S-38.153 Exercise Report - Nmap Introduction S-38.153 Exercise Report: Nmap Introduction Jing Jin (56654T) jinjing@cc.hut.fi October 12, 2002 1 S-38.153 Exercise Report - Nmap Introduction 1. Introduction There are a number of useful tools available to the network security administrators, both commercially and from the Internet. Some of them can greatly aid the security analyst in the identification of security exposures. Nmap(Network Mapper) is an excellent tool for checking the accuracy of the scan data. It is an open source utility for network exploration or for security auditing. By using Nmap, it allows the network administrator to see what is running on the servers in question. It can be downloaded freely for the Internet. Nmap supports dozens of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, Null scan and so on. Nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-port mapper) RPC scanning, fragmentation scanning, and flexible target and port specification. Nmap can be used in many operating systems, for example, Red Hat linux, Debian linux, FreeBSD and so on. The primary goal of the Nmap is to help to make the Internet more secure and to provide administrators/hackers/auditors with an advanced tool for exploring their network. HUT networking laboratory linux machines run Debian linux version, the Nmap version is V.2.54 beta 30. For more information about Nmap and download, please visit the web site www.insecure.org/nmap. 2. Scanning and security basics 2.1 scanning in general The first step of attacking is to get as much information as possible for the target network. An attacker would find bugs of different OSs and available services. This can be done by a toll called scanner. Scanning can be made manually, but it is much easier to automate scanning with scanner tools such as SATAN(Security Administrator’s Tool for Analyzing Networks), Nessus, Nmap and so on. 2 S-38.153 Exercise Report - Nmap Introduction Scanners query TCP/IP ports and record the target’s response. They glean valuable information about the target host by determining . What services are currently run? . Who owns those services? . Whether anonymous logins are supported . Whether certain network services require authentication 2.2 Port and port scanning Port is an access point for an application running on a computer system. All Internet and TCP/IP based networks require a source IP address, destination IP address and source port as well as destination port. There are three kinds of port, which are wellknown ports, registered ports and dynamic (private) ports. The well-known ports range from 0 to 1023, the registered ports are those from 1024 through 49151, the dynamic (private) ports are those from 49152 through 65535. Port scanning uses some specific tools, like Nmap, to automate the identification of active ports on a target system. 2.3 Finger printing scanning Fingerprinting is a technique that tries to identify the target system operating system. The technique helps an attacker to ascertain each target system host’s OS with a high probability. Once the target system OS is identified, the attacker can concentrate on his effort to compromise it. 3. Installing Nmap on Linux To install Nmap on a linux system, please follow these steps: 1. Open GnomeRPM Click the ‘tool bar’, choose ‘system’, then ‘GnomeRPM’ 2. Click install 3. Click add 3 S-38.153 Exercise Report - Nmap Introduction 4. Click on the Nmap rpm in the directory you downloaded it to 5. Click install Please download the Nmap from http://www.insecure.org/nmap 4. How Nmap works… The general format of the Nmap command line is: Nmap –parameters –options target_specification 4.1 An example For example, nmap –sS –v 10.50.1.254 This will execute Nmap using an SYN scan (-sS option), also called half-open scanning, is a basic function in Nmap, This command line with verbose option means output is in detailed information, and OS identification turned on with –O option. It will be executed against the IP address 10.50.1.254, our laboratory IP address. A normal TCP connection begins with a three-way handshake between the initiating system and receiving system. The initiating system sends an SYN packet, the receiving system responds with an SYN-ACK message, and the initiating system answers with an ACK message. In the half-open scanning, it sends an RST (reset) message instead of an SYN-ACK message. The process is illustrated shown below. nmap –sS –v 10.50.1.254 The outputs are shown below. Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good. Initiating SYN Stealth Scan against vpn1gw.lab.tct.hut.fi (10.50.1.254) Adding open port 23/tcp Adding open port 515/tcp Adding open port 80/tcp 4 S-38.153 Exercise Report - Nmap Introduction Adding open port 139/tcp Adding open port 1723/tcp Adding open port 24/tcp The SYN Stealth Scan took 1 second to scan 1549 ports. Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254): (The 1543 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 24/tcp open priv-mail 80/tcp open http 139/tcp open netbios-ssn 515/tcp open printer 1723/tcp open pptp Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds 4.2 Main Scan types in Nmap 4.2.1. TCP connection scanning (-sT) This is the most basic form of TCP scanning. It is also called port scanning, or vanilla scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. Any user on most UNIX boxes is free to use this call. Another advantage is speed. This is the fastest scanning method supported by Nmap, and is available with the -t (TCP) option. However, a big disadvantage is that this sort of scan is easily detectable and filterable. The target hosts logs will show a bunch of connections and error messages for the services which take the connection and then have it immediately shutdown. Below is the output from the Nmap scan. #nmap –sT –v 10.50.1.254 The outputs are: Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) 5 S-38.153 Exercise Report - Nmap Introduction Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254): (The 1543 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 24/tcp open priv-mail 80/tcp open http 139/tcp open netbios-ssn 515/tcp open printer 1723/tcp open pptp Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds 4.2.2 Ident scanning (-I) In ident scanning, -I option is used. The remote host’s identd is required for each open port found. If the host is not running identd, it doesn’t work. This turns on TCP reverse ident scanning. An attacker often may look for a machine in which he/she has a specific exploit for a process, such as a web server running as root. If the target is running identd, an attacker using Nmap will be able to find out what user owns the http daemon to a TCP connection scan. #nmap –I –v 10.50.1.254 Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good. Initiating Connect() Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254) Adding open port 1723/tcp Adding open port 80/tcp Adding open port 24/tcp Adding open port 23/tcp Adding open port 139/tcp Adding open port 515/tcp The Connect() Scan took 1 second to scan 1549 ports. Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254): (The 1543 ports scanned but not shown below are in state: closed) Port State Service Owner 6 S-38.153 Exercise Report - Nmap Introduction 23/tcp 24/tcp 80/tcp 139/tcp 515/tcp 1723/tcp open open open open open open telnet priv-mail http netbios-ssn printer pptp Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds 4.2.3. Ping sweeping (-sP) Intruders are capable of sweep networks in order to look for target networks. The –sP flag is used in this case. Nmap sends an ICMP echo and a TCP ACK to each host it scans. Nmap will get the information which hosts responded. In this example, scan all hosts on the 10.50.1.254 network. #nmap –sP –v 10.50.1.254 Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up. Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds 4.2.4. Stealth scanning (-sS) Please see the example in session 4.1. 4.2.5. OS fingerprinting scanning (-o) A common option is TCP/IP fingerprinting with the "-O" option to determine the remote operating system. This has to be combined with a port scan and not a ping scan. Nmap accomplishes this by sending different types of probes to the host, which will narrow the target operating system. Mostly, three main techniques are used in Fingerprinting the TCP stack. They include FIN probing , which see what kind of 7 S-38.153 Exercise Report - Nmap Introduction response the target has, BOGUS flag probing, was designed to see the remote host's reaction to undefined flags sent with a SYN packet, and TCP Initial Sequence Number (ISN) sampling , finding patterns of ISN numbers. Some other methods of determining the remote operating system are also used in reality. An article on this topic, which was edited by the author of Nmap, can be found at http://www.insecure.org/nmap/nmap-fingerprinting-article.html. Here is the example of the –o option which I did in the laboratory: #nmap –o –v 10.50.1.254 Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254): (The 1543 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 24/tcp open priv-mail 80/tcp open http 139/tcp open netbios-ssn 515/tcp open printer 1723/tcp open pptp Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds OS scanning also reports the TCP sequence number prediction vulnerability of the system. This is valuable to an attacker looking for hosts. 