NMAP

Ana Chanaba
Robert Huylo
nmap “network mapper”
• Security tool
- What does your system look like to someone who is trying to break in?
- Find the holes in your security before somebody else does
• nmapFE v3.81
- graphical frontend to nmap
- rpm available at www.insecure.org/nmap
- lab102 & lab103
Basic nmap functions
1.) Host Discovery
- Which hosts are up (IP addresses)
- Ping scans
2.) Port Scanning
- Which ports of a target host have servers listening on them
- Allows a guess of the software and services a machine is running
3.) OS Detection
- TCP/IP fingerprinting
Anatomy of nmap argument
nmap -sS -PO -O -p 1-1024 134.198.161.*

-s_ : Scan type
-P_ : Ping type
-O : Optional OS detection
-p #-# : port range
IP range: 134.198.161.*, 134.198.161.0/24, 134.198.161.1-254
1.) Host Discovery
• Determine which hosts are up
- Does not include port scans or OS detection
nmap -sP 134.198.161.*
- Utilizes a variety of messaging protocols: ICMP/TCP/UDP
• Firewall interference
- Firewalls check to see if packets are part of a previously established connection
• Used before a port scan
- Ping sweep (-sP)
- Check to see if a host is up before scanning its ports
Customizing Pings
-PO : ICMP
-PA : TCP ACK
-PU : UDP
-PP : ICMP timestamp
-PM : Netmask request
-PS : TCP SYN
-PB : (default) TCP ACK & ICMP

Ping specific ports:
nmap -sP -PO25 ….
2.) Port Scanning
• Insight into what services a host may be running
• “Well-known” or “interesting” ports
- 1-1024
- 65,535 total TCP & UDP ports
• Scan displays (for each port):
- Service name
- Port number
- Port state
- Protocol
Scanning Options
• nmap -sS …
- TCP SYN scan
- default port scan for an nmap user with root privileges
- “half-open”: skips the last step of the 3-way handshake and probes without an actual connection, for stealth
• nmap -sT …
- TCP connect() scan
- default port scan for a non-root nmap user
- requires a full connection, so it is easily detectable
Port States
• open: will accept connections
• filtered: firewall or other network obstacle is covering the port
• unfiltered or closed: determined to be closed with no obstacles or interference
- most common case
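An added example (not from the slides and not nmap's own code) that replays the decision rules nmap applies to each probe reply for the SYN scan (-sS) and the ACK scan (-sA), so the open/closed/filtered/unfiltered states on this slide can be seen being derived; the replies are constructed, not captured from a real host.

```python
"""Port-state decisions behind the SYN (-sS) and ACK (-sA) scans.

Added example, not code from the slides or from nmap. Each probe reply is
modelled as None (no answer), the string 'icmp-unreach' (an ICMP
destination-unreachable from a router or firewall), or an int of TCP
header flag bits. The rules are the ones the slides describe: SYN/ACK
means open, RST means closed, silence means something filtered it."""
from collections import Counter

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10   # TCP header flag bits

def syn_scan_state(reply):
    """State of one port after a single SYN probe (-sS)."""
    if reply is None or reply == "icmp-unreach":
        return "filtered"        # probe or reply dropped, or administratively blocked
    if reply & TCP_RST:
        return "closed"          # host answered: nothing listening on that port
    if reply & TCP_SYN and reply & TCP_ACK:
        return "open"            # listener replied; scanner sends RST, never the final ACK
    return "filtered"            # anything else is treated as filtered

def ack_scan_state(reply):
    """State after an ACK probe (-sA). ACK probes never find 'open'; they
    only tell whether a stateful firewall is in the path (slide: firewalls
    check whether packets belong to an established connection)."""
    if reply is None or reply == "icmp-unreach":
        return "filtered"        # stateful firewall dropped the unsolicited ACK
    if reply & TCP_RST:
        return "unfiltered"      # reached the host; open vs. closed is unknown
    return "filtered"

def scan_report(replies, classify):
    """replies: {port: reply}. Returns sorted (port, state) rows and a tally."""
    rows = [(port, classify(reply)) for port, reply in sorted(replies.items())]
    return rows, Counter(state for _, state in rows)

# Constructed replies, as a SYN scan of a few well-known ports might see them.
SAMPLE = {22: TCP_SYN | TCP_ACK, 25: TCP_RST, 80: TCP_SYN | TCP_ACK,
          135: None, 443: "icmp-unreach"}

if __name__ == "__main__":
    rows, tally = scan_report(SAMPLE, syn_scan_state)
    for port, state in rows:
        print(f"{port}/tcp {state}")
    print(dict(tally))   # {'open': 2, 'closed': 1, 'filtered': 2}
```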
Scanning Options
• Options that avoid SYN scanning, to probe beyond a firewall:
-sF : Stealth FIN scan
-sX : Xmas tree scan
-sN : Null scan
-sV : Version detection
-sU : UDP scan
-sI : Idlescan
-sA : ACK scan
-b : bounce attack (FTP)
3.) OS Detection
• nmap -O …
• TCP/IP fingerprinting
• OS guess made by looking at the particulars of how a host implements TCP/IP
- Includes a possible range of versions and an “uptime” test
• Fingerprint compared to a DB of known OS fingerprints
• Nmap sends seven crafted TCP/IP packets (called tests) and waits for the answers. Results are checked against a database of known results (the OS signatures database).
• This database is a text file that contains the result (signature) answered by each known OS.
OS Detection
Reasons to hide the OS
• Security: a hacker could base an attack on a host on known weaknesses in the target OS
• Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
• Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS.
• It could be convenient for other software companies wanting to offer you a new OS environment.
OS Detection
• There are many techniques to fingerprint networking stacks. If you combine enough of these, you can narrow down the OS very tightly.
• You can start out as simply as "nmap -O -sS targethost".
OS Detection
• -O requires root privileges. nmap uses the probe results to create a fingerprint and decide what type of system you are scanning.
• OS detection is far more effective if at least one open and one closed TCP port are found.
Miscellaneous options
• -A turns on OS detection too.
• -F tells nmap to scan only the ports registered in nmap-services.
• -T4 causes nmap to go faster.
• -I gives the username that owns available processes.
• -iR instructs nmap to scan random hosts for you.
Misc. Options
-v : verbose. This is a highly recommended option and it gives out more information. You can use it twice for better effect.
-d : debug mode
-p : port range, what ports you want to specify
-T : scan timing or throttling options <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
- Addresses concerns about detection and crashing the host
OS DETECTION
• nmap -O 134.198.161.254
• nmap -A -T4 -F 134.198.161.101
• nmap -A -T4 134.198.161.101
• RPC services are treated with brute force: the RPC scanner determines the version.
• nmap -sS -p 80 -O -v 134.198.161.254
References
• nmap & nmapFE man pages
• www.insecure.org
• Text Chp 21.7
• www.linux.org