Network Mapper. Nmap


Network Mapper (Nmap)

Contents
- Introduction
- Target Specification
- Host Discovery
- Port Scanning
- Service and Version Detection
- OS Detection
- Examples
- Assignment

Network Mapper (nmap)
Definition
- A powerful utility for network exploration or security auditing.
- Used to discover computers and services on a computer network, thus creating a "map" of the network.
History
- First release: September 1, 1997 in Phrack Magazine, "The Art of Port Scanning" (http://www.insecure.org/nmap/p51-11.txt), written by Gordon Lyon
- Current version: 6.4

Nmap is (1)
- Flexible: supports advanced techniques for mapping out networks filled with IP filters, firewalls, routers etc.
- Includes several port scanning mechanisms (both TCP and UDP), OS detection, version detection, ping sweeps etc.

Nmap is (2)
- Free (under the GNU license)
- Open source
- Portable: Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more...
- Very popular
- Movie star: Matrix Reloaded, Bourne Ultimatum, Die Hard 4

Nmap Package
- nmap: command-line executable
- Zenmap: advanced GUI and results viewer
- Ncat: data transfer, redirection, and debugging tool
- Ndiff: utility for comparing scan results

Nmap - Links
- Available for download: http://nmap.org/download.html
- Installation instructions for all supported OS: http://nmap.org/book/install.html
- Reference Guide: http://nmap.org/book/man.html

Nmap Screenshots (nmap, Zenmap)

Target Specification
Classless Inter-Domain Routing (CIDR) addressing
IP address format: two groups
- most significant part: network address - identifies a whole network or subnet
- least significant portion: host identifier - a particular host interface on that network
Examples:
- 192.168.1.0/24 - Scan: 192.168.1.0 till 192.168.1.255
- 192.168.1.40/16 - Scan: 192.168.0.0 till 192.168.255.255
- 132.18.3.210/32 - Scan: ???
- 78.184.23.1/0 - Scan: ???
- 210.43.1-255.4-140 - Scan: ???
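To see exactly which addresses a target specification covers before any packet is sent, here is an added example (not Nmap's own code) that expands the two forms used on this slide, CIDR and per-octet ranges, and also the comma lists Nmap accepts inside an octet; the sample specs in the comments are constructed, not taken from the slide.

```python
"""Expand Nmap-style target specifications offline (added example, not Nmap code).

Covers CIDR (192.168.1.0/24) and per-octet ranges (10.0.1-3.4-5), plus
comma lists inside an octet (10.0.0.1,3,5-6). Nothing is sent on the
network; the functions only compute what a scan would cover.
"""
import ipaddress
from itertools import product


def expand_cidr(spec: str) -> tuple:
    """Return (first address, last address, count) for a CIDR spec.
    Host bits are tolerated, so 192.168.1.40/16 covers all of 192.168.0.0/16,
    exactly as the slide describes."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def _octet_values(part: str) -> list:
    """Parse one octet field: 7, 1-255, -5 (0-5), 1- (1-255) or 1,3,5-9."""
    values = set()
    for item in part.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo, hi = int(lo or 0), int(hi or 255)   # open ends default to 0 / 255
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet field {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_octet_ranges(spec: str) -> list:
    """Expand an octet-range spec such as 10.0.1-3.4-5 into every address it denotes."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields in {spec!r}")
    octets = [_octet_values(f) for f in fields]
    return [".".join(map(str, combo)) for combo in product(*octets)]


def host_count(spec: str) -> int:
    """Number of addresses a spec covers, whichever form it uses."""
    if "/" in spec:
        return expand_cidr(spec)[2]
    return len(expand_octet_ranges(spec))
```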

Scanning with nmap
  nmap 192.168.1.1
Port scanning on the specified host

Host Discovery (1)
List Scan (-sL): lists each host of the network specified, without sending any packets to the target hosts
  nmap -sL www.skai.gr

Host Discovery (2)
Skip port scan (-sP): ping scan - prints out the available hosts that responded
  nmap -sP 192.168.1.1/24

Host Discovery (3)
No Ping (-PN): performs port scanning without checking whether the host is up.
  nmap -PN 192.168.1.1

Host Discovery (4)
TCP SYN Ping (-PS)
- Sends an empty TCP packet with the SYN flag set
- The SYN flag suggests to the remote system that you are attempting to establish a connection.
- If destination port closed -> RST (reset) packet sent back
- If destination port open -> SYN/ACK TCP packet is sent back; RST is sent in return by Nmap
- In both cases, the host is alive

Host Discovery (5)
TCP ACK Ping (-PA)
- Sends an empty TCP packet with the ACK flag set
- Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists
- If destination host is alive -> RST (reset) packet sent back
- Since -PA and -PS are similar, why have both?

Host Discovery (7)
UDP Ping (-PU)
- Sends an empty UDP packet, by default on port 40125
Return value:
- ICMP port unreachable -> destination host up
- other types of ICMP errors -> destination host down or unreachable
- No answer -> destination host probably up; the packet is ignored

Host Discovery (8)
SCTP INIT Ping (-PY)
- Stream Control Transmission Protocol
- Sends an SCTP packet containing a minimal INIT chunk
- The INIT chunk suggests to the remote system that you are attempting to establish a connection.
- If destination port closed -> ABORT packet sent back
- If destination port open -> INIT/ACK packet is sent back; ABORT is sent in return by Nmap

Host Discovery (9)
ARP Ping (-PR)
- Sends an ARP request
- If ARP response -> host is alive
ICMP Ping (-PE)
- Sends an ICMP type 8 (echo request) packet
- If ICMP response type 0 (echo reply) -> host is alive
IP Protocol Ping (-PO)
- Sends IP packets with the specified protocol number set in their IP header, e.g. ICMP (protocol 1), IGMP (protocol 2), IP-in-IP (protocol 4)
- Response: if the protocol is supported, responses using the same protocol as the probe; if the protocol is not supported, ICMP protocol unreachable messages

Port Scanning - Port States
- Open: an application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.
- Closed: a closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
- Filtered: Nmap is unable to determine whether the port is open because packet filtering (a dedicated firewall device, router rules, or host-based firewall software) prevents its probes from reaching the port.
- Unfiltered (only ACK scan): the port is accessible, but Nmap is unable to determine whether it is open or closed

Port Scanning (1)
TCP SYN Scan (-sS)
- Sends a TCP packet with the SYN flag set
- The SYN flag suggests to the remote system that you are attempting to establish a connection.
- RST (reset) packet sent back -> dest. port closed
- SYN/ACK TCP packet sent back -> dest. port open; RST is sent in return by Nmap
- No response received -> port is marked as filtered
- ICMP unreachable -> port is marked as filtered
- This technique is often referred to as half-open scanning

Port Scanning (2)
TCP ACK scan (-sA)
- Used only to determine filtered/unfiltered ports; both open and closed ports return RST
- Sends an empty TCP packet with the ACK flag set
- Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists
Response:
- RST packet -> port is unfiltered (both open and closed ports return RST)
- No response -> port is filtered

Port Scanning (3)
TCP Window scan (-sW)
- Exactly the same as the ACK scan, but examines the TCP Window field of the RST packets returned: open ports use a positive window size, closed ports have a zero window
- Unreliable, since this TCP Window behaviour is implemented only in a minority of systems

Port Scanning (4)
TCP RFC 793 states that any packet not containing the SYN, RST or ACK bits will result in:
- RST if the port is closed
- no response at all if the port is open
Three different port scanning techniques, combinations of the other three bits (FIN, PSH, URG):
- Null scan (-sN): does not set any bits
- FIN scan (-sF): sets just the TCP FIN bit
- Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Port Scanning (5)
UDP scans (-sU)
- Sends UDP packets
- For known protocol ports, a protocol-specific payload is sent: DNS port 53, SNMP ports 161/162, DHCP ports 67/68
- For the rest, an empty payload is sent
Return value:
- ICMP port unreachable -> port is closed
- other types of ICMP errors -> port is filtered
- UDP packet -> port is open

Port Scanning (6)
SCTP INIT scan (-sY)
- Sends an SCTP packet containing an INIT chunk
- The INIT chunk suggests to the remote system that you are attempting to establish a connection.
Response:
- ABORT packet -> destination port closed
- INIT/ACK packet -> destination port open; ABORT is sent in return by Nmap
- No response received -> port filtered
- ICMP unreachable -> port filtered

Port Scanning (7)
SCTP COOKIE ECHO scan (-sZ)
- Sends an SCTP packet containing an SCTP COOKIE ECHO chunk
Response:
- ABORT packet -> port is closed.
- No response -> port is open|filtered (the remote host drops packets containing COOKIE ECHO chunks)
Downside: cannot differentiate between open and filtered ports.
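One way to put the decision rules of the port-scanning slides above into a single table (added example, not Nmap's own implementation; the response labels are constructed for this example). It goes beyond the slides in one respect: silence after a FIN, Null, Xmas, UDP or COOKIE ECHO probe is reported as open|filtered, which is what Nmap itself reports, rather than as plain open.

```python
"""Port state from one Nmap probe/response pair (added example, not Nmap code).

Encodes the rules for the SYN, ACK, Window, Null/FIN/Xmas, UDP, SCTP INIT
and COOKIE ECHO scans in one table. Where a probe's silence cannot separate
"open" from "dropped by a filter", the result is open|filtered.
"""

# Response names used as dictionary keys (constructed labels).
SYN_ACK, RST, INIT_ACK, ABORT, UDP_REPLY = "syn/ack", "rst", "init/ack", "abort", "udp"
ICMP_PORT_UNREACH, ICMP_OTHER, NO_RESPONSE = "icmp-port-unreachable", "icmp-other", "none"

# Definitive answers per scan type: response -> state.
RULES = {
    "syn":    {SYN_ACK: "open", RST: "closed"},
    "init":   {INIT_ACK: "open", ABORT: "closed"},
    "ack":    {RST: "unfiltered"},            # RST from open and closed alike
    "udp":    {UDP_REPLY: "open", ICMP_PORT_UNREACH: "closed"},
    "cookie": {ABORT: "closed"},
    "null":   {RST: "closed"},                # RFC 793: closed ports answer RST,
    "fin":    {RST: "closed"},                # open ports stay silent
    "xmas":   {RST: "closed"},
}

# What "no response" means depends on the probe: an unanswered SYN/INIT/ACK
# was filtered; an unanswered FIN/Null/Xmas/UDP/COOKIE ECHO is ambiguous.
SILENCE = {"syn": "filtered", "init": "filtered", "ack": "filtered"}


def classify(scan: str, response: str, window=None) -> str:
    """State of a port given the scan type and the reply observed.
    `window` is the TCP window of an RST reply; only the Window scan uses it."""
    if scan == "window":
        if response == RST and window is not None:
            return "open" if window > 0 else "closed"
        scan = "ack"                          # otherwise it is just an ACK scan
    if scan not in RULES:
        raise ValueError(f"unknown scan type {scan!r}")
    if response == NO_RESPONSE:
        return SILENCE.get(scan, "open|filtered")
    if response in RULES[scan]:
        return RULES[scan][response]
    if response.startswith("icmp"):
        return "filtered"                     # any other ICMP error: filtered
    raise ValueError(f"{response!r} is not a reply the {scan} scan expects")
```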

Service and Version Detection
Version scan (-sV)
Tries to determine:
- the service protocol (e.g. FTP, SSH, Telnet, HTTP)
- application name (e.g. ISC BIND, Apache httpd, Solaris telnetd)
- version number
- hostname
- device type (e.g. printer, router)
- miscellaneous details

OS Detection
Enable OS detection (-O)
- Nmap compares the scan results against known OS fingerprints.
- Each fingerprint includes a freeform textual description of the OS and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10) and device type (general purpose, router, switch, game console)

Examples

Assignment
- Scan the network and check whether specific ports are open
- Scan the network and determine virtual machines
- Scan the network and determine OS fingerprints, ports/services, etc.