NMAP - CyberSD
NMap

Chapter objectives
At the end of this chapter, you will be able to:
- Describe port scanning, the types of port scans and port-scanning tools
- Explain ping sweeps
- Explain shell scripting

Port scanning
- Determines which hosts are live and which services they are offering
- Every open service is attack surface: an open port is what an exploit is launched against
- When testing, scan all ports, not just the well-known ports (nmap -p-); a backdoor rarely listens on a well-known port
- Establish a network baseline consisting of all live machines and all open ports, so that later scans can be compared against it

Port states
- Port-scanning tools identify and report the status of each port
- Each port is reported in one of three states: 1. open, 2. closed, 3. filtered (no reply at all, so something between scanner and target dropped the probe)
- Nmap refines this with "unfiltered" (ACK scan: reachable, but open/closed unknown) and the combined states open|filtered and closed|filtered when a probe cannot tell the two apart
- The scanner can also make a best-guess assessment of the OS from the responses (nmap -O)
- Open high-numbered ports may indicate Trojans or other malware

Scan types and TCP flags
- Common port scans are distinguished by the TCP flags set in the probe; Wireshark reports each packet's flag status
- SYN (nmap -sS): "stealthy" half-open scan; sends SYN, reads the SYN/ACK or RST, then sends RST instead of completing the handshake
- Connect (nmap -sT): completes the three-way handshake through the OS connect() call, so the connection is visible in the target's logs
- NULL (nmap -sN): all flags turned off
- XMAS (nmap -sX): FIN, PSH and URG flags set
- ACK (nmap -sA): used to map firewall rules; a stateless filter that blocks only SYN lets ACK probes through, and the RST that comes back shows the port is unfiltered
- FIN (nmap -sF): a closed port responds with an RST packet; an open port stays silent (RFC 793)
- UDP (nmap -sU): a closed port responds with an ICMP "Port Unreachable" message; an open port usually says nothing, so open and filtered are hard to separate
- Caveat: NULL, FIN and XMAS scans depend on the RFC 793 rule above; Windows stacks answer RST regardless of port state, so against them these scans report every port closed

Port-scanning tools
- Nmap (insecure.org)
- Unicornscan
- NetScanTools Pro 2004
- Nessus (vulnerability scanner)

Nmap
- Open source; the standard port scanner
- Originally written for Phrack magazine (issue 51, 1997)
- Maintained at insecure.org
- Used by Trinity in The Matrix Reloaded
- GUI front end available (the slides name Xnmap; Zenmap is the current one)
- Windows versions available

Unicornscan
- Designed for large networks
- Developed in 2004
- Scans all 65,535 TCP ports in three to seven seconds
- Handles port scanning over TCP, ICMP and IP
- Optimizes UDP scanning

NetScanTools Pro 2004
- Robust, easy-to-use commercial tool
- Supports *NIX and Windows
- Types of tests: database vulnerabilities; e-mail account vulnerabilities; DHCP server discovery; IP packets and name servers; OS fingerprinting

Nessus
- Released in 1998
- V2 and earlier were open source (the licence changed at V3)
- Client/server architecture
- Conducts testing from different locations
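The scan types above are defined entirely by the flag bits in the probing segment, and the replies they rely on (RST from a closed port, silence from an open one for NULL/FIN/XMAS, SYN/ACK for SYN) follow from RFC 793. The following block is an added example, not code from the original slides or from Nmap or Wireshark: it builds constructed 20-byte TCP headers as sample input, decodes the flag field the way Wireshark's Info column shows it, names the scan type a lone probe corresponds to, encodes the expected reply per port state, and runs a small detection pass that flags a source sending NULL, FIN or XMAS segments to several ports. The source addresses, ports and the threshold of three ports are assumptions chosen for the demo.

```python
import struct

# TCP flag bits: the low six bits of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header (no options) as sample data.
    The checksum is left at zero: this is constructed demo input,
    not a packet that is ever transmitted."""
    offset_flags = (5 << 12) | (flags & 0x3F)      # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)


def parse_tcp_header(raw):
    """Decode the fields a scan classifier needs from a raw TCP header."""
    sport, dport, _seq, _ack, offset_flags, _win, _csum, _urgp = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "flags": offset_flags & 0x3F}


def flag_string(flags):
    """Render the flags the way Wireshark's Info column does, e.g. 'FIN/PSH/URG'."""
    return "/".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"


def classify_probe(flags):
    """Name the scan type a lone probe with exactly these flags corresponds to."""
    if flags == 0:
        return "NULL"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags == SYN:
        return "SYN"          # also the first packet of an ordinary connect
    if flags == ACK:
        return "ACK"          # also every mid-connection segment
    return "normal"


def expected_response(scan_type, port_state):
    """RFC 793 behaviour the scanner relies on, for an unfiltered port.
    Returns the flags of the reply, or None when the target stays silent."""
    if port_state == "closed":
        return "RST"          # every TCP probe to a closed port is answered with RST
    if scan_type == "SYN":
        return "SYN/ACK"      # open port: second step of the handshake
    if scan_type == "ACK":
        return "RST"          # open or closed, an unfiltered port answers an ACK with RST
    return None               # NULL/FIN/XMAS: an open port drops the segment


def find_scan_probes(capture, min_ports=3):
    """Detection pass over (source_ip, raw_tcp_header) pairs: a source that sends
    NULL, FIN or XMAS segments to several ports is scanning, because no
    conforming TCP stack emits those flag combinations on its own."""
    per_source = {}
    for src_ip, raw in capture:
        h = parse_tcp_header(raw)
        if classify_probe(h["flags"]) in ("NULL", "FIN", "XMAS"):
            per_source.setdefault(src_ip, set()).add(h["dport"])
    return {ip: sorted(ports) for ip, ports in per_source.items()
            if len(ports) >= min_ports}


# Constructed capture (assumed addresses): an XMAS sweep of ports 21-25 from
# 10.0.0.9, plus an ordinary handshake and data segment from 10.0.0.20.
SAMPLE_CAPTURE = (
    [("10.0.0.9", build_tcp_header(40000 + i, p, FIN | PSH | URG))
     for i, p in enumerate(range(21, 26))]
    + [("10.0.0.20", build_tcp_header(51000, 80, SYN)),
       ("10.0.0.20", build_tcp_header(51000, 80, ACK)),
       ("10.0.0.20", build_tcp_header(51000, 80, PSH | ACK))]
)

if __name__ == "__main__":
    for src_ip, raw in SAMPLE_CAPTURE:
        h = parse_tcp_header(raw)
        print(src_ip, h["sport"], "->", h["dport"], flag_string(h["flags"]), classify_probe(h["flags"]))
    print("scanners:", find_scan_probes(SAMPLE_CAPTURE))
```

Only the NULL, FIN and XMAS combinations are treated as scan signatures: a bare SYN or a bare ACK is also what legitimate traffic looks like, which is exactly why the SYN scan is called stealthy and why an ACK scan slips past stateless filters. On a real capture the key is the source IP from the IP header, as here, never the source port, which scanners vary freely.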
Nessus architecture
- Server: runs on any *NIX platform
- Client: UNIX or Windows
- Functions much like a database server
- Security checks are delivered as plug-ins (scripts) that can be updated
- Some plug-ins are considered dangerous (they can cause a DoS), so disable them when testing production systems

Nessus results
- Finds services running on ports
- Finds vulnerabilities associated with the identified services

Ping sweeps
- Identify which IP addresses are active within an address range
- Problems:
  - Shut-down computers cannot respond
  - Newer machines may have remote wake-up
  - Networks may be configured to block ICMP Echo Requests
  - Firewalls may be configured to filter out ICMP traffic
  - A host that does not answer ping is therefore not necessarily down; confirm with a TCP probe before excluding it

Fping
- Pings multiple IP addresses simultaneously
- www.fping.com/download
- Command-line tool, run from a shell
- Input: an IP address range entered on the command line (-g option, e.g. fping -g 192.168.1.0/24) or a file of addresses (-f option, e.g. fping -f hosts.txt)
- To create a baseline, redirect the fping output to a file

Hping
- Used to bypass filtering devices
- Allows users to fragment and manipulate IP packets
- www.hping.org/download
- Powerful; all security testers should be familiar with this tool
- Supports many parameters (command options)

Crafting packets
- Packet components: IP addresses (destination, source) and flags
- Crafting packets helps you obtain more information about a service
- Flags can be varied to see how the service or the filtering device in front of it reacts
- Packet-crafting tools: fping, hping

Shell scripting
- Enables you to modify tools to better suit your needs
- A script is a computer program that automates tasks; a time-saving solution
- Similar to DOS batch programming
- A script or batch file is a text file containing multiple commands
- Repetitive commands are good candidates for scripting
- Practice is key

Summary
- Port scanning (also referred to as service scanning): the process of scanning a range of IP addresses to determine what services are running
- Port scan types: SYN, ACK, FIN, UDP; others: Connect, NULL, XMAS
- Port-scanning tools: Nmap, Nessus, Unicornscan
- Ping sweeps: determine which computers are "alive"
- Shell scripting: helps with automating tasks

Reference
http://ca.htc.mnscu.edu/ccis2410/
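The ping-sweep and baseline slides above describe one workflow: find the live hosts, record which ports are open on each, save that as the baseline, and compare later sweeps against it. The block below is an added example and is not code from the original slides, from fping or from Nmap. It parses constructed fping output (the "host is alive" / "host is unreachable" lines fping prints), performs a connect scan with the OS completing the three-way handshake and maps the outcome to open, closed or filtered, and diffs two baselines. So that it runs offline, the scan target is a listener the block starts itself on 127.0.0.1; the 10.0.0.x addresses and the port lists in the baseline diff are assumed sample data.

```python
import socket
import threading


def parse_fping(output):
    """Turn fping's per-host lines ('10.0.0.5 is alive' / '10.0.0.6 is unreachable')
    into the list of live hosts. Any other line (errors, summary) is skipped."""
    alive = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1:3] == ["is", "alive"]:
            alive.append(parts[0])
    return alive


def tcp_connect_scan(host, ports, timeout=0.5):
    """Connect scan: the OS completes the three-way handshake, then we close.
    open     - connect() succeeded, i.e. a SYN/ACK came back
    closed   - the target answered the SYN with RST (ECONNREFUSED)
    filtered - nothing came back before the timeout; something dropped the SYN"""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except socket.timeout:
            states[port] = "filtered"
        except OSError as exc:                 # e.g. host or network unreachable
            states[port] = "error:%s" % exc.errno
        finally:
            s.close()
    return states


def open_ports(states):
    return sorted(p for p, st in states.items() if st == "open")


def diff_baseline(old, new):
    """old/new: {host: [open ports]}. Report what changed since the baseline."""
    report = {"new_hosts": sorted(set(new) - set(old)),
              "missing_hosts": sorted(set(old) - set(new)),
              "new_ports": {}, "closed_ports": {}}
    for host in sorted(set(old) & set(new)):
        added = sorted(set(new[host]) - set(old[host]))
        gone = sorted(set(old[host]) - set(new[host]))
        if added:
            report["new_ports"][host] = added
        if gone:
            report["closed_ports"][host] = gone
    return report


def start_listener():
    """Local stand-in for a live service: accept and close, on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Bind-and-release to obtain a port we know nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


# Constructed fping output (assumed addresses), as 'fping -g 10.0.0.0/29' prints it.
SAMPLE_FPING = """10.0.0.1 is alive
10.0.0.2 is unreachable
10.0.0.5 is alive
10.0.0.6 is unreachable
"""


def demo():
    """Scan one open and one closed port on the local host."""
    srv, open_port = start_listener()
    closed_port = free_port()
    states = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return states, open_port, closed_port


if __name__ == "__main__":
    print("live from fping:", parse_fping(SAMPLE_FPING))
    states, op, cp = demo()
    print("scan of 127.0.0.1:", states, "open:", open_ports(states))
    baseline = {"10.0.0.1": [22, 80], "10.0.0.5": [22]}      # assumed earlier baseline
    rescan = {"10.0.0.1": [22, 80, 8080], "10.0.0.7": [445]}  # assumed later sweep
    print(diff_baseline(baseline, rescan))
```

In practice the baseline dictionary is built by running parse_fping over the saved sweep and tcp_connect_scan over each live host, then written to a file; the diff is what turns a repeated scan into a finding (a new host, or a new listening port on a known host). Because ICMP may be blocked, a host missing from the fping list is worth a TCP probe on a few common ports before it is dropped from the baseline.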