Note - Nmap
Nmap
Introduction
- Nmap (Network Mapper) is a free and open source security scanner used for network exploration and security auditing.
- It is used to discover hosts and services on a computer network, thus creating a "map" of the network.
- It sends specially crafted packets to the target host and then analyzes the responses.
- It uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, and what operating systems they are running.
Supported on all major operating systems:
-Linux
-Microsoft Windows
- Mac (macOS)
Because most scan types build raw IP packets, Nmap needs root (or Administrator) privileges for them; an unprivileged user gets the TCP connect scan (-sT) instead.
Features
- Host discovery - identify the live hosts on the network
- Port scanning - enumerate the open ports on the target hosts
- Version detection - interrogate network services on remote devices to determine the application name and version number
- OS detection - determine the operating system and hardware characteristics of network devices
- Scriptable interaction with the target - using the Nmap Scripting Engine (NSE) and the Lua programming language
- Nmap can provide further information about targets, including reverse DNS names, device types, and MAC addresses
Uses of Nmap
- Auditing the security of a device or firewall by identifying the network connections which can be made to, or through, it.
- Identifying the open ports on a target host in preparation for an audit.
- Network inventory, network mapping, maintenance and asset management.
- Auditing the security of a network by identifying new servers (hosts or ports that were not there in the previous scan).
- Generating traffic to hosts on the network.
- Finding vulnerabilities in a network (and, with NSE scripts in the exploit category, exploiting them).
If a hostname is given as the target, Nmap first resolves it with a forward DNS lookup; an IP address target needs no such lookup. (Reverse DNS of each responsive host still runs by default; -n disables it.)
By default Nmap pings the target (host discovery) before port scanning and skips hosts that do not answer; -Pn disables the ping and treats every target as up.
TCP SYN Scan (-sS)
Allows Nmap to gather information about open ports without completing the TCP handshake: it sends a SYN and judges the port from the SYN/ACK or RST that comes back, never sending the final ACK. Requires raw packet privileges.
#nmap -sS -v 192.168.0.100
TCP Connect Scan (-sT)
Allows Nmap to gather information about open ports by completing the TCP handshake through the OS connect() call; it needs no special privileges but is slower and more likely to be logged by the target.
#nmap -sT -v 192.168.0.100
Ping Scan (-sP)
The ping scan is the quickest scan Nmap performs: host discovery only, no port scan. In current Nmap the option is -sn; -sP is kept as a deprecated alias.
#nmap -v -sP 192.168.1.100 --packet-trace
Version Detection (-sV)
Allows Nmap to probe the services behind open ports and report the application name and version; the version detection scan runs automatically if the aggressive scan (-A) is selected.
-sP (-sn), -sL and -sO cannot be combined with version detection on the same command line.
UDP Scan (-sU)
UDP is connectionless, so there is no three-way handshake and no SYN, FIN or RST flags to read. Nmap sends a UDP datagram to each port: a UDP reply means open, an ICMP port-unreachable means closed, and silence is reported as open|filtered, which makes UDP scans slow and ambiguous.
#nmap -sU -v 192.168.1.100 --packet-trace
IP Protocol Scan (-sO)
The IP protocol scan attempts to determine which IP protocols (TCP, UDP, ICMP, IGMP, etc.) the target supports by sending raw IP packets with each protocol number and watching for ICMP protocol-unreachable replies.
#nmap -v -sO 192.168.1.100 --packet-trace
ACK Scan (-sA)
The ACK scan sends packets with only the ACK flag set and is used to determine whether a port is filtered or unfiltered (a RST back means unfiltered). It cannot tell open from closed, but it maps firewall rules and shows whether a filter is stateful.
#nmap -sA -v 192.168.1.100
Window Scan (-sW)
Same probe as the ACK scan, but Nmap also examines the TCP window field of the RST replies: on some systems open ports answer with a positive window and closed ports with a zero window, so the window scan can separate open from closed where the ACK scan cannot.
Idle Scan (-sI)
The idle scan uses another station (the "zombie") to scan the remote host: Nmap spoofs SYN probes from the zombie's address and reads the target's answers off the zombie's predictable IP ID counter, so the target never sees the scanner's own address. The zombie host is the argument to -sI.
#nmap -sI 192.168.1.50 -v 192.168.1.100
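The IP ID trick behind the idle scan, as an added example (not Nmap code): the zombie's IP ID is probed before and after a SYN spoofed from the zombie's address, and the size of the jump reveals the target's answer. `Zombie` and `Target` are constructed stand-ins for real hosts, and the 192.168.1.50 / 192.168.1.100 roles from the command above are just the two objects; the example also shows why a busy zombie produces false "open" results and how the idleness check Nmap performs rejects one.

```python
"""Idle (-sI) scan inference, simulated offline.

Added example, not Nmap source. Nmap never sends a packet to the target from
its own address: it measures the zombie's IP ID counter before and after a
spoofed SYN and reads the target's answer off that counter.
"""
from dataclasses import dataclass, field

OPEN, CLOSED_OR_FILTERED, UNUSABLE = "open", "closed|filtered", "zombie unusable"


@dataclass
class Zombie:
    """Host whose IP ID is one global counter, incremented per packet it sends."""
    ipid: int = 1000
    noise: int = 0  # packets it sends to other parties between our probes

    def reply(self) -> int:
        """Answer our unsolicited SYN/ACK with a RST and return that RST's IP ID."""
        self.ipid += 1
        return self.ipid

    def on_synack(self) -> None:
        """Target answered SYN/ACK to the spoofed SYN: zombie replies RST, burning an ID."""
        self.ipid += 1

    def idle_noise(self) -> None:
        self.ipid += self.noise


@dataclass
class Target:
    open_ports: set = field(default_factory=set)

    def spoofed_syn(self, port: int, zombie: Zombie) -> None:
        """Handle a SYN whose source is the zombie: SYN/ACK if open, RST if closed.
        Only the SYN/ACK provokes a packet from the zombie (it ignores the RST),
        and a filtered port sends nothing, so closed and filtered look identical."""
        if port in self.open_ports:
            zombie.on_synack()


def zombie_is_idle(zombie: Zombie, probes: int = 6) -> bool:
    """Nmap's sanity check: IP ID must grow by exactly 1 per probe, otherwise the
    counter is shared with traffic we cannot see and the inference is worthless."""
    ids = []
    for _ in range(probes):
        ids.append(zombie.reply())
        zombie.idle_noise()
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def idle_probe(zombie: Zombie, target: Target, port: int) -> str:
    """One idle-scan round: probe zombie, spoof SYN to target, probe zombie again."""
    before = zombie.reply()
    target.spoofed_syn(port, zombie)
    zombie.idle_noise()  # whatever else the zombie sent meanwhile
    after = zombie.reply()
    delta = after - before
    if delta == 2:
        return OPEN                 # zombie sent one extra packet: the RST to a SYN/ACK
    if delta == 1:
        return CLOSED_OR_FILTERED   # zombie sent nothing but its reply to us
    return UNUSABLE                 # counter jumped: zombie was not idle


def idle_scan(zombie: Zombie, target: Target, ports) -> dict:
    if not zombie_is_idle(zombie):
        raise RuntimeError("zombie IP ID is not sequential; pick another zombie")
    return {p: idle_probe(zombie, target, p) for p in ports}


if __name__ == "__main__":
    print(idle_scan(Zombie(), Target(open_ports={22, 80}), [22, 25, 80]))
```

A zombie with `noise=1` passes nothing: the idleness check rejects it, and if that check were skipped, a closed port would be reported open because the unrelated packet is indistinguishable from a RST to the target's SYN/ACK. That is the practical reason Nmap insists on a truly idle zombie with incremental (not per-host or random) IP IDs.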
How to detect the OS with Nmap
Nmap provides a rich feature that detects which OS a remote device is running, by comparing the target's TCP/IP stack behaviour against its fingerprint database.
- OS fingerprinting with option (-O)
#nmap -sS -O 192.168.1.100
- Aggressive scan (-A)
(shortcut for running (-O), (-sV), the default NSE scripts (-sC) and --traceroute)
#nmap -sS -A 192.168.1.100
Nmap Scripting Engine (NSE)
Scripts written in Lua extend Nmap for:
- Network discovery
- Version detection
- Vulnerability detection
- Malware detection
- Exploitation
Anatomy of an NSE script
require
import the NSE libraries the script needs (e.g. shortport, stdnse)
metadata
includes the description of the script, author name, license information, etc.
categories
define the type of the script, which also decides when it runs (e.g. -sC runs the "default" category, --script vuln runs "vuln")
-auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer,
intrusive, malware, safe, version, vuln.
portrule
script execution is conditional: the rule (portrule, hostrule, prerule or postrule) returns true only when the script should run, e.g. when a matching port is open
action
the actual code to execute when the rule matches; its return value is what Nmap prints for the script
Scripts that exist (examples)
Brute force
- MySQL (mysql-brute)
- VNC (vnc-brute)
- SVN (svn-brute)
Malware
- http-malware-host
- smtp-strangeport
Discovery
- Whois (whois-ip, whois-domain)
- Stuxnet (stuxnet-detect)
- SMB (smb-os-discovery)
Version
- SOCKS (socks-auth-info)
- SSL (ssl-cert)
- X11 (x11-access)
Scan Types
-sS - TCP SYN (half-open)
-sT - TCP Connect
-sA - TCP ACK
-sW - TCP Window
-sM - TCP Maimon (FIN/ACK)
-sU - UDP Scan
-sN - TCP Null (no flags)
-sF - TCP FIN (just the FIN flag)
-sX - TCP Xmas (FIN, PSH and URG flags set)
-sY - SCTP INIT
-sZ - SCTP COOKIE-ECHO
-sO - IP protocol scan
Output Options
Output Types
-oN <file> - Normal (what you see on screen)
-oX <file> - XML (fully structured; the format to feed into other tools)
-oS <file> - Script kiddie (s|<rIpt kIddi3; a joke format, not for real use)
-oG <file> - Grepable (one line per host, handy for grep/awk; Nmap recommends XML for machine parsing)
-oA <basename> - all 3 major formats (normal, XML, grepable) at once
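Parsing the two machine-readable formats, as an added example that is not part of Nmap: `parse_xml` walks the `-oX` tree (host, address, ports/port, state, service) and `parse_grepable` splits the `-oG` `Ports:` field, then `new_open_ports` diffs two parsed scans, which is the "identify new servers" use case from earlier on the page. The embedded scan results are constructed sample output for a fictitious host, not a real scan; the element and attribute names follow Nmap's XML output, and the grepable parser assumes no `/` inside the version field.

```python
"""Parse Nmap -oX and -oG output and diff two scans for new open ports.

Added example, not Nmap code. SAMPLE_XML and SAMPLE_GREPABLE are constructed
results for a fictitious host, shaped like real Nmap output.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV --reason -oX out.xml 192.168.1.100" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""

SAMPLE_GREPABLE = (
    "Host: 192.168.1.100 ()\tStatus: Up\n"
    "Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\n"
)


def parse_xml(xml_text):
    """Return {ip: {(proto, port): {state, reason, service, banner, confirmed}}}."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            banner = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),   # the same string --reason prints
                "service": svc.get("name") if svc is not None else "",
                "banner": banner,
                # method="table" means the name is a guess from nmap-services, not a -sV probe
                "confirmed": svc is not None and svc.get("method") == "probed",
            }
        results[ip] = ports
    return results


def parse_grepable(text):
    """Return {ip: {port: (state, proto, service, version)}} from -oG lines.
    Field order inside each entry is port/state/proto/owner/service/rpc/version."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for f in fields[1:]:
            if not f.startswith("Ports: "):
                continue
            for entry in f[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                results.setdefault(ip, {})[int(port)] = (state, proto, service, version)
    return results


def open_ports(results):
    return {ip: sorted(k for k, v in ports.items() if v["state"] == "open")
            for ip, ports in results.items()}


def new_open_ports(baseline, current):
    """Ports open in `current` that were not open in `baseline` (inventory drift)."""
    base = open_ports(baseline)
    drift = {}
    for ip, ports in open_ports(current).items():
        added = [p for p in ports if p not in set(base.get(ip, []))]
        if added:
            drift[ip] = added
    return drift


if __name__ == "__main__":
    print(open_ports(parse_xml(SAMPLE_XML)))
    print(parse_grepable(SAMPLE_GREPABLE))
```

The `confirmed` flag is worth keeping in any inventory: without `-sV`, the service column is only a port-number table lookup, and a port that reports `filtered` with reason `no-response` is a firewall artefact, not a service.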
Output Options
-v - increase verbosity level (-vv for more)
-d[level] - set or increase the debugging level
--reason - display the reason a port is in a particular state (e.g. syn-ack, reset, no-response)
--open - only show open (or possibly open) ports
--packet-trace - show all packets sent and received
--iflist - print host interfaces and routes (for debugging)
--log-errors - log errors/warnings to the normal-format output file
--append-output - append to, rather than clobber, the specified output files
--resume <filename> - resume an aborted scan from its normal or grepable output file
Pros and Cons on Scans
SYN scans
PRO - very fast and the most commonly used scan.
CON - results get unreliable when a firewall, packet filter or packet shaper sits between the user and the target, because every dropped probe shows up as filtered.
FIN scans
PRO - can sneak around non-stateful firewalls and packet filters, which block inbound SYN but let other flags through.
CON - because of the way the scan is conducted, ports are reported as either closed or open|filtered (silence from an open port cannot be told from a dropped probe). Many major OS's (Windows among them) send a RST regardless of whether the port is open or closed, so every port looks closed.
NOTE - variations of this are the NULL and Xmas scans.
ACK scan
PRO - distinguishes filtered from unfiltered ports.
CON - will not tell whether the port is open or closed.
Window scan
PRO - can tell if a port is open or closed, whereas the ACK scan cannot.
CON - works on only a few OS's and sometimes acts flaky; a zero window for every port means the target's stack does not support the technique, not that every port is closed.
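The rules behind the pros and cons above, as an added example that is not Nmap source: `classify` maps a (scan type, response) pair to the state Nmap reports for the TCP and UDP scan types listed on this page, and `simulate_target` is a constructed target whose stack behaviour can be switched with "quirks" (a Windows-style RST to FIN/NULL/Xmas even on open ports, a positive RST window on open ports, an open UDP service that stays silent). Running the matrix shows the FIN scan collapsing to closed on such a stack, the ACK scan never saying open, and the Window scan reporting closed on a stack that keeps the window at zero. The scan names and ICMP codes are Nmap's; the quirk names and the `stateless_filter` state are this example's own.

```python
"""How Nmap turns a probe's answer into a port state, per scan type.

Added example, not Nmap code. The decision rules are the documented ones; the
target is a constructed model with switchable stack quirks.
"""
from collections import namedtuple

# One observed answer to a probe. kind is "tcp", "udp", "icmp" or "none"
# ("none" = nothing came back after Nmap's retransmissions).
Response = namedtuple("Response", "kind flags icmp_type icmp_code window",
                      defaults=(frozenset(), None, None, 0))
NONE = Response("none")
SYNACK = Response("tcp", flags=frozenset({"SYN", "ACK"}))
RST = Response("tcp", flags=frozenset({"RST"}))

# ICMP type 3 codes Nmap reads as "a filter answered" rather than "port closed".
FILTER_CODES = {1, 2, 3, 9, 10, 13}

TCP_SYN = {"-sS", "-sT"}
TCP_STEALTH = {"-sN", "-sF", "-sX", "-sM"}
TCP_ACK_LIKE = {"-sA", "-sW"}


def classify(scan, rsp):
    """Return the port state Nmap would report for one (scan type, response) pair."""
    is_rst = rsp.kind == "tcp" and "RST" in rsp.flags
    if rsp.kind == "icmp":
        if scan == "-sU" and (rsp.icmp_type, rsp.icmp_code) == (3, 3):
            return "closed"          # port unreachable: the UDP port really is closed
        if rsp.icmp_type == 3 and rsp.icmp_code in FILTER_CODES:
            return "filtered"
        raise ValueError(f"ICMP response not modelled: {rsp}")
    if scan in TCP_SYN:
        if rsp.kind == "tcp" and rsp.flags == {"SYN", "ACK"}:
            return "open"
        return "closed" if is_rst else "filtered"
    if scan in TCP_STEALTH:
        # RFC 793: closed ports answer RST, open ports stay silent; so does a firewall.
        return "closed" if is_rst else "open|filtered"
    if scan == "-sA":
        return "unfiltered" if is_rst else "filtered"
    if scan == "-sW":
        if is_rst:
            return "open" if rsp.window > 0 else "closed"  # only some stacks vary the window
        return "filtered"
    if scan == "-sU":
        return "open" if rsp.kind == "udp" else "open|filtered"
    raise ValueError(f"unknown scan type {scan}")


def simulate_target(state, scan, quirks=frozenset()):
    """What a port in `state` answers to a `scan` probe (constructed model).
    quirks: 'rst_regardless' (RST to FIN/NULL/Xmas even when open, as Windows does),
    'positive_window' (RST window > 0 on open ports, which -sW relies on),
    'silent_udp' (open UDP service that never answers an empty datagram)."""
    if state == "filtered":
        return NONE                                 # stateful firewall drops every probe
    if state == "stateless_filter":
        # Filter that only blocks inbound SYN: other probes reach the (open) port.
        return NONE if scan in TCP_SYN else simulate_target("open", scan, quirks)
    if scan in TCP_SYN:
        return SYNACK if state == "open" else RST
    if scan in TCP_STEALTH:
        return RST if state == "closed" or "rst_regardless" in quirks else NONE
    if scan in TCP_ACK_LIKE:
        window = 1024 if state == "open" and "positive_window" in quirks else 0
        return Response("tcp", flags=frozenset({"RST"}), window=window)
    if scan == "-sU":
        if state == "open":
            return NONE if "silent_udp" in quirks else Response("udp")
        return Response("icmp", icmp_type=3, icmp_code=3)
    raise ValueError(f"unknown scan type {scan}")


def scan_matrix(quirks=frozenset()):
    """{scan type: {true state: reported state}} for every scan type on this page."""
    scans = ["-sS", "-sT", "-sN", "-sF", "-sX", "-sM", "-sA", "-sW", "-sU"]
    states = ["open", "closed", "filtered", "stateless_filter"]
    return {s: {st: classify(s, simulate_target(st, s, quirks)) for st in states}
            for s in scans}


if __name__ == "__main__":
    for quirks in (frozenset(), frozenset({"rst_regardless"})):
        print(sorted(quirks) or "RFC-compliant stack")
        for scan, row in scan_matrix(quirks).items():
            print(f"  {scan}: {row}")
```

Read the matrix column for `stateless_filter`: the SYN scan reports filtered while the FIN family reports open|filtered and the ACK scan reports unfiltered, which is exactly how one tells a stateless packet filter from a stateful firewall in practice.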