Tuesday, 30-January-2001 04:13:05 PDT|
Now, I'm not going to spend too much time explaining how to use Nmap. There is no point in all of you coming out here just to learn what all the options mean. The Nmap web page at Insecure.Org offers the man page in various languages, as well as usage examples, tutorials, articles, etc. So I will generally only cover specific features of Nmap when they relate to issues being discussed.
Before I get started, I want to get an idea of how familiar you guys are with Nmap so I can taylor the talk accordingly. Would those of those of you who have at least heard of Nmap raise your hands? How many have actually used it?
Good. Thanks. (skip to usage)
Nmap V. 2.54BETA19 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges) -sT TCP connect() port scan (default) * -sS TCP SYN stealth port scan (best all-around TCP scan) * -sU UDP port scan -sP ping scan (Find any reachable machines) * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only) -sR/-I RPC/Identd scan (use with other scan types) Some Common Options (none are required, most can be combined): * -O Use TCP/IP fingerprinting to guess remote operating system -p ports to scan. Example range: '1-1024,1080,6666,31337' -F Only scans ports listed in nmap-services -v Verbose. Its use is recommended. Use twice for greater effect. -P0 Don't ping hosts (needed to scan www.microsoft.com and others) * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys -T General timing policy -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve] -oN/-oX/-oG Output normal/XML/grepable scan logs to -iL Get targets from file; Use '-' for stdin * -S /-e Specify source address or network interface --interactive Go into interactive mode (then press h for help) Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*' SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
amy~> ping microsoft.com PING microsoft.com (188.8.131.52) from 184.108.40.206 : 56(84) bytes of data. --- microsoft.com ping statistics --- 8 packets transmitted, 0 packets received, 100% packet lossThe first time I pinged Microsoft like this, I thought, well, it is Windows. The box is probably crashed and not responding. But they are actually filtering the pings as we will soon see.
-PS. We will discuss one reason for doing this later.
-P0tells Nmap to scan each machine without even checking if it is up first. This can be very slow (if scanning thousands of ports), but is the ultimate technique for paranoid (experienced) security admins.
-sSargument to perform this kind of scan. The idea is that we send a SYN packet to the target host & port. If the port is open, the target host will send back a SYN|ACK. If closed, the target returns a RST. Even if we get a SYN|ACK (meaning the port is open), we RST the partial connection rather than completing it. That is why it is called half-open scanning.
-sU) A lot of people forget this whole protocol. They close all there TCP ports and think they are secure, but do not realize they have SunRPC, syslogd, lpd, and mountd all waiting to be exploited via UDP.
-sN). FIN scan, as you can imagine, uses TCP packets with just the FIN flag set. NULL uses no flags at all, and XMAS scan uses every flag except SYN, ACK and RST.. More details on the mechanics of these scans is available in the Nmap manpage.
else if (scantype == NULL_SCAN) scanflags = 0;
-sA) for probing firewalls/filtering systems.The idea here is pretty simple. In response to an unexpected ACK packet, a compliant TCP stack will send back a RST. But if we get nothing back on some ports, or we get an ICMP administratively prohibited host unreachable, we know a filter is blocking our packet. Now SYN scan tells you this too, with the added bonus of determining whether the port is open at the same time. But an ACK is more likely to get through to the destination machine since it is difficult to block with stateless filters like ipchains, router ACLs, etc). So doing an SYN scan followed by an ACK scan can tell you a lot about what type of firewall is being used and how it is configured. (FIXME: Demo -- hping Microsoft with ACK packet to port 80 and SYN packet to port 80)
-sP. Nmap usually focuses on TCP, UDP, and ICMP, but there is a whole World of other protocols available for advanced attacks and information gathering. The Protocol Scan cycles through the 8-bit protocol field sending raw IP headers without any data. An ICMP Protocol Unreachable error means the target does not accept packets for the given protocol.
For example, here is a SYN scan of a high-end CISCO router:
amy~# nmap -sS 220.127.116.11 (Explain syntax then note: scanning single machine. To scan the class C subnet containing this IP you would add /24 to the end to scan the 24-bit subnet. Or you could use 18.104.22.168-255. Starting nmap V. 2.54BETA19 ( insecure.org/nmap/ ) Interesting ports on dcr01-g6-0.sntc05.exodus.net (22.214.171.124): (The 1537 ports scanned but not shown below are in state: closed) As a side note, many people ignore this line (above), but it is actually quite important [explain it]. Port State Service 514/tcp open shell Nmap run completed -- 1 IP address (1 host up) scanned in 7 secondsAs you can see, this doesn't leave a whole lot of room for attack because there is only 1 open TCP port. In a real audit, UDP would be scanned too.
amy~#nmap -sO 126.96.36.199 Starting nmap V. 2.54BETA19 ( insecure.org/nmap/ ) Interesting protocols on dcr01-g6-0.sntc05.exodus.net (188.8.131.52): (The 238 protocols scanned but not shown below are in state: closed) Protocol State Name 1 open icmp 4 open ip 6 open tcp 8 open egp 9 open igp 17 open udp 47 open gre 53 open swipe 54 open narp 55 open mobile 77 open sun-nd 80 open iso-ip 88 open eigrp 89 open ospfigp 94 open ipip 103 open pim Nmap run completed -- 1 IP address (1 host up) scanned in 149 secondsLooking over this list we see a bunch of potential opportunities, such as [ go through list and note interesting ones ]. These protocols are not hammered on by attackers nearly as frequently as TCP, UDP, and ICMP. So it may be easier to find and exploit bugs and design flaws in them.
