Network Security Testing with Nmap Workshop
TRANSCRIPT
About Trainer
• Name: Shaikh Jamal Uddin
• Experience: Over 5 years of hardcore Information Security experience in consultancy and training for clients from the Finance, Military, Energy, Shipping and Telecom sectors. He completed Computer Engineering at Sir Syed University (SSUET), Karachi.
• Certifications: CPTE, CEH, ECSA, TCSE, MCSA, MCITP, MCS, BCSE, TCSP.
Why a Workshop?
Workshops are great for brainstorming, interactive learning, building relationships and problem solving.
CPTE & CEH
Introduction to Ethical Hacking
Footprinting & Reconnaissance
Scanning Networks
Enumeration
System Hacking
Trojans & Backdoors
Viruses & Worms
Sniffers
Social Engineering
Denial of Service (DoS)
Session Hijacking
Hacking Web Servers
Hacking Web Applications
SQL Injection
Hacking Wireless Networks
Hacking Mobile Platforms
Evading IDS, Firewalls & Honeypots
Buffer Overflow
Cryptography
Penetration Testing (Reporting)
Network Security Testing with NMAP
What is NMAP?
NMAP (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thereby creating a "map" of the network.
NMAP can be used to:
• map a network
• enumerate hosts
• enumerate services
• obtain details about services
Active Probing
NMAP sends specially crafted packets to the target host and then analyses the responses.
4 Steps to Performing a Security Audit of Your Network
1. Map the Network
2. Identify Hosts
3. Identify Services
4. Identify Services Details
Power of NMAP - Examples
# nmap 192.168.3.1
# nmap -sn 192.168.3.0/24 -v
# nmap -p 80 --script http-chrono \
Installing NMAP
NMAP is Free and Open Source Software (FOSS)
• It's free
• Open source
• http://nmap.org/download.html
• The primary interface is the command line
• ZenMAP is the GUI
• http://nmap.org/book/install.html
• http://nmap.org/book/man.html
SSHD | SSH Server
Configure SSH on a Linux Remote Service / Connect to Kali Remotely
• First, SSH needs to be installed/updated:
# apt-get install openssh-server
# service ssh start
• Verify that the server is up and listening using the "netstat" command:
# netstat -antp | grep ssh
• Now connect with "putty.exe" to your SSH Linux server (Kali / Ubuntu / Red Hat / CentOS)
Scan Phases and Basic Options
nmap 192.168.10.201
Nmap Gear Stick - Get Stealthy
• -sS
• -sn
• -iL file
• --top-ports
• -O
• -sX
• --open
• -PU
• --script
• -PE
• --traceroute
• -sF
• -oN file
• -Pn
Nmap Scan Phases
1. Target Expansion
2. Host Enumeration
3. Reverse DNS Resolution
4. Port Scanning
5. Version Detection
6. OS Detection
7. Traceroute
8. Script Scanning
9. Output
Target Expansion
• Single: 192.168.10.201
• Name: www.domain.com
• List: 192.168.10,55.1,10
• Range: 192.168.10.2-29, 172.16.-4.1, 10.-.20.255
• CIDR: 192.168.128.240/29
Combinations
• 192.168.10.201 www.domain.com
• 192.168-172.-.1,254
• 50.50.50.65/28 www.domain.com ftp.domain.com pop.domain.com
Expansion Testing
• -sL, List Scan
• nmap -sL 192.168.10.1/29
Note: -sL cannot be combined with -F (fast scan) or -p (port selection)
File Input
• -iL filename (a file containing a list of IPs, ranges and networks)
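As an added example (not part of the workshop material and not nmap's own code), the following Python helper expands the target notations listed above: single addresses, octet lists, octet ranges including the open-ended `-` forms, CIDR blocks, and hostnames, which are passed through untouched for DNS. It goes slightly beyond the slide by accepting any mix of list and range forms in every octet, which is what `nmap -sL` does too.

```python
"""Expand nmap-style target specifications (hypothetical helper, not nmap code)."""
import ipaddress
import itertools
from typing import Iterable, List


def _octet_values(field: str) -> List[int]:
    """Expand one dotted field: '5', '2-29', '-4', '200-', '-' or a comma list."""
    values: List[int] = []
    for item in field.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 0      # '-4' means 0-4
            hi = int(hi) if hi else 255    # '200-' means 200-255, '-' means 0-255
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec: {item!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Return the list of addresses one nmap target spec stands for."""
    if "/" in spec:
        # CIDR: nmap lists every address in the block, network and broadcast included
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        return [spec]                      # hostname, left for DNS resolution
    try:
        per_octet = [_octet_values(f) for f in fields]
    except ValueError:
        return [spec]                      # four-label hostname such as a.b.c.d
    # the last octet varies fastest, matching the order nmap -sL prints
    return [".".join(map(str, combo)) for combo in itertools.product(*per_octet)]


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand a whole command line's worth of targets, in the order given."""
    out: List[str] = []
    for spec in specs:
        out.extend(expand_target(spec))
    return out
```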
Reverse DNS Resolution
• nmap -p 80 www.domain.com
• -n (disable rDNS)
• -R (enable rDNS)
Port Scanning
• Explicitly, using the -p flag
• By reference, using nmap-services
-p flag
• Single port: 443
• List of ports: 80,81,443,21,8080
• Range: 135-139 / -1024 / -
• Protocol: U:25 T:25
nmap-services
• Name: ftp
• Wildcard: http*
• --top-ports count
• --port-ratio frequency
Note: nmap scans the top 1000 ports by default
nmap-services examples
• -p 80,443,8080-8090
• -p http,ftp*,25
• -p U:53,123,161 T:1-1024,3306
Output
• Interactive (press Enter during a scan to see progress)
• --reason (includes the reason a port is reported in its state)
• --open (show only open ports)
• -oN / -oX / -oG (save results in different formats)
  - N, Normal
  - X, XML
  - G, grepable
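As an added example (not from the workshop or the nmap project), here is a small Python parser for the grepable (-oG) format named above, with an `--open` style filter on top of it. The sample output it reads is constructed to look like a scan of the workshop's 192.168.3.1 host; the product names in it are placeholders.

```python
"""Parse nmap grepable (-oG) output and apply an --open style filter (added example)."""
from typing import Dict, List

# Constructed sample of what `nmap -oG - -p 22,25,80,443 192.168.3.1` could print;
# fields are tab separated, each port is port/state/proto/owner/service/rpc/version/
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -oG - -p 22,25,80,443 192.168.3.1\n"
    "Host: 192.168.3.1 ()\tStatus: Up\n"
    "Host: 192.168.3.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "25/closed/tcp//smtp///, 80/open/tcp//http//Apache httpd/, "
    "443/filtered/tcp//https///\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Map each host address to the list of port records found in its Ports: field."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # skip '#' comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]           # drop the '(hostname)' part
        records = hosts.setdefault(ip, [])
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue                               # Status-only line has no ports
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            records.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version})
    return hosts


def open_ports(hosts: Dict[str, List[dict]], ip: str) -> List[int]:
    """The --open view: only ports whose state is exactly 'open'."""
    return [r["port"] for r in hosts.get(ip, []) if r["state"] == "open"]


if __name__ == "__main__":
    print("open ports on 192.168.3.1:", open_ports(parse_grepable(SAMPLE_OG), "192.168.3.1"))
```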
Host Enumeration and Network Mapping
OSI Model
• Application
• Presentation
• Session
• Transport
• Network
• Data Link
• Physical
Nmap operates at the Network & Transport layers.
Network Layer
Responsible for the movement or routing of packets across the network.
Transport Layer
Provides the flow of data between two hosts for the application layer above.
Transport Layer protocols
• Internet Control Message Protocol (ICMP)
• User Datagram Protocol (UDP)
• Transmission Control Protocol (TCP)
ICMP
• Used to send messages from one computer to another or to perform diagnostics
• Works on the IP layer and functions on the TCP layer
UDP
• Unreliable
  - No guarantee of delivery
  - No error checking
  - No delivery validation
• Connectionless
  - No handshaking
  - No packet ordering
  - No duplicate protection
• Low overhead
• Reduced latency
UDP is a perfect solution for some protocols; strong examples are DNS and Syslog.
TCP
• Reliable
• Ordered
• Error-checked
TCP Session
Host Enumeration with TCP
• -PS
• -PA
• nmap -n -sn -PE -PP -PM -PU -PS -PA 192.168.10.201
Note: Best for network auditing
Traceroute
• nmap -n -p 80 --traceroute 192.168.10.1
• nmap -n -p 80 --traceroute wateen.com
Note: Best technique to bypass a firewall over port 80
UDP and TCP Port Scanning
Host Enumeration
• What function does the system perform?
• What services does it offer?
• Is the system a Mail Server, Database Server, Web Server, etc.?
• Nmap can help us determine this through port scanning
Host Enumeration - How Port Scanning Helps
• If we find a system with service port 25 open, it is recognised as a mail server
• It might have other applications associated with the mail server running at the same time
• A proper network security audit should be able to identify all services running on a particular system
Scan Options
• -s (lower case) followed by the scan type:
  - U, UDP
  - S, SYN
  - T, TCP connect / full
  - N, Null
  - F, FIN
  - X, Xmas
  - A, ACK
Port Scan Results
• Open: application reply
• Closed: UDP, ICMP unreachable; TCP, RST
• Filtered: error message (ICMP type 3, code X / port prohibited) or no response
UDP Port Scanning
nmap -sU 192.168.3.1
nmap -sU -p 53 192.168.3.1 --reason
TCP Connect Port Scanning
• Nmap performs the complete 3-way handshake; if the connection is established, nmap terminates it with a reset packet
• Very noisy and easily detected
• A bad idea to use this type of scan
nmap -sT 192.168.3.1
nmap -sT -p 80 192.168.3.1 --reason
TCP Half-Open Port Scanning
• Nmap performs a half-open scan
• By default nmap uses this switch
nmap -sS 192.168.3.1
nmap -sS -p 80 192.168.3.1 --reason
TCP Null, FIN, Xmas Port Scanning
• Use only as a last resort when an IDS/IPS has blocked your IP
nmap -sN -p 80,443 192.168.3.1
nmap -sF -p 80,443 192.168.3.1
nmap -sX -p 80,443 192.168.3.1
TCP ACK Scanning
• Sends acknowledgements to existing ports and assumes replies from the ports
• Very secure and undetectable
nmap -sA -p 80,443 192.168.3.1
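The results table above and the scan types that follow describe what nmap concludes from each kind of reply. As an added example (not from the workshop or from nmap itself), this Python function encodes those rules as nmap documents them, including the UDP and Null/FIN/Xmas cases where silence can only be reported as open|filtered, and the ACK scan, which never yields open or closed but only whether a firewall is in the way.

```python
"""Derive a port state from a probe response the way nmap's port-scan phase does.
Added example, not nmap's code; it follows the state rules in nmap's documentation."""
from dataclasses import dataclass
from typing import Optional

# ICMP destination-unreachable codes nmap reports as "filtered" (admin-prohibited etc.)
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    kind: str                        # "tcp", "udp", "icmp" or "none" (timed out)
    flags: str = ""                  # TCP flags seen, e.g. "SA" or "R"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(scan: str, resp: Response) -> str:
    """scan is the -s letter: S (SYN), T (connect), A (ACK), U (UDP), N/F/X (Null/FIN/Xmas)."""
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if scan == "U" and resp.icmp_code == 3:
            return "closed"              # port unreachable: nothing listens on that UDP port
        if resp.icmp_code in FILTERED_ICMP_CODES:
            return "filtered"            # a firewall rejected the probe outright
    got_rst = resp.kind == "tcp" and "R" in resp.flags
    if scan in ("S", "T"):
        if resp.kind == "tcp" and "S" in resp.flags and "A" in resp.flags:
            return "open"                # SYN/ACK: something accepted the connection
        return "closed" if got_rst else "filtered"
    if scan == "A":
        # ACK scan only maps firewall rules: RST means unfiltered, silence means filtered
        return "unfiltered" if got_rst else "filtered"
    if scan == "U":
        return "open" if resp.kind == "udp" else "open|filtered"   # silence is ambiguous
    if scan in ("N", "F", "X"):
        # RFC 793 hosts answer closed ports with RST and stay silent on open ones
        return "closed" if got_rst else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")
```

This is also why the slides pair UDP scans with --reason: the reason column is what separates a genuinely open UDP port from one that merely never answered.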
Performance and Timing
Performance vs Accuracy
• These options affect the Host and Port scanning phases
• If we scan a target and get an immediate response, there is no need to worry about performance or accuracy, because we quickly learn that the target is there and the port is open or closed
• If we don't get a response, the network could be slow or congested, a firewall might be blocking access, or any number of other things
• By default Nmap delays, waits and sends repeat probes, all in an attempt to be as accurate as possible, but this takes time because it scans 1000 ports
• Network security testers can pick the right balance between speed and precision
Arguments
• Time units
  - ms
  - s (default)
  - m
  - h
• nmap --host-timeout 5m 192.168.3.1
• nmap --host-timeout 3h 192.168.3.1
Timing Templates
• -T<0-5>
  - 0, paranoid (for IDS evasion)
  - 1, sneaky (for IDS evasion)
  - 2, polite (slows down the scan to use less bandwidth and target machine resources)
  - 3, normal (normal mode is the default, so -T3 does nothing)
  - 4, aggressive (speeds scans up by assuming you are on a fast and reliable network)
  - 5, insane (assumes you are on an extraordinarily fast network and are willing to sacrifice some accuracy)
• nmap -T polite 192.168.3.1
• nmap -T4 192.168.3.1
Evading Firewalls and Other Sneakiness
Anti-Scanning Technologies
• Firewalls
• Network Address Translation (NAT)
• Intrusion Detection Systems (IDS)
Firewalls
• A firewall is a network security system that controls network traffic passing between two or more networks based on a configured rule set; it establishes a barrier between trusted and public networks
• It simply allows or denies packets or payloads from source to destination, or vice versa
• Decisions are primarily made based on a socket, which is the source IP & port and the destination IP & port
Firewall Types
• Packet Filter
  - Stateless
  - Stateful
• Application Proxy
• -sT (connect) / -sS (half open): passed according to the rule set
Firewall Commonalities
• Default deny policy
• Rate limiting
  - ICMP (ping of death)
  - TCP
  - UDP
  - ARP
Detecting Firewalls
• --traceroute
• -O
• --badsum
nmap --badsum 192.168.3.1
Fragmentation
• There are two other ways we might evade firewalls
  - Fragmentation field in the IP header
• Fragmentation helps evade firewalls
• Firewalls will often pass the fragments through to the target uninspected
• Fragmentation is most effective when we choose a fragment size that splits the TCP header across different packets
Fragmentation options
• -f (8-byte chunks)
• -f -f (16-byte chunks)
• --mtu size (user-defined chunk size)
nmap -f 192.168.3.1
nmap --mtu 24 192.168.3.1
IDLE Scan
• This type of scan first finds an idle system
• You can use any idle system on your network
nmap -sI <Source IP> <Destination IP>
Intrusion Detection Systems - IDS
• An IDS is a device that monitors network traffic for malicious activity and produces reports about policy violations
• It works in promiscuous mode and performs analysis of passing traffic for entire subnets
• Once an attack is identified or abnormal behaviour is sensed, an alert can be sent to the Network Administrator
• An IDS can be configured to look for many signs of attack, including Signatures, Anomalies & Packet Rates
Avoiding IDS Detection
• -T (paranoid): set the performance template sufficiently low to avoid detection
• -S <spoofed source IP address>, -e interface
• --spoof-mac
  - Full MAC address
  - Prefix
  - Vendor name
nmap -e eth0 192.168.3.1
nmap -S 192.168.1.1 192.168.3.1
nmap --spoof-mac Cisco 192.168.3.1
Decoys
• We can hide our scan by flooding the IDS with misleading data
• The IDS may see the scan come from multiple sources and won't know for sure which one is really initiating the probes (and you are innocent)
• This may significantly degrade the performance of the scan
nmap -D 192.168.1.10,192.168.1.11,192.168.1.12 192.168.3.1
OS & Service Version Detection
Port Scan Result
Versioning Output
Nmap tries to determine, from its database:
• Service Protocol (http, https, ftp)
• Application Name (Apache, IIS)
• Version Number (2.2, 2.4, 7, 7.5, 8)
• Hostname (FQDN)
• Device Type
• OS family
Version Detection
• -sV
• --version-intensity <0-9> (default = 7)
• --version-light (intensity = 2)
• --version-all (intensity = 9)
nmap -sV --version-intensity 4 192.168.3.1
nmap -sV -p 8080 192.168.3.1
OS Detection
Nmap is useful for:
• Network Inventory
• Support/Patching
• Unauthorized Devices
• OS detection is most effective if Nmap can find one open and one closed port
OS Detection options
• -O
  - --osscan-limit
  - --osscan-guess, --fuzzy
  - --max-os-tries num (default = 5)
nmap -O -p 80,81 192.168.3.1
Nmap Scripting Engine
Nmap NSE Scripts
• -sC
  - --script=default (http://nmap.org/nsedoc/, 484 scripts)
• --script=scripts,script-category
• Nmap contains 15 default scripts, grouped into these categories:
  - auth, dos, malware, discovery, intrusive, vuln, fuzzer, version, default, safe, brute, external, broadcast, exploit
Script Example
nmap -sC -p 80 www.cnn.com
nmap -sC --script=default -p 80 www.wateen.com -Pn
Nmap Script Capabilities
• Version Detection
• Network Discovery
• Vulnerability Detection
• Backdoor Detection
• Vulnerability Exploitation
Script Examples
nmap -p pptp -sV 12.49.222.65 50.242.75.238
nmap -p 80 --script http-headers,http-chrono www.wateen.com
nmap -p 80 --script http-email-harvest bbc.com
nmap --script ipidseq 8.8.8.8
nmap -p 23 --script telnet-brute --script-args userdb=user.lst,passdb=pass.lst 192.168.0.12
Q & A