1 / 18

NMAP

NMAP. Ana Chanaba Robert Huylo. nmap “network mapper”. Security tool - What does your system look like to someone who is trying to break in - Find the holes in your security before somebody else does nmapFE v3.81 - graphical frontend to nmap - rpm available at www.insecure.org/nmap

jmarquez
Télécharger la présentation

NMAP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NMAP Ana Chanaba Robert Huylo

  2. nmap “network mapper” • Security tool - What does your system look like to someone who is trying to break in - Find the holes in your security before somebody else does • nmapFE v3.81 - graphical frontend to nmap - rpm available at www.insecure.org/nmap - lab102 & lab103

  3. Basic nmap functions 1.) Host Discovery - Which hosts are up (IP Addresses) - Ping scans 2.) Port Scanning - Which ports of a target host have servers listening on them - Allows a guess of software and services a machine is running 3.) OS Detection - TCP/IP fingerprinting

  4. Anatomy of nmap argument nmap –sS -PO -O -p 1-1024 134.198.161.* -s_ : Scan type -P_ : Ping type -O : Optional OS detection -p #-# : port range IP range: 134.198.161.0/24, 134.198.161.1-254

  5. 1.) Host Discovery • Determine which hosts are up - Does not include port scans or OS detection nmap –sP 134.198.161.* - Utilizes variety of messaging protocols - ICMP/TCP/UDP • Firewall interference - Firewalls check to see if packets are part of a previously established connection • Used before portscan - Ping sweep (-sP) - Check to see if host is up before scanning ports

  6. Customizing Pings -PO : ICMP -PA : TCP ACK -PU : UDP -PP : ICMP timestamp -PM : Netmask request -PS : TCP SYN -PB : (default) TCP ACK & ICMP Ping specific ports: nmap –sP –PO25 ….

  7. 2.) Port Scanning • Insight to what services a host may be running • “Well-known” or “Interesting” ports - 1-1024 - 65,535 total TCP & UDP ports • Scan displays (for each port) • Service name • Port number • Port State • Protocol

  8. Scanning Options • nmap –sS … - TCP SYN scan - default port scan for nmap user with root privileges - “half-open” – skips last step of 3-way handshake and probes without actual connection for stealth • nmap –sT … - TCP connect() scan - default port scan for default nmap user - requires full connection – easily detectable

  9. Port States • open: will accept connections • filtered: firewall or other network obstacle is covering port • unfiltered or closed: determined to be closed with no obstacles or interference - most common case

  10. Scanning Options • Avoid SYN scanning to probe beyond firewall -sF : Stealth FIN scan -sX : Xmas tree scan -sN : Null scan -sV : Version detection -sU : UDP scan -sI : Idlescan -sA : ACK scan -b : bounce attack (FTP)

  11. 3.) OS Detection • nmap –O … • TCP/IP fingerprinting • OS guess made by looking at the particulars of how a host implements TCP/IP - Includes possible range of versions and “uptime” test • Fingerprint compared to DB of known OS fingerprints • Nmap sends seven TCP/IP crafted packets (called tests) and waits for the answer. Results are checked against a database of known results (OS signatures database). • This database is a text file that contains the result answered (signature) by each OS known.

  12. OS DetectionReasons to hide OS • Security: Hacker could base an attack on a host from known weaknesses in the target OS • Revealing your OS makes things easier to find and successfully run an exploit against any of your devices. • Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS • It could be convenient for other software companies, to offer you a new OS environment

  13. OS Detection • Many techniques to fingerprint networking stacks. If you combine enough of these. You can narrow down the OS very tightly. • You can start out as simply as "nmap -O -sS targethost".

  14. OS Detection • -O requires root privileges, it uses this information to create a fingerprint, and decide what type of system you are scanning. • OS detection is far more effective if at least one open and one close TCP port are found.

  15. Miscellaneous options • -A which turn on OS detection too. • -F tells nmap to scan only ports • registered in nmap-services. • -T4 causes nmap to go faster. • -I gives the username that owns available processes • -iR Use this command to instruct nmap to scan random hosts for you.

  16. Misc. Options -v verbose This is a highly recommended option and it gives out more information. You can use it twice for better effects. -d debug mode -p : port range, what ports you want to specify -T : scan timing or throttling options <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> - Addresses concerns about detection and crashing host

  17. OS DETECTION • nmap -0 134.198.161.254 • nmap -A -T4 -F 134.198.161.101 • nmap -A -T4 134.198.161.101 • RPC services are treated with brute force. RPC scanner to determine version. • nmap -sS -p 80 -O -v 134.198.161.254

  18. References • nmap & nmapFE man pages • www.insecure.org • Text Chp 21.7 • www.linux.org

More Related