Smiley face
Smiley face

Thursday, February 6, 2014

Tutorial Beginner's Guide to Nmap and Reconnaissance

Hello, in this tutorial we will be discussing mainly about a network analysis tool called Nmap , it's Nmap actually but the CLI version is known as "Zenmap". 

Table Of Contents:

1) Installing and Understanding Nmap

- What is Nmap?
- Installation
- Basic CLI Usage
- Main useful Commands 


Target Reconnaissance with Nmap

- OS Detection
- Service Detection
- IDS Bypass and Stealth
- LAN Scan
- Checking Open Ports


Lets begin the tutorial,

1) Installing and Understanding Nmap

- What is Nmap?

Nmap is a security analysis tools frequently used to discover hosts and the services running on the network PC. 
Nmap working is very simple, to explain it very easily. Consider Nmap as a Virtual Server, it then sends specially crafted packets to the target PC, 
As we already know that a Client must respond to it's server for data exchange so in the same manner the target host replies to the Nmap's requests, these replies are then analyzed by Nmap and the result is displayed to the user.

[Image: KQWVHQs.png]

Here's a list of what you can do with Nmap:

1) Host Discovery
2) Services Identification
3) Ping
4) OS Detection
5) Version Detection
6) Detect Online Hosts in your network IP range
7) Identify WebServers
8) Identify Firewalls

and more!


As you have understood the basic working of Nmap, Lets install it and try it out Grin




- Installing Nmap:

- For Windows Users If you are a windows user then go to this website http://nmap.org/download.html and download the Nmap executable, Install it!

- For Linux Users Open your terminal and run this command:

Code:
sudo apt-get install nmap



Basic CLI Usage

So, now that you've installed Nmap it's time to run it. Open terminal by pressing Ctrl + Alt + t now type:

Code:
sudo nmap

Remember to use sudo as some of the nmap scans are required to run on full administrator rights!

Ok, now to execute a nmap command you should follow this rule:

Code:
nmap<space>options<space>targer_specs

For example:

If we want to perform a ping scan on some random targets to see if they are online then we use this:

Code:
nmap -sP 192.168.100

If you run this code then you'll get the following output if the target PC is online:

[Image: QgfkiGP.png]

In the command above, out main option is the -sP which means Ping Scan, Run nmap again and read all the commands that are printed on the terminal.

The most useful commands that we are going to use and perform in the next topic are:

-sP IP/RangeIdentify whether any IP is online in the provided range
-O Target IPIdentify the Operating System of the Target PC
-sV Target IPIdentify and Report the Services, Versions used by the Target PC
-sU Target IPScan for open UDP Ports
-sT Target IPScan for open TCP Ports
-S Spoofed_IPSpoof IP for a Scan

Understanding Result:

Before we further continue I wanna give you a small intro to the result what nmaps presents after analysis, For example here's one:

Image has been scaled down 37% (814x449). Click this bar to view original image (1280x706). Click image to open in new window.
[Image: 6QWslSP.png]


In the image what you see is a result of a scan I preformed using nmap, 

The Port Information section tells you everything about, open, closed, filtered ports. Also about the services running on the ports and what version they have for example in the image:

Code:
80/tcp Open http Apache HTTPD 2.x.x

The 80/tcp Open part tells you that this is the open port, the http part means that this port handles http requests (Normal http Port for webservers) and finally 
the Apache httpd 2.x.x tells you the service running on this port, in our case it's definitely a Webserver, You see we now know that the IP I scanned actually has a server running on the Port 80, Nice eh? But there's more!

Now the Device Type tells you that which type of device is associated with the scanned IP, either it's a PC, a Router or a Bridge. In our case it tells us that the
IP is associated with a Router (See the image too)

The other two boxes tells you about the guesses that Nmap made in deciding which OS it uses, We will leave this part for now as I'll be explaining it later, So now you know how to identify and approach nmap's result.

Target Reconnaissance with Nmap

Before we proceed on gaining access to a remote PC, we might want to have some information about it using which we can find suitable exploits, vulnerabilities etc for it and using them to gain access. For this purpose we do Reconnaissance, we can do recon on a remote pc using Nmap as we've discussed it's use earlier that it's a security auditing, network mapping tool which is able to get request from target PC and analysis the vulnerabilities from the responds it gets. As nmap allows us to scan one of it's servers we will be usingscanme.nmap.org as our target ip. Remember that do not perform simultaneous scans otherwise you'll get blocked!


Operating System Identification:

The first part of hacking is about knowing which OS your target is using, Hence we will use Nmap. 

So first open nmap in your terminal and type this command:

Code:
nmap -O scanme.nmap.org

You'll get the output like:

Image has been scaled down 37% (814x80). Click this bar to view original image (1280x125). Click image to open in new window.
[Image: BVjYyFj.png]


In the image above, nmap has not described that which of the OS is the exact one used by the server, It has given us some list of some OS's (With the match rate with percentage in brackets). This situation occurs when there is a Firewall or a some kind of security patch installed on the target system, Remember that Nmap also states in it's documents that not every guess is a perfect one so the OS scans are not that perfect, It's up to you to do your stuff to confirm whether it's the one for example using SE Skills ( Very Valuable)

In order to get a good OS Match, you should have 1 open and a closed TCP port. Otherwise Nmap will give you guesses of OS that match the target system signature.

