Nmap and Nping for Blue Teams

NMAP

   ____  _____  ____    ____       _       _______
  |_   \|_   _||_   \  /   _|     / \     |_   __ \
    |   \ | |    |   \/   |      / _ \      | |__) |
    | |\ \| |    | |\  /| |     / ___ \     |  ___/
   _| |_\   |_  _| |_\/_| |_  _/ /   \ \_  _| |_
  |_____|\____||_____||_____||____| |____||_____|

  NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY

Purpose: Why are we using Nmap?

– Scenario 1: Identify all end points (on-going goal)
– Scenario 2: Search for potentially vulnerable hosts: MS17-010

Scenario 1: Identify all end points

Scan details required: targets, scan type, ports, other options (OS detection)

Target(s): network range

CIDR notation

Our ranges will be stored in a file, one IP or range per line, and passed to Nmap with -iL

10.10.0.0/16

  [*] subnet: 10.10.0.0/16
  [*] network: 10.10.0.0, broadcast 10.10.255.255
  [*] netmask: 255.255.0.0, hostmask: 0.0.255.255
  [*] total number of hosts: 65536

10.10.0.0/24

  [*] subnet: 10.10.0.0/24
  [*] network: 10.10.0.0, broadcast 10.10.0.255
  [*] netmask: 255.255.255.0, hostmask: 0.0.0.255
  [*] total number of hosts: 256

10.10.10.0/26

  [*] subnet: 10.10.10.0/26
  [*] network: 10.10.10.0, broadcast 10.10.10.63
  [*] netmask: 255.255.255.192, hostmask: 0.0.0.63
  [*] total number of hosts: 64

Octet ranges and lists are allowed: 192.168.3-5,7.1 expands to 192.168.3.1, 192.168.4.1, 192.168.5.1 and 192.168.7.1

file: network-list

192.168.1.0/24
192.168.2.0/24
192.168.3.1-100

Ports of interest

Situational awareness:

  • potentially vulnerable
  • existing vulns
  • generally good to be aware of

-p22,53,80,123,443,445,3306,8000,8080,31337

Nmap's port-to-service name mapping (and its default port list) comes from one of its data files, /usr/share/nmap/nmap-services

Other useful options

-T<0-5>

  Set timing template (higher is faster). Default 3

-Pn

  Treat all hosts as online -- skip host discovery

-A

  Enable OS detection, version detection, script scanning, and traceroute

-sV

  Probe open ports to determine service/version info

--version-intensity <0-9>

  Set from 0 (light) to 9 (try all probes)

--version-light

  Limit to most likely probes (intensity 2)

--open

  Only show open (or possibly open) ports

Command for Scenario 1

$ nmap -Pn -A --version-light -p22,53,80,123,443,445,3306,8000,8080,31337 -iL network-list --open

Our command is now targeted to our specific need(s).

Scenario 2: Search for MS17-010

Target hosts with port 445 open

  • scan type (defined by our goal)
  • port 445 (TCP/UDP)
  • NSE (Nmap Scripting Engine)

File: smb-vuln-ms17-010.nse

Command for Scenario 2

$ nmap -p445 --script smb-vuln-ms17-010 scanme.nmap.org

Sample output

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Reference: https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html
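Added example (not from the original notes): turning the results of both scenarios into something a blue team can track, assuming the commands above were run with -oX scan.xml. The XML below is constructed to follow Nmap's -oX layout and is not a real scan; inventory() and diff_inventory() cover the on-going endpoint goal of Scenario 1, and ms17_010_vulnerable() picks out hosts whose NSE output reads "State: VULNERABLE" as in the sample output above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (not a real scan): two hosts up, one down,
# host .10 carries a smb-vuln-ms17-010 host-script result.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
  <hostscript><script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE&#10;"/></hostscript></host>
 <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
 <host><status state="down"/><address addr="192.168.1.12" addrtype="ipv4"/></host>
</nmaprun>"""

def inventory(xml_text):
    """Scenario 1: {ip: [(proto, port, service), ...]} for every host that is up."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        result[ip] = open_ports
    return result

def ms17_010_vulnerable(xml_text):
    """Scenario 2: IPs whose smb-vuln-ms17-010 output reports 'State: VULNERABLE'."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        for script in host.iter("script"):
            if script.get("id") == "smb-vuln-ms17-010" and "State: VULNERABLE" in script.get("output", ""):
                hits.append(host.find("address[@addrtype='ipv4']").get("addr"))
    return hits

def diff_inventory(old, new):
    """Ports that appeared since the previous run: the on-going part of Scenario 1."""
    added = {}
    for ip, ports in new.items():
        new_ports = sorted(set(ports) - set(old.get(ip, [])))
        if new_ports:
            added[ip] = new_ports
    return added
```

Keep the previous run's inventory() result on disk and feed it to diff_inventory() after each scheduled scan to see new endpoints and newly opened ports.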

NPING

Nping is a great tool for performing specific probes.

“Nping is an open-source tool for network packet generation, response analysis and response time measurement.
Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any
field of the protocol headers.” – Nping man page

In many environments ICMP traffic is dropped on host-based firewalls. Such a configuration makes the ping
utility mostly useless. Alternative utilities that could be used include IPv6 options to the ping command and
TCP traceroute. However, Nping is a much more powerful tool.

“Additionally, Nping offers a special mode of operation called the “Echo Mode”, that lets users see how the
generated probes change in transit, revealing the differences between the transmitted packets and the packets
received at the other end. See section “Echo Mode” for details.” – Nping man page

Examples:

Are ports 80,443 listening on scanme.nmap.org and google.com?

$ nping -c 1 --tcp -p 80,443 scanme.nmap.org google.com

Is UDP port 123 (NTPD) open on scanme.nmap.org?

$ nping -c 1 --udp -p 123 scanme.nmap.org

Does the echo server on scanme.nmap.org respond?

$ nping --echo-client "public" scanme.nmap.org

Resources

https://nmap.org/

https://nmap.org/book/

https://github.com/nmap/nmap

hping3 exercise

TCP 3-way Handshake

This exercise demonstrates the Transmission Control Protocol 3-way handshake.

Getting hping3

Fedora/CentOS

$ dnf install hping3

Available on github, https://github.com/antirez/hping

Description

hping3 – send (almost) arbitrary TCP/IP packets to network hosts

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet bodies and sizes, and can be used to transfer files encapsulated under supported protocols.

Using hping3 you are able to perform at least the following:

  • Test firewall rules
  • Advanced port scanning
  • Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
  • Path MTU discovery
  • Transferring files between even really fascist firewall rules.
  • Traceroute-like under different protocols.
  • Firewalk-like usage.
  • Remote OS fingerprinting.
  • TCP/IP stack auditing.
  • Lots more.

Exercise

Start a listener on port 80 using netcat (ports below 1024 need root, so run netcat with sudo).

$ nc -l 127.0.0.1 80

From a different terminal run the following command.

$ sudo hping3 -I lo -c 3 -S 127.0.0.1 -p 80

Next steps: your turn.

Note: stop the netcat listener after each question and restart it on the appropriate port.

1. Explain what the hping3 command above is doing.

2. What hping3 options would you use to send three ACK packets to port 80?

  • run the command and note the responses.

3. What hping3 options would you use to send four SYN-ACK packets to port 443?

  • run the command and note the responses.

4. What hping3 options would you use to send two RST packets to port 22?

  • run the command and note the responses.

5. Why do we receive the various responses above, i.e., what does each type of response mean?


Port sensor using Python

One of our darknet sensors receives over one hundred probes on port 0/UDP. To better understand what this traffic is and where it’s coming from, I decided to add a sensor to see if I can find out more information. This is the approach I took.

I need a sensor that listens for UDP requests on port 0. So, what is port 0 all about anyway? The first place I looked was /etc/services, which references IANA for all port assignments. Port 0 is not listed in /etc/services because port 0 (TCP and UDP) is reserved.

A quick breakdown of port assignments:

– The Well Known Ports are those from 0 through 1023.
– The Registered Ports are those from 1024 through 49151
– The Dynamic and/or Private Ports are those from 49152 through 65535

The latest IANA port assignments can be found on IANA’s website,

http://www.iana.org/assignments/port-numbers

IANA references RFC 6335, https://tools.ietf.org/html/rfc6335


Sensor code

sensor-udp.py is available in the sensors repo on github,

  https://github.com/clayball/sensors


Setup

Redirect UDP packets arriving at port 0 to port 30999 (an arbitrary high port). The redirect is needed because bind() to port 0 in the socket API does not listen on port 0; it asks the kernel for any free ephemeral port.

iptables -t nat -A PREROUTING -p udp --dport 0 -j REDIRECT --to-port 30999

Start sensor-udp.py and watch the log file.

# ./sensor-udp.py &

# tail -f udp-received.log


Testing the sensor

The sensor will run on host 192.168.1.13. The test will be run from a different host on the same subnet. Sending directly to port 30999 exercises the sensor but not the iptables REDIRECT rule; to test the rule as well, target port 0 instead.

nping --udp 192.168.1.13 -p 30999


Result

Output from the tail command above.

received '\x00\x00\x00\x00' from 192.168.1.12:38446 at 2016-02-14 15:56:36.617687
received '\x00\x00\x00\x00' from 192.168.1.12:60951 at 2016-02-14 15:56:37.619199
received '\x00\x00\x00\x00' from 192.168.1.12:52143 at 2016-02-14 15:56:38.620581
received '\x00\x00\x00\x00' from 192.168.1.12:40711 at 2016-02-14 15:56:39.622143

This sensor detects UDP pings and logs the source IP and time.
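Added example, not the sensor-udp.py from the sensors repo: a minimal UDP sensor in the same spirit, writing one line per datagram in the "received ... from ip:port at timestamp" format shown above, plus a parser for that log so the probes can be counted per source. The port 30999 and the log file name are assumed to match the setup above.

```python
import re
import socket
import datetime
from collections import Counter

LISTEN_PORT = 30999            # REDIRECT target from the iptables rule above (assumed)
LOG_FILE = "udp-received.log"

def format_record(data, addr, ts):
    # latin-1 maps every byte to one char, and repr() renders NULs as \x00 like the log above
    return "received %r from %s:%d at %s" % (data.decode("latin-1"), addr[0], addr[1], ts)

def serve(port=LISTEN_PORT, log_path=LOG_FILE, max_packets=None):
    """Bind the UDP port and append one record per datagram (forever unless max_packets is set)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # bind() to port 0 would ask the kernel for an ephemeral port, hence the iptables REDIRECT
    sock.bind(("0.0.0.0", port))
    seen = 0
    with open(log_path, "a") as log:
        while max_packets is None or seen < max_packets:
            data, addr = sock.recvfrom(65535)
            log.write(format_record(data, addr, datetime.datetime.now()) + "\n")
            log.flush()
            seen += 1
    sock.close()

LINE = re.compile(r"^received (?P<payload>.+?) from (?P<ip>[\d.]+):(?P<port>\d+) at (?P<ts>.+)$")

def parse_record(line):
    """Return (ip, port, payload_repr, timestamp) for a log line, or None if it does not match."""
    m = LINE.match(line.strip())
    return (m.group("ip"), int(m.group("port")), m.group("payload"), m.group("ts")) if m else None

def sources(lines):
    """Probe count per source IP: the 'where is it coming from' question."""
    counts = Counter(rec[0] for rec in map(parse_record, lines) if rec)
    return dict(counts)

if __name__ == "__main__":
    serve()
```

Run sources(open("udp-received.log")) after a day of collection to see which sources account for the port 0 probes.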


Next steps

TODO: