AppSec USA 2014 Denver, Colorado nmap 101 An introduction to the timeless network scanner

Page 1

AppSec USA 2014

Denver, Colorado

nmap 101

An introduction to the timeless network scanner

Page 2: Introduction

Jon Pettyjohn, [email protected]

Jon Pettyjohn is a cybersecurity professional at Aerstone with over ten (10) years of experience conducting penetration testing of networks and web applications. Mr. Pettyjohn started IT security testing in 2003 for Science Applications International Corporation (SAIC), now known as Leidos. During his time at SAIC, Mr. Pettyjohn was a member of a penetration test team that conducted over sixty-five (65) testing engagements a year for the Defense Department and the Federal Government. At Aerstone, Jon is a member of the security testing and Payment Card Industry assessment practice.

Page 3: Objectives

• To provide an introduction to nmap
• Learn basic network discovery/enumeration
• Cover other uses:
  – Service enumeration
  – OS detection
  – Slow or “Stealth” scanning
• Not covering installation and every option
• Hands-on practice!

Page 4: Background

• Free and Open Source
  – http://nmap.org/download.html
• Short for “Network Mapper”
• Written and maintained by
  – Gordon “Fyodor” Lyon
• First released in 1997
• Appeared in “The Matrix Reloaded”
• Still used today

Page 5: What is it?

• Nmap is a port scanner with lots of options
• Excellent tool for discovering “live” hosts and devices on a network
• Excellent tool for identifying available services on a host or device
• Very good tool for identifying the operating system of a host or device
• Good tool for identifying the type and version of available services on a host or device

Page 6: nmap and Pentesting

Phase          | Discovery | Enumeration         | VulnScanning                         | Pentesting
Collected Data | IPs       | IPs, Ports/Services | IPs, Ports/Services, Potential Vulns | IPs, Ports/Services, Confirmed Weaknesses
nmap           | covers the Discovery and Enumeration phases

Page 7: Basic Usage: Discovery

• Process of sending probes to solicit responses from active devices.
• AKA Network Recon, Ping Sweep
• Examples:

# nmap -sn 192.168.1.1-254
Basic ping sweep of 192.168.1.x (-sn: no port scanning). When scanning local networks, nmap uses ARP to determine live hosts.

# nmap -sn -PS21,22,80,443 192.168.1.1-254
(needs root) SYN ping: sends an empty SYN packet to common ports to attempt a 3-way handshake.

# nmap -Pn -p21,22,23,53,80,113,137,139,443,3389 192.168.1.1-254
No ping: skips nmap's normal discovery and attempts to connect to several TCP ports on every target in the target list.

Page 8: Basic Usage: Enumeration

• AKA “Port Scanning”
• The goal of enumeration is to identify the open ports, services, and OSs of the live targets found in the discovery phase.
• Root privileges are needed to run SYN and UDP scans.
• Examples:

# nmap -sS -iL <hostlist>
Default port scan (SYN) of the default ports in the nmap-services file, using either a host file or IPs as input.

# nmap -sS -p1-65535 -iL <hostlist>   (or -p-)
Scans all 65k TCP ports. “Dash p dash” is the equivalent of listing all 65k ports, minus port 0.

# nmap -sU -p1-65535 -iL <hostlist>   (or -p-)
Scans all 65k UDP ports.

Page 9: Basic Usage: Enumeration (cont.)

Some Common UDP Ports

Port | Service | Description
123  | NTP     | Network Time Protocol. Used for time synch.
161  | SNMP    | Simple Network Management Protocol. SNMP traps listen on UDP 161. Still widely used.
53   | DNS     | Domain Name Server. Used for name resolution.
111  | RPC     | Common UNIX port for sharing files over NFS (Network File System). Used for fingerprinting *NIX boxes.
69   | TFTP    | Trivial File Transfer Protocol. Less secure FTP. Doesn’t require credentials.

Page 10: Port Scan Output

Page 11: Port Scan Output Analysis

Understanding the results, focusing on the most common ports/services:

21/tcp    open  ftp           Likely an FTP server
25/tcp    open  smtp          Likely a mail server
80/tcp    open  http          Likely a web server
135/tcp   open  msrpc         Typically a Microsoft service
139/tcp   open  netbios-ssn   Typically a Microsoft service
445/tcp   open  microsoft-ds  Typically a Microsoft service
1433/tcp  open  ms-sql-s      Likely a SQL server

At this phase, none of the services have been verified, hence the terms “Likely” and “Typically”.

Page 12: OS and Version Identification

OS Detection
To identify the operating system of hosts, nmap compares the results of its probes to a database of OS fingerprints:

# nmap -O <host or hostlist>

Version Fingerprinting
A standard port scan produces only a best guess at the service running. Version detection compares responses against a database of protocol signatures to attempt to identify: application name (Apache, Solaris telnetd, etc.), version, device type, and OS family.

# nmap -sV -PN <host or hostlist>

Page 13: Stealth Scanning

• Targets protected by a firewall or filtering device may require adjusting the speed and throughput of the probes sent.
• Multiple source IPs may be used if security devices block the tester’s IPs.
• “Throttle” switches include T0-T5 (5 being the fastest, T3 being the default).
• The following nmap command may be used to execute a throttled-down discovery scan that sends 1 probe every 3 seconds:

nmap -sS -PN --top-ports 100 --max-rate .33 --max-parallelism 1 --max-retries 2 --max_rtt_timeout 500ms --max-hostgroup 1 <subnet>

Option                  | Description
--top-ports 100         | scan top 100 ports
--max-rate .33          | send a probe every 3 secs
--max-parallelism 1     | send 1 probe at a time
--max-hostgroup 1       | limit to one host at a time
--max_rtt_timeout 500ms | limit rtt timeout to 500 ms
--max-retries 2         | only retransmit twice

Page 14: Timing Settings

Page 15: NSE

• Nmap Scripting Engine – allows users to use or write scripts to automate a variety of tasks (vulnerability detection, backdoor detection, advanced version detection, exploitation)
• Typically located in: /<install location>/nmap/scripts/
• Information portal for all NSE scripts: http://nmap.org/nsedoc/
• Good for automating “manual” tasks such as:
  – Looking for default SNMP strings
  – Active Windows accounts
  – Brute-forcing popular services (mysql, ldap, wordpress, etc.)
• Example of the smb-brute NSE script:

Page 16: NSE Example

Page 17: Zenmap

• GUI version of nmap that works on Windows, Linux, Mac OS X, BSD, etc.
• Popular and common scan commands can be selected via menu.
• Different “views” of scan output.
• Saved scans can be compared to show differences.

Page 18: Zenmap Examples

Page 19: Other Useful Options

--help    Help! Sooo many options and configurations; we are only scratching the surface!

-v        Verbosity. Prints more information during a scan, such as timing, flags, protocol details, etc. The verbosity level can be given on the command line, or changed during a scan by hitting “v” (increase) or “V” (decrease).

-oN/-oX/-oG/-oA    Output. Different options for directing output to files, including:
          -oN  Normal, human-readable results
          -oX  XML, output for use in other programs or XML parsers
          -oG  Grepable (deprecated), easily searched using grep, awk, cut, etc.
          -oA  All, gives you normal, XML, and grepable file types.

--resume  Resume. Sometimes scans can take DAYS depending on timing options and number of targets. If a scan is stopped with Ctrl-C and normal/grepable output was selected, the scan can be resumed by:
          # nmap --resume <output filename>
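The deck reads scan output by eye; as an added example that is not part of the original deck, here is a small Python parser for nmap's grepable (-oG) output that pulls the live hosts out of a discovery scan (the list you would save and feed to the enumeration scan with -iL) and labels each open port with the “Likely”/“Typically” interpretations from the Port Scan Output Analysis slide. The sample scan output and its IPs are constructed for the lab range, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output for the lab range; not a real scan.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -n -oG scan.gnmap 10.0.0.10,15,18
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 445/closed/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (995)
Host: 10.0.0.15 ()\tStatus: Up
Host: 10.0.0.15 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.0.0.18 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""

# Interpretations from the Port Scan Output Analysis slide; anything else stays unverified.
LIKELY = {
    "ftp": "Likely an FTP server", "smtp": "Likely a mail server", "http": "Likely a web server",
    "msrpc": "Typically a Microsoft service", "netbios-ssn": "Typically a Microsoft service",
    "microsoft-ds": "Typically a Microsoft service", "ms-sql-s": "Likely a SQL server",
}

def parse_grepable(text):
    """Map each IP to {'up': bool, 'ports': [(port, proto, service), ...]}, open ports only.
    Each -oG port entry has 7 slash-separated fields: port/state/proto/owner/service/rpc/version."""
    hosts = defaultdict(lambda: {"up": False, "ports": []})
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \(.*?\)\t(.*)", line)
        if not m:  # skip "# Nmap ..." comment lines and anything unexpected
            continue
        ip, rest = m.groups()
        for field in rest.split("\t"):  # e.g. "Status: Up", "Ports: ...", "Ignored State: ..."
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["up"] = value.strip() == "Up"
            elif key == "Ports":
                for entry in value.split(","):
                    port, state, proto, _owner, service = entry.strip().split("/")[:5]
                    if state == "open":
                        hosts[ip]["ports"].append((int(port), proto, service))
    return dict(hosts)

def live_hosts(hosts):
    """Hosts reported Up: the list to save and pass to the enumeration scan with -iL."""
    return sorted(ip for ip, h in hosts.items() if h["up"])

def annotate(hosts):
    """Pair every open port with the slide's 'Likely'/'Typically' reading, per host."""
    return {ip: [(port, svc, LIKELY.get(svc, "Unverified service")) for port, _, svc in h["ports"]]
            for ip, h in hosts.items()}
```

Running `annotate(parse_grepable(SAMPLE_OG))` gives the per-host port list with its interpretation, and `live_hosts(...)` gives the two Up hosts; the labels remain guesses until -sV verifies them.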

Page 20: Hands-on Activity

Practice objectives:
• How many “active” devices?
• List 1 or more operating systems
• Find the hidden web application(s).
• Identify the “mystery” device.

Restrictions:
• Limit the network range to 10.0.0.1-100
• Port scan 1 host at a time
• Limit port scans to --top-ports 10000 (TCP) and --top-ports 100 (UDP)
• Use -n in all scans (skip DNS lookup)

Page 21: Answers

Live IP   | OS              | What’s Running
10.0.0.1  | WiFi Router     | Nothing special
10.0.0.10 | Win 2003 Server | FTP, SMTP, HTTP, MS-SQL, Web App on 4444
10.0.0.11 | CentOS 6.5      | SSH, MySQL, Web app on 80, TFTP (UDP)
10.0.0.15 | Win 2k          | MS NetBIOS ports 135, 139, 445
10.0.0.18 | CentOS 6.5      | SSH, Web App on port 80
10.0.0.50 | IP Cam          | Web Server/Cam feed on port 1984
10.0.0.88 | Win 8           | All Filtered
10.0.0.99 | CentOS 6.5      | SSH on port 1433 (needs -T2 to find)