Notes

Scanning Goals

Looking for specific systems and applications to target

  • What hosts are up and what are they? What systems, what devices?

  • Finding live hosts

    • ICMP and/or TCP/UDP network scans

  • Finding open ports on live hosts

    • TCP/UDP port scans

  • Gather information about firewalls and IDS/IPS

    • Examining results and output from scanning tools

Finding Live Hosts

ICMP - Internet Control Message Protocol

  • layer 4 - carried over IP at layer 3

  • Health and maintenance protocol

  • Not intended to carry user data, just system messages

Ping is the most directly used ICMP command

Ping Sweep

Scanning method using ICMP to look for live hosts across the entire network

  • Pros

    • Simple and can be effective first pass to enumerate live hosts

  • Cons

    • Noisy and can be obvious to system defenders

    • Many network security devices can block ICMP

    • Not all systems respond to an echo request

TCP/UDP Scanning

How do you find live hosts if ICMP is blocked? TCP/UDP

  • Pros

    • Can be more reliable and may be less noisy if you target specific well-known TCP/UDP ports

  • Cons

    • Can be slow, especially if you are testing a lot of TCP/UDP ports

NMAP is the most widely used tool!

NMAP

Nmap can potentially determine

  • The computers that are active on the target network,

  • Listening ports

  • What service is running on those ports (e.g. HTTP not on port 80)

  • Operating system

  • User credentials

NMAP Options

  • Scanning Options: What type of scan (TCP, ICMP, UDP, and other options)

  • Timing: How aggressive the scan should be; bandwidth and IPS are all factors

  • Targets: IP, network, or a list of targets with the -iL switch

  • Output Options: Formatting of results

NMAP does discovery with

  • an ICMP echo request,

  • a TCP SYN packet to port 443,

  • a TCP ACK packet to port 80,

  • and an ICMP timestamp request.

Then performs a 1,000-port scan

  • NMAP has an option to do host discovery without a full port scan

  • -sn will only send pings and a few TCP packets to try to determine whether a host is available

  • -sS SYN scan

  • -T3 normal timing

  • Standard output (to the screen)

  • Simple port mapping to a list of services

    • nmap-services

NMAP -sS SYN scan

  • Default scan option used when no scan option is defined

  • Can be intentionally initiated when the -sS option is set

  • This scan initiates a TCP connection with the target but never completes the three-way handshake

  • AKA SYN scan: it sends a SYN but never sends the final ACK (which makes it harder to detect on the target system)

NMAP TCP Connect -sT TCP Connect Scan

The TCP connect scan can often be used to gather more information about the target than the stealth scan as a full TCP connection is made with the targeted host.

  • Completes the 3-way handshake

  • This way you can make sure the host is up and you are not talking with the firewall
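The mechanics behind both TCP-based host discovery (above, under TCP/UDP Scanning) and the -sT connect scan, as an added example that is not part of the original notes and not Nmap's own code: connect() completes the full three-way handshake, so a refused connection (RST) proves the host is up just as surely as an accepted one. The throwaway listener and the port numbers are constructed for the demo; 127.0.0.1 stands in for the target.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def start_listener(host="127.0.0.1"):
    """Throwaway listening socket on an OS-chosen port (the kernel finishes handshakes
    for queued connections, so no accept() loop is needed to show an 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]

def free_port(host="127.0.0.1"):
    """A port with no listener (bind, read the number, release), used to show 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

def connect_scan_port(host, port, timeout=0.5):
    """One -sT style probe: a full connect(). Returns 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                 # handshake completed: SYN, SYN/ACK, ACK
    except ConnectionRefusedError:
        return "closed"               # RST came back: host is up, nothing listens here
    except OSError:
        return "filtered"             # no answer in time (dropped by a filter) or unreachable
    finally:
        s.close()

def connect_scan(host, ports, workers=20):
    """Scan several ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, connect_scan_port(host, p)), ports))

def host_is_up(host, probe_ports=(22, 80, 443)):
    """TCP host discovery: any definite answer (open or closed) proves the host is reachable."""
    return any(state in ("open", "closed")
               for state in connect_scan(host, probe_ports).values())

if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    print("host up:", host_is_up("127.0.0.1", (open_port, closed_port)))
    srv.close()
```

Because every probe here is a full connection, each one lands in the target's application logs, which is the price of the extra certainty the notes mention.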

NMAP UDP Scan

-sU UDP Scan (you need to be root)

  • Unlike scanning TCP ports, UDP scans expect to receive replies back from systems that have the tested ports closed

  • If the packet sent elicits a response from the target, then the port being probed is open

  • If no response is received, then the port could be open or could be filtered by a device like a firewall

  • Closed UDP ports can be identified by an ICMP response with a type 3 and code 3 response (port unreachable)

  • Ports that are confirmed to be filtered will have an ICMP response of type 3 with codes of 1, 2, 9, 10, or 13, indicating various unreachable errors
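The ICMP messages that the ping sweep and the UDP scan rely on, as an added example that is not part of the original notes and not Nmap's code: it builds an echo request with a valid RFC 1071 checksum, parses an ICMP reply, and for a type 3 (destination unreachable) message digs the probed UDP port out of the quoted datagram so the reply can be mapped onto the open / closed / filtered / open|filtered states listed above. The type 3 replies are constructed in the block for offline use; the addresses and ports in them are sample values.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident, seq, payload=b"ping-sweep"):
    """ICMP type 8 / code 0 (echo request), the message a ping sweep sends to every address."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(msg):
    """Decode an ICMP message. For type 3 also recover the UDP ports of the original probe
    from the quoted IP header plus the first 8 bytes of its payload."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(msg) != 0:              # a valid message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    itype, code, _, rest_hi, rest_lo = struct.unpack("!BBHHH", msg[:8])
    info = {"type": itype, "code": code}
    if itype in (0, 8):                      # echo reply / request carry identifier and sequence
        info["id"], info["seq"] = rest_hi, rest_lo
    elif itype == 3:
        quoted = msg[8:]
        if len(quoted) >= 20:
            ihl = (quoted[0] & 0x0F) * 4     # IPv4 header length in bytes
            info["proto"] = quoted[9]
            if quoted[9] == 17 and len(quoted) >= ihl + 8:   # 17 = UDP
                info["udp_sport"], info["udp_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info

FILTERED_CODES = {1, 2, 9, 10, 13}   # the type 3 codes the notes list as "filtered"

def udp_port_state(icmp_reply=None, udp_reply=None):
    """Classify the outcome of one UDP probe the way nmap -sU reports it."""
    if udp_reply is not None:
        return "open"                        # the service answered in UDP
    if icmp_reply is None:
        return "open|filtered"               # silence: a quiet service or a firewall drop
    info = parse_icmp(icmp_reply)
    if info["type"] == 3 and info["code"] == 3:
        return "closed"                      # port unreachable, sent by the host itself
    if info["type"] == 3 and info["code"] in FILTERED_CODES:
        return "filtered"                    # something in the path refused to deliver the probe
    return "open|filtered"

def build_port_unreachable(code, src_port, dst_port):
    """Constructed ICMP type 3 reply quoting the UDP probe it answers (sample data for the demo)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # sample addresses
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    body = struct.pack("!BBHHH", 3, code, 0, 0, 0) + ip_hdr + udp_hdr
    return struct.pack("!BBHHH", 3, code, icmp_checksum(body), 0, 0) + ip_hdr + udp_hdr

if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1)))
    for code in (3, 13):
        reply = build_port_unreachable(code, 40000, 161)
        print(parse_icmp(reply), "->", udp_port_state(icmp_reply=reply))
    print("no reply ->", udp_port_state())
```

The quoted-datagram step matters in practice: a scanner that fires many UDP probes has to match each type 3 reply back to the port it was about, and many hosts rate-limit those replies, which is why UDP scans are slow.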

NMAP Flag Scans

  • Simple network security devices may block SYN packets

  • NMAP ACK, FIN and XMAS scans are methods that set different flags in the TCP header to try and evade firewalls/IPSs

    • -sF FIN scan (sets the FIN flag)

    • -sA ACK scan (sets the ACK flag)

    • -sX XMAS scan (sets the FIN, PSH and URG flags)

  • Based on the RFC implementation of TCP

    • Closed ports should respond with RST packets

    • Open ports won’t respond at all

    • Can help map firewall rules

NMAP Port Options

Use the -p switch

  • -p <port ranges> (Only scan specific ports)

    • Individual port numbers

    • ranges separated by a hyphen (e.g. 1-1023).

    • -p- is a shortcut to scan 1 through 65535

    • Commas can separate ports and ranges

  • When scanning a combination of protocols, prefix ports with T: for TCP, U: for UDP, S: for SCTP, or P: for IP protocol.

  • The qualifier lasts until you specify another qualifier.

  • For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the listed TCP ports.
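A parser for the -p syntax described above, as an added example that is not part of the original notes and not Nmap's own implementation: it expands single ports, hyphen ranges, commas, the bare "-" shortcut and the T:/U:/S:/P: qualifiers, with each qualifier staying in force until the next one. Beyond what the notes show, it also accepts the open-ended forms "-1023" and "1024-" that Nmap allows; the default of treating unqualified ports as TCP is this example's assumption.

```python
PROTO_QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip-protocol"}
MAX_PORT = 65535

def parse_port_spec(spec, default_proto="T"):
    """Expand an nmap -p argument into {qualifier: sorted list of ports}.

    Elements are comma separated. Each may be a single port, a range 'lo-hi',
    an open range '-hi' (from 1) or 'lo-' (to 65535), or the bare '-' shortcut
    for 1-65535. A leading 'T:', 'U:', 'S:' or 'P:' switches protocol for that
    element and every following one until another qualifier appears.
    """
    result = {}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port spec %r" % spec)
        if len(item) > 1 and item[1] == ":" and item[0].upper() in PROTO_QUALIFIERS:
            proto = item[0].upper()           # qualifier: stays in force from here on
            item = item[2:]
            if not item:
                raise ValueError("qualifier %s: without a port" % proto)
        if item == "-":
            lo, hi = 1, MAX_PORT              # -p- shortcut
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1     # '-1023' means 1-1023
            hi = int(hi_s) if hi_s else MAX_PORT   # '1024-' means 1024-65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port range %r" % item)
        result.setdefault(proto, set()).update(range(lo, hi + 1))
    return {p: sorted(ports) for p, ports in result.items()}

def port_count(spec):
    """How many individual probes a spec implies, which is what makes -p- slow."""
    return sum(len(v) for v in parse_port_spec(spec).values())

if __name__ == "__main__":
    print(parse_port_spec("U:53,111,137,T:21-25,80,139,8080"))
    print(port_count("-"), port_count("1-1023"))
```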

Host Discovery vs Port Scanning

  • Two Goals of Reconnaissance Stage

    • Find Live Hosts

    • Figure out what ports/services are running on those hosts

ARP Ping-Host Discovery

  • On the local subnet, nmap will do "arp pings"

  • ARP converts IP addresses to MAC addresses with layer 2 broadcasts

    • E.g. “Who has 192.168.3.159”

      • “I do – and my MAC is 00:24:d7:18:ba:48”

  • So if a system responds, that IP is up.

  • Only works on the same subnet: an ARP broadcast cannot cross a router

  • --disable-arp-ping if you don’t want this to happen
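The "who has / I do" exchange above, encoded and decoded at the byte level, as an added example that is not part of the original notes and not Nmap's code. It builds the broadcast Ethernet+ARP request, answers it as the host at 192.168.3.159 would (using the MAC from the notes' example), and reduces a set of collected replies to the live-host list an ARP ping produces. Nothing is put on the wire; the frames stay in memory, which is the point of showing the format.

```python
import struct

ETH_TYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame carrying an ARP who-has request, addressed to the layer 2 broadcast MAC."""
    eth = struct.pack("!6s6sH", BROADCAST, mac_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))   # target MAC unknown: zeros
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet+ARP frame into a dict; raises ValueError if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short")
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def build_arp_reply(request_frame, my_mac):
    """'I do, and my MAC is ...': a unicast reply from the owner of the requested IP."""
    req = parse_arp(request_frame)
    eth = struct.pack("!6s6sH", mac_bytes(req["sender_mac"]), mac_bytes(my_mac), ETH_TYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                      mac_bytes(my_mac), ip_bytes(req["target_ip"]),
                      mac_bytes(req["sender_mac"]), ip_bytes(req["sender_ip"]))
    return eth + arp

def arp_sweep_results(reply_frames, probed_ips):
    """Reduce collected replies to {ip: mac} for the probed addresses that answered (i.e. are up)."""
    live = {}
    for frame in reply_frames:
        info = parse_arp(frame)
        if info["op"] == "reply" and info["sender_ip"] in probed_ips:
            live[info["sender_ip"]] = info["sender_mac"]
    return live

if __name__ == "__main__":
    req = build_arp_request("00:11:22:33:44:55", "192.168.3.1", "192.168.3.159")   # sample scanner MAC/IP
    rep = build_arp_reply(req, "00:24:d7:18:ba:48")
    print(parse_arp(req))
    print(parse_arp(rep))
    print(arp_sweep_results([rep], {"192.168.3.159", "192.168.3.160"}))
```

Because the request is a layer 2 broadcast and the reply is a plain frame, the exchange never involves IP routing, which is exactly why it only works on the scanner's own subnet.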

Port Scan with only NMAP

  • For efficiency, it may be advisable to separate host discovery and port scans

  • To perform port scans without discovery

    • Use the -Pn (no ping, aka no host discovery) option

    • -sL (use the list of targets instead of discovery)

NMAP Timing Options

  • Anomaly-based firewalls/IPSs can block IP addresses if thresholds are exceeded.

  • May require more patient scans (-T0/-T1)
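The defender's side of the timing point above, as an added example that is not part of the original notes and not taken from any real firewall or IPS product: a threshold rule that flags a source once it has touched more than N distinct destination ports inside a sliding window, run over constructed firewall-style log lines. The log format, the addresses, the window and the threshold are all this example's assumptions; the fast scan trips the rule while the slow one (one probe every 15 seconds) stays under it, which is what the T0/T1 advice relies on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line shape, loosely iptables-like; not any real device's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev

def detect_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Flag each source the first time it touches more than `threshold` distinct
    destination ports within any `window`; returns {src: time first flagged}."""
    recent = defaultdict(deque)          # src -> (timestamp, dport) events inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dpt"]))
        while q and ev["ts"] - q[0][0] > window:   # expire events older than the window
            q.popleft()
        if ev["src"] not in flagged and len({p for _, p in q}) > threshold:
            flagged[ev["src"]] = ev["ts"]
    return flagged

def make_log(src, ports, start, interval):
    """Constructed log lines: one dropped SYN per port from `src`, `interval` apart."""
    lines = []
    for i, port in enumerate(ports):
        ts = (start + interval * i).isoformat()
        lines.append(f"{ts} DROP SRC={src} DST=10.0.0.9 PROTO=TCP SPT={40000 + i} DPT={port} SYN")
    return lines

T0 = datetime(2024, 5, 1, 10, 0, 0)
FAST_SCAN = make_log("10.0.0.50", range(1, 21), T0, timedelta(milliseconds=100))  # 20 ports in 2 s
SLOW_SCAN = make_log("10.0.0.77", range(1, 21), T0, timedelda(seconds=15)) if False else \
            make_log("10.0.0.77", range(1, 21), T0, timedelta(seconds=15))         # 20 ports in 5 min
BENIGN = make_log("10.0.0.5", [443, 443, 80, 443], T0, timedelta(seconds=1))       # ordinary client

def run_demo():
    # Merge the three sources by timestamp, as a real log would interleave them.
    lines = sorted(FAST_SCAN + SLOW_SCAN + BENIGN, key=lambda l: parse_line(l)["ts"])
    return detect_scanners(lines)

if __name__ == "__main__":
    for src, when in run_demo().items():
        print(f"{src} flagged at {when.isoformat()}")
```

Lowering the threshold or widening the window catches slower scans at the cost of more false positives from legitimate bursty clients, which is the trade-off an anomaly-based device is tuned around.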

NMAP Service and Version Detection

  • Simply identifying that a port is open is useful, but understanding what service is running on that port is more beneficial

  • For example:

    • Port 80 is typically HTTP and 25 SMTP, but what about an open port that is not commonly used?

    • What if the service running on 80 is not HTTP, or telnet (commonly 23) is running on 22 (the SSH port)?

  • NMAP service version sends “version specific probes” to open ports

  • Can also reveal information such as the particular application and version of the service (e.g. Apache 2.4.23)

  • -sV will perform the service detection

  • Recommendation for multiple targets:

    • Do host discovery and port scanning first

    • Then perform -sV against specific ports (using -p <port_list>)

NMAP OS Fingerprinting

Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. This scan is notoriously unreliable.

  • NMAP can also do remote OS detection using TCP/IP stack fingerprinting.

  • Performs dozens of tests, such as

    • TCP initial sequence number sampling,

    • TCP options support and ordering,

    • and the initial window size check

  • -O (the letter O, not zero) runs the OS fingerprinting tests

  • --osscan-limit (limit OS detection to promising targets)

    • OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will skip OS detection against hosts that do not meet this criterion. This can save substantial time.

  • --max-os-tries (set the maximum number of OS detection tries against a target)

    • If Nmap cannot fingerprint a host on the first try, it will try 4 more times by default

    • This can be slow, so you may want to set a lower value
