Transcript nmap

Hands-On Ethical Hacking and Network Defense
Chapter 5: Port Scanning
Updated 11/7/2016 - jw

Objectives
• Describe port scanning
• Describe different types of port scans
• Describe various port-scanning tools
• Explain what ping sweeps are used for
• Explain how packet generation works

Introduction to Port Scanning
• Port scanning
  • Determines which applications/services are offered by a host
  • Identifies vulnerabilities
• Open services can be used in attacks
  • Identify a vulnerable port
  • Launch an exploit
• Scan all ports when testing
  • Not just well-known ports

Angry IP Port Scanner

Introduction to Port Scanning (continued)
• Port scanning programs report
  • Open ports
  • Closed ports
  • Filtered ports
  • Best-guess assessment of which OS is running

Port Scanning Artifacts
• IDS/IPS alerts referencing port/protocol scans
• Firewall logs showing blocked attempts to access a large number of ports, in close sequence, on a single host, in a short time
• TCP session initiated to an IP address, immediately terminated, and not followed by additional communication, observable in the firewall log
• TCP session only half set up and then abandoned, potentially observable in the firewall log

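The second artifact above (many ports on one host from one source in a short time) as detection logic run over constructed firewall log lines; this is an added example, not part of the slides, and the log format, the parse_line() layout and the two threshold values are assumptions to adapt to your own firewall:

```python
# Port-scan artifact detection over firewall log lines (added example, not from
# the slides). The log format is constructed; adapt parse_line() to your firewall.
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp action src dst dport tcp_flags (S = SYN)
SAMPLE_LOG = """\
2016-11-07T10:00:01 DROP 198.51.100.7 192.0.2.10 21 S
2016-11-07T10:00:01 DROP 198.51.100.7 192.0.2.10 22 S
2016-11-07T10:00:01 DROP 198.51.100.7 192.0.2.10 23 S
2016-11-07T10:00:02 DROP 198.51.100.7 192.0.2.10 25 S
2016-11-07T10:00:02 DROP 198.51.100.7 192.0.2.10 80 S
2016-11-07T10:00:02 DROP 198.51.100.7 192.0.2.10 110 S
2016-11-07T10:00:03 DROP 198.51.100.7 192.0.2.10 443 S
2016-11-07T10:00:03 DROP 198.51.100.7 192.0.2.10 3389 S
2016-11-07T10:01:00 ACCEPT 203.0.113.5 192.0.2.10 443 S
2016-11-07T10:05:00 ACCEPT 203.0.113.5 192.0.2.10 80 S
"""
WINDOW_SECONDS = 10   # "short time"; both thresholds are assumed tuning values
PORT_THRESHOLD = 8    # "large number of ports"

def parse_line(line):
    ts, action, src, dst, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action, "src": src,
            "dst": dst, "dport": int(dport), "flags": flags}

def detect_port_scans(log_text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Alert when one source has blocked (DROP) attempts on >= threshold
    distinct ports of one host within `window` seconds."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["action"] == "DROP":
                by_pair[(rec["src"], rec["dst"])].append(rec)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window: discard old records until it spans <= window seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            ports = {r["dport"] for r in recs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "first_seen": recs[start]["ts"].isoformat()})
                break  # one alert per source/host pair is enough
    return alerts
```

Accepted connections are deliberately ignored, so the two normal sessions from 203.0.113.5 never contribute to an alert.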
Is Port Scanning Legal?
• The legal status of port scanning is unclear
  • If you have permission, it's legal
  • If you cause damage of $5,000 or more, it may be illegal
• For more info, see links:
  • http://www.securityfocus.com/news/126
  • https://www.sans.org/readingroom/whitepapers/legal/ethics-legality-portscanning-71

Using Port-Scanning Tools
• Port-scanning tools
  • Hundreds available
  • Not all are accurate
• Be familiar with a variety of tools
  • Practice often to gain proficiency
  • Do not use one tool exclusively
• Some tools include:
  • Nmap
  • Nessus and OpenVAS

Nmap
• Originally written for Phrack magazine
• One of the most popular tools
• GUI versions
  • ZenMap, Xnmap and Ubuntu's NmapFE
  • Make working with complex options easier
• Open source tool
• Standard tool for security professionals

Types of Port Scans
• Ping scan
  • Simplest method: sends ICMP ECHO REQUEST to the destination(s)
  • TCP ping sends SYN or ACK to any port (default is port 80 for Nmap)
  • Any response shows the target is up
  • Example - nmap -sn 192.168.1.*

Normal TCP Handshake
Client  --SYN-->      Server
Client  <--SYN/ACK--  Server
Client  --ACK-->      Server
After this, you are ready to send data

SYN Port Scan
Client  --SYN-->      Server
Client  <--SYN/ACK--  Server
Client  --RST-->      Server
The server is ready, but the client decided not to complete the handshake
Example - nmap -sS 192.168.1.* --reason

Types of Port Scans
• SYN scan
  • Stealthy scan, because session handshakes are never completed
  • That keeps it out of some log files
  • Three states
    • Closed
    • Open
    • Filtered
  • Example - nmap -sS 192.168.1.*

Types of Port Scans
• Connect scan
  • Completes the three-way handshake
  • Not stealthy: appears in log files
  • Three states
    • Closed
    • Open
    • Filtered
  • Example - nmap -sT 192.168.1.* --reason

Types of Port Scans
• NULL scan
  • All the packet flags are turned off
  • Two results:
    • Closed ports reply with RST
    • Open or filtered ports give no response
  • Example - nmap -sN 192.168.1.* --reason

Types of Port Scans
• XMAS scan
  • FIN, PSH and URG flags are set
  • Works like a NULL scan – a closed port responds with an RST packet
  • Example - nmap -sX 192.168.1.* --reason

Types of Port Scans
• FIN scan
  • Only the FIN flag is set
  • Closed port responds with an RST packet
  • Example - nmap -sF 192.168.1.* --reason

Windows Machines
• NULL, XMAS and FIN scans don't work on Windows machines
  • Win 2000 Pro and Win Server 2003 show all ports closed
  • Win XP Pro shows all ports open/filtered
• See the Nmap tutorial
  • https://nmap.org/bennieston-tutorial/

Types of Port Scans (continued)
• ACK scan
  • Used to get information about a firewall
  • Stateful firewalls track connections and block unsolicited ACK packets
  • Stateless firewalls just block incoming SYN packets, so you get an RST response
  • Example - nmap -sA 192.168.1.* --reason

Types of Port Scans (continued)
• UDP scan
  • Closed port responds with an ICMP "Port Unreachable" message
  • Rarely used
  • Example - nmap -sU 192.168.1.* --reason

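The scan types above (NULL, XMAS, FIN, SYN/connect and ACK) boiled down to the TCP flag bits a defender sees in a captured probe and the reply each port state produces; an added example, not from the slides, and the windows_like switch is an assumption that models only the Win 2000/2003 "all ports closed" behaviour the slides describe:

```python
# Scan-type classification from TCP flag bits (added example, not from the
# slides): what an analyst can read off a single captured probe, and what
# reply each port state produces for it, as described on the slides above.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F          # the six classic flag bits of the TCP header
XMAS = FIN | PSH | URG

# Probe flag combinations of the Nmap scan types covered on the slides
SCAN_TYPES = {
    0:    "NULL scan (-sN)",
    FIN:  "FIN scan (-sF)",
    XMAS: "XMAS scan (-sX)",
    SYN:  "SYN scan (-sS) or connect scan (-sT)",
    ACK:  "ACK scan (-sA)",
}

def classify_probe(flags):
    """Name the scan type a lone probe with these flag bits belongs to."""
    return SCAN_TYPES.get(flags & FLAG_MASK, "not a recognised scan probe")

def expected_reply(flags, port_state, windows_like=False):
    """Reply the target sends for a probe, by port state ('open', 'closed',
    'filtered'). windows_like models the Win 2000/2003 behaviour on the
    slides: RST to NULL/FIN/XMAS regardless of state, so all ports look closed."""
    scan = flags & FLAG_MASK
    if port_state == "filtered":
        return "no response"      # a firewall silently drops the probe
    if scan == SYN:
        return "SYN/ACK" if port_state == "open" else "RST"
    if scan == ACK:
        return "RST"              # unfiltered port answers RST, open or closed
    if scan in (0, FIN, XMAS):
        if windows_like or port_state == "closed":
            return "RST"
        return "no response"      # a standards-conforming stack ignores it
    return "undefined for this flag combination"

def infer_state(flags, reply):
    """What the scanner concludes from the reply (the Nmap --reason view)."""
    scan = flags & FLAG_MASK
    if scan == SYN:
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == ACK:
        return "unfiltered" if reply == "RST" else "filtered"
    if scan in (0, FIN, XMAS):
        return "closed" if reply == "RST" else "open|filtered"
    return "unknown"
```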
Types of Port Scans (continued)
• Nping
  • Part of the Nmap suite
  • Open-source tool for network packet generation, response analysis and response time measurement
  • Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any field of the protocol headers
  • Examples
    • nping -c 1 --tcp -p 80,433 scanme.nmap.org google.com
    • nping --tcp -c 2 1.1.1.1 -p 100-102

Using Port-Scanning Tools
• Nmap (ZenMap GUI)
• Unicornscan
• NetScanTools Pro
• Nessus
• OpenVAS (or Greenbone Security Assistant)

Nmap OS Fingerprinting
• nmap -O 192.168.96.36

Nmap Service Fingerprinting
• nmap -sV 192.168.96.36

The Matrix Reloaded
• Trinity uses Nmap
• Video at https://www.youtube.com/watch?v=0PxTAn4g20U

Online Nmap Scanning
• https://pentest-tools.com/networkvulnerability-scanning/tcp-port-scanneronline-nmap

Unicornscan
• Developed in 2004 for Linux & UNIX only
• Ideal for large networks
  • Scans 65,535 ports in three to seven seconds
• Optimizes UDP scanning
  • Also can use TCP, ICMP, or IP
• Free from http://unicornscan.org/

Unicornscan
• Scatter Connect feature – offloads scans to multiple servers

NetScanTools Pro
• Robust, easy-to-use commercial tool
• Runs on Windows
• Types of tests
  • Database vulnerabilities
  • DHCP server discovery
  • IP packets viewer
  • Name server lookup
  • OS fingerprinting
• http://www.netscantools.com

Nessus
• First released in 1998 as a free, open source remote security scanner tool
• Uses a client/server technology
• Can conduct tests from different locations
• Can use different OSs for client and network
• 2005 – Nessus 3 became a commercial product

Nessus (continued)
• Server
  • Any *NIX platform
• Client
  • Can be *NIX or Windows
• Functions much like a database server
  • Ability to update security check plug-ins
  • Some plug-ins are considered dangerous

Nessus (continued)
• Finds services running on ports
• Finds vulnerabilities associated with identified services
• Real-time vulnerability updates
• Web application scanning
• Mobile device detection
• Configuration checks
• Compliance checks (PCI, CIS, FDCC, NIST, etc.)
• Sensitive data searches
• SCADA audits

OpenVAS (or Greenbone Security Assistant)
• OpenVAS
  • Open-source fork of Nessus in 2005
  • Now branded as Greenbone Security Assistant
  • Capable of updating security check plug-ins
  • Security test programs (scripts)
• Performs complex queries while client interfaces with server
• Can also determine what vulnerabilities are associated with services

Conducting Ping Sweeps
• Ping sweeps
  • Identify which IP addresses belong to active hosts
  • Ping a range of IP addresses
• Problems
  • Computers that are shut down cannot respond
  • Networks may be configured to block ICMP Echo Requests
  • Hardware and software firewalls may filter out ICMP traffic

FPing
• Ping multiple IP addresses simultaneously
• Command-line tool
• Input: multiple IP addresses
  • To enter a range of addresses: -g option
  • Input file with addresses: -f option
• See links
  • http://fping.org/ - Latest Version
  • http://fping.sourceforge.net/

Fping
• To ping sweep a range of IP addresses without using an input file, use the command:
  • fping -g BeginningIPaddress EndingIPaddress
• The -g parameter is used when no input file is available
• Example:
  • fping -g 192.168.185.1 192.168.185.5
• The command returns the results shown on the next slide

Fping on Ubuntu
• sudo apt-get install fping

Hping
• Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets
• Powerful tool
  • Supports many parameters (command options) including OS fingerprinting
• See links
  • www.hping.org/
  • https://en.wikipedia.org/wiki/Hping
  • https://www.ethicalhacker.net/columns/gates/tutorial-hping2-basics
• No longer in development; use hping2 or hping3

hping2 on Ubuntu
• sudo apt-get install hping2
• The command below sends three SYN packets to port 80 on the 147.144.1.2 server
• Response is SYN/ACK, as expected

Broadcast Addresses
• If you PING a broadcast address, that can create a lot of traffic
• In Class A, B, and C IP addresses the broadcast address normally ends in .255
• But if your LAN is subnetted with a subnet mask like 255.255.255.192 (/26)
  • There are other broadcast addresses ending in 63, 127, and 191

Broadcast Addresses
Flooded Broadcast
Workstation:~ wagnerj$ ping 255.255.255.255
PING 255.255.255.255 (255.255.255.255): 56 data bytes
64 bytes from 10.9.140.1: icmp_seq=0 ttl=255 time=1.805 ms
64 bytes from 10.9.143.200: icmp_seq=0 ttl=64 time=2.020 ms
64 bytes from 10.9.141.178: icmp_seq=0 ttl=64 time=2.188 ms
64 bytes from 10.9.143.173: icmp_seq=0 ttl=64 time=5.243 ms
64 bytes from 10.9.143.232: icmp_seq=0 ttl=64 time=79.445 ms
64 bytes from 10.9.143.154: icmp_seq=0 ttl=64 time=79.601 ms
64 bytes from 10.9.142.85: icmp_seq=0 ttl=64 time=79.998 ms
64 bytes from 10.9.143.134: icmp_seq=0 ttl=64 time=80.334 ms
64 bytes from 10.9.143.185: icmp_seq=0 ttl=64 time=80.742 ms
64 bytes from 10.9.143.157: icmp_seq=0 ttl=64 time=81.466 ms
64 bytes from 10.9.143.235: icmp_seq=0 ttl=64 time=85.078 ms
IP ADDRESS OF WORKSTATION = 10.9.142.15/22

Broadcast Addresses
Directed Broadcast
Workstation:~ wagnerj$ ping 10.9.143.255
PING 10.9.143.255 (10.9.143.255): 56 data bytes
64 bytes from 10.9.140.1: icmp_seq=0 ttl=255 time=5.387 ms
64 bytes from 10.9.143.200: icmp_seq=0 ttl=64 time=5.572 ms
64 bytes from 10.9.143.173: icmp_seq=0 ttl=64 time=5.735 ms
64 bytes from 10.9.141.178: icmp_seq=0 ttl=64 time=5.890 ms
64 bytes from 10.9.143.169: icmp_seq=0 ttl=64 time=209.499 ms
64 bytes from 10.9.142.46: icmp_seq=0 ttl=64 time=209.989 ms
64 bytes from 10.9.143.189: icmp_seq=0 ttl=64 time=210.008 ms
64 bytes from 10.9.143.194: icmp_seq=0 ttl=64 time=210.017 ms
64 bytes from 10.9.143.141: icmp_seq=0 ttl=64 time=210.025 ms
64 bytes from 10.9.143.160: icmp_seq=0 ttl=64 time=210.034 ms
64 bytes from 10.9.143.146: icmp_seq=0 ttl=64 time=210.049 ms
IP ADDRESS OF WORKSTATION = 10.9.142.15/22

Smurf Attack
• Pinging a broadcast address on an old network resulted in a lot of ping responses
• So just put the victim's IP address in the "From" field
  • The victim is attacked by a flood of pings, none of them directly from you
• Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks
• Windows and Ubuntu don't respond to broadcast PINGs
• See links
  • https://en.wikipedia.org/wiki/Smurf_attack

Smurf Attack
Mitigation techniques
• Configure individual hosts and routers not to respond to ICMP requests or broadcasts
• Configure routers not to forward packets directed to broadcast addresses
• Network ingress filtering to reject the attacking packets on the basis of the forged source address

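The two router-side mitigations above (refusing to forward to broadcast addresses, including the non-.255 ones from the /26 slide, and ingress filtering on the forged source) as a border check; an added example, not from the slides, and the internal subnets, the packet pairs and the function names are constructed assumptions:

```python
# Router-side smurf mitigation checks (added example, not from the slides). The
# subnets and packets below are constructed; real deployments take them from config.
import ipaddress

# Constructed internal subnets behind the border router; the /26s illustrate the
# slide's point that broadcast addresses need not end in .255
INTERNAL_SUBNETS = [ipaddress.ip_network(s) for s in
                    ("10.9.140.0/22", "192.168.185.0/26", "192.168.185.64/26")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def directed_broadcasts(subnets=INTERNAL_SUBNETS):
    """Every directed-broadcast address the router must refuse to forward to."""
    return {n.broadcast_address for n in subnets}

def border_decision(src, dst, subnets=INTERNAL_SUBNETS):
    """Decide (drop, reason) for an ICMP echo request arriving from outside.
    Applies two mitigations from the slide: no forwarding to broadcast
    addresses, and ingress filtering of packets whose source claims to be an
    internal address (a source that cannot legitimately arrive on this side)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip == LIMITED_BROADCAST or dst_ip in directed_broadcasts(subnets):
        return True, "broadcast destination is not forwarded"
    if any(src_ip in n for n in subnets):
        return True, "ingress filter: internal source address from outside"
    if not any(dst_ip in n for n in subnets):
        return True, "destination is not one of our subnets"
    return False, "forward"

def filter_packets(packets, subnets=INTERNAL_SUBNETS):
    """Apply border_decision to (src, dst) pairs; return only the forwarded ones."""
    return [(s, d) for s, d in packets if not border_decision(s, d, subnets)[0]]
```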
Crafting IP Packets
• Packet components
  • Source IP address
  • Destination IP address
  • Flags
• Crafting packets helps you obtain more information about a service

Crafting IP Packets
• Tools
  • Scapy - http://www.secdev.org/projects/scapy/
  • Yersinia - http://www.yersinia.net/
  • Ostinato - http://ostinato.org/
  • Colasoft Packet Builder - http://www.colasoft.com/
  • Bit-Twist - http://bittwist.sourceforge.net/
  • Fping
  • Hping