S-38.153 Exercise Report: Nmap Introduction Jing Jin (56654T)

S-38.153 Exercise Report: Nmap Introduction
Jing Jin (56654T)
jinjing@cc.hut.fi
October 12, 2002
1. Introduction
There are a number of useful tools available to network security administrators, both commercially and from the Internet. Some of them can greatly aid the security analyst in identifying security exposures. Nmap (Network Mapper) is an excellent tool for checking the accuracy of scan data. It is an open source utility for network exploration and security auditing. Nmap lets the network administrator see what is running on the servers in question, and it can be downloaded freely from the Internet. Nmap supports dozens of scanning techniques, such as UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP protocol and Null scan. Nmap also offers a number of advanced features, such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.
Nmap runs on many operating systems, for example Red Hat Linux, Debian Linux and FreeBSD. The primary goal of Nmap is to help make the Internet more secure and to provide administrators, hackers and auditors with an advanced tool for exploring their networks. The HUT networking laboratory Linux machines run Debian Linux; the Nmap version there is V.2.54 beta 30. For more information about Nmap and to download it, please visit the web site www.insecure.org/nmap.
2. Scanning and security basics
2.1 scanning in general
The first step of an attack is to gather as much information as possible about the target network. An attacker looks for bugs in the different operating systems and the available services. This can be done with a tool called a scanner. Scanning can be done manually, but it is much easier to automate it with scanner tools such as SATAN (Security Administrator's Tool for Analyzing Networks), Nessus and Nmap.
Scanners query TCP/IP ports and record the target's response. They glean valuable information about the target host by determining:
- what services are currently running
- who owns those services
- whether anonymous logins are supported
- whether certain network services require authentication
2.2 Port and port scanning
A port is an access point for an application running on a computer system. All Internet and TCP/IP based networks require a source IP address, a destination IP address, a source port and a destination port. There are three kinds of ports: well-known ports, registered ports and dynamic (private) ports. The well-known ports range from 0 to 1023, the registered ports from 1024 through 49151, and the dynamic (private) ports from 49152 through 65535.
Port scanning uses specific tools, such as Nmap, to automate the identification of active ports on a target system.
2.3 Fingerprinting scanning
Fingerprinting is a technique that tries to identify the operating system of the target system. It helps an attacker to ascertain each target host's OS with high probability. Once the target's OS is identified, the attacker can concentrate his effort on compromising it.
3. Installing Nmap on Linux
To install Nmap on a Linux system, please follow these steps:
1. Open GnomeRPM: click the 'tool bar', choose 'system', then 'GnomeRPM'
2. Click install
3. Click add
4. Click on the Nmap rpm in the directory you downloaded it to
5. Click install
Please download Nmap from http://www.insecure.org/nmap
4. How Nmap works
The general format of the Nmap command line is:
nmap -parameters -options target_specification
4.1 An example
For example: nmap -sS -v 10.50.1.254
This executes Nmap using a SYN scan (-sS option), also called half-open scanning, which is a basic function of Nmap. The -v (verbose) option makes the output more detailed, and OS identification is turned on with the -O option. The scan is executed against the IP address 10.50.1.254, our laboratory IP address.
A normal TCP connection begins with a three-way handshake between the initiating system and the receiving system. The initiating system sends a SYN packet, the receiving system responds with a SYN-ACK message, and the initiating system answers with an ACK message. In half-open scanning, the initiating system sends an RST (reset) message instead of the final ACK message, so the connection is never completed.
The process is shown below.
nmap -sS -v 10.50.1.254
The output is shown below.
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.
Initiating SYN Stealth Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
Adding open port 23/tcp
Adding open port 515/tcp
Adding open port 80/tcp
Adding open port 139/tcp
Adding open port 1723/tcp
Adding open port 24/tcp
The SYN Stealth Scan took 1 second to scan 1549 ports.
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
4.2 Main Scan types in Nmap
4.2.1. TCP connection scanning (-sT)
This is the most basic form of TCP scanning. It is also called port scanning or vanilla scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise the port isn't reachable. One strong advantage of this technique is that you don't need any special privileges: any user on most UNIX boxes is free to use this call. Another advantage is speed. This is the fastest scanning method supported by Nmap, and it is available with the -t (TCP) option. However, a big disadvantage is that this sort of scan is easily detected and filtered. The target host's logs will show a bunch of connections and error messages for the services which accept the connection and then have it immediately shut down.
Below is the output from the Nmap scan.
#nmap -sT -v 10.50.1.254
The output is:
Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
4.2.2 Ident scanning (-I)
In ident scanning the -I option is used. It turns on TCP reverse ident scanning: the remote host's identd is queried for the owner of each open port found. If the host is not running identd, it doesn't work.
An attacker often looks for a machine on which he/she has a specific exploit for a process, such as a web server running as root. If the target is running identd, an attacker using Nmap can find out which user owns the http daemon by combining the ident scan with a TCP connect scan.
#nmap -I -v 10.50.1.254
Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.
Initiating Connect() Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
Adding open port 1723/tcp
Adding open port 80/tcp
Adding open port 24/tcp
Adding open port 23/tcp
Adding open port 139/tcp
Adding open port 515/tcp
The Connect() Scan took 1 second to scan 1549 ports.
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service         Owner
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
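The tables in sections 4.1, 4.2.1 and 4.2.2 all follow the same "Interesting ports on ..." layout, so one parser serves them all; this is an added example, not code from the report or from Nmap. The sample capture is constructed (its Owner values are invented), and the names parse_nmap_output and open_ports are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of the nmap output reproduced above (Owner column only with -I).
SAMPLE = """Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service         Owner
23/tcp     open        telnet          root
80/tcp     open        http            www-data
1723/tcp   open        pptp
"""

@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    owner: Optional[str] = None   # filled only when the target's identd answered

@dataclass
class ScanResult:
    host: str
    ip: str
    default_state: Optional[str] = None   # state of the ports "not shown below"
    not_shown: int = 0
    ports: List[PortRecord] = field(default_factory=list)

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+(?:\.\d+){3})\):")
HIDDEN_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_nmap_output(text: str) -> List[ScanResult]:
    """Parse every 'Interesting ports on ...' block in a normal-output capture."""
    results: List[ScanResult] = []
    cur: Optional[ScanResult] = None
    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            cur = ScanResult(host=m.group(1), ip=m.group(2))
            results.append(cur)
        elif cur and (m := HIDDEN_RE.match(line)):
            cur.not_shown, cur.default_state = int(m.group(1)), m.group(2)
        elif cur and (m := PORT_RE.match(line)):
            cur.ports.append(PortRecord(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return results

def open_ports(result: ScanResult) -> List[int]:
    return sorted(r.port for r in result.ports if r.state == "open")
```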
4.2.3. Ping sweeping (-sP)
Intruders are capable of sweeping networks in order to look for targets. The -sP flag is used in this case. Nmap sends an ICMP echo and a TCP ACK to each host it scans and records which hosts responded.
In this example, all hosts on the 10.50.1.254 network are scanned.
#nmap -sP -v 10.50.1.254
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
4.2.4. Stealth scanning (-sS)
Please see the example in section 4.1.
4.2.5. OS fingerprinting scanning (-O)
A common option is TCP/IP fingerprinting with the "-O" option to determine the remote operating system. It has to be combined with a port scan, not a ping scan. Nmap accomplishes this by sending different types of probes to the host, which narrow down the target operating system. Mostly, three main techniques are used in fingerprinting the TCP stack: FIN probing, which sees what kind of response the target gives; BOGUS flag probing, which was designed to see the remote host's reaction to undefined flags sent with a SYN packet; and TCP Initial Sequence Number (ISN) sampling, which looks for patterns in the ISN values. Some other methods of determining the remote operating system are also used in practice. An article on this topic by the author of Nmap can be found at http://www.insecure.org/nmap/nmap-fingerprinting-article.html.
Here is the example of the –o option which I did in the laboratory:
#nmap -o -v 10.50.1.254
Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
OS scanning (the capital -O option) also reports how vulnerable the system is to TCP sequence number prediction, that is, how easily its initial sequence numbers can be guessed. This is valuable to an attacker looking for hosts.
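The ISN sampling technique named above, worked through in Python as an added example (not from the report or from Nmap's source): it takes a handful of ISNs observed from one host, computes their differences and sorts them into predictability classes like those nmap prints. The function names, the class thresholds and the sample sequences are assumptions; nmap's real difficulty index is computed differently.

```python
from statistics import pstdev
from typing import List, Tuple

SEQ_SPACE = 1 << 32   # TCP sequence numbers are 32-bit and wrap around

def isn_deltas(samples: List[int]) -> List[int]:
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % SEQ_SPACE for a, b in zip(samples, samples[1:])]

def classify_isn(samples: List[int]) -> Tuple[str, float]:
    """Simplified ISN-sampling classifier (not nmap's exact algorithm).

    Returns a class name and the standard deviation of the deltas as a rough
    measure of how hard the next ISN is to predict: 0 means fully predictable.
    """
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples")
    d = isn_deltas(samples)
    spread = pstdev(d)
    if all(x == d[0] for x in d):
        return "constant increment", spread      # next ISN = last + fixed step
    if all(x % 64000 == 0 for x in d):
        return "64K rule", spread                # steps are multiples of 64000
    if all(x < SEQ_SPACE // 2 for x in d):
        return "random positive increments", spread
    return "truly random", spread

# Constructed sample sequences (not captured from the laboratory host):
CONSTANT_STEP = [1000, 2000, 3000, 4000]
RULE_64K = [64000, 128000, 256000, 320000]
RANDOM_POS = [10, 5000, 8000, 70000]
RANDOM = [0x10, 0xF0000000, 0x300, 0xA0000000]
```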
4.2.6 RPC scanning (-sR)
The RPC scanning method always works in combination with one of the port scan methods of Nmap. The idea is to determine whether the open ports found are RPC ports or not. Decoys are not used in RPC scanning.
#nmap -sR -v 10.50.1.254
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.
Initiating Connect() Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
Adding open port 23/tcp
Adding open port 80/tcp
Adding open port 139/tcp
Adding open port 1723/tcp
Adding open port 24/tcp
Adding open port 515/tcp
The Connect() Scan took 1 second to scan 1549 ports.
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
4.2.7 ACK scanning (-sA)
ACK scanning is an advanced method in Nmap, usually used to map out firewall rulesets. It helps to determine whether a firewall is stateful or not. ACK scanning sends an ACK packet to the specified ports. If an RST comes back, the port is classified as 'unfiltered'. If nothing comes back, the port is classified as 'filtered'. This scan never reports ports as 'open'.
Below is the example from our laboratory.
#nmap -sA -v 10.50.1.254
Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.
Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
The ACK Scan took 1 second to scan 1549 ports.
All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
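The packet exchanges described in sections 4.1, 4.2.1 and 4.2.7 (half-open SYN scan, connect() scan and ACK scan) modelled in Python, as an added example that is not part of the original report: it shows why the ACK scan of the laboratory gateway came back 'UNfiltered' for every port and what a stateful firewall would have changed. The names target_reply and run_scan and the simplified port/firewall model are assumptions.

```python
from typing import List, Optional, Tuple

# Port states as seen from the network: "open" (a service listens), "closed" (no
# listener, the host answers with RST) and "filtered" (a firewall silently drops
# the probe). stateful_fw models a firewall that drops packets belonging to no
# known connection, which is exactly what the ACK scan is designed to reveal.

def target_reply(probe: str, port_state: str, stateful_fw: bool) -> Optional[str]:
    """Segment the target sends back for one probe (None = nothing comes back)."""
    if port_state == "filtered":
        return None
    if probe == "SYN":
        return "SYN/ACK" if port_state == "open" else "RST"
    if probe == "ACK":
        # A bare ACK gets an RST from open and closed ports alike, unless a
        # stateful firewall drops it because no connection exists.
        return None if stateful_fw else "RST"
    raise ValueError(f"unknown probe {probe}")

def run_scan(scan: str, port_state: str, stateful_fw: bool = False) -> Tuple[List[str], str]:
    """Return the packet exchange ('->' scanner, '<-' target) and nmap's verdict."""
    exchange: List[str] = []
    if scan in ("sS", "sT"):
        exchange.append("-> SYN")
        reply = target_reply("SYN", port_state, stateful_fw)
        if reply is None:
            return exchange, "filtered"
        exchange.append("<- " + reply)
        if reply == "RST":
            return exchange, "closed"
        if scan == "sS":
            exchange.append("-> RST")            # half-open: abort before completing
        else:
            exchange += ["-> ACK", "-> FIN/ACK"]  # connect(): complete, then close at once
        return exchange, "open"
    if scan == "sA":
        exchange.append("-> ACK")
        reply = target_reply("ACK", port_state, stateful_fw)
        if reply is None:
            return exchange, "filtered"
        exchange.append("<- " + reply)
        return exchange, "unfiltered"   # an ACK scan never reports "open"
    raise ValueError(f"unknown scan type {scan}")
```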
4.2.8 List scanning (-sL)
List scanning generates and prints a list of IPs/names without actually pinging or port scanning them. The output is shown below.
#nmap -sL -v 10.50.1.254
Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) not scanned
Nmap run completed -- 1 IP address (0 hosts up) scanned in 0 seconds
4.2.9. P0 option (-P0)
A useful option with scans is "-P0", also called 'Don't ping host': do not try to ping hosts at all before scanning them. This option allows the scanning of networks that don't allow ICMP echo requests through their firewalls (for example, Microsoft.com). Since Nmap pings a target with both a TCP "ping" and an ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default.
#nmap -p0 -v 10.50.1.254
Starting Nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
4.2.10 Other frequently used options
-v: Verbose mode. You will see ports come up as they're found.
-h: Get Nmap help.
-R: Scan the target host's ports in random order.
-F: Fast mode.
For some other basic scanning techniques, please see the Finnish document on the web page http://tct.hut.fi/opetus/s38153/Lisamateriaali/nmap.doc
5 Summary
Nmap can be used by both administrators and attackers. Now we consider how to prevent an attacker from using Nmap. In practice, some tools exist for this, such as Scanlogd, Courtney and Shadow. However, the most important point here is the knowledge of the network administrator. Scanners are tools that help administrators to plan, and they are also the precursor to an attack. By using Nmap to monitor their web sites, administrators can discover a potential intruder.
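Scan detection from the defender's side, as an added example that is not from the report or from any of the tools named above (Scanlogd, Courtney, Shadow): it reads constructed iptables-style SYN log lines and flags a source that hits many distinct ports within a few seconds, the pattern that section 4.2.1 says makes a connect scan easy to detect. The log format, the thresholds and the function names parse_syns and detect_scans are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log lines in the style of the Linux iptables LOG target, as if the
# gateway logged incoming TCP SYNs (assumption; not taken from the laboratory host).
LOG = """\
Oct 12 10:01:02 vpn1-gw kernel: IN=eth0 SRC=10.50.1.17 DST=10.50.1.254 PROTO=TCP SPT=40001 DPT=23 SYN
Oct 12 10:01:02 vpn1-gw kernel: IN=eth0 SRC=10.50.1.17 DST=10.50.1.254 PROTO=TCP SPT=40002 DPT=24 SYN
Oct 12 10:01:02 vpn1-gw kernel: IN=eth0 SRC=10.50.1.17 DST=10.50.1.254 PROTO=TCP SPT=40003 DPT=80 SYN
Oct 12 10:01:03 vpn1-gw kernel: IN=eth0 SRC=10.50.1.17 DST=10.50.1.254 PROTO=TCP SPT=40004 DPT=139 SYN
Oct 12 10:01:03 vpn1-gw kernel: IN=eth0 SRC=10.50.1.17 DST=10.50.1.254 PROTO=TCP SPT=40005 DPT=515 SYN
Oct 12 10:01:03 vpn1-gw kernel: IN=eth0 SRC=10.50.1.17 DST=10.50.1.254 PROTO=TCP SPT=40006 DPT=1723 SYN
Oct 12 10:05:00 vpn1-gw kernel: IN=eth0 SRC=10.50.1.99 DST=10.50.1.254 PROTO=TCP SPT=51000 DPT=80 SYN
Oct 12 10:09:00 vpn1-gw kernel: IN=eth0 SRC=10.50.1.99 DST=10.50.1.254 PROTO=TCP SPT=51001 DPT=23 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .* SRC=(\S+) .* DPT=(\d+) .*\bSYN\b")

def parse_syns(text: str, year: int = 2002) -> List[Tuple[datetime, str, int]]:
    """(timestamp, source IP, destination port) for every logged SYN, in time order."""
    events = []
    for line in text.splitlines():
        if (m := LINE_RE.match(line)):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events)

def detect_scans(events, window_s: int = 3, min_ports: int = 6) -> Dict[str, List[int]]:
    """Sources that touch at least min_ports distinct ports within window_s seconds.

    The same heuristic scanlogd-style tools apply: one legitimate client rarely
    opens connections to many different ports almost at once, a port scanner does.
    """
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    hits: Dict[str, List[int]] = {}
    for src, evs in by_src.items():
        for i, (t0, _) in enumerate(evs):   # slide a window starting at each event
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```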
6 References
1. S-38.153 lecture slides, http://tct.hut.fi/opetus/s38153/slides/S38153_2.pdf
2. www.insecure.org/nmap
3. http://sinbad.zhoubin.com
4. www.linuxsecurity.com
5. Anonymous: Maximum Security, 2nd edition, Sams Publishing, USA, 1998
7 Thanks
I would like to thank Prof. Jorma Jormakka, Assistant Vesa Kosonen and senior laboratory scientist Markus Peuhkuri. They helped me a lot in the exercise!