IP Protocol scanning support was sent in by Gerhard Rieger (email@example.com) last year. And since this is an Open Source and Free Software development conference, I will take an aside here and mention that I consider this to be a great example of where Open Source really shines. Even though this may seem like an obvious feature now, it wasn't on my radar last year because I hadn't thought of it and nobody had asked for it. Then out of the blue one day, Gerhard sent his complete patch to nmap-hackers. I am very pleased to report that this sort of grass roots innovation is not an isolated occurance. Literally hundreds of people have helped out in important ways. For example, just this last Thursday someone named Rob Braun sent me MacOS X (um, I think they call it Darwin now) portability patches. I integrated those in so that the next version of Nmap will support Darwin right out of the box. Closed source competitors like the ISS Security Scanner and NAI Cybercop completely miss out on this opportunity.
-O) can usually determine the OS in use via a technique known as TCP/IP fingerprinting. The idea is to send various valid and invalid IP packets to the remote host and study the characteristics of the response very closely. A paper I wrote which describes these techniques is available at https://nmap.org/nmap-fingerprinting-article.html.
hping2 --traceroute -t 1 -2 --baseport 53 -keep -V -p 5023 gw.target.comThis means do a traceroute, starting with ttl=1 using UDP packets with a source port of 53 (dns) and a desination port of 5023 against gw.target.com. -V just turns on verbosity.
-goption allows for changing the source port of a scan.
-Ioption). (Describe the problem; Open shell and do "nmap -I localhost"; first of all, note that my box is not following the golden rule of closing all the ports you don't need. Those are actually only opened to localhost for demos. Also note that this gives attackers an easy way to prioritize their attacks. They will go after the root services first. Additionally, it gives them a chance to spot common misconfigurations, such as httpd servers running as root.)
-sR). We'll give an example of this soon.
nmap -sS -PS53 -p53 10.0.0.8/8Recall from earlier in this presentation that -PS means "spew SYN packet probes to the given port of each target IP and watch for replies". But if a SYN packet has already been sent to the targeted port of a machine, doing the actuaql "SYN scan" is redundant, so Nmap just interprets the results of the initial SYN probe to deterine whether the port is open or not This shortcut can make a scan go two or three times faster than it would otherwise. All three options above must be given, and the port numbers must match up.
"nmap -sS -PS53 -p53 10.2.3.0/24 10.0.0.8/8"" (assuming 10.2.3.* contains some machines).
-T Aggressiveor to muck with the low level timing parameters (eg --max_rtt_timout, --host_timeout, etc.). These can make a dramatic difference if you scan thousands of hosts and learn to use them appropriately. Usually they are most important if the hosts being scanned are behind a firewall. Otherwise Nmap usually does a good job at determining the optimum scan speed.
-D) uses source address spoofing to forge scans against the target "from" the machines given as decoys. So even if the target network has special software to log scans, they will see scans from dozens of addresses and are unlikely to be able to fish out the true scan origin from all of the decoys. Now this feature caused a bit of a stir when I first released it. For example, the Naval Surface Warfare Center put out an alarming report shortly afterward saying that they were seeing "coordinated, multi-national attacks" where it appeared that computers all over the world wore working together the Navy network. In reality, it was probably just some 15-year-old using Nmap -D. This caused some people to ask me why I even add such an option, which they considered to have no legitimate purpose. Well, first of all, there can be legitimate purposes to use decoys. And more importantly, I was noticing several disturbing trends:
amy~#nmap -p- -sR -I -O www.secret.com Starting nmap V. 2.52 by ( insecure.org/nmap/ ) Interesting ports on foo.bar.com (184.108.40.206): (The 65514 ports scanned but not shown below are in state: closed) Port State Service (RPC) Owner 21/tcp open ftp root 22/tcp open ssh root 23/tcp open telnet root 25/tcp open smtp mail 80/tcp open http http 110/tcp open pop-3 root 111/tcp filtered sunrpc 113/tcp open auth root 220/tcp filtered imap3 443/tcp open https http 512/tcp filtered exec 513/tcp filtered login 514/tcp filtered shell 515/tcp filtered printer 516/tcp filtered videotex 517/tcp filtered talk 518/tcp filtered ntalk 635/tcp filtered unknown 939/tcp open (status V1) root 2049/tcp filtered nfs 3600/tcp open unknown root TCP Sequence Prediction: Class=random positive increments Difficulty=4797787 (Good luck!) Sequence numbers: 702A7726 70243971 7059255D 70F3C86B 710DC518 704EBFEE Remote operating system guess: Linux 2.1.122 - 2.2.14 Nmap run completed -- 1 IP address (1 host up) scanned in 467 secondsNote that this is the traditional command line version. Several X Window versions are also available, and one of them is included with the base Nmap distribution. In addition, web front ends are available so that you can control it from a remote browser.