Saturday, May 16, 2009

Scanning with nmap

Nmap Security Scanner
  • Developed by Fyodor, Nmap (“Network Mapper”) is a free / open-source utility for network exploration and security auditing.
  • Linux Journal’s Editor’s Choice Award for Best Security Tool
  • LinuxQuestions.Org Security App of the Year award
  • - 1. Nmap (56.45%), 2. Snort (15.5%), 3. Nessus (14.9%)
  • Info World’s Best Information Security Product award
  • Codetalker Digest Security Product of the Year award

Sweeping with nmap
  • # nmap [options]
  • By default Nmap pings targets before scanning them and port-scans only the hosts that answer (‘up’)
  • Sweep types:
  • -sP: Ping Scan only, no port scan (newer Nmap releases spell this -sn; -sP is still accepted)
  • -PN: Disable Ping, treat every target as up (newer releases spell this -Pn)
  • -PS: TCP SYN Ping (comma-separated port list)
  • -PA: TCP ACK Ping (requires raw-socket privileges)
  • -PU: UDP Ping
  • -PE,-PP,-PM: ICMP Ping Types [Echo (8/0), Timestamp (13/14), Address Mask (17/18)]
  • -PO: IP Protocol Ping [default protocols ICMP (1), IGMP (2) and IP-in-IP (4)]
  • -PR: ARP Ping (only meaningful on the local Ethernet segment, where it is far more reliable than IP-level probes)
  • Defaults:
  • Privileged users: -PE + -PA (port 80) | targets on the local segment = -PR
  • Unprivileged: -PS (a connect() to port 80, since raw packets are unavailable)

Traceroute with Nmap
  • --traceroute
  • Chooses the probe type most likely to get through, based on the port-scan results so far
  • - ICMP echo | TCP to a specific (open) port | UDP to a specific port
  • Sends probes in parallel
  • “Goes backwards” for efficiency: starts with a high TTL instead of walking up from TTL 1
  • Sends a probe with a high TTL guessed from the scan results so far, then homes in on the exact hop count:
  • - If the end host answers, the TTL was high enough: lower it
  • - If an ICMP Time Exceeded message comes back, the TTL was too low: raise it

Port Selection Examples (-p | -F)
  • -p 22 (Scan a single port)
  • -p ssh (Specify port names rather than numbers)
  • -p 22,25,80 (Multiple ports separated with commas; the protocol is determined by the scan type)
  • -p 80-85,443,8000-8005,8080-8085 (Ranges specified with [-], multiple ranges separated by [,])
  • -p -100,60000- (Omit the start of a range to begin at 1, or the end to stop at 65535; for a protocol scan (-sO) the upper bound is 255)
  • -p- (Omit both ends to scan the entire range 1-65535; port 0 is only scanned if asked for explicitly, e.g. -p0-)
  • -p T:21,23,110,U:53,111,137,161 (For scans that include both UDP and TCP, a T: or U: prefix selects the protocol for the ports that follow it)
  • -p http* (Wildcards may be used to match ports with similar names (may need to shell-escape))
  • -p 1-1023,[1024-] (Enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services)
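The -p grammar above is small enough to implement end to end. The following Python parser is an added example, not Nmap's own code: it handles numbers, ranges, ranges with an omitted end, the bare "-", and T:/U: prefixes; service names, wildcards and the bracketed nmap-services lookup are left out because they need the nmap-services file. The function names are this example's own.

```python
"""Parse the -p port-specification syntax listed above (added example, not Nmap code)."""

MAX_PORT = 65535


def _expand(item):
    """One list element: '22', '80-85', '-100' (1-100) or '60000-' (60000-65535)."""
    if "-" not in item:
        ports = [int(item)]
    else:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1            # omitted start -> 1
        hi = int(hi) if hi else MAX_PORT     # omitted end   -> 65535
        if lo > hi:
            raise ValueError(f"inverted range: {item}")
        ports = range(lo, hi + 1)
    for p in ports:
        if not 0 <= p <= MAX_PORT:
            raise ValueError(f"port out of range: {item}")
    return ports


def parse_port_spec(spec, default_proto="T"):
    """Return {'T': [...], 'U': [...]} sorted port lists for a -p argument.

    A 'T:' or 'U:' prefix switches the protocol for that element and every
    element after it, which is how '-p T:21,23,U:53,111' reads."""
    spec = spec.replace(" ", "")
    if not spec:
        raise ValueError("empty port specification")
    if spec == "-":                            # -p- : 1-65535 (port 0 only via -p0-)
        spec = "1-"
    result = {"T": set(), "U": set()}
    proto = default_proto
    for item in spec.split(","):
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in result:
            proto, item = item[0].upper(), item[2:]
        if not item:
            raise ValueError("empty list element")
        result[proto].update(_expand(item))
    return {proto: sorted(ports) for proto, ports in result.items()}


def describe(spec):
    """How many ports per protocol a spec expands to; handy before a slow UDP scan."""
    return {proto: len(ports) for proto, ports in parse_port_spec(spec).items()}


if __name__ == "__main__":
    print(describe("-100,60000-"), describe("T:21,23,110,U:53,111,137,161"))
```

describe() is worth running before committing to a -p list on a UDP scan: the rate-limiting discussed later makes every extra port expensive.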

TCP Header (RFC 793 + 3168)

Port Scanning with Nmap
  • -sT: TCP connect() scan (completes the three-way handshake; the only TCP scan available without raw-socket privileges)
  • -sS: SYN scan (aka “half-open”)
  • - Harder to detect: the handshake is never completed, so many services never log the connection
  • - Much quicker
  • -sF, -sN, -sX: FIN, NULL, and Xmas scans
  • - RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66 - regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
  • - Compliant systems respond to packets not containing SYN, RST, or ACK bits with RST if the port is closed and with nothing if the port is open; Nmap therefore reports no response as open|filtered. Windows and many Cisco devices send RST regardless of port state, so against them these scans show every port closed.
  • --scanflags: Custom Scan Types
  • - Any combination of URG, ACK, PSH, RST, SYN, and FIN
  • - Non-delimited list (e.g. URGACKPSHRSTSYNFIN); a numeric flag value such as 9 (PSH+FIN) is also accepted
  • - Responses are interpreted as for a SYN scan unless a base type such as -sA is given as well
  • -sA: TCP ACK scan
  • - Does not determine port state
  • - Useful to map firewall rulesets and whether they are stateful or not
  • - ‘open’ and ‘closed’ reachable ports reply RST = ‘unfiltered’
  • - ‘filtered’ ports don’t respond or send ICMP errors
  • -sW: Window TCP scan
  • - Same as ACK scan, but examines the TCP Window value of the RST: on the minority of systems that leak it, a positive window means open and zero means closed
  • -sM: Maimon scan (FIN/ACK)
  • - Uriel Maimon (Phrack Magazine, Nov. 1996)
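Every scan type in this section is a TCP header with a different flag byte, and the “TCP Header (RFC 793 + 3168)” slide above is what a raw-socket scanner has to build by hand. The following Python is an added example, not Nmap's code: parse_scanflags() accepts the same mashed-together names as --scanflags (plus the RFC 3168 ECN bits ECE and CWR), build_tcp_segment() emits a 20-byte header with a correct pseudo-header checksum, and checksum_ok() verifies one. The addresses, ports and function names are this example's own.

```python
"""Build and decode the TCP header the scan types above manipulate (added example)."""
import socket
import struct

# Control bits, low to high: RFC 793 FIN..URG, then RFC 3168 ECE and CWR.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Nmap's named scan types expressed as flag bytes.
SCAN_FLAGS = {"-sS": 0x02, "-sN": 0x00, "-sF": 0x01, "-sX": 0x29,
              "-sA": 0x10, "-sM": 0x11}


def parse_scanflags(spec):
    """'URGPSHFIN' -> 0x29; a decimal value such as '9' (PSH|FIN) also works."""
    if spec.isdigit():
        value = int(spec)
        if value > 0xFF:
            raise ValueError("flag value must fit in one byte")
        return value
    spec, value = spec.upper(), 0
    for i in range(0, len(spec), 3):
        name = spec[i:i + 3]
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown flag near {spec[i:]!r}")
        value |= TCP_FLAGS[name]
    return value


def flag_names(value):
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def _ones_complement_sum(data):
    """Internet checksum (RFC 1071) over data, zero-padded to 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_length):
    # RFC 793 s.3.1: source, destination, zero, protocol (6), TCP length.
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_length))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags,
                      seq=0, ack=0, window=1024, payload=b""):
    """Return header (no options) + payload with the checksum filled in."""
    data_offset = 5 << 4                   # five 32-bit words, reserved bits 0
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset, flags, window, 0, 0)
    csum = _ones_complement_sum(
        _pseudo_header(src_ip, dst_ip, len(header) + len(payload))
        + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_tcp_header(segment):
    fields = struct.unpack("!HHIIBBHHH", segment[:20])
    sport, dport, seq, ack, off_res, flags, window, csum, urg = fields
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flag_names(flags),
            "window": window, "checksum": csum, "urgent": urg}


def checksum_ok(src_ip, dst_ip, segment):
    """A valid segment (checksum field included) sums to all ones, i.e. 0 here."""
    return _ones_complement_sum(
        _pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    xmas = build_tcp_segment("192.0.2.10", "192.0.2.20", 40000, 22,
                             parse_scanflags("URGPSHFIN"))
    print(parse_tcp_header(xmas), checksum_ok("192.0.2.10", "192.0.2.20", xmas))
```

Because the pseudo-header is part of the checksum, a segment whose source or destination address was rewritten in flight (NAT, or a spoofed-source scan built carelessly) fails checksum_ok() even though the 20 header bytes are untouched; that is exactly why a raw-socket scanner recomputes it per target.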

FTP Bounce Scan
  • RFC 959 October 1985 - File Transfer Protocol
  • DATA PORT (PORT)
  • “The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation).
  • The fields are separated by commas.
  • A port command would be:
  • PORT h1,h2,h3,h4,p1,p2
  • where h1 is the high order 8 bits of the internet host address.”

FTP Bounce Scan (-b) with Nmap
  • -b [<username>[:<password>]@]<server>[:<port>] (defaults: username anonymous, password -wwwuser@, port 21)
  • Most modern FTP servers have fixed this vulnerability by refusing a PORT that names a host other than the client, but many printers that support FTP still ship with third-party forwarding turned on by default
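The RFC 959 PORT encoding quoted above and the check a fixed server applies are both short enough to show in full. The following Python is an added example, not Nmap's or any FTP server's code: it encodes and decodes the h1,h2,h3,h4,p1,p2 argument, drives a bounce scan through a stand-in relay, and contrasts an open relay, a relay that only refuses privileged ports (the "doesn't allow privileged ports" case), and a hardened relay. Addresses are from the RFC 5737 documentation ranges; the reading of reply codes in bounce_result() follows the RFC 959 meanings (150/226 data connection opened, 425 can't open data connection) and is this example's assumption, not a transcript of Nmap's logic.

```python
"""RFC 959 PORT encoding, the bounce, and the server-side checks (added example)."""
import ipaddress


def encode_port_argument(host, port):
    """'192.0.2.10', 1234 -> '192,0,2,10,4,210' (h1..h4, then p1 = high byte, p2 = low byte)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    octets = ipaddress.IPv4Address(host).packed
    return ",".join(str(b) for b in octets) + f",{port >> 8},{port & 0xFF}"


def decode_port_argument(arg):
    """'192,0,2,10,4,210' -> ('192.0.2.10', 1234); rejects malformed input."""
    try:
        fields = [int(f) for f in arg.split(",")]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PORT needs six fields in 0..255")
    return ".".join(str(f) for f in fields[:4]), (fields[4] << 8) | fields[5]


def port_allowed(control_peer_ip, arg):
    """Hardened policy: the data host must be the control-connection peer
    (which kills the bounce outright) and the port must not be privileged."""
    host, port = decode_port_argument(arg)
    if host != control_peer_ip:
        return False, "data host differs from control-connection peer (bounce)"
    if port < 1024:
        return False, "privileged data port"
    return True, "ok"


def deny_privileged_only(peer_ip, arg):
    """The partial fix seen on many relays: any host, but no ports below 1024."""
    return decode_port_argument(arg)[1] >= 1024, "privileged port check only"


def bounce_result(reply_code):
    """Assumption: an opened/completed data connection means the victim accepted
    the connection (open); 425 means it refused (closed)."""
    if reply_code in (150, 226):
        return "open"
    if reply_code == 425:
        return "closed"
    return "unknown"


def bounce_scan(relay_send, target_ip, ports):
    """Drive a bounce scan; relay_send(command) -> reply code stands in for the
    control connection to the FTP relay."""
    states = {}
    for port in ports:
        code = relay_send("PORT " + encode_port_argument(target_ip, port))
        if code != 200:                          # relay rejected the PORT
            states[port] = f"relay refused ({code})"
            continue
        states[port] = bounce_result(relay_send("LIST"))
    return states


def make_relay(victim_open_ports, policy=None, client_ip="203.0.113.5"):
    """Constructed FTP relay: honours PORT unless policy(peer, arg) refuses it,
    then 'connects' to the named host/port when LIST is issued."""
    pending = {}

    def send(command):
        if command.startswith("PORT "):
            if policy is not None and not policy(client_ip, command[5:])[0]:
                return 500
            pending["target"] = decode_port_argument(command[5:])
            return 200
        if command == "LIST":
            _host, port = pending["target"]
            return 150 if port in victim_open_ports else 425
        return 502
    return send


if __name__ == "__main__":
    for name, policy in [("open", None), ("partial", deny_privileged_only), ("hardened", port_allowed)]:
        relay = make_relay({22, 25}, policy=policy)
        print(name, bounce_scan(relay, "198.51.100.7", [22, 25, 8080]))
```

Note that refusing privileged ports alone still lets the relay be used to scan everything above 1023; only the peer-address check removes the bounce.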

Nmap FTP Bounce Scans
  • Most common results of FTP bounce scan attempts
# nmap -PN -b ftp.microsoft.com google.com

Starting Nmap ( http://nmap.org )
Your FTP bounce server doesn’t allow privileged ports, skipping them.
Your FTP bounce server sucks, it won’t let us feed bogus ports!
  • Successful FTP bounce scan
# nmap -p 22,25,135 -PN -v -b XXX.YY.111.2 scanme.nmap.org

Starting Nmap ( http://nmap.org )
Attempting connection to ftp://anonymous:-wwwuser@@XXX.YY.111.2:21
Connected:220 JD FTP Server Ready
Login credentials accepted by ftp server!
Initiating TCP ftp bounce scan against scanme.nmap.org (64.13.134.52)
Adding open port 22/tcp
Adding open port 25/tcp
Scanned 3 ports in 12 seconds via the Bounce scan.
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
135/tcp filtered msrpc

Nmap done: 1 IP address (1 host up) scanned in 21.79 seconds

Nmap Idle Scans (-sI)
  • Find a suitable Zombie
  • - We didn't just choose a printer icon to represent a zombie in our illustrations to be funny—simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
  • Execute the scan
  • - Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.
  • Example: # nmap -PN -p <ports> -sI <zombie>[:<src-port>] <target>

# nmap -PN -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )
Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
Interesting ports on 208.225.90.120:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
135/tcp open loc-srv
443/tcp open https
1027/tcp open IIS
1030/tcp open iad1
2306/tcp open unknown
5631/tcp open pcanywheredata
7937/tcp open unknown
7938/tcp open unknown
36890/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds
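The idle scan above works entirely off the zombie's IP ID counter, and the "Class: Incremental" line is the suitability check that makes it possible. The following Python is an added example, not Nmap's code: Zombie and Target are constructed models (the zombie uses one global incremental IP ID and answers any unsolicited SYN/ACK with a RST while dropping RSTs silently; the target answers a SYN with SYN/ACK, RST or nothing), and idle_scan() runs the three-packet exchange per port. The busy parameter models other traffic the zombie sends between our probes, to show why a non-idle zombie gives false positives. All names are this example's own.

```python
"""Simulate the IP ID side channel that -sI relies on (added example, not Nmap code)."""


class Zombie:
    def __init__(self, ipid=1000, busy=0):
        self.ipid = ipid
        self.busy = busy      # datagrams sent to third parties between our probes

    def _emit(self):
        self.ipid = (self.ipid + 1) & 0xFFFF      # one datagram sent -> ID++
        return self.ipid

    def tick(self):
        """Time passes: background traffic consumes IP IDs we never see."""
        self.ipid = (self.ipid + self.busy) & 0xFFFF

    def receive(self, segment):
        """Return the IP ID of whatever the zombie sends back, or None."""
        flags = segment["flags"]
        if flags == {"SYN", "ACK"}:              # no such connection -> RST
            return self._emit()
        if flags == {"SYN"}:                     # real connection attempt -> reply
            return self._emit()
        return None                              # RSTs are simply dropped


class Target:
    def __init__(self, port_states):
        self.port_states = port_states           # port -> open|closed|filtered

    def receive(self, segment):
        state = self.port_states.get(segment["dport"], "closed")
        if state == "open":
            return {"flags": {"SYN", "ACK"}}
        if state == "closed":
            return {"flags": {"RST"}}
        return None                              # filtered: silence


def probe_ipid(zombie):
    """Attacker -> zombie SYN/ACK; the RST that comes back carries the IP ID."""
    return zombie.receive({"flags": {"SYN", "ACK"}})


def zombie_is_suitable(zombie, samples=4):
    """Class check: a usable zombie increments by exactly 1 per probe."""
    ids = []
    for _ in range(samples):
        ids.append(probe_ipid(zombie))
        zombie.tick()
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(zombie, target, ports):
    results = {}
    for port in ports:
        before = probe_ipid(zombie)
        zombie.tick()
        # Spoofed SYN: its source address is the zombie's, so the target replies to it.
        reply = target.receive({"flags": {"SYN"}, "dport": port})
        if reply is not None:
            zombie.receive(reply)
        after = probe_ipid(zombie)
        delta = (after - before) & 0xFFFF
        # 2 = zombie sent a RST in between (target sent SYN/ACK): port open.
        # 1 = zombie sent nothing in between: closed or filtered, indistinguishable.
        results[port] = "open" if delta == 2 else "closed|filtered"
    return results


if __name__ == "__main__":
    z = Zombie()
    print(zombie_is_suitable(z))
    print(idle_scan(z, Target({22: "open", 25: "open", 135: "filtered"}), [22, 25, 80, 135]))
    print(zombie_is_suitable(Zombie(busy=1)), idle_scan(Zombie(busy=1), Target({}), [80]))
```

The last line of the main block is the failure mode to remember: a zombie that sends even one packet of its own between the two probes makes a closed port look open, which is why the class check comes first and why Nmap's real implementation repeats probes to confirm results.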

Nmap UDP Scans (-sU)
  • Scans are generally slower and harder to interpret than TCP
  • Sends an empty (no data) UDP datagram to each target port
  • ICMP response rate-limiting detection
  • - Closed ports typically respond with ICMP Port Unreachable
  • - The OS rate-limits those ICMP errors (Linux: 1 per second by default)
  • - Nmap detects the limit and slows down to avoid wasting packets
  • - 65,536 ports @ 1/sec = over 18 hours for one host, so scan only the UDP ports you need
  • - No reply at all is reported as open|filtered: an open service that ignores an empty probe looks the same as a dropped packet

Nmap Runtime Interaction
  • p = turn on packet tracing
  • v = increase verbosity
  • d = increase debugging level
  • Shift + [p,v,d] inverts
  • AnyOtherKey = print status message
  • - Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
  • - % done, ETA remaining

Nmap Timing Options (-T)
  • Paranoid (0) - scan serially, wait 5min between packets
  • Sneaky (1) - scan serially, wait 15 seconds between packets
  • Polite (2) - scan serially, wait .4 seconds between packets
  • Normal (3) [def] - parallel scan, multiple packets to multiple ports at once
  • Aggressive (4) - parallel scan, max time per host 5 min, 1.25 seconds response time-out
  • Insane (5) - parallel scan, max time per host 75 seconds, 0.3 seconds response time-out

Nmap Top Port Scan Performance Options
  • --host-timeout (give up on hosts that take more than the given amount of time to scan)
  • --max-retries (maximum number of port-scan probe retransmissions to a single port)
  • --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout (how long Nmap waits for a port-scan probe response; the underscore spellings such as --min_rtt_timeout are accepted too)
  • --min-rate, --max-rate (minimum and maximum number of probe packets Nmap sends per second)
  • --min-parallelism, --max-parallelism (number of port-scan probes, across all hosts scanned concurrently, that Nmap may have outstanding)
  • --scan-delay, --max-scan-delay (time between probes to any individual host; the delay grows as Nmap detects packet loss, so a maximum may be specified)

Nmap Version Scanning (-sV)
  • When Nmap identifies an open port, it displays the default service commonly associated with that port (based on the list of about 2,200 services in the nmap-services file); without -sV this is a table lookup, not an observation
  • What about services not on the list?
  • What about services on unexpected ports? (e.g. HTTP on T:90 or sshd on T:3322)
  • --version-trace (option shows probe details in real time)

Nmap Version Scanning Technique
  • NULL probe
  • - If port is TCP, Nmap connects to it and listens for roughly 5 seconds for initial welcome banner
  • - If data is received, it is compared to signatures in nmap-services-probes
  • Probable Port probes (reuse the connection opened for the NULL probe)
  • - Sent to all UDP ports and to the TCP ports for which the NULL probe failed (or only soft-matched)
  • - Every probe has a list of probable port numbers
  • - Probes that match the port send a probe string to the port
  • - Responses are compared to regular expressions
  • Sequential Probes
  • - New connection for each probe (to avoid corrupting next probe)
  • - Uses ‘rarity’ metric to avoid trying probes that are extremely unlikely
  • SSL probes
  • - If the sequential probes determine the target port is running SSL and OpenSSL is available, Nmap reconnects over SSL and restarts the probe sequence inside the encrypted session
  • Nmap RPC Grinder
  • - If generic probe identifies RPC-based service, Grinder brute-forces the RPC program number/name and supported version numbers
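The probe selection and matching described above is driven by the nmap-service-probes file. The following Python is an added example, not Nmap's code: PROBES is a constructed fragment in that file's syntax (Probe / ports / rarity / match lines; only the m|..| delimiter and the p/ and v/ version fields are handled), parse_probes() reads it, and detect_service() applies the order the text gives (NULL probe first, then probes listing the port, then the rest up to the rarity cut-off). Services are simulated by make_service(), which maps the exact bytes received to a reply; every banner and version string is made up.

```python
"""A miniature nmap-service-probes matcher (added example, not Nmap code)."""
import re

PROBES = r"""
Probe TCP NULL q||
ports 21,22,25
rarity 1
match ftp m|^220 ([^\r\n]*FTP Server) Ready| p/$1/
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 80,90,8080-8085
rarity 1
match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\nServer: ([^\r\n]+)| p/$1/
Probe TCP GenericLines q|\r\n\r\n|
rarity 9
match smtp m|^220 ([^\r\n]+) ESMTP| p/$1/
"""

PROBE_RE = re.compile(r"^Probe (TCP|UDP) (\S+) q\|(.*)\|$")
MATCH_RE = re.compile(r"^match (\S+) m\|(.*?)\|([is]*)(?:\s+(.*))?$")


def _expand_ports(spec):
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_probes(text):
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROBE_RE.match(line)
        if m:
            proto, name, q = m.groups()
            probes.append({"proto": proto, "name": name,
                           # q|..| uses C-style escapes for the bytes sent
                           "string": q.encode("latin-1").decode("unicode_escape").encode("latin-1"),
                           "ports": set(), "rarity": 1, "matches": []})
            continue
        probe = probes[-1]
        if line.startswith("ports "):
            probe["ports"] = _expand_ports(line[6:])
        elif line.startswith("rarity "):
            probe["rarity"] = int(line[7:])
        else:
            m = MATCH_RE.match(line)
            if not m:
                raise ValueError(f"unsupported line: {line}")
            service, regex, flags, info = m.groups()
            re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            probe["matches"].append((service, re.compile(regex.encode("latin-1"), re_flags), info or ""))
    return probes


def _versioninfo(info, match):
    """Expand p/../ v/../ etc. fields, substituting $N with regex groups."""
    def sub(field):
        return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))).decode("latin-1"), field)
    return {key: sub(val) for key, val in re.findall(r"([pvhoid])/([^/]*)/", info)}


def detect_service(probes, port, send, intensity=7):
    """NULL probe first, then probes listing this port, then the rest whose
    rarity is within the intensity; first regex match wins."""
    order = [p for p in probes if p["name"] == "NULL"]
    order += [p for p in probes if p["name"] != "NULL" and port in p["ports"]]
    order += [p for p in probes if p not in order and p["rarity"] <= intensity]
    for probe in order:
        response = send(probe["string"])
        if not response:
            continue
        for service, regex, info in probe["matches"]:
            m = regex.search(response)
            if m:
                return {"service": service, "probe": probe["name"], **_versioninfo(info, m)}
    return None


def make_service(replies):
    """Constructed service: maps the exact bytes received to what it answers."""
    return lambda data: replies.get(data, b"")


SSH_ON_3322 = make_service({b"": b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"})
HTTP_ON_90 = make_service({b"GET / HTTP/1.0\r\n\r\n": b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.11\r\n\r\n"})
SMTP_ON_2525 = make_service({b"\r\n\r\n": b"220 mail.example.test ESMTP Postfix\r\n"})

if __name__ == "__main__":
    probes = parse_probes(PROBES)
    print(detect_service(probes, 3322, SSH_ON_3322), detect_service(probes, 90, HTTP_ON_90))
    print(detect_service(probes, 2525, SMTP_ON_2525), detect_service(probes, 2525, SMTP_ON_2525, intensity=9))
```

The SMTP case shows the rarity cut-off: on a port no probe lists, a rarity-9 probe is only tried when the intensity is raised (--version-intensity 9 or --version-all), so a service that only speaks after receiving input can go undetected at the default level.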

Active OS Fingerprinting (Gen1) - Nmap versions < 4.51 include first-generation (-O1)
  • TCP Sequence Prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYN|FIN|URG|PSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FIN|PSH|URG packet to closed port
  • UDP packet to closed port

Nmap Gen2 Active OS Fingerprinting (> 30 different methods/tests, invoked with -O or -O2)
  • TCP ISN greatest common denominator (GCD)
  • TCP ISN counter rate (ISR)
  • TCP IP ID sequence generation algorithm (TI)
  • ICMP IP ID sequence generation algorithm (II)
  • Shared IP ID sequence boolean (SS)
  • TCP timestamp option algorithm (TS)
  • TCP initial window size (W, W1 - W6)
  • IP don’t fragment bit (DF)
  • IP initial time-to-live guess (TG)
  • Explicit congestion notification (CC)
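Several of the Gen2 tests listed above are arithmetic over a handful of samples, and seeing that arithmetic makes the SEQ line of a fingerprint readable. The following Python is an added example, not Nmap's code: it computes GCD and ISR from six ISN samples, classifies an IP ID run for the TI/II tests, and evaluates SS. The inputs are constructed, and the thresholds (20000 for RD, 1000 and 256 for RI/BI, 10 for I, the 3*avg rule for SS, the backwards-step handling of large ISN differences) follow Nmap's published description of these tests as I understand it; treat them as assumptions. The real implementation also computes SP and accounts for timing jitter.

```python
"""Compute GCD, ISR, TI/II and SS from raw samples (added example, not Nmap code)."""
import math
from functools import reduce


def isn_gcd_and_isr(samples):
    """samples: [(isn, seconds_sent)] from SYN probes to one open port.
    GCD = greatest common divisor of consecutive ISN differences;
    ISR = 8 * log2(average ISN increment per second), rounded."""
    diffs, rates = [], []
    for (isn_a, t_a), (isn_b, t_b) in zip(samples, samples[1:]):
        d = (isn_b - isn_a) & 0xFFFFFFFF
        if d > 0x7FFFFFFF:            # assumption: treat as a small backwards step
            d = 0x100000000 - d
        diffs.append(d)
        rates.append(d / (t_b - t_a))
    gcd = reduce(math.gcd, diffs)
    avg = sum(rates) / len(rates)
    isr = 0 if avg < 1 else round(8 * math.log2(avg))
    return gcd, isr


def ipid_sequence_class(ids):
    """TI (TCP) or II (ICMP) value for a run of IP IDs; rule order matters."""
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(i == 0 for i in ids):
        return "Z"                                   # all zero
    if any(d >= 20000 for d in diffs):
        return "RD"                                  # random
    if all(i == ids[0] for i in ids):
        return f"{ids[0]:X}"                         # constant: the value in hex
    if any(d > 1000 and d % 256 for d in diffs):
        return "RI"                                  # random positive increments
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                                  # broken increment (byte order)
    if all(d < 10 for d in diffs):
        return "I"                                   # incremental
    return None                                      # test omitted


def shared_ipid_sequence(tcp_ids, icmp_id):
    """SS test: S if the ICMP reply's IP ID continues the TCP counter."""
    avg = (tcp_ids[-1] - tcp_ids[0]) / (len(tcp_ids) - 1)
    return "S" if icmp_id < tcp_ids[-1] + 3 * avg else "O"


def seq_line(samples, tcp_ids, icmp_id):
    """Render the tests in Nmap's fingerprint notation, e.g. SEQ(GCD=..%ISR=..%TI=I%SS=S)."""
    gcd, isr = isn_gcd_and_isr(samples)
    ti = ipid_sequence_class(tcp_ids)
    parts = [f"GCD={gcd:X}", f"ISR={isr:X}"]
    if ti is not None:
        parts.append(f"TI={ti}")
    if ti in ("I", "RI", "BI"):           # SS only makes sense for a counting host
        parts.append(f"SS={shared_ipid_sequence(tcp_ids, icmp_id)}")
    return "SEQ(" + "%".join(parts) + ")"


if __name__ == "__main__":
    isns = [(0x1000 + i * 10000, i) for i in range(6)]       # constructed: +10000 per second
    print(seq_line(isns, [1000, 1001, 1002, 1003, 1004, 1005], 1006))
    print(ipid_sequence_class([1000, 1256, 1512, 1768, 2024, 2280]), ipid_sequence_class([0] * 6))
```

The TI value is the same quantity the idle scan's zombie check looks at: a host that classifies as I (and, for SS, S) is a candidate zombie, while RD, Z or a constant value rules it out.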