The above result was of a router, Now if I scan a windows system (PC) (Consider we don't know that it's a Windows OS ), Nmap give's us:

Image has been scaled down 4% (814x136). Click this bar to view original image (845x141). Click image to open in new window.
[Image: 6vgg8pN.png]


Notice that the device type says it's a "General Purpose" so indeed it's correct. Next is the OS besides the Service Info, It says it's a Windows system. You see that using this scan you can at least confirm that a target system is either Unix, Windows, MAC OS X or etc. Now for the OS Footprint, the result says that the system consists either of the 3 OS Vista/2008/7, This is where a things get a bit tricky, the system indeed uses Windows 7 but why did the result shows guess of 3 OS?
It's because of the same reason, You need at least 1 open and closed TCP port for an accurate (Not Precise!) output.

Now that you know how to scan a target system for OS recon, you also know the uncertainty in the result. Also remember that you should not always rely on nmap's OS Footprint, be sure to have a second option for confirmation of your result.

Getting Alive Targets in a Local Area Network:

You might have used tools like ettercap etc which can detect out live targets in lan range, Actually Ettercap does the range function automatically but with nmap it's time to do it manually and more user oriented way. 
To scan your LAN for live hosts you need:

1) An IP (Your's probably, In most cases)
2) A random range (24 to be default in nmap)


For this scan we will use the following command:

Code:
nmap -sP IP/Range

In the command above, the -sP is for Ping Scan, as we only want to know whether the target is alive or not so Ping scan will work for this purpose. the IP is your IP (I.e for me it's 192.168.0.100) and the Range is the range to which you want to scan the network IP. I'll be using the default range that is 24

So my command looks like:

Code:
nmap -sP 192.168.0.100/24

And the Output is:

[Image: u3K6eV1.png]

Bingo! We just found 2 hosts. 
Now we know that our target is alive, lets find out the services it's running.


Detect Services on a Remote PC

Previously we learned about how to read nmap's scan result, now is the time to recall the "Port Information", services usually are binded on certain ports through which theycommunicate for example the common port for a Web Server is 80. If we do a service scan it'll tell us that (If port 80 is open) a webserver is running on port 80 but it won't tell you the version like either it's Apache etc. For that we will use another scan but for now lets do a service scan, the command we will use is:

Code:
nmap -sS Target_IP

The -sS is the main option in this command, it tell nmap to do a Service scan on the target system so if I run this scan on the IP 192.168.0.100 then the command and the output will be as:

Code:
nmap -sS 192.168.0.100

Result:
[Image: OMpnSPt.png]

Oh look! We got lucky this time as the target system had a lame and low profile firewall. So lets study the scan a little bit.

In the result we've come across some open ports, the "Open" status means that the port is open and not blocked by a firewall, if there were then the status would have been either"Closed" or "Filtered". Then the result also states that nmap has been able to identify the service running on the port, the most peculiar one appears to be the msrpc Microsoft Remote Procedure Call for which there are exploits available.

Now that we've got the services, we will run a service version scan to detect the version of those services and to make your life a little bit easier Smile for that run the same command as above but by adding -sV which means scan for service versions also.

Code:
nmap -sS -sV 192.168.0.100

So now you'll get this result:

[Image: dRo1Ygl.png]

Nothing to explain here, as the image itself is a proof that we now have identified the versions, The "Unknown" services also turned out to be RPC. You know the services and then you can exploit the target OS with the respective one you find.

Getting Stealth while Scanning with Nmap

Before scanning a system or a server or any other target, we must make sure that our tracks are covered and we don't leave a trace. Now a days servers and other general purpose devices have IDS (Intrusion Detection Systems) and misc Firewall features which can detect nmap scans and can log IP, MAC etc of the scanner system. Nmap has an option to trick it too using which we can spoof not only our IP but our MAC Address too. Not to forget the special Decoy feature of nmap using which we can assign more than 3 different IP so that the scans gets cloaked by the decoy IP's.

First we will make some decoys for scanning the target, for that we use the following command:

Code:
nmap -sS -sV -O -D xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx target_ip

If my target IP is 192.168.0.100 and xxx.xxx.xxx.xxx are spoofed IP's then:

Code:
nmap -sS -sV -O -D 111.222.444.22,111.65.221.31 192.168.0.100

But how does it work? It's simple, the decoy are actually to trick the IDS, the IDS thinks the scans are coming from those Decoy IP's while your's stays hidden, It's that easy Smile

Also if you want to change your source IP just to be sure in case of any trouble then we use the -S option:

Code:
nmap -sS -sV -S Spoofed_IP Target_IP

So this is how you cloak your scan in order to avoid being caught or being logged by an IDS System. 



Scanning Ports in Custom Range

You can get the result of open ports via the command nmap target_IP but what if you want to scan your port in custom range, E.g I want to scan the ports open on a target system from 1 to 100 so for that we use the -p option followed by starting port-ending port so it will look like this:

Code:
nmap -p 1-100 scanme.nmap.org

So you'll get the result:

[Image: z0K1pcu.png]

As you can see in the image, the result is according to the option that you gave to the command that is scan all the ports in the range 1 to 100

If you want to preform a fast port scan, it's simple by using the -F option, but remember that this scan will be limited and the result will not be accurate as it might skip some port, Why? Because Fast scan is limited to scanning 100 ports while a normal scan can do it up-to 1000 ports, So do the math yourself!

Code:
nmap -F scanme.nmap.org

If you only want to scan either TCP or UDP Port on a target host then we use -sU and -sT respectively, 

For Scanning only TCP Ports:

Code:
nmap -sT target_ip

For Scanning Only UDP Ports:

Code:
nmap -sU target_ip

Export Result in a .XML File:

If you want to export your result as a .xml file then you can add this option at the end of your command:

Code:
> filename.xml

For Example:

Code:
nmap -O -sS -sV 192.168.0.1 > host.xml


The filename is the name of the file which shall contain your result, Thanks

0 Comments:

Post a Comment

Smiley face
Smiley face