Nmap

NMAP is a network recon tool widely used in the security community. It offers everything from port scanning to OS detection and more. Most users value NMAP for its multitude of options, along with the ability to perform many different actions within a single command. NMAP stands for network map.

Correct Usage

nmap [Scan Type(s)] [Options] {target specification}

The last argument is always the target(s) which are being scanned. All other arguments come before it on the command line. There is no --target= switch; the command parser simply takes the trailing argument as the target.

Scan Types

  • -sS
    • SYN Scan. The advantage over other scans is that a three-way handshake isn't performed, which results in a lower chance of logging. A SYN packet is sent to the server and a SYN-ACK is sent back in response, but nmap does not reply with an ACK. Instead, it injects a RST packet to tear down the connection. This is therefore a useful scan type for camouflaging scans. As it does not create a full connection, it is also a lot faster and allows for decoys and spoofing of scan sources.
  • -sA
    • ACK Scan. Using an ACK scan is essentially mapping the firewall rules to try and see what ports a firewall is attempting to protect, by determining whether the port is filtered or unfiltered, as opposed to closed or open. It works by sending an ACK packet to the target port; if the port is not filtered, it should receive a RST packet. No reply indicates filtering. This scan type is known to be inaccurate at times, and should be used in conjunction with other scan types.
  • -sF
    • FIN Scan. A FIN scan should get a RST packet back from closed ports, but may not get anything back from open ports, where the packet will likely be discarded. It is another good way to detect whether a port is filtered or not.
  • -sX
    • Xmas Scan. Nmap will send TCP packets with every flag lit up. Many firewalls will just ignore them and pass them through to hosts. You can get some really funky results with Xmas scans, so using them as your primary scan type isn't recommended, but when you want to look through firewalls, or determine if there are any firewalls protecting a host, use -sX. Way better than -sA or -sF by far in that regard. Keep in mind that firewalls are starting to filter Xmas packets, so it might not work well in some situations.
  • -sU
    • UDP Scan. UDP scans are very good. Since UDP is not a stateful protocol, and has no delivery confirmation like TCP, it takes a very long time to run a full UDP scan. It is recommended you know specifically what you're looking for. For example: SNMP = 161, NTP = 123, RPC = 111, NFS = 2049. You can typically get RPC on TCP, and it returns a list of the services from nmap (nfs, nfslock, etc.). But, in cases where you have ancient boxes, it will more than likely be UDP. One example where you can tell if there is a firewall or not is if you find an open port 111 and it is advertising nfs and portmap but you don't see any NFS on the host. That usually means that there's a firewall blocking NFS access.
    • Just probe RPC instead of NFS, even if the port is open. The timeout is ridiculous, so RPC will tell you what port to look for NFS on. UDP scans are -sU; always use it with the -p option and know what ports to scan on.
    • I know you're wondering, "isn't the point of nmap to tell me what ports are open?" Well yes, but in the UDP scan situation, scanning 1000 or even 100 ports is very impractical. If you are looking for SNMP though: "-sU -p161 --script=all" will tell you which hosts are listening on SNMP and if the community is public/private or not.
  • -sY
    • SCTP scan. Now you have SCTP scans. They're relatively useless unless you're scanning a telco or something. SCTP is a protocol like TCP, layer 3 etc, which is used in SS7, a system used by cell phone carriers and telcos. Recently there have been other applications for it since it is a really cool protocol.
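
Seen from the capture side, each TCP scan type above leaves its own flag pattern, and the half-open SYN scan stands out because the client answers the SYN-ACK with a RST instead of an ACK. The following Python is an added example, not part of the original page; the packet records and their layout are constructed assumptions.

```python
from collections import defaultdict

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # what Nmap sends for -sX; an all-flags packet also matches

# Constructed capture records: (client_ip, server_port, sender, flags),
# sender "c" = client side, "s" = server side.
SAMPLE_PACKETS = [
    ("10.0.0.5", 22, "c", SYN), ("10.0.0.5", 22, "s", SYN | ACK), ("10.0.0.5", 22, "c", RST),
    ("10.0.0.7", 80, "c", SYN), ("10.0.0.7", 80, "s", SYN | ACK), ("10.0.0.7", 80, "c", ACK),
    ("10.0.0.5", 443, "c", ACK), ("10.0.0.5", 443, "s", RST),
    ("10.0.0.5", 25, "c", FIN),
    ("10.0.0.5", 110, "c", XMAS),
    ("10.0.0.5", 8000, "c", SYN), ("10.0.0.5", 8000, "s", RST | ACK),
]


def classify_flow(client_flags, server_flags):
    """Label one client-to-port conversation from the flags each side sent, in order."""
    first, rest = client_flags[0], client_flags[1:]
    if first == SYN:
        if any(f & SYN and f & ACK for f in server_flags):
            if rest and rest[0] & RST:
                return "half-open SYN probe, port open"
            if rest and rest[0] & ACK:
                return "completed handshake"
            return "SYN-ACK left unanswered"
        if any(f & RST for f in server_flags):
            return "SYN to closed port"
        return "SYN with no reply"
    if first & XMAS == XMAS:
        return "Xmas probe"
    if first == FIN:
        return "bare FIN probe"
    if first == ACK:
        return "bare ACK probe"
    return "other"


def classify_capture(packets):
    """Group packets per (client, port) and classify each conversation."""
    flows = defaultdict(lambda: {"c": [], "s": []})
    for client, port, sender, flags in packets:
        flows[(client, port)][sender].append(flags)
    return {key: classify_flow(f["c"], f["s"]) for key, f in flows.items() if f["c"]}
```

A capture that starts mid-connection shows established traffic as bare ACKs, so apply this only to flows whose first packet was observed.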

Options

  • -T
    • -T sets scan speed/timing, with 0 being incredibly slow and stealthy, and 5 being insanely fast. You can specify anything between 0 and 5, or use the arguments "paranoid, sneaky, polite, aggressive, insane". They do what they say. It is generally recommended to use a slower scan if you suspect there is an IDS/IPS in operation; however, most users seem to just use -T4 and hope for the best.
  • --open
    • --open means to only show open ports on hosts. When scanning more than one host, it is suggested that you use --open, which cleans up the output of nmap significantly. This is highly recommended with certain terminal emulators that do not have enough scrollback.
  • -Pn
    • -Pn tells nmap not to do a ping scan before scanning hosts. Usually, it will take the IPs you gave it and ping them all first to see which ones are online. In previous versions of nmap, -Pn was -PO and -PN. This is highly recommended if you suspect a firewall is in place; some are known to fingerprint nmap's ping scan and block you for a short amount of time as a proactive intrusion prevention method. Some embedded devices' built-in firewalls do the same, for example, the Netopia 3*** series routers.
  • -p80
    • -p80 tells nmap to only scan port 80; you can do multiple ports like so: -p80,113,135-139. Specifying a small number of ports to scan is a lot more stealthy (and faster) than scanning them all, and is an excellent way to keep "noise" to a minimum during initial reconnaissance.
  • -F
    • -F will scan the 100 most popular ports based on a huge scan of the internet by the creators of nmap. This greatly speeds up the scan; however, you are likely to miss non-standard services, or services installed on non-standard ports.
  • -iR
    • -iR scans for random hosts, so "-iR 1000" scans 1000 random ips. With the previous parameters, it's for port 80 w/ ping scan enabled. This is pretty stupid to use as it can get you in a lot of trouble if you scan the wrong thing. However, it is useful for taking "surveys" of large numbers of hosts, or finding live hosts to spoof as.
  • -i
    • -i is internet wide, so you can do a random scan for webservers with -iR. This is useful for reducing attention to your activity as it spreads it across network blocks instead of hitting just one.
  • -6
    • Enables IPv6 scanning
  • -A
    • Aggressive scan options including -O, -sV, -sC and --traceroute. Recommended if you want to quickly gather detailed information without working out the correct scan strings to use; extra verbosity (-vv) is also recommended.
  • -h
    • Prints a help summary page
  • --privileged
    • Assumes that the user is fully privileged. When you are running nmap unprivileged, you cannot run SYN scans. In unprivileged mode, you are scanning with -sT by default, that is, raw connection scanning, so nmap is doing a full three-way handshake with each client. In privileged mode, you can run a lot more scan types, such as SYN scans, ACK scans, FIN scans, Xmas scans, UDP scans, SCTP scans and protocol scans.

Evasion Techniques

Evasion and Stealth Techniques

Decoy Scanning

Decoy Scanning is a very simple technique nmap can use for obfuscating the original source IP address of a port scan. Essentially it sends some of the probes from spoofed IP addresses that the user specifies, in the hopes that they "mask" the user's true IP address in the target's log files. Remember - the user's IP will still be in the logs!

  • Example usage:
    • # nmap -sS -sV -Ddecoy.tld,decoy.tld,decoy.tld,decoy.tld,decoy.tld target.tld


This would launch a "Stealth SYN" scan with Version Fingerprinting against "target.tld", masquerading as various decoys. Note how the decoys are used in the string: -D[Decoy1],[Decoy2] - a comma-separated list. This is the correct way to structure your decoy lists.

Now, this tactic has several glaring issues.

The users are most likely on a DSL or cable line. This means the user's IP address is going to stand out like a sore thumb, as it resolves to a cable/DSL provider and NOT the random hosts (normally websites) that were chosen as decoys. So, if the user is going to scan using decoys, they should make sure to use IP addresses from similar "internet demographics" as their own, i.e. if scanning from a cable/DSL connection, the user's decoy bounces should also be DSL/cable connections.

The other issue with decoy scanning is that if the user's decoys are not, in fact, online/up, the user may accidentally hose their target. One method that has been used with success is to quickly scan a few ranges known to have home/DSL lines on them, and use the ones that are "up" as decoys.

---

Fragmentation

Some firewalls and IDS systems can be evaded by the correct use of packet fragmentation. Essentially this means "splitting" your packets in an attempt to disguise your traffic. It is a somewhat-decent method when combined with other techniques, however it has been known to slow the scan down somewhat.

This would fragment the packets sent to target.tld to some degree, and for finer grained control over the packet fragmentation you may manually set the MTU value using the --mtu <value> argument. It is advised to experiment with this in order to find optimal settings for your scanning.

The MTU must be a multiple of 8 (i.e. a legitimate MTU value) for this to work. Otherwise nmap will just throw an error and exit.

Essentially this technique hopes that IDS/switches/firewalls will not do a great job of reassembling the packets sent, and allow "evil" packets through the filters where they are reassembled and interpreted/replied to by the target system.
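
The multiple-of-8 requirement follows from the IPv4 header: the fragment offset field counts 8-byte units, so every fragment except the last must carry a multiple of 8 bytes. As an added example (not from the original page), this Python check shows what a reassembling firewall or IDS can look for: fragments that split the 20-byte TCP header. The packets are constructed inline, the addresses are documentation ranges, and the function names are hypothetical.

```python
import struct

TCP_PROTO = 6
MIN_TCP_HEADER = 20            # bytes in a TCP header without options
IPV4_HEADER = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_fragment(payload_len, offset_bytes, more_fragments, proto=TCP_PROTO):
    """Build a constructed IPv4 packet (zeroed checksum and payload) as test input."""
    if offset_bytes % 8:
        # The 13-bit fragment offset field counts 8-byte units, so any
        # other offset cannot be encoded at all.
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + bytes(payload_len)


def inspect_fragment(packet):
    """Classify one IPv4 packet by how its fragmentation treats the TCP header."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        IPV4_HEADER, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    payload_len = total_len - header_len
    if not more_fragments and offset == 0:
        return "not fragmented"
    if proto == TCP_PROTO and offset == 0 and payload_len < MIN_TCP_HEADER:
        return "suspicious: first fragment cuts the TCP header short"
    if proto == TCP_PROTO and 0 < offset < MIN_TCP_HEADER:
        return "suspicious: fragment begins inside the TCP header"
    return "ordinary fragment"
```

Ordinary path-MTU fragmentation never produces either suspicious case, because the first fragment of a normal datagram is far larger than a TCP header.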

---

Data Length

Some firewall/IDS systems either log, or block, the packets sent by nmap for obvious reasons. One common way to "signature" nmap packets is the default data length, so in order to bypass filters and evade IDS systems, you can specify your own data length for the packets using the --data-length=<value> argument.

  • The following scan string is an example:

This would scan "target.tld" with packets of "length" 1337. Effectively this technique adds extra "padding" to the packet, making it look less like a scan-packet and more like a legitimate packet.

---

Timing

NOTE: Timing can be seen as both evasion AND/OR performance related. Staff have no doubt this will cause multiple EDITS so just leave it as-is unless you have a VERY valid reason to edit.

Timing your scans is an excellent way to lower the detection threshold you have. Fast, noisy scans tend to get detected instantly, whereas if the same scan was done incredibly slowly, it has a much smaller chance of detection.

The timing flag works like so: -T<value> where value is 0-5. There are also "key words" you can use like -T aggressive, etc. The key words are paranoid, sneaky, polite, aggressive, insane. They basically do what they say.

  • The following scan string is an example:

This would launch a scan (an incredibly slow one) against target.tld. Remember, slow and sneaky is generally a lot better than loud and fast!

General Evasion Tips:

  1. Do several "Scans" of the target. Break your scans up into chunks of "ports of interest", for example, if you wanted to map out 25 ports on a target server, break them into groups of 5 and scan each group individually with delays between the scans.
  2. Layer your source-obfuscation techniques. Use both decoys and timing, along with fragmentation, extra "padding", etc. The more "layers" of hiding the better.
  3. While you should keep your scans slow, you should also keep your "scan time" to a minimum. Break the scan up into several smaller jobs.
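
From the monitoring side, a scan split into small groups with long delays is exactly what a short-window rate threshold misses and a long-window count of distinct ports per source catches. The Python below is an added example, not part of the original page; the log format, addresses, port list and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (constructed): "<epoch_seconds> SRC=<ip> DST=<ip> DPT=<port>"
LINE = re.compile(r"^(\d+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 123, 135, 139, 143, 161, 389, 443,
         445, 993, 995, 1433, 2049, 3306, 3389, 5432, 5900, 8080]


def make_sample_log():
    """Constructed log: 25 ports probed in groups of 5, two hours apart,
    mixed with a normal client that only ever talks to port 443."""
    lines = []
    for i, port in enumerate(PORTS):
        group, position = divmod(i, 5)
        ts = group * 7200 + position * 10
        lines.append(f"{ts} SRC=198.51.100.7 DST=192.0.2.10 DPT={port}")
    for n in range(200):
        lines.append(f"{n * 150} SRC=203.0.113.9 DST=192.0.2.10 DPT=443")
    return lines


def sources_over_threshold(lines, window, threshold):
    """Return sources that hit >= threshold distinct ports on one target
    within any span of `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            events[(m.group(2), m.group(3))].append((int(m.group(1)), int(m.group(4))))
    flagged = set()
    for (src, _dst), seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until the span fits.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            if len({port for _, port in seen[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged
```

On the constructed log, a rule of 10 distinct ports in 60 seconds flags nothing, while 20 distinct ports in 24 hours flags the scanning source and leaves the busy web client alone.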

Target Specification

For example:

# nmap -sS -A -sV blackhatacademy.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-16 06:26 EST
Nmap scan report for blackhatacademy.org (201.218.250.220)
Host is up (0.064s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
| ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA)
|_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA)
80/tcp   open   http     Apache httpd
| robots.txt: has 5 disallowed entries 
| / /~joe/docs/ /~joe/private.html /~joe/foo.html 
|_/~joe/bar.html
|_html-title: Hacks
|_http-favicon: 
110/tcp  open   pop3     qpopper
|_pop3-capabilities: USER EXPIRE(NEVER) UIDL X-MANGLE APOP TOP OK(K Capability list follows) RESP-CODES X-LOCALTIME(Thu 16 Dec 2010 06 27 06 -0500) LOGIN-DELAY(0) AUTH-RESP-CODE X-MACRO
443/tcp  open   ssl/http Apache httpd
|_sslv2: server still supports SSLv2
| robots.txt: has 1 disallowed entry 
|_/
|_http-favicon: Apache on Linux
|_html-title: Site doesn't have a title (text/html).
8000/tcp closed http-alt
Device type: general purpose|WAP
Running (JUST GUESSING) : Linux 2.6.X (86%), PheeNet embedded (85%)
Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (86%), PheeNet WAP-854GP WAP (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: Host: meteor.localhost

TRACEROUTE (using port 8000/tcp)
HOP RTT      ADDRESS
1   3.41 ms  myrouter.home (192.168.1.1)
2   9.28 ms  L100.TAMPFL-VFTTP-109.verizon-gni.net (71.180.136.1)
3   11.41 ms G6-0-2-1709.TAMPFL-LCR-07.verizon-gni.net (130.81.105.128)
4   11.76 ms so-6-1-0-0.TPA01-BB-RTR1.verizon-gni.net (130.81.29.240)
5   31.72 ms so-7-3-0-0.ATL01-BB-RTR1.verizon-gni.net (130.81.19.30)
6   26.76 ms 0.xe-7-1-0.BR3.ATL4.ALTER.NET (152.63.80.73)
7   26.93 ms te7-2-10G.ar2.atl2.gblx.net (64.208.110.245)
8   94.42 ms 64.214.150.198
9   94.56 ms gsr1-wc.tcarrier.net (200.46.0.20)
10  86.89 ms 200.90.140.174
11  93.61 ms 201.218.239.246
12  86.18 ms 200.46.241.13
13  86.31 ms 201.218.218.51
14  88.79 ms 201.218.250.220

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds

Now, not only have we found the open ports on the target machine, but we have found service versions, a possible operating system, and a nice traceroute to the target.

This is a good way to tell if a host that has no open ports is alive or not. Another tip: if you are only scanning one host, use -vv instead of --open. -vv means double verbose. Verbosity is good. You can actually change the verbosity in the middle of a running scan by typing v or V during a scan: v = increase, V = decrease. You can change the debug level as well with d and D. This is useful when running a script scan. If you hit d 2 or 3 times, it will usually tell you what the current script is doing, down to the operation. You should hit D a few times afterwards to get the debug level back down to 0, because if it hits the end of the script, you will not like the output.

Script Scanning

So this brings me to script scanning. http://nmap.org/nsedoc/ is a very good reference. In a script scan, --script= is used. You can set individual scripts like: "--script=auth-owners,ftp-brute,finger". Script scans are great; they even have scripts to probe mysql info, ircd info, etc., all kinds of data.

You can also run groups of scripts like: "--script=auth,dos,malware,intrusive,exploit,vuln". It will run them in the order specified. Note that nmap won't complete until every script finishes so you won't get pretty output until it's done.

The other thing you can do is: "--script=all". This isn't recommended, as it tries to exploit, violate, DoS, and break into remote hosts. Another useful command is: "--script "not intrusive"". This loads every script except for those in the intrusive category.

Conclusion

There is no reason not to get the latest nmap sources and compile them whenever a new version of nmap is released, even if it's a beta. New scripts are included in every release, and it compiles and installs quickly.

Common Scans

  • This will map out your home network in pretty good detail, and save the results to home_network.txt.
 nmap -sSV -A -O -Pn -vv --defeat-rst-ratelimit --script=discovery -oN home_network.txt 192.168.1.0/24
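
A saved -oN report is most useful when it is compared against what you expect to be listening. The Python below is an added example, not part of the original page: it parses the normal-output port table and lists open ports missing from an allowlist. The sample report, its hosts and the baseline are constructed assumptions.

```python
import re

# Constructed -oN style report for two hosts (addresses and services are made up).
SAMPLE_OUTPUT = """\
Nmap scan report for router.home (192.168.1.1)
Host is up (0.0030s latency).
PORT     STATE  SERVICE  VERSION
53/tcp   open   domain   dnsmasq
80/tcp   open   http     lighttpd
8000/tcp closed http-alt

Nmap scan report for 192.168.1.23
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
|_ssh-hostkey: (constructed script output line)
23/tcp   open   telnet   BusyBox telnetd
"""

HOST = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9A-Fa-f.:]+)\)?$")
PORT = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Hypothetical allowlist of the services expected on each host.
BASELINE = {"192.168.1.1": {(53, "tcp"), (80, "tcp")}, "192.168.1.23": {(22, "tcp")}}


def parse_open_ports(text):
    """Return {ip: {(port, proto): (service, version)}} for ports in state 'open'."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = HOST.match(line.strip())
        if host:
            current = hosts.setdefault(host.group(1), {})
            continue
        port = PORT.match(line)  # script lines start with "|" and never match
        if port and current is not None and port.group(3) == "open":
            key = (int(port.group(1)), port.group(2))
            current[key] = (port.group(4), port.group(5).strip())
    return hosts


def unexpected_services(hosts, baseline):
    """List open ports that the baseline does not allow, sorted for stable output."""
    return sorted((ip, port, proto, service)
                  for ip, ports in hosts.items()
                  for (port, proto), (service, _) in ports.items()
                  if (port, proto) not in baseline.get(ip, set()))
```

Run against the constructed report, the only finding is telnet on 192.168.1.23; in practice the text would be read from home_network.txt.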