NMAP
Ana Chanaba, Robert Huylo
nmap “network mapper”
• Security tool
  - What does your system look like to someone who is trying to break in?
  - Find the holes in your security before somebody else does
• nmapFE v3.81
  - graphical frontend to nmap
  - rpm available at www.insecure.org/nmap
  - lab102 & lab103
Basic nmap functions
1.) Host Discovery
  - Which hosts are up (IP addresses)
  - Ping scans
2.) Port Scanning
  - Which ports of a target host have servers listening on them
  - Allows a guess at the software and services a machine is running
3.) OS Detection
  - TCP/IP fingerprinting
Anatomy of an nmap argument
nmap -sS -PO -O -p 1-1024 134.198.161.*
  -s_ : Scan type
  -P_ : Ping type
  -O : Optional OS detection
  -p #-# : port range
  IP range: 134.198.161.0/24, 134.198.161.1-254
1.) Host Discovery
• Determine which hosts are up
  - Does not include port scans or OS detection
  nmap -sP 134.198.161.*
  - Utilizes a variety of messaging protocols
  - ICMP/TCP/UDP
• Firewall interference
  - Firewalls check to see if packets are part of a previously established connection
• Used before a port scan
  - Ping sweep (-sP)
  - Check to see if a host is up before scanning its ports
Customizing Pings
  -PO : ICMP
  -PA : TCP ACK
  -PU : UDP
  -PP : ICMP timestamp
  -PM : Netmask request
  -PS : TCP SYN
  -PB : (default) TCP ACK & ICMP
Ping specific ports: nmap -sP -PO25 ….
2.) Port Scanning
• Insight into what services a host may be running
• “Well-known” or “Interesting” ports
  - 1-1024
  - 65,535 total TCP & UDP ports
• Scan displays (for each port)
  - Service name
  - Port number
  - Port state
  - Protocol
Scanning Options
• nmap -sS …
  - TCP SYN scan
  - default port scan for an nmap user with root privileges
  - “half-open”: skips the last step of the 3-way handshake and probes without completing a connection, for stealth
• nmap -sT …
  - TCP connect() scan
  - default port scan for an unprivileged (non-root) nmap user
  - requires a full connection, so it is easily detectable
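The stealth claim above is relative: a half-open SYN scan never completes the handshake, so it leaves no trace in application or connection logs, but a packet filter that logs inbound SYNs still sees one SYN per probed port. This added Python example (not from the slides) parses constructed netfilter-style SYN log lines and flags any source that touched an unusually large number of distinct destination ports; the log format, the addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed netfilter-style log lines (sample data, not from the slides).
# Assumed logging rule on the gateway, e.g.
#   iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN: "
# A SYN scan sends one SYN per probed port, so it fans out across many
# destination ports; the two trailing lines model an ordinary HTTPS client.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]
SAMPLE_LOG = "\n".join(
    [f"Mar  1 10:00:01 gw kernel: SYN: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 "
     f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
     for i, port in enumerate(SCANNED_PORTS)]
    + [f"Mar  1 10:00:05 gw kernel: SYN: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 "
       f"PROTO=TCP SPT={51000 + i} DPT=443 SYN" for i in range(2)]
)

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) SYN\b"
)


def parse_syn_events(log_text):
    """Return a list of (src, dst, dport) tuples, one per logged inbound SYN."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def find_port_sweeps(log_text, threshold=10):
    """Map each source that sent SYNs to at least `threshold` distinct
    destination ports to the sorted list of ports it touched."""
    ports_by_src = defaultdict(set)
    for src, _dst, dport in parse_syn_events(log_text):
        ports_by_src[src].add(dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} ports {ports}")
```

The same fan-out heuristic applies to connect() scans, which additionally show up as completed connections in the service's own logs.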
Port States
• open: will accept connections
• filtered: a firewall or other network obstacle is covering the port
• unfiltered or closed: determined to be closed with no obstacles or interference
  - most common case
Scanning Options
• Avoid SYN scanning to probe beyond a firewall
  -sF : Stealth FIN scan
  -sX : Xmas tree scan
  -sN : Null scan
  -sV : Version detection
  -sU : UDP scan
  -sI : Idlescan
  -sA : ACK scan
  -b : bounce attack (FTP)
3.) OS Detection
• nmap -O …
• TCP/IP fingerprinting
• OS guess made by looking at the particulars of how a host implements TCP/IP
  - Includes a possible range of versions and an “uptime” test
• Fingerprint compared to a DB of known OS fingerprints
• Nmap sends seven crafted TCP/IP packets (called tests) and waits for the answers. The results are checked against a database of known results (the OS signatures database).
• This database is a text file that contains the result answered (signature) by each known OS.
OS Detection: Reasons to hide your OS
• Security: a hacker could base an attack on a host on known weaknesses in the target OS
• Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
• Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS
• It could be convenient for other software companies to offer you a new OS environment
OS Detection
• There are many techniques to fingerprint networking stacks. If you combine enough of these, you can narrow down the OS very tightly.
• You can start out as simply as "nmap -O -sS targethost".
OS Detection
• -O requires root privileges; nmap uses this information to create a fingerprint and decide what type of system you are scanning.
• OS detection is far more effective if at least one open and one closed TCP port are found.
Miscellaneous options
• -A turns on OS detection too.
• -F tells nmap to scan only the ports registered in nmap-services.
• -T4 causes nmap to go faster.
• -I gives the username that owns the available processes.
• -iR instructs nmap to scan random hosts for you.
Misc. Options
-v : verbose. This is a highly recommended option and it gives out more information. You can use it twice for better effect.
-d : debug mode
-p : port range, the ports you want to specify
-T : scan timing or throttling options <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
  - Addresses concerns about detection and about crashing the host
OS DETECTION
• nmap -O 134.198.161.254
• nmap -A -T4 -F 134.198.161.101
• nmap -A -T4 134.198.161.101
• RPC services are treated with brute force: the RPC scanner determines the version.
• nmap -sS -p 80 -O -v 134.198.161.254
References
• nmap & nmapFE man pages
• www.insecure.org
• Text Chp 21.7
• www.linux.org