nmap and metasploitable
TRANSCRIPT
NMAPand
Metasploitable-II
About Me
Mohammed Akbar Shariff
Cyber Sec Intern – WICS
Graduating M.tech
www.linkedin.com/in/mohammed-akbar-shariff
@akbarshariffak
Agenda
• Basics of Network
• Metasploitable II
• Introduction to NMAP
• Port Status
• Scan Types
• Host Discovery
• OS Fingerprinting
• Nmap Scripting Engine
Basics of Netwoks
TCP Header
Three way Handshake…???
TCP Three way handshake
Metasploitable II
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
What is NMAP?
• Network Mapper - Utility used to identify assets and map them in a network.
• https://github.com/nmap/nmap (Current release is 7.50, 20 year old project and active)
Why NMAP..??
• Perhaps I can ping sweep?
• How to know which IP’s are alive?
• There are only• 65535(PORTS) *2 (TCP &UDP)*24 ( if class C)
Nmap Port Status
• OPEN
• CLOSED
• FILTERED
• OPEN|FILTERED
NMAP port “Status” - Open
•Open - SYN reached the end system, victim responded with
SYN+ACK and Completes the handshake.
Nmap -n -sT -p 80 192.168.56.104
NMAP port “Status” - Closed
• Closed - SYN reached the end system, responded with RST+ACK. System is accessible and service is still not open on victim. Nmap -n -sT -p 22 192.168.56.104
NMAP port “Status” - Filtered
• Filtered – Observed when a port does not respond on repeated tries.
Nmap -n -sT -p 445 192.168.56.105
Scan Types
nmap <options><scan type> <target>
NMAP Options-iL <filename>: Pass a list of hosts.
-iR <number of Hosts>: Choose random targets.Ex: nmap -Pn -sS -p 80 -iR 0 --open
-p <port ranges> : Port scanning, Only scan specified ports…. -p-
Host Discovery
-sL (List Scan): Simply lists each host of the network(s) specified.
-sn : No port scan and only ping scan
-Pn : Skip ping scan and treat all host to be live
-PS <portlist> : TCP SYN Ping
-n : No DNS resolution
-R : DNS resolution for all targets
-PE; -PP; -PM : ICMP Ping Types.-PA <port list> : TCP ACK ping
-PU <port list> : UDP Ping
Nmap Scan Types
• -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine system is alive.
• -sS (TCP SYN Scan) – Determines a system/port being alive by sending only SYN and waiting for SYN-ACK
• -sU (UDP Scan) – Probes UDP detects system/port is alive when there is a UDP response + ICMP packet Destination unreachable.
• -sT (TCP Connect Scan): Performs connection establishment using system call “connect”
• -sN (Null scan): Does not set any bits (TCP flag header is 0).
• -sF (FIN Scan): Sets just the TCP FIN bit.
• -sX (Xmas scan): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
OS Fingerprinting• Nmap sends a series of TCP and UDP packets to the remote host and
examines practically every bit in the responses.
• Nmap compares the results to its nmap-os-db database of more than 2,600
known OS fingerprints and prints out the OS details if there is a match.
-O (Enable OS detection)
Nmap – service Version and Enumeration!
• Nmap-services database is constantly updated with services, finger printing and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine (.nse files) to identify and enumerate the service that has been detected earlier.
• -sC – runs “default” ~200 Nmap Script Engine (.nse files) to identify and enumerate the services and provide vulnerabilities identified. Optionally can use - -script option.
Nmap service Enumeration!• The Difference between the two in Action
TCP scan with Version
-sT + -sV = -sTV
Regular TCP scan
Nmap Scripting Engine(NSE) –What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated Version detection and OS detection.
• Example: smb-os-discovery.nse , http-cisco-anyconnect.nse …
• Vulnerability detection.
• Example: tls-ticketbleed.nse, sslv2-drown.nse,..
• Malware detection.
• Example: http-google-malware.nse..
• Vulnerability Exploitation.
• Example: smb-psexec.nse,..
NSE – what? where?
• -sC and --script uses NSE. There is a default set launched when no option is given. https://nmap.org/nsedoc/categories/default.html
Nmap Enumeration technique
Notice how the service is not shellEven though Banner shows Shell
Nmap Enumeration technique
So you need to use –sTV along for Version grab
Nmap Output Formatting
Greppable
Regular Text
XML
References
• https://www.nmap.org
• https://null.co.in/
• http://insecure.org/
QUESTIONS??
THANK YOU