____ _____ ____ ____ _ _______ |_ \|_ _||_ \ / _| / \ |_ __ \ | \ | | | \/ | / _ \ | |__) | | |\ \| | | |\ /| | / ___ \ | ___/ _| |_\ |_ _| |_\/_| |_ _/ / \ \_ _| |_ |_____|\____||_____||_____||____| |____||_____| NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
Purpose: Why are we using Nmap?
– Scenario 1: Identify all end points (on-going goal)
– Scenario 2: Search for potentially vulnerable hosts: MS17-010
Scenario 1: Identify all end points
Scan details required; targets, scan type, ports, other (OS detection)
Target(s): network range
Our range will be stored in a file, one IP/range per line
10.10.0.0/16 [*] subnet: 10.10.0.0/16 [*] network: 10.10.0.0, broadcast 10.10.255.255 [*] netmask: 255.255.0.0, hostmask: 0.0.255.255 [*] total number of hosts: 65536 10.10.0.0/24 [*] subnet: 220.127.116.11/24 [*] network: 18.104.22.168, broadcast 22.214.171.124 [*] netmask: 255.255.255.0, hostmask: 0.0.0.255 [*] total number of hosts: 256 10.10.10.0/26 [*] subnet: 10.10.10.0/26 [*] network: 10.10.10.0, broadcast 10.10.10.63 [*] netmask: 255.255.255.192, hostmask: 0.0.0.63 [*] total number of hosts: 64
Ranges are allowed: 192.168.3-5,7.1
192.168.1.0/24 192.168.2.0/24 192.168.3.1-100
Ports of interest
- potentially vulnerable
- existing vulns
- generally good to be aware of
Nmap defines these ports in one of its data files, /usr/share/nmap/nmap-services
Other useful options
-T<0-5> Set timing template (higher is faster). Default 3 -Pn Treat all hosts as online -- skip host discovery -A Enable OS detection, version detection, script scanning, and traceroute -sV Probe open ports to determine service/version info --version-intensity Set from 0 (light) to 9 (try all probes) --version-light Limit to most likely probes (intensity 2) --open Only show open (or possibly open) ports
Command for Scenario 1
$ nmap -Pn -A --version-light -p22,53,80,123,443,445,3306,8000,8080,31337 -iL network-list --open
Our command is now targeted to our specific need(s).
Scenario 2: Search for MS17-010
Target hosts with port 445 open
- scan type (defined by our goal)
- port 445 (TCP/UDP)
- NSE (Nmap Scripting Engine)
Command for Scenario 2
$ nmap -p445 --script smb-vuln-ms17-010 scanme.nmap.org
Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx | https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nping is a great tool for performing specific probes.
“Nping is an open-source tool for network packet generation, response analysis and response time measurement.
Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any
field of the protocol headers.” – Nping man page
In many environments ICMP traffic is dropped on host-based firewalls. Such a configuration makes the ping
utility mostly useless. Alternative utilities that could be used include IPv6 options to the ping command and
TCP traceroute. However, Nping is a much more powerful tool.
“Additionally, Nping offers a special mode of operation called the “Echo Mode”, that lets users see how the
generated probes change in transit, revealing the differences between the transmitted packets and the packets
received at the other end. See section “Echo Mode” for details.” – Nping man page
Are ports 80,443 listening on scanme.nmap.org and google.com?
$ nping -c 1 --tcp -p 80,443 scanme.nmap.org google.com
Is UDP port 123 (NTPD) open on scanme.nmap.org?
$ nping -c 1 --udp -p 123 scanme.nmap.org
See if the echo server on scanme will respond..
$ nping --echo-client "public" scanme.nmap.org