Nmap

From NetSec

Revision as of 19:09, 28 November 2011

Nmap is a network reconnaissance tool widely used in the security community. It offers everything from port scanning to OS detection and more. Most users value Nmap for its multitude of options, along with the ability to perform many different actions within a single command. For example:

[root@crankhandle ~]# nmap -sS -A -sV blackhatacademy.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-16 06:26 EST
Nmap scan report for blackhatacademy.org (201.218.250.220)
Host is up (0.064s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 4.6 (protocol 2.0)
| ssh-hostkey: 1024 ad:d0:2e:72:22:89:54:91:6d:ac:4a:20:b2:2b:1b:b7 (DSA)
|_1024 7d:24:f9:a1:e6:80:6e:04:1e:3b:3c:fc:f4:4a:6f:71 (RSA)
80/tcp   open   http     Apache httpd
| robots.txt: has 5 disallowed entries 
| / /~joe/docs/ /~joe/private.html /~joe/foo.html 
|_/~joe/bar.html
|_html-title: Hacks
|_http-favicon: 
110/tcp  open   pop3     qpopper
|_pop3-capabilities: USER EXPIRE(NEVER) UIDL X-MANGLE APOP TOP OK(K Capability list follows) RESP-CODES X-LOCALTIME(Thu 16 Dec 2010 06 27 06 -0500) LOGIN-DELAY(0) AUTH-RESP-CODE X-MACRO
443/tcp  open   ssl/http Apache httpd
|_sslv2: server still supports SSLv2
| robots.txt: has 1 disallowed entry 
|_/
|_http-favicon: Apache on Linux
|_html-title: Site doesn't have a title (text/html).
8000/tcp closed http-alt
Device type: general purpose|WAP
Running (JUST GUESSING) : Linux 2.6.X (86%), PheeNet embedded (85%)
Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (86%), PheeNet WAP-854GP WAP (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: Host: meteor.localhost

TRACEROUTE (using port 8000/tcp)
HOP RTT      ADDRESS
1   3.41 ms  myrouter.home (192.168.1.1)
2   9.28 ms  L100.TAMPFL-VFTTP-109.verizon-gni.net (71.180.136.1)
3   11.41 ms G6-0-2-1709.TAMPFL-LCR-07.verizon-gni.net (130.81.105.128)
4   11.76 ms so-6-1-0-0.TPA01-BB-RTR1.verizon-gni.net (130.81.29.240)
5   31.72 ms so-7-3-0-0.ATL01-BB-RTR1.verizon-gni.net (130.81.19.30)
6   26.76 ms 0.xe-7-1-0.BR3.ATL4.ALTER.NET (152.63.80.73)
7   26.93 ms te7-2-10G.ar2.atl2.gblx.net (64.208.110.245)
8   94.42 ms 64.214.150.198
9   94.56 ms gsr1-wc.tcarrier.net (200.46.0.20)
10  86.89 ms 200.90.140.174
11  93.61 ms 201.218.239.246
12  86.18 ms 200.46.241.13
13  86.31 ms 201.218.218.51
14  88.79 ms 201.218.250.220

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds

Now, not only have we found the open ports on the target machine, but we have also found service versions, a probable operating system, and a traceroute to the target.

Lesson

1.0 - Introduction

nmap is a really useful tool for finding out a lot of information about your own (or your target's) network. It is used mainly for port scanning. If you haven't guessed, the name stands for Network Mapper. In this lesson, all we're going to do is go over some basic flags you can use with the nmap program. To get started, here is a sample nmap command:

nmap -T5 --open -Pn -A -p80 -iR 4096

Let's assume this command was run unprivileged. When you run nmap without root privileges it cannot craft raw packets, so it cannot run SYN scans. In unprivileged mode you are scanning with -sT by default, the TCP connect() scan: nmap completes a full three-way handshake with each target port. In privileged mode you can run many more scan types, such as SYN scans, ACK scans, FIN scans, Xmas scans, UDP scans, SCTP scans and IP protocol scans.

We will now go over the basic flags using this as an example.


1.1 - -T

-T selects the timing template. The range is 0 to 5: -T0 (paranoid) and -T1 (sneaky) are extremely slow and meant to stay under IDS rate thresholds, -T2 (polite) goes easy on the target's bandwidth, -T3 (normal) is the default, -T4 (aggressive) is the usual choice on a fast, reliable network, and -T5 (insane) is very fast but sacrifices accuracy: it gives up on slow hosts and retransmits less, so ports can be missed.


1.2 - --open

--open tells nmap to show only the ports it found open (or possibly open: open|filtered and unfiltered also qualify). When scanning more than one host, it is suggested that you use --open, which cleans up the output significantly.


1.3 - -Pn

-Pn tells nmap to skip host discovery and treat every target as up. Normally nmap first pings the addresses you gave it (as root: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request) and only port scans the ones that answer; with -Pn every address gets the full scan, which is what you want when the target drops pings. In previous versions of nmap, -Pn was spelled -P0 and later -PN.


1.4 - -A

-A turns on aggressive detection: OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute (--traceroute). It is the single flag behind most of the extra detail in the scan at the top of this page.


1.5 - -p80

-p80 tells nmap to scan only port 80. You can list several ports and ranges, like -p80,113,135-139. -p- scans all 65535 ports, and a U: or T: prefix selects UDP or TCP, as in -pU:161,T:80.


1.6 - -F

-F (fast) scans only the 100 most common ports instead of the default 1000, using the frequency table nmap's authors built from a large survey of the Internet (the nmap-services file).

1.7 - -iR

-iR asks nmap to pick random Internet hosts as targets, so "-iR 1000" scans 1000 random IPs (and "-iR 0" never stops). Combined with the parameters above, the sample command scans port 80 on 4096 random hosts with host discovery turned off. Because the targets are spread across unrelated network blocks, the activity is less concentrated on any one network than a sweep of a single range would be. It is also a pretty stupid thing to do: you have no idea who owns the addresses, and scanning the wrong one can get you in a lot of trouble.


2.0 - Different scans


2.1 - Syn Scan (-sS)

To run a SYN scan, you'd do something like:

sudo nmap -T4 -vv -Pn -sS -sV 172.16.190.5

The advantage of a SYN scan over a connect scan is that the target application never sees a completed connection, so it usually doesn't log the attempt. The exchange is: nmap computer -> SYN -> server, then nmap computer <- SYN/ACK <- server, and instead of finishing the handshake with an ACK, nmap sends a RST to tear the half-open connection down. A RST in reply to the SYN means the port is closed; no reply at all means it is filtered.

Firewalls, IDS sensors and the kernel's own logging see the SYN packets regardless, so -sS does not hide a scan from network monitoring; it only keeps it out of application-level logs. It is still the default and usually the best choice whenever you have raw-packet privileges.


2.2 - Ack Scan (-sA)

An ACK scan never tells you whether a port is open. It sends packets with only the ACK flag set; a host that receives an ACK belonging to no connection answers with a RST whether the port is open or closed, so nmap reports such ports as unfiltered. A port that doesn't answer, or that provokes an ICMP unreachable, is reported as filtered.

What that buys you is a map of the firewall's rules: a stateless packet filter lets stray ACKs through (it can't tell them from an established connection), while a stateful firewall drops them. So on its own it is of little use, but when you know a host is up and a SYN or connect scan finds nothing, an ACK scan shows which ports are filtered and which are merely closed.


2.3 - Fin Scan (-sF)

A FIN scan is similar to an ACK scan in that it sends a packet belonging to no connection. RFC 793 says a closed port must answer a stray FIN with a RST and an open port must ignore it, so nmap reports a RST as closed and silence as open|filtered. Stacks that don't follow the RFC (Windows, many Cisco devices and a few others) send a RST for every port, so every port looks closed; if that happens, fall back to -sS.


2.4 - xmas Scan (-sX)

Xmas scans are awesome. nmap sends TCP packets with the FIN, PSH and URG flags lit up (a -sN NULL scan is the mirror image, with no flags at all). Stateless firewalls will often just ignore them and pass them through to hosts, because the packets look like part of an existing connection. The port states come out exactly as for a FIN scan: RST means closed, no answer means open|filtered, and an ICMP unreachable means filtered.

You can get some really funky results with Xmas scans, so it isn't recommended to use them as your primary scan type; but when you want to look through firewalls, or determine whether a firewall is protecting a host at all, use -sX.

In that regard it is way better than -sA or -sF. Keep in mind that firewalls are starting to filter Xmas packets, and that the same non-RFC stacks that break FIN scans (Windows among them) answer every Xmas probe with a RST, so it might not work well in some situations.


2.5 - udp Scan (-sU)

UDP scans are very useful, but UDP isn't connection oriented: an open port usually says nothing back, a closed port answers with an ICMP port unreachable, and most kernels rate-limit those ICMP messages (Linux sends at most about one per second), so a full UDP scan takes a very long time. It is recommended that you know specifically what you're looking for. Adding -sV helps, since the version probes send protocol-specific payloads that coax a reply out of listeners nmap would otherwise have to call open|filtered.

So, for example: SNMP = 161, NTP = 123, RPC portmapper = 111, NFS = 2049; those are the ones that matter most. You can typically reach the portmapper on TCP 111 as well, and nmap's rpcinfo script returns the list of registered RPC services (nfs, nlockmgr, mountd and so on) together with the ports they live on.

On ancient boxes, though, it will be UDP only. One way to tell there is a firewall: if port 111 is open and the portmapper advertises nfs, but you don't see 2049 open on the host, a firewall is usually blocking NFS access.

Probe the portmapper rather than NFS itself: even when the NFS port is open the timeouts are ridiculous, and rpcinfo tells you which port to look for each service on anyway.

UDP scans are -sU. Always use -sU with the -p option, and know which ports you need to scan.

I know you're wondering, "isn't the point of nmap to tell me what ports are open?" Well yes, but in the UDP case scanning 1000 or even 100 ports per host is very impractical.

If you are looking for SNMP, "-sU -p161 --script snmp-brute" will tell you which hosts are listening on SNMP and whether the community string is one of the defaults such as public or private. Don't use --script=all for this: it runs every script, including the dos, exploit and intrusive categories.
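The port states reported by the SYN, FIN, Xmas, ACK and UDP scans above all come from the same small decision: what did the target send back, if anything? The following is an added example, not code from the original page or from the Nmap project; it re-implements that decision in Python over hand-built packet headers (the sample replies, port numbers and window sizes are constructed for the example, nothing is sent on the wire) so you can see why -sA can never say "open", why -sF and -sX can only ever say open|filtered or closed, and why a UDP port is "closed" only when an ICMP port unreachable comes back. It also covers the window scan (-sW), which the text above does not mention.

```python
"""Port-state decision logic for the scan types in sections 2.1 to 2.5.

Added example, not code from the original page or from the Nmap project.
All packets below are constructed by hand; nothing is sent on the wire.
"""
import struct
from typing import Optional, Tuple

# TCP flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP type 3 (destination unreachable) codes that make Nmap say "filtered":
# net, host, port, net-admin-prohibited, host-admin-prohibited, admin-prohibited.
UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}

# A reply is None (timed out) or a (protocol, raw header bytes) pair.
Reply = Optional[Tuple[str, bytes]]


def make_tcp(flags: int, window: int = 0, sport: int = 80, dport: int = 40000) -> bytes:
    """Build a minimal 20-byte TCP header (constructed; checksum left zero)."""
    return struct.pack('!HHIIHHHH', sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)


def make_icmp_unreach(code: int) -> bytes:
    """Build an ICMP destination-unreachable header (type 3, given code)."""
    return struct.pack('!BBHI', 3, code, 0, 0)


def tcp_flags_and_window(hdr: bytes) -> Tuple[int, int]:
    """Pull the flag bits and the window size out of a raw TCP header."""
    _, _, _, _, off_flags, window, _, _ = struct.unpack('!HHIIHHHH', hdr[:20])
    return off_flags & 0x1FF, window


def classify(scan: str, reply: Reply) -> str:
    """Return Nmap's port state for one probe of the given scan type.

    scan is one of: syn, connect, fin, null, xmas, ack, window, udp.
    """
    if reply is None:  # no answer after retransmissions
        if scan in ('fin', 'null', 'xmas', 'udp'):
            return 'open|filtered'  # silence is exactly what an open port does here
        return 'filtered'  # syn/connect/ack/window expect some reply from any port

    proto, hdr = reply
    if proto == 'icmp':
        icmp_type, code = hdr[0], hdr[1]
        if icmp_type == 3 and scan == 'udp' and code == 3:
            return 'closed'  # port unreachable: nothing is listening
        if icmp_type == 3 and code in UNREACH_FILTERED:
            return 'filtered'  # something in the path refused the probe
        raise ValueError(f'unexpected ICMP reply type={icmp_type} code={code}')

    if proto == 'udp':
        if scan == 'udp':
            return 'open'  # any UDP payload back proves a listener
        raise ValueError('UDP reply to a TCP scan')

    flags, window = tcp_flags_and_window(hdr)
    if scan in ('syn', 'connect'):
        if flags & SYN and flags & ACK:
            return 'open'
        if flags & RST:
            return 'closed'
    elif scan in ('fin', 'null', 'xmas'):
        if flags & RST:
            return 'closed'  # RFC 793: only a closed port answers a stray FIN
    elif scan == 'ack':
        if flags & RST:
            return 'unfiltered'  # the probe reached the host; open or closed unknown
    elif scan == 'window':
        if flags & RST:
            return 'open' if window else 'closed'  # some stacks leak state in the window
    raise ValueError(f'unexpected TCP flags 0x{flags:03x} for {scan} scan')


def demo() -> dict:
    """Run a handful of constructed exchanges and return {label: state}."""
    return {
        'syn: SYN/ACK': classify('syn', ('tcp', make_tcp(SYN | ACK, 5840))),
        'syn: RST': classify('syn', ('tcp', make_tcp(RST | ACK))),
        'syn: no reply': classify('syn', None),
        'xmas: no reply': classify('xmas', None),
        'xmas: RST': classify('xmas', ('tcp', make_tcp(RST | ACK))),
        'ack: RST': classify('ack', ('tcp', make_tcp(RST))),
        'ack: no reply': classify('ack', None),
        'udp: port unreachable': classify('udp', ('icmp', make_icmp_unreach(3))),
        'udp: admin prohibited': classify('udp', ('icmp', make_icmp_unreach(13))),
        'udp: no reply': classify('udp', None),
    }


if __name__ == '__main__':
    for label, state in demo().items():
        print(f'{label:24s} -> {state}')
```

Run it and compare the table it prints with the --reason column of a real scan: the same reply classified under two scan types gives two different states, which is why the text above keeps saying to pick the scan type for the question you are asking rather than running one and trusting it.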


2.6 - sctp scans (-sY)

Now you have SCTP scans. They're relatively useless unless you're scanning a telco or something. SCTP is a transport-layer protocol alongside TCP and UDP; it was designed to carry SS7 signalling over IP (SIGTRAN), SS7 being the signalling system used by cell phone carriers and telcos. -sY is the SCTP INIT scan, the SCTP equivalent of a SYN scan: an INIT-ACK chunk means open, an ABORT chunk means closed. There is also -sZ, the COOKIE ECHO scan, which works like a FIN scan in that open ports stay silent and closed ones answer with ABORT.

Recently it has found other applications, since it is a really cool protocol.


2.7 - Protocol Scans (-sO)

An IP protocol scan (-sO) works like a port scan one layer down: instead of probing ports, nmap sends a raw IP packet for each protocol number (1 for ICMP, 6 for TCP, 17 for UDP, 50 for ESP, 132 for SCTP and so on) and watches what comes back. It tells you which protocols the remote host supports, or at least is using.

Here's an example:

Nmap scan report for 172.16.10.1
Host is up (0.26s latency).
Not shown: 213 open|filtered protocols, 41 closed protocols
PROTOCOL STATE SERVICE
1        open  icmp
6        open  tcp

An ICMP protocol unreachable (type 3, code 2) marks a protocol closed, any other reply marks it open, and silence is open|filtered.


This is a good way to tell whether a host that has no open ports is alive or not.

Another tip: if you are only scanning one host, use -vv instead of --open. -vv means double verbose, and verbosity is good. You can change the verbosity in the middle of a running scan by typing v or V: v increases it and V decreases it. You can change the debug level the same way with d and D. This is useful when running a script scan: hit d two or three times and nmap will tell you what the current script is doing, down to the operation. Hit D a few times afterwards to bring the debug level back to 0, because if the scan reaches the end of the script at a high debug level you will not like the output.


3.0 - Script Scanning

So this brings me to script scanning. http://nmap.org/nsedoc/ is a very good reference. In a script scan, --script= selects what to run. You can name individual scripts, like "--script=auth-owners,ftp-brute,finger". Script scans are great: there are scripts to probe MySQL, IRC daemons and all kinds of other services. You can also run whole categories: "--script=auth,dos,malware,intrusive,exploit,vuln". nmap schedules the scripts itself and runs them in parallel against each host, and it won't report a host until every script for it has finished, so you won't get pretty output until it's done. The other thing you can do is "--script=all". This isn't recommended: it tries to exploit, violate, DoS and break into remote hosts. Another useful form is "--script "not intrusive"", which loads every script except those in the intrusive category; -sC (the same as --script=default) runs just the safe default set.


3.1 - --reason

--reason tells you why a port is displayed the way it is: which reply (a SYN/ACK, a RST, an ICMP unreachable, or no response at all) made nmap call it open, closed or open|filtered. The only other notable thing I can think of right now is output.


3.2 - Outputting

You can write the scan you are running to a file with -oN followed by the file name, like -oN mepholic.txt. It saves the output in nmap's normal format, the same as you see on screen. There is also -oX, which writes everything as XML; that is the format to feed to other tools. The useful one for quick work, though, is -oG. It writes the scan in greppable format: all of the results for each host go on a single line, which makes it most useful when combined with --open. -oA basename writes all three at once, as basename.nmap, basename.xml and basename.gnmap. The last one is -oS. It stands for script kiddie and produces 1337-speak output.


Example:

StartiNg Nmap 5.59B3Ta1 ( http://nmap.0Rg ) at 2011-08-28 02:26 EDT
Nmap $can r3poRt for 172.16.190.5
HOsT |z up (0.00020z latEnCy).
PORt sT4T3 sERV!c3 V3RS!0n
22/tcp Op3N $Sh 0pen$$H 4.3 (pROtOcol 2.0)
| $$h-H0stkEy: 1024 4c:83:24:Fa:57:99:3C:b2:9d:ca:7c:23:CF:13:23:cF (DS4)
|_2048 64:86:c8:cB:87:d0:38:6b:d2:6D:fa:8b:43:70:5e:6f (RSA)
80/tcp op3n http lighttpd 1.4.26
|_Http-t!Tl3: POw3r3d by lighttPD

$3Rvic3 dEtEcTion p3rf0Rmed. pl3a$e r3PorT Any !nc0rr3Ct Re$ults aT hTTp://nmaP.org/$ubMIt/ .

Nmap doNE: 1 1P addResS (1 hO$T up) $cAnned In 6.93 $3c0ndS
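The greppable format from 3.2 is where -oG earns its keep: one line per host, with the ports in a fixed port/state/protocol/owner/service/rpcinfo/version/ record layout, so a few lines of code can answer "which hosts have SSH open?" across a whole sweep without grep gymnastics. The following is an added example, not code from the original page or from the Nmap project. The .gnmap text it parses is constructed to resemble a scan of the 192.0.2.0/28 documentation range; the hostnames, versions and port mix are made up for the example.

```python
"""Parse Nmap's greppable (-oG) output described in section 3.2.

Added example, not code from the original page or the Nmap project.  The
input below is constructed; addresses come from the 192.0.2.0/24
documentation range and the hostnames and versions are made up.
"""
from typing import Dict, List, NamedTuple

# Constructed .gnmap content (fields are tab-separated, as nmap writes them).
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Thu Dec 16 06:26:00 2010 as: nmap -sS -sV -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 (www.example.net)\tStatus: Up
Host: 192.0.2.10 (www.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 4.6 (protocol 2.0)/, 80/open/tcp//http//Apache httpd/, 8000/closed/tcp//http-alt///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 111/open/tcp//rpcbind//2-4 (rpc #100000)/, 2049/filtered/tcp//nfs///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Thu Dec 16 06:27:00 2010 -- 16 IP addresses (2 hosts up) scanned in 26.53 seconds
"""


class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text: str) -> Dict[str, List[PortRecord]]:
    """Return {ip: [PortRecord, ...]} for every Host: line in a .gnmap file."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith('Host:'):
            continue  # "# Nmap ..." header and footer comments
        fields = line.split('\t')
        ip = fields[0].split()[1]  # "Host: 192.0.2.10 (name)" -> "192.0.2.10"
        hosts.setdefault(ip, [])  # keep hosts that only have a Status: field
        for field in fields[1:]:
            if not field.startswith('Ports:'):
                continue
            for rec in field[len('Ports:'):].split(', '):
                # port/state/proto/owner/service/rpcinfo/version/ -> 8 pieces, last empty
                parts = rec.strip().split('/')
                if len(parts) < 7:
                    raise ValueError(f'malformed port record: {rec!r}')
                hosts[ip].append(PortRecord(int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return hosts


def open_ports(text: str) -> Dict[str, List[int]]:
    """The --open view: only hosts with open ports, and only those ports."""
    result: Dict[str, List[int]] = {}
    for ip, records in parse_gnmap(text).items():
        opened = sorted(r.port for r in records if r.state == 'open')
        if opened:
            result[ip] = opened
    return result


def hosts_with_service(text: str, service: str) -> List[str]:
    """IPs exposing a given service name (e.g. 'ssh') on an open port."""
    return sorted(ip for ip, recs in parse_gnmap(text).items()
                  if any(r.service == service and r.state == 'open' for r in recs))


if __name__ == '__main__':
    for ip, ports in open_ports(SAMPLE_GNMAP).items():
        print(ip, ports)
    print('ssh on:', hosts_with_service(SAMPLE_GNMAP, 'ssh'))
```

Point it at a real .gnmap file with parse_gnmap(open('scan.gnmap').read()) and the same three functions work unchanged; for anything more structured than this (script output, OS matches, hostnames per port) use -oX and an XML parser instead, since the greppable format was never designed to carry that detail.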


4.0 - Conclusion

There is no reason not to get the latest nmap sources and compile them whenever a new version is released, even if it's a beta. New scripts are included with every release, and it compiles and installs quickly.

-D is for decoys. It lets you specify a few addresses, like -D 2.9.11.231,99.99.99.99,ME: nmap forges copies of each probe with those source addresses and sends them alongside your legitimate packets, so the target's logs show several scanners and can't easily tell which one is real (ME marks where your own address goes in the order, and RND:5 picks five random decoys). The decoy hosts should be up, or you may end up SYN flooding the target.


Also, there is -S. It allows you to spoof your source address, but on its own it is useless, because the replies go to the spoofed address and never to you, so the scan is worth nothing. It's useful if you want to make it look like someone else is scanning your target, but even then routers and firewalls on your end will often drop packets whose source address isn't theirs (egress filtering).

There are the parallelism options too. You can set --min-parallelism and --max-parallelism to a high number if you are on a really big pipe, and --min-hostgroup and --max-hostgroup on top of those. There are also --scan-delay, --min-rate and --max-rate. Using these you can optimize scans for speed on bigger pipes, but keep in mind that the faster you scan, the more visible you are and the more likely you are to drop probes and miss ports; on the upside, if you're on a gigabit pipe, your scans will complete very quickly.