AppSec USA 2014, Denver, Colorado

nmap 101
An introduction to the timeless network scanner

Introduction

Jon Pettyjohn

Jon Pettyjohn is a cybersecurity professional at Aerstone with over ten (10) years of experience conducting penetration testing of networks and web applications. Mr. Pettyjohn started IT security testing in 2003 for Science Applications International Corporation (SAIC), now known as Leidos. During his time at SAIC, Mr. Pettyjohn was a member of a penetration test team that conducted over sixty-five (65) testing engagements a year for the Defense Department and the Federal Government. At Aerstone, Jon is a member of the security testing and Payment Card Industry assessment practice.

Jon Pettyjohn, jon@aestone.com

Objectives
• To provide an introduction to nmap
• Learn basic network discovery/enumeration
• Cover other uses:
  – Service enumeration
  – OS detection
  – Slow or "stealth" scanning
• Not covering installation and every option
• Hands-on practice!

Background
• Free and open source: http://nmap.org/download.html
• Short for "Network Mapper"
• Written and maintained by Gordon "Fyodor" Lyon
• First released in 1997
• Appeared in "The Matrix Reloaded"
• Still used today

What is it?
• nmap is a port scanner with lots of options
• Excellent tool for discovering "live" hosts and devices on a network
• Excellent tool for identifying available services on a host or device
• Very good tool for identifying the operating system of a host or device
• Good tool for identifying the type and version of available services on a host or device

nmap and Pentesting
[Diagram: nmap drives the first two phases of a pentest, and each phase hands its collected data on to the next]
  Discovery      -> IPs
  Enumeration    -> IPs, ports/services
  Vuln scanning  -> IPs, ports/services, potential vulns
  Pentesting     -> IPs, ports/services, confirmed weaknesses

Basic Usage: Discovery
• Process of sending probes to solicit responses from active devices.
• AKA network recon, ping sweep
• Examples:

  # nmap -sn 192.168.1.1-254
  Basic ping sweep of 192.168.1.x (-sn: no port scanning).
  When scanning local networks (the same Ethernet segment), nmap uses ARP requests to determine live hosts, so machines that drop ICMP are still found. Off the local segment, the default root discovery probes are an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request.

  # nmap -sn -PS21,22,80,443 192.168.1.1-254
  SYN ping (raw packets, so root): sends an empty SYN to each listed port as if starting the 3-way handshake; either a SYN/ACK or a RST reply marks the host as up. An unprivileged user gets the same effect through connect() calls.

  # nmap -Pn -p21,22,23,53,80,113,137,139,443,3389 192.168.1.1-254
  No ping: skips nmap's normal host discovery, treats every target in the list as up and port-scans the listed TCP ports on each. Use it when a firewall drops the discovery probes; it is slower, because down hosts are scanned too.

Basic Usage: Enumeration
• AKA "port scanning"
• The goal of enumeration is to identify the open ports, services and OSs of the live targets found in the discovery phase.
• Root privileges are needed to run SYN (-sS) and UDP (-sU) scans, because they send raw packets; without root, nmap's default is a full TCP connect scan (-sT).
• Examples:

  # nmap -sS -iL <hostlist>
  Default port scan (SYN) of the default ports: the 1,000 most common TCP ports from the nmap-services file. Targets come from a host file (-iL) or as IPs on the command line.

  # nmap -sS -p1-65535 -iL <hostlist>    (or -p-)
  Scans all 65,535 TCP ports. "Dash p dash" is equivalent to listing all 65k ports, minus port 0.

  # nmap -sU -p1-65535 -iL <hostlist>    (or -p-)
  Scans all 65,535 UDP ports. Expect this to take many hours per host: most UDP ports never answer (reported as open|filtered), and many OSs rate-limit the ICMP port-unreachable replies that identify the closed ones.

Basic Usage: Enumeration (cont.)
Some common UDP ports:

  Port  Service  Description
  53    DNS      Domain Name System. Used for name resolution.
  69    TFTP     Trivial File Transfer Protocol. A stripped-down FTP that requires no credentials; common on network devices for config and boot images.
  111   RPC      rpcbind/portmapper. Common on UNIX hosts, where it maps RPC programs such as NFS (Network File System, itself on 2049) to their ports. Useful for fingerprinting *NIX boxes.
  123   NTP      Network Time Protocol. Used for time sync.
  161   SNMP     Simple Network Management Protocol. Agents listen on UDP 161; traps are sent to UDP 162 on the manager. Still widely used, often with default community strings.

Port Scan Output
[Screenshot: nmap port scan output]

Port Scan Output Analysis
Understanding the results, focusing on the most common ports/services:

  21/tcp    open  ftp           Likely an FTP server
  25/tcp    open  smtp          Likely a mail server
  80/tcp    open  http          Likely a web server
  135/tcp   open  msrpc         Typically a Microsoft service
  139/tcp   open  netbios-ssn   Typically a Microsoft service
  445/tcp   open  microsoft-ds  Typically a Microsoft service
  1433/tcp  open  ms-sql-s      Likely a SQL server

At this phase none of the services have been verified, hence "likely" and "typically": a plain port scan only looks the port number up in nmap-services, and anything can be bound to any port. Version detection (-sV) is what confirms the guess.
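The discovery-then-enumeration flow from the two Basic Usage slides above, as an added example that is not part of the deck: the ping sweep is written as grepable output (-oG, covered under Other Useful Options), its "Status: Up" lines are turned into the host list that -iL consumes, and the SYN scan runs against that list. The sample sweep output is constructed, the target range and file names are placeholders, and the real nmap calls only run when nmap is installed and LIVE=1 is set (a variable this script defines for itself), since -sS needs root.

```shell
#!/bin/sh
# Added example (not from the slides): chain nmap discovery into enumeration.
# The ping sweep writes grepable output (-oG); its "Status: Up" lines become
# the host list that the port scan consumes with -iL.

# Print the IP of every host nmap marked "Status: Up" in grepable output read
# from stdin. Host lines look like "Host: 192.168.1.10 (name)  Status: Up", so
# field 2 is always the IP, whatever is in the parentheses.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of "nmap -sn -v -n -oG - 192.168.1.1-254" output (not
# real scan data; down hosts are listed only with -v, and real output uses a
# tab before "Status:", which awk's default field splitting handles as well).
SAMPLE_SWEEP='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.11 ()  Status: Down
Host: 192.168.1.50 (printer.lan)  Status: Up
# Nmap done -- 254 IP addresses (3 hosts up) scanned'

# The enumeration command line: -n skips reverse DNS, -sS is the default SYN
# scan (root), -oA writes normal, XML and grepable files under one basename.
enum_command() {
    printf 'nmap -n -sS -iL %s -oA %s' "$1" "$2"
}

# Discovery -> host list -> enumeration. Set LIVE=1 (and run as root) to scan
# for real; otherwise the constructed sample stands in for the sweep and the
# enumeration command is only printed, so the script runs offline.
run_pipeline() {
    target="$1"; hostlist="$2"; outbase="${3:-enum}"
    if [ "${LIVE:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
        # On a local Ethernet segment -sn discovers hosts with ARP, so it
        # still finds machines that drop ICMP echo requests.
        nmap -n -sn -oG - "$target" | live_hosts > "$hostlist"
        nmap -n -sS -iL "$hostlist" -oA "$outbase"
    else
        printf '%s\n' "$SAMPLE_SWEEP" | live_hosts > "$hostlist"
        echo "dry run; would execute: $(enum_command "$hostlist" "$outbase")"
    fi
    echo "$(wc -l < "$hostlist" | tr -d ' ') live hosts written to $hostlist"
}

run_pipeline 192.168.1.1-254 "${TMPDIR:-/tmp}/live-hosts.txt"
```

Keeping the host list as a file between the two phases is deliberate: it is the artifact you hand to the enumeration and vulnerability-scanning phases, and it lets a long port scan be restarted with --resume without repeating discovery.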
OS and Version Identification

OS detection
To identify the operating system of a host, nmap compares the responses to a series of TCP/IP probes against its database of OS fingerprints (nmap-os-db). It needs root and works best when the target has at least one open and one closed TCP port:
  # nmap -O <host or hostlist>

Version fingerprinting
A standard port scan only produces a best guess at the service from the port number. Version detection connects to each open port, sends protocol probes and compares the replies against a database of protocol signatures (nmap-service-probes) to identify the application name (Apache, Solaris telnetd, etc.), version, device type and OS family. Because it completes connections and talks to the services, it is noisier than a plain SYN scan and shows up in application logs:
  # nmap -sV -Pn <host or hostlist>
  (-Pn was spelled -PN in older versions; both are accepted.)

Stealth Scanning
• Targets protected by a firewall or filtering device may require adjusting the speed and throughput of the probes sent.
• Multiple source IPs may be used if security devices block the tester's IPs.
• "Throttle" switches are the timing templates -T0 to -T5 (5 being the fastest, -T3 the default).
• The following nmap command may be used to execute a throttled-down scan that sends one probe every 3 seconds:

  # nmap -sS -Pn --top-ports 100 --max-rate .33 --max-parallelism 1 --max-retries 2 --max-rtt-timeout 500ms --max-hostgroup 1 <subnet>

  Option                   Description
  --top-ports 100          scan the 100 most common ports
  --max-rate .33           send at most 0.33 probes per second, i.e. one probe every 3 secs
  --max-parallelism 1      send 1 probe at a time
  --max-hostgroup 1        scan one host at a time
  --max-rtt-timeout 500ms  wait at most 500 ms for a reply
  --max-retries 2          retransmit an unanswered probe at most twice

  nmap accepts hyphens or underscores in long option names (--max_rtt_timeout works too). Caveat: the 500 ms RTT cap and two retries trade accuracy for quiet; on a slow or lossy link an open port can be reported as filtered. Budget time as well: 100 ports at 3 s each is 5 minutes per host, a fully filtered host that uses all its retries takes about 15 minutes, and a /24 scanned one host at a time therefore runs for a day or more.

Timing Settings
[Table: timing template settings for -T0 through -T5]

NSE
• Nmap Scripting Engine: lets users run or write Lua scripts to automate a variety of tasks (vulnerability detection, backdoor detection, advanced version detection, exploitation).
• Scripts are typically located in <install location>/nmap/scripts/ (for example /usr/share/nmap/scripts on Linux) and are selected with --script <name or category>.
• Information portal for all NSE scripts: http://nmap.org/nsedoc/
• Good for automating "manual" tasks such as:
  – Looking for default SNMP community strings
  – Enumerating active Windows accounts
  – Brute-forcing popular services (mysql, ldap, wordpress, etc.)
• Example of the smb-brute NSE script:

NSE Example
[Screenshot: smb-brute NSE script output]

Zenmap
• GUI version of nmap that works on Windows, Linux, Mac OS X, BSD, etc.
• Popular and common scan commands can be selected from a menu of profiles.
• Different "views" of scan output (raw nmap output, ports/hosts, topology, host details).
• Saved scans can be compared to show differences.

Zenmap Examples
[Screenshots: Zenmap examples]

Other Useful Options

--help
  Help! Sooo many options and configurations; we are only scratching the surface!

-v
  Verbosity. Prints more information during a scan, such as timing, flags, protocol details, etc. Specify the level on the command line (-v, -vv) or change it during a scan by pressing "v" (increase) or "V" (decrease).

-o<type>
  Output. Options for directing output to files:
    -oN  Normal, human-readable results
    -oX  XML, for use in other programs or XML parsers
    -oG  Grepable (deprecated but still supported), easily searched using grep, awk, cut, etc.
    -oA  All: normal, XML and grepable files from one basename

--resume
  Resume. Scans can take DAYS depending on the timing options and the number of targets. If a scan is stopped with Ctrl-C and normal or grepable output was selected, it can be resumed from where it stopped:
    # nmap --resume <output filename>

Hands-on Activity
Practice objectives:
• How many "active" devices?
• List one or more operating systems
• Find the hidden web application(s)
• Identify the "mystery" device
Restrictions:
• Limit the network range to 10.0.0.1-100
• Port scan one host at a time
• Limit port scans to --top-ports 10000 (TCP) and --top-ports 100 (UDP)
• Use -n in all scans (skip DNS lookup)

Answers

  Live IP     OS               What's running
  10.0.0.1    WiFi router      Nothing special
  10.0.0.10   Win 2003 Server  FTP, SMTP, HTTP, MS-SQL, web app on 4444
  10.0.0.11   CentOS 6.5       SSH, MySQL, web app on 80, TFTP (UDP)
  10.0.0.15   Win 2k           MS NetBIOS ports 135, 139, 445
  10.0.0.18   CentOS 6.5       SSH, web app on port 80
  10.0.0.50   IP cam           Web server/cam feed on port 1984
  10.0.0.88   Win 8            All filtered
  10.0.0.99   CentOS 6.5       SSH on port 1433 (needs -T2 to find)
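The "likely/typically" caveat from the Port Scan Output Analysis slide, the grepable output format from Other Useful Options and the two tricks in the hands-on answers (a web app on 4444, SSH on 1433) all come together in this added example, which is not part of the deck: an awk parser for -oG output of a version scan that lists every open port with its -sV result and flags a well-known port carrying a different service or a web service on an unlisted port. The sample scan output is constructed, and the expected-service table is an assumption that mirrors the output-analysis slide.

```shell
#!/bin/sh
# Added example, not from the slides: turn grepable (-oG) port-scan output
# into a per-port list and flag services that do not match their port. This
# makes the "likely/typically" caveat mechanical: a port number is only a
# guess until -sV has actually talked to the service.

# Constructed sample of "nmap -sV -n -oG -" output for two hosts (not real
# scan data; real output separates the Host/Ports/Ignored State fields with
# tabs, which the parser accepts too). Each port entry is
#   port/state/protocol/owner/service/rpc-info/version/
SAMPLE_SCAN='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.10 ()  Ports: 21/open/tcp//ftp//Microsoft ftpd/, 25/open/tcp//smtp//Microsoft ESMTP/, 80/open/tcp//http//Microsoft IIS httpd 6.0/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server/, 3389/filtered/tcp//ms-wbt-server///, 4444/open/tcp//http//Apache httpd 2.2/  Ignored State: closed (994)
Host: 10.0.0.99 ()  Ports: 1433/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/  Ignored State: filtered (999)
# Nmap done -- 2 IP addresses (2 hosts up) scanned'

# Read grepable output on stdin; print one line per OPEN port:
#   <ip> <port>/<proto> <service> [<version>] <note>
open_ports() {
    awk '
    BEGIN {
        # What the port number alone would suggest (assumption: the same
        # mapping as the output-analysis slide, plus ssh, https and mysql).
        want[21] = "ftp";    want[22] = "ssh";           want[25] = "smtp"
        want[80] = "http";   want[135] = "msrpc";        want[139] = "netbios-ssn"
        want[443] = "https"; want[445] = "microsoft-ds"
        want[1433] = "ms-sql-s"; want[3306] = "mysql"
    }
    /^Host:/ && /Ports:/ {
        ip = $2                            # "Host: <ip> (<name>)" -> field 2
        list = $0
        sub(/.*Ports: /, "", list)         # keep only the port list ...
        sub(/[ \t]+(Ignored State|OS|Seq Index|IP ID Seq):.*/, "", list)  # ... up to the next field
        n = split(list, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] != "open") continue            # skip closed/filtered
            gsub(/\|/, "/", f[7])                   # -oG escapes "/" inside versions as "|"
            note = "ok"
            if (f[1] in want && want[f[1]] != f[5])
                note = "UNEXPECTED: port usually " want[f[1]]
            else if (!(f[1] in want) && f[5] ~ /^http/)
                note = "WEB APP on non-standard port"
            print ip, f[1] "/" f[3], f[5], "[" f[7] "]", note
        }
    }'
}

# Only the rows worth a second look: hidden web apps and services on odd ports.
findings() {
    open_ports | grep -E 'UNEXPECTED|WEB APP'
}

printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Run it as `nmap -sV -n -oG - <targets> | findings` against real output. Without -sV the service column is just the nmap-services name for the port, so every row would read "ok" and the 1433 host would still look like a SQL server; the check only means something after version detection has been applied.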