Peeking On Your Ports
Reconnaissance is one of the first steps involved in hacking or penetration testing a computer network, and one of the most popular and prominent tools for performing that first network analysis is Nmap (or Network Map). A powerful tool used by system administrators, security professionals, network researchers and hackers, Nmap is considered the de facto industry standard in network analysis and vulnerability detection.
In this article we will talk about the what, the who and the how of Nmap. Additionally we will also be demonstrating the use of the tool in the context of an offensive information gathering exercise in the Kali Linux environment.
What Is Nmap?
Nmap is a free, open source network scanner that is used to discover hosts and the services those hosts are running. It provides a wide range of features and functionality, from operating system discovery and vulnerability detection to simple port scanning and enumeration. Although it was designed to rapidly scan large networks, it works fine on single hosts.
Fundamentally it is an advanced network scanning tool, that uses specially crafted IP packets to identify devices and services running on a host or selection of hosts, with a wide range of specialized features.
A more in depth look at these features:
- Host discovery: identifies hosts on a network and tries to resolve the hosts name and physical address
- Port scanning: detects and enumerates open ports
- Version detection: advanced identification of network services and applications including the name and version
- OS detection: attempts to detect a hosts operating system by analyzing it’s fingerprint
- Scriptable interaction with a target: using the builtin Nmap scripting engine or the Lua programming language enabling more refined scan results with scripts
Some typical uses of Nmap include:
- Auditing the security of a network by identifying network connections that can be made to a host
- Generating traffic to hosts, response analysis and response time measurement
- Discovery of open ports on a host
- Identifying and exploiting vulnerabilities
Nmap started as a Linux utility, but now has several ports to all the main operating systems in use, however it is most popular on Linux. Typically used entirely from the command line, several GUI interfaces exist for Nmap, the most notable being Zenmap. It is also an included module in the Metasploit Framework (msfconsole) for vulnerability identification and immediate exploitation.
Who Made Nmap?
First released September 1997 as source code in Phrack Magazine, Nmap was written in C++ by Gordon Lydon. Since then it has grown from a huge community of developers and enthusiasts.
Different Scan Types
Nmap has a wide range of different scan types, for a wide variety of different situations and environments. Your scan type is dependent on your target system, or the type of results you are after and how they are acquired. Let’s discuss some of the common scan types and how they work in further detail.
One of the “nosiest” scan types, TCP scans are generally used to see if you can complete what’s known as a “three way handshake” between you and a target. This scan type is considered noisy as it can be detected fairly easily, as services may log the sender of the scan packets which could potentially trigger an Intrusion Detection System (IDS) on the target.
These scans are used to check whether there is any UDP ports up and listening for incoming requests on a target. As UDP has no mechanism to respond with a positive acknowledgment, there is always a chance for a false positive in the scan results. UDP scans can also be used to reveal Trojan horses that might be running on UDP ports or even reveal hidden RPC services.
Basically another form of TCP scan, the main difference being Nmap creates a synchronize packet, which is the initial packet sent to establish a TCP connection. During a SYN scan the connection is never actually formed, instead the responses to these created packets that are sent to the target are analyzed by Nmap to produce the scan results. Considered to be far more “stealthy” of a scan than a TCP scan.
This scan type determines whether a port is filtered by a firewall. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated firewall might not.
Much like a SYN scan, but instead of Nmap sending a specially crafted TCP SYN packet, it sends a TCP FIN packet. Most but not all computers will send an RST packet (reset packet) back if they get this packet, so the FIN scan can show false positives and negatives — but it may get under the radar of some IDS programs and other countermeasures.
This is the stealthiest of all scans discussed, as the packets are bounced off an external host. Control over the host is generally not necessary, but the host needs to meet a specific set of conditions. This scan is entirely used for malicious attacks.
Nmap has a variety of flags (or switches) that you can use to perform the various scan types, format the output into a particular type or for selecting specific ports for scanning. Here are the most common ones:
Now we know what Nmap is and how it generally works, let’s put this knowledge into use. In future ‘TryHackMe‘ write-ups, we will be using Nmap for offensive information gathering on a target machine. This is an important and vital first step in compromising a remote target, as it allows us to assess, plan and map our point of entry or vector of attack.
Important note: if you aren’t scanning a box that is yours, ensure you have the correct permission to do so. Although using Nmap is not illegal, you shouldn’t scan boxes that aren’t yours as it probably will be perceived as an attempt at intrusion.
Let’s start with a basic port scan to see which ports are open by issuing:
nmap -Pn <targetIP>
As we can see from the results, there are nine ports open on the host we scanned and Nmap has attempted to enumerate some of the service names. To demonstrate using a different scan technique and to get even more information on the services running on the ports, issue the following:
nmap -sS -sV <targetIP>
Pretty much the same as the last scan, only this time we used the more stealthy scan technique (TCP SYN) and a more intrusive port scan which enumerated all the services and their versions. The output seems to suggest that the host is running a Windows OS version between 7 and 10, based on what appears to be running on port 445. Let’s try and identify exactly which version of Windows it is by performing an OS detection scan by issuing:
nmap -sS -O <targetIP>
Again we used the TCP SYN scan technique for a more quiet scan and we also used the OS identification flag, however Nmap couldn’t identify exactly what OS the host is using. So let’s perform a far more aggressive scan by issuing:
nmap -A -T 5 <targetIP> -vv
Because we used the ‘very verbose’ flag, Nmap outputted a lot more information. Not only did this scan validate the information we gathered on the service versions, we also now know the host is definitely running Windows 7. Finally let’s wrap up and scan the host for vulnerabilities using the vulnerability script by issuing:
nmap –script vuln <targetIP>
We will continue with the exploitation of this vulnerability in the next article on the Metasploit Framework.
In this article we have demonstrated how to use a variety of scan techniques, the successful enumeration of ports on a host, the services and the versions running on those ports, how to discover a hosts physical address (MAC), how to ascertain a hosts operating system and how to detect vulnerable services running on a host.