Scribd
Upload
90 views35 pages

Analysing Networks With NMAP: OWASP Ruhrpott Meetup March 2019

This document provides an overview of using NMAP to analyze networks. It begins with networking basics on protocols like UDP, TCP and ICMP. It then covers NMAP basics such as default privileges, host discovery methods, scan types, port states, scan speeds, target syntax and output formats. Next, it discusses NMAP script scanning and the different categories and expressions that can be used. It introduces the concept of NSE scripting and the different classes of scripts. Finally, it briefly mentions other tools in the NMAP suite like Ncat, Ndiff and Nping, and encourages safe usage of NMAP for training purposes only on dedicated or consented networks.

Uploaded by

Fshhan arethusa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
90 views35 pages

Analysing Networks With NMAP: OWASP Ruhrpott Meetup March 2019

This document provides an overview of using NMAP to analyze networks. It begins with networking basics on protocols like UDP, TCP and ICMP. It then covers NMAP basics such as default privileges, host discovery methods, scan types, port states, scan speeds, target syntax and output formats. Next, it discusses NMAP script scanning and the different categories and expressions that can be used. It introduces the concept of NSE scripting and the different classes of scripts. Finally, it briefly mentions other tools in the NMAP suite like Ncat, Ndiff and Nping, and encourages safe usage of NMAP for training purposes only on dedicated or consented networks.

Uploaded by

Fshhan arethusa
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 35

Analysing Networks with NMAP

OWASP Ruhrpott Meetup


March 2019
Overview
● Networking Basics
● NMAP Basics
○ Scan types
○ Port states
○ Scan Speed
○ Output
○ Script Scans
● NSE Scripting
● NMAP Tool Suite
Networking Basics
Networking Basics - UDP
The User Datagram Protocol is:

● Minimalistic
● Stateless
● Unreliable
● Unordered
● Fast?

=> Best effort


Networking Basics - TCP
The User Datagram Protocol is:

● Much overhead
● Stateful
● Reliable
● Ordered

=> Reliable Heavyweight


Networking Basics - TCP II - Handshake
● Formal handshake
● 3-Way-Handshake
● Parties are emancipated afterwards
Networking Basics - TCP III - Teardown
● TCP connections require teardown
● 4-Way-Handshake
● Closing party can no longer send data, but
should still read incoming data.
Networking Basics - ICMP
The Internet Control Message Protocol is:

● Supporting protocol
● Not usually used to send data*
● Does things like:
○ ping
○ traceroute*
NMAP Basics
NMAP Basics
NMAP Basics - Default Privileges
Default NMAP behaviour depends on privileges:

● Privileged (root/Administrator*)
○ TCP SYN scan
● Unprivileged
○ TCP connect scan
NMAP Basics - Host Discovery
Several ways - different outcomes

● Ping scan (-sP):


○ nmap -sP scanme.nmap.org
● ICMP pings (-PE, -PP, -PM):
○ nmap -PE scanme.nmap.org
● ARP ping
○ nmap -PR scanme.nmap.org

Ultimative host discovery command (~93% detc):

● nmap -PE -PS80 -PS443 -PP -PU40125 -PS3389


-PA21 -PU161 --source-port 53
NMAP Basics - Scan Types I
Scan types (most common):

● TCP-SYN-Scan (-sS)
○ Fast
○ Stealthy (?)
○ Requires privileges
● TCP-Connect-Scan (-sT)
○ Relies on OS
○ Slower than TCP-SYN-Scan
● UDP-Scan (-sU)
○ Slow
○ Unreliable
NMAP Basics - Scan Types II
More Scan Types:

● TCP-NULL-Scan (-sN)
○ None
● TCP-FIN-Scan (-sF)
○ FIN
● TCP-Xmas-Scan (-sX)
○ URG, PSH, FIN
NMAP Basics - Scan Types III
Even More Scan Types:

● TCP-Idle-Scan (-sI) [Zombie]


○ Spoofing packages
● IP-Protocol-Scan (-sO)
○ Enumerating IP Protocols
NMAP Basics - Port States
NMAP distinguishes between different port states:

