Appsec nmap slides

AppSec USA 2014
Denver, Colorado
nmap 101
An introduction to the timeless network scanner
Introduction
Jon Pettyjohn
Jon Pettyjohn is a Cybersecurity professional at Aerstone
with over ten (10) years of experience conducting
penetration testing of networks and web applications. Mr.
Pettyjohn started IT security testing in 2003 for Science
Applications International Corporation (SAIC), now known
as Leidos. During his time at SAIC, Mr. Pettyjohn was a
member of a penetration test team that conducted over
sixty-five (65) testing engagements a year for the Defense
Department and the Federal Government. At Aerstone,
Jon is a member of the security testing and Payment Card
Industry assessment practice.
Jon Pettyjohn,
jon@aestone.com
Objectives
• To provide an introduction to nmap
• Learn basic network discovery/enumeration
• Cover other uses:
– Service Enumeration
– OS detection
– Slow or “Stealth” scanning
• Not covering installation and every option
• Hands-on practice!
Background
• Free and Open Source
– http://nmap.org/download.html
• Short for “Network Mapper”
• Written and maintained by
– Gordon “Fyodor” Lyon
• First released in 1997
• Appeared in “The Matrix Reloaded”
• Still used today
What is it?
• Nmap is a port scanner with lots of options
• Excellent tool for discovering “live” hosts and devices on a network
• Excellent tool for identifying available services on a host or device
• Very good tool for identifying the operating system of a host or device
• Good tool for identifying the type and version of available services on a host or device
nmap and Pentesting
[Diagram: where nmap fits in a penetration test. Discovery Phase produces IPs; Enumeration produces IPs and Ports/Services; Vuln Scanning produces IPs, Ports/Services and Potential Vulns; Pentesting produces Confirmed Weaknesses. The output of each phase is retained as Collected Data.]
Basic Usage: Discovery
• Process of sending probes to solicit responses from active devices.
• AKA Network Recon, Ping Sweep
• Examples:
# nmap -sn 192.168.1.1-254
Basic ping sweep of 192.168.1.x (-sn = no port scan). When scanning local networks, nmap uses ARP to determine live hosts.
# nmap -sn -PS21,22,80,443 192.168.1.1-254
(need root) SYN Ping: sends an empty SYN packet to attempt a 3-way handshake on common ports.
# nmap -Pn -p21,22,23,53,80,113,137,139,443,3389 192.168.1.1-254
No Ping. Skips normal nmap discovery and attempts to connect to several TCP ports on every target in the target list.
Basic Usage: Enumeration
• AKA “Port Scanning”
• The goal of enumeration is to identify open ports, services, and OS's of live targets found in the discovery phase.
• Root privileges are needed to run SYN and UDP scans.
• Examples:
# nmap -sS -iL <hostlist>
Default port scan (SYN) of the default ports in the nmap-services file, using either a host file or IPs as input.
# nmap -sS -p1-65535 -iL <hostlist> (or -p-)
Scans all 65k TCP ports. “Dash p Dash” is the equivalent of listing all 65k ports, minus port 0.
# nmap -sU -p1-65535 -iL <hostlist> (or -p-)
Scans all 65k UDP ports.
Basic Usage: Enumeration (cont.)
Some Common UDP Ports
Port  Service  Description
123   NTP      Network Time Protocol. Used for time synch.
161   SNMP     Simple Network Management Protocol. SNMP traps listen on UDP 161. Still widely used.
53    DNS      Domain Name Server. Used for name resolution.
111   RPC      Common UNIX port for sharing files over NFS (Network File System). Used for fingerprinting *NIX boxes.
69    TFTP     Trivial File Transfer Protocol. Less secure FTP. Doesn’t require credentials.
Port Scan Output
Port Scan Output Analysis
Understanding the results, focusing on the most common ports/services:
21/tcp    open  ftp            Likely a FTP server
25/tcp    open  smtp           Likely a Mail server
80/tcp    open  http           Likely a Web server
135/tcp   open  msrpc          Typically a Microsoft service
139/tcp   open  netbios-ssn    Typically a Microsoft service
445/tcp   open  microsoft-ds   Typically a Microsoft service
1433/tcp  open  ms-sql-s       Likely a SQL server
At this phase, none of the services have been
verified, hence the terms “Likely” and “Typically”.
OS and Version Identification
OS Detection
To identify the operating system of a host, nmap compares the results of its probes against a database of OS fingerprints:
# nmap -O <host or hostlist>
Version Fingerprinting
A standard port scan only produces a best guess at the service running. Version detection compares responses against a database of protocol signatures to attempt to identify: application name (Apache, Solaris telnetd, etc.), version, device type, and OS family.
# nmap -sV -PN <host or hostlist>
Stealth Scanning
• Targets protected by a firewall or filtering device may require adjusting the speed and throughput of probes sent.
• Multiple source IPs may be used if security devices block the tester IPs.
• “Throttle” switches include T0-T5 (5 being the fastest, T3 being the default)
• The following nmap command may be used to execute a throttled-down discovery scan that sends 1 probe every 3 seconds:
nmap -sS -PN --top-ports 100 --max-rate .33 --max-parallelism 1 --max-retries 2 --max-rtt-timeout 500ms --max-hostgroup 1 <subnet>
OPTION                   Description
--top-ports 100          scan top 100 ports
--max-rate .33           send probe every 3 secs
--max-parallelism 1      send 1 probe at a time
--max-hostgroup 1        limit to one host at a time
--max-rtt-timeout 500ms  limit rtt timeout to 500 ms
--max-retries 2          only retransmit twice
Timing Settings
NSE
• Nmap Scripting Engine – allows users to use or write scripts to automate a variety of tasks (vulnerability detection, backdoor detection, advanced version detection, exploitation)
• Typically located in: /<install location>/nmap/scripts/
• Information Portal for all NSE scripts: http://nmap.org/nsedoc/
• Good for automating “manual” tasks such as:
– Looking for default snmp strings
– Active Windows accounts
– Brute-force popular services (mysql, ldap, wordpress, etc.)
• Example of smb-brute NSE script:
NSE Example
Zenmap
• GUI version of nmap that works on Windows, Linux, Mac OS X, BSD, etc.
• Popular and common scan commands can be selected via menu.
• Different “views” of scan output.
• Saved scans can be compared to show differences.
Zenmap Examples
Other Useful Options
--help
Help! Sooo many options and configurations, we are only scratching the surface!
-v
Verbosity. Prints more information during a scan, such as timing, flags, protocol details, etc. The verbose level can be specified on the command line, or changed during a scan by hitting “v” (increase) or “V” (decrease).
-oX
Output. Different options for directing output to files, including:
-oN Normal, human readable results
-oX XML, output for use in other programs or XML parsers
-oG Grepable (deprecated), easily searched using grep, awk, cut, etc.
-oA All, gives you normal, XML, and Grepable file types.
--resume
Resume. Sometimes scans can take DAYS depending on timing options and number of targets. If a scan is stopped using Ctrl-C and normal/grepable output was selected, the scan can be resumed by:
# nmap --resume <output filename>
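The reading that the Port Scan Output Analysis slide does by eye, and that the -oG (Grepable) format above is meant to feed into grep/awk/cut, as an added example that is not from the slides: a POSIX shell script that parses constructed -oG output, counts live hosts, lists the open ports per host and labels each with the slide's “Likely”/“Typically” reading. The hosts, IPs and hostname are constructed placeholders, and sample_og, live_hosts, open_ports and likely_role are names chosen here.

```shell
#!/bin/sh
# Added example, not from the slides: read live hosts and open ports out of nmap
# grepable (-oG) output as the Port Scan Output Analysis slide does. The -oG lines
# below are constructed sample data; the IPs and hostname are placeholders.
sample_og() {   # real -oG separates fields with literal tabs, so printf is used
  printf 'Host: 192.168.1.10 (fileserver.example)\tStatus: Up\n'
  printf 'Host: 192.168.1.10 (fileserver.example)\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (993)\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n'
}

# Number of distinct hosts in the output (the "how many active devices?" question).
live_hosts() {
  awk '/^Host: / { print $2 }' | sort -u | grep -c ''
}

# Print "ip port/proto service" for each port in the open state. A Ports: entry
# has the form port/state/proto/owner/service/rpcinfo/version/ (filtered ports are skipped).
open_ports() {
  awk -F'\t' '
    $1 ~ /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
        }
      }
    }'
}

# Turn the service name nmap guessed from the port number into the reading on the
# slide. Nothing has been verified at this point, hence "Likely" / "Typically".
likely_role() {
  case "$1" in
    ftp)  echo "Likely a FTP server" ;;
    smtp) echo "Likely a Mail server" ;;
    http) echo "Likely a Web server" ;;
    msrpc|netbios-ssn|microsoft-ds) echo "Typically a Microsoft service" ;;
    ms-sql-s) echo "Likely a SQL server" ;;
    *) echo "Unverified service: $1" ;;
  esac
}

echo "Live hosts: $(sample_og | live_hosts)"
sample_og | open_ports | while read -r ip port svc; do
  echo "$ip $port $svc -> $(likely_role "$svc")"
done
```

To run it against a real scan, replace `sample_og` with `cat scan.gnmap` from a scan saved with -oG or -oA.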
Hands-on Activity
Practice objectives:
• How many “active” devices?
• List 1 or more operating systems
• Find the hidden web application(s).
• Identify the “mystery” device.
Restrictions:
• Limit Network range 10.0.0.1-100
• Port scan 1 host at a time
• Limit port scans to --top-ports 10000 (TCP), --top-ports 100 (UDP)
• Use -n in all scans (skip DNS lookup)
Answers
Live IP     OS               What's Running
10.0.0.1    WiFi Router      Nothing special
10.0.0.10   Win 2003 Server  FTP, SMTP, HTTP, MS-SQL, Web App on 4444
10.0.0.11   CentOS 6.5       SSH, MySQL, Web app on 80, TFTP (UDP)
10.0.0.15   Win 2k           MS NetBIOS ports 135, 139, 445
10.0.0.18   CentOS 6.5       SSH, Web App on port 80
10.0.0.50   IP Cam           Web Server/Cam feed on port 1984
10.0.0.88   Win 8            All Filtered
10.0.0.99   CentOS 6.5       SSH on port 1433 (needs -T2 to find)