Using Nmap Effectively

Posted: December 1, 2011 in Guides

A very good friend of mine wrote an article on his blog today about the anatomy of ownage; well, not really, the title was actually Hacking Introduction, and it was a wonderful read. He’s embarking on a difficult journey and seeking a very illustrious certification in the Information Security industry. You should definitely read his article (and the rest of his blog, for that matter) if you are interested in learning along with him. In the spirit of his article (hopefully I’m not stepping on his toes) I want to discuss one of the most vital tools used to profile a network, or a service on the network. That tool is nmap — yeah, I know you know how to use it, you just fire up one of these…

nmap -v -A

And you’re ready to roll, right? Well — no, not really. Nmap, like Wireshark, is one of those tools that gets thrown around the Ubuntu community a lot, and truthfully many people really don’t know how to use either of them effectively. This is a late night Wednesday post, so this by no means is going to be a comprehensive guide to nmap, which is probably one of the best security auditing tools available. I’ve seen entire 500+ page manuals written on using nmap that don’t cover all the nifty stuff you can do with it. However, I’m going to toss out a few tips that I like to use to profile systems, services and networks more effectively.

Note : I’m lazy; I didn’t have an Ubuntu system handy, so I’m using a BackTrack 5 install here because it had nmap. All of this will work just fine on Ubuntu using a standard version of nmap; you may, however, have to prepend sudo to some of these commands for them to work properly.

Another Note : For this entire guide I will be using the network — just so you know for a frame of reference.

Network Discovery

The first tip I want to discuss is a quick way to get a good picture of what is running on a network without making the IDS/IPS go crazy and without taking a million years to do it. There are two quick ways I like to do this; they are especially effective when scanning a larger network, as a scan can take hours if you get too tricky with your options (that -A option that everyone likes to throw on there). It’s important to understand that these two methods aren’t going to give you a whole lot of information about the network — they are, however, going to tell you what hosts are up, and one of them will give you a rough guesstimate of what services are running on the network.

The Ping Sweep

This is fast, very fast. It doesn’t give you much information other than whether a host is up or not, but it is a great way to start determining the network structure and laying out the pieces of where everything goes. If you’re trying this on your home network like I am, you may find that a lot of firewalls will eat this scan alive, because it uses an ICMP echo request to determine whether the host is alive. This is obviously not the most conclusive method, but as I said, on a normal network (one that isn’t blocking echo requests) it should give you a decent idea of where what is.

This scan is performed by doing the following.

nmap -sP

As you can see, this doesn’t give us much information as to what the hosts are running. However, I told you it was fast 😉

Fast Connect Scan

This scan uses the TCP connect() method. Basically, that means it will attempt to complete a valid TCP handshake with a service, so the connection is like any other connection that is created legitimately. This scan is not as fast as the TCP SYN scan that we will talk about in a little bit; however, it is often very useful for fast profiling that can bypass IDS/IPS and SPI firewalls. It is important to note here, however, that since a full connection is created, this scan may appear in the log files of the scanned machine.

This scan is invoked as such.

nmap -sT

Fast SYN Scan

Alternatively we can do a SYN scan, also known as half-open scanning, meaning the handshake is never completed. Because the subsequent TCP RST packet that nmap sends must be forged, this requires privileged access, so it will be run with the sudo command. This scan can and will often get shot down by firewalls; however, it is VERY quiet in logs. An SPI firewall, however, WILL slow this scan down considerably. Also important to note is that this will not identify services running on UDP ports.

This scan is invoked as such.

sudo nmap -sS

Profiling a System or Device

Now that we have a good idea of the layout of our network, and we see that we have a variety of interesting services to investigate, let’s look at some options we have for profiling an individual system. As we can see from our initial scans, looks like it has a lot going on (bonus points if you can tell me what the VM is ;-)). So let’s take a look at that system.

Obtaining Versioning Information

This is probably one of the most useful features in nmap: it can give you a quick and rather accurate portrait of what versions of a service or piece of software a system is running, with little to no information ending up in the system’s log files. For this we’re going to compound our SYN scan with nmap’s version detection.

This scan will be invoked as such.

sudo nmap -T4 -v -sS -sV

Note : I did some interesting stuff here. -sS is our SYN scan, -sV is our service (version) scan, the -v option increases the verbosity of our output, and -T4 increases our timing from the default of 3, which speeds up the scan. Alternatively you can slow down the scan with -T2; 1 is the slowest and 5 is breakneck fast.

As you can see, we’ve obtained quite a bit of information about this system from this scan, and there are a number of vulnerable services. By the way, the bonus points go to whoever said Metasploitable 😛
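Putting the discovery sweep and the version scan above together into one staged run, as an added example that is not from the original post: the sweep is written in nmap’s greppable output format (-oG, an nmap option the post itself does not use), only the hosts that answered are kept, and the -T4 -v -sS -sV scan is then run against those hosts alone, so the slower scan never touches dead addresses. The greppable sweep output embedded below is constructed sample data, and the real run is only attempted when RUN_SCAN=yes and nmap is installed.

```shell
#!/bin/sh
# Added example, not from the original post: stage the sweep and the version scan
# so the slow -sS -sV pass only runs against hosts the fast ping sweep saw as up.
# -oG is nmap's greppable output; one "Host: <ip> (<name>)  Status: Up" per live host.

# Constructed sample of a greppable -sP sweep (stands in for a real run).
SAMPLE_SWEEP='# Nmap 5.51 scan initiated (constructed sample) as: nmap -sP -oG - 192.168.1.0/29
Host: 192.168.1.1 ()   Status: Up
Host: 192.168.1.3 ()   Status: Up
Host: 192.168.1.4 ()   Status: Down
Host: 192.168.1.6 ()   Status: Up
# Nmap done (constructed sample) -- 8 IP addresses (3 hosts up) scanned'

# Read greppable output on stdin and print the IP of every host reported as Up.
# Fields are whitespace separated, so the tab nmap uses and plain spaces both work.
up_hosts() {
    awk '$1 == "Host:" && $NF == "Up" { print $2 }'
}

# Join stdin lines into one space-separated word list (no trailing space).
join_lines() {
    tr '\n' ' ' | sed 's/ $//'
}

# Compose the follow-up command: the -T4 -v -sS -sV combination from the post,
# any extra options given after the host list (e.g. -O), then the hosts.
followup_cmd() {
    hosts="$1"; shift
    cmd="nmap -T4 -v -sS -sV"
    [ $# -gt 0 ] && cmd="$cmd $*"
    echo "$cmd $hosts"
}

if [ "${RUN_SCAN:-no}" = "yes" ] && command -v nmap >/dev/null 2>&1; then
    # Live run against the network given in $1: sweep first, then scan only live hosts.
    live=$(sudo nmap -sP -oG - "$1" | up_hosts | join_lines)
    # Unquoted on purpose so the composed command line is split into words.
    sudo $(followup_cmd "$live")
else
    live=$(printf '%s\n' "$SAMPLE_SWEEP" | up_hosts | join_lines)
    echo "Live hosts from sample sweep: $live"
    echo "Would run: $(followup_cmd "$live")"
fi
```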

Obtaining Operating System Information

OS fingerprinting is another valuable function that nmap provides — we’ll take the same scan and add a little bit to it. To perform this type of scan we’ll do the following.

sudo nmap -T4 -v -sS -sV -O

Note : If this fails on your target system you may wish to set the no ping option (-PN).

As you can see, this time we’re given a little bit more information about our target’s operating environment. We know it’s running some version of Linux 2.6.x — this can be useful.

Profiling an Individual Service

Now that we’ve gotten a good picture of our overall system let’s take a look at an individual service on the system.

The Nmap Scripting Engine

If you noticed in the previous screen captures, nmap was saying it loaded 9 scripts for scanning. Nmap has an extremely powerful scripting engine that allows us to create Lua scripts and use it to scan for pretty much anything we’d like (these are stored in /usr/local/share/nmap/scripts). So let’s use the nmap scripting engine to take a better look at Samba and see what’s going on there, since it looks like it might be in a default configuration.

This scan will be invoked as such.

sudo nmap -T4 -v -sS -sV -O --script smb-enum-users,smb-enum-shares

As you can see, the power of NSE is amazing: we’re presented with a list of the corresponding users and shares for the Samba service. There are many useful scripts that come pre-loaded with nmap; check them out for yourself. It is also extremely easy to write your own Lua scripts to scan for anything you want to.

Profiling a Hardened Target

Occasionally sysadmins will try to be a little bit clever and try to throw together some nifty iptables rules to delay, slow down or otherwise confuse nmap. It will usually look something like this.

This is a rate limit. If we see this in place we know that there is a firewall, and we know that this report may or may not be accurate. At this stage of the game, we know we need to do two things — one, we need to switch our method from half-open scanning, because the firewall in place is chewing it up, and two, we need to slow down our scan a LOT while still keeping it meaningful. This is where we can use a little bit of common sense: we know that this has a proxy and a webserver running on it. So maybe there is an ssh service as well? Let’s see.

We will try something like this.

sudo nmap -sT -PN -sV -v -T1 -p 22

And as you can see we cut right through the smoke and mirrors and got our SSH versioning information in a matter of seconds.

Hopefully this was enjoyable and you learned a little bit about one of the greatest vulnerability scanning tools around. Oh, and if you’re wondering how ANY of this was different from using nmap -T4 -v -A, which is ever so popular — remember you want to make as LITTLE noise as possible. Note that -A basically just runs all scanning options, including all the NSE scripts nmap has access to — this is usually unnecessary.

  1. haqking says:

    Sweet article, thanks for the referral. I will definitely be covering Nmap so this article will be of use and I will likely link to it. I also highly recommend Fyodor’s “NMAP Network Scanning” which I will be clinging onto for dear life right up until the CREST adjudicator removes it from my clutches….LOL

  2. Carlos says:

    Hey Adam, I got two desktop machines today and I was thinking about turning one into a home server with Ubuntu and the other one into a pentest machine with BackTrack.

    PS: nice post 🙂

    • dangertux says:

      Cool — that sounds like a fun project. IMO just set up the BT machine with VirtualBox and virtualize all your victims — just my two cents.

      Thanks for the compliment on the post 🙂

      • Carlos says:

        Thanks for the tip, Adam. So I should just set up another Ubuntu server and run VirtualBox from the command line? Sounds fun 🙂

  3. dangertux says:

    Okay if you’re going to run your virtual systems off of a server base, I would just use Xen Hypervisor, or install Xen over Ubuntu server and virtualize the target machines. Just my opinion. VirtualBox is more of a desktop thing.
