NMAP and Metasploitable-II

Upload: mohammed-akbar-shariff

Post on 22-Jan-2018

28 pages

Page 1: Nmap and metasploitable

NMAP and Metasploitable-II

Page 2: Nmap and metasploitable

About Me

Mohammed Akbar Shariff

Cyber Sec Intern – WICS

Graduating M.Tech

www.linkedin.com/in/mohammed-akbar-shariff

@akbarshariffak

Page 3: Nmap and metasploitable

Agenda

• Basics of Network

• Metasploitable II

• Introduction to NMAP

• Port Status

• Scan Types

• Host Discovery

• OS Fingerprinting

• Nmap Scripting Engine

Page 4: Nmap and metasploitable

Basics of Networks

TCP Header

Page 5: Nmap and metasploitable

Three-way handshake…???

Page 6: Nmap and metasploitable

Page 7: Nmap and metasploitable

TCP three-way handshake

Page 8: Nmap and metasploitable

Metasploitable II

The Metasploitable virtual machine is an intentionally vulnerable Ubuntu Linux build designed for testing security tools and demonstrating common vulnerabilities. Because it is deliberately exposed, run it only on an isolated (host-only) network, never on one reachable from the internet.

Page 9: Nmap and metasploitable

What is NMAP?

• Network Mapper - utility used to discover hosts and services and map them across a network.

• https://github.com/nmap/nmap (release 7.50 was current when this talk was written; the project is 20 years old and still actively developed)

Page 10: Nmap and metasploitable

Why NMAP..??

• Perhaps I can just ping sweep?

• How do I know which IPs are alive?

• The search space is large: 65535 ports × 2 (TCP and UDP) × 254 hosts in a /24 (class C) network. A purpose-built scanner is needed to cover it efficiently.

Page 11: Nmap and metasploitable

Nmap Port Status

• OPEN

• CLOSED

• FILTERED

• OPEN|FILTERED

Page 12: Nmap and metasploitable

NMAP port “Status” - Open

• Open - the SYN reached the end system and the target answered with SYN+ACK. With -sT the connect() call then completes the handshake (with -sS Nmap would instead reply RST and never complete it).

nmap -n -sT -p 80 192.168.56.104

Page 13: Nmap and metasploitable

NMAP port “Status” - Closed

• Closed - the SYN reached the end system, which answered with RST+ACK. The host is reachable but no service is listening on that port.

nmap -n -sT -p 22 192.168.56.104

Page 14: Nmap and metasploitable

NMAP port “Status” - Filtered

• Filtered - no answer (or an ICMP unreachable error other than port unreachable) even after retransmissions, so Nmap cannot tell whether the port is open. This usually means a firewall or packet filter is dropping the probes. Filtered scans are slow because Nmap has to wait for each timeout.

nmap -n -sT -p 445 192.168.56.105

Page 15: Nmap and metasploitable

Scan Types

nmap [scan type] [options] <target>

Page 16: Nmap and metasploitable

NMAP Options

-iL <filename> : Read the list of targets from a file.

-iR <number of hosts> : Choose random targets; 0 means never stop. Ex: nmap -Pn -sS -p 80 -iR 0 --open (this scans random internet hosts indefinitely; only run it where you are authorized to).

-p <port ranges> : Scan only the specified ports; -p- scans all 65535.

Host Discovery

-sL (List Scan) : Simply lists each host of the network(s) specified, without sending probes.

-sn : No port scan, only host discovery (ping scan).

-Pn : Skip host discovery and treat every host as live.

-PS <portlist> : TCP SYN ping.

-PA <portlist> : TCP ACK ping.

-PU <portlist> : UDP ping.

-PE; -PP; -PM : ICMP echo, timestamp and netmask pings.

-n : No DNS resolution.

-R : DNS resolution for all targets.

Page 17: Nmap and metasploitable

Nmap Scan Types

• -sP / -sn (Ping Sweep) – Host discovery only. On the local LAN Nmap uses ARP requests; for remote targets it sends an ICMP echo request plus TCP SYN/ACK and ICMP timestamp probes to determine whether the system is alive.

• -sS (TCP SYN Scan) – Sends only a SYN and waits for SYN-ACK (open) or RST (closed); Nmap then tears the connection down with a RST, so the handshake is never completed ("half-open" scan). Needs raw-socket privileges (root).

• -sU (UDP Scan) – Sends a UDP probe. A UDP reply means open, an ICMP port unreachable means closed, any other ICMP unreachable means filtered, and no response is reported as open|filtered.

• -sT (TCP Connect Scan) – Completes the full handshake through the operating system's connect() system call; works without root but is noisier and leaves connection logs.

• -sN (Null scan) – Does not set any bits (TCP flag header is 0).

• -sF (FIN Scan) – Sets just the TCP FIN bit.

• -sX (Xmas scan) – Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Per RFC 793 the three stealth scans above get a RST from a closed port and no reply from an open one, so an unanswered probe is reported as open|filtered. Systems that reset every unexpected segment (Windows, many Cisco devices) show every port as closed.
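The port-state rules from the previous pages and the flag sets of the scan types above, worked through in code. This is an added example, not code from the slides or from Nmap: it builds and parses raw TCP headers with struct and classifies constructed responses, sending no packets. The scan-type names, the "icmp-unreach" marker and the `classify` function are the example's own conventions.

```python
"""Nmap port-state logic for -sS/-sT and the NULL/FIN/Xmas scans (added example).

Nothing is sent on the wire: responses are constructed TCP headers (or None for
"no reply"), so the classification rules can be exercised offline.
"""
import struct

# TCP flag bits, low byte of the 16-bit offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets on its probe (the -sT SYN is sent by the kernel's connect()).
PROBE_FLAGS = {
    "-sS": SYN,
    "-sT": SYN,
    "-sN": 0,                # NULL scan: no flags
    "-sF": FIN,              # FIN scan
    "-sX": FIN | PSH | URG,  # Xmas scan
}

# sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Serialise a minimal 20-byte TCP header (no options; checksum left at 0)."""
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of the offset byte
    return struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header from raw bytes into a dict."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "flags": flags, "window": win,
            "checksum": csum, "urgptr": urg}


def flag_names(flags):
    """Human-readable flag list, e.g. 'SYN|ACK' or 'NONE'."""
    table = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
    return "|".join(name for bit, name in table if flags & bit) or "NONE"


def classify(scan_type, response):
    """Map the reply to one probe onto an Nmap port state.

    response: TCP header bytes, the string "icmp-unreach" (ICMP unreachable other
    than port unreachable), or None when the retransmitted probes got no answer.
    """
    if scan_type not in PROBE_FLAGS:
        raise ValueError("unknown scan type " + scan_type)
    if response == "icmp-unreach":
        return "filtered"  # a filter admitted it is dropping the probe
    if scan_type in ("-sS", "-sT"):
        if response is None:
            return "filtered"  # silently dropped: firewall, slow scan
        flags = parse_tcp_header(response)["flags"]
        if flags & SYN and flags & ACK:
            return "open"      # -sS answers RST; -sT completes the handshake
        if flags & RST:
            return "closed"    # host reachable, nothing listening
        return "filtered"
    # NULL / FIN / Xmas: RFC 793 says a closed port resets, an open port ignores the probe.
    if response is None:
        return "open|filtered"
    if parse_tcp_header(response)["flags"] & RST:
        return "closed"        # note: Windows/Cisco reset everything, so all ports look closed
    return "open|filtered"


if __name__ == "__main__":
    # Constructed replies from a hypothetical target at TCP ports 80, 22 and 445.
    print("-sS  80:", classify("-sS", build_tcp_header(80, 40000, SYN | ACK)))
    print("-sT  22:", classify("-sT", build_tcp_header(22, 40000, RST | ACK)))
    print("-sS 445:", classify("-sS", None))
    print("-sX 445:", classify("-sX", None), "probe flags", flag_names(PROBE_FLAGS["-sX"]))
```

The helper mirrors what the slides describe for -sT (open, closed, filtered) and adds the open|filtered state that only the flag-less scans produce; running it shows why a silent port is ambiguous for -sX but decisive for -sS.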

Page 18: Nmap and metasploitable

OS Fingerprinting

• Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.

• Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.

-O (Enable OS detection)

Page 19: Nmap and metasploitable

Nmap – service version detection and enumeration!

• The nmap-services database maps port numbers to well-known service names (this is what a plain scan prints); the nmap-service-probes database holds the probes, match signatures and banners used to identify what is really listening.

• -sV - probes each open port against nmap-service-probes and additionally runs the NSE scripts in the "version" category (roughly 30 .nse files) to identify and enumerate the detected service.

• -sC – runs the NSE scripts in the "default" category (a couple of hundred .nse files) against the services found, reporting extra information and any vulnerabilities they detect. It is shorthand for --script=default; use the --script option to pick other scripts or categories.

Page 20: Nmap and metasploitable

Nmap service enumeration! The difference between the two in action:

Regular TCP scan

TCP scan with version detection

-sT + -sV = -sTV

Page 21: Nmap and metasploitable

Nmap Scripting Engine(NSE) –What and Why?

• Nmap Script Engine, written in Lua.

• Sophisticated Version detection and OS detection.

• Example: smb-os-discovery.nse , http-cisco-anyconnect.nse …

• Vulnerability detection.

• Example: tls-ticketbleed.nse, sslv2-drown.nse,..

• Malware detection.

• Example: http-google-malware.nse..

• Vulnerability Exploitation.

• Example: smb-psexec.nse,..

Page 22: Nmap and metasploitable

NSE – what? where?

• -sC and --script uses NSE. There is a default set launched when no option is given. https://nmap.org/nsedoc/categories/default.html

Page 23: Nmap and metasploitable

Nmap Enumeration technique

Notice how the service is not a shell, even though the banner shows a shell: a plain scan only reports the name nmap-services associates with the port number.

Page 24: Nmap and metasploitable

Nmap Enumeration technique

So you need to add -sV (here -sTV) to the scan to grab the actual version and service.

Page 25: Nmap and metasploitable

Nmap Output Formatting

Greppable (-oG): one line per host, convenient for grep and awk

Regular text (-oN): the same as the screen output

XML (-oX): structured output for tools and scripts (the most robust to parse)

-oA <basename> writes all three at once.
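Parsing the greppable format from the slide above, as an added example that is not part of the original deck or of Nmap. The sample -oG text is constructed here (the host, services and version strings are chosen to look like a Metasploitable 2 scan, not copied from a real run); `parse_gnmap` and `open_services` are this example's own helpers. The greppable format puts tab-separated "Key: value" fields on each "Host:" line; each entry in the Ports field is port/state/protocol/owner/service/rpc-info/version/.

```python
"""Parse Nmap greppable (-oG) output into Python structures (added example)."""
import re

# Constructed sample of a -sV -oG run; timestamps and results are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.50 scan initiated Mon Jan 22 10:00:00 2018 as: nmap -sV -oG scan.gnmap 192.168.56.104
Host: 192.168.56.104 ()\tStatus: Up
Host: 192.168.56.104 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done at Mon Jan 22 10:00:05 2018 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str|None, "ports": [dict, ...]}}.

    Caveat: the Ports field is split on ", " and "/", which is what the format
    uses as separators; Nmap rewrites "/" inside version strings, but if you
    need fully robust parsing use the XML output (-oX) instead.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer comment lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.group(1), match.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for spec in value.split(", "):
                    parts = spec.split("/")
                    if len(parts) < 7:
                        continue  # malformed entry; skip rather than crash on odd output
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return hosts


def open_services(hosts, ip):
    """List (port, service, version) for every open port on one host."""
    return [(p["port"], p["service"], p["version"])
            for p in hosts.get(ip, {"ports": []})["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    result = parse_gnmap(SAMPLE_GNMAP)
    for ip, info in result.items():
        print(ip, info["status"])
        for port, service, version in open_services(result, ip):
            print(f"  {port}/tcp {service:<14} {version}")
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; the same approach with awk (`-F'\t'` on the "Ports:" field) is what the greppable format was designed for.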

Page 26: Nmap and metasploitable

References

• https://www.nmap.org

• https://null.co.in/

• http://insecure.org/

Page 27: Nmap and metasploitable

QUESTIONS??

Page 28: Nmap and metasploitable

THANK YOU