FIN scan
-sX : Xmas tree scan
-sN : Null scan
-sV : Version detection
-sU : UDP scan
-sI : Idlescan
-sA : ACK scan
-b : bounce attack (FTP)

Page 11: 3.) OS Detection

nmap -O …

TCP/IP fingerprinting
OS guess made by looking at the particulars of how a host implements TCP/IP
- Includes possible range of versions and “uptime” test

Fingerprint compared to DB of known OS fingerprints
Nmap sends seven crafted TCP/IP packets (called tests) and waits for the answers. Results are checked against a database of known results (OS signatures database).
This database is a text file that contains the result answered (signature) by each known OS.

Page 12: OS Detection

Reasons to hide OS

Security: a hacker could base an attack on a host on known weaknesses in the target OS.

Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.

Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS.

It could be convenient for other software companies to offer you a new OS environment.

Page 13: OS Detection

Many techniques exist to fingerprint networking stacks. If you combine enough of these, you can narrow down the OS very tightly.

You can start out as simply as "nmap -O -sS targethost".

Page 14: OS Detection

-O requires root privileges; nmap uses the responses it gathers to create a fingerprint and decide what type of system you are scanning.

OS detection is far more effective if at least one open and one closed TCP port are found.

Page 15: Miscellaneous options

-A turns on OS detection too.
-F tells nmap to scan only ports registered in nmap-services.
-T4 causes nmap to go faster.
-I gives the username that owns available processes.
-iR instructs nmap to scan random hosts for you.

Page 16: Misc. Options

-v : verbose. This is a highly recommended option and gives out more information. You can use it twice for better effect.
-d : debug mode
-p : port range, what ports you want to specify
-T : scan timing or throttling options <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
- Addresses concerns about detection and crashing the host

Page 17: OS DETECTION

nmap -O 134.198.161.254
nmap -A -T4 -F 134.198.161.101
nmap -A -T4 134.198.161.101
- RPC services are treated with brute force: the RPC scanner determines the version.
nmap -sS -p 80 -O -v 134.198.161.254

Page 18: References

nmap & nmapFE man pages
www.insecure.org
Text Chp 21.7
www.linux.org