
Computer Networking
COMP 177 | Fall 2020 | University of the Pacific | Jeff Shafer

Nmap
Network Scanning

2

Types of Network Scans

• Sweeps/Traces
  • Send out a small number of probes to each IP address and listen for replies
  • Make note of active systems
  • Attempt to deduce network topology

Sweep → Port Scan → Fingerprinting → Vulns

Computer Networking Fall 2020


3

Types of Network Scans

• Port scans
  • Send out a larger number of probes to each active IP address and listen for replies
  • Make note of TCP and UDP ports that are listening

Sweep → Port Scan → Fingerprinting → Vulns


4

Types of Network Scans

• OS Fingerprinting and Version Scanning
  • Send a larger number of probes to active hosts with listening ports
  • Deduce the operating system of the host by closely examining the replies
  • Deduce the installed software and version of active network services on the host

Sweep → Port Scan → Fingerprinting → Vulns


5

Types of Network Scans

• Vulnerability Scanning
  • Armed with lists of active hosts, their OS, and their network services, check for known vulnerabilities or common misconfigurations

Sweep → Port Scan → Fingerprinting → Vulns


6

Scan Challenges

• The more detailed the network scan, the slower it will be
  • Detecting a host is up: as little as one ICMP ping; fire and forget!
  • Detecting a port is open: one packet per port (65,535 if you scan them all) x 2 (TCP + UDP)
  • Detecting versions (of the OS or of network services): dozens or more packets per service, holding a "legitimate" conversation with the service in the expected manner
  • Vulnerability scanning: even slower
• Often send multiple probes to each host & port in case of packet loss


7

Scan Challenges

• Setting your network scanner to MAX DETAILS will not produce results in a timely manner
  • 100 IPs and potential hosts? OK...
  • 10,000? 100,000? Days! Need to refine your technique
• Iterative approach (sweeps before targeted scans)
• Reduce the specific ports scanned?
  • Pros: faster
  • Cons: might miss obscure (but vulnerable) ports


8

Common TCP Ports

• FTP – 21
• SSH – 22
• Telnet – 23
• SMTP – 25
• HTTP – 80
• Microsoft RPC endpoint mapper – 135
• NetBIOS session service – 139 (the NetBIOS name service on 137 is UDP)
• HTTPS – 443
• SMB over TCP – 445


9

Faster Scanners - ZMap


Extreme example of the tradeoff between speed and detail

"ZMap is a fast single-packet network scanner optimized for Internet-wide network surveys. On a computer with a gigabit connection, ZMap can scan the entire public IPv4 address space in under 45 minutes. With a 10gigE connection and PF_RING, ZMap can scan the IPv4 address space in 5 minutes."

Is this a scan or a DoS attack?

https://zmap.io/


10

Scanning Mechanics
11

Nmap

• Nmap ("Network Mapper") is a tool for network discovery and security auditing
• Many scanning possibilities
  • What hosts are on the network?
  • What services (app name & version) are they offering?
  • What OS version are they running?
  • What packet filters / firewalls are in use?

https://nmap.org/


12

Nmap

Two interfaces (screenshots in the original slide): the command line (nmap) and the GUI (Zenmap)


13

Target Specification

• What systems do I want to scan?
  • {target specification}
• Hostnames: scanme.nmap.org
  • Challenge: one hostname might map to multiple systems (e.g. web servers behind a load balancer or proxy); Nmap scans only the first address the resolver returns and lists the rest as "not scanned"
  • Not preferred for serious analysis
• IP address(es) - either a single IP or a range
  • 192.168.0.1
  • 192.168.0.0/24
  • 10.0.0-255.1-254 (per-octet ranges; nearly 10.0.0.0/16, but it skips the .0 and .255 host addresses of every /24)
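The range notations above are easy to mis-size (the slide's own "aka 10.0.0.0/16" is off by 512 addresses). The following is an added example, not code from the slides or from the Nmap project: a standard-library re-implementation of Nmap's CIDR and per-octet range syntax that lets you count and bound a target specification before you point a scanner at it. The function and helper names are mine; hostnames are rejected on purpose, since resolving one is itself a network action and may hide several hosts behind one name.

```python
"""Expand Nmap-style IPv4 target specifications into individual addresses.

Added example (not from the slides or from Nmap). Supports the two range
forms shown on the slide, CIDR (192.168.0.0/24) and per-octet ranges
(10.0.0-255.1-254), plus Nmap's comma lists and '*' inside an octet.
"""
import ipaddress
import itertools
from typing import Iterator, List, Tuple


def _octet_values(field: str) -> List[int]:
    """Turn one octet field ('7', '1-254', '1,3,5-9' or '*') into its values."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"octet range {part!r} out of bounds")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one target specification.

    Accepted forms (all of which Nmap also accepts):
      192.168.0.1         a single address
      192.168.0.0/24      CIDR; includes the network and broadcast addresses
      10.0.0-255.1-254    per-octet ranges, '*' meaning 0-255
    Hostnames are rejected: resolving them is a network action, and one
    name may map to several hosts (see the slide above).
    """
    if "/" in spec:
        # strict=False lets a host address stand for its network, as Nmap does.
        net = ipaddress.ip_network(spec, strict=False)
        if net.version != 4:
            raise ValueError("only IPv4 CIDR is handled here")
        for addr in net:
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"{spec!r} is not a dotted-quad specification")
    for combo in itertools.product(*(_octet_values(o) for o in octets)):
        yield ".".join(str(v) for v in combo)


def count_targets(spec: str) -> int:
    """Number of addresses a specification expands to (cheap sanity check)."""
    return sum(1 for _ in expand_target(spec))


def scope_summary(spec: str) -> Tuple[str, str, int]:
    """(first address, last address, count): eyeball the scope before scanning."""
    addrs = list(expand_target(spec))
    return addrs[0], addrs[-1], len(addrs)


if __name__ == "__main__":
    for s in ("192.168.0.1", "192.168.0.0/24", "10.0.0-255.1-254"):
        print(s, "->", scope_summary(s))
```

Run it with the slide's three examples and the third one reports 65,024 addresses, not 65,536; that difference is exactly the 256 network addresses and 256 broadcast addresses the octet-range form leaves out.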



14

Scanning Mechanics

• Host Detection
  • How do we detect if a host is active?
  • Even if it is nominally configured to hide its presence
• Port Detection
  • How do we detect if a port is open/listening?


15

Host Detection

• What hosts are on the network?

nmap -sn [options] {target specification}

root@kali:~# nmap -sn scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 20:04
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.00014s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds


16

Host Detection

Root User
• Ability to generate arbitrary packets
• Same subnet?
  • ARP request for the IP
  • DNS reverse lookup
• Different subnet?
  • ICMP Echo Request
  • ICMP Timestamp request
  • TCP SYN to port 443 (HTTPS)
  • TCP ACK to port 80 (HTTP)
  • DNS reverse lookup

Unprivileged User
• Limited to normal network sockets (i.e. connect())
• TCP SYN to port 80
• TCP SYN to port 443

The probes are sent as a parallel burst. These defaults can be customized, and they will not detect every host.

https://nmap.org/book/man-host-discovery.html


17

TCP Port Detection

• What TCP ports are open on a host?

nmap -sT [options] {target specification}
nmap -sS [options] {target specification}

root@kali:~# nmap -sT scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 21:29 PST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.033s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo
31337/tcp open Elite
18

TCP Port Scan - Connect

• TCP Connect scan (-sT)
  • Can be run without root privileges
  • Uses the OS connect() call
  • Less efficient (more packets required)
  • Often logged by the target application: the connection is fully established and then immediately closed, which shows up as an aborted or empty connection in service logs

Packet exchange (open port):
  Nmap → Target: SYN
  Target → Nmap: SYN-ACK
  Nmap → Target: ACK
  Nmap → Target: RST

https://nmap.org/book/scan-methods-connect-scan.html


19

TCP Port Scan – SYN Scan

• TCP SYN scan (-sS)
  • Aka "half-open scanning"
  • Default if you don't specify a scan type and are running as root (unprivileged users fall back to -sT) / recommended
  • Requires root privileges to generate raw packets
  • More efficient / fewer packets
  • Less likely to be logged by the target application (no connection is ever established, so the application never sees it)
  • Firewalls/IDSs still detect it

Packet exchange (open port):
  Nmap → Target: SYN
  Target → Nmap: SYN-ACK
  Nmap → Target: RST

https://nmap.org/book/synscan.html
20

TCP Port Detection

• Possible TCP port states from scanning
  • Open: Nmap confirmed there is an application listening on that port
    • Nmap sent SYN, target responded SYN-ACK
  • Closed: Nmap confirmed there is no application listening on that port
    • Nmap sent SYN, target responded RST
  • Filtered: Nmap could not determine whether the port is open or closed
    • Nmap sent SYN, target responded with [radio silence] (or an ICMP unreachable error)
    • Likely a firewall dropping the probes, which intentionally muddies the results and slows the scan down considerably, because Nmap must wait for a timeout and retransmit before giving up on each port
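The three states above map directly onto what the operating system reports back from connect(), which is all a -sT scan has to work with. Here is an added example, not code from the slides or from Nmap, of a minimal connect scanner that classifies ports the same way and labels each verdict with a reason string in the vocabulary of Nmap's --reason column (syn-ack, conn-refused, no-response). It runs without root, probes ports one at a time (Nmap parallelises), and the target in the __main__ block is a placeholder, not a host anyone has authorised you to scan.

```python
"""A minimal TCP connect scan (the -sT method) with Nmap's three port states.

Added example, not code from the slides or from Nmap itself. The mapping is:
  connect() succeeds (SYN-ACK came back)      -> open     (syn-ack)
  ECONNREFUSED (target answered with RST)     -> closed   (conn-refused)
  timeout (SYN silently dropped)              -> filtered (no-response)
  other OS error (ICMP unreachable, routing)  -> filtered (errno name)
"""
import errno
import socket
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class PortResult:
    port: int
    state: str   # "open", "closed" or "filtered"
    reason: str  # why that verdict was reached


def connect_scan_port(host: str, port: int, timeout: float = 1.0) -> PortResult:
    """Probe one TCP port with a full connect(), then tear the connection down."""
    # AF_INET: IPv4 only, matching the dotted-quad targets on the slides.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            # Nothing came back at all: the SYN (or the reply) was dropped.
            return PortResult(port, "filtered", "no-response")
        except ConnectionRefusedError:
            # The stack answered our SYN with RST: nobody is listening there.
            return PortResult(port, "closed", "conn-refused")
        except OSError as e:
            # ICMP unreachable errors and local routing failures land here;
            # Nmap also reports these as filtered, with the ICMP reason.
            name = errno.errorcode.get(e.errno, "error") if e.errno else "error"
            return PortResult(port, "filtered", name.lower())
        # Handshake completed, so a SYN-ACK was received. Like -sT we close
        # at once; that is the empty, aborted connection the target may log.
        return PortResult(port, "open", "syn-ack")


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[PortResult]:
    """Scan several ports sequentially (Nmap parallelises; this stays simple)."""
    return [connect_scan_port(host, p, timeout) for p in ports]


def summarize(results: List[PortResult]) -> str:
    """Render results in Nmap's PORT / STATE / REASON layout, hiding nothing."""
    lines = [f"{'PORT':<10}{'STATE':<10}REASON"]
    for r in results:
        lines.append(f"{str(r.port) + '/tcp':<10}{r.state:<10}{r.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder target and ports: replace with a host you are allowed to scan.
    print(summarize(connect_scan("127.0.0.1", [22, 80, 443], timeout=0.5)))
```

Note how the cost of the "filtered" verdict shows up in the code: an open or closed port answers in one round trip, while a filtered port costs the full timeout, which is exactly why a firewall that drops rather than rejects slows a scan so much.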



21

TCP Port Scan – SYN Scan

Packet exchanges by port state (figure in the original slide):
  Open: Nmap sends SYN, target answers SYN-ACK, Nmap replies RST
  Closed: Nmap sends SYN, target answers RST
  Filtered: Nmap sends SYN, nothing comes back (probe is retried) or an ICMP unreachable error arrives

https://nmap.org/book/synscan.html
22

TCP Port Detection


• Why were these ports filtered when I ran this scan at home? (AT&T Uverse)

root@kali:~# nmap -sT scanme.nmap.org
...
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo
31337/tcp open Elite

• TCP 25: SMTP
• TCP 135: RPC
• TCP 139: NetBIOS
• TCP 445: SMB
• Bad history of malware abusing these services on unsuspecting (unsophisticated) home users!
• AT&T blocking? 🤔


23

TCP Port Detection


• Result of an identical scan, but from an EC2 virtual machine (AWS)

ubuntu@ip-172-31-52-244:~$ nmap -sT scanme.nmap.org
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-27 07:22 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.021s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite

Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds

Useful lesson about where you are scanning from? 😎
24

UDP Port Detection

• What UDP ports are open on a host?

nmap -sU [options] {target specification}

root@kali:~# nmap -sU scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-26 21:31 PST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0043s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 999 open|filtered ports
PORT STATE SERVICE
123/udp open ntp

Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds

https://nmap.org/book/scan-methods-udp-scan.html


25

UDP Port Detection

• Sends a UDP packet to each port in the scan and listens for any reply
  • Empty payload for most ports
  • Hard to know what to send to a mystery application
  • Big challenge: most applications will just discard/ignore an empty UDP packet, so silence proves nothing
• Protocol-specific payload for a few well-known ports to elicit more replies (sneaky!)
  • UDP 53 (DNS)
  • UDP 161 (SNMP)
  • ...


26

UDP Port Detection

• Possible UDP port states from scanning
  • Open: Nmap sent a packet, target responded with any UDP packet
  • Open|Filtered: Nmap sent a packet, no response from the target (even after retransmissions); either the application silently ignored the probe or a firewall dropped it, and Nmap cannot tell which
  • Closed: Nmap sent a packet, target responded with ICMP port unreachable (type 3, code 3)
  • Filtered: Nmap sent a packet, target responded with another ICMP unreachable error (type 3, codes 0, 1, 2, 9, 10 or 13)
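Both UDP slides above boil down to one decision procedure: send a (possibly tailored) datagram, retransmit on silence, and read the ICMP error, if any, to pick one of four states. The following is an added example, not code from the slides or from Nmap, that implements that procedure without raw sockets or root: a connected UDP socket makes the Linux kernel report the ICMP error to us as an exception (ECONNREFUSED for port unreachable, EHOSTUNREACH or ENETUNREACH for the other unreachable codes). Function names and the reason strings are mine, the DNS payload is a minimal query I constructed rather than Nmap's own nmap-payloads entry, and the target in __main__ is a placeholder.

```python
"""UDP port probing with Nmap's four UDP port states.

Added example, not code from the slides or from Nmap. Classification:
  any UDP reply                         -> open          (udp-response)
  ICMP port unreachable (type 3 code 3) -> closed        (port-unreach)
  other ICMP unreachable errors         -> filtered      (icmp-unreach)
  silence after every retry             -> open|filtered (no-response)
ICMP error delivery to a connected UDP socket is Linux behaviour; on a
kernel that swallows the error the same port simply times out into
open|filtered, which is the honest answer when no evidence arrived.
"""
import socket
from typing import Dict, Iterable, Tuple

# Protocol-specific payloads by port. Most ports get an empty datagram, which
# many daemons silently drop, so a well-known port gets a real request that a
# listener is obliged to answer. Constructed here: a DNS query for "." NS IN.
PAYLOADS: Dict[int, bytes] = {
    53: (b"\x12\x34"                          # transaction id
         b"\x01\x00"                          # flags: standard query, RD set
         b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, AN/NS/AR=0
         b"\x00"                              # QNAME "." (the root)
         b"\x00\x02\x00\x01"),                # QTYPE NS, QCLASS IN
}


def probe_payload(port: int) -> bytes:
    """Nmap-style payload choice: tailored for a few ports, empty for the rest."""
    return PAYLOADS.get(port, b"")


def udp_probe(host: str, port: int, timeout: float = 1.0, retries: int = 2) -> Tuple[str, str]:
    """Return (state, reason) for host:port using Nmap's UDP state vocabulary."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() sends nothing on UDP; it fixes the peer so that ICMP errors
        # for this flow are delivered to this socket as exceptions.
        s.connect((host, port))
        for _ in range(retries + 1):
            try:
                s.send(probe_payload(port))
                s.recv(4096)  # any datagram back means something is listening
                return "open", "udp-response"
            except socket.timeout:
                continue  # lost or ignored: retransmit before giving up
            except ConnectionRefusedError:
                return "closed", "port-unreach"  # ICMP type 3 code 3
            except OSError:
                return "filtered", "icmp-unreach"  # host/net/admin-prohibited
    return "open|filtered", "no-response"


def udp_scan(host: str, ports: Iterable[int], timeout: float = 1.0,
             retries: int = 2) -> Dict[int, Tuple[str, str]]:
    """Probe several ports; each silent port costs (retries + 1) * timeout."""
    return {p: udp_probe(host, p, timeout, retries) for p in ports}


if __name__ == "__main__":
    # Placeholder target: replace with a host you are allowed to scan.
    for p, (state, reason) in udp_scan("127.0.0.1", [53, 123, 161], timeout=0.5).items():
        print(f"{p}/udp {state} ({reason})")
```

The cost model in udp_scan's docstring is the reason the slide's -sU run took 4.25 seconds for one host while -sT took well under a second: 999 of the 1000 ports were silent and each one had to wait out its retransmissions.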



27

Port Detection

• Nmap does not scan all ports by default!
  • Checking all 65,535 ports is slooooooooow and nearly all are closed
  • Only the 1000 most popular ports (per protocol) are checked by default
  • Good odds for TCP, less so for UDP
  • Scanned in random order

Table 6.1. Required --top-ports values for reaching various effectiveness levels

Effectiveness | TCP ports required | UDP ports required
10%           |      1             |      5
20%           |      2             |     12
30%           |      4             |     27
40%           |      6             |    135
50%           |     10             |  1,075
60%           |     18             |  2,618
70%           |     44             |  5,157
80%           |    122             |  7,981
85%           |    236             |  9,623
90%           |    576             | 11,307
95%           |  1,558             | 13,035
99%           |  3,328             | 15,094
100%          | 65,536             | 65,536

https://nmap.org/book/performance-port-selection.html
https://nmap.org/book/port-scanning.html#most-popular-ports
28

Port Detection

• Can override with the --top-ports n option
• Can reduce to the top 100 ports with -F (fast mode)
• Can specify ports explicitly with the -p option
  • A single port: -p 80
  • A list: -p 80,443
  • A range: -p 0-65535
  • Per protocol when combining -sS/-sT with -sU: -p U:53,161,T:22,80
• UDP port scans can be improved with version detection (-sV) because the probes sent are tailored to the specific application that typically listens on that port, which turns many open|filtered results into a definite open


29

OS Detection

• What operating systems are on the network?

nmap -O [options] {target specification}

root@kali:~# nmap -O scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:19 PST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.027s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

• Caveat: this guess is wrong. scanme.nmap.org runs Ubuntu Linux (the -sV output a few slides on says so). OS fingerprints are built from low-level TCP/IP stack quirks, so when a home gateway, NAT or firewall rewrites or answers packets on the target's behalf, you may end up fingerprinting the middlebox instead; treat -O results as evidence, not proof
30

OS Detection

• Purposes of OS detection?
  • Check if hosts are vulnerable to known exploits
  • Inventory of systems on the network
  • Detect unauthorized devices on the network (e.g. a rogue wireless access point)


31

OS Detection

• How is the OS detected?
  • "Nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine. These probes are specially designed to exploit various ambiguities in the standard protocol RFCs. Then Nmap listens for responses. Dozens of attributes in those responses are analyzed and combined to generate a fingerprint. Every probe packet is tracked and resent at least once if there is no response."

More info: https://nmap.org/book/osdetect-methods.html


32

Service & Version Detection

• Final main piece of Nmap functionality
• Key challenges remaining
  • If a service is listening on TCP port 80, are we sure it's a web server? (A plain Nmap port scan labels it "http" from the port number alone, without any verification)
  • If some service is listening on a nonstandard port such as 12345, what is it?
  • Can we find more details about the specific service application and its version number?


33

Service & Version Detection

• What services are on the network?

nmap -sV [options] {target specification}

root@kali:~# nmap -sV scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:35 PST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.084s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• Note "tcpwrapped" on 31337: the TCP handshake completed but the connection was closed before any data was exchanged, so Nmap could not identify the service. That pattern is typical of TCP Wrappers, a firewall or a proxy that accepts and then drops the connection; it is not the "Elite" service the port-number lookup suggested


34

Doing it ALL
(Host + Port + OS + Version + scripts)

nmap -A [options] {target specification}

ubuntu@ip-172-31-52-244:~$ nmap -A scanme.nmap.org
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-27 08:22 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.021s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 12.26 seconds

Big drawback of always using -A: 12.26 seconds vs 0.38 seconds for -sT, for ONE HOST
35

Nmap Tips and Tricks

• How close is my scan to finishing?
  • Press any key while Nmap is running to see the current status (runtime, hosts scanned, hosts up, ...)
• How do I get more information / more debugging information?
  • Press v or d while running to increase the verbosity / debugging level
  • Press shift-v or shift-d while running to decrease the verbosity / debugging level
  • Use the --packet-trace option to see every packet sent and received


36

Nmap Tips and Tricks

• How do I control the speed at which Nmap scans?

nmap -T<0-5> [options] {target specification}

• "Timing Templates"
  • -T0: Paranoid: 300s between probes
  • -T1: Sneaky: 15s between probes
  • -T2: Polite: 0.4s between probes
  • -T3: Normal (default)
  • -T4: Aggressive: more parallelism, shorter timeouts (consider -T4 on a LAN)
  • -T5: Insane: MOAR!! (timeouts so short that results on slow or lossy links become unreliable)
• Are -T0/-T1 sufficiently slow that an IDS won't detect the scan? Maybe against a simple rate-threshold detector, but note the price: a default 1000-port -T0 scan of a single host takes about 300,000 seconds, i.e. over three days

https://nmap.org/book/performance-timing-templates.html


37

Nmap Tips and Tricks

• How do I control the Nmap output format?

nmap -o<N|X|G|A|S> <filename> [options] {target specification}

• Output formats
  • No option: default human-readable output to the terminal
  • -oN [filename]: the same "normal" output saved to a file
  • -oX [filename]: XML output, easily imported into other tools
  • -oG [filename]: "grepable" output, one line per host
  • -oA [basename]: normal + XML + grepable at once, written to basename.nmap, basename.xml and basename.gnmap (the argument is a base filename, not a directory)
  • -oS [filename]: sCRiPt KiDDi3 0utPU+
    • This format is provided for the l33t haXXorZ! :)
• Use "-" as the filename to send that format to stdout (e.g. -oX -)
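"Easily imported" is the point of -oX, so here is what that import looks like in practice. This is an added example, not code from the slides or from Nmap: it parses Nmap XML with the standard library and then diffs two scans of the same host, which is exactly the question the earlier slides asked by hand (why did 25, 135, 139 and 445 show as filtered from home but closed from EC2?). The two XML documents are built by small helper functions so they stay short; their element and attribute names follow Nmap's real nmap.dtd, but the documents themselves, the reason_ttl values and the elapsed times are constructed to match the page's results, not captured output.

```python
"""Parse Nmap XML (-oX) output and diff two scans of the same host.

Added example; neither the slides nor Nmap ship this code. The XML below is
constructed to mirror the page's two -sT scans of scanme.nmap.org: from home
(four ports filtered) and from EC2 (the same four simply closed).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PortKey = Tuple[str, str, int]  # (IPv4 address, protocol, port number)


def _port(portid: int, state: str, reason: str, service: str) -> str:
    """One <port> element, shaped like nmap.dtd; reason_ttl is made up."""
    return (f'<port protocol="tcp" portid="{portid}">'
            f'<state state="{state}" reason="{reason}" reason_ttl="53"/>'
            f'<service name="{service}"/></port>')


def _doc(ignored_count: int, ports: str, elapsed: str) -> str:
    """A whole constructed <nmaprun> document for one host."""
    return (f'<nmaprun scanner="nmap" args="nmap -sT -oX - scanme.nmap.org" version="7.80">'
            f'<host><status state="up" reason="syn-ack"/>'
            f'<address addr="45.33.32.156" addrtype="ipv4"/>'
            f'<hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>'
            f'<ports><extraports state="closed" count="{ignored_count}"/>{ports}</ports>'
            f'</host><runstats><finished elapsed="{elapsed}"/>'
            f'<hosts up="1" down="0" total="1"/></runstats></nmaprun>')


OPEN = [(22, "ssh"), (80, "http"), (9929, "nping-echo"), (31337, "Elite")]
HOME_FILTERED = [(25, "smtp"), (135, "msrpc"), (139, "netbios-ssn"), (445, "microsoft-ds")]

HOME_SCAN = _doc(992, "".join(_port(p, "open", "syn-ack", s) for p, s in OPEN)
                 + "".join(_port(p, "filtered", "no-response", s) for p, s in HOME_FILTERED),
                 "0.38")
EC2_SCAN = _doc(996, "".join(_port(p, "open", "syn-ack", s) for p, s in OPEN), "0.73")


@dataclass
class Scan:
    ports: Dict[PortKey, Dict[str, str]] = field(default_factory=dict)
    # State of every port Nmap did not list ("Not shown: N closed ports"), per address.
    ignored: Dict[str, str] = field(default_factory=dict)


def parse_scan(xml_text: str) -> Scan:
    """Walk nmaprun/host/ports and record state, reason and service per port."""
    scan = Scan()
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        extra = host.find("ports/extraports")
        if extra is not None:
            scan.ignored[addr] = extra.get("state", "unknown")
        for port in host.iter("port"):
            st = port.find("state")
            svc = port.find("service")
            scan.ports[(addr, port.get("protocol", ""), int(port.get("portid", "0")))] = {
                "state": st.get("state", "") if st is not None else "",
                "reason": st.get("reason", "") if st is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
            }
    return scan


def open_ports(scan: Scan) -> List[int]:
    """Sorted port numbers in state open, across all hosts in the scan."""
    return sorted(p for (_, _, p), info in scan.ports.items() if info["state"] == "open")


def state_of(scan: Scan, key: PortKey) -> str:
    """A port Nmap did not list has its host's extraports ('ignored') state."""
    if key in scan.ports:
        return scan.ports[key]["state"]
    return scan.ignored.get(key[0], "unknown")


def diff_scans(before: Scan, after: Scan) -> Dict[PortKey, Tuple[str, str]]:
    """Ports whose state differs between two scans: key -> (before, after)."""
    changed: Dict[PortKey, Tuple[str, str]] = {}
    for key in sorted(before.ports.keys() | after.ports.keys()):
        a, b = state_of(before, key), state_of(after, key)
        if a != b:
            changed[key] = (a, b)
    return changed


if __name__ == "__main__":
    home, ec2 = parse_scan(HOME_SCAN), parse_scan(EC2_SCAN)
    print("open from home:", open_ports(home))
    for (addr, proto, port), (a, b) in diff_scans(home, ec2).items():
        print(f"{port}/{proto} on {addr}: {a} at home -> {b} from EC2")
```

The extraports element is the detail people forget: a port absent from one scan's list is not "unknown", it is in whatever state the "Not shown:" line reports, and the diff above uses that so the four home-filtered ports correctly show up as closed from EC2.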

https://nmap.org/book/output.html


38

Nmap Tips and Tricks

• Why did Nmap mark that port as open, closed, filtered, ...?

nmap --reason [options] {target specification}

root@kali:~# nmap -sT --reason scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-27 20:09 PST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.043s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
Reason: 992 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp filtered smtp no-response
80/tcp open http syn-ack
135/tcp filtered msrpc no-response
139/tcp filtered netbios-ssn no-response
445/tcp filtered microsoft-ds no-response
9929/tcp open nping-echo syn-ack
31337/tcp open Elite syn-ack


39

Nmap Tips and Tricks


• How do I reduce the scan time?
• Omit non-critical tests
  • Skip the port scan (-sn) when you only need to know which hosts are online
  • Limit the number of ports scanned
  • Skip advanced scan types (-sC, -sV, -O, --traceroute, and -A)
  • Turn off DNS resolution (-n) when it isn't necessary
    • Nmap does a reverse DNS lookup against every host by default
• Optimize timing parameters (-T templates)
• Separate and optimize UDP scans
• Scan from a favorable network location
  • Inside the LAN is almost always better!

https://nmap.org/book/reduce-scantime.html


40

Closing Thoughts

Recap
• Today we discussed
  • Port scanning
  • Nmap operation

Next Class
• DNS, DNSSEC, DNS over TLS, ...

Project 5: due Dec 2nd
Presentation: due Nov 23rd
