NMAP the King of Scanners
Nmap has the ability to determine not only the computers that are active on the target network, but in many cases it can also determine the operating system, listening ports, services, and possibly user credentials. By using a combination of commands, switches, and options against targets, Nmap can be a great asset in the scanning phase of a penetration testing engagement.
The Nmap Command Structure
Nmap’s command switches have a very distinct structure allowing command options and targets to be
assembled in a manner that supports maximum flexibility. A typical, but quite basic, command is
illustrated in Picture, detailing the several basic parts that tell the scanning engine what to do.
With the exception of the Nmap command itself, each of these options will be covered in more detail in
the sections that follow. The command switches and options tell the operating system what program to
run, in this case Nmap, and what is specifically required to properly execute the task. Following the
command are the scanning options, in this case the stealth scan signified by the “-sS” switch.
Next are the timing options that tell the engine how much traffic to generate and how fast to generate it, ultimately determining how fast or slow the scan will run. In this example, the target option follows the timing
options and is the only other required portion of the command needed to conduct an Nmap scan.
The final option in this example is the output option, telling the application where to send the results of the scan. Nmap scanning commands can be far more complex or much more basic than the command and options string in Picture. For example, the following is all that is needed to conduct a complete Nmap command statement resulting in a scan of the target. In this case, the target is the Metasploitable2 virtual machine from the lab that was described in an earlier chapter of this book.
nmap 10.0.2.100
By default Nmap will conduct a stealth scan of the target at 10.0.2.100 using the normal timing template
(T3) speed if no options are set, as in the example above (the stealth scan is the default when Nmap runs with the privileges needed to send raw packets; otherwise it falls back to the TCP connect scan). Additionally, the scan results are output to the
monitor (standard output). This basic scan illustrates one end of the Nmap spectrum, with the
other end being complex and lengthy scans that define detailed actions that Nmap will complete.
Advanced usage includes executing detailed scripts written for Nmap using the Nmap Scripting Engine
(NSE).
To better understand the details of basic Nmap scans, the next few sections will detail the options that
will enhance the use of Nmap as a scanning tool that helps define targets in the penetration testing
engagement. These sections only scratch the surface of Nmap but will give the reader a solid
understanding of what the tool can do. The sections will cover the scanning, timing, targeting, and
output options. Following these sections, the basic use of preconfigured Nmap scripts will be covered.
Scanning Options
The use of the “-s” (lowercase s) scanning prefix alerts the Nmap scanning engine that the user is
specifying that a specific type of scan should be conducted on the target(s) defined in the scan command. The
lowercase “s” is followed by an upper case letter that will identify the scan type. The selection of scan
type can assist the penetration tester in evading detection by some host and network-based protection
systems and may even circumvent network protections like firewalls.
-sS Stealth Scan
The stealth scan is the default scan option used by Nmap when no scan option is defined. The stealth scan can also be intentionally initiated when the -sS option is set in the command string.
This scan initiates a TCP connection with the target but never completes the three-way handshake. The Nmap engine initiates the handshake by sending the target machine a SYN packet. The target machine will hopefully reply with a SYN/ACK packet, which is not acknowledged by the Nmap engine.
This leaves a connection half-open, as the communication channel is never completely built. Most systems close this connection automatically after a certain time period. In older and poorly configured systems, this type of connection can go undetected, so this type of scan is often considered a more clandestine, less noisy scan of the target.
Today many network systems and even hosts can detect the stealth scan; however, this should not deter the penetration tester from scanning with this technique as it will often be harder to detect than other scans and if the system being targeted is poorly configured, the scan may go totally unnoticed even today. This scan technique is illustrated in Picture.
-sT TCP Connect Scan
The TCP connect scan can often be used to gather more information about the target than the stealth scan, as a full TCP connection is made with the targeted host. In this case, the Nmap engine sends a SYN packet that is hopefully acknowledged by the target with a SYN/ACK reply.
Unlike the stealth scan, this time the Nmap engine completes the communication path by sending a final ACK packet. This scan is logged on most systems but can normally provide more information than the stealth scan Picture.
-sU UDP Scan
The UDP scan assesses the UDP ports on the target system. Unlike scanning TCP ports, UDP scans expect to receive replies back from systems that have the tested ports closed.
Packets sent to open UDP ports are usually not answered; however, if the packet sent does elicit a UDP reply from the target, then the port being probed is open.
If no response is received, then the port could be open or could be filtered by a device like a firewall. Closed UDP ports can be identified by an ICMP response with a type 3 and code 3 response (port unreachable). Finally, ports that are confirmed to be filtered will have an ICMP response of type 3 with codes of 1, 2, 9, 10, or 13, indicating various unreachable errors Picture.
-sA ACK Scan
The ACK scan, -sA, is used to try to determine if a TCP port is filtered or unfiltered. This scan initiates
communications with the target with the acknowledgment (ACK) flag set.
This type of scan can sometimes bypass certain firewalls by posing as a response (ACK) to a request sent from inside the network. The firewall may treat the probe as the answer to a SYN packet sent from the target computer, even though this internal computer never sent a request.
A reset (RST) response to this scan indicates that the queried port is unfiltered. No response, or a type 3 ICMP response with a code of 1, 2, 3, 9, 10, or 13 (unreachable error), indicates that the port is filtered Picture.
Timing Templates
As stated above, the default timing template used by Nmap if no timing switch is set is -T3 or normal. Nmap has the built-in ability to let the user override this functionality to scan the target set faster or
slower than the normal default speed.
There are a number of different settings that are adjusted based on the timing template that is selected, but the most illustrative are the delays between scanning probes and parallel processing status. For this reason, the scan_delay, max_scan_delay, and max_parallelism options will be used to explain each of the different timing templates.
These options provide a good method to measure each of the timing templates to ensure the correct template is set for the engagement and target network. The scan_delay setting sets the minimum pause between probes sent to the target machine while the max_scan_delay indicates the maximum time the scanner will allow the scanning delay to grow based on target and network settings.
This can be important as some systems will only reply to probes at a specific rate. Nmap will automatically adjust the probe timing to match the requirements of the system or network up to the max_scan_delay setting. Max_parallelism instructs the system to either send one probe at a time for serial scans or multiple probes at the same time for parallel scans.
The following examples will all use the same target, the Metasploitable2 virtual machine, with the -sU
(UDP scan) switch set. While it has not been introduced yet, the example will use the port switch (-p) to
indicate the first 500 ports should be scanned with the -p 1-500 switch combination.
The Nmap command for this will look like the following; however, the hash sign (#) will be replaced with the number of the template to be used for that specific example. This way the timing of the scans can be compared to each other. While the -T# switch is being used in this example, the English name could also be used to achieve the same results; therefore -T5 and --timing insane result in the same scan being run.
nmap -sU -T# -p 1-500 10.0.2.100
or
nmap -sU --timing paranoid -p 1-500 10.0.2.100
-T0 Paranoid
The -T0 or Paranoid scan is used for slow network links or in situations where detection risks must be
minimized. This is a serial scan that will pause for a base minimum of 5 minutes between probes; however, the max_scan_delay
setting of 1 second is ignored, as the base scan_delay is set to a value higher than this default value.
It is easy to see the amount of time needed to complete the paranoid scan on only 500 UDP ports on a single computer in Picture. In Picture, the system time is displayed at the top of the screenshot as 10:29 AM and the scan start time was 8:23 AM, indicating the scan has been running for over 2 hours.
The last line indicates that the scan will complete in another 45 hours and 37 minutes. This scan can be effective but should be used only when stealth is required and a lot of time is available.
-T1 Sneaky
The -T1 or --timing sneaky scan is slightly faster than the paranoid scan, reducing the scan time needed
while maintaining some of the stealth inherent in a slower scan.
This scan also uses a serial process for querying the target, but reduces the scan_delay quite dramatically to 15 seconds. While the scan_delay is reduced, it is still a larger value than the max_scan_delay, so this second value is ignored. The difference in speed between this scan and the -T0 scan is illustrated by the scan time being reduced to 8331 seconds or 138 minutes.
-T2 Polite
The -T2 or --timing polite scan is an increase in speed again over the -T0 and -T1 scans and is the last
scanning template to use the serial scanning technique.
The scan_delay for this scan is set to 400 milliseconds, making this the first template to make use of the max_scan_delay, a value that is still set to the default of 1 second. With this template selected, Nmap will begin scanning targets using the scan_delay of 400 milliseconds but has the ability to dynamically adjust the delay up to a maximum of 1 second.
By examining the time required to complete the polite scan of the same 500 ports, overall scanning time has been reduced to just 544 seconds or just 9 minutes Picture.
-T3 Normal
The -T3 or --timing normal scan is the default scan for Nmap, meaning that if no timing template or manual timing options are set, the settings in this template will be used for the scan.
This template is the first to use the parallel processing technique, sending multiple probes out simultaneously, increasing the overall speed. This scan has a scan_delay of 0 seconds that can grow to a max_scan_delay of 1 second, meaning the scan will occur as quickly as possible, but after 1 second the current port probe will be abandoned and the next port will be scanned.
The normal scan will complete the scan of selected ports on the target computer in 547 seconds, actually slower than the polite scan in this case; however, this is not normally the case.
This is one of the strange quirks of scanning, at times things will align and a scan that should be slower really is not that much slower.
This is why the successful penetration tester should be familiar with all of the tools in his or her arsenal to know how to best employ them Picture.
-T4 Aggressive
The -T4 or --timing aggressive template also runs its scanning in parallel, increasing speed. The scan_delay for this template is set to 0 seconds and can grow to a max_scan_delay of 10 milliseconds.
Scans with a max_scan_delay of less than 1 second are prone to errors, as some target operating systems have settings that require a minimum delay between probe responses of 1 second.
This scan completed the port scan of the Metasploitable2 virtual machine in just 477 seconds or just under 8 minutes Picture.
-T5 Insane
The -T5 or --timing insane timing template is the fastest of the built-in timing templates. This template
uses the parallel scanning technique with a scan_delay of 0 seconds and a max_scan_delay of 5
milliseconds.
As stated with the -T4 Aggressive scan, this scan can cause errors based on target machine
operating systems and settings. This scan, the fastest, completed in just under 22 seconds; however, the
results are quite a bit different than all of the scans to this point Picture.
Targeting
Identifying the target or target set for an Nmap scan is one of the most important parts of the Nmap
command string. Defining the wrong targets can result in scanning empty IP space or worse yet computers
that are not covered by the Rules of Engagement (ROE).
There are a number of ways that a target set can be defined in the scan statement string. Of these methods, the two described in this book are the IP address range and using a scan list.
IP Address Ranges
Defining a set of targets using an IP address range is quite straightforward. For this example the address range will be the 10.0.2.x class C address range. This means that the maximum number of hosts that can be included in the scan is 254. To scan all of the hosts, use the following command.
nmap 10.0.2.1-255
This same scan can be completed using the CIDR method of addressing by using the /24 postfix as
follows. CIDR addressing is a quick way to select a range of addresses, but a full treatment of it is beyond
the scope of this book.
nmap 10.0.2.1/24
A quick way to define a CIDR range without completing all of the calculations is by using one of the online calculators like the one at http://www.mikero.com/misc/ipcalc/. To use this, enter the starting and ending addresses in the IP Range boxes and click the Convert button. There are a number of good references that can be used to learn more about CIDR addressing.
A smaller set of IP addresses can be identified in the scan by defining the smaller IP range. In this example, the first 100 addresses will be scanned.
nmap 10.0.2.1-100
or, approximately, using CIDR notation (note that a /25 covers 128 addresses, 10.0.2.0 through 10.0.2.127, not exactly the first 100)
nmap 10.0.2.0/25
Scan List
Nmap can also use a text file as input for the target list. Assume that the following addresses are stored in
a file called targets.txt.
10.0.2.1
10.0.2.15
10.0.2.55
10.0.2.100
The command to use this file would look like the following.
nmap -iL targets.txt
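The target specs described above (per-octet ranges, CIDR blocks, and a scan list file) decide exactly which addresses Nmap will touch, so it is worth expanding them and checking the result against the Rules of Engagement before a scan runs. The following is an added example, not code from the original text or the Nmap project; the scan list contents and the ROE scope are constructed for illustration.

```python
# Added example (not from the original text or the Nmap project): expand
# Nmap-style target specs the way the sections above describe (per-octet
# ranges such as 10.0.2.1-100, CIDR such as 10.0.2.0/25, or a -iL scan list)
# and flag any address that falls outside the agreed Rules of Engagement.
import ipaddress
from itertools import product

# Constructed scan-list file contents, as they would be given to nmap -iL,
# and a constructed ROE scope that covers only the lab's 10.0.2.0/24 network.
SCAN_LIST = "10.0.2.1\n10.0.2.15\n10.0.2.55\n10.0.2.100\n10.0.3.7\n"
ROE_SCOPE = ["10.0.2.0/24"]


def expand_target(spec):
    """Return every IPv4 address a single Nmap target spec covers."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False lets 10.0.2.1/24 select the whole 10.0.2.0/24 block,
        # which is how Nmap treats a host address written with a prefix length
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octet_ranges = []
    for octet in spec.split("."):
        lo, _, hi = octet.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range in {spec!r}")
        octet_ranges.append(range(lo, hi + 1))
    if len(octet_ranges) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [".".join(map(str, o)) for o in product(*octet_ranges)]


def load_scan_list(text):
    """Specs from a -iL style list: entries separated by spaces, tabs or newlines."""
    return text.split()


def out_of_scope(specs, roe_networks):
    """Addresses covered by the specs that lie outside every ROE network."""
    allowed = [ipaddress.ip_network(n) for n in roe_networks]
    hosts = {ip for spec in specs for ip in expand_target(spec)}
    return sorted((ip for ip in hosts
                   if not any(ipaddress.ip_address(ip) in n for n in allowed)),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    print(len(expand_target("10.0.2.1-100")), "addresses in 10.0.2.1-100")  # 100
    print(len(expand_target("10.0.2.0/25")), "addresses in 10.0.2.0/25")    # 128
    print("outside ROE:", out_of_scope(load_scan_list(SCAN_LIST), ROE_SCOPE))
```

Running it shows that 10.0.2.0/25 is 128 addresses rather than 100, and that the constructed list contains one host (10.0.3.7) that the ROE does not cover.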
Selecting Ports
Selecting ports can be done by using the -p switch in the scan command. A contiguous range of ports can be given by
using a dash in the command, and individual ports can be listed separated by commas; the two forms can be combined.
nmap -sS -p 1-100 10.0.2.100
nmap -sU -p 53,137,138,161,162 10.0.2.100
(or use both) nmap -sS -p 1-100,445,8000-9000 10.0.2.100
Output Options
There are many times that the penetration tester does not want the Nmap scan to be output to the screen but
rather saved to a file. This can be done by redirecting standard output with the shell (the > operator) or piping it (|) into another tool, but for this chapter the
Nmap scan output options will be described. These include normal, XML, and GREPable. For all of
these examples, the metasploitable target at 10.0.2.100 will be used and the appropriate extension will be
used with the file name “metascan”.
-oN Normal Output
The normal output option will create a text file that can be used to evaluate the scan results or use as input
for other programs.
nmap -oN metascan.txt 10.0.2.100
-oX Extensible Markup Language (XML) Output
XML output can be used for input into a number of different applications for further processing or
evaluation.
nmap -oX metascan.xml 10.0.2.100
-oG GREPable Output
GREPable output is often used by penetration testers to allow further investigation using tools like GREP,
but can also be searched using tools like AWK, SED, and DIFF.
nmap -oG metascan.txt 10.0.2.100
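The GREPable format is one "Host:" line per host with tab-separated fields, which makes it easy to compare two scans of the same target and spot ports that have opened or closed, the job the text suggests for DIFF. The following is an added example, not code from the original text or the Nmap project; the two scan outputs are constructed to follow the -oG layout rather than captured from the lab.

```python
# Added example (not from the original text or the Nmap project): parse
# Nmap GREPable output and report port-state changes between two scans.
# The scan text below is constructed to follow the -oG layout: tab-separated
# "Key: value" fields, Ports entries as port/state/proto/owner/service/rpc/version/.
BASELINE = """\
# Nmap scan initiated as: nmap -sS -oG baseline.gnmap 10.0.2.100
Host: 10.0.2.100 ()\tStatus: Up
Host: 10.0.2.100 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (997)
# Nmap done -- 1 IP address (1 host up) scanned in 1.20 seconds
"""
CURRENT = """\
# Nmap scan initiated as: nmap -sS -oG current.gnmap 10.0.2.100
Host: 10.0.2.100 ()\tStatus: Up
Host: 10.0.2.100 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 4444/open/tcp/////\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned in 1.31 seconds
"""


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service)}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines and the trailer carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = hosts.setdefault(fields["Host"].split()[0], {})
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 7 and parts[0].isdigit():
                port, state, proto, _owner, service = parts[:5]
                ports[(int(port), proto)] = (state, service)
    return hosts


def diff_scans(old, new):
    """Per host, ports whose state differs: {(port, proto): (before, after)}.

    A port missing from one scan is reported as 'absent' on that side.
    """
    changes = {}
    for host in sorted(set(old) | set(new)):
        a, b = old.get(host, {}), new.get(host, {})
        delta = {k: (a.get(k, ("absent",))[0], b.get(k, ("absent",))[0])
                 for k in set(a) | set(b) if a.get(k) != b.get(k)}
        if delta:
            changes[host] = delta
    return changes


if __name__ == "__main__":
    for host, delta in diff_scans(parse_gnmap(BASELINE), parse_gnmap(CURRENT)).items():
        for (port, proto), (before, after) in sorted(delta.items()):
            print(f"{host} {port}/{proto}: {before} -> {after}")
```

Against the constructed samples the report shows 23/tcp going from open to absent and 445/tcp and 4444/tcp newly open, the kind of change a defender would want flagged between scheduled scans.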
-oS ScRipT Kidd|# oUTpuT
While not used for serious penetration testing, the script kiddie output can be fun to use from time to time.
This output method should not be used for serious scans, as it uses the “leet” speak favored by many that most penetration testers would call “script kiddies.”
nmap -oS metascan.txt 10.0.2.100
Nmap Scripting Engine
Building custom scripts for Nmap is beyond the scope of this book; however, the ability to use preconfigured scripts can be quite helpful for conducting penetration tests. The full set of preconfigured scripts can be found at http://nmap.org/nsedoc/. For this example, the script used retrieves the target's NetBIOS and MAC address information. To tell the Nmap scanning engine that a script will be used, the --script flag is used as in the example.
nmap --script nbstat.nse 10.0.2.100
The Nmap project is constantly developing new scripts for community use. A security tester will want to make sure that the script database within Nmap is as up to date as possible. It is recommended that the database be updated before heading out on a mission. To update the Nmap script database:
nmap --script-updatedb
good information buddy keep up..:
Thanks buddy :)