Transcript Slide 1

NMAP
Ana Chanaba
Robert Huylo
nmap "network mapper"

Security tool
- What does your system look like to someone who is trying to break in?
- Find the holes in your security before somebody else does.

nmapFE v3.81
- graphical frontend to nmap
- rpm available at www.insecure.org/nmap
- lab102 & lab103
Basic nmap functions
1.) Host Discovery
- Which hosts are up (IP addresses)
- Ping scans
2.) Port Scanning
- Which ports of a target host have servers listening on them
- Allows a guess at the software and services a machine is running
3.) OS Detection
- TCP/IP fingerprinting
Anatomy of an nmap argument
nmap -sS -P0 -O -p 1-1024 134.198.161.*
-s_ : Scan type (here -sS, TCP SYN scan)
-P_ : Ping type (here -P0, digit zero: skip the ping and scan every target as if it were up)
-O : Optional OS detection
-p #-# : port range
IP range (three ways of naming hosts on the 134.198.161 network):
134.198.161.0/24, 134.198.161.1-254, 134.198.161.*
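The three target notations above are the part of the argument people most often get wrong (a /24 includes .0 and .255, a 1-254 range does not). As an added example, not code from the slides or from nmap, here is a small expander for that notation using only the Python standard library; the comma-separated octet list form (134.198.161.1,5,10-20) is an assumption taken from nmap's own syntax rather than from the slide, and omitted range bounds and IPv6 are deliberately not handled.

```python
"""Expand an nmap-style target expression into the hosts it names.

Added example for this slide (not nmap's own code). It reproduces the
notation in the slide: a CIDR block (134.198.161.0/24), a range in any
octet (134.198.161.1-254) and a wildcard octet (134.198.161.*), plus
comma-separated lists per octet (134.198.161.1,5,10-20), which nmap also
accepts. Omitted range bounds and IPv6 are deliberately not handled.
"""
import ipaddress
import itertools


def _octet_values(octet):
    """Return the sorted set of values one octet field denotes."""
    values = set()
    for part in octet.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError("bad octet range %r" % part)
            values.update(range(lo, hi + 1))
        else:
            n = int(part)
            if not 0 <= n <= 255:
                raise ValueError("bad octet %r" % part)
            values.add(n)
    return sorted(values)


def expand_targets(expr):
    """Return the list of IPv4 addresses, as strings, named by expr."""
    expr = expr.strip()
    if "/" in expr:
        # CIDR form: nmap includes the network and broadcast addresses,
        # so a /24 yields 256 targets.
        return [str(ip) for ip in ipaddress.ip_network(expr, strict=False)]
    octets = expr.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted quad, CIDR block or octet range: %r" % expr)
    choices = [_octet_values(o) for o in octets]
    return [".".join(str(n) for n in combo) for combo in itertools.product(*choices)]


if __name__ == "__main__":
    for spec in ("134.198.161.0/24", "134.198.161.1-254", "134.198.161.*"):
        hosts = expand_targets(spec)
        print("%-20s -> %d hosts, %s .. %s" % (spec, len(hosts), hosts[0], hosts[-1]))
```

Running it shows that the /24 and the wildcard both name 256 addresses while 1-254 names 254; when a scan report has fewer hosts than you expected, this difference is the first thing to check.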
1.) Host Discovery

Determine which hosts are up
- Does not include port scans or OS detection
nmap -sP 134.198.161.*
- Utilizes a variety of messaging protocols: ICMP, TCP and UDP probes

Firewall interference
- Stateful firewalls check whether a packet is part of a previously established connection, so a lone ICMP echo or TCP ACK probe may be dropped and a live host reported as down

Used before a port scan
- Ping sweep (-sP)
- Checks whether a host is up before spending time scanning its ports
Customizing Pings
-PE : ICMP echo request
-PA : TCP ACK
-PU : UDP
-PP : ICMP timestamp request
-PM : ICMP netmask request
-PS : TCP SYN
-PB : (default) TCP ACK & ICMP echo
-P0 : no ping at all; every target is treated as up
Ping specific ports (the port list attaches to -PS, -PA and -PU; the ICMP probes take none):
nmap -sP -PS25 ….
2.) Port Scanning

Insight into what services a host may be running
"Well-known" or "interesting" ports
- 0-1023 are the well-known ports; nmap's default scan covers 1-1024 plus the higher ports listed in its nmap-services file
- 65,535 usable ports for TCP and another 65,535 for UDP

Scan displays (for each port):
- Port number
- Protocol
- Port state
- Service name
Scanning Options

nmap -sS …
- TCP SYN scan
- default port scan when nmap runs with root privileges (raw sockets are needed)
- "half-open": sends a SYN, reads the SYN/ACK or RST, then tears down with a RST instead of completing the 3-way handshake, so no connection is established and the application never sees it
nmap -sT …
- TCP connect() scan
- default port scan for an unprivileged nmap user
- requires a full connection, so the accepting application can log it; easily detectable
Port States

open: a server is accepting connections on the port
filtered: a firewall or other network obstacle is blocking the probe, so nmap cannot tell whether the port is open
closed: reachable (the host answers with a RST) but nothing is listening
- most common case
unfiltered: reachable, but the scan type used (e.g. -sA) cannot tell open from closed
open|filtered: no response at all, as happens with UDP, FIN, Null and Xmas scans, where silence can mean either
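The connect() scan and the open/closed/filtered states described above can be reproduced without nmap. The following is an added example written for these slides, not code from them or from nmap: it starts a throw-away listener on the loopback, scans one open and one closed port with a full connect(), maps the outcome to the same state names nmap prints, and records on the listener side that the scan was seen, which is the concrete reason -sT is "easily detectable". The host 127.0.0.1 and the timeout value are assumptions of the example.

```python
"""A TCP connect() scan (nmap -sT) against a throw-away local listener.

Added example, not nmap's code. It classifies ports the way the slide's
port table does: a completed handshake is "open", a RST (ECONNREFUSED)
is "closed", and no answer before the timeout is "filtered". The listener
records every accepted connection, which is the reason -sT is easy to
spot from the target side: the connection is fully established and the
application sees it, whereas a half-open -sS probe is reset after the
SYN/ACK and never reaches accept().
"""
import socket
import threading
import time

HOST = "127.0.0.1"  # scan the loopback only; a real target needs authorisation


def start_listener():
    """Start a TCP server on a free port; return (socket, port, connection log)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))            # port 0: let the OS pick a free port
    srv.listen(5)
    log = []                       # what an application log would record

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return             # listener was closed
            log.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], log


def free_port():
    """Find a port with nothing listening, to demonstrate the closed state."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=1.0):
    """Classify one port from the outcome of a full connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"            # host answered with a RST
    except OSError:
        return "filtered"          # timeout or unreachable: something dropped it
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Scan the given ports; return {port: state} like nmap's port table."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo():
    """Scan one open and one closed loopback port; return (states, open, closed, hits)."""
    srv, open_port, log = start_listener()
    closed_port = free_port()
    states = connect_scan(HOST, [open_port, closed_port])
    deadline = time.time() + 2.0   # give the listener thread a moment to log the hit
    while not log and time.time() < deadline:
        time.sleep(0.01)
    srv.close()
    return states, open_port, closed_port, len(log)


if __name__ == "__main__":
    states, open_port, closed_port, hits = demo()
    for port in (open_port, closed_port):
        print("%5d/tcp %s" % (port, states[port]))
    print("connections seen by the listener: %d" % hits)
```

The listener's log ends up with exactly one entry, from the probe of the open port; a SYN scan of the same port would leave that log empty, which is the whole difference between -sT and -sS from the defender's point of view. The "filtered" branch only fires when the probe times out or the network reports the host unreachable, so against the loopback you will never see it.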
Scanning Options

Avoid SYN scanning to probe beyond a firewall: a SYN is exactly what a packet filter expects to block, while unusual flag combinations may be passed through
-sF : Stealth FIN scan (a closed port answers RST, an open port stays silent on an RFC-compliant stack)
-sX : Xmas tree scan (FIN, PSH and URG set)
-sN : Null scan (no flags set)
-sV : Version detection (talks to the open ports to identify the service and its version)
-sU : UDP scan (an ICMP port unreachable means closed; silence means open|filtered)
-sI : Idlescan (bounces probes off a "zombie" host with predictable IP IDs, so the target sees the zombie's address, not yours)
-sA : ACK scan (maps firewall rules: reports filtered vs unfiltered, never open)
-b : FTP bounce attack (abuses an FTP server's PORT command to scan a third host on your behalf)
Caveat: the FIN, Xmas and Null scans rely on RFC 793 behaviour; Microsoft stacks answer every such probe with a RST, so they show all ports closed
3.) OS Detection

nmap -O …
TCP/IP fingerprinting
OS guess made by looking at the particulars of how a host implements TCP/IP
- Includes a possible range of versions and an "uptime" guess (derived from the TCP timestamp option)
Fingerprint compared to a database of known OS fingerprints
Nmap sends seven crafted TCP packets (tests T1-T7: four aimed at an open port, three at a closed one), plus a UDP packet to a closed port, and waits for the answers. The results are checked against a database of known results (the OS signature database, nmap-os-fingerprints). This database is a text file that lists, for each known OS, the answers (the signature) that OS gives to each test.
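To make "compared to a database of known fingerprints" concrete, here is an added example, not nmap's own matcher and not code from the slides. It parses a small database written in the spirit of the first-generation nmap-os-fingerprints text format (one "Fingerprint" line followed by test lines of %-separated attribute=value pairs, with "|" for alternatives and "<" or ">" for hexadecimal comparisons) and scores a set of observed responses against every entry. Both the two database entries and the observed responses are constructed for the example; real entries carry more tests and attributes.

```python
"""Match observed probe responses against an OS fingerprint database.

Added example, not nmap's own matcher. SAMPLE_DB is constructed for
illustration in the spirit of the first-generation nmap-os-fingerprints
text format: a "Fingerprint <name>" line, then one line per test
(TSeq, T1..T7, PU) holding %-separated attribute=value pairs, where "|"
lists alternatives and "<"/">" compare hexadecimal values. Real entries
carry more tests and attributes; the matching rule is the same: an entry
whose every compared attribute agrees with what the target sent back is
reported as the OS, anything less is only a guess.
"""
import re

SAMPLE_DB = """\
Fingerprint Linux 2.4.x (constructed example)
TSeq(Class=RI%gcd=<6%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0|7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
PU(Resp=Y%DF=N%TOS=C0%RIPCK=E)

Fingerprint Windows 2000 (constructed example)
TSeq(Class=RI%gcd=<6%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
PU(Resp=Y%DF=N%TOS=0%RIPCK=E)
"""

# Constructed responses "seen" from a target: what nmap would have decoded
# from the replies to its T1..T3, PU and ISN-sampling (TSeq) probes.
OBSERVED = {
    "TSeq": {"Class": "RI", "gcd": "1", "IPID": "Z", "TS": "100HZ"},
    "T1": {"Resp": "Y", "DF": "Y", "W": "7FFF", "ACK": "S++", "Flags": "AS", "Ops": "MNNTNW"},
    "T2": {"Resp": "N"},
    "T3": {"Resp": "Y", "DF": "Y", "W": "16A0", "ACK": "S++", "Flags": "AS", "Ops": "MNNTNW"},
    "PU": {"Resp": "Y", "DF": "N", "TOS": "C0", "RIPCK": "E"},
}

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_db(text):
    """Parse the database text into [(name, {test: {attr: expected}}), ...]."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        name = lines[0].split(" ", 1)[1]            # drop the "Fingerprint" keyword
        tests = {}
        for line in lines[1:]:
            m = TEST_LINE.match(line.strip())
            if not m:
                continue
            attrs = {}
            for pair in m.group(2).split("%"):
                key, _, value = pair.partition("=")
                attrs[key] = value
            tests[m.group(1)] = attrs
        entries.append((name, tests))
    return entries


def value_matches(observed, expected):
    """One attribute: any '|' alternative may match; '<'/'>' compare as hex."""
    for alt in expected.split("|"):
        if alt[:1] in ("<", ">"):
            try:
                obs, bound = int(observed, 16), int(alt[1:], 16)
            except ValueError:
                continue
            if (obs < bound) if alt[0] == "<" else (obs > bound):
                return True
        elif observed == alt:
            return True
    return False


def score(observed, fingerprint):
    """Count (matched, compared) attributes over the tests both sides have."""
    matched = compared = 0
    for test, attrs in fingerprint.items():
        for key, expected in attrs.items():
            if test in observed and key in observed[test]:
                compared += 1
                if value_matches(observed[test][key], expected):
                    matched += 1
    return matched, compared


def best_guess(observed, db_text=SAMPLE_DB):
    """Rank entries by agreement; 1.0 is an exact match, anything less is a guess."""
    ranked = []
    for name, tests in parse_db(db_text):
        matched, compared = score(observed, tests)
        ranked.append((matched / compared if compared else 0.0, name))
    ranked.sort(reverse=True)
    return ranked


if __name__ == "__main__":
    for ratio, name in best_guess(OBSERVED):
        print("%5.1f%%  %s" % (100 * ratio, name))
```

With the constructed data the Linux entry agrees on every compared attribute and the Windows entry on 13 of 21; note that tests a target did not answer (here T2) contribute nothing, which is why nmap wants both an open and a closed port available before it will commit to a guess.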
OS Detection
Reasons to hide your OS
- Security: an attacker can base an attack on a host on the known weaknesses of the target OS
- Revealing your OS makes it easier to find, and successfully run, an exploit against any of your devices
- Knowing your OS also lets people guess which applications you are running on it, which is more dangerous still
- It is also convenient for other software companies, who can target you with offers of a new OS environment
OS Detection

There are many techniques to fingerprint networking stacks; if you combine enough of them, you can narrow down the OS very tightly.
You can start out as simply as "nmap -O -sS targethost".
OS Detection

-O requires root privileges (it sends raw packets). nmap uses the responses to build a fingerprint and decide what type of system you are scanning.
OS detection is far more effective if at least one open and one closed TCP port are found, because some of the tests are aimed at an open port and others at a closed one.
Miscellaneous options

-A : aggressive; turns on OS detection (-O) and version detection (-sV)
-F : fast; tells nmap to scan only the ports listed in nmap-services
-T4 : causes nmap to go faster (Aggressive timing)
-I : ident scan; asks the target's identd for the username that owns each listening process (only works with a connect() scan against a host running identd)
-iR <num hosts> : instructs nmap to pick that many random Internet hosts for you
Misc. Options
-v : verbose. Highly recommended; prints more information. Use it twice (-vv) for even more.
-d : debug mode
-p : port range; which ports you want to scan
-T : scan timing or throttling: <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> (equivalently -T0 to -T5)
- addresses concerns about being detected by an IDS and about crashing the host
OS DETECTION

nmap -O 134.198.161.254
nmap -A -T4 -F 134.198.161.101
nmap -A -T4 134.198.161.101
RPC services are treated with brute force: the RPC scan (-sR, also run as part of -sV) floods every open port with SunRPC NULL calls to determine which RPC program and version is behind it
nmap -sS -p 80 -O -v 134.198.161.254
- with only port 80 scanned, nmap usually has no closed port to probe, so expect a less certain OS guess
References
- nmap & nmapFE man pages
- www.insecure.org
- Text Chp 21.7
- www.linux.org