April 16, 2016

Penetration testing tools - Nmap


Nmap is THE network scanner. You can download it for free for Linux and Windows. In my opinion it is the first tool to learn for all wanna-be penetration testers (like myself). Nmap can be used to scan large networks, or even the whole Internet, but in this example we will consider a simple hypothetical home LAN to which we are presumed to be connected. This way it is also easy for you to test these commands. In this article I will first present a command and then go into detail to explain what it actually does.

There is a lot of information about Nmap here. This article is not meant to be a comprehensive guide. Rather, I will explain how the underlying technologies work and what their purpose is. You can then apply this knowledge to fit different situations. I will only present a few essential commands here. However, you can get pretty far with just these...


First command - Finding hosts

nmap -sP 192.168.1.1/24

This basic ping scan (-sP) will show you all the devices that are connected to the network and are set to reply to ICMP echo requests.

ICMP (Internet Control Message Protocol) was designed as the debugging, troubleshooting, and error reporting mechanism for IP. Such network layer protocols are not normally used by end-user applications, but ping and traceroute are diagnostic tools that make an exception to this rule. Because of their purpose, ICMP messages are very valuable. Nevertheless, in some cases network administrators want to disable these replies in order to hide servers from ping scans. In these cases you will not be able to find those servers with this command.

The part that tells Nmap to scan the whole network is the "/24" notation. Usually home LANs have a subnet mask of 255.255.255.0, which has the same meaning as "/24" appended to an IP address. If you are not sure of your network mask, you can type "ifconfig" into your command line, or "ipconfig" in Windows, to find out.

Let me clarify the meaning of the subnet mask, because it is important to understand it here. The subnet mask divides the IP address into two parts: the network address and the usable addresses. In our example, the subnet mask of 255.255.255.0 tells us that the first three sections of the IP address are part of the network address, and the last section contains the freely distributable addresses. So when I tell Nmap to scan 192.168.1.1/24, it will scan all the distributable addresses of network 192.168.1.0, i.e. from 192.168.1.1 to 192.168.1.255.
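To make the "/24" arithmetic concrete, here is an added example (not code from the original post) that computes the network address, mask, broadcast and usable host range from a target written in CIDR form, using the same bitwise logic the subnet mask implies, and cross-checks the result against Python's standard ipaddress module:

```python
import ipaddress


def _to_dotted(n: int) -> str:
    """Render a 32-bit integer as dotted-quad notation."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_info(cidr: str) -> dict:
    """Split "a.b.c.d/N" into network, mask, broadcast and usable host range."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    octets = [int(o) for o in addr_str.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a valid IPv4 address: " + addr_str)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    # "/24" means 24 one-bits followed by 8 zero-bits, i.e. 255.255.255.0.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set
    total = 1 << (32 - prefix)
    # On /30 and larger networks the network and broadcast addresses are not hosts.
    usable = total - 2 if prefix <= 30 else total
    first_host = network + 1 if prefix <= 30 else network
    last_host = broadcast - 1 if prefix <= 30 else broadcast
    return {
        "network": _to_dotted(network),
        "mask": _to_dotted(mask),
        "broadcast": _to_dotted(broadcast),
        "first_host": _to_dotted(first_host),
        "last_host": _to_dotted(last_host),
        "total_addresses": total,
        "usable_hosts": usable,
    }


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against the ipaddress module."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = cidr_info(cidr)
    return (info["network"] == str(net.network_address)
            and info["mask"] == str(net.netmask)
            and info["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    for target in ("192.168.1.1/24", "10.0.5.77/20"):
        print(target, cidr_info(target), "stdlib agrees:", matches_stdlib(target))
```

The second target shows that the same arithmetic handles a mask that does not fall on an octet boundary, which is where "/N" notation is easier to reason about than the dotted mask.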

Okay, let's create some ground for the next command. Let's presume that with our ping scan we discovered three hosts. The first one is 192.168.1.1, which we know is our router, because that is the norm, and because it is our default gateway (you can check your default GW in Ubuntu by typing "route -n" and in Windows with ipconfig). The other two hosts that are up are 192.168.1.2 and 192.168.1.3. Next we will find out more...


Second command - Comprehensive port scan

nmap -sS -sU 192.168.1.2-3 -p1-65535

Before you start this scan, understand that it will take a LONG time (for me it took about 24 hours for one target). Rather than executing it in full, adapt it to your situation and remove the redundant part. If you, for example, take the "-p1-65535" part off, Nmap will scan only the 1000 most commonly used ports. If you were doing penetration testing on a corporate network, you would just execute something like this and leave it running while using another computer to perform other tasks. This is the case if you want to be extremely confident that you find all open ports. Still, it should be noted that normally on corporate networks the public services are running on some of the well-known ports and can be found more quickly with less comprehensive scans.

Related pro tip - when the scan is in progress and you want to know how much is left, press "t" or <enter>.

To understand the above command, it is essential to understand the three-way handshake used by TCP - the Transmission Control Protocol. When forming a TCP connection, the parties go through these three steps:
  1. Opening the connection - performed by the client by sending a SYN-packet to a server
  2. Reply - the server replies with a SYN-ACK-packet.
  3. Confirmation - the client sends an ACK-packet back to the server.
After this a full-duplex connection is established and the server and the client can send data to each other. With the SYN scan (-sS) Nmap shrewdly takes advantage of a server's responsibility to always reply to SYN-packets. If this were not the case no service would work, because no one would be able to establish a connection... So with a SYN scan you can find out if there are any services open on a host, because if there are, you will definitely get a reply.

Unless the service is using UDP instead of TCP. UDP stands for User Datagram Protocol. Simply put, it is just another way of sending packets over a network. Some services, like DNS, SNMP, and DHCP, use UDP instead of TCP. I briefly described the difference between those two in my setting up OpenVPN article, but here the important point is that UDP has its own set of ports. You can scan those with Nmap using the -sU option. A UDP scan is much slower than the TCP SYN scan, but if you don't do it, you might miss some vulnerable services. Basically, when executing a UDP scan Nmap sends an empty UDP packet to a port and, based on the reply or the lack of it, deduces the state of the port.
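The flip side of the SYN and UDP scan mechanics described above is what they look like from the target's side: many lone SYNs (never followed by an ACK) and stray UDP datagrams to distinct ports from one source in a short window. This added example, not part of the original post, runs that heuristic over constructed firewall log lines in an assumed iptables-like layout; the thresholds are assumptions to tune for your own network:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture): 192.168.1.50 sends lone SYNs and UDP
# probes to several ports; 192.168.1.20 opens one normal SSH session (SYN then ACK).
SAMPLE_LOG = """\
2016-04-16T10:00:01 SRC=192.168.1.50 DST=192.168.1.2 PROTO=TCP DPT=22 FLAGS=S
2016-04-16T10:00:01 SRC=192.168.1.50 DST=192.168.1.2 PROTO=TCP DPT=80 FLAGS=S
2016-04-16T10:00:02 SRC=192.168.1.20 DST=192.168.1.2 PROTO=TCP DPT=22 FLAGS=S
2016-04-16T10:00:02 SRC=192.168.1.20 DST=192.168.1.2 PROTO=TCP DPT=22 FLAGS=A
2016-04-16T10:00:03 SRC=192.168.1.50 DST=192.168.1.2 PROTO=TCP DPT=3306 FLAGS=S
2016-04-16T10:00:03 SRC=192.168.1.50 DST=192.168.1.2 PROTO=TCP DPT=47291 FLAGS=S
2016-04-16T10:00:04 SRC=192.168.1.50 DST=192.168.1.2 PROTO=UDP DPT=53
2016-04-16T10:00:05 SRC=192.168.1.50 DST=192.168.1.2 PROTO=UDP DPT=161
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)(?: FLAGS=(?P<flags>\S+))?$")


def detect_scans(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Flag sources whose half-open TCP plus UDP probes to distinct ports reach threshold in window_s."""
    syns = defaultdict(set)      # src -> {(dst, dport)} that received a SYN
    acked = set()                # (src, dst, dport) where the handshake was completed
    udp = defaultdict(set)       # src -> {(dst, dport)} that received a UDP datagram
    first_seen, last_seen = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # skip lines in another format
        ts = datetime.fromisoformat(m["ts"])
        src, key = m["src"], (m["dst"], int(m["dpt"]))
        first_seen.setdefault(src, ts)
        last_seen[src] = ts
        if m["proto"] == "UDP":
            udp[src].add(key)
        elif m["flags"] == "S":                # SYN only: what -sS sends
            syns[src].add(key)
        elif "A" in (m["flags"] or ""):        # ACK: a real client finished the handshake
            acked.add((src,) + key)
    alerts = []
    for src in set(syns) | set(udp):
        half_open = {k for k in syns[src] if (src,) + k not in acked}
        probes = len(half_open) + len(udp[src])
        span = (last_seen[src] - first_seen[src]).total_seconds()
        if probes >= threshold and span <= window_s:
            alerts.append({"src": src, "half_open_tcp": len(half_open),
                           "udp_probes": len(udp[src]), "seconds": span})
    return alerts
```

A real client that never completes the handshake (a failed connection) also looks half-open, which is why the heuristic counts distinct ports rather than single events.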

Let me quickly recall what ports are. They are the end points of connections through which data flows into operating systems. Ports are not physical, but logical constructs in software that identify processes and their connections. There are 65 535 ports in total, but only a fraction of them are used. The 1024 "well known" ports are reserved for protocols like HTTP, SMTP and SSH. Ports outside the well-known range are also used, but more randomly. So... if there is a public service, like FTP, running on a host, the service is listening on a specific port. This means the port is open and could be exploited to gain access to the system. This is the goal we have in mind when scanning for open ports with Nmap.

For this scan I determined the IP address range for the two hosts found with the first command. The IPs 192.168.1.2 and 192.168.1.3 will be scanned. The last option, "-p", determines the port range. This scan would go through all 65 535 ports on both IP addresses. This way you can also find those services that are running on a random port number.

Okay, for the next command let's say we found out there is an open port 47291 on 192.168.1.2. Nmap will tell us that the service is "unknown".


Third command - Version discovery

nmap -sV 192.168.1.2 -p47291

If you tried the scan above, you might have noticed that the results gave some detailed information about the services running on those ports. This is because Nmap has a database of about 2,200 well-known services that usually run on their default ports. For example, the default port for SSH is 22. If port number 22 is open, Nmap will deduce it has an SSH service running. However, we can find out more, because real "OS fingerprinting" has not yet been conducted. Sometimes it could be that, for example, a company has prevented the use of telnet because of its security flaws, but an employee is running telnet on port 22. In this case Nmap would deduce that an SSH service is running, but with version discovery we will find out the real service. We will do that with the -sV option. Notice that we have targeted the scan on a single port on a single host that we found with the earlier scan. You can extend this as much as you like, but you might not need to.

Nmap's version discovery is an extremely clever tool that connects to open ports and interrogates them using probes tailored for specific services. Based on the replies it can deduce details of the service (like the operating system, the specific version and sometimes even the configured hostname).
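The difference between the port-number guess and what the service actually says is the whole point of -sV. This added example (my own code, not Nmap's database or matching engine) models that idea with a small constructed port table and a handful of banner patterns, and reports the telnet-on-port-22 mismatch described above:

```python
import re

# Constructed default-port table, the kind of guess made before any probing.
PORT_GUESS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

# Constructed banner patterns: (service, pattern over the raw banner bytes, version group).
# Loosely modelled on the idea of probe/match rules; not Nmap's own signatures.
BANNER_MATCHES = [
    ("ssh", re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<ver>[^\s\r\n]+)"), "ver"),
    ("smtp", re.compile(rb"^220 \S+ (?P<ver>[^\r\n]*SMTP[^\r\n]*)"), "ver"),
    ("ftp", re.compile(rb"^220[ -](?P<ver>[^\r\n]*FTP[^\r\n]*)"), "ver"),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}"), None),
    # Telnet servers open with IAC (0xff) option negotiation bytes instead of text.
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]"), None),
]


def identify(port: int, banner: bytes) -> dict:
    """Compare the port-number guess with what the banner actually says."""
    guess = PORT_GUESS.get(port)
    matched, version = None, None
    for service, pattern, ver_group in BANNER_MATCHES:
        m = pattern.match(banner)
        if m:
            matched = service
            if ver_group:
                version = m.group(ver_group).decode("ascii", "replace")
            break
    return {
        "port": port,
        "port_guess": guess,
        "banner_service": matched,
        "version": version,
        # True in the telnet-on-22 situation: the banner contradicts the port table.
        "mismatch": matched is not None and guess is not None and matched != guess,
    }


if __name__ == "__main__":
    # Constructed banners, as a service would send them right after connecting.
    print(identify(22, b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\r\n"))
    print(identify(22, b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'"))
    print(identify(47291, b"HTTP/1.1 200 OK\r\nServer: example\r\n"))
```

Note that only some services announce themselves unprompted; others, like HTTP, answer only after a request, which is why real version detection sends service-specific probes rather than just reading.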


Notice!
Scanning networks without permission is illegal in many countries. You can be prosecuted by law if you use these scans against wrong targets. I used to work for an Internet service provider and I know they filter their networks for scanning attempts and close down the connections for the source of those scans. In most cases this was due to botnet infection, but it could as well be your Nmap testing.


Reference

I borrowed a great book from my friend. If you want to gain in-depth knowledge about Nmap, I can definitely recommend this (though the same information is probably available at the webpage I provided in the beginning):
