SecureState PowerPoint Template - ISSA: Pittsburgh...

Post on 15-Mar-2018


NMAP Basics

May 10, 2011

About Your Presenter

• Matt Neely

• Manager of the Profiling Team at SecureState

• Areas of Interest: convergence of physical and logical security, lock and lock picking, and all things wireless

• Co-host on the Security Justice podcast

• Co-founder of the Cleveland Chapter of TOOOL


About Your Presenter

• Gary McCully

• Consultant at SecureState

• CISSP, Security+, Network+, MCP

• Web Application Security Assessments, Penetration Tests, Physical Penetration Tests, War Dialing

• Formerly worked for a Fortune 500 Company


Quick Intro

• Started as a port scanner

• Released 1997

• Gordon “Fyodor” Lyon

• Free

• Windows, Linux, Unix, Mac OS

What is NMAP

Features

• Port Scanner

• Version Detection

• OS Detection

• NMAP Scripting Engine

What is NMAP

IP

• Internet Protocol

• It is the address of a machine

• IPv4 is most common (10.0.0.1)

• IPv6 is on the horizon (1:1:1:1:1:1:1:1)

Network Basics

IP (diagram)

A packet from 10.0.0.1 to 10.0.0.2 carries FROM: 10.0.0.1 and TO: 10.0.0.2 in its IP header

Network Basics

ICMP

• Internet Control Message Protocol

• Mostly used for troubleshooting

• Not Typically Used to Exchange Data

Network Basics

ICMP (Ping) (diagram)

10.0.0.1 → 10.0.0.2: "Are you home?" (ICMP Type 8, Echo Request)

10.0.0.2 → 10.0.0.1: "Yes I am home" (ICMP Type 0, Echo Reply)

Network Basics

TCP

• Transmission Control Protocol

• Connection Oriented

• Reliable

Network Basics

TCP (diagram)

10.0.0.1 → 10.0.0.2: "Please Sign For This Letter"

Network Basics

Setting Up TCP Session (three-way handshake)

10.0.0.1 → 10.0.0.2: SYN

10.0.0.2 → 10.0.0.1: SYN, ACK

10.0.0.1 → 10.0.0.2: ACK

Tearing Down TCP Session (either side may start it)

Initiator → peer: FIN/ACK

Peer → initiator: ACK

Peer → initiator: FIN/ACK

Initiator → peer: ACK

Network Basics

TCP (diagram; source: http://learn-networking.com)

Network Basics

UDP

• User Datagram Protocol

• Not Connection Oriented

• Not Reliable

Network Basics

UDP (diagram)

10.0.0.1 → 10.0.0.2: Datagram (no handshake, no acknowledgement)

Sending Data over UDP (diagram; source: http://learn-networking.com)

Network Basics

Network Basics

Ports

• Ports tell a server which service should receive each piece of incoming data

• Ports can either be TCP or UDP

• The standard mapping of port numbers with specific services is handled by IANA (Internet Assigned Numbers Authority)

Network Basics

Some Popular Ports

• TCP 21 (FTP) – Used for transferring files

• TCP 80 (HTTP) – Used to access Websites

• TCP 443 (HTTPS) – Used to access Websites using SSL

• TCP 3389 – Used for remote desktop

• UDP 123 – Used for time synchronization

Connecting to a Website (diagram)

Web Browser → www.google.com: request (the browser sends it to port 80)

Web Server On Port 80 → Web Browser: "I understand your request, here is the webpage"

Network Basics

Basic Syntax

• nmap “Scan Type(s)” OPTIONS TARGETS

• Targets

– 10.0.0.1/16

– 10.0.1-255.1-255

– 10.0.0.1 10.0.0.2 10.0.0.3

– Can pull from a file

NMAP Basics
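The target forms listed above (CIDR, per-octet ranges, several targets on one line, a file of targets) all expand to plain lists of addresses. The following is an added example, not nmap's own code: a small expander for those forms, using Python's standard ipaddress module. It covers IPv4 only; comma lists inside an octet (10.0.0.1,5,10) and the '#' comment handling in the target file are assumptions based on nmap's documented syntax rather than something the slides show.

```python
"""Expand nmap-style target specifications into IPv4 addresses (added example)."""
import ipaddress
from typing import Iterable, Iterator, List


def _octet_values(field: str) -> List[int]:
    """Expand one dotted field such as '1', '1-255' or '1,3,5-7'."""
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address a single target spec covers."""
    if "/" in spec:
        # CIDR: nmap scans the whole network the address sits in, so
        # 10.0.0.1/30 means 10.0.0.0-10.0.0.3 (strict=False allows host bits).
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    a, b, c, d = (_octet_values(o) for o in octets)
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield f"{w}.{x}.{y}.{z}"


def expand_targets(args: str) -> List[str]:
    """Expand a whitespace-separated list of specs, as typed on the command line."""
    hosts: List[str] = []
    for spec in args.split():
        hosts.extend(expand_target(spec))
    return hosts


def expand_target_file(lines: Iterable[str]) -> List[str]:
    """Expand specs read from a target file (one or more per line).

    Ignoring text after '#' is an assumption for this example.
    """
    hosts: List[str] = []
    for line in lines:
        hosts.extend(expand_targets(line.split("#", 1)[0]))
    return hosts


if __name__ == "__main__":
    # Constructed inputs taken from the slide's target examples.
    print(len(expand_targets("10.0.0.1/16")))
    print(expand_targets("192.168.10.10-12"))
    print(expand_target_file(["10.0.0.1 10.0.0.2  # lab hosts", "10.0.0.3"]))
```

Counting the result before scanning is a cheap sanity check: 10.0.1-255.1-255 expands to 65,025 hosts and 10.0.0.1/16 to 65,536, which is the kind of number that should be confirmed against the engagement scope before any packets leave.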

What is Host Discovery?

• Is Host Alive?

• By Default, First Step in Scanning

• Uses TCP, UDP and ICMP

Host Discovery

-PS Switch

• -PS (TCP SYN Ping)

• Just see if Host is Online

• Host online determined by response to SYN

• Syntax: nmap 192.168.17.130-135

• Syntax: nmap -PS8080 192.168.17.130-135

Host Discovery

TCP SYN to 80 (diagram): open port, Host Online

Scanner → host: SYN to port 80

Host → scanner: SYN ACK (Open Port)

Scanner → host: RST

TCP SYN to 80 (diagram): closed port, Host Online

Scanner → host: SYN to port 80

Host → scanner: RST (Closed Port)

TCP SYN to 80 (diagram): no response

Scanner → host: SYN to port 80

(no reply, so the host is not marked online)

Host Discovery

-PS Switch

• Advantages:

– Looks just like normal TCP traffic

– Reliable for finding open ports

• Disadvantage

– Many Firewalls are configured to drop SYN packets destined for closed ports

Host Discovery

-PA Switch

• -PA (TCP ACK Ping)

• Just see if Host is Online

• Host online determined by response to ACK

• Syntax: nmap -PA8080 192.168.17.130-135

Host Discovery

-PA Switch (Important Note)

• A port will respond with RST

• RST is the response of a closed port

• RST is the response to an out-of-band ACK

• Basically tells which ports are not blocked

Host Discovery

-PA Switch

• Advantages:

– When firewalls are configured to drop SYN packets they may allow ACK packets

• Disadvantage

– If the ACK does not follow a SYN, many firewalls will block this traffic because it's viewed as invalid

Host Discovery

-sP Switch (NMAP Default)

• -sP (Ping Scan)

• Just see if Host is Online

• Default (ICMP and TCP to port 80)

• Syntax: nmap -sP 192.168.17.130-135

Host Discovery

-sP Switch

• Advantages:

– Quick

• Disadvantage

– May miss machines which are online

Host Discovery

-sL Switch

• -sL (List Scan)

• Simply Lists Targets to Scan

• No packets are sent to the hosts

• By default, DNS still resolves names

• Syntax: nmap -sL 192.168.17.130-135

Host Discovery

-sL Switch

• Advantage:

– Nice Sanity Check

• Disadvantage:

– Never checks to see if the host is online

Host Discovery

-PN Switch

• -PN (Skips Host Discovery Phase)

• Performs other scanning steps without determining if host is online

• Takes Longer

• Scans Hosts that may be otherwise missed

Host Discovery

-PN Switch

• Advantages:

– Port scans machines which host discovery would have missed

• Disadvantage

– Can take a very long time

Host Discovery


Host Discovery Lab

Connect to “Lab_Network”

192.168.10.2

Username: lab

Password: lab

Host Discovery Lab

nmap -PS25-30 192.168.10.10-20 (TCP SYN)

nmap -PA135,445 192.168.10.10-20 (TCP ACK)

nmap -sP 192.168.10.10-20 (Default Option)

nmap -sL 192.168.10.1/24 (nmap list scan)

nmap -PN 192.168.10.13 (No Host Discovery)

Host Discovery Lab

What is Port Scanning?

• What ports are open

• The more open ports, the larger the attack surface

• Quickly identify high risk services

Port Scanning

-sS Switch (NMAP Default)

• -sS (SYN Scan)

• Find what ports are open based on response to TCP SYN flag

• Ports are open, closed, or filtered

• Syntax: nmap -sS 192.168.17.130-135

• Syntax: nmap -sS -p21 192.168.17.130-135

Port Scanning

TCP SYN to 80 (diagram): Port Open

Scanner → host: SYN to port 80

Host → scanner: SYN ACK

Scanner → host: RST

TCP SYN to 80 (diagram): Port Closed

Scanner → host: SYN to port 80

Host → scanner: RST

TCP SYN to 80 (diagram): Port Filtered

Scanner → host: SYN to port 80

(no reply)

Port Scanning

-sS Switch

• Advantages:

– Looks just like normal TCP traffic

– Reliable for finding open ports

• Disadvantage:

– Many Firewalls are configured to drop SYN packets destined for closed ports

Port Scanning

-sA Switch

• -sA (TCP ACK Scan)

• Find what ports are not filtered based on response to TCP ACK flag

• Ports are unfiltered, or filtered

• Syntax: nmap -sA 192.168.17.130-135

• Syntax: nmap -sA -p21 192.168.17.130-135

Port Scanning

TCP ACK to 80 (diagram): Port Unfiltered

Scanner → host: ACK to port 80

Host → scanner: RST

TCP ACK to 80 (diagram): Port is Filtered

Scanner → host: ACK to port 80

(no reply)

Port Scanning

-sA Switch

• Advantages:

– When firewalls are configured to drop SYN packets they may allow ACK packets.

– Lets you know what ports are blocked by a firewall.

• Disadvantage:

– If the ACK does not follow a SYN, many firewalls will block this traffic because it's viewed as invalid.

Port Scanning


TCP Port Scanning Lab

nmap -sS -p1-100 192.168.10.10-20 (SYN Scan 1-100)

nmap -sS -p135,445 192.168.10.10-20 (SYN Scan 135,445)

nmap -sS 192.168.10.10-20 (Default)

nmap -sA 192.168.10.1/24 (ACK Scan)

nmap -sA -p1-100 192.168.10.10-20 (ACK Scan 1-100)

Port Scanning Lab

-sU Switch

• -sU (UDP Scan)

• Slow compared to TCP Based Scans

• Reports each port as open, open|filtered, closed or filtered

• Syntax: nmap -sU 192.168.17.130-135

• Syntax: nmap -sU -p161 192.168.17.130-135

Port Scanning

-sUV Switch

• -sUV (UDP Version Detection Scan)

• Higher Success rate of finding open ports

• Identifies versions of software through database of valid UDP probes

• In some cases, can take longer than -sU

Port Scanning

UDP to 161 (diagram): Port Open

Scanner → host: UDP port 161

Host → scanner: Service Responds

UDP to 161 (diagram): Port Open|Filtered

Scanner → host: UDP port 161

No Response

UDP to 161 (diagram): Port Closed

Scanner → host: UDP port 161

Host → scanner: ICMP port unreachable error (Type 3, code 3)

UDP to 161 (diagram): Port Filtered

Scanner → host: UDP port 161

Host → scanner: Other ICMP unreachable errors (Type 3, code 1, 2, 9, 10, or 13)

Port Scanning

-sU Switch

• Advantage:

– Faster than -sUV

• Disadvantage:

– No Version Information

Port Scanning

-sUV Switch

• Advantages:

– Provides specific version information

– Identifies more open ports

• Disadvantage:

– Slower than -sU switch

Port Scanning
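The host discovery slides (-PS and -PA) and the port scanning slides (-sS, -sA and -sU) each boil down to a small table: what came back for one probe decides the verdict. The code below is an added example, not nmap's own code, that encodes those tables in one place. Response is a constructed simplification of what the scanner sees for a single probe (reply protocol or None on timeout, TCP flags, ICMP type and code); the state names (open, closed, filtered, unfiltered, open|filtered) are nmap's own.

```python
"""Classify nmap probe outcomes following the rules on the slides (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Response:
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None when nothing came back
    tcp_flags: str = ""              # letters from "SAFRPU", e.g. "SA" for SYN/ACK
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


# Constructed replies used in the demo and tests
NO_REPLY = Response()
SYN_ACK = Response("tcp", "SA")
RST = Response("tcp", "R")
UDP_DATA = Response("udp")

# ICMP destination unreachable (type 3) codes that mark a UDP port filtered
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}


def _is_tcp(resp: Response, *flags: str) -> bool:
    """True when the reply is TCP and carries every flag listed."""
    return resp.proto == "tcp" and all(f in resp.tcp_flags for f in flags)


def host_alive(probe: str, resp: Response) -> bool:
    """Host discovery verdict for a -PS (TCP SYN ping) or -PA (TCP ACK ping) probe."""
    if probe == "PS":
        # Any TCP reply proves the host is up: SYN/ACK for an open port, RST for a closed one.
        return _is_tcp(resp, "S", "A") or _is_tcp(resp, "R")
    if probe == "PA":
        # An out-of-band ACK is answered with RST whether the port is open or closed.
        return _is_tcp(resp, "R")
    raise ValueError(f"unknown probe type: {probe}")


def port_state(scan: str, resp: Response) -> str:
    """Port state nmap reports for one probe of the given scan type."""
    if scan == "sS":
        if _is_tcp(resp, "S", "A"):
            return "open"
        if _is_tcp(resp, "R"):
            return "closed"
        return "filtered"           # no reply: something dropped the SYN
    if scan == "sA":
        if _is_tcp(resp, "R"):
            return "unfiltered"     # the ACK reached the host; open vs closed is unknown
        return "filtered"
    if scan == "sU":
        if resp.proto == "udp":
            return "open"           # the service answered
        if resp.proto == "icmp" and resp.icmp_type == 3:
            if resp.icmp_code == 3:
                return "closed"     # port unreachable
            if resp.icmp_code in UDP_FILTERED_CODES:
                return "filtered"   # other unreachable errors
        return "open|filtered"      # silence: open but mute, or filtered
    raise ValueError(f"unknown scan type: {scan}")


if __name__ == "__main__":
    # Constructed replies for UDP/161 mirroring the four UDP diagrams.
    for reply in (UDP_DATA, NO_REPLY,
                  Response("icmp", icmp_type=3, icmp_code=3),
                  Response("icmp", icmp_type=3, icmp_code=13)):
        print("udp/161 ->", port_state("sU", reply))
```

The table makes the firewall caveats from the slides concrete: a SYN scan cannot tell a dropped packet from a host that simply is not there, and a UDP scan has to count silence as open|filtered, which is why -sUV, with its protocol-specific payloads, turns more of those entries into a definite open.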


UDP Port Scanning Lab

nmap -sU -p53,123,161 192.168.10.10-20 (UDP Scan)

nmap -sUV -p53,123,161 192.168.10.10-20 (UDP Service Detection Scan)

nmap -sU -p50-55 192.168.10.10-20 (UDP Scan 50-55)

nmap -sUV -p50-55 192.168.10.10-20 (UDP Service Detection Scan 50-55)

Port Scanning Lab

What is Operating System Detection?

• Identifies what operating system is running

• Does this by sending up to 15 TCP, UDP, and ICMP probes

Operating System Detection

What is Operating System Detection?

• Matches packet attributes with a database of packet attributes it has already identified.

• Syntax: nmap -O 192.168.17.135

Operating System Detection

Operating System Detection (diagram)

Scanner → target: up to 15 TCP, UDP and ICMP probes

Target → scanner: misc. responses

Attributes of response data compared to database of attributes

Example: integrity of returned UDP data. The UDP probe carries 300 'C' characters; if they are returned intact the test value is G, otherwise I (Invalid)

Operating System Detection
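To show what "matching packet attributes against a database" means in practice, here is an added example, not nmap's code and not its nmap-os-db format: a toy matcher that reduces probe responses to a handful of attributes (TTL, TCP window, DF bit, and the returned-UDP-data test from the slide) and scores them against a constructed fingerprint database. The attribute names, the database entries and the equal weighting are assumptions made for the example; only the 300 'C' payload and the G/I outcome come from the slide.

```python
"""Toy OS-fingerprint matcher in the spirit of nmap -O (added example)."""
from typing import Dict, Optional, Set, Tuple

# nmap's UDP OS-detection probe carries 300 'C' characters in its payload
UDP_PROBE_PAYLOAD = b"C" * 300


def rud_test(returned_payload: Optional[bytes]) -> str:
    """RUD: integrity of the UDP payload quoted back in the ICMP port unreachable.

    G when every quoted byte is still 'C', I (Invalid) otherwise. Treating an
    absent or empty quote as I is a simplification made for this example.
    """
    if not returned_payload:
        return "I"
    return "G" if set(returned_payload) == {ord("C")} else "I"


def observe(ttl: int, window: int, df: bool, returned_payload: Optional[bytes]) -> Dict[str, str]:
    """Turn raw response fields into the attribute strings the database uses."""
    return {
        "TTL": str(ttl),
        "W": str(window),
        "DF": "Y" if df else "N",
        "RUD": rud_test(returned_payload),
    }


# Constructed fingerprints: each attribute lists the values seen for that OS family.
FINGERPRINT_DB: Dict[str, Dict[str, Set[str]]] = {
    "Linux-like (example)":    {"TTL": {"64"},  "W": {"5840", "29200"}, "DF": {"Y"}, "RUD": {"G"}},
    "Windows-like (example)":  {"TTL": {"128"}, "W": {"8192", "65535"}, "DF": {"Y"}, "RUD": {"G"}},
    "Embedded-like (example)": {"TTL": {"255"}, "W": {"4096"},          "DF": {"N"}, "RUD": {"I"}},
}


def score(observed: Dict[str, str], fingerprint: Dict[str, Set[str]]) -> float:
    """Fraction of the fingerprint's attributes the observation matches."""
    hits = sum(1 for attr, allowed in fingerprint.items() if observed.get(attr) in allowed)
    return hits / len(fingerprint)


def best_match(observed: Dict[str, str], db: Dict[str, Dict[str, Set[str]]]) -> Tuple[str, float]:
    """Name and score of the closest fingerprint, the analogue of nmap's guess percentage."""
    return max(((name, score(observed, fp)) for name, fp in db.items()), key=lambda t: t[1])


if __name__ == "__main__":
    # Constructed observation: a host quoting the full 300-byte payload back intact.
    obs = observe(ttl=64, window=29200, df=True, returned_payload=UDP_PROBE_PAYLOAD)
    print(obs, best_match(obs, FINGERPRINT_DB))
```

A partial score is the normal case in the field: a host behind a device that rewrites TTLs or truncates the quoted payload will lose one attribute while keeping the others, which is why nmap reports a percentage rather than a yes/no answer and why a low-confidence guess should not be trusted on its own.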

What Service Version is Behind a Port?

• Uses the response from a particular port to find the version of the service.

• Syntax: nmap -sV 192.168.130.130-135

Service Detection



OS Identification and Service Detection Lab

nmap -O 192.168.10.16 (OS Identification)

nmap -O 192.168.10.13 (OS Identification)

nmap -sV 192.168.10.16 (Service Identification)

nmap -sV 192.168.10.13 (Service Identification)

nmap -sV -p1-100 192.168.10.13 (Service Identification Ports 1-100)

OS Identification and Service Detection Lab

-sC Switch

• Write and Share Scripts to automate networking tasks

• -sC (Runs NSE Default Scripts)

• Syntax: nmap -sC 192.168.17.130-135

• Syntax: nmap --script ftp-anon.nse 192.168.17.130-135

NMAP Scripting Engine


Other NSE Scripts

• smb-check-vulns.nse

• smbv2-enabled.nse

• sslv2.nse

• ssl-enum-ciphers.nse

• ftp-anon.nse

• snmp-brute.nse

NMAP Scripting Engine


NMAP Scripting Engine Lab

nmap -sC 192.168.10.16 (Default Scripts)

nmap --script ftp-anon.nse 192.168.10.10-20 (Anonymous FTP)

nmap --script smb-check-vulns.nse 192.168.10.10-20 (SMB Vulns)

nmap -sU -p53,123,161 -sC 192.168.10.10-20 (UDP Default Scripts)

nmap -sU -p53,123,161 --script snmp-brute.nse 192.168.10.10-20 (SNMP Community Strings)

NMAP Scripting Engine

Thank you for your time!

Questions and Answers


Matt Neely Gary McCully

mneely@securestate.com gmccully@securestate.com