NMAP Basics
ISSA Pittsburgh, May 10, 2011
Source: pittsburgh.issa.org/Archives/ISSA_Pittsburgh-NMAP_Basics.pdf
About Your Presenter
• Matt Neely
• Manager of the Profiling Team at SecureState
• Areas of Interest: convergence of physical and logical security, lock and lock picking, and all things wireless
• Co-host on the Security Justice podcast
• Co-founder of the Cleveland Chapter of TOOOL
About Your Presenter
• Gary McCully
• Consultant at SecureState
• CISSP, Security+, Network+, MCP
• Web Application Security Assessments, Penetration Tests, Physical Penetration Tests, War Dialing
• Formerly worked for a Fortune 500 company
Quick Intro
• Started as a port scanner
• Released 1997
• Gordon “Fyodor” Lyon
• Free
• Windows, Linux, Unix, Mac OS
What is NMAP
Features
• Port Scanner
• Version Detection
• OS Detection
• NMAP Scripting Engine
What is NMAP
IP
• Internet Protocol
• It is the address of a machine
• IPv4 is most common (10.0.0.1)
• IPv6 is on the horizon (1:1:1:1:1:1:1:1)
Network Basics
IP
Network Basics
Diagram: a packet travels from 10.0.0.1 to 10.0.0.2 (FROM: 10.0.0.1, TO: 10.0.0.2)
ICMP
• Internet Control Message Protocol
• Mostly used for troubleshooting
• Not Typically Used to Exchange Data
Network Basics
ICMP (Ping)
Network Basics
Diagram: 10.0.0.1 asks 10.0.0.2 "Are you home?"
ICMP (Ping)
Network Basics
Diagram: 10.0.0.2 answers 10.0.0.1 "Yes, I am home"
ICMP (Ping)
Network Basics
ICMP Type 8 (Echo Request)
ICMP Type 0 (Echo Reply)
TCP
• Transmission Control Protocol
• Connection Oriented
• Reliable
Network Basics
TCP
Network Basics
Diagram: 10.0.0.1 and 10.0.0.2
TCP
Network Basics
Diagram: 10.0.0.1 sends 10.0.0.2 "Please sign for this letter"
Setting Up TCP Session
Network Basics
SYN
SYN, ACK
ACK
Tearing Down TCP Session
Network Basics
FIN/ACK
ACK
FIN/ACK
ACK
TCP
Network Basics
Source: http://learn-networking.com
UDP
• User Datagram Protocol
• Not Connection Oriented
• Not Reliable
Network Basics
UDP
Network Basics
Diagram: 10.0.0.1 and 10.0.0.2
Sending Data over UDP
Network Basics
Datagram
UDP
Network Basics
Source: http://learn-networking.com
Network Basics
Ports
• Ports are used to tell a server what service should read what incoming data
• Ports can either be TCP or UDP
• The standard mapping of port numbers with specific services is handled by IANA (Internet Assigned Numbers Authority)
Network Basics
Some Popular Ports
• TCP 21 (FTP) – Used for transferring files
• TCP 80 (HTTP) – Used to access Websites
• TCP 443 (HTTPS) – Used to access Websites using SSL
• TCP 3389 – Used for remote desktop
• UDP 123 – Used for time synchronization
Connecting to a Website
www.google.com (Web Browser forwards to port 80)
I understand your request here is the webpage
Network Basics
Web Server On Port 80
Basic Syntax
• nmap “Scan Type(s)” OPTIONS TARGETS
• Targets
– 10.0.0.1/16
– 10.0.1-255.1-255
– 10.0.0.1 10.0.0.2 10.0.0.3
– Can pull from a file
NMAP Basics
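The three target forms on this slide (CIDR, per-octet ranges, a plain list, plus "pull from a file") decide how many hosts a scan touches before a single packet leaves. As an added example (not code from the slides or from Nmap itself), this Python expander implements those forms so you can count the addresses a spec covers; the file contents and the function names are constructed for illustration.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses."""
import ipaddress
import itertools
from typing import Iterator, List

# Constructed stand-in for a target file (the kind nmap reads with -iL):
# whitespace-separated specs in any of the forms accepted on the command line.
SAMPLE_TARGET_FILE = """
192.168.10.13
192.168.10.20-21
"""


def _octet_values(field: str) -> List[int]:
    """Expand one dotted-quad field: '5' -> [5], '1-3' -> [1, 2, 3], '*' -> 0..255."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 0      # '-5' means 0-5
            hi_i = int(hi) if hi else 255    # '250-' means 250-255
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one target spec from the slides."""
    if "/" in spec:
        # CIDR form: 10.0.0.1/16 means the whole 10.0.0.0/16 block, so the
        # host bits of the address given are ignored (strict=False).
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    # Octet-range form (10.0.1-255.1-255): the cartesian product of each field.
    for combo in itertools.product(*(_octet_values(f) for f in fields)):
        yield ".".join(str(n) for n in combo)


def expand_targets(specs: List[str]) -> List[str]:
    """Expand a list of specs, as typed on the command line."""
    addresses: List[str] = []
    for spec in specs:
        addresses.extend(expand_target(spec))
    return addresses


def targets_from_file_text(text: str) -> List[str]:
    """Split the contents of a target file into specs (whitespace-separated)."""
    return text.split()


if __name__ == "__main__":
    for spec in ["10.0.0.1/16", "10.0.1-255.1-255", "192.168.17.130-135"]:
        print(f"{spec:24} -> {len(expand_targets([spec]))} addresses")
    print(expand_targets(targets_from_file_text(SAMPLE_TARGET_FILE)))
```

Note that 10.0.0.1/16 and 10.0.1-255.1-255 are not the same set: the CIDR form also covers the .0 and .255 octets, which is why the counts differ.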
What is Host Discovery?
• Is Host Alive?
• By Default, First Step in Scanning
• Uses TCP, UDP and ICMP
Host Discovery
-PS Switch
• -PS (TCP SYN Ping)
• Just see if Host is Online
• Host online determined by response to SYN
• Syntax: nmap 192.168.17.130-135
• Syntax: nmap -PS8080 192.168.17.130-135
Host Discovery
TCP SYN to 80: Host Online
Diagram: SYN to port 80 -> SYN/ACK (Open Port) -> RST
Host Discovery
TCP SYN to 80: Host Online
Diagram: SYN to port 80 -> RST (Closed Port)
Host Discovery
TCP SYN to 80
Diagram: SYN to port 80 (no reply shown)
Host Discovery
-PS Switch
• Advantages:
– Looks just like normal TCP traffic
– Reliable for finding open ports
• Disadvantage
– Many Firewalls are configured to drop SYN packets destined for closed ports
Host Discovery
-PA Switch
• -PA (TCP ACK Ping)
• Just see if Host is Online
• Host online determined by response to ACK
• Syntax: nmap -PA8080 192.168.17.130-135
Host Discovery
-PA Switch (Important Note)
• A port will respond with RST
• RST is the response of a closed port
• RST is the response to an out-of-band ACK
• Basically tells which ports are not blocked
Host Discovery
-PA Switch
• Advantages:
– When firewalls are configured to drop SYN packets they may allow ACK packets
• Disadvantage
– If not responding to a SYN packet, many firewalls will block this traffic because it's viewed as invalid
Host Discovery
-sP Switch (NMAP Default)
• -sP (Ping Scan)
• Just see if Host is Online
• Default (ICMP and TCP to port 80)
• Syntax: nmap -sP 192.168.17.130-135
Host Discovery
-sP Switch
• Advantages:
– Quick
• Disadvantage
– May miss machines which are online
Host Discovery
-sL Switch
• -sL (List Scan)
• Simply Lists Targets to Scan
• No packets are sent to the hosts
• By default, DNS still resolves names
• Syntax: nmap -sL 192.168.17.130-135
Host Discovery
-sL Switch
• Advantage:
– Nice Sanity Check
• Disadvantage:
– Never checks to see if the host is online
Host Discovery
-PN Switch
• -PN (Skips Host Discovery Phase)
• Performs other scanning steps without determining if host is online
• Takes Longer
• Scans Hosts that may be otherwise missed
Host Discovery
-PN Switch
• Advantages:
– Port scans machines which host discovery would have missed
• Disadvantage
– Can take a very long time
Host Discovery
Host Discovery Lab
Connect to “Lab_Network”
192.168.10.2
Username: lab
Password: lab
Host Discovery Lab
nmap -PS25-30 192.168.10.10-20 (TCP SYN)
nmap -PA135,445 192.168.10.10-20 (TCP ACK)
nmap -sP 192.168.10.10-20 (Default Option)
nmap -sL 192.168.10.1/24 (nmap list scan)
nmap -PN 192.168.10.13 (No Host Discovery)
Host Discovery Lab
What is Port Scanning?
• What ports are open
• The more ports, the higher the attack surface
• Quickly identify high risk services
Port Scanning
-sS Switch (NMAP Default)
• -sS (SYN Scan)
• Find what ports are open based on response to TCP SYN flag
• Ports are open, closed, or filtered
• Syntax: nmap -sS 192.168.17.130-135
• Syntax: nmap -sS -p21 192.168.17.130-135
Port Scanning
TCP SYN to 80: Port Open
Diagram: SYN to port 80 -> SYN/ACK -> RST
Port Scanning
TCP SYN to 80: Port Closed
Diagram: SYN to port 80 -> RST
Port Scanning
TCP SYN to 80: Port Filtered
Diagram: SYN to port 80 (no reply)
Port Scanning
-sS Switch
• Advantages:
– Looks just like normal TCP traffic
– Reliable for finding open ports
• Disadvantage:
– Many Firewalls are configured to drop SYN packets destined for closed ports
Port Scanning
-sA Switch
• -sA (TCP ACK Scan)
• Find what ports are not filtered based on response to TCP ACK flag
• Ports are unfiltered, or filtered
• Syntax: nmap -sA 192.168.17.130-135
• Syntax: nmap -sA -p21 192.168.17.130-135
Port Scanning
TCP ACK to 80: Port Unfiltered
Diagram: ACK to port 80 -> RST
Port Scanning
TCP ACK to 80: Port Filtered
Diagram: ACK to port 80 (no reply)
Port Scanning
-sA Switch
• Advantages:
– When firewalls are configured to drop SYN packets they may allow ACK packets.
– Lets you know what ports are blocked by a firewall.
• Disadvantage:
– If not responding to a SYN packet, many firewalls will block this traffic because it's viewed as invalid.
Port Scanning
TCP Port Scanning Lab
nmap -sS -p1-100 192.168.10.10-20 (SYN Scan 1-100)
nmap -sS -p135,445 192.168.10.10-20 (SYN Scan 135,445)
nmap -sS 192.168.10.10-20 (Default)
nmap -sA 192.168.10.1/24 (ACK Scan)
nmap -sA -p1-100 192.168.10.10-20 (ACK Scan 1-100)
Port Scanning Lab
-sU Switch
• -sU (UDP Scan)
• Slow compared to TCP Based Scans
• Find what ports are open, open|filtered, closed or filtered
• Syntax: nmap -sU 192.168.17.130-135
• Syntax: nmap -sU -p161 192.168.17.130-135
Port Scanning
-sUV Switch
• -sUV (UDP Version Detection Scan)
• Higher Success rate of finding open ports
• Identifies versions of software through database of valid UDP probes
• In some cases, can take longer than -sU
Port Scanning
UDP to 161: Port Open
Diagram: UDP probe to port 161 -> service responds
Port Scanning
UDP to 161: Port Open|Filtered
Diagram: UDP probe to port 161 -> no response
Port Scanning
UDP to 161: Port Closed
Diagram: UDP probe to port 161 -> ICMP port unreachable error (Type 3, code 3)
Port Scanning
UDP to 161: Port Filtered
Diagram: UDP probe to port 161 -> other ICMP unreachable error (Type 3, code 1, 2, 9, 10, or 13)
Port Scanning
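The four UDP outcomes above, together with the SYN scan, ACK scan and host discovery diagrams earlier in the deck, reduce to a handful of decision rules. As an added example (not code from the slides or from Nmap), this Python encodes those rules and replays a constructed set of replies through them; the sample capture, the Response type and the function names are made up for illustration.

```python
"""Map probe/response pairs to the port states drawn on the scan slides."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# ICMP destination-unreachable (type 3) codes, as the UDP scan slides use them.
ICMP_UNREACHABLE = 3
ICMP_PORT_UNREACHABLE_CODE = 3               # closed port
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}      # other unreachables: filtered


@dataclass(frozen=True)
class Response:
    """One reply to one probe. kind is 'tcp', 'udp', 'icmp' or None for silence."""
    kind: Optional[str]
    tcp_flags: str = ""      # e.g. "SA" for SYN/ACK, "R" for RST
    icmp_type: int = -1
    icmp_code: int = -1


NO_RESPONSE = Response(kind=None)


def syn_scan_state(resp: Response) -> str:
    """-sS: SYN/ACK -> open, RST -> closed, anything else (silence) -> filtered."""
    if resp.kind == "tcp":
        if "S" in resp.tcp_flags and "A" in resp.tcp_flags:
            return "open"
        if "R" in resp.tcp_flags:
            return "closed"
    return "filtered"


def ack_scan_state(resp: Response) -> str:
    """-sA: a RST proves the ACK reached the host (unfiltered); silence -> filtered."""
    if resp.kind == "tcp" and "R" in resp.tcp_flags:
        return "unfiltered"
    return "filtered"


def udp_scan_state(resp: Response) -> str:
    """-sU: service data -> open, ICMP 3/3 -> closed, other ICMP 3/x -> filtered,
    silence -> open|filtered (the probe may have been dropped or just ignored)."""
    if resp.kind == "udp":
        return "open"
    if resp.kind == "icmp" and resp.icmp_type == ICMP_UNREACHABLE:
        if resp.icmp_code == ICMP_PORT_UNREACHABLE_CODE:
            return "closed"
        if resp.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    return "open|filtered"


def host_is_up(resp: Response) -> bool:
    """-PS / -PA host discovery: any TCP reply, SYN/ACK or RST, marks the host up."""
    return resp.kind == "tcp" and bool(resp.tcp_flags)


CLASSIFIERS: Dict[str, Callable[[Response], str]] = {
    "syn": syn_scan_state,
    "ack": ack_scan_state,
    "udp": udp_scan_state,
}


def classify_capture(scan: str, capture: List[Tuple[int, Response]]) -> Dict[int, str]:
    """Replay a list of (port, response) pairs through the chosen scan's rules."""
    classify = CLASSIFIERS[scan]
    return {port: classify(resp) for port, resp in capture}


# Constructed sample: replies to a -sU probe of ports 53, 123, 161 and 500.
SAMPLE_UDP_CAPTURE: List[Tuple[int, Response]] = [
    (53, Response(kind="udp")),                                   # DNS answered
    (123, NO_RESPONSE),                                           # nothing back
    (161, Response(kind="icmp", icmp_type=3, icmp_code=3)),       # port unreachable
    (500, Response(kind="icmp", icmp_type=3, icmp_code=13)),      # admin prohibited
]

if __name__ == "__main__":
    for port, state in classify_capture("udp", SAMPLE_UDP_CAPTURE).items():
        print(f"udp/{port}: {state}")
```

The "open|filtered" branch is why -sU is slow and why -sUV (which sends real service probes) finds more open ports: silence alone cannot distinguish a dropped probe from an ignored one.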
-sU Switch
• Advantage:
– Faster than -sUV
• Disadvantage:
– No Version Information
Port Scanning
-sUV Switch
• Advantages:
– Provides specific version information
– Identifies more open ports
• Disadvantage:
– Slower than -sU switch
Port Scanning
UDP Port Scanning Lab
nmap -sU -p53,123,161 192.168.10.10-20 (UDP Scan)
nmap -sUV -p53,123,161 192.168.10.10-20 (UDP Service Detection Scan)
nmap -sU -p50-55 192.168.10.10-20 (UDP Scan 50-55)
nmap -sUV -p50-55 192.168.10.10-20 (UDP Service Detection Scan 50-55)
Port Scanning Lab
What is Operating System Detection?
• Identifies what operating system is running
• Does this by sending up to 15 TCP, UDP, and ICMP probes
Operating System Detection
What is Operating System Detection?
• Matches packet attributes with a database of packet attributes it has already identified.
• Syntax: nmap -O 192.168.17.135
Operating System Detection
15 TCP, UDP, ICMP
Misc Responses
Operating System Detection
Attributes of response data compared to database of attributes
Operating System Detection
Example: integrity of returned UDP data (the RUD test). The U1 probe sends a UDP datagram carrying 300 'C' bytes to a closed port; the ICMP port-unreachable reply quotes the original datagram. If the 300 'C's come back intact the test records G, otherwise I (invalid). Stacks that mangle the quoted payload give themselves away here.
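The matching described on the slides above, as an added example that is not part of the original deck or of Nmap's source: a Python model that builds the ICMP port-unreachable reply to the U1 probe, extracts a subset of the U1 attributes Nmap records (R, DF, T, IPL, UN, RIPL, RID, RUD) and scores them against a tiny fingerprint database written in nmap-os-db syntax. The fingerprints, addresses and replies are constructed for the demo; real Nmap records far more attributes across its 16 probes, weights each one and corrects the TTL for hop distance.

```python
"""Model of Nmap OS-fingerprint matching for the U1 probe (added example, not Nmap code).
The U1 probe is a UDP datagram with 300 'C' bytes and IP ID 0x1042 sent to a closed port;
the ICMP port-unreachable reply quotes it, and Nmap records how faithfully."""
import re
import struct

U1_PAYLOAD = b"C" * 300
U1_IPID = 0x1042
IPV4_HDR = "!BBHHHBBH4s4s"                                   # 20-byte header, no options
SCANNER, TARGET = bytes([192, 168, 10, 1]), bytes([192, 168, 10, 16])   # placeholder addresses


def build_port_unreachable(ttl=64, df=False, quote=None, data=U1_PAYLOAD):
    """Construct the IPv4 + ICMP type 3/code 3 reply a host would send for the U1 probe.
    quote=None quotes the whole datagram; quote=8 mimics a stack that returns only the
    8-byte UDP header (the RFC 792 minimum).  Checksums are left at zero for the demo."""
    udp = struct.pack("!HHHH", 40000, 40000, 8 + len(data), 0) + data
    inner_ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(udp), U1_IPID, 0, 64, 17, 0, SCANNER, TARGET)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + (udp if quote is None else udp[:quote])
    flags = 0x4000 if df else 0
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(icmp), 0, flags, ttl, 1, 0, TARGET, SCANNER) + icmp


def u1_attributes(reply):
    """Extract a subset of Nmap's U1 test attributes from a raw reply (None = no reply)."""
    if reply is None:
        return {"R": "N"}
    vihl, _, total_len, _, flags_frag, ttl, proto, _, _, _ = struct.unpack(IPV4_HDR, reply[:20])
    ihl = (vihl & 0x0F) * 4
    icmp_type, icmp_code, _, unused = struct.unpack("!BBHI", reply[ihl:ihl + 8])
    if proto != 1 or (icmp_type, icmp_code) != (3, 3):
        return {"R": "N"}
    inner = reply[ihl + 8:]
    _, _, ret_len, ret_id, *_ = struct.unpack(IPV4_HDR, inner[:20])
    data = inner[28:]                                    # whatever follows the quoted IP + UDP headers
    return {
        "R": "Y",
        "DF": "Y" if flags_frag & 0x4000 else "N",
        "T": f"{ttl:X}",                                 # simplified: raw TTL, Nmap corrects for hop count
        "IPL": f"{total_len:X}",                         # total length of the ICMP reply
        "UN": f"{unused:X}",                             # the 'unused' ICMP field, normally 0
        "RIPL": "G" if ret_len == 20 + 8 + 300 else f"{ret_len:X}",   # quoted IP total length intact?
        "RID": "G" if ret_id == U1_IPID else f"{ret_id:X}",           # quoted IP ID intact?
        # RUD: the 300 'C's back unchanged is G; Nmap's definition also records G when the
        # quote is cut to nothing, and I (invalid) when bytes that did come back were altered.
        "RUD": "G" if data in (U1_PAYLOAD, b"") else "I",
    }


DEMO_OS_DB = """\
# Constructed for this example; illustrative values, not real Nmap fingerprints.
Fingerprint Demo OS Alpha (quotes the whole datagram, TTL 64)
U1(R=Y%DF=N%T=3B-45%IPL=164%UN=0%RIPL=G%RID=G%RUD=G)
Fingerprint Demo OS Beta (quotes only the UDP header, TTL 128)
U1(R=Y%DF=N%T=7B-85%IPL=38%UN=0%RIPL=G%RID=G%RUD=G)
Fingerprint Demo filtered host (no ICMP error at all)
U1(R=N)
"""


def parse_os_db(text):
    """Parse 'Fingerprint NAME' blocks followed by TEST(ATTR=VAL%ATTR=VAL) lines."""
    db, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            current = {"name": line[len("Fingerprint "):], "tests": {}}
            db.append(current)
        elif current is not None and (m := re.fullmatch(r"(\w+)\((.*)\)", line)):
            current["tests"][m.group(1)] = dict(kv.split("=", 1) for kv in m.group(2).split("%"))
    return db


def value_matches(expr, observed):
    """nmap-os-db value syntax: A|B alternatives, hex ranges LO-HI, and >X / <X comparisons."""
    for alt in expr.split("|"):
        if alt == observed:
            return True
        try:
            num = int(observed, 16)
            if alt[:1] == ">" and num > int(alt[1:], 16):
                return True
            if alt[:1] == "<" and num < int(alt[1:], 16):
                return True
            if "-" in alt and int(alt.split("-")[0], 16) <= num <= int(alt.split("-")[1], 16):
                return True
        except ValueError:
            pass                                         # symbolic values like 'G' only match literally
    return False


def score(fingerprint, observed):
    """Fraction of attributes present in both fingerprint and observation that match."""
    matched = total = 0
    for test, attrs in fingerprint["tests"].items():
        obs = observed.get(test, {})
        for attr, expr in attrs.items():
            if attr in obs:
                total += 1
                matched += value_matches(expr, obs[attr])
    return matched / total if total else 0.0


def best_match(db, observed):
    """(score, name) of the best fingerprint for an observation dict {test_name: attributes}."""
    return max((score(fp, observed), fp["name"]) for fp in db)


if __name__ == "__main__":
    db = parse_os_db(DEMO_OS_DB)
    for reply in (build_port_unreachable(), build_port_unreachable(ttl=128, quote=8), None):
        print(u1_attributes(reply), best_match(db, {"U1": u1_attributes(reply)}))
```

A reply that quotes the whole datagram scores 8/8 against "Demo OS Alpha"; one that truncates the quote and arrives with TTL 128 moves to "Demo OS Beta"; a mangled payload drops Alpha to 7/8 because only RUD fails; and no reply at all matches the R=N fingerprint, which is why a silent host still contributes to the guess.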
Service Detection
What Service Version is Behind a Port?
• Sends the probes from nmap-service-probes to each open port and matches the responses (banners, protocol replies) against signature rules to report the service name, product and version, and sometimes hostname, device type or OS.
• Caveats: it is noisier and slower than a plain port scan, since an open port may receive several probes; --version-intensity 0-9 trades coverage for speed, and --version-all tries every probe.
• Syntax: nmap -sV 192.168.130.130-135
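An added example, not from the original deck or from Nmap, of what -sV does with a response: a small parser for match rules in nmap-service-probes syntax (service name, an m|regex| pattern, and p/product/ v/version/ i/info/ h/hostname/ fields in which $1, $2 ... refer to capture groups) and a matcher that applies them to banners. The probe lines and banners below are constructed for the demo rather than copied from Nmap's database, and matching runs against canned bytes instead of live sockets.

```python
"""Model of Nmap version detection (added example, not Nmap code): parse match rules
written in nmap-service-probes syntax and apply them to constructed banners."""
import re

DEMO_PROBES = r"""
# Constructed for this example in nmap-service-probes syntax; not the real database.
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 ProFTPD ([\w.]+) Server| p/ProFTPD/ v/$1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\n(?:[^\r\n]*\r\n)*?Server: Apache/([\d.]+)| p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\n(?:[^\r\n]*\r\n)*?Server: nginx/([\d.]+)| p/nginx/ v/$1/
"""

FIELDS = {"p": "product", "v": "version", "i": "info", "h": "hostname"}


def parse_probes(text):
    """Return [{name, proto, probestring, matches: [(service, regex, versioninfo)]}]."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, proto, name, q = line.split(" ", 3)
            # q|...| holds the bytes sent to the port, with \r\n style escapes
            raw = q[2:-1].encode().decode("unicode_escape").encode("latin-1")
            probes.append({"name": name, "proto": proto, "probestring": raw, "matches": []})
        elif line.startswith("match ") and probes:
            service, rest = line[len("match "):].split(" ", 1)
            delim = rest[1]                                   # m|regex| with any delimiter char
            end = rest.index(delim, 2)
            pattern, rest = rest[2:end], rest[end + 1:]
            flags = 0
            while rest and rest[0] in "is":                   # PCRE-style i / s flags after the pattern
                flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
                rest = rest[1:]
            info = dict(re.findall(r"\b([pvih])/([^/]*)/", rest))
            probes[-1]["matches"].append((service, re.compile(pattern.encode(), flags), info))
    return probes


def identify(probes, probe_name, response):
    """Apply the match rules of one probe to a response; expand $N with the capture groups."""
    for probe in probes:
        if probe["name"] != probe_name:
            continue
        for service, rx, info in probe["matches"]:
            m = rx.search(response)
            if not m:
                continue

            def expand(template):
                return re.sub(r"\$(\d+)",
                              lambda g: m.group(int(g.group(1))).decode(errors="replace"), template)

            return {"service": service, **{FIELDS[k]: expand(v) for k, v in info.items()}}
    return None            # Nmap would move on to the next probe, and finally report 'unknown'


# Constructed banners standing in for what the target ports returned.
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"
FTP_BANNER = b"220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.168.10.16]\r\n"
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\nDate: Tue, 10 May 2011 12:00:00 GMT\r\n"
              b"Server: Apache/2.2.14 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html>")
UNKNOWN = b"\x00\x01hello?\r\n"

if __name__ == "__main__":
    probes = parse_probes(DEMO_PROBES)
    print(identify(probes, "NULL", SSH_BANNER))
    print(identify(probes, "NULL", FTP_BANNER))
    print(identify(probes, "GetRequest", HTTP_REPLY))
    print(identify(probes, "NULL", UNKNOWN))
```

The NULL probe sends nothing and just reads whatever the service volunteers (SSH, FTP and SMTP announce themselves), while the GetRequest probe has to speak first; that ordering, cheap listening before sending protocol-specific data, is why a higher --version-intensity costs more packets and more noise.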
OS Identification and Service Detection Lab
nmap -O 192.168.10.16 (OS Identification)
nmap -O 192.168.10.13 (OS Identification)
nmap -sV 192.168.10.16 (Service Identification)
nmap -sV 192.168.10.13 (Service Identification)
nmap -sV -p1-100 192.168.10.13 (Service Identification, Ports 1-100)
NMAP Scripting Engine
-sC Switch
• NSE lets users write and share Lua scripts that automate network tasks: discovery, version detection, vulnerability detection, brute forcing and more
• -sC runs the default script set (the same as --script default)
• Only run scripts against systems you are authorized to test: some scripts, including some in the default set, are intrusive
• Syntax: nmap -sC 192.168.17.130-135
• Syntax: nmap --script ftp-anon.nse 192.168.17.130-135
NMAP Scripting Engine
Other NSE Scripts
• smb-check-vulns.nse (checks for several SMB vulnerabilities; some of its checks are intrusive and can crash a vulnerable host, and later Nmap releases replaced it with the individual smb-vuln-* scripts)
• smbv2-enabled.nse (reports whether the host speaks SMBv2)
• sslv2.nse (reports whether a service still accepts SSLv2)
• ssl-enum-ciphers.nse (lists the cipher suites a TLS service offers)
• ftp-anon.nse (tries an anonymous FTP login)
• snmp-brute.nse (guesses SNMP community strings from a wordlist; run it with -sU -p161)
NMAP Scripting Engine Lab
nmap -sC 192.168.10.16 (Default Scripts)
nmap --script ftp-anon.nse 192.168.10.10-20 (Anonymous FTP)
nmap --script smb-check-vulns.nse 192.168.10.10-20 (SMB Vulns)
nmap -sU -p53,123,161 -sC 192.168.10.10-20 (UDP Default Scripts)
nmap -sU -p53,123,161 --script snmp-brute.nse 192.168.10.10-20 (SNMP Community Strings)
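The idea behind the snmp-brute command in the lab above, as an added example that is neither the deck's nor Nmap's code: an SNMPv1 agent answers a GetRequest only when the community string is valid and silently drops anything else, so guessing communities is "send one GetRequest per candidate and see which ones get a GetResponse". The packets are built and parsed by hand in BER so the structure is visible. The agent, its community strings and the wordlist are constructed in-process for the demo; the real script sends the same kind of requests over UDP/161, many at a time, and correlates the replies.

```python
"""Model of snmp-brute (added example, not Nmap code): SNMPv1 GetRequest/GetResponse in
hand-rolled BER, a constructed stub agent, and the brute-force loop that uses them."""
import struct

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"                      # sysDescr.0, a harmless read-only OID
SYS_DESCR_VALUE = b"Demo Router OS 1.0 (constructed)"  # what the stub agent answers with


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    return b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack("!H", n)


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    """Non-negative INTEGER in minimal two's complement (leading 0x00 when bit 7 is set)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:                                        # base-128, high bit = more to come
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get(community, oid, request_id):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU [0] }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                       # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def ber_read(buf, pos=0):
    """(tag, value, next_pos) of the TLV at pos; short and long length forms."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def ber_children(value):
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_read(value, pos)
        items.append((tag, val))
    return items


def parse_snmp(packet):
    """Decode an SNMPv1 message into a dict; ValueError/IndexError on anything malformed."""
    tag, msg, _ = ber_read(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (vt, ver), (ct, comm), (pt, pdu) = ber_children(msg)
    if (vt, ct) != (0x02, 0x04):
        raise ValueError("bad message header")
    (_, rid), (_, err), (_, _idx), (_, vbl) = ber_children(pdu)
    varbinds = [tuple(v for _, v in ber_children(vb)) for _, vb in ber_children(vbl)]
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(errors="replace"),
            "pdu_tag": pt, "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}


def fake_agent(packet, communities=("public", "s3cret")):
    """Constructed stand-in for a device: replies only to a known community, else drops (None)."""
    try:
        req = parse_snmp(packet)
    except (ValueError, IndexError):
        return None
    if req["version"] != 0 or req["pdu_tag"] != 0xA0 or req["community"] not in communities:
        return None
    varbind = tlv(0x30, tlv(0x06, req["varbinds"][0][0]) + tlv(0x04, SYS_DESCR_VALUE))
    pdu = tlv(0xA2, ber_int(req["request_id"]) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, req["community"].encode()) + pdu)


def brute_communities(send, wordlist, first_id=1000):
    """Try every candidate once.  Only a GetResponse that echoes our request-id counts, so a
    late or spoofed reply cannot mark a wrong community as valid.  Returns [(community, sysDescr)]."""
    found = []
    for n, candidate in enumerate(wordlist):
        rid = first_id + n
        reply = send(snmp_get(candidate, SYS_DESCR_0, rid))
        if reply is None:
            continue
        try:
            resp = parse_snmp(reply)
        except (ValueError, IndexError):
            continue
        if resp["pdu_tag"] == 0xA2 and resp["request_id"] == rid and resp["error_status"] == 0:
            found.append((candidate, resp["varbinds"][0][1].decode(errors="replace")))
    return found


if __name__ == "__main__":
    print(brute_communities(fake_agent, ["private", "public", "admin", "cisco", "s3cret"]))
```

Two details carry over to real scans: the request-id check is what keeps stray UDP replies from producing false positives, and reading sysDescr.0 rather than writing anything is what keeps the brute force read-only even when it lands on a read-write community.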
Thank you for your time!
Questions & Answers
Matt Neely, Gary McCully