17 February 2014

Using NMap to enumerate network devices

1. Some background info
NMap is a free utility for network discovery and security auditing. Initially designed as better replacement to ping, it has grown into a full-fledged network auditing framework which can discover devices, what services and OS versions are running, what firewalls/IDS/IPS are in place and even conduct exploitations or DoS attacks thanks to its flexible scripting engine. More about NMap and what it can do here.

2. The task
We will use various NMap scan techniques to discover targets in our network, what ports they have open and what services are listening on those ports.

3. Requirements
- a laptop/PC running NMap. You can get NMap here for whatever platform you are running. Alternatively you can use a pentest distribution like Kali.
- a target. You can use another computer from your network or a virtual machine. I use Metasploitable. You can get and find more about it here. I advise you to get it as we're going to use it as a target for future lessons.
Please ensure you have permission to scan the target. While port scanning by itself is not illegal in most countries it can be annoying and even dangerous (services on target could crash because of it). Also some ISPs don't take kindly to it so you might end up losing your internet subscription.
My advice: use a virtual machine.

4. Let's begin
Open a command prompt/terminal and execute

nmap

You will get a list of the various arguments NMap can be run with. NMap has a GUI as well but today we're going to use the command prompt. You can scan a range of IPs using this command:

  nmap 192.168.100.1-200

The command above will scan all IPs from 192.168.100.1 to 192.168.100.200. There are many other options for IP ranges. Let's say we found a live target at 192.168.100.102. By default, when we only pass a target/range of targets NMap sends an ICMP echo request, a TCP SYN packet on port 443, a TCP ACK packet on port 80 and an ICMP timestamp request. We can use arguments to change this.
The following command only sends a TCP ACK packet to port 80 skipping ping.

nmap -p80 -sA -Pn 192.168.100.102

This is a much quieter scan but a packet sniffer/IDS/IPS on the target can see our attempt. Fortunately NMap allows us to spoof our IP address. The following command uses fragmentation to evade IDS/IPS and IP spoofing to make it look as if someone else was doing the scan:

nmap -p80 -sA -Pn -f -S 192.168.100.101 -e eth0 192.168.100.102

The command makes it look as if 192.168.100.101 was doing the scan. There is also another way. It's called Idle scan or zombie scan. For this approach we need another live device in the network which is idle and has an open port. The following command uses 192.168.100.101 which has port 2869 open to scan port 80 on target 192.168.100.102:

nmap -p80 -Pn -sI 192.168.100.101:2869 192.168.100.102

NMap can do more than just scanning ports. The next command will try to discover what OS is running on the target:

nmap -O -Pn 192.168.100.102

For OS scan to be reliable the target needs to have at least one open port and one closed port.
NMap has a lot more to offer. We barely scratched the surface. You can begin by studying and doing the examples from NMap Reference Guide.
A great book to have related to NMap is Nmap 6: Network exploration and security auditing Cookbook.
A good idea is to setup Wireshark on your target so you can see how each scan that you do looks like and what it does. You can get some sample captures I made from here.

5. Alternatives
Hping utility is a good alternative. It comes with a lot of features and, just like NMap, you can extend functionality through TCL scripts (NMap uses a flavour of Lua).

6. How to defend
You can't prevent port scanning but then again port scanning by itself is not dangerous. What you can do is limit the information a port scanner like NMap can get from you. Always use a firewall and never open ports unless you really need them to. You can also configure an IPS/IDS and monitor the activity though I haven't found one to get to work easily out of the box for personal use. You can also have Wireshark setup for intrusion detection.

7. What's next?
We now have a target. We know some basic info about it like what ports are open, what services are using those ports and the OS. It is time to find a weakness and exploit it and that's what we'll do next time.

No comments:

Post a Comment

Commenting is a privilege, not a right. Use it wisely.