● open
○ “Proper” response received
● closed
○ RST received
● filtered
○ Something else happened
● open|filtered
○ Couldn’t determine port state
■ often UDP related
NMAP Basics - Scan Speeds
Different Speed Settings (-T):

● paranoid (0)
● sneaky (1)
● polite (2)
● normal (3) [default]
● aggressive (4)
● insane (5)
NMAP Basics - Target Syntax
Everything that isn’t an option is considered a host :-)

● Hostname: nmap scanme.nmap.org


● IP-Address: nmap 45.33.32.156
● CIDR-ish notation:
○ nmap 45.33.32.156/32
○ nmap scanme.nmap.org/32
○ NOT nmap 45.33.32.156/255.255.255.255
● Octet ranges: nmap 45.33.32-35.1-254

Everything above can be combined and loaded from a file as well (-iL)
NMAP Basics - Port Syntax
Ports are scanned in a (mostly) random order

● Scan top 100 ports only (“fast”, -F)


○ nmap -F scanme.nmap.org
● Scan “all” (1-65535) ports
○ nmap -p- scanme.nmap.org
● Scan all ports (0-65535)
○ nmap -p0-65535 scanme.nmap.org
● Scan specific ports and port ranges
○ nmap -p 22,53,80,443,500-1000 scanme.nmap.org
NMAP Basics - Output
● Normal (-oN)
● XML (-oX)
● Greppable (-oG)
● s|<rIpt kIddi3 (-oS)

The first three can be accessed with -oA


NMAP Basic - Misc. Switches
● Generate 100 random targets and log your crimes
○ nmap -iR 100 -Pn -oA admissible-evidence
● IPv6 scan:
○ nmap -6 scanme.nmap.org
● Service version probing:
○ nmap -sV scanme.nmap.org
● OS detection:
○ nmap -O scanme.nmap.org
● Aggressive (-A) scan, includes OS and version detection, script scanning and
traceroute:
○ nmap -A scanme.nmap.org
NMAP Basics - Script Scan I
More than just port scanning

● Script-Scan (-sC)
○ Equivalent to --script=default
● --script accepts:
○ Filename
○ Directory
○ Category
○ Expressions
NMAP Basics - Script Scan II
Script Categories:

● auth ● intrusive
● broadcast ● malware
● brute ● safe
● discovery ● version
● dos ● vuln
● exploit
● external
● fuzzer

Expressions are supported:


● --script=”default or save”
● --script=”(default and save) and not http-*”
NSE Scripting
NSE Scripting I
Four Classes of Scripts:

● Service scripts
○ Executed once per port
● Host scripts
○ Executed once per host
● Pre-rule script
○ Executed prior any scan
● Post-rule script
○ Executed after all scans
NSE Scripting - Example http-title

https://svn.nmap.org/nmap/scripts/http-title.nse
NMAP Tool Suite
NMAP Tool Suite - ncat
● Netcat (nc) alternative
○ Supports SSL
○ Supports IPv6
○ Proxying

Further reading:

● https://nmap.org/ncat/guide/ncat-tricks.html
● http://alexcreek.com/ncat-cheatsheet.html
NMAP Tool Suite - ndiff
● Compares scans
● Takes in two XML files
NMAP Tool Suite - nping
● Network packet generator
● Response analysis
● Response time measurement.
● Also does ping :-)
NMAP Tool Suite - zenmap
● GUI for NMAP
● Quick profile selection
● Graphical organisation
● Topology
Training with NMAP
Training with NMAP
Don’t go wandering off, scanning networks without consent!

This could get you into trouble. Things could break, people could sue you.

To experiment with NMAP use:

● Dedicated hosts like scanme.nmap.org,


● Dedicated lab environments (e.g. Hack-in-the-Box),
● Your own network (NOT the hotel WiFi, NOT your friends WiFi!)
● Virtual machines with interesting services (e.g. metasploitable)

Metasploitable v2: https://sourceforge.net/projects/metasploitable/files/latest/download


Analysing Networks with NMAP

Questions?

You might also like