nmap
nmap
• Fyodor <[email protected]> (www.insecure.org)
• Network Mapper
• Port scanner
• OS fingerprinter
• Scans a particular target for all open ports
• Very invasive and very powerful
nmap Uses
• Network exploration tool and port scanner
– Security audits
– Network inventory
– Upgrade schedules
– Monitoring host/service uptime
Example nmap Scan

```
# nmap -A -T4 scanme.nmap.org playground
Starting nmap ( http://www.insecure.org/nmap/ )
Interesting ports on scanme.nmap.org (205.217.153.62):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 3.9p1 (protocol 1.99)
53/tcp   open   domain
70/tcp   closed gopher
80/tcp   open   http         Apache httpd 2.0.52 ((Fedora))
113/tcp  closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)

Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  msrpc        Microsoft Windows RPC
1720/tcp open  H.323/Q.931  CompTek AquaGateKeeper
5800/tcp open  vnc-http     RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
5900/tcp open  vnc          VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
```
nmap Options Summary and Syntax

```
# nmap
Nmap 3.95 ( http://www.insecure.org/nmap/ )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file)
  -r: Scan ports consecutively - don't randomize
```
nmap Syntax (cont)

```
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version_light: Limit to most likely probes for faster identification
  --version_all: Try every single probe for version detection
  --version_trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection
  --osscan_limit: Limit OS detection to promising targets
  --osscan_guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  -T[0-5]: Set timing template (higher is faster)
  --min_hostgroup/max_hostgroup <msec>: Parallel host scan group sizes
  --min_parallelism/max_parallelism <msec>: Probe parallelization
  --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout <msec>: Specifies
      probe round trip time.
  --host_timeout <msec>: Give up on target after this long
  --scan_delay/--max_scan_delay <msec>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source_port <portnum>: Use given port number
  --data_length <num>: Append random data to sent packets
  --ttl <val>: Set IP time-to-live field
  --spoof_mac <mac address/prefix/vendor name>: Spoof your MAC address
```
nmap Syntax (cont)

```
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and
      Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --packet_trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append_output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no_stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send_eth/--send_ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -P0 -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
```
Target Specification
• 192.168.10.0/24
• 198.168.10.97/16
• 192.168.0-255.0/8
– better: 192.168.0-255.1-254
• 0-155.0-255.13.37
– Internet wide scan of all addresses ending in 13.37
• scanme.nmap.org/8
• Some available options:
– -iL <input_file_name> (Addresses from list)
– -iR <num hosts> (Choose random targets)
– --excludefile <exclude_file>
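To make the target notation above concrete, here is an added example (not from the slides or the nmap project) that expands nmap-style CIDR and per-octet-range specs into addresses and counts them, which shows why `x.x.0-255.1-254` is "better" than sweeping `0-255` in the last octet. It assumes a spec is either CIDR or octet ranges (not both) and that hostnames such as `scanme.nmap.org/8` are resolved before being passed in.

```python
import ipaddress
from itertools import product

# Added example, not from the slides: expand nmap-style target specs,
# i.e. CIDR ("192.168.10.0/24", "198.168.10.97/16") and per-octet ranges
# ("192.168.0-255.1-254", "0-255.0-255.13.37"), into IPv4 addresses.
# Assumption: a spec is either CIDR or octet ranges, not both, and hostnames
# (scanme.nmap.org/8) are resolved elsewhere before being passed in.


def _octet_values(field: str) -> range:
    """'0-255' -> range(0, 256); '13' -> range(13, 14); bounds are validated."""
    lo, _, hi = field.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range: {field!r}")
    return range(lo_i, hi_i + 1)


def _octet_ranges(spec: str) -> list:
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [_octet_values(f) for f in fields]


def target_count(spec: str) -> int:
    """How many addresses a spec covers, computed without expanding it."""
    if "/" in spec:
        # strict=False: 198.168.10.97/16 means the whole /16, as in nmap
        return ipaddress.ip_network(spec, strict=False).num_addresses
    n = 1
    for r in _octet_ranges(spec):
        n *= len(r)
    return n


def expand_target(spec: str):
    """Yield every IPv4Address the spec matches (lazy: a /8 is 16M addresses)."""
    if "/" in spec:
        yield from ipaddress.ip_network(spec, strict=False)
        return
    for octets in product(*_octet_ranges(spec)):
        yield ipaddress.IPv4Address(".".join(map(str, octets)))


if __name__ == "__main__":
    # The slide's point: x.x.0-255.1-254 skips the .0 and .255 of each /24.
    for spec in ("192.168.10.0/24", "192.168.0-255.1-254", "0-255.0-255.13.37"):
        print(f"{spec:22} -> {target_count(spec):>6} addresses")
```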
Host Discovery
• Reduce the number of hosts on a network to be scanned
• Specify how each host is to be identified as interesting
• Firewall considerations
• Default: for each requested IP address
– Attempt a TCP ACK to port 80
– Attempt an ICMP Echo Request
Host Discovery
• Some available host discovery options:
– -sL (List Scan)
– -sP (Ping Scan)
» Use only pings to scan the IP addresses specified
» Prints all hosts responding to a ping
– -P0 (No Ping)
– -PS [port list] (TCP SYN Ping Scan)
» A TCP SYN packet is sent to port 80 for every IP by default, or to every port in the given list
– -PA [port list] (TCP ACK Ping Scan)
– -PU [port list] (UDP Ping Scan)
– -PE; -PP; -PM (ICMP Ping Scan)
– -PR (ARP Ping Scan)
Port Scanning Basics
• nmap scans more than 1660 ports
• Most port scanners list ports as opened or closed
• nmap recognizes 6 port states
– Open
» Accepting TCP connections or UDP packets
– Closed
» Host is up on the IP address
» Accessible, but no app is listening
» Try later
Port Scanning Basics
• nmap recognizes 6 port states (cont’d)
– Filtered
» No response from probe: a firewall probably did a stealth drop
» Forces nmap to retry many times
– Unfiltered
» Port is accessible, but it is not known whether it is open or closed
» Used in mapping firewall rulesets
» Try Window scan, SYN scan, FIN scan
Port Scanning Basics
• nmap recognizes 6 port states (cont’d)
– open|filtered
» When unable to determine whether the port is open or filtered
– closed|filtered
» When unable to determine whether the port is closed or filtered
Port Scanning Techniques
• Only one scan technique can be used at a time
• Usually must have root privilege
• Some available scan techniques:
– -sS (TCP SYN scan)
» Default
» Half-open scanning: the open request is never completed
– -sT (TCP connect() scan)
» A full TCP connection is attempted
» Firewalls tend to block incomplete TCP connect attempts
» The scan control is handed over to the OS
Port Scanning Techniques (cont’d)
• Some additional available scan techniques:
– -sU (UDP scan)
» Picks up services like DNS, SNMP, DHCP
» A UDP packet with no data is sent to every targeted port
» ICMP port unreachable --> port is closed
» ICMP type 3, code 1, 2, 9, 10 or 13 --> port is filtered
» Responds with a UDP packet --> port is open
» No response --> port is open|filtered
– -sN (TCP Null scan): no flags set
– -sF (TCP FIN scan): only the FIN bit is set
– -sX (Xmas scan): FIN, PSH, & URG bits are set
» RST packet received --> port is closed
» No response --> port is open|filtered
» ICMP unreachable (type 3, code 1, 2, 3, 9, 10 or 13) --> port is filtered
Port Scanning Techniques (cont’d)
• Some additional available scan techniques:
– -sA (TCP ACK scan)
» No open ports are discovered
» Does determine whether the firewall is stateful
» Unfiltered systems return a RST packet and are labeled unfiltered
» No response or ICMP errors are labeled filtered
– -sW (TCP window scan)
– -sO (IP protocol scan)
» Cycles through all of the IP protocols
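The response-to-state rules on the last three slides (SYN, UDP, NULL/FIN/Xmas and ACK scans) are easier to check when written as one classifier. This is an added example, not code from the slides or from nmap; it assumes each probe result is summarised as a `Reply` (what came back and, for ICMP, its type and code), and `"sS"`, `"sU"`, etc. name the scan switches.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the slides: the port-state rules the slides give for
# SYN, UDP, NULL/FIN/Xmas and ACK scans, written out as one classifier.
# Assumption: each probe result is summarised as a Reply (what came back and,
# for ICMP, its type and code); "sS"/"sU"/... name the nmap scan switches.

# ICMP destination-unreachable (type 3) codes that the slides map to "filtered"
FILTERED_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    kind: str                       # "synack", "rst", "udp", "icmp" or "none"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(scan: str, reply: Reply) -> str:
    """Return the nmap port state for one probe of the given scan type."""
    if reply.kind == "icmp" and reply.icmp_type == 3:
        if scan == "sU" and reply.icmp_code == 3:
            return "closed"         # port unreachable: host up, nothing listening
        if reply.icmp_code in FILTERED_CODES:
            return "filtered"       # a filter answered on the target's behalf
    # Any other reply (or silence) is handled per scan type below.
    if scan == "sS":                # half-open: SYN/ACK = open, RST = closed
        return {"synack": "open", "rst": "closed"}.get(reply.kind, "filtered")
    if scan == "sU":
        return "open" if reply.kind == "udp" else "open|filtered"
    if scan in ("sN", "sF", "sX"):  # only an RST is conclusive for these
        return "closed" if reply.kind == "rst" else "open|filtered"
    if scan == "sA":                # ACK scan never says "open"; it maps filtering
        return "unfiltered" if reply.kind == "rst" else "filtered"
    raise ValueError(f"unsupported scan type: {scan!r}")


def summarize(scan: str, replies: dict) -> dict:
    """Classify a whole port -> Reply map, e.g. the result of one scan pass."""
    return {port: classify(scan, r) for port, r in sorted(replies.items())}


if __name__ == "__main__":
    # Constructed sample: a FIN scan where only 22/tcp sent an RST back.
    sample = {22: Reply("rst"), 80: Reply("none"), 443: Reply("icmp", 3, 13)}
    print(summarize("sF", sample))
```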
Service and Version Detection
• Probes discovered ports
• nmap-service-probes contains the probes used to query services
– -sV (Version detection)
OS Detection
• Uses TCP and UDP scans
• Compares to the nmap-os-fingerprints database
– -O (Enable OS detection)
– -A (Enable both OS and version detection)
Output
• Piles of output
• Learn perl and grep
• Many formats
– -oN <filespec> (Normal output)
– -oX <filespec> (XML output)
– -v (Increase verbosity level)
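The "learn perl and grep" advice is about turning the piles of output into something reviewable; the XML format (-oX) is the one meant for that. This added example (not from the slides or nmap) parses two -oX runs and reports ports that became open or stopped being open, the network-inventory use listed earlier. The XML is constructed by hand to mirror the scanme.nmap.org ports in the example scan and is not real captured output.

```python
import xml.etree.ElementTree as ET

# Added example, not from the slides: read nmap's -oX (XML) output and diff
# two runs, the "network inventory" / "upgrade schedule" use the slides list.
# The XML below is constructed by hand to mirror the scanme.nmap.org ports in
# the example scan; it is not real captured nmap output.

BASELINE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 scanme.nmap.org">
 <host><address addr="205.217.153.62" addrtype="ipv4"/>
  <hostnames><hostname name="scanme.nmap.org"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="3.9p1"/></port>
   <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
   <port protocol="tcp" portid="70"><state state="closed"/><service name="gopher"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.0.52"/></port>
  </ports></host></nmaprun>"""

# A later run of the same host: 53/tcp no longer answers, 5900/tcp (VNC) is new.
TODAY = BASELINE.replace(
    '<port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>',
    '<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>')


def open_ports(xml_text: str) -> dict:
    """Map host address -> {(proto, port): service label} for open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        found = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                        # closed/filtered: not inventory
            svc = port.find("service")
            parts = () if svc is None else (svc.get("name"), svc.get("product"), svc.get("version"))
            found[(port.get("protocol"), int(port.get("portid")))] = " ".join(p for p in parts if p)
        result[addr] = found
    return result


def diff_runs(old_xml: str, new_xml: str) -> dict:
    """Per host: ports newly open and ports no longer open since the baseline."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    report = {}
    for addr in sorted(set(old) | set(new)):
        was, now = set(old.get(addr, {})), set(new.get(addr, {}))
        report[addr] = {"new": sorted(now - was), "gone": sorted(was - now)}
    return report


if __name__ == "__main__":
    for addr, change in diff_runs(BASELINE, TODAY).items():
        print(f"{addr}: newly open {change['new']}, no longer open {change['gone']}")
```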
Conclusion
• nmap
– Extremely powerful
– Extremely invasive
– Extremely obvious if you are not careful
– Extremely illegal if not done correctly