Cadence BlackOps Nmap: See More
Cadence BlackOps
1. What is Nmap?
2. How many of you have used Nmap?
3. How have you used it?
Nmap for Windows: http://nmap.org/zenmap/
What Is Nmap Good At?
• Host Discovery
• Port Scanning
• Mapping firewall rule sets
• Service and Application Version Detection
• Remote OS Detection
What is Nmap Not Optimal At?
• Broad Vulnerability Assessments
• Remote Exploits
• Defending against Cadence Kittehs . . .
Host Discovery
• Have you ever wanted to know all hosts connected to your network?
• Reverse DNS Lookup (remote, remote and stealthy discovery . . .)
• Ping Sweep (ICMP)
• Stealthy Ping Sweep . . . without Ping (ICMP)
Use Case 1: Host Discovery
• Discover lost, forgotten, or unauthorized systems
• You can’t protect what you don’t know about
• Useful when this guy asks you what’s on his network.
o List Scan
  o nmap -sL x.x.x.x/[subnet mask]
  o Remote, remote and stealthy (hits only your DNS server and lists what you would scan)
o Ping Sweep
  o nmap -sn x.x.x.x/[subnet mask]
  o Useful for a quick list of live hosts on a network.
  o Uses ICMP, TCP SYN to port 443 and TCP ACK to port 80
o Ping Sweep . . . Without Ping
  o nmap -sn [-PS, -PA, -PU] x.x.x.x/[subnet mask]
  o Turns Ping (ICMP) off (useful when the network admin is monitoring for repeated ICMP echo requests)
Use Case 1: Host Discovery
“Who Dat? Who Dere?”
o Most Common Port Scans
  o TCP SYN and ACK Scans
    o nmap -sS x.x.x.x/[subnet mask]
      o Possible port states: Open, Closed, Filtered (most likely a firewall blocking traffic on the port)
    o nmap -sA x.x.x.x/[subnet mask]
      o Possible results: Unfiltered (no firewall), Filtered (firewall)
  o UDP Scan
    o nmap -sU x.x.x.x/[subnet mask]
    o Possible results: Open, Open|Filtered, Closed, Filtered
Use Case 2: Port Scanning and Firewall
Mapping
o A stateful firewall should block TCP ACK packets that are not related to an established
o nmap -sA -T4 x.x.x.x
  o -sA: TCP ACK Scan
  o -T4: Scan quickly
  o Unfiltered = no firewall rules blocking the port, or “special” rules for the port.
  o Filtered = most likely a stateful firewall is in place (however, your scan’s point of origin may affect the results if there are any outbound firewall rules in place).
Use Case 2: Port Scanning and Firewall
Mapping
“Hi, I’m a QSA. Does your firewall perform stateful packet inspection?”
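The Unfiltered/Filtered rule of thumb from this use case, applied to a scan result as an added Python example that is not part of the original deck: it parses Nmap’s XML output (-oX) and reports, per host, whether the ACK scan points to stateful filtering. The XML is constructed for the example, not a real capture, and the scanner’s own outbound filtering caveat from the slide is noted in the code.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Nmap XML (-oX) from an ACK scan (-sA) of one host. Hand-written
# for this example, not a real capture; 192.0.2.10 is a documentation address.
ACK_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sA -T4 -oX - 192.0.2.10">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports><extraports state="filtered" count="997"/>
   <port protocol="tcp" portid="22"><state state="unfiltered" reason="reset"/></port>
   <port protocol="tcp" portid="80"><state state="unfiltered" reason="reset"/></port>
   <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
  </ports></host></nmaprun>"""


def port_states(xml_text):
    """Return ({addr: {(proto, port): state}}, {addr: Counter(state: count)}):
    the ports Nmap listed individually and the ones it folded into
    <extraports> (the "Not shown: N filtered ports" line in normal output)."""
    root = ET.fromstring(xml_text)
    listed, folded = {}, {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        listed[addr] = {(p.get("protocol"), int(p.get("portid"))):
                        p.find("state").get("state") for p in host.iter("port")}
        folded[addr] = Counter({ep.get("state"): int(ep.get("count"))
                                for ep in host.iter("extraports")})
    return listed, folded


def assess_ack_scan(listed, folded):
    """Apply the deck's -sA rule of thumb per host: 'unfiltered' means a RST
    came back, so nothing stateful dropped the unsolicited ACK; 'filtered'
    means silence, the signature of a stateful firewall (or of outbound
    filtering near the scanner, which this check cannot tell apart).
    Returns {addr: (verdict, sorted unfiltered tcp ports)}."""
    report = {}
    for addr, ports in listed.items():
        unfiltered = sorted(port for (proto, port), s in ports.items()
                            if proto == "tcp" and s == "unfiltered")
        n_filtered = (sum(s == "filtered" for s in ports.values())
                      + folded[addr]["filtered"])
        if n_filtered == 0:
            verdict = "no stateful filtering observed"
        elif unfiltered:
            verdict = "stateful filtering in place, with exceptions"
        else:
            verdict = "stateful filtering on every scanned port"
        report[addr] = (verdict, unfiltered)
    return report
```

Feed it the output of `nmap -sA -T4 -oX scan.xml <host>` to get the same verdict for a real scan; the unfiltered ports are the ones to compare against the firewall’s intended rule set.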
o Aggressive mode
  o nmap -sS -A -T4 x.x.x.x
  o -A: enable OS Detection, Service/Version Detection, Script Scanning (NSE default scripts), and Traceroute
Use Case 3: OS, Service and
Version Detection
“BE AGGRESSIVE. B-E AGGRESSIVE!”
o Use existing scripts or write your own. Based on the Lua programming language. Very flexible.
o Didn’t we see XP Professional?
  o MS08-067 remote code execution?
  o Nmap can tell if it’s vulnerable
o nmap --script smb-check-vulns.nse --script-args=unsafe=1 x.x.x.x
  o --script: runs the specified NSE script
  o --script-args: various arguments for the script in question
Use Case 4: Nmap Scripting Engine
(NSE)
• Specify ports to scan
  • -p
  • -p- = all ports
  • -p1-10 = ports 1 to 10
• Specify hosts to scan in a range
  • x.x.x.x/[subnet mask]
  • x.x.x.1-254
Other Things?