8 S-38.153 Exercise Report - Nmap Introduction 4.2.6 RPC scanning (-sR) RPC scanning method always works in combination with several of port scan methods of Nmap. The idea of this is that try to determine the target ports are RPC ports or not. Decoys are not used in RPC scanning. #nmap –sR –v 10.50.1.254 Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good. Initiating Connect() Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254) Adding open port 23/tcp Adding open port 80/tcp Adding open port 139/tcp Adding open port 1723/tcp Adding open port 24/tcp Adding open port 515/tcp The Connect() Scan took 1 second to scan 1549 ports. Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254): (The 1543 ports scanned but not shown below are in state: closed) Port State Service (RPC) 23/tcp open telnet 24/tcp open priv-mail 80/tcp open http 139/tcp open netbios-ssn 515/tcp open printer 1723/tcp open pptp Nmap run completed -- 1 IP address (1 host up) scanned in 1 second 4.2.7 ACK scanning (-sA) The ACK scanning is an advanced method in Nmap, usually used to map out firewall rulesets. It helps to determine whether a firewall is stateful or not. ACK scanning sends an ACK packet to the specified ports. If an RST comes back, the specified ports 9 S-38.153 Exercise Report - Nmap Introduction are classified as ‘unfiltered’. If nothing comes back, the ports are determined as ‘filtered’. The scan never showing ports indicates they’re in the ‘open’ state. Below is the example in our laboratory. #nmap –sA –v 10.50.1.254 Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good. Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254) The ACK Scan took 1 second to scan 1549 ports. All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered Nmap run completed -- 1 IP address (1 host up) scanned in 1 second 4.2.8 List scanning (-sL) List scanning generates and prints a list of IPs/Names without actually pinging or port scanning them. The outputs are shown below. #nmap –sL –v 10.50.1.254 Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) not scanned Nmap run completed -- 1 IP address (0 hosts up) scanned in 0 seconds 4.2.9. P0 option (-P0) An option that is useful with scans is "-P0". Also called ‘Don’t ping host.’ Do not try and ping host at all before scanning them. This option allows the scanning of networks that don’t allow ICMP echo requests (for example, Microsoft.com) through their firewalls. Since Nmap will ping a target with both TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default. #nmap –p0 –v 10.50.1.254 Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) 10 S-38.153 Exercise Report - Nmap Introduction Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254): (The 1543 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 24/tcp open priv-mail 80/tcp open http 139/tcp open netbios-ssn 515/tcp open printer 1723/tcp open pptp Nmap run completed -- 1 IP address (1 host up) scanned in 1 second 4.2.10 Other frequent used options -v: Verbose mode. You will see ports come up as they’re found -h: To get nmap help -R: In random order which the target host’s ports are scanned -F: Fast mode For some other basic scanning techniques, please see the Finnish document in the web page http://tct.hut.fi/opetus/s38153/Lisamateriaali/nmap.doc 5 Summary Nmap can be used by both administers and attackers. Now we are thinking how to prevent an attacker using Nmap. In reality, some tools , such as Scanlogd, Courtney and Shadow exist. However, the most important point here is the knowledge of a network administer. Scanners are tools to help administers to make plan, they are precursor to an attack. By using Nmap to monitor their web sites, the administrators can discover a potential intruder. 11 S-38.153 Exercise Report - Nmap Introduction 6 Reference 1. S-38.153 lecture slides http://tct.hut.fi/opetus/s38153/slides/S38153_2.pdf 2. www.insecure.org/nmap 3. http://sinbad.zhoubin.com 4. www.linuxsecurity.com 5. Anonymous: Maximum security, 2nd edition, USA 1998, Sams publishing house 7 Thanks I would like to appreciate Prof. Jorma Jormakka, Assistant Vesa Kosonen and senior laboratory scientist Markus Peuhkuri. They help me a lot in the exercise! 12