AppSec USA 2014, Denver, Colorado
nmap 101
An introduction to the timeless network scanner
Introduction
Jon Pettyjohn
Jon Pettyjohn is a cybersecurity professional at Aerstone with over ten (10) years of experience conducting penetration testing of networks and web applications. Mr. Pettyjohn started IT security testing in 2003 for Science Applications International Corporation (SAIC), now known as Leidos. During his time at SAIC, Mr. Pettyjohn was a member of a penetration test team that conducted over sixty-five (65) testing engagements a year for the Defense Department and the Federal Government. At Aerstone, Jon is a member of the security testing and Payment Card Industry assessment practice.
Objectives
– Provide an introduction to nmap
– Learn basic network discovery/enumeration
– Cover other uses: service enumeration, OS detection, slow or “stealth” scanning
– Not covering installation and every option
– Hands-on practice!
Background
– Free and open source; short for “Network Mapper”
– Written and maintained by Gordon “Fyodor” Lyon
– First released in 1997
– Appeared in “The Matrix Reloaded”
– Still used today
What is it?
Nmap is a port scanner with lots of options:
– Excellent tool for discovering “live” hosts and devices on a network
– Excellent tool for identifying available services on a host or device
– Very good tool for identifying the operating system of a host or device
– Good tool for identifying the type and version of available services on a host or device
nmap and Pentesting
Phase           Collected Data                              nmap
Discovery       IPs
Enumeration     IPs, Ports/Services
Vuln Scanning   IPs, Ports/Services, Potential Vulns
Pentesting      IPs, Ports/Services, Confirmed Weaknesses
Basic Usage: Discovery
The process of sending probes to solicit responses from active devices. AKA network recon, ping sweep.
Examples:
# nmap -sn
Basic ping sweep (-sn: no port scanning). When scanning local networks, nmap uses ARP to determine live hosts.
# nmap -sn -PS21,22,80, (need root)
SYN ping: sends an empty SYN packet to attempt a 3-way handshake on common ports.
# nmap -Pn -p21,22,23,53,80,113,137,139,443,
No ping: skips normal nmap discovery and attempts to connect to several TCP ports on every target in the target list.
Basic Usage: Enumeration
AKA “port scanning”. The goal of enumeration is to identify the open ports, services and operating systems of the live targets found in the discovery phase. Root privileges are needed to run SYN and UDP scans.
Examples:
# nmap -sS -iL
Default port scan (SYN) of the default ports in the nmap-services file, using either a host file (-iL) or IPs as input.
# nmap -sS -p -iL (or -p-)
Scans all 65k TCP ports. “Dash p dash” (-p-) is the equivalent of listing all 65k ports, minus port 0.
# nmap -sU -p -iL (or -p-)
Scans all 65k UDP ports.
Basic Usage: Enumeration (cont.)
Some common UDP ports:
Port  Service  Description
123   NTP      Network Time Protocol. Used for time synch.
161   SNMP     Simple Network Management Protocol. SNMP traps listen on UDP 161. Still widely used.
53    DNS      Domain Name Server. Used for name resolution.
111   RPC      Common UNIX port for sharing files over NFS (Network File System). Used for fingerprinting *NIX boxes.
69    TFTP     Trivial File Transfer Protocol. Less secure FTP. Doesn’t require credentials.
10 Port Scan Output
Port Scan Output Analysis
Understanding the results, focusing on the most common ports/services:
21/tcp    open  ftp            Likely a FTP server
25/tcp    open  smtp           Likely a Mail server
80/tcp    open  http           Likely a Web server
135/tcp   open  msrpc          Typically a Microsoft service
139/tcp   open  netbios-ssn    Typically a Microsoft service
445/tcp   open  microsoft-ds   Typically a Microsoft service
1433/tcp  open  ms-sql-s       Likely a SQL server
At this phase, none of the services have been verified, hence the terms “Likely” and “Typically”.
OS and Version Identification
OS detection: to identify the operating system of hosts, nmap compares the results of its probes against a database of OS fingerprints:
# nmap -O (host or hostlist)
Version fingerprinting: a standard port scan produces only a best guess at the service running. Version detection compares responses against a database of protocol signatures to attempt to identify the application name (Apache, Solaris telnetd, etc.), version, device type and OS family:
# nmap -sV -PN (host or hostlist)
Stealth Scanning
Targets protected by a firewall or filtering device may require adjusting the speed and throughput of the probes sent. Multiple source IPs may be used if security devices block the tester’s IPs.
“Throttle” switches include -T0 to -T5 (5 being the fastest, T3 being the default).
The following nmap command may be used to execute a throttled-down discovery scan that sends 1 probe every 3 seconds:
nmap -sS -PN --top-ports 100 --max-rate .33 --max-parallelism 1 --max-retries 2 --max_rtt_timeout 500ms --max-hostgroup 1
Option                   Description
--top-ports 100          scan top 100 ports
--max-rate .33           send a probe every 3 secs
--max-parallelism 1      send 1 probe at a time
--max-hostgroup 1        limit to one host at a time
--max_rtt_timeout 500ms  limit rtt timeout to 500 ms
--max-retries 2          only retransmit twice
14 Timing Settings
NSE
Nmap Scripting Engine: allows users to use or write scripts to automate a variety of tasks (vulnerability detection, backdoor detection, advanced version detection, exploitation).
Typically located in: / /nmap/scripts/
Information portal for all NSE scripts:
Good for automating “manual” tasks such as:
– Looking for default SNMP community strings
– Active Windows accounts
– Brute-forcing popular services (mysql, ldap, wordpress, etc.)
Example of the smb-brute NSE script:
16 NSE Example
Zenmap
– GUI version of nmap that works on Windows, Linux, Mac OS X, BSD, etc.
– Popular and common scan commands can be selected via menu.
– Different “views” of scan output.
– Saved scans can be compared to show differences.
18 Zenmap Examples
Other Useful Options
Option    Description
--help    Help! Sooo many options and configurations; we are only scratching the surface!
-v        Verbosity. Prints more information during a scan, such as timing, flags, protocol details, etc. The verbose level can be given on the command line or changed during a scan by hitting “v” (increase) or “V” (decrease).
-oX       Output. Different options for directing output to files, including:
          -oN  Normal, human-readable results
          -oX  XML, output for use in other programs or XML parsers
          -oG  Grepable (deprecated), easily searched using grep, awk, cut, etc.
          -oA  All: gives you the normal, XML and grepable file types.
--resume  Resume. Sometimes scans can take DAYS depending on timing options and the number of targets. If a scan is stopped with Ctrl-C and normal/grepable output was selected, the scan can be resumed by:
          # nmap --resume
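The -oG grepable format above is what makes the “Port Scan Output Analysis” step easy to automate. The following Python is an added example (not part of the original slides): it parses a constructed -oG sample, keeps only open ports, and labels the common ports with the slide’s “Likely”/“Typically” wording; the sample hosts and the unverified-service wording for other ports are assumptions.

```python
# Rule-of-thumb labels from the "Port Scan Output Analysis" slide.
LIKELY = {21: "Likely a FTP server", 25: "Likely a Mail server",
          80: "Likely a Web server", 1433: "Likely a SQL server",
          135: "Typically a Microsoft service",
          139: "Typically a Microsoft service",
          445: "Typically a Microsoft service"}
# Constructed sample of nmap -oG output (not a real scan). Fields are tab-separated
# "Key: value"; each Ports item is port/state/proto/owner/service/rpc-info/version.
SAMPLE_OG = (
    "# Nmap 6.47 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
    "# Nmap done (constructed sample)\n"
)

def parse_grepable(text):
    """Return {ip: [(port, proto, state, service), ...]} for hosts that are up."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):          # header/footer comment lines
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Host" not in fields or fields.get("Status") == "Down":
            continue
        ip = fields["Host"].split()[0]    # drop the "(hostname)" part
        entries = hosts.setdefault(ip, [])
        for item in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service = item.split("/")[:5]
            entries.append((int(port), proto, state, service))
    return hosts

def open_ports(hosts):
    """Keep only open ports, as the analysis slide does (filtered/closed dropped)."""
    return {ip: [(p, pr, s) for p, pr, st, s in e if st == "open"] for ip, e in hosts.items()}

def describe(port, service):
    """Label a port as the slide does; anything not in the table stays unverified."""
    return LIKELY.get(port, f"Unverified service ({service})")

def report(text):
    out = []  # one line per open port, in the style of the analysis slide
    for ip, entries in open_ports(parse_grepable(text)).items():
        out.append(f"{ip}: {len(entries)} open port(s)")
        out.extend(f"  {p}/{pr} {s:<14} {describe(p, s)}" for p, pr, s in entries)
    return "\n".join(out)
```

Run `print(report(SAMPLE_OG))` to see the summary; point `parse_grepable` at the contents of a real -oG file to use it on your own scans.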
Hands-on Activity
Practice objectives:
– How many “active” devices?
– List 1 or more operating systems
– Find the hidden web application(s).
– Identify the “mystery” device.
Restrictions:
– Limit network range
– Port scan 1 host at a time
– Limit port scans to --top-ports (TCP) and --top-ports 100 (UDP)
– Use -n in all scans (skip DNS lookup)
Answers
Live IPs   OS               What’s Running
           WiFi Router      Nothing special
           Win 2003 Server  FTP, SMTP, HTTP, MS-SQL, Web App on 4444
           CentOS 6.5       SSH, MySQL, Web app on 80, TFTP (UDP)
           Win 2k           MS NetBIOS ports 135, 139, 445
           CentOS 6.5       SSH, Web App on port 80
           IP Cam           Web Server/Cam feed on port 1984
           Win 8            All Filtered
           CentOS 6.5       SSH on port 1433 (needs -T2 to find)