Week 12

The document discusses the NMAP tool and its features for host discovery and port scanning. It describes various techniques for host discovery using ICMP sweep, broadcast ICMP, non-echo ICMP, TCP sweep, and UDP sweep. It also covers the main features of NMAP including host discovery, port scanning, service/version detection, and OS detection.


04/10/19

Course Name: Ethical Hacking


Faculty Name: Prof. Indranil Sen Gupta
Department : Computer Science and Engineering

Topic
Lecture 56: The NMAP Tool: A Relook (Part I)

• Introduction to NMAP
• Basic NMAP features
• Host discovery using NMAP


Introduction to Network Mapper (NMAP)

• NMAP is a free, open-source tool for network discovery and security auditing.
• Network administrators use NMAP for a variety of reasons:
• Essentially a port scanning tool.
• The responses to the packets it sends out reveal which IP addresses are live, which ports are open, and a wealth of other data.
• Can be used to:
• Discover hosts that are available on a network, and the services that they offer.
• Find open ports and detect security risks.
• Determine OS versions.
• A variety of other things ...

The History

• NMAP is a well-known and freely available security scanner developed by Gordon Lyon (Fyodor) in 1997.
• Available on: https://nmap.org
• Several versions have been released since then.

• Generic command to run NMAP from the command prompt:

nmap [scan types] [options] <host or network ...>


The Main NMAP Features

A. Host Discovery
• Which hosts are alive? --- Various approaches are available
B. Port Scanning
• What services are available? --- By enumerating the open ports
C. Service and Version Detection
• Which version is running? --- Identify application name and version number
D. OS Detection
• Which OS version is running? --- Also identify some hardware characteristics

(A) Host Discovery using NMAP


What is Host Discovery?

• The most basic step in network mapping.
• Multiple hosts are queried (called a ping sweep operation).
• Various host scan techniques are supported by NMAP:
a) ICMP sweep
b) Broadcast ICMP
c) Non-Echo ICMP
d) TCP sweep
e) UDP sweep

(a) Host discovery using ICMP Sweep

• How it works?
• Send out an ICMP ECHO request (ICMP type 8).
• If an ICMP ECHO reply (ICMP type 0) is received → TARGET IS ALIVE
• No response is received → TARGET IS DOWN, or a firewall is filtering ICMP (the two cases cannot be told apart).
• Properties: easy to implement; rather slow; easy to block (many hosts and firewalls drop ECHO requests).

[Figure: scanner sends ICMP ECHO request, target answers with ICMP ECHO reply → TARGET is alive; scanner sends ICMP ECHO request, no response → TARGET is down/filtered]

• To perform an ICMP echo sweep the -PE option is used.
• In the example we send an ICMP echo request from 10.5.23.251 to 10.5.23.209.
• In response, 10.5.23.209 replies with an ICMP echo reply, so it is reported as up.

(b) Host discovery using Broadcast ICMP

• How it works?
• Send out an ICMP ECHO request to the network and/or broadcast address.
• All the hosts in the network will simultaneously send back ICMP ECHO reply packets.
• Faster than the previous method.
• Caveats: most routers block this (directed broadcasts are dropped), and Windows hosts ignore broadcast ECHO requests.

[Figure: scanner sends one broadcast ICMP ECHO request; every host on the segment that honours it replies]

(c) Host discovery using Non-ECHO ICMP

• How it works?
• Instead of an ICMP ECHO request, the scanner sends out other types of ICMP messages.
• A target that implements them will respond, even where ECHO requests are filtered.
• Approach 1: Send ICMP type 13 messages (TIMESTAMP REQUEST)
• The scanner queries the target's current time (the reply is type 14).
• Approach 2: Send ICMP type 17 messages (ADDRESS MASK REQUEST)
• The scanner queries the target's subnet mask (the reply is type 18; this feature was used by diskless workstations during booting).
• Caveat: many modern stacks and firewalls ignore both request types.


• To perform an ICMP non-echo sweep the -PP and -PM options are used.
• -PP is used for the ICMP timestamp request (type 13)
• -PM is used for the address mask request (type 17)


(d) Host discovery using TCP Sweep

• How it works?
• The scanner sends a TCP SYN or TCP ACK packet to the target.
• Any answer (SYN/ACK or RST) shows that the host is up; the port does not need to be open.
• The port number can be chosen so that a firewall is likely to let the probe through.
• Typical port numbers used: 21, 22, 23, 25, 80

• A drawback:
• Firewalls can spoof a RESET packet on behalf of an IP address, so a TCP sweep may not be reliable.


• TCP sweep can be performed using two options:
• -PS [portlist]: TCP SYN sweep (port 80 if no list is given)
• -PA [portlist]: TCP ACK sweep (port 80 if no list is given)
• We show an example with the -PS option.
• We just show the command and the final output.
• Many other lines of information may be generated.
• We can also see why a host or port is reported as up, open or closed using the --reason option.
• TCP SYN and ACK probes are also part of NMAP's default host discovery, which runs before a port scan such as -sT: when run as root it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. -Pn skips this host discovery entirely, and -p only selects the ports for the port scan that follows.


(i) TCP Sweep using -PS (TCP SYN) : closed port


(ii) TCP Sweep using -PS (TCP SYN) : open port

[Screenshot: the open port is 135, MSRPC (Microsoft Remote Procedure Call)]


(iii) TCP Sweep using -PS with the --reason option


(e) Host discovery using UDP Sweep

• How it works?
• The scanner sends a UDP datagram to the target, normally to a port that is unlikely to be open.
• If an ICMP PORT UNREACHABLE message (type 3, code 3) is received → TARGET IS ALIVE (the port is closed, but the host answered)
• If no response is received → TARGET IS DOWN or filtered; an open port gives the same silence, because most UDP services ignore an empty datagram.

• Routers can drop UDP packets as they cross the Internet.
• Many UDP services do not respond.
• Firewalls typically drop UDP packets (except DNS).
• Not very reliable


• To perform a UDP sweep the -PU option is used.
• The -sU option (UDP port scan) relies on the same probe/response logic.
• In the example, "unreachable" (an ICMP port unreachable reply) means the UDP port is considered closed, which also confirms that the host is up.
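As an added example (not part of the lecture), the following Python shows the packet-level side of sweeps (a), (c) and (e) above: it builds the three ICMP requests behind -PE, -PP and -PM, checks a reply the way a sweep would (checksum plus matching identifier and sequence number), and applies the UDP-sweep rule that an ICMP port-unreachable quoting our own datagram proves the host is up while silence proves nothing. All packets are constructed in memory; the addresses and the UDP port 40125 are assumptions for the example, and nothing is sent on the wire.

```python
import struct

# ICMP types/codes used by the host-discovery sweeps (RFC 792)
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY = 17, 18
CODE_PORT_UNREACH = 3
REPLY_TYPES = {ICMP_ECHO_REPLY, ICMP_TIMESTAMP_REPLY, ICMP_ADDRESS_MASK_REPLY}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero when run over a valid message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_probe(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build the request a sweep sends: -PE is type 8 (echo), -PP is type 13
    (timestamp, 12-byte body), -PM is type 17 (address mask, 4-byte body)."""
    if icmp_type == ICMP_TIMESTAMP_REQUEST:
        payload = b"\x00" * 12          # originate/receive/transmit timestamps
    elif icmp_type == ICMP_ADDRESS_MASK_REQUEST:
        payload = b"\x00" * 4           # mask field, filled in by the responder
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def classify_icmp_reply(reply: bytes, ident: int, seq: int) -> str:
    """Echo/timestamp/mask reply whose identifier and sequence match our probe -> alive."""
    if len(reply) < 8 or inet_checksum(reply) != 0:
        return "ignore"                 # truncated or corrupt message
    icmp_type, _code, _csum, r_ident, r_seq = struct.unpack("!BBHHH", reply[:8])
    if icmp_type in REPLY_TYPES and (r_ident, r_seq) == (ident, seq):
        return "alive"
    return "ignore"


def udp_sweep_verdict(icmp_reply, probe_dst_port: int) -> str:
    """-PU logic: an ICMP port-unreachable (type 3, code 3) that quotes our UDP
    probe proves the host is up (the port is closed). Silence is ambiguous:
    host down, datagram filtered, or port open but the service stays quiet."""
    if icmp_reply is None:
        return "down or filtered"
    if len(icmp_reply) < 8 or inet_checksum(icmp_reply) != 0:
        return "ignore"
    if (icmp_reply[0], icmp_reply[1]) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        return "ignore"
    inner_ip = icmp_reply[8:]           # quoted IP header + first 8 bytes of our datagram
    ihl = (inner_ip[0] & 0x0F) * 4
    if len(inner_ip) < ihl + 8:
        return "ignore"
    _src, dst_port, _len, _csum = struct.unpack("!HHHH", inner_ip[ihl:ihl + 8])
    return "alive" if dst_port == probe_dst_port else "ignore"


def make_port_unreachable(quoted: bytes) -> bytes:
    """Constructed 'ICMP port unreachable' as a target's stack would send it."""
    head = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0)
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, csum, 0) + quoted


def demo() -> dict:
    """Run the three ICMP sweeps and the UDP sweep against constructed replies."""
    ident, seq = 0x4E4D, 1
    results = {}
    # (a)/(c): the target answers with the matching reply type, echoing our body
    for name, req_t, rep_t in (("PE", ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY),
                               ("PP", ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY),
                               ("PM", ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY)):
        probe = build_icmp_probe(req_t, ident, seq)
        reply = build_icmp_probe(rep_t, ident, seq, probe[8:])
        results[name] = classify_icmp_reply(reply, ident, seq)
    # (e): UDP probe 10.5.23.251 -> 10.5.23.209:40125 (addresses and port assumed)
    udp_port = 40125
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         bytes([10, 5, 23, 251]), bytes([10, 5, 23, 209]))
    udp_hdr = struct.pack("!HHHH", 54321, udp_port, 8, 0)
    results["PU_closed"] = udp_sweep_verdict(make_port_unreachable(ip_hdr + udp_hdr), udp_port)
    results["PU_silent"] = udp_sweep_verdict(None, udp_port)
    return results


if __name__ == "__main__":
    print(demo())
```

The checksum verification matters in practice: an ICMP error that fails it, or a reply whose identifier does not match, belongs to some other flow on the host and must not be counted as evidence that the target is up.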


More on Host Detection

• By default NMAP combines several sweep types in its host discovery (ICMP echo, TCP SYN to port 443, TCP ACK to port 80 and ICMP timestamp, when run as root) so that it gets a better picture of whether a system is up.
• -sn (older name -sP) runs only this host discovery and skips port scanning. Note that -sL lists targets without sending any probes and -Pn skips host discovery altogether, so neither of those sweeps.
• We will show an example of the -sP command.
• This is used to print whether all or specific hosts are up and running.


With -sn, all sweep types described above except UDP are used (ICMP echo, ICMP timestamp, TCP SYN and TCP ACK); "--packet-trace" shows every packet sent and received.


Some other NMAP commands for host discovery

-sL: list the IP addresses of any range or subnet without sending probes to them (list scan; only reverse-DNS lookups are made)


-Pn (written -PN in older versions): skip host discovery and treat every target as online, then port-scan it. Use it when a firewall blocks the discovery probes and would otherwise make a live host look down; the downside is that dead addresses are port-scanned too, which is slow.


Multiple host discovery (by specifying a list)

Multiple host discovery (by specifying a range)


NMAP Command Options for Host Discovery

• -sL: List Scan - simply list targets to scan
• -sP: Ping Scan - go no further than determining if host is online (older name of -sn)
• -PN: Treat all hosts as online -- skip host discovery (now spelled -Pn)
• -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
• -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
• -PO [protocol list]: IP Protocol Ping
• -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
• --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
• --system-dns: Use OS's DNS resolver
• -sU: UDP Scan


Topic
Lecture 57: The NMAP Tool: A Relook (Part II)

• Port scanning using NMAP
• Various ways to carry out a port scan


Port Scanning using NMAP

Introduction

• To determine what services are running or LISTENing.
• Each running TCP service is associated with a port number, which listens for incoming connections.
• Each running UDP service is likewise associated with a port number.

• Various port scanning techniques in NMAP:
a) TCP Connect scan
b) TCP SYN scan
c) TCP Stealth scan
d) FTP Bounce scan


(a) TCP Connect scan

• How it works?
• Uses the basic TCP connection establishment mechanism (the operating system's connect() call), so no raw-socket privilege is needed.
• Completes the 3-way handshake: SYN → SYN/ACK → ACK, connection established → The port is OPEN
• SYN → RST/ACK → The port is CLOSED
• Easy to detect by inspecting the system log, because the listening application sees a completed connection that is immediately closed.

(b) TCP SYN scan

• How it works?
• Does not establish a complete connection (half-open scanning).
• SYN → SYN/ACK is received → The port is LISTENING (OPEN)
• Immediately terminate by sending RST instead of the final ACK, so the handshake never completes.
• SYN → RST/ACK is received → The port is NON-LISTENING (CLOSED)
• No response (or an ICMP unreachable error) → FILTERED
• Requires raw-socket (root) privileges; since the application never receives a connection, the scan is less likely to appear in its logs.


• In the -sT packet trace, the TCP SYN to port 443 and the TCP ACK to port 80 seen first, together with the ICMP ECHO request, are NMAP's default host discovery probes, sent before the port scan to check whether the host is up.
• The connect scan itself then completes the full handshake (SYN, SYN/ACK, ACK) on each target port.

-sT packet trace for closed port


-sT packet trace for open port

(c) TCP Stealth scan

• Basic idea:
• Carry out port scanning while avoiding detection.
• Try to hide among normal network traffic.
• Not to be logged (stealth).
• How it works?
• Flag probe packets (also known as Inverse Mapping): send segments with flag combinations that do not belong to any connection.
• A response (RST) is sent back only by a closed port.
• The intruder determines which ports are closed, and infers the ones that are open (NMAP reports them as open|filtered, because a firewall that drops the probe produces the same silence).
• Slow scan rate.
• Difficult to detect, and needs a long history log.


• How it can be done?
• RFC 793 specifies how a TCP stack handles segments that belong to no connection:
• Closed ports → Reply with a RESET packet
• Open ports → Ignore any such packet
• Various ways:
• Send a NULL probe with no flags set (-sN).
• Send a FIN probe with only the FIN flag set (-sF).
• Send an XMAS probe with the FIN, PSH and URG flags set (-sX).
• Caveat: Windows, many Cisco devices and several other stacks reply with RST to these probes regardless of port state, so every port looks closed on such systems.

[Figure: probe packet → no response → The port is OPEN; probe packet → RST/ACK → The port is CLOSED]
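The response rules from the SYN-scan and stealth-scan slides above, as an added Python example that is not part of the lecture material: it builds the probe header each scan type sends, classifies the answer into the states NMAP reports (open, closed, filtered, unfiltered, open|filtered), and runs the probes against a constructed model of a target stack, once RFC 793-compliant and once Windows-like, which makes the caveat that flag probes show every port closed on such systems visible. Nothing is sent on the network; the port numbers and the stack model are assumptions for the example.

```python
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type puts in its probe. -sT (connect) looks like -sS on the wire
# except that it completes the handshake with ACK instead of tearing down with RST.
PROBE_FLAGS = {"sS": SYN, "sT": SYN, "sA": ACK, "sN": 0, "sF": FIN, "sX": FIN | PSH | URG}


def build_tcp_header(src_port, dst_port, seq, flags, ack=0, window=1024):
    """20-byte TCP header without options; checksum left 0 since nothing is sent."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Flags byte of a raw TCP header (byte 13)."""
    return segment[13]


def classify(scan: str, response) -> str:
    """Port state NMAP reports for a scan type and a response, where response is
    raw TCP header bytes, the string 'icmp-unreach', or None for silence."""
    if response == "icmp-unreach":
        return "filtered"
    if scan in ("sS", "sT"):
        if response is None:
            return "filtered"
        f = tcp_flags(response)
        if f & SYN and f & ACK:
            return "open"
        return "closed" if f & RST else "filtered"
    if scan == "sA":
        # ACK scan maps firewall rules, not listening state: a RST back = unfiltered
        return "unfiltered" if response is not None and tcp_flags(response) & RST else "filtered"
    if scan in ("sN", "sF", "sX"):
        # RFC 793: closed port -> RST; open port -> silence, which a dropping
        # firewall also produces, hence the ambiguous open|filtered
        if response is not None and tcp_flags(response) & RST:
            return "closed"
        return "open|filtered"
    raise ValueError("unknown scan type %r" % scan)


def target_stack(kind: str, open_ports, dropped_ports, probe: bytes):
    """Constructed model of a target: 'rfc793' follows the RFC for flag probes,
    'windows' answers RST to them whatever the port state. Ports in dropped_ports
    sit behind a firewall that silently discards probes."""
    src, dst, _seq, _ack, _off, flags, *_ = struct.unpack("!HHIIBBHHH", probe[:20])
    if dst in dropped_ports:
        return None
    is_open = dst in open_ports
    if flags & SYN and not flags & ACK:
        if is_open:
            return build_tcp_header(dst, src, 0x1000, SYN | ACK, ack=1)
        return build_tcp_header(dst, src, 0, RST | ACK)
    if flags & ACK:
        return build_tcp_header(dst, src, 0, RST)      # no such connection
    if is_open and kind == "rfc793":
        return None                                      # NULL/FIN/Xmas ignored
    return build_tcp_header(dst, src, 0, RST | ACK)


def scan(scan_type: str, kind: str, open_ports, ports, dropped_ports=()):
    """Probe each port once and classify the answer."""
    results = {}
    for p in ports:
        probe = build_tcp_header(40000, p, 0xDEADBEEF, PROBE_FLAGS[scan_type])
        reply = target_stack(kind, set(open_ports), set(dropped_ports), probe)
        results[p] = classify(scan_type, reply)
    return results


if __name__ == "__main__":
    print(scan("sS", "rfc793", {22, 80}, [22, 23, 80]))
    print(scan("sX", "rfc793", {22}, [22, 23]), scan("sX", "windows", {22}, [22, 23]))
```

The same silence that means "open" for a FIN/NULL/Xmas probe means "filtered" for a SYN probe, which is why the stealth scans can never report a port as plainly open and why they should be confirmed with -sS or -sT before conclusions are drawn.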


(d) FTP Bounce scan

• How it works?
• Connect to an FTP server and establish a control connection; then use the PORT command to ask the FTP server to open an active data connection to a chosen address and port, i.e. to the target.
• The FTP server's reply tells the scanner whether the target port accepted the connection (the transfer starts) or refused it (425 Cannot build data connection). The scanner never sends a packet to the target itself.
• Quite slow, and it only works against FTP servers that still allow PORT to a third-party address, which almost all current servers refuse.
• In NMAP: -b <FTP relay host>.

[Figure: scanner (10.0.0.4) sends "PORT 10,0,0,5,0,22" to the FTP server; the server sends a TCP SYN to the target 10.0.0.5, port 22 (0*256 + 22), receives RST, and answers the scanner with "425 Cannot build data connection" → port 22 is closed]
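The PORT exchange in the figure above, as an added Python example (not from the lecture): it encodes the target address and port into the PORT argument, decodes it the way the relay does, and reads the port state off the relay's reply codes. The relay and target are a constructed in-memory model with no sockets; the reply strings use the RFC 959 codes, and the addresses are those of the figure.

```python
import re

REPLY_CODE = re.compile(r"^(\d{3})[ -]")


def port_command(host: str, port: int) -> str:
    """Encode the bounce target as the FTP PORT argument h1,h2,h3,h4,p1,p2 (RFC 959),
    where the port is split as p1*256 + p2: ('10.0.0.5', 22) -> 'PORT 10,0,0,5,0,22'."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("bad IPv4 address: %r" % host)
    if not 0 < port < 65536:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def parse_port_argument(arg: str):
    """Inverse of port_command, as the relay parses it: '10,0,0,5,0,22' -> ('10.0.0.5', 22)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p < 256 for p in parts):
        raise ValueError(arg)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def bounce_verdict(port_reply: str, transfer_reply: str) -> str:
    """Read the port state off the relay's replies. 5xx to PORT: the relay refuses
    third-party PORT, so no bounce is possible; 425: the target sent RST (closed);
    125/150/226: the relay built the data connection, so the target port is open."""
    if REPLY_CODE.match(port_reply).group(1).startswith("5"):
        return "relay refuses bounce"
    code = REPLY_CODE.match(transfer_reply).group(1)
    if code == "425":
        return "closed"
    if code in ("125", "150", "226"):
        return "open"
    return "unknown"


class RelayModel:
    """Constructed stand-in for the FTP relay and the target behind it: the relay
    'connects' to the PORT address and reports success or 425."""

    def __init__(self, open_ports, allows_third_party=True):
        self.open_ports = set(open_ports)
        self.allows_third_party = allows_third_party
        self.data_target = None

    def send(self, command: str) -> str:
        verb, _, arg = command.partition(" ")
        if verb == "PORT":
            if not self.allows_third_party:
                return "500 Illegal PORT command."
            self.data_target = parse_port_argument(arg)
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first."
            _host, port = self.data_target
            if port in self.open_ports:
                return "150 Opening ASCII mode data connection for file list."
            return "425 Cannot build data connection: Connection refused."
        return "502 Command not implemented."


def bounce_scan(relay: RelayModel, target: str, ports):
    """-b style scan: for each port, PORT then LIST, and classify from the replies."""
    return {p: bounce_verdict(relay.send(port_command(target, p)), relay.send("LIST"))
            for p in ports}


if __name__ == "__main__":
    print(bounce_scan(RelayModel(open_ports={80}), "10.0.0.5", [22, 80]))
```

From the target's point of view the connection attempts come from the FTP server's address, which is what made the technique attractive for hiding the scanner and for reaching hosts only the FTP server could see; the fix adopted by FTP servers is simply to reject PORT arguments whose address differs from the control connection's peer.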


Other port scanning options in NMAP

Specify the port numbers to be scanned using the -p option


Scan fewer ports than the default scan using the -F option (fast mode)


Scan the most common ports using the --top-ports option


IP protocol scan using the -sO option (determines which IP protocols, such as ICMP, TCP and UDP, the target accepts, rather than which ports)


NMAP Command Options for Port Scanning

• Scan Techniques:
• -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
• -sN/sF/sX: TCP Null, FIN, and Xmas scans
• -b <FTP relay host>: FTP bounce scan

• Port specification and Scan Order:
• -p <port ranges>: Only scan specified ports
• Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
• -F: Fast mode - Scan fewer ports than the default scan
• -r: Scan ports consecutively - don't randomize
• --top-ports <number>: Scan <number> most common ports


Topic
Lecture 58: The NMAP Tool: A Relook (Part III)

• Services, version and OS detection
• Use of scripts in NMAP


(C) Services, Version and OS Detection

Introduction

• Some operating systems respond with specific messages in response to certain requests.
• Helps in identification.
• TCP/IP fingerprinting (IP stack implementations respond differently).
• FIN probe, Bogus Flag probe
• TCP initial sequence number sampling, TCP initial window, ACK value
• ICMP error quenching, message quoting, ICMP echo integrity
• IP: DF, TOS, Fragmentation


Some Specific Examples

• ACK value: sending FIN|PSH|URG to a closed port
• Most OS → ACK with the same sequence number.
• Windows → ACK with sequence number + 1
• Type of Service: probing with an ICMP_PORT_UNREACHABLE message
• Most OS → return with TOS = 0.
• Linux → returns with TOS = 0xC0.

OS detection using the -O option


Version detection using the -sV option

NMAP Command Options for OS Detection

• Service / Version Detection:
• -sV: Probe open ports to determine service/version info
• --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
• --version-light: Limit to most likely probes (intensity 2)
• --version-all: Try every single probe (intensity 9)
• --version-trace: Show detailed version scan activity (for debugging)
• OS Detection:
• -O: Enables OS detection
• --osscan-limit: Limit OS detection to promising targets
• --osscan-guess: Guess OS more aggressively


Use of Scripts in NMAP

What are NMAP Scripts?

• Several hundred scripts (the NMAP Scripting Engine, NSE, written in Lua) ship with NMAP to perform various operations.
• The scripts can have their own specific requirements, like certain services running, port requirements, etc.
• We have already seen an example earlier:
--script vuln to check for vulnerabilities in a system.
• Any script can be run using the command:
nmap --script <script name> [-p <port, if required>] <target>


Vulnerability scan using the --script vuln option


Detecting malware infection using the --script http-malware-host option


Check which HTTP methods a web server on a particular port allows (and therefore whether a web server is running there at all) using the --script http-methods option


Guess username and password using the --script smb-brute.nse option
(This is possible only if port 445 is open, and it takes a long time)


Some Issues

• For System Administrators to detect scanning:
• Examine logs for suspicious packets
• Identify connections not properly terminated (half-open SYN scans, probes answered with RST)
• Analyze port usage (one source touching many ports or many hosts in a short time)
• For scanners to avoid detection:
• Randomize the sequence of ports being scanned
• Slow scan: stay below the site's detection threshold in the IDS, e.g. 2 packets/day/site!
• Use spoofed addresses in the attack (decoys)
• Coordinated Scans: multiple scanners probe the same host or network, each staying below the per-source threshold
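An added detection example (not from the lecture) that applies the three administrator-side checks above to a constructed connection log: only connections that never completed count (half-open or reset), a per-source sliding window flags a scanner that touches many ports quickly, a slow scanner spread over days stays under the same threshold, and a per-destination window recovers the coordinated case. The log format, the hosts and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines: timestamp source dest:port state
# S0 = SYN seen, no reply; REJ = reset by the target; SF = normal connection.
LOG = """\
2019-10-04T10:00:00 10.5.23.100 10.5.23.209:80 SF
2019-10-04T10:00:01 10.5.23.251 10.5.23.209:21 REJ
2019-10-04T10:00:01 10.5.23.251 10.5.23.209:22 S0
2019-10-04T10:00:02 10.5.23.251 10.5.23.209:23 REJ
2019-10-04T10:00:02 10.5.23.251 10.5.23.209:25 REJ
2019-10-04T10:00:03 10.5.23.251 10.5.23.209:80 S0
2019-10-04T10:00:03 10.5.23.251 10.5.23.209:135 S0
2019-10-04T10:00:10 10.5.23.100 10.5.23.209:443 SF
2019-10-04T10:05:00 10.7.7.1 10.5.23.210:21 REJ
2019-10-04T10:05:01 10.7.7.1 10.5.23.210:22 REJ
2019-10-04T10:05:02 10.7.7.2 10.5.23.210:23 REJ
2019-10-04T10:05:03 10.7.7.2 10.5.23.210:25 REJ
2019-10-04T10:05:04 10.7.7.3 10.5.23.210:80 REJ
2019-10-04T10:05:05 10.7.7.3 10.5.23.210:443 S0
2019-10-01T03:00:00 10.9.9.9 10.5.23.209:21 REJ
2019-10-02T03:00:00 10.9.9.9 10.5.23.209:22 REJ
2019-10-03T03:00:00 10.9.9.9 10.5.23.209:23 REJ
2019-10-04T03:00:00 10.9.9.9 10.5.23.209:25 REJ
2019-10-05T03:00:00 10.9.9.9 10.5.23.209:80 REJ
2019-10-06T03:00:00 10.9.9.9 10.5.23.209:135 REJ
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\w+)$")


def parse_log(text):
    """Return (time, src, dst, port, state) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, state = LINE.match(line).groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), state))
    return sorted(events)


def failed_probes(events):
    """Only connections that never completed count: S0 (half-open) or REJ (RST)."""
    return [e for e in events if e[4] in ("S0", "REJ")]


def sliding_window_alerts(events, key_index, threshold, window):
    """Group failed probes by key (1 = source, 2 = destination) and alert when a
    key has touched >= threshold distinct (dst, port) pairs within `window`.
    Returns {key: time of first alert}."""
    groups = defaultdict(list)
    for e in failed_probes(events):
        groups[e[key_index]].append(e)
    alerts = {}
    for key, probes in groups.items():
        for i, (ts, _src, _dst, _port, _state) in enumerate(probes):
            recent = {(p[2], p[3]) for p in probes[:i + 1] if ts - p[0] <= window}
            if len(recent) >= threshold:
                alerts[key] = ts
                break
    return alerts


def detect_by_source(events, threshold=5, window_seconds=60):
    """Classic per-source port-scan rule; defeated by slow and coordinated scans."""
    return sliding_window_alerts(events, 1, threshold, timedelta(seconds=window_seconds))


def detect_by_destination(events, threshold=5, window_seconds=60):
    """Aggregate on the target instead: sources that each stay under the
    per-source threshold still add up on the host they are probing together."""
    return sliding_window_alerts(events, 2, threshold, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("by source:", detect_by_source(ev))
    print("by destination:", detect_by_destination(ev))
```

The slow scanner (10.9.9.9, one probe per day) is invisible to both detectors at a one-minute window and only appears once the window is widened to a week, which is exactly the trade-off the slide describes: a longer history catches slower scans at the price of more state and more false positives from ordinary failed connections.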


Recall: Some common NMAP scan options

• Scan a single target with default options (basic scan):
nmap 144.16.192.57
nmap www.someserver.com
• Scan multiple hosts at the same time:
nmap 144.16.192.25 144.16.192.70 10.2.75.38
• Scan a range of IP addresses:
nmap 144.16.192.100-150
• Scan an entire subnet:
nmap 144.16.192.0/24


• Scan a list of targets (IP addresses or host names stored in a file):
nmap -iL scanlist.txt
• Scan a specified number of random Internet hosts:
nmap -iR 5
• Exclude targets from a scan:
nmap 144.16.192.0/24 --exclude 144.16.192.60-70
nmap 144.16.192.0/24 --excludefile xfile.txt
• Perform an aggressive scan (enables OS detection, version detection, script scanning and traceroute):
nmap -A 10.3.100.65
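The target specifications used above, as an added Python example (not from the lecture): it expands CIDR blocks and NMAP-style octet ranges into a concrete address list, reads the whitespace-separated -iL/--excludefile format, and removes --exclude'd addresses and duplicates while keeping the order in which targets were given. Hostnames are passed through unresolved (the example does no DNS); the addresses are the ones from the slides.

```python
import ipaddress
from itertools import product


def expand_octet(spec: str):
    """One octet of an NMAP-style target: '7', '100-150', '1,3,5' or '*'."""
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("octet out of range: %r" % spec)
    return values


def expand_target(spec: str):
    """Expand one target the way NMAP does: '144.16.192.0/24' (CIDR),
    '144.16.192.100-150' (octet ranges) or a plain address become a list of
    IPv4Address; anything else is treated as a hostname and returned as-is
    (it would be resolved through DNS, or not, depending on -n/-R)."""
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) == 4 and all(o and set(o) <= set("0123456789-,*") for o in octets):
        return [ipaddress.IPv4Address(".".join(map(str, combo)))
                for combo in product(*(expand_octet(o) for o in octets))]
    return [spec]


def parse_target_file(text: str):
    """-iL / --excludefile format: entries separated by spaces, tabs or newlines."""
    return text.split()


def build_target_list(targets, excludes=()):
    """Final scan list: expand everything, drop --exclude'd addresses and
    duplicates, preserving the order in which the targets were given."""
    excluded = set()
    for e in excludes:
        excluded.update(expand_target(e))
    seen, result = set(), []
    for t in targets:
        for ip in expand_target(t):
            if ip in excluded or ip in seen:
                continue
            seen.add(ip)
            result.append(ip)
    return result


if __name__ == "__main__":
    hosts = build_target_list(["144.16.192.0/24"], excludes=["144.16.192.60-70"])
    print(len(hosts), hosts[0], hosts[-1])
```

Note that a /24 expands to all 256 addresses, network and broadcast address included, which is also what NMAP does; exclusions are the only thing that keeps a subnet scan off addresses you are not authorised to touch, so they deserve the same care as the target list itself.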


Topic
Lecture 59: Network Analysis using Wireshark

• About Wireshark
• Various menu options in Wireshark
• Packet capturing examples


Introduction

• What is network analysis or Sniffing?
• It is the process of analyzing network activity by capturing network traffic.
• A sniffer is a program that monitors the data travelling around the network.
• Example tools: Wireshark, SolarWinds, Kismet and many others.

• Features of a network analyzer
• Support for multiple protocols.
• Graphical user interface.
• Statistical report generation.

What is Wireshark?

• It is an open source tool for profiling network traffic and analyzing packets.
• Often referred to as a network analyzer, network protocol analyzer or sniffer.
• https://www.wireshark.org

• What does it really do?
• Captures network data and displays it in a readable format.
• Logs network traffic for forensics and evidence.
• Analyzes network traffic generated by various applications.


How does a Packet Sniffer work?

• Ethernet is the most widely used protocol in a LAN.
• It operates at the data-link layer.
• While running Wireshark the machine's network interface card (NIC) is put in promiscuous mode.
• In this mode, the sniffer can read all traffic on the network segment to which the NIC is connected (irrespective of the sender and the receiver), instead of only the frames addressed to its own MAC address.
• Requires root (administrator) privilege to set the NIC to promiscuous mode.
• If the LAN uses a switch, unicast frames between other hosts are not forwarded to the sniffer's port, so only its own traffic plus broadcast and multicast frames are seen; capturing other hosts' traffic then needs a mirror (SPAN) port, a network tap, or an ARP-spoofing attack.

Wireshark
• Can be downloaded from: https://www.wireshark.org


Packet Capture using Wireshark

Method 1: To start capturing, double click on the network adapter.
Method 2: Select the network interface and click on Capture.
Method 3: Go to the Capture menu and click on Start.

Packet Capturing Starts

Packet Information (packet summary window, one row per frame)
No: Frame number
Time: Time in seconds since the start of the capture
Source: Source address
Destination: Destination address
Protocol: Protocol that is used for communication
Length: Length of the packet in bytes
Info: Summary of the packet (type, version, etc.)

Below the summary: the Protocol window (decoded headers) and the Data window (offset, data in hexadecimal, data in ASCII)


Applying Filters

Filtering different types of packets

• To filter packets, type the filter expression in the filter bar and press <enter> or the arrow.
• Restricts the packets that are displayed in the summary window (a display filter; it does not change what is captured).
• For a correct filter the bar turns from white to green; an invalid filter is shown in red.


TCP Filter: Summary Window

TCP Packet Header Details

• When you click on any of the packets, the respective protocol is highlighted in the protocol window, and you can see the header details.


IP Filter Summary Window

IP Packet Header Detail


Exploring the Menu

File Menu
• We can divide the File Menu into 3 major sections as per their functionality.
• Import:
• Open: open a captured file.
• Open recent: open a recently captured file.
• Merge: merge the current capture with another captured file.
• Import from hex dump: import from a hexadecimal dump file.
• Save:
• Save: save in .pcapng (Wireshark format).
• Save as: save in a different format so that it can be imported into another network analyzer (.txt, .dmp, .5vw, .erf etc.).


File Menu
• Export:
• File Set: navigate the directory where the files of a multi-file capture are stored.
• Various Export Options: save the report in a different format such as CSV, C array, XML, JSON etc.; it also allows saving data for a selected packet or a range of packets.
• Print: print the report as plain text.
• Close and Quit are used to close the capture and exit from the application.

Edit Menu
• The Edit menu can also be divided into several sections:
• Find:
• Used to search packets by matching a hexadecimal string (or a display filter or text), and to jump to the next and previous matching packets.
• Mark:
• Mark options are used for marking the packets that are displayed in the summary window.


Edit Menu
• Preferences: used to set:
• How many packets you want to show at once.
• Font and colour for packets.
• Fields (columns) to be displayed (no, time, source, dest. etc.).

View Menu

• The View menu is used to manage the look of the windows.
• The Expand and Collapse options are used to expand/collapse the header details in the protocol window.
• You can handle colouring of packets from the View menu as well.


Go Menu

• Go menu is used to switch between packets.

Capture Menu

• The Capture menu is used to start/stop capturing as well as to set capture options (preferred network interface, Wi-Fi, etc.).
• It can also apply a capture filter (ARP/TCP/IP/ICMP etc.), which limits what is recorded while capturing is running.

[Screenshot: Capturing / Capture stopped]


Analyze Menu

• This is the most important menu in Wireshark.
• It is used to analyze the packets and manage different filtering options.
• Display Filters: shows which expressions need to be typed in the filter bar to filter those types of packets.

Analyze Menu: Display Filter

• To filter packets we need to give a specific filter expression.


Analyze Menu: Enabled Protocols

• We can enable or disable the dissector for a protocol.
• If we don't want to see ICMP packets decoded, then uncheck the ICMP protocol.

Analyze Menu: Conversation Filter

This option directly applies a filter for the conversation (e.g. the TCP connection or the IP address pair) of the selected packet and shows the output.


Analyze Menu: Follow

Using this option (Follow TCP/UDP/TLS/HTTP stream) we can see the complete data exchanged in a conversation, reassembled across all of its packets.

Statistics Menu

• This is used to check the statistics of the capture, like properties of the network, number of packets sent and received, etc.


Statistics Menu: Capture File Properties

Shows the full details of the capture file and of the capturing machine (interfaces, OS, Wireshark version, packet counts).

Statistics Menu: Protocol Hierarchy

Displays statistics about the packets broken down by protocol


Statistics Menu: Destinations and Ports

Gives information about connections, ports, and the number of packets to each destination.

Telephony Menu

• Provides analysis for telephony and media-streaming related network traffic.
• It can track the details of a VoIP call, i.e. start time, end time, initiator IP, etc.


Wireless Menu

• This option is used when you are using Wireshark to analyze wireless networks.

Tools Menu
• This menu provides Firewall ACL Rules, which generates firewall rules (for iptables, Cisco IOS, Windows Firewall and others) from the addresses and ports of the selected packet, so that traffic you have identified as hostile can be blocked.
• It also gives access to the Lua scripting engine used to extend Wireshark.


Packet Analysis Examples

Example:

• Start a capture in Wireshark.
• Open a browser, type www.google.com and search.
• Save the capture and analyze it by applying the http filter.


Packet summary: see how the connection has been established (TCP three-way handshake before the HTTP request)

Protocol Window

Data Window

Right click on the packet → Follow → HTTP/TCP stream to see the data


Data: HTTP Stream Details

TCP stream shown in ASCII format; you can switch between different formats (ASCII, hex dump, raw, etc.)

Capture login credentials of an unsecured (plain HTTP) website: vulnweb.com
• Click on frame number 106 (the userinfo.php frame) for analysis.


We can even view the username and password from the HTTP packet: the form fields travel in the POST body in clear text, so anyone on the path who captures the packet has the credentials.

[Screenshot: the captured username and password]
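As an added example (not part of the lecture), the following Python reproduces what the screenshots show, offline: it writes a two-frame capture in the classic libpcap format, parses it back into the columns of the summary window, applies minimal stand-ins for the http and tls display filters, and extracts the form fields from the clear-text POST, which is what Follow HTTP stream reveals; the TLS frame on port 443 yields nothing. The frames, addresses, host name and credentials are constructed for the example and belong to no real site.

```python
import struct
from urllib.parse import parse_qs

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
CREDENTIAL_FIELDS = {"uname", "user", "username", "login", "pass", "password", "passwd", "pwd"}


def _ipv4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, dst, sport, dport, payload: bytes, seq=1) -> bytes:
    """Ethernet + IPv4 + TCP (PSH|ACK) + payload with zero checksums, which is
    all a capture-file parser needs (constructed for this example)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))
    return eth + ip + tcp + payload


def write_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record header + frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1570183200 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Yield one dict per TCP frame with the columns of Wireshark's summary window."""
    magic, _vmaj, _vmin, _zone, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    offset, number = 24, 0
    while offset + 16 <= len(data):
        ts, _us, incl, _orig = struct.unpack("<IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl]
        offset += 16 + incl
        number += 1
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # IPv4 carrying TCP only
            continue
        l4 = 14 + (frame[14] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        data_off = (frame[l4 + 12] >> 4) * 4
        yield {"no": number, "time": ts,
               "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
               "sport": sport, "dport": dport, "payload": frame[l4 + data_off:]}


def display_filter(packets, name: str):
    """Minimal stand-ins for the 'http' and 'tls' display filters."""
    if name == "http":
        return [p for p in packets if p["payload"][:4] in (b"GET ", b"POST", b"HTTP")]
    if name == "tls":   # TLS record header: content type 20-23, version major byte 3
        return [p for p in packets if len(p["payload"]) >= 5
                and p["payload"][0] in (20, 21, 22, 23) and p["payload"][1] == 3]
    raise ValueError(name)


def credentials_from_http(packets):
    """What Follow HTTP stream shows for a plain-text form login: the POST body."""
    found = []
    for p in display_filter(packets, "http"):
        head, _sep, body = p["payload"].partition(b"\r\n\r\n")
        if not head.startswith(b"POST") or b"x-www-form-urlencoded" not in head.lower():
            continue
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()
                  if k.lower() in CREDENTIAL_FIELDS}
        if fields:
            found.append((p["no"], fields))
    return found


def demo() -> dict:
    """Two constructed frames: a clear-text login POST and a TLS handshake record on 443."""
    post = (b"POST /userinfo.php HTTP/1.1\r\nHost: login.unsecured.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\n"
            b"uname=alice&pass=s3cret")
    hello = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"     # truncated TLS ClientHello record
    capture = write_pcap([build_frame("10.5.23.251", "198.51.100.10", 51000, 80, post),
                          build_frame("10.5.23.251", "198.51.100.20", 51001, 443, hello)])
    packets = list(read_pcap(capture))
    return {"frames": len(packets),
            "http": [p["no"] for p in display_filter(packets, "http")],
            "tls": [p["no"] for p in display_filter(packets, "tls")],
            "credentials": credentials_from_http(packets)}


if __name__ == "__main__":
    print(demo())
```

The point of the second frame is the contrast the next slides make: on port 443 the parser can still see addresses, ports and the TLS record type, but the credentials are inside encrypted application data, so the same capture that exposes the HTTP login reveals nothing about the banking session.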

Packet details for SBI net banking

Making a secure (TLS) connection on port 443


Key exchange and encrypted handshake between server and client: after the TLS handshake Wireshark shows only "Application Data" records, so no credentials are visible in the capture.
