SecureState Powerpoint Template - ISSA: Pittsburgh...

NMAP Basics, May 10, 2011

Transcript of SecureState Powerpoint Template - ISSA: Pittsburgh...

Page 1: SecureState Powerpoint Template - ISSA: Pittsburgh (pittsburgh.issa.org/Archives/ISSA_Pittsburgh-NMAP_Basics.pdf)

NMAP Basics, May 10, 2011

Page 2

About Your Presenter

• Matt Neely

• Manager of the Profiling Team at SecureState

• Areas of Interest: convergence of physical and logical security, lock and lock picking, and all things wireless

• Co-host on the Security Justice podcast

• Co-founder of the Cleveland Chapter of TOOOL

2

Page 3

About Your Presenter

• Gary McCully

• Consultant at SecureState

• CISSP, Security+, Network+, MCP

• Web Application Security Assessments, Penetration Tests, Physical Penetration Tests, War Dialing

• Formerly worked for a Fortune 500 Company

3

Page 4

Quick Intro

• Started as a port scanner

• Released 1997

• Gordon “Fyodor” Lyon

• Free

• Windows, Linux, Unix, Mac OS

What is NMAP

Page 5

Features

• Port Scanner

• Version Detection

• OS Detection

• NMAP Scripting Engine

What is NMAP

Page 6

IP

• Internet Protocol

• It is the address of a machine

• IPv4 is most common (10.0.0.1)

• IPv6 is on the horizon (1:1:1:1:1:1:1:1)

Network Basics

Page 7

IP

Network Basics

Diagram: a packet addressed FROM 10.0.0.1 TO 10.0.0.2

Page 8

ICMP

• Internet Control Message Protocol

• Mostly used for troubleshooting

• Not Typically Used to Exchange Data

Network Basics

Page 9

ICMP (Ping)

Network Basics

Diagram: 10.0.0.1 asks 10.0.0.2 "Are you home?"

Page 10

ICMP (Ping)

Network Basics

Diagram: 10.0.0.2 answers 10.0.0.1 "Yes I am home"

Page 11

ICMP (Ping)

Network Basics

ICMP Type 8 (Echo Request)

ICMP Type 0 (Echo Reply)

Page 12

TCP

• Transmission Control Protocol

• Connection Oriented

• Reliable

Network Basics

Page 13

TCP

Network Basics

Diagram: 10.0.0.1 and 10.0.0.2

Page 14

TCP

Network Basics

Diagram: 10.0.0.1 sends 10.0.0.2 a letter marked "Please Sign For This Letter" (the signed-delivery analogy for TCP's reliability)

Page 15

Setting Up TCP Session

Network Basics

SYN (10.0.0.1 to 10.0.0.2)

SYN, ACK (10.0.0.2 to 10.0.0.1)

ACK (10.0.0.1 to 10.0.0.2)

Page 16

Tearing Down TCP Session

Network Basics

FIN/ACK (10.0.0.1 to 10.0.0.2)

ACK (10.0.0.2 to 10.0.0.1)

FIN/ACK (10.0.0.2 to 10.0.0.1)

ACK (10.0.0.1 to 10.0.0.2)

Page 17

TCP

Network Basics

Source: http://learn-networking.com

Page 18

UDP

• User Datagram Protocol

• Not Connection Oriented

• Not Reliable

Network Basics

Page 19

UDP

Network Basics

Diagram: 10.0.0.1 and 10.0.0.2

Page 20

UDP

Network Basics

Diagram: 10.0.0.1 and 10.0.0.2

Page 21

Sending Data over UDP

Network Basics

Diagram: a datagram sent from 10.0.0.1 to 10.0.0.2

Page 22

UDP

Network Basics

Source: http://learn-networking.com

Page 23

Network Basics

Ports

• Ports tell a server which service should receive a given piece of incoming data

• Ports can either be TCP or UDP

• The standard mapping of port numbers with specific services is handled by IANA (Internet Assigned Numbers Authority)

Page 24

Network Basics

Some Popular Ports

• TCP 21 (FTP) – Used for transferring files

• TCP 80 (HTTP) – Used to access Websites

• TCP 443 (HTTPS) – Used to access Websites using SSL

• TCP 3389 – Used for remote desktop

• UDP 123 – Used for time synchronization

Page 25

Connecting to a Website

Network Basics

Diagram: the browser connects to www.google.com on port 80; the web server on port 80 answers "I understand your request, here is the webpage"

Page 26

Basic Syntax

• nmap “Scan Type(s)” OPTIONS TARGETS

• Targets

– 10.0.0.1/16

– 10.0.1-255.1-255

– 10.0.0.1 10.0.0.2 10.0.0.3

– Can be read from a file

NMAP Basics

Page 27

What is Host Discovery?

• Is Host Alive?

• By Default, First Step in Scanning

• Uses TCP, UDP and ICMP

Host Discovery

Page 28

-PS Switch

• -PS (TCP SYN Ping)

• Just see if Host is Online

• Host online determined by response to SYN

• Syntax: nmap 192.168.17.130-135

• Syntax: nmap -PS8080 192.168.17.130-135

Host Discovery

Page 29

TCP SYN to 80: Host Online

SYN to port 80

SYN/ACK (open port)

RST (nmap resets the half-open connection)

Host Discovery

Page 30

TCP SYN to 80: Host Online

SYN to port 80

RST (closed port; a reply of either kind shows the host is up)

Host Discovery

Page 31

TCP SYN to 80: no reply

SYN to port 80

(nothing comes back, so the host cannot be marked online)

Page 32

Host Discovery

Page 33

-PS Switch

• Advantages:

– Looks just like normal TCP traffic

– Reliable for finding open ports

• Disadvantage

– Many Firewalls are configured to drop SYN packets destined for closed ports

Host Discovery

Page 34

-PA Switch

• -PA (TCP ACK Ping)

• Just see if Host is Online

• Host online determined by response to ACK

• Syntax: nmap -PA8080 192.168.17.130-135

Host Discovery

Page 35

-PA Switch (Important Note)

• A port, open or closed, will respond with RST

• RST is the response of a closed port

• RST is also the response to an out-of-band ACK

• Basically tells which ports are not blocked

Host Discovery

Page 36

-PA Switch

• Advantages:

– When firewalls are configured to drop SYN packets they may allow ACK packets

• Disadvantage

– If the ACK does not follow a SYN, many firewalls will block this traffic because it is viewed as invalid

Host Discovery

Page 37

-sP Switch (NMAP Default)

• -sP (Ping Scan)

• Just see if Host is Online

• Default (ICMP and TCP to port 80)

• Syntax: nmap -sP 192.168.17.130-135

Host Discovery

Page 38

-sP Switch

• Advantages:

– Quick

• Disadvantage:

– May miss machines which are online

Host Discovery

Page 39

-sL Switch

• -sL (List Scan)

• Simply Lists Targets to Scan

• No packets are sent to the hosts

• By default, DNS still resolves names

• Syntax: nmap -sL 192.168.17.130-135

Host Discovery

Page 40

-sL Switch

• Advantage:

– Nice Sanity Check

• Disadvantage:

– Never checks to see if the host is online

Host Discovery

Page 41

-PN Switch

• -PN (Skips Host Discovery Phase)

• Performs other scanning steps without determining if host is online

• Takes Longer

• Scans Hosts that may be otherwise missed

Host Discovery

Page 42

-PN Switch

• Advantages:

– Port scans machines which host discovery would have missed

• Disadvantage:

– Can take a very long time

Host Discovery

Page 43

Host Discovery Lab

Page 44

Connect to “Lab_Network”

192.168.10.2

Username: lab

Password: lab

Host Discovery Lab

Page 45

nmap -PS25-30 192.168.10.10-20 (TCP SYN)

nmap -PA135,445 192.168.10.10-20 (TCP ACK)

nmap -sP 192.168.10.10-20 (Default Option)

nmap -sL 192.168.10.1/24 (nmap list scan)

nmap -PN 192.168.10.13 (No Host Discovery)

Host Discovery Lab

Page 46

What is Port Scanning?

• Finds which ports are open

• The more open ports, the larger the attack surface

• Quickly identifies high-risk services

Port Scanning

Page 47

-sS Switch (NMAP Default)

• -sS (SYN Scan)

• Find what ports are open based on response to TCP SYN flag

• Ports are open, closed, or filtered

• Syntax: nmap -sS 192.168.17.130-135

• Syntax: nmap -sS -p21 192.168.17.130-135

Port Scanning

Page 48

TCP SYN to 80: Port Open

SYN to port 80

SYN/ACK

RST (nmap resets the half-open connection)

Port Scanning

Page 49

Port Scanning

Page 50

TCP SYN to 80: Port Closed

SYN to port 80

RST

Port Scanning

Page 51

Port Scanning

Page 52

TCP SYN to 80: Port Filtered

SYN to port 80

(no response)

Port Scanning

Page 53

Port Scanning

Page 54

-sS Switch

• Advantages:

– Looks just like normal TCP traffic

– Reliable for finding open ports

• Disadvantage:

– Many Firewalls are configured to drop SYN packets destined for closed ports

Port Scanning

Page 55

-sA Switch

• -sA (TCP ACK Scan)

• Find what ports are not filtered based on response to TCP ACK flag

• Ports are unfiltered, or filtered

• Syntax: nmap -sA 192.168.17.130-135

• Syntax: nmap -sA -p21 192.168.17.130-135

Port Scanning

Page 56

TCP ACK to 80: Port Unfiltered

ACK to port 80

RST

Port Scanning

Page 57

Port Scanning

Page 58

TCP ACK to 80: Port Filtered

ACK to port 80

(no response)

Port Scanning

Page 59

Port Scanning

Page 60

-sA Switch

• Advantages:

– When firewalls are configured to drop SYN packets they may allow ACK packets.

– Lets you know what ports are blocked by a firewall.

• Disadvantage:

– If the ACK does not follow a SYN, many firewalls will block this traffic because it is viewed as invalid.

Port Scanning
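To tie the host-discovery slides (-PS, -PA, -sP) and the TCP port-scanning slides (-sS, -sA) together, here is an added Python model, not code from the slides or from nmap, of how a host behind each firewall behaviour described above answers the probes and how nmap labels the answers. The Target class, its respond method and the three constructed hosts are assumptions made for illustration.

```python
"""Model of a TCP target and nmap's reading of its replies (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """Constructed host model: `listening` holds the TCP ports with a service bound."""
    listening: frozenset
    drop_syn_to_closed: bool = False  # firewall drops SYNs aimed at ports with no listener (slide 33)
    stateful: bool = False            # firewall drops ACKs that belong to no tracked connection (slide 36)
    answers_echo: bool = True         # host answers ICMP echo request (type 8) with echo reply (type 0)

    def respond(self, flags, port):
        """Reply to one TCP probe: 'SYN/ACK', 'RST', or None when nothing comes back."""
        if flags == "SYN":
            if port in self.listening:
                return "SYN/ACK"
            return None if self.drop_syn_to_closed else "RST"
        if flags == "ACK":
            # The host answers an unsolicited ACK with RST whether the port is open or closed
            # (slide 35); only a stateful firewall prevents that, by discarding the ACK as invalid.
            return None if self.stateful else "RST"
        raise ValueError(f"unsupported probe flags: {flags}")


# How nmap interprets each reply (slides 29-31 for -PS, 48-52 for -sS, 56-58 for -sA).

def syn_scan_state(reply):
    """-sS: SYN/ACK means open, RST means closed, silence means filtered."""
    return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]


def ack_scan_state(reply):
    """-sA: a RST means the ACK got through (unfiltered); silence means filtered."""
    return "unfiltered" if reply == "RST" else "filtered"


def syn_ping_up(target, ports):
    """-PS<ports>: host is up if any SYN draws a SYN/ACK or a RST."""
    return any(target.respond("SYN", p) is not None for p in ports)


def ack_ping_up(target, ports):
    """-PA<ports>: host is up if any bare ACK draws a RST."""
    return any(target.respond("ACK", p) is not None for p in ports)


def ping_scan_up(target):
    """-sP as documented in 2011: an ICMP echo request plus a TCP ACK to port 80."""
    return target.answers_echo or target.respond("ACK", 80) is not None


def syn_scan(target, ports):
    return {p: syn_scan_state(target.respond("SYN", p)) for p in ports}


def ack_scan(target, ports):
    return {p: ack_scan_state(target.respond("ACK", p)) for p in ports}


# Three constructed hosts, each with a web server on 80: no firewall, a stateless filter that
# drops SYNs to closed ports, and a stateful filter that also drops unsolicited ACKs.
PLAIN = Target(listening=frozenset({80}))
STATELESS_FW = Target(listening=frozenset({80}), drop_syn_to_closed=True, answers_echo=False)
STATEFUL_FW = Target(listening=frozenset({80}), drop_syn_to_closed=True, stateful=True,
                     answers_echo=False)


def main():
    for name, host in ("no firewall", PLAIN), ("stateless fw", STATELESS_FW), ("stateful fw", STATEFUL_FW):
        print(f"{name:13}  -PS8080 up={syn_ping_up(host, [8080])!s:5}  "
              f"-PA8080 up={ack_ping_up(host, [8080])!s:5}  -sP up={ping_scan_up(host)!s:5}  "
              f"-sS {syn_scan(host, [22, 80])}  -sA {ack_scan(host, [22, 80])}")


if __name__ == "__main__":
    main()
```

Nmap later renamed -sP to -sn and -PN to -Pn; the spellings used on these slides are still accepted as aliases.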

Page 61

TCP Port Scanning Lab

Page 62

nmap -sS -p1-100 192.168.10.10-20 (SYN Scan 1-100)

nmap -sS -p135,445 192.168.10.10-20 (SYN Scan 135,445)

nmap -sS 192.168.10.10-20 (Default)

nmap -sA 192.168.10.1/24 (ACK Scan)

nmap -sA -p1-100 192.168.10.10-20 (ACK Scan 1-100)

Port Scanning Lab

Page 63

-sU Switch

• -sU (UDP Scan)

• Slow compared to TCP Based Scans

• Reports ports as open, open|filtered, closed or filtered

• Syntax: nmap -sU 192.168.17.130-135

• Syntax: nmap -sU -p161 192.168.17.130-135

Port Scanning

Page 64

-sUV Switch

• -sUV (UDP Version Detection Scan)

• Higher Success rate of finding open ports

• Identifies software versions using a database of valid UDP probes

• In some cases, can take longer than -sU

Port Scanning

Page 65

UDP to 161: Port Open

UDP probe to port 161

Service responds

Port Scanning

Page 66

UDP to 161: Port Open|Filtered

UDP probe to port 161

No response

Port Scanning

Page 67

UDP to 161: Port Closed

UDP probe to port 161

ICMP port unreachable error (Type 3, Code 3)

Port Scanning

Page 68

UDP to 161: Port Filtered

UDP probe to port 161

Other ICMP unreachable errors (Type 3, Code 1, 2, 9, 10, or 13)

Port Scanning

Page 69

Port Scanning

Page 70

Port Scanning

Page 71

-sU Switch

• Advantage:

– Faster than -sUV

• Disadvantage:

– No Version Information

Port Scanning

Page 72

-sUV Switch

• Advantages:

– Provides specific version information

– Identifies more open ports

• Disadvantage:

– Slower than -sU switch

Port Scanning

Page 73

UDP Port Scanning Lab

Page 74

nmap -sU -p53,123,161 192.168.10.10-20 (UDP Scan)

nmap -sUV -p53,123,161 192.168.10.10-20 (UDP Service Detection Scan)

nmap -sU -p50-55 192.168.10.10-20 (UDP Scan 50-55)

nmap -sUV -p50-55 192.168.10.10-20 (UDP Service Detection Scan 50-55)

Port Scanning Lab

Page 75

What is Operating System Detection?

• Identifies what operating system is running

• Does this by sending up to 15 TCP, UDP, and ICMP probes

Operating System Detection

Page 76

What is Operating System Detection?

• Matches packet attributes against a database of packet attributes it has already identified

• Syntax: nmap -O 192.168.17.135

Operating System Detection

Page 77

Diagram: nmap sends 15 TCP, UDP and ICMP probes and collects the miscellaneous responses

Operating System Detection

Attributes of the response data are compared to a database of attributes

Page 78

Operating System Detection

Example: integrity of returned UDP data. The probe carries 300 'C' characters; if they come back intact the result is G (good), otherwise I (invalid).
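As an added example, not code from the slides or from nmap, the UDP scan decision table from the port-scanning slides (65-68) and the UDP data-integrity check from this slide are worked in Python over hand-built ICMP messages. The packet builder, the 10.0.0.x addresses, the source port and the use of port 161 are constructed for illustration.

```python
"""UDP probe replies as nmap reads them, plus the OS-detection UDP data-integrity (RUD) test
(added example; packets are built by hand, not captured)."""
import struct

ICMP_DEST_UNREACHABLE = 3
PORT_UNREACHABLE = 3                 # type 3, code 3: the port is closed (slide 67)
FILTERED_CODES = {1, 2, 9, 10, 13}   # other unreachable codes nmap reports as filtered (slide 68)
U1_DATA = b"C" * 300                 # payload of nmap's OS-detection UDP probe (slide 78)


def classify_udp_reply(reply):
    """reply is None (silence), ('udp', payload) or ('icmp', icmp_type, code)."""
    if reply is None:
        return "open|filtered"       # slide 66: no answer means open or filtered, cannot tell which
    if reply[0] == "udp":
        return "open"                # slide 65: the service itself answered
    _, icmp_type, code = reply
    if icmp_type == ICMP_DEST_UNREACHABLE and code == PORT_UNREACHABLE:
        return "closed"
    if icmp_type == ICMP_DEST_UNREACHABLE and code in FILTERED_CODES:
        return "filtered"
    return "open|filtered"           # not a code the slides list; treat as no evidence


def parse_icmp_unreachable(icmp):
    """Return (type, code, quoted UDP payload) from a raw ICMP destination-unreachable message.
    The 8-byte ICMP header is followed by a quote of the offending datagram: an IPv4 header whose
    length is read from its IHL field, the 8-byte UDP header, and then whatever data was kept."""
    icmp_type, code = icmp[0], icmp[1]
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    return icmp_type, code, quoted[ihl + 8:]


def rud_test(icmp):
    """RUD: 'G' when all 300 'C' bytes come back intact, otherwise 'I' (invalid or truncated)."""
    return "G" if parse_icmp_unreachable(icmp)[2] == U1_DATA else "I"


def build_unreachable(code, udp_payload, quote_bytes=None):
    """Construct an ICMP type 3 message quoting a minimal IPv4+UDP datagram that carried udp_payload
    (constructed addresses 10.0.0.1 -> 10.0.0.2, destination port 161). quote_bytes truncates the
    quote the way many stacks do, which is exactly what the RUD test is designed to notice."""
    length = 20 + 8 + len(udp_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1042, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, 161, 8 + len(udp_payload), 0)
    datagram = (ip_hdr + udp_hdr + udp_payload)[:quote_bytes]
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + datagram


def main():
    cases = {
        "service answered": ("udp", b"\x30\x26\x02\x01\x00"),
        "silence": None,
        "port unreachable, full quote": build_unreachable(PORT_UNREACHABLE, U1_DATA),
        "port unreachable, IP+8 byte quote": build_unreachable(PORT_UNREACHABLE, U1_DATA, quote_bytes=28),
        "admin prohibited (code 13)": build_unreachable(13, U1_DATA),
    }
    for label, reply in cases.items():
        if isinstance(reply, bytes):
            t, c, _ = parse_icmp_unreachable(reply)
            print(f"{label:34} {classify_udp_reply(('icmp', t, c)):14} RUD={rud_test(reply)}")
        else:
            print(f"{label:34} {classify_udp_reply(reply)}")


if __name__ == "__main__":
    main()
```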

Page 79

Operating System Detection

Page 80

What Service Version is Behind a Port?

• Uses the response from a particular port to find the version of the service.

• Syntax: nmap -sV 192.168.130.130-135

Service Detection

Page 81

Service Detection

Page 82

Service Detection

Page 83

OS Identification and Service Detection Lab

Page 84

nmap -O 192.168.10.16 (OS Identification)

nmap -O 192.168.10.13 (OS Identification)

nmap -sV 192.168.10.16 (Service Identification)

nmap -sV 192.168.10.13 (Service Identification)

nmap -sV -p1-100 192.168.10.13 (Service Identification Ports 1-100)

OS Identification and Service Detection Lab

Page 85

-sC Switch

• Write and Share Scripts to automate networking tasks

• -sC (Runs NSE Default Scripts)

• Syntax: nmap -sC 192.168.17.130-135

• Syntax: nmap --script ftp-anon.nse 192.168.17.130-135

NMAP Scripting Engine

Page 86

NMAP Scripting Engine

Page 87

NMAP Scripting Engine

Page 88

NMAP Scripting Engine

Page 89

Other NSE Scripts

• smb-check-vulns.nse

• smbv2-enabled.nse

• sslv2.nse

• ssl-enum-ciphers.nse

• ftp-anon.nse

• snmp-brute.nse

NMAP Scripting Engine

Page 90

NMAP Scripting Engine Lab

Page 91

nmap -sC 192.168.10.16 (Default Scripts)

nmap --script ftp-anon.nse 192.168.10.10-20 (Anonymous FTP)

nmap --script smb-check-vulns.nse 192.168.10.10-20 (SMB Vulns)

nmap -sU -p53,123,161 -sC 192.168.10.10-20 (UDP Default Scripts)

nmap -sU -p53,123,161 --script snmp-brute.nse 192.168.10.10-20 (SNMP Community Strings)

NMAP Scripting Engine
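After running the -O, -sV and --script labs above, a practitioner usually wants the results in a form a script can check; as an added example, not code from the slides, here is a Python reader for nmap's -oX XML output that summarises each host's best OS match, its open ports with version strings, and NSE script results. SAMPLE_XML is constructed to look like output for a lab host and is not real scan data; the element and attribute names are nmap's own XML format.

```python
"""Reader for nmap -oX output (added example, not from the slides); SAMPLE_XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed to resemble `nmap -O -sV -sC` output for a lab-style host; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -sC 192.168.10.16-17">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.10.16" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.0.8"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.X" accuracy="90"/>
      <osmatch name="FreeBSD 8.X" accuracy="85"/>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.10.17" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per host that is up: address, best OS match, open ports, NSE results."""
    hosts = []
    for host in ET.fromstring(text).findall("host"):
        if host.find("status").get("state") != "up":
            continue                                  # skipped by host discovery: no port data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        matches = host.findall("os/osmatch")
        best = max(matches, key=lambda m: int(m.get("accuracy")), default=None)
        entry = {"addr": addr, "os": None if best is None else best.get("name"),
                 "open_ports": [], "scripts": []}
        for port in host.findall("ports/port"):
            proto, portid = port.get("protocol"), int(port.get("portid"))
            if port.find("state").get("state") == "open":   # open|filtered stays out of the list
                svc = port.find("service")
                parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
                entry["open_ports"].append((proto, portid, " ".join(p for p in parts if p)))
            for script in port.findall("script"):
                entry["scripts"].append((portid, script.get("id"), script.get("output")))
        hosts.append(entry)
    return hosts


def hosts_with_script(hosts, script_id):
    """Addresses where an NSE script produced output, e.g. ftp-anon from the lab above."""
    return [h["addr"] for h in hosts if any(s[1] == script_id for s in h["scripts"])]


def main():
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(f"{h['addr']}  OS: {h['os']}")
        for proto, portid, label in h["open_ports"]:
            print(f"  {portid}/{proto} open  {label}")
        for portid, sid, out in h["scripts"]:
            print(f"  [{sid} on {portid}] {out}")
    print("anonymous FTP on:", hosts_with_script(hosts, "ftp-anon"))


if __name__ == "__main__":
    main()
```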

Page 92

Thank you for your time!

Questions and Answers

Matt Neely Gary McCully

[email protected] [email protected]