network reconnaissance using nmap · • simple network mapper used for port scanning, network...
Post on 11-Aug-2020
16 Views
Preview:
TRANSCRIPT
1Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Network Reconnaissance using NMAP
Christopher Rodman
2Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Copyright 2019 Carnegie Mellon University. All Rights Reserved.
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
DM19-0596
3Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Agenda
Introduction to NMAP
• Target specification
• Output
• Scan Types
Defense evasion
Scan performance
Introduction to NSE Scripts
Hands-on lab (Network mapping with NMAP and xprobe)
4Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
IntroductionRecon using NMAP
5Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Overview
• Simple network mapper used for port scanning, network
discovery and vulnerability enumeration
• Basic syntax (nmap <target> -args)
• Help is your friend
• Complimentary tools include:
• Xprobe
• recon-ng
• Sparta
• Zenmap
• Nessus
Introduction to NMAP
6Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Target specification
• Single IP address or hostname
• IP address range*
• CIDR notation*
• Input file (-iL)
• Port Definition (-p)
• -p- scans all 65535
* exclude addresses using --exclude
Introduction to NMAP
7Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Output results
• Output interpretation
• Setting verbosity (-v)
• Setting debugging (-d)
• Output to file
• Text (-oN)
• XML (-oX)
• Grep (-oG)
• All three formats (-oA)
Introduction to NMAP
8Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Basic scan methods
• TCP SYN scan (-sS) – default scan method
• TCP Connect() (-sT) – method used if sS is not possible
• ACK (-sA)
• Window (-sW)
• Maimon (-sM)
• Ping sweep (-sn)
• Discovery scan (-Pn)
• Service scan (-sV)
• Operating System discovery (-O)
• UDP scanning (-sU)
Introduction to NMAP
9Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Recon example
• Ping sweep
• Discovery scan
• Service scan
• Operating System
Introduction to NMAP
10Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Defense EvasionRecon using NMAP
11Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Scan alteration
• Set timing (-T1 – 5)*
• 1 = paranoid, 5 = insane
• Default is 3
• Set packet header bits (--scan-flags)
• Set packet fragmentation (-f and specify MTU -mtu)
• Set target randomness (--randomize-hosts)
• Spoof MAC (--spoof-mac)
• Add decoy noise (-D)*
• TCP Idle scan (-sI)*
*timing templates primarily adjust values for RTT, retries and other timeout values
Defense Evasion
12Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Evasion example
• Disable ping scan
• Set timing
• Set random decoy
• Set randomness
* --data-string can be used to fill packets with garbage data or to include useful information
Defense Evasion
13Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Scan PerformanceRecon using NMAP
14Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Scan alteration
• Skip port scanning (-sn) if you only need to know if hosts are
online
• Limit number of ports being scanned (default is top 1000)
• Utilize Fast scan (-F) or --top-ports
• Skip advanced scans (-sC, -sV, -O, -A)
• Turn off DNS resolution if not needed (-n)
• Separate TCP and UDP scans
• Adjust timeouts and retries as desired*
• Parallelism (--min/max-parallelism)
• Retries (--min/max-retries)
• Host time (--host-timeout)
Scan Peformance
15Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Performance example
• Set timing
• Remove unnecessary DNS resolution
• Remove port scan
Defense Evasion
16Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
NSE (NMAP Scripting Engine)Recon using NMAP
17Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
NSE Scripts
• Script files located in /usr/share/nmap/scripts with .nse file
extension
• Syntax (-sC or --script)
• Script help (--script-help)
• Scripts are categorized
• Types
• Prerule
• Host
• Service
• Postrule
NSE Scripts
18Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Network scanning with NMAP
and xprobe
Hands-on Lab
19Network Reconnaissance with NMAP© 2018 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Hands-on lab
• https://stepfwd.cert.org
• Login credentials provided on entry
• Search for “X-Games 2019”
• Select “X-games 2019 training”
• Under Courses/Available
• Select Launch
top related