Nmap (network mapping)
Information Networking Security and Assurance Lab, National Chung Cheng University
Port Scanners
Introduction
The first step in the process of hacking
Discover the services
Version label
Operating System
Send few packets to the host
Pre Study
TCP Packet Header
TCP conversation
Connect (three-way handshake):
Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Connection Established
Disconnect (exchanged between Client and Server):
FIN
ACK/FIN
ACK
Connection Closed
TCP Flag Definitions
Flag  Meaning
SYN   The beginning of a connection
ACK   Acknowledge receipt of a previous packet or transmission
FIN   Close a TCP connection
RST   Abort a TCP connection
Scanning for Hosts
Is the host alive? Methods:
Ping:      nmap -sP 192.168.0.1
TCP Ping:  nmap -sT 192.168.0.1
Scanning for TCP Ports
TCP connect:  nmap -sT 192.168.0.1
RPC service:  nmap -sR 192.168.0.1
SYN Scan
Nmap sends to host port   Nmap receives from host port   Nmap assumes
SYN                       SYN/ACK                        Port is open; host is up
SYN                       RST                            Port is closed; host is up
SYN                       Nothing                        Port is blocked by firewall, or host is down
nmap -sS <target host>
ACK Scan
Nmap sends to host port   Nmap receives from host port   Nmap assumes
ACK                       RST                            Port is not firewall-protected (no firewall); port may be open or closed; host is up
ACK                       Nothing or ICMP unreachable    Port is blocked by firewall if host is up (protected by firewall)
nmap -sA <target host>
FIN Scan
Nmap sends to host port   Nmap receives from host port   Nmap assumes
FIN                       RST                            Port is closed; host is up
FIN                       Nothing                        Port is open if host is up and not firewall-protected
nmap -sF <target host>
Xmas Scan
Non-normal TCP operation: set the flags FIN, URG, PUSH with -sX
nmap -sX <target host>
Null scan
Turn off all flags with -sN
nmap -sN <target host>
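As an added example (not part of the lab slides), the Python script below parses constructed 20-byte TCP headers, decodes the flags byte covered on the TCP Flag Definitions slide, and labels each probe with the scan type whose flag pattern it matches (SYN, FIN, Xmas, Null, ACK), then groups probes by source the way a defender would to tell a port scan from ordinary connections. The source addresses, ports and flag sequences are constructed sample data, not captured traffic.

```python
import struct
from collections import defaultdict

# TCP flag bits (byte 13 of the header), as listed on the TCP Flag Definitions slide
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
PROBE_TYPES = {0: "null", FIN | URG | PSH: "xmas", FIN: "fin", SYN: "syn", ACK: "ack"}

def parse_tcp_header(raw):
    """Decode the fixed 20-byte TCP header (RFC 793 layout) into its fields."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4, "flags": off_flags & 0x3F, "window": win}

def flag_names(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]

def classify_probe(flags):
    """Name the scan type whose probe carries exactly these flags (per the slides); SYN or
    ACK alone also occur in ordinary traffic, so those need the per-source count below."""
    return PROBE_TYPES.get(flags & 0x3F, "other")

def build_segment(sport, dport, flags):
    """Construct a minimal TCP header (data offset 5, no options) for the samples below."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

# Constructed (source IP, raw TCP header) records standing in for a capture; not real traffic.
SAMPLES = [("10.0.0.5", build_segment(40000 + i, port, flags)) for i, (port, flags)
           in enumerate([(22, SYN), (80, SYN), (443, SYN), (25, 0), (53, FIN | URG | PSH)])]
SAMPLES.append(("10.0.0.9", build_segment(51000, 80, SYN)))  # one ordinary connection attempt

def scan_report(records, min_ports=3):
    """Per source: probe types seen and distinct ports touched. Flag a source that sends any
    null/xmas/fin probe (never part of normal traffic) or probes at least min_ports ports."""
    ports, kinds = defaultdict(set), defaultdict(set)
    for src, raw in records:
        hdr = parse_tcp_header(raw)
        ports[src].add(hdr["dport"])
        kinds[src].add(classify_probe(hdr["flags"]))
    return {src: {"ports": len(ports[src]), "kinds": sorted(kinds[src]),
                  "flagged": len(ports[src]) >= min_ports or bool(kinds[src] & {"null", "xmas", "fin"})}
            for src in ports}

if __name__ == "__main__":
    for src, info in scan_report(SAMPLES).items():
        print(src, info)
```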
Scanning for UDP Ports
Nmap sends to host port   Nmap receives from host port   Nmap assumes
Empty UDP packet          Nothing                        Port assumed open if host responds to Ping; port may be closed if a firewall is blocking ICMP
Empty UDP packet          ICMP unreachable               Port is closed
nmap -sU <target host>
Scanning for Protocol
IP Header
nmap -sO <target host>
Hiding Your Scan
Fragmentation (-f): nmap -sS -f <target host>
  Works with -sS, -sF, -sN, -sX
Decoys (-D): nmap -D <spoof host> <target host>
FTP Bounce (-b): nmap -b anonymous@<ftp server> -p <target port> <target host>
Disable Randomizing Ports (-r): nmap -r <target host>
Timing Your Scan
Time-based algorithm using the -T option
nmap -T <name> <target host>

Name        Probe Response Timeout   Time Spent on One Host   Time between Probes   Use Parallelized Probes
Paranoid    5 min                    Unlimited                5 min                 No
Sneaky      15 sec                   Unlimited                12 sec                No
Polite      6 sec                    Unlimited                0.4 sec               No
Normal      6 sec                    Unlimited                None                  No
Aggressive  1 sec                    5 min                    None                  Yes
Insane      0.3 sec                  75 sec                   None                  Yes
TCP Reverse Ident Scanning
Who runs the process (-I)
nmap -I <target host>
OS Fingerprinting
With the -O flag
Sending specially crafted TCP and UDP headers
Analyze the results and compare the information
OS information
OS Detection on Linux
nmap -O 192.168.0.1
Mapping Networks
Scanning a Class C subnet
Mapping Networks
Port scans in IP section
Scanning Tools on Windows
NetScanTools
SuperScan
IPEye
WUPS