Nmap and Nping for Blue Teams

NMAP

   ____  _____  ____    ____       _       _______
  |_   \|_   _||_   \  /   _|     / \     |_   __ \
    |   \ | |    |   \/   |      / _ \      | |__) |
    | |\ \| |    | |\  /| |     / ___ \     |  ___/
   _| |_\   |_  _| |_\/_| |_  _/ /   \ \_  _| |_
  |_____|\____||_____||_____||____| |____||_____|

  NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY

Purpose: Why are we using Nmap?

– Scenario 1: Identify all end points (on-going goal)
– Scenario 2: Search for potentially vulnerable hosts: MS17-010

Scenario 1: Identify all end points

Scan details required: targets, scan type, ports, other options (e.g. OS detection)

Target(s): network range

CIDR notation

Our range will be stored in a file, one IP/range per line

10.10.0.0/16

  [*] subnet: 10.10.0.0/16
  [*] network: 10.10.0.0, broadcast 10.10.255.255
  [*] netmask: 255.255.0.0, hostmask: 0.0.255.255
  [*] total number of hosts: 65536

10.10.0.0/24

  [*] subnet: 10.10.0.0/24
  [*] network: 10.10.0.0, broadcast 10.10.0.255
  [*] netmask: 255.255.255.0, hostmask: 0.0.0.255
  [*] total number of hosts: 256

10.10.10.0/26

  [*] subnet: 10.10.10.0/26
  [*] network: 10.10.10.0, broadcast 10.10.10.63
  [*] netmask: 255.255.255.192, hostmask: 0.0.0.63
  [*] total number of hosts: 64

Ranges are allowed: 192.168.3-5,7.1

file: network-list

192.168.1.0/24
192.168.2.0/24
192.168.3.1-100
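The subnet summaries above and the network-list file are easy to get wrong by hand (a /16 is 65,536 addresses, and a single dash-range line can quietly add hundreds more). The following script is an added example, not part of the original notes: it uses Python's standard ipaddress module to reproduce the [*] subnet fields for any CIDR and, going a step beyond the page, expands Nmap's octet-range syntax (192.168.3.1-100, 192.168.3-5,7.1) so you can count exactly how many addresses a scan will touch before running it. The NETWORK_LIST content is a constructed copy of the page's file plus its range examples.

```python
import ipaddress
import itertools

# Constructed copy of the page's network-list file plus the range examples it
# mentions; one target spec per line, '#' comments allowed.
NETWORK_LIST = """\
10.10.0.0/16
192.168.1.0/24
192.168.2.0/24
192.168.3.1-100
192.168.3-5,7.1
"""


def describe_cidr(cidr):
    """Return the fields shown in the page's [*] subnet summaries for one CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "subnet": str(net),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "hostmask": str(net.hostmask),
        "hosts": net.num_addresses,  # every address in the block, as nmap counts them
    }


def expand_octet(spec):
    """Expand one octet written in Nmap's syntax: '7', '3-5', '3-5,7', '*' or '-'."""
    if spec in ("*", "-"):
        return list(range(256))
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0      # '-5'   is taken as 0-5
            hi = int(hi) if hi else 255    # '250-' is taken as 250-255
            values.update(range(lo, hi + 1))
        else:
            values.add(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {spec!r}")
    return sorted(values)


def expand_target(spec):
    """List every IPv4 address one Nmap target spec covers (CIDR or octet ranges)."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    combos = itertools.product(*(expand_octet(o) for o in octets))
    return [".".join(map(str, c)) for c in combos]


def count_targets(text):
    """Total number of addresses a network-list file will make nmap probe."""
    total = 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            total += len(expand_target(line))
    return total


if __name__ == "__main__":
    for line in NETWORK_LIST.splitlines():
        if "/" in line:
            d = describe_cidr(line)
            print(f"[*] subnet: {d['subnet']}")
            print(f"[*] network: {d['network']}, broadcast {d['broadcast']}")
            print(f"[*] netmask: {d['netmask']}, hostmask: {d['hostmask']}")
            print(f"[*] total number of hosts: {d['hosts']}\n")
    print("total addresses in network-list:", count_targets(NETWORK_LIST))
```

Run it against your real network-list before the Scenario 1 scan; the total it prints is the number of addresses nmap will probe on every port in the -p list, which is the figure that decides whether a -T timing value is sensible for the maintenance window.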

Ports of interest

Situational awareness

  • potentially vulnerable
  • existing vulns
  • generally good to be aware of

-p22,53,80,123,443,445,3306,8000,8080,31337

Nmap defines these ports in one of its data files, /usr/share/nmap/nmap-services

Other useful options

-T<0-5>

  Set timing template (higher is faster). Default 3

-Pn

  Treat all hosts as online -- skip host discovery

-A

  Enable OS detection, version detection, script scanning, and traceroute

-sV

  Probe open ports to determine service/version info

--version-intensity <level>

  Set from 0 (light) to 9 (try all probes)

--version-light

  Limit to most likely probes (intensity 2)

--open

  Only show open (or possibly open) ports

Command for Scenario 1

$ nmap -Pn -A --version-light -p22,53,80,123,443,445,3306,8000,8080,31337 -iL network-list --open

Our command is now targeted to our specific need(s).

Scenario 2: Search for MS17-010

Target hosts with port 445 open

  • scan type (defined by our goal)
  • port 445 (TCP/UDP)
  • NSE (Nmap Scripting Engine)

File: smb-vuln-ms17-010.nse

Command for Scenario 2

$ nmap -p445 --script smb-vuln-ms17-010 scanme.nmap.org

Sample output

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Reference: https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html
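Reading "State: VULNERABLE" off the screen works for one host; across a /16 you want nmap's XML output (-oX) and a small triage step. The script below is an added example, not code from the notes or from the Nmap project. It parses the host, address, port and hostscript elements of -oX output, flags hosts whose smb-vuln-ms17-010 result contains "State: VULNERABLE", pulls the CVE ids out of the script text, and separates hosts where 445 was not open from hosts where the script ran but could not decide. SAMPLE_XML is a constructed document whose first host carries the page's sample output verbatim; the other two hosts and their script text are made up for illustration.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed nmap -oX output: host 1 carries the page's sample script output,
# host 2 is an undetermined result, host 3 never had 445 open.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p445 --script smb-vuln-ms17-010 -oX - -iL network-list">
  <host><status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143&#10;    Risk factor: HIGH"/></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.10.10.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-vuln-ms17-010" output="Could not determine the state of the host (constructed sample text)"/></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.10.10.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
  </host>
</nmaprun>
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def classify_host(host):
    """Turn one <host> element into a triage record."""
    addr_el = host.find("address[@addrtype='ipv4']")
    addr = addr_el.get("addr") if addr_el is not None else "?"

    port_state = None
    for port in host.findall("ports/port"):
        if port.get("protocol") == "tcp" and port.get("portid") == "445":
            state_el = port.find("state")
            port_state = state_el.get("state") if state_el is not None else None

    script = host.find(f"hostscript/script[@id='{SCRIPT_ID}']")
    output = script.get("output", "") if script is not None else ""

    if port_state != "open":
        verdict = "smb-not-open"          # script cannot run; nothing to conclude
    elif script is None:
        verdict = "no-script-result"      # 445 open but no hostscript block
    elif "State: VULNERABLE" in output:
        verdict = "VULNERABLE"
    else:
        verdict = "not-vulnerable-or-undetermined"

    return {
        "addr": addr,
        "port445": port_state,
        "verdict": verdict,
        "cves": sorted(set(CVE_RE.findall(output))),
    }


def triage(xml_text):
    """Classify every host in an nmap -oX document."""
    root = ET.fromstring(xml_text)
    return [classify_host(h) for h in root.findall("host")]


def vulnerable_hosts(xml_text):
    """Addresses that should go straight to the patching ticket."""
    return sorted(r["addr"] for r in triage(xml_text) if r["verdict"] == "VULNERABLE")


if __name__ == "__main__":
    for rec in triage(SAMPLE_XML):
        print(f"{rec['addr']:<16} 445={rec['port445']!s:<9} {rec['verdict']:<32} {','.join(rec['cves'])}")
```

For a real run, add -oX scan.xml to the Scenario 2 command and call triage() on the file contents. Keep the "not-vulnerable-or-undetermined" hosts on the follow-up list rather than dropping them: the script can fail to reach the IPC$ share on a host that is still unpatched, so only an explicit VULNERABLE result is evidence either way.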

NPING

Nping is a great tool for performing specific probes.

“Nping is an open-source tool for network packet generation, response analysis and response time measurement.
Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any
field of the protocol headers.” – Nping man page

In many environments ICMP traffic is dropped on host-based firewalls. Such a configuration makes the ping
utility mostly useless. Alternative utilities that could be used include IPv6 options to the ping command and
TCP traceroute. However, Nping is a much more powerful tool.

“Additionally, Nping offers a special mode of operation called the “Echo Mode”, that lets users see how the
generated probes change in transit, revealing the differences between the transmitted packets and the packets
received at the other end. See section “Echo Mode” for details.” – Nping man page

Examples:

Are ports 80 and 443 listening on scanme.nmap.org and google.com?

$ nping -c 1 --tcp -p 80,443 scanme.nmap.org google.com

Is UDP port 123 (NTP) open on scanme.nmap.org?

$ nping -c 1 --udp -p 123 scanme.nmap.org

See if the echo server on scanme will respond.

$ nping --echo-client "public" scanme.nmap.org

Resources

https://nmap.org/

https://nmap.org/book/

https://github.com/nmap/nmap