2007 04 05 Introduction to Nmap

Nov 08, 2014
Transcript
Page 1: 2007 04 05 Introduction to Nmap

© 2007 Professor Messer, LLC | Audio Dial-In Information: http://www.professormesser.com/webinar/info.html | http://www.ProfessorMesser.com

Introduction to Nmap

The voice portion of our conference is NOT available through this web front-end!

(ah, modern technology)

The Conference ID for all voice dial-in lines is: 5769010

United States: 1-605-475-8590

Anywhere in the World: Free Skype (No SkypeOut minutes required): +990008275769010

For more information about this conference call and other international dial-in lines, visit:

http://www.professormesser.com/webinar/info.html


Introduction to Nmap

James “Professor” Messer

[email protected]

http://www.ProfessorMesser.com

Page 2: 2007 04 05 Introduction to Nmap


Some of what you’ll learn today

What really happens when you run an Nmap scan?

Using Nmap across multiple operating system environments

How to see what the bad guys see

The details of Nmap’s output

Three useful Nmap scan methods

An overview of Nmap best practices


Housekeeping

Webinar replay (video, audio, transcript, and slides) will be made available to everyone who registered

Phones are muted. Ask questions at any time on the web; we’ll try interactive Q&A later.

Need online webinar or audio assistance? http://www.ProfessorMesser.com/webinar/info.html

Every link is located on our resources page: http://www.ProfessorMesser.com/resources

Page 3: 2007 04 05 Introduction to Nmap



You might be a winner!

Tonight’s door prize: a copy of the new second edition of our ebook, “Secrets of Network Cartography: A Comprehensive Guide to Nmap”

Randomly chosen member of the web audience sometime in the first hour

You have to be on the web to win!

Don’t forget to sign-up for the Nmap Secrets mini-course!

http://www.NmapSecrets.com

Page 4: 2007 04 05 Introduction to Nmap


Sponsored by: Secrets of Network Cartography

A Comprehensive Guide to Nmap: http://www.ProfessorMesser.com/nmapbook


Announcement: Nmap Training at CanSecWest
http://www.cansecwest.com/dojorecon.html

Network Reconnaissance with Nmap 4

Instructors: Fyodor and James “Professor” Messer

Dojo: April 16-17, 2007 (April 16 session is SOLD OUT)

Marriott Renaissance Harbourside, Vancouver, Canada

Duration: One Day Courses. Sessions begin at 10:00 a.m. and go to 6 p.m.

Registration Maximum: 10 Students per course session.

Price: CAD $1,800 Full day course (≈$1,550 USD). Price goes up at the door

Page 5: 2007 04 05 Introduction to Nmap


Today’s Webinar Agenda

What is Nmap?

Nmap’s protocols

The four-step Nmap scanning process

Installing Nmap in Linux, Windows, and a Virtual Machine Live CD

Live Nmap scans of popular scanning methods

Basic reconnaissance scanning strategies

Q&A


Introduction to Nmap

What is Nmap?

Page 6: 2007 04 05 Introduction to Nmap


Professor Messer Poll

How well do you know Nmap?


What is Nmap?

Nmap = Network Mapper

Written by Fyodor: http://insecure.org

Free!

Thousands of downloads every day

More than fifteen scanning techniques

Seven different ping types

Open source, constant development

Page 7: 2007 04 05 Introduction to Nmap


WARNING!

Nmap can sometimes be an unintentional Denial-of-Service (DoS) tool

I break stuff all the time. But I really mean to.

The default settings very rarely cause any problems

These days. No, really.


Professor Messer Poll

Have you ever “broken” anything with Nmap?

Page 8: 2007 04 05 Introduction to Nmap


Still using the defaults?

Secrets of Network Cartography: A Comprehensive Guide to Nmap

Nmap Quick Reference Guide


Know your Protocols

TCP – Transmission Control Protocol

UDP – User Datagram Protocol

ICMP – Internet Control Message Protocol

It’s all about the ports!

Page 9: 2007 04 05 Introduction to Nmap


Anatomy of a scan

Step 1: DNS Lookup

(unless you used an IP address)

Step 2: Nmap “pings” the remote device

This is NOT an ICMP echo request!

Step 3: Reverse DNS lookup

Didn’t we just do this?

Step 4: Do the scan!


Running a Scan

nmap -v -p 80 --randomize-hosts 192.168.0.*

-v = verbose
-p 80 = only port 80
--randomize-hosts = scan the target hosts in random order
192.168.0.* = IP range with a wildcard

CIDR blocks, hyphens, and commas are also
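As an added illustration of the target notations this slide lists (example code, not from the webinar or from Nmap itself), the Python below expands a wildcard, octet-range or CIDR target into the individual addresses it covers, so the scope of a range can be checked before it is scanned; the octet-range rules (commas, hyphens, an omitted low end meaning 0 and an omitted high end meaning 255) follow Nmap's documented target syntax.

```python
import ipaddress
from itertools import product
from typing import Iterator, List

def _expand_octet(spec: str) -> List[int]:
    """Expand one octet field: '*', '5', '1-3', '-5', '250-' or '1,3,5-7'."""
    values: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo_v = int(lo) if lo else 0      # Nmap reads '-5' as 0-5
            hi_v = int(hi) if hi else 255    # and '250-' as 250-255
            values.extend(range(lo_v, hi_v + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {spec!r}")
    return sorted(set(values))

def expand_targets(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by a wildcard, octet-range or CIDR target."""
    if "/" in spec:                          # CIDR: 192.168.0.0/24
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    for combo in product(*(_expand_octet(o) for o in octets)):
        yield ".".join(map(str, combo))

def count_targets(spec: str) -> int:
    """How many hosts a spec reaches; check this before scanning a range you did not mean to."""
    return sum(1 for _ in expand_targets(spec))
```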

Page 10: 2007 04 05 Introduction to Nmap


Introduction to Nmap

Nmap Port Dispositions


Nmap Port Dispositions – Open

Open port from TCP SYN Scan (-sS)

Source 192.168.0.8, Destination 192.168.0.10

Source → Destination: SYN to port 80
Destination → Source: SYN/ACK
Source → Destination: RST

Page 11: 2007 04 05 Introduction to Nmap


Nmap Port Dispositions – Closed

Closed port from TCP SYN Scan (-sS)

Source 192.168.0.8, Destination 192.168.0.10

Source → Destination: SYN to port 113
Destination → Source: RST


Nmap Port Dispositions – Filtered

Filtered port from SYN Based Scan (-sS, -sT, etc.)

Source 192.168.0.8, Destination 192.168.0.10

Source → Destination: SYN to port 113
(no reply comes back)

Page 12: 2007 04 05 Introduction to Nmap


Nmap Port Dispositions – Open|Filtered

Open|Filtered port from UDP Scan (-sU)

Source 192.168.0.8, Destination 192.168.0.10

Source → Destination: UDP to port 80
(no reply comes back)


Nmap Port Dispositions – Closed|Filtered

Closed|Filtered port from Idlescan (-sI)

Source 192.168.0.8, Destination 192.168.0.5, Zombie 192.168.0.7

SYN to port 135, spoofed from 192.168.0.7 (the zombie)
SYN/ACK
RST, IPID=1034

Page 13: 2007 04 05 Introduction to Nmap


Nmap Port Dispositions – Unfiltered

Unfiltered port from ACK Scan (-sA)
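The Python below, added here and not part of the webinar or of Nmap, turns the probe/response pairs from the disposition slides above into Nmap's port-state vocabulary for the SYN, ACK, UDP and Idle scans, including the ICMP unreachable codes that make a port "filtered" and the zombie IP ID arithmetic behind closed|filtered; the Response class and the scan-name strings are this example's own conventions.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 codes Nmap reports as "filtered" (net/host/proto/admin prohibited);
# code 3 (port unreachable) is the one that proves a UDP port is closed.
FILTERING_UNREACH_CODES = {1, 2, 9, 10, 13}
PORT_UNREACH_CODE = 3

@dataclass(frozen=True)
class Response:
    """What came back for one probe; all defaults means no response at all."""
    tcp_flags: Optional[str] = None   # "SYN/ACK" or "RST"
    udp_payload: bool = False         # any UDP datagram came back
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

NO_RESPONSE = Response()

def _icmp_filtered(r: Response) -> bool:
    return r.icmp_type == 3 and r.icmp_code in FILTERING_UNREACH_CODES

def port_state(scan: str, r: Response) -> str:
    """Nmap's disposition for one probe: scan is 'syn' (-sS), 'ack' (-sA) or 'udp' (-sU)."""
    if scan == "syn":                        # half-open: SYN, then RST to tear down
        if r.tcp_flags == "SYN/ACK":
            return "open"
        if r.tcp_flags == "RST":
            return "closed"
        if _icmp_filtered(r) or r == NO_RESPONSE:
            return "filtered"
    elif scan == "ack":                      # an ACK scan can never say "open"
        if r.tcp_flags == "RST":
            return "unfiltered"
        if _icmp_filtered(r) or r == NO_RESPONSE:
            return "filtered"
    elif scan == "udp":                      # silence is ambiguous for UDP
        if r.udp_payload:
            return "open"
        if r.icmp_type == 3 and r.icmp_code == PORT_UNREACH_CODE:
            return "closed"
        if _icmp_filtered(r):
            return "filtered"
        if r == NO_RESPONSE:
            return "open|filtered"
    raise ValueError(f"unclassified {scan} response: {r}")

def idle_scan_state(zombie_ipid_before: int, zombie_ipid_after: int) -> str:
    """-sI: zombie IP ID advances by 2 if the target port was open, by 1 if closed or filtered."""
    delta = (zombie_ipid_after - zombie_ipid_before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"                         # zombie was not idle; pick another one
```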


Introduction to Nmap

Installing Nmap

Page 14: 2007 04 05 Introduction to Nmap


Professor Messer Poll

On which operating system(s) do you use Nmap?


Installing in Windows

Easy to install

Requires WinPcap library. Bundled with Nmap installer. More information at http://www.winpcap.org

Default directory: \Program Files\Nmap

Command line only. Want a graphical front end? Try UMIT:

http://sourceforge.net/projects/umit

Page 15: 2007 04 05 Introduction to Nmap


Installing in Linux

Source, binaries and RPMs on insecure.org

For RPMs, get the nmap package. Get the nmap-frontend package for the GUI interface

Compile it! ./configure; make; make install

I often use yum:
yum install nmap
yum install nmap-frontend


Using a LiveCD Distribution

Useful and popular distributions

BackTrack: http://www.remote-exploit.org/backtrack.html

Security Tools Distribution (STD): http://www.s-t-d.org/

Damn Small Linux (DSL): http://www.damnsmalllinux.org/

Linux Network Security Toolkit: http://www.networksecuritytoolkit.org/ (includes a VMware machine download)

Page 16: 2007 04 05 Introduction to Nmap


Installation Summary

The OS doesn’t matter!

Have options. Got your LiveCD / LiveUSB / Virtual Machine?

Great installation guides at http://insecure.org/nmap/install/


Introduction to Nmap

Popular Nmap Scanning Methods

Page 17: 2007 04 05 Introduction to Nmap


Professor Messer Poll

How often do you use Nmap?


Nmap Bread and Butter

TCP SYN Scan (-sS): It’s the default for a reason

TCP ACK Scan (-sA): Great for testing firewall configurations

UDP Scan (-sU): UDP is ports, too.

Page 18: 2007 04 05 Introduction to Nmap


Pick a Scan, Any Scan


TCP SYN Scan

TCP SYN Scan – Closed Port

TCP SYN Scan – Open Port

You are the wind.

Page 19: 2007 04 05 Introduction to Nmap


TCP SYN Scan Results

# nmap -sS -v 192.168.0.10

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:25 EDT
Initiating SYN Stealth Scan against 192.168.0.10 [1663 ports] at 12:25
Discovered open port 80/tcp on 192.168.0.10
Discovered open port 3389/tcp on 192.168.0.10
Discovered open port 3306/tcp on 192.168.0.10
Discovered open port 139/tcp on 192.168.0.10
Discovered open port 135/tcp on 192.168.0.10
Discovered open port 520/tcp on 192.168.0.10
Discovered open port 445/tcp on 192.168.0.10
The SYN Stealth Scan took 1.35s to scan 1663 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting ports on 192.168.0.10:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
520/tcp  open  efs
3306/tcp open  mysql
3389/tcp open  ms-term-serv
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 2.117 seconds
Raw packets sent: 1705 (68.2KB) | Rcvd: 1664 (76.5KB)

#


TCP ACK Scan (-sA)

The TCP ACK Scan will never find an open port

Filtered

Unfiltered

Page 20: 2007 04 05 Introduction to Nmap


ACK Scan Output

# nmap -v -sA 68.46.234.161 -P0

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-24 10:40 EDT
Initiating ACK Scan against pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161) [1663 ports] at 10:40
ACK Scan Timing: About 9.02% done; ETC: 10:46 (0:05:03 remaining)
ACK Scan Timing: About 75.68% done; ETC: 10:42 (0:00:36 remaining)
The ACK Scan took 119.13s to scan 1663 total ports.
Host pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161) appears to be up ... good.
Interesting ports on pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE      SERVICE
6969/tcp UNfiltered acmsoda

Nmap finished: 1 IP address (1 host up) scanned in 119.271 seconds
Raw packets sent: 3328 (133KB) | Rcvd: 8 (368B)

#


UDP Scan (-sU)

Don’t forget about UDP!

Closed, or Open|Filtered (almost never “open”)

Closed

Open|Filtered

Page 21: 2007 04 05 Introduction to Nmap


UDP Scan Output

# nmap -sU -v 192.168.0.10

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:44 EDT
Initiating UDP Scan against 192.168.0.10 [1478 ports] at 12:44
Discovered open port 2001/udp on 192.168.0.10
The UDP Scan took 1.47s to scan 1478 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting ports on 192.168.0.10:
(The 1468 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1031/udp open|filtered iad2
1032/udp open|filtered iad3
1900/udp open|filtered UPnP
2001/udp open          wizard
4500/udp open|filtered sae-urn
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 2.241 seconds

Raw packets sent: 1489 (41.7KB) | Rcvd: 1470 (82.3KB)
#
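Added example (not from the webinar or from Nmap): a small parser for the normal-output format shown in the three scan transcripts above. It produces per-port records and a state tally that also counts the ports Nmap folded into the "not shown below" line, and it normalises the older "UNfiltered" spelling; the SAMPLE text is constructed in that layout and is not one of the slides' own outputs.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)
NOT_SHOWN = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
HOST_LINE = re.compile(r"Interesting ports on (\S+?)(?: \((\S+)\))?:")

class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str      # normalised to lower case ("UNfiltered" -> "unfiltered")
    service: str

def parse_nmap_output(text: str) -> Dict[str, object]:
    """Parse one host's block of Nmap normal output into host, port records and a state tally."""
    ports = [PortRecord(int(p), proto, state.lower(), svc)
             for p, proto, state, svc in PORT_LINE.findall(text)]
    counts = Counter(rec.state for rec in ports)
    m = NOT_SHOWN.search(text)
    if m:                                    # fold the suppressed ports into the tally
        counts[m.group(2).lower()] += int(m.group(1))
    h = HOST_LINE.search(text)
    host = (h.group(2) or h.group(1)) if h else None   # prefer the IP when both are printed
    return {"host": host, "ports": ports, "state_counts": counts}

def ports_in_state(text: str, state: str) -> List[int]:
    """Port numbers that Nmap reported in the given state."""
    return [r.port for r in parse_nmap_output(text)["ports"] if r.state == state.lower()]

# Constructed sample in the layout of the ACK-scan slide (not the slide's own output).
SAMPLE = """\
Interesting ports on scanhost.example (192.0.2.10):
(The 1661 ports scanned but not shown below are in state: filtered)
PORT     STATE      SERVICE
22/tcp   UNfiltered ssh
6969/tcp UNfiltered acmsoda
"""
```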


Introduction to Nmap

Nmap Scanning Best Practices

Page 22: 2007 04 05 Introduction to Nmap


Nmap Best Practices

Scanning
Start with the Ping Scan (-sP)
Pick the IP address range carefully
Consider excluding IP addresses

--exclude, --excludefile

Focus
Pick your ports (-p)
A faster scan (-F)

Misc
Save all scan logs (-oA)
Use the verbosity levels (-v, -vv, -vvv)
Timing policies are your friend (-T0 to -T5)

Paranoid, Sneaky, Polite, Normal, Aggressive, Insane


Introduction to Nmap

Ebook Giveaway: Secrets of Network Cartography: A Comprehensive Guide to Nmap

- New Second Edition -

Page 23: 2007 04 05 Introduction to Nmap



Introduction to Nmap

Q and A

Page 24: 2007 04 05 Introduction to Nmap


Thanks for attending!

Resource page: http://www.ProfessorMesser.com/resources

Watch your inbox for information about the replay

Comments are always welcome: http://www.ProfessorMesser.com/contact_us

Post-webinar survey is moments away


Introduction to Nmap

Thank you for joining us! http://www.ProfessorMesser.com