17 February 2014

Using NMap to enumerate network devices

1. Some background info
NMap is a free utility for network discovery and security auditing. Initially designed as a better replacement for ping, it has grown into a full-fledged network auditing framework which can discover devices, what services and OS versions are running, what firewalls/IDS/IPS are in place and even conduct exploitations or DoS attacks thanks to its flexible scripting engine. More about NMap and what it can do here.

2. The task
We will use various NMap scan techniques to discover targets in our network, what ports they have open and what services are listening on those ports.

3. Requirements
- a laptop/PC running NMap. You can get NMap here for whatever platform you are running. Alternatively you can use a pentest distribution like Kali.
- a target. You can use another computer from your network or a virtual machine. I use Metasploitable. You can get it and find out more about it here. I advise you to get it as we're going to use it as a target for future lessons.
Please ensure you have permission to scan the target. While port scanning by itself is not illegal in most countries, it can be annoying and even dangerous (services on the target could crash because of it). Also, some ISPs don't take kindly to it, so you might end up losing your internet subscription.
My advice: use a virtual machine.

4. Let's begin
Open a command prompt/terminal and execute


You will get a list of the various arguments NMap can be run with. NMap has a GUI as well but today we're going to use the command prompt. You can scan a range of IPs using this command:


The command above will scan all IPs from to There are many other options for IP ranges. Let's say we found a live target at By default, when we only pass a target/range of targets NMap sends an ICMP echo request, a TCP SYN packet on port 443, a TCP ACK packet on port 80 and an ICMP timestamp request. We can use arguments to change this.
The following command only sends a TCP ACK packet to port 80, skipping the ping (host discovery) step:

nmap -p80 -sA -Pn

This is a much quieter scan, but a packet sniffer/IDS/IPS on the target can still see our attempt. Fortunately NMap allows us to spoof our IP address. The following command uses fragmentation to evade IDS/IPS and IP spoofing to make it look as if someone else was doing the scan (note that any replies then go to the spoofed address, not to us):

nmap -p80 -sA -Pn -f -S -e eth0

The command makes it look as if was doing the scan. There is also another way. It's called Idle scan or zombie scan. For this approach we need another live device in the network which is idle and has an open port. The following command uses which has port 2869 open to scan port 80 on target

nmap -p80 -Pn -sI

NMap can do more than just scanning ports. The next command will try to discover what OS is running on the target:

nmap -O -Pn

For the OS scan to be reliable, the target needs to have at least one open port and one closed port.
NMap has a lot more to offer. We barely scratched the surface. You can begin by studying and doing the examples from the NMap Reference Guide.
A great book to have related to NMap is Nmap 6: Network Exploration and Security Auditing Cookbook.
A good idea is to set up Wireshark on your target so you can see what each scan that you do looks like and what it does. You can get some sample captures I made from here.

5. Alternatives
The hping utility is a good alternative. It comes with a lot of features and, just like NMap, you can extend its functionality through Tcl scripts (NMap uses a flavour of Lua).

6. How to defend
You can't prevent port scanning, but then again port scanning by itself is not dangerous. What you can do is limit the information a port scanner like NMap can get from you. Always use a firewall and never open ports unless you really need them. You can also configure an IPS/IDS and monitor the activity, though I haven't found one that works easily out of the box for personal use. You can also have Wireshark set up for intrusion detection.
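To put the Wireshark idea into practice, here is an added example in Python (not from the original post): it runs over a few constructed packet records, shaped like a simplified capture export, and flags the default NMap host-discovery burst described in section 4 (ICMP echo request, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp request from one source within a short window), bare ACK probes with no preceding SYN, and fragmented TCP segments. The record layout, the 2-second window and the 192.0.2.x addresses are assumptions.

```python
from collections import defaultdict

WINDOW = 2.0  # seconds between first and last probe of one burst (assumption)

# Constructed sample records, not a real capture:
# (time_s, src, dst, proto, dport, flags, fragmented)
PACKETS = [
    (0.00, "192.0.2.10", "192.0.2.50", "icmp", None, "echo-request", False),
    (0.01, "192.0.2.10", "192.0.2.50", "tcp", 443, "S", False),
    (0.01, "192.0.2.10", "192.0.2.50", "tcp", 80, "A", False),
    (0.02, "192.0.2.10", "192.0.2.50", "icmp", None, "timestamp-request", False),
    (5.00, "192.0.2.20", "192.0.2.50", "tcp", 80, "A", True),    # lone fragmented ACK
    (6.00, "192.0.2.30", "192.0.2.50", "tcp", 443, "S", False),  # ordinary handshake
    (6.01, "192.0.2.30", "192.0.2.50", "tcp", 443, "A", False),
]

# The four probes NMap sends by default for host discovery (see section 4).
DISCOVERY = {("icmp", None, "echo-request"), ("tcp", 443, "S"),
             ("tcp", 80, "A"), ("icmp", None, "timestamp-request")}


def detect(packets, window=WINDOW):
    """Return a sorted list of (src, reason) findings."""
    findings = set()
    by_src = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        by_src[pkt[1]].append(pkt)
    for src, pkts in by_src.items():
        # 1. All four discovery probe types from one source inside `window`.
        for i, first in enumerate(pkts):
            burst = {(p[3], p[4], p[5]) for p in pkts[i:] if p[0] - first[0] <= window}
            if DISCOVERY <= burst:
                findings.add((src, "nmap default host discovery"))
                break
        # 2. A TCP ACK to a socket this source never sent a SYN to: an ACK
        #    scan skips the handshake, so the ACK arrives unsolicited.
        syns = set()
        for _, _, dst, proto, dport, flags, frag in pkts:
            if proto != "tcp":
                continue
            if flags == "S":
                syns.add((dst, dport))
            elif flags == "A" and (dst, dport) not in syns:
                findings.add((src, f"unsolicited ACK to {dst}:{dport}"))
            # 3. Fragmented TCP headers are rare in normal traffic.
            if frag:
                findings.add((src, "fragmented TCP segment"))
    return sorted(findings)
```

On the sample records, 192.0.2.10 is reported for the discovery burst (and for its bare ACK to port 80), 192.0.2.20 for an unsolicited fragmented ACK, and the ordinary handshake from 192.0.2.30 produces no finding.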

7. What's next?
We now have a target. We know some basic info about it like what ports are open, what services are using those ports and the OS. It is time to find a weakness and exploit it and that's what we'll do next time.

06 February 2014

New tools of the trade - Kali pentest distribution

After encountering some issues configuring and running Metasploit framework on BackTrack 5 R3 in a virtual machine, I have decided to finally make the switch to Kali.

So far, the decision has been a good one. Kali runs fine both in a virtual machine and as a live USB stick. The interface is nice and sleek, if a bit too dark and lacking any colors. But it's customizable, so it's not a real issue.
I also like the new "Start" menu and how applications are arranged. It's easier to navigate than BackTrack.

The Top 10 Security Tools section is also a nice addition; it lists the best tools you can use, like the Metasploit framework for all your exploitation needs, Aircrack-ng for testing and penetrating wireless networks, Wireshark for analyzing network traffic, Nmap for discovering targets and their weak spots, and some others just as useful.

Everything runs well, without unexpected errors or other anomalies. Installation is very straightforward, has an intuitive GUI and provides all sorts of neat options (like encrypting the drive).

You can get Kali and read more about it here.