Network Mapper (Nmap)
Ασφάλεια Δικτύων (Network Security), Τμήμα Πληροφορικής (Department of Informatics), Ο.Π.Α. (Athens University of Economics and Business), Asst. Prof. I. Marias

Contents
Introduction
Target Specification
Host Discovery
Port Scanning
Service and Version Detection
OS Detection
Examples
Assignment

“Network Mapper” (nmap)
Definition
A powerful utility for network exploration and security auditing. It is used to discover hosts and services on a computer network, thus creating a "map" of the network.
History
First release: September 1, 1997, in Phrack Magazine issue 51, “The Art of Port Scanning”, http://www.insecure.org/nmap/p51-11.txt, written by Gordon Lyon (Fyodor)
Current version (at the time of writing): 6.40

Nmap is … (1)
Flexible
Supports advanced techniques for mapping out networks filled with
• IP filters,
• firewalls,
• routers, etc.
Includes
• several port scanning mechanisms (TCP, UDP and SCTP),
• OS detection,
• version detection,
• ping sweeps, etc.

Nmap is … (2)
Free (GNU GPL license)
Open source
Portable: Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more...
Very popular… a movie star:
• “Matrix Reloaded”
• “Bourne Ultimatum”
• “Die Hard 4”

Nmap Package
Nmap: command-line executable
Zenmap: advanced GUI and results viewer
Ncat: data transfer, redirection, and debugging tool
Ndiff: utility for comparing scan results
Nmap - Links
Available for download: http://nmap.org/download.html
Installation instructions for all supported OSes: http://nmap.org/book/install.html
Reference guide: http://nmap.org/book/man.html

Nmap Screenshots
[Screenshots: the nmap command line and the Zenmap GUI]

Target Specification
Classless Inter-Domain Routing (CIDR) addressing
IP address format: two groups
• most significant part: the network address, which identifies a whole network or subnet
• least significant part: the host identifier, a particular host interface on that network
Examples:
192.168.1.0/24 - Scan: 192.168.1.0 to 192.168.1.255
192.168.1.40/16 - Scan: 192.168.0.0 to 192.168.255.255 (the host bits of .1.40 are ignored)
132.18.3.210/32 - Scan: ???
78.184.23.1/0 - Scan: ???
210.43.1-255.4-140 - Scan: ??? (Nmap also accepts per-octet ranges and comma-separated lists)

Scanning with nmap
nmap 192.168.1.1
Port scan of the specified host. By default Nmap first checks that the host is up, then scans the 1000 most common TCP ports: a SYN scan when run with raw-packet privileges (root), a connect scan otherwise.

Host Discovery (1)
List Scan (-sL)
Lists each host of the specified target range (with reverse-DNS names) without sending any packets to the target hosts
nmap -sL www.skai.gr

Host Discovery (2)
Skip port scan (-sP)
"Ping scan": prints only the hosts that responded to the discovery probes; no port scan follows (newer versions name this option -sn and keep -sP as an alias)
nmap -sP 192.168.1.1/24

Host Discovery (3)
No Ping (-PN)
Performs port scanning without first checking whether the host is up; every target is treated as alive, which is what you want when a firewall drops the discovery probes (newer versions spell the option -Pn)
nmap -PN 192.168.1.1

Host Discovery (4)
TCP SYN Ping (-PS)
Sends an empty TCP packet with the SYN flag set (to port 80 by default; -PS22,80,443 chooses other ports)
The SYN flag suggests to the remote system that you are attempting to establish a connection.
• If the destination port is closed -> an RST (reset) packet is sent back
• If the destination port is open -> a SYN/ACK packet is sent back
  – Nmap answers with RST, so no connection is ever completed
• In both cases, the host is alive

Host Discovery (5)
TCP ACK Ping (-PA)
Sends an empty TCP packet with the ACK flag set (to port 80 by default)
Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists
• If the destination host is alive -> an RST (reset) packet is sent back
Since -PA and -PS are similar, why have both? To maximise the chance of getting through a firewall: stateless packet filters often drop inbound SYNs to anything but public services yet pass ACKs, which look like part of an existing connection, while stateful firewalls drop unexpected ACKs but still let SYNs through to be answered. Sending both covers both cases.

Host Discovery (7)
UDP Ping (-PU)
Sends an empty UDP packet
• by default to port 40125, chosen because it is unlikely to be in use
Return value
• ICMP port unreachable -> destination host is up
• other ICMP errors (host/network unreachable, TTL exceeded) -> destination host is down or unreachable
• No answer -> the host is treated as down. An open UDP port usually ignores the empty datagram and sends nothing back, which is why the default probe port is an unlikely one: the probe works by hitting a closed port.

Host Discovery (8)
SCTP INIT Ping (-PY)
Stream Control Transmission Protocol
Sends an SCTP packet containing a minimal INIT chunk
The INIT chunk suggests to the remote system that you are attempting to establish an association.
• If the destination port is closed -> an ABORT packet is sent back
• If the destination port is open -> an INIT-ACK packet is sent back
  – Nmap answers with ABORT
• In both cases, the host is alive
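The target specification slide and the ping sweeps above both take Nmap-style ranges (CIDR and per-octet ranges). The following is an added example, not Nmap's own target parser: it counts and expands such specifications, refuses to enumerate anything as large as a /0, and checks that a given address lies inside an authorised range before it is swept. Hostnames, IPv6 and the bare "-" shorthand are deliberately left out.

```python
"""Expand and count Nmap-style target specifications.

Handles the two forms on the target specification slide: CIDR (192.168.1.40/16)
and per-octet ranges or lists (210.43.1-255.4-140, 10.0.0.1,5,9).  Added
illustration, not Nmap's own parser; hostnames, IPv6 and the '-' shorthand
for 0-255 are not supported.
"""
import ipaddress
from itertools import product
from typing import Iterator, List


def _octet_values(field: str) -> List[int]:
    """'1-255' -> [1, ..., 255]; '4' -> [4]; '1,5,9' -> [1, 5, 9]."""
    values: List[int] = []
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def target_count(spec: str) -> int:
    """Number of addresses the spec covers, computed without enumerating them.

    A /0 covers all 2**32 IPv4 addresses; counting first is what lets a tool
    refuse such a typo instead of starting a scan of the whole Internet.
    """
    if "/" in spec:
        # strict=False drops the host bits, which is how Nmap reads 192.168.1.40/16
        return ipaddress.ip_network(spec, strict=False).num_addresses
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    count = 1
    for octet in octets:
        count *= len(_octet_values(octet))
    return count


def expand_targets(spec: str, limit: int = 1 << 16) -> Iterator[str]:
    """Yield every address in the spec; refuse anything larger than `limit`."""
    total = target_count(spec)
    if total > limit:
        raise ValueError(f"{spec!r} covers {total} addresses (limit {limit})")
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    for combo in product(*(_octet_values(o) for o in spec.split("."))):
        yield ".".join(str(v) for v in combo)


def in_scope(addr: str, allowed: List[str]) -> bool:
    """True if addr falls inside at least one allowed spec.

    The check to run before a sweep: the targets a scanner expands must stay
    inside the ranges the engagement authorises.
    """
    ip = ipaddress.ip_address(addr)
    for spec in allowed:
        if "/" in spec:
            if ip in ipaddress.ip_network(spec, strict=False):
                return True
        else:
            parts = [int(x) for x in addr.split(".")]
            if all(p in _octet_values(o) for p, o in zip(parts, spec.split("."))):
                return True
    return False


if __name__ == "__main__":
    for spec in ["192.168.1.0/24", "192.168.1.40/16", "132.18.3.210/32",
                 "78.184.23.1/0", "210.43.1-255.4-140"]:
        print(f"{spec:22s} {target_count(spec)} addresses")
    print(list(expand_targets("192.168.1.0/30")))
```

Running the script prints the address count for each specification on the slide; `expand_targets` raises rather than trying to list the /0, and `in_scope` is the guard a scanning wrapper should apply before handing a range to nmap.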
Host Discovery (9)
ARP Ping (-PR)
Sends an ARP request; this is the default, and the most reliable, probe for targets on the local Ethernet segment, and Nmap uses it there automatically
• If an ARP reply comes back -> host is alive
ICMP Ping (-PE)
Sends an ICMP type 8 (echo request) packet
• If an ICMP type 0 (echo reply) comes back -> host is alive
IP Protocol Ping (-PO)
Sends IP packets with the specified protocol number set in their IP header. By default:
• ICMP (protocol 1)
• IGMP (protocol 2)
• IP-in-IP (protocol 4)
Response:
• If the protocol is supported, a response using the same protocol as the probe
• If the protocol is not supported, an ICMP protocol unreachable message
• Either way, the host is alive

Port Scanning - Port States
Open
An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.
Closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
Filtered
Nmap is unable to determine whether the port is open because packet filtering prevents its probes from reaching the port:
• a dedicated firewall device, router rules, or host-based firewall software.
Unfiltered (only ACK scan)
The port is accessible, but Nmap is unable to determine whether it is open or closed.
Open|filtered
Nmap cannot tell the two states apart; this is what UDP, NULL, FIN and Xmas scans report for ports that give no response at all.

Port Scanning (1)
TCP SYN Scan (-sS)
Sends a TCP packet with the SYN flag set
The SYN flag suggests to the remote system that you are attempting to establish a connection.
• RST (reset) packet sent back -> destination port closed
• SYN/ACK packet sent back -> destination port open
  – Nmap answers with RST, so the handshake is never completed
• No response after retransmissions -> port is marked filtered
• ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) -> port is marked filtered
This technique is often referred to as half-open scanning. It is Nmap's default scan when it has raw-packet privileges (root); otherwise Nmap falls back to the connect scan (-sT), which completes the handshake and is far more likely to be logged by the target application.
Port Scanning (2)
TCP ACK scan (-sA)
Used only to determine filtered/unfiltered ports, i.e. to map firewall rulesets; it never says whether a port is open
• Both open and closed ports return RST
Sends an empty TCP packet with the ACK flag set
Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists
Response:
• RST packet -> port is unfiltered (open or closed; the ACK scan cannot tell which)
• No response, or an ICMP unreachable error -> port is filtered

Port Scanning (3)
TCP Window scan (-sW)
Exactly the same as the ACK scan, except that it examines the TCP Window field of the RST packets returned:
• open ports use a positive window size
• closed ports have a zero window
Unreliable: this relies on an implementation detail of a minority of systems; systems that do not behave this way usually have every port reported as closed.

Port Scanning (4)
TCP NULL, FIN and Xmas scans
RFC 793 states that a packet not containing the SYN, RST or ACK bits, sent to a port with no connection, results in
• RST if the port is closed
• no response at all if the port is open
Three scanning techniques combine the other three bits, FIN, PSH and URG:
• Null scan (-sN): does not set any bits
• FIN scan (-sF): sets just the TCP FIN bit
• Xmas scan (-sX): sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree
Interpretation: RST -> closed; no response -> open|filtered; ICMP unreachable -> filtered. These probes can slip past some non-stateful firewalls, but they cannot separate open from filtered ports, and systems that do not follow RFC 793 on this point (Microsoft Windows, many Cisco devices, BSDI, IBM OS/400) send RST to every probe, so all ports appear closed.

Port Scanning (5)
UDP scan (-sU)
Sends UDP packets
• For known protocol ports, a protocol-specific payload is sent
  – DNS, port 53
  – SNMP, ports 161/162
  – DHCP, ports 67/68
• For the rest, an empty payload is sent
Return value
• ICMP port unreachable (type 3, code 3) -> port is closed
• other ICMP unreachable errors (type 3, code 0, 1, 2, 9, 10 or 13) -> port is filtered
• UDP packet -> port is open
• no response -> open|filtered (most services ignore an unexpected empty datagram)
UDP scans are slow: many hosts rate-limit ICMP port unreachable messages (Linux sends at most one per second by default), so scanning all 65535 UDP ports of a single host can take many hours.

Port Scanning (6)
SCTP INIT scan (-sY)
Sends an SCTP packet containing an INIT chunk
The INIT chunk suggests to the remote system that you are attempting to establish an association; this is the SCTP equivalent of the TCP SYN scan.
Response:
• ABORT packet -> destination port closed
• INIT-ACK packet -> destination port open
  – Nmap answers with ABORT, so the association is never completed
• No response -> port filtered
• ICMP unreachable -> port filtered

Port Scanning (7)
SCTP COOKIE ECHO scan (-sZ)
Sends an SCTP packet containing a COOKIE ECHO chunk
Response:
• ABORT packet -> port is closed
• No response -> port is open|filtered
  – an open port silently drops unexpected COOKIE ECHO chunks
Downside: cannot differentiate between open and filtered ports (the SCTP analogue of the NULL/FIN/Xmas scans).

Service and Version Detection
Version scan (-sV)
After the port scan, Nmap sends protocol-specific probes to each open port (from its nmap-service-probes database) and matches the responses to determine:
• the service protocol, e.g. FTP, SSH, Telnet, HTTP
• the application name, e.g. ISC BIND, Apache httpd, Solaris telnetd
• the version number
• the hostname
• the device type, e.g. printer, router
• miscellaneous details
Caveat: a banner is whatever the remote service chooses to send, so a version string can be altered by the target; treat -sV output as a strong hint, not proof.

OS Detection
Enable OS detection (-O)
Nmap sends a series of TCP, UDP and ICMP probes and compares the responses against its database of known OS fingerprints (nmap-os-db). Each fingerprint includes
• a freeform textual description of the OS
• a classification which provides
  – the vendor name (e.g. Sun)
  – the underlying OS (e.g. Solaris)
  – the OS generation (e.g. 10)
  – the device type: general purpose, router, switch, game console, ...
OS detection works best when the target has at least one open and one closed TCP port.
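The TCP scans on the port scanning slides differ only in which control bits the probe carries, and their interpretation rests on the RFC 793 reply rule quoted above. The following is an added example, not Nmap's own code: it builds the 20-byte TCP headers of the SYN, ACK, NULL, FIN and Xmas probes with a correct checksum, models how an RFC 793 stack answers each one on an open or closed port, and derives the state Nmap reports from that, including why NULL/FIN/Xmas can only say open|filtered and why the ACK scan only says unfiltered. Everything happens in memory (no raw sockets, nothing is sent); the addresses, ports, window and sequence numbers are made up.

```python
"""Build the TCP probes behind Nmap's SYN, ACK, NULL, FIN and Xmas scans and
model the RFC 793 reply rule those scans rely on.

Added illustration for the port scanning slides; not Nmap's code.  Headers are
only constructed and classified in memory, and the addresses, ports, window
and sequence numbers are made up.
"""
import socket
import struct

# RFC 793 control bits, the lowest six bits of header octets 13-14
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets of the scans (and pings) on the slides
PROBES = {
    "syn": SYN,                # -sS / -PS
    "ack": ACK,                # -sA / -PA
    "null": 0,                 # -sN
    "fin": FIN,                # -sF
    "xmas": FIN | PSH | URG,   # -sX
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip: str, dst_ip: str, sport: int, dport: int,
                    flags: int, seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Return a 20-byte TCP header (no options, empty payload) with a valid checksum."""
    offset_flags = (5 << 12) | (flags & 0x3F)   # data offset = 5 words, then the flag bits
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def probe_flags(segment: bytes) -> int:
    """The six control bits of a TCP header (what a sniffer or IDS classifies on)."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: the checksum over pseudo-header plus segment must be zero."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def rfc793_reply(flags: int, port_open: bool) -> str:
    """Reply of an RFC 793 stack to a probe when no connection exists.

    CLOSED port: anything that is not itself a RST is answered with RST.
    LISTEN port: RST is ignored, an ACK gets RST, a SYN gets SYN/ACK, and
    anything else (NULL, FIN, Xmas) is silently dropped.
    """
    if flags & RST:
        return "none"
    if not port_open or flags & ACK:
        return "RST"
    if flags & SYN:
        return "SYN/ACK"
    return "none"


def nmap_state(probe: str, port_open: bool, filtered: bool = False) -> str:
    """State Nmap reports for a probe against a target whose true state we know.

    A filtered port drops the probe; otherwise the target answers as in
    rfc793_reply().  This is why NULL/FIN/Xmas cannot tell open from filtered
    and why the ACK scan only tells filtered from unfiltered.
    """
    flags = PROBES[probe]
    reply = "none" if filtered else rfc793_reply(flags, port_open)
    if flags & SYN:
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if flags & ACK:
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"


if __name__ == "__main__":
    seg = build_tcp_probe("10.0.0.1", "10.0.0.2", 40000, 80, PROBES["xmas"])
    print(seg.hex(), "flags=0x%02x" % probe_flags(seg), checksum_ok("10.0.0.1", "10.0.0.2", seg))
    for name in PROBES:   # columns: open, closed, open-but-filtered
        print(name, [nmap_state(name, o, f) for o, f in [(True, False), (False, False), (True, True)]])
```

The table printed at the end is the one to keep in mind when reading scan output: only the SYN probe yields a clean three-way open/closed/filtered split, the ACK probe collapses open and closed into "unfiltered", and the flag-less probes collapse open and filtered into "open|filtered". Systems that violate RFC 793 (see the slide) answer the NULL/FIN/Xmas probes with RST, which this model would report as "closed" for every port.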
Examples

Assignment
Scan the network and check whether specific ports are open
Scan the network and determine which hosts are virtual machines
Scan the network and determine
• OS
• fingerprints
• ports/services
etc.
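Each assignment item is a question about scan results rather than about running nmap, so the practical step is to have Nmap write XML (`-oX scan.xml`) and answer from that. The following is an added example, not part of the course material or of Nmap: it parses a constructed three-host `-oX` result (abridged but in Nmap's real element layout) and answers the three questions: which hosts are up and have a given port open, what service version and OS Nmap matched per host, and which hosts look like virtual machines. The VM check is a heuristic on the MAC address OUI that Nmap reports for hosts on the local LAN; the OUI list is an assumption for this example and a guest can change its MAC, so it is a hint rather than proof.

```python
"""Answer the assignment questions from Nmap XML output (-oX) offline.

Added illustration, not Nmap code.  SAMPLE_XML is a constructed three-host
result in the -oX layout (abridged); addresses, MACs, services and OS matches
are made up.  VM_OUIS is an assumed list of hypervisor OUI prefixes.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.1.0/24" version="6.40" xmloutputversion="1.04">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:0C:29:AB:CD:EF" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="6.2p2" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="Apache httpd" version="2.2.22" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 3.8" accuracy="96"><osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="96"/></osmatch></os>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
<address addr="00:1B:21:44:55:66" addrtype="mac" vendor="Intel Corporate"/>
<ports>
<port protocol="tcp" portid="22"><state state="closed" reason="reset" reason_ttl="128"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="ms-wbt-server" product="Microsoft Terminal Service" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Microsoft Windows 7" accuracy="90"><osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="7" accuracy="90"/></osmatch></os>
</host>
<host><status state="down" reason="no-response"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

# OUI prefixes used by hypervisor vendors (assumed list; a guest can spoof its MAC)
VM_OUIS = {
    "00:0C:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:1C:42": "Parallels", "00:15:5D": "Hyper-V",
}


def parse_hosts(xml_text: str) -> List[Dict]:
    """One dict per <host>: ip, up, mac, vendor, ports {(proto, port): info}, os."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addrs = {a.get("addrtype"): a for a in h.findall("address")}
        mac = addrs.get("mac")          # only present for hosts on the local LAN
        ports = {}
        for p in h.findall("ports/port"):
            svc = p.find("service")     # absent unless -sV matched something
            ports[(p.get("protocol"), int(p.get("portid")))] = {
                "state": p.find("state").get("state"),
                "service": None if svc is None else svc.get("name"),
                # product and version are optional; join whichever are present
                "product": None if svc is None else " ".join(
                    v for v in (svc.get("product"), svc.get("version")) if v),
            }
        # -O may list several candidates; keep the most accurate one
        best = max(h.findall("os/osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        hosts.append({
            "ip": addrs["ipv4"].get("addr"),
            "up": h.find("status").get("state") == "up",
            "mac": None if mac is None else mac.get("addr"),
            "vendor": None if mac is None else mac.get("vendor"),
            "ports": ports,
            "os": None if best is None else best.get("name"),
        })
    return hosts


def hosts_up(hosts: List[Dict]) -> List[str]:
    return [h["ip"] for h in hosts if h["up"]]


def hosts_with_open_port(hosts: List[Dict], proto: str, port: int) -> List[str]:
    """Only 'open' counts; 'open|filtered' from a UDP scan is not a confirmed listener."""
    return [h["ip"] for h in hosts
            if h["ports"].get((proto, port), {}).get("state") == "open"]


def likely_vms(hosts: List[Dict]) -> Dict[str, str]:
    """ip -> hypervisor for hosts whose MAC OUI belongs to a virtualisation vendor."""
    return {h["ip"]: VM_OUIS[h["mac"].upper()[:8]]
            for h in hosts if h["mac"] and h["mac"].upper()[:8] in VM_OUIS}


def inventory(hosts: List[Dict]) -> List[str]:
    """One report line per live host: IP, OS match, open services with versions."""
    lines = []
    for h in (x for x in hosts if x["up"]):
        opened = sorted((k, v) for k, v in h["ports"].items() if v["state"] == "open")
        svcs = ", ".join(f"{p}/{proto} {v['service']} ({v['product']})" for (proto, p), v in opened)
        lines.append(f"{h['ip']}  os={h['os']}  open=[{svcs}]")
    return lines
```

To use it on a real scan, replace `SAMPLE_XML` with the contents of the file written by `nmap -sS -sV -O -oX scan.xml <targets>` (run as root so the MAC addresses and OS probes are available) and call `parse_hosts` on it; the MAC vendor string is only filled in for hosts on the same Ethernet segment as the scanner, so the VM question cannot be answered across a router.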