nmap(network mapping)

Information Networking Security and Assurance LabNational Chung Cheng University

1

Port Scanners

Information Networking Security and Assurance LabNational Chung Cheng University 2

Introduction

The first step in the process of hackingDiscover the servicesVersion labelOperation System

Send few packets to the host


Pre Study

TCP Packet Header


TCP conversation

Client Server

SYN

SYN/ACK

ACK

Connection Established

Client Server

FIN

ACK/FIN

ACK

Connection Closed

Connect Disconnect

Three-way handshake


TCP Flag Definitions

FlagSYN The beginning of a connection

ACK Acknowledge receipt of a previous packet or transmission

FIN Close a TCP connection

RST Abort a TCP connection


Scanning for Hosts

Is the host alive ?Method

Pingnmap –sP 192.168.0.1

TCP Pingnmap –sT 192.168.0.1


Scanning for TCP Ports

TCP connectnmap –sT 192.168.0.1

RPC servicenmap –sR 192.168.0.1


SYN Scan

Nmap sends to Host Port

Nmap receives from Host Port

Nmap Assumes

SYN SYN/ACK Port is openHost is up

SYN RST Port is closedHost is up

SYN Nothing Port is blocked by firewallOr Host is down

Nmap –sS <target host>


ACK Scan



Nmap Assumes

ACK RST Port is not firewall-protectPort may be open or closedHost is up

ACK Nothing or ICMP unreachable

Port is blocked by firewall if host is up

No firewall~

Protected by firewall~

Nmap –sA <target host>


FIN Scan

Connect



Nmap Assumes

FIN RST Port is closed Host is up

FIN Nothing Port is open if host is up and not firewall-protected

Nmap –sF <target host>


Xmas Scan

Non-normal TCP operationSet the flags FIN,URG,PUSHWith –sX

Nmap –sX <target host>


Null scan

Turn off all flags

With -sN

Nmap –sN <target host>


Scanning for UDP Ports



Nmap Assumes

Empty UDP packet

Nothing Port assumed open if host responds to Ping.Port may be closed if firewall blocking ICMP

Empty UDP packet

ICMP unreachable Port is closed

Nmap –sU <target host>


Scanning for Protocol

IP HeaderNmap –sO <target host>


DecoysFragmentation

Hiding Your Scan

(-D) (-r)(-f)

Nmap –sS –f <target host>

With –sS –sF –sN -sX

FTP Bounce

Nmap –b anonymous@<ftp server> –p <targer port> <target host>Nmap –D <spoof host> <target host>

Disable Randomizing Ports

Nmap –r <target host>


Timing Your Scan

Time-based algorithmUsing -T option

Nmap –T <name> <target host>name Probe

Response Timeout

Time Spent on One Host

Time between Probes

Use Parallelized Probes

Paranoid 5 min Unlimited 5 min No

Sneaky 15 sec Unlimited 12 sec NoPolite 6 sec Unlimited 0.4 sec NoNormal 6 sec Unlimited None NoAggressive 1 sec 5 min None YesInsane 0.3 sec 75 sec None Yes


TCP Reverse Ident Scanning

Who runs the process (-I)

Nmap –I <target host>


OS Fingerprinting

With –O flag

Sending specially TCP and UDP headers

Analyze the result and compare information

OS information


OS Detection on Linux

Nmap –O 192.168.0.1


Mapping Networks

Scanning a Class C subnet


Mapping Networks

Port scans in IP section


Scanning Tools on windows

NetscantoolsSuperscanIPEYEWUPS

nmap(network mapping)

Engineering