NMAP - CyberSD

Nmap

At the end of this chapter, you will be able to:
  Describe:
    Port scanning
    Types of port scans
    Port-scanning tools
  Explain ping sweeps
  Explain shell scripting

Port scanning
With port scanning, you can determine:
  Which hosts are live
  Which services are being offered
Open services represent vulnerabilities
  Open ports may be used to launch exploits
When testing, scan all ports
  Not just well-known ports
Establish a network baseline consisting of:
  All live machines and
  All open ports

Port scanning tools identify and report port status.
Each port must be in one of three states:
  1. Open
  2. Closed
  3. Filtered
Port scanning tools can assess (best-guess) the OS
Open high-numbered ports may indicate Trojans or other malware

Types of port scans
Common port scans are based upon TCP flags
Wireshark reports each packet's flag status
  SYN: stealthy scan
  Connect: completes the three-way handshake
  NULL: all flags turned off
  XMAS: FIN, PSH and URG flags set
  ACK: used to deceive a (stateless) firewall
  FIN: a closed port responds with an RST packet
  UDP: a closed port responds with an ICMP "Port Unreachable" message
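As an added example (not part of the original slides), the shell script below looks at the same flag combinations from the defender's side: it classifies a captured probe by its TCP flag byte into the scan types listed above, records the reply the slides describe from a closed port, and counts NULL, XMAS and FIN probes per source address over a constructed sample capture. The sample addresses, the record format and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: classify a captured TCP probe by
# its flag byte into the scan types listed above, state the reply the slides
# describe from a closed port, and count suspicious probes per source address.
# Flag bit values are the RFC 793 positions in the TCP flags byte, the same
# value Wireshark shows in its tcp.flags field.
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32

# classify_tcp_flags FLAGBYTE -> SYN | ACK | FIN | NULL | XMAS | OTHER
# A plain SYN, ACK or FIN probe carries only that one flag; NULL carries none;
# XMAS carries exactly FIN, PSH and URG. Anything else (e.g. SYN|ACK from a
# normal handshake, FIN|ACK at connection close) is reported as OTHER.
classify_tcp_flags() {
    f=$(( $1 ))
    if [ "$f" -eq 0 ]; then echo NULL
    elif [ "$f" -eq $(( FIN | PSH | URG )) ]; then echo XMAS
    elif [ "$f" -eq "$SYN" ]; then echo SYN
    elif [ "$f" -eq "$ACK" ]; then echo ACK
    elif [ "$f" -eq "$FIN" ]; then echo FIN
    else echo OTHER
    fi
}

# closed_port_reply PROBE -> what a closed port sends back, as the slides
# describe it. PROBE is a value from classify_tcp_flags, or UDP.
# An ACK probe draws an RST from open and closed ports alike, which is why the
# ACK scan maps firewall rules rather than port state.
closed_port_reply() {
    case "$1" in
        UDP)                   echo "ICMP Port Unreachable" ;;
        SYN|ACK|FIN|NULL|XMAS) echo "RST" ;;
        *)                     echo "unknown probe type: $1" >&2; return 1 ;;
    esac
}

# Constructed sample of captured probes, one per line: "source_ip dest_port flagbyte".
# 10.0.0.5 walks several ports with NULL, XMAS and FIN probes (0, 41, 1);
# 10.0.0.9 is an ordinary client: SYN (2) followed by ACK (16) to one port.
SAMPLE_PROBES='10.0.0.5 22 0
10.0.0.5 25 41
10.0.0.5 80 1
10.0.0.5 443 0
10.0.0.9 80 2
10.0.0.9 80 16'

# count_unusual_probes -> reads probe records from stdin and prints
# "source_ip count" for each source that sent NULL, XMAS or FIN probes.
# Those three never start a legitimate connection, so even a handful from
# one address is worth an alert.
count_unusual_probes() {
    while read -r src _port flags; do
        [ -n "$src" ] || continue
        case "$(classify_tcp_flags "$flags")" in
            NULL|XMAS|FIN) echo "$src" ;;
        esac
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone run: report scanning sources found in the constructed sample.
printf '%s\n' "$SAMPLE_PROBES" | count_unusual_probes
```

Run against the embedded sample the script reports `10.0.0.5 4`; a real deployment would feed it records extracted from a capture (for instance Wireshark's source address, destination port and tcp.flags columns) in the same three-field layout.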

Port-scanning tools
  Nmap
    Insecure.org
  Unicornscan
  NetScanTools Pro 2004
  Nessus (vulnerability scanner)

Nmap
Open source
Standard
Originally written for Phrack magazine
Insecure.org
In The Matrix, used by Trinity
Available
  GUI version: Xnmap
  Windows versions

Unicornscan
Ideal for large networks
Developed in 2004
Scans 65,535 ports in three to seven seconds
Handles port scanning using
  TCP
  ICMP
  IP
Optimizes UDP scanning

NetScanTools Pro 2004
Robust, easy-to-use commercial tool
Supports
  *NIX
  Windows
Types of tests
  Database vulnerabilities
  E-mail account vulnerabilities
  DHCP server discovery
  IP packets and name servers
  OS fingerprinting

Nessus
Released in 1998
Open source tool through V2 and earlier (status changed at V3)
Client/server architecture
  Conducts testing from different locations
  Server: any *NIX platform
  Client: UNIX or Windows
Functions much like a database server
Ability to update security-check plug-ins
  Scripts
  Some plug-ins are considered dangerous (DoS)
Finds services running on ports
Finds vulnerabilities associated with identified services

Ping sweeps
Identify which IP addresses are active within an address range
Problems
  Shut-down computers cannot respond
  Newer machines may have remote wake-up
  Networks may be configured to block ICMP Echo Requests
  Firewalls may be configured to filter out ICMP traffic

Fping
Ping multiple IP addresses simultaneously
www.fping.com/download
Command-line tool
Input: IP address range or file
  Range entered at a shell: -g option
  Input file with addresses: -f option
To create a baseline, redirect Fping output to a file

Hping
Used to bypass filtering devices
Allows users to fragment and manipulate IP packets
www.hping.org/download
Powerful
All security testers should be familiar with the tool
Supports many parameters (command options)

Packet components
  IP address
    Destination
    Source
  Flags
Crafting packets helps you obtain more information about a service
  Flags can be varied

Packet Crafting Tools
  Fping
  Hping

Shell scripting
Enables you to modify tools to better suit your needs
Script
  Computer program that automates tasks
  Time-saving solution
Similar to DOS batch programming
Script or batch file
  Text file
  Contains multiple commands
Repetitive commands are good candidates for scripting
Practice is key
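The baseline idea from the Fping slide (redirect the sweep output to a file) and the automation idea from this one come together in the script below, an added example that is not part of the original slides. It assumes fping is installed and uses the -g option the slides mention together with -a (print only hosts that answered), a standard fping option the slides do not list; the function names, the baseline file location and the constructed host lists are this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: a small script that turns the
# two ideas above into one repeatable task. A ping sweep's output is redirected
# to a baseline file; later sweeps are compared against it and any host that
# appeared or disappeared is reported. The sweep uses fping's -g option from
# the slides plus -a (print only hosts that answered), a standard fping option
# the slides do not list. Everything else here is this example's own.

# sweep RANGE -> one live IP address per line, e.g. sweep 192.168.1.0/24
# (use "fping -a -f hosts.txt" instead to read targets from a file, as the
# slides' -f option describes).
sweep() {
    fping -a -g "$1" 2>/dev/null
}

# normalize -> sorted, de-duplicated copy of stdin with blank lines removed,
# so two sweeps compare cleanly regardless of the order hosts answered in.
normalize() {
    grep -v '^[[:space:]]*$' | sort -u
}

# save_baseline FILE -> reads sweep output from stdin, stores it as the
# baseline and prints the number of hosts stored.
save_baseline() {
    normalize > "$1"
    wc -l < "$1" | tr -d ' '
}

# compare_baseline FILE -> reads a fresh sweep from stdin and prints
# "+ ip" for hosts absent from the baseline and "- ip" for baseline hosts
# that no longer answer. Exit status 0 means nothing changed, 1 means the
# network differs from the baseline (so it works in a cron job or an "if").
compare_baseline() {
    changes=$(normalize | comm -3 "$1" - \
        | awk -F'\t' '$1 != "" { print "- " $1 } $2 != "" { print "+ " $2 }')
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone run against a constructed pair of sweeps (no fping needed):
# the first list stands in for "sweep 10.0.0.0/24 | save_baseline ...",
# the second differs from it by one host.
BASELINE=${TMPDIR:-/tmp}/baseline.$$
printf '10.0.0.1\n10.0.0.2\n10.0.0.3\n' | save_baseline "$BASELINE"
printf '10.0.0.1\n10.0.0.2\n10.0.0.7\n' | compare_baseline "$BASELINE" \
    || echo "network differs from baseline"
rm -f "$BASELINE"
```

In use, `sweep 192.168.1.0/24 | save_baseline baseline.txt` records the starting point once, and `sweep 192.168.1.0/24 | compare_baseline baseline.txt` on a schedule reports new or vanished hosts; the non-zero exit status lets the calling script decide whether to alert.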

Summary
Port scanning
  Also referred to as service scanning
  Process of scanning a range of IP addresses
  Determines what services are running
Port scan types
  SYN
  ACK
  FIN
  UDP
  Others: Connect, NULL, XMAS
Port scanning tools
  Nmap
  Nessus
  Unicornscan
Ping sweeps
  Determine which computers are "alive"
Shell scripting
  Helps with automating tasks

Reference
http://ca.htc.mnscu.edu/ccis2410/