Post on 08-Nov-2014
© 2007 Professor Messer, LLC
Audio Dial-In Information: http://www.professormesser.com/webinar/info.html
http://www.ProfessorMesser.com
Introduction to Nmap
The voice portion of our conference is NOT available through this web front-end!
(ah, modern technology)
The Conference ID for all voice dial-in lines is: 5769010
United States: 1-605-475-8590
Anywhere in the World: Free Skype (No SkypeOut minutes required): +990008275769010
For more information about this conference call and other international dial-in lines, visit:
http://www.professormesser.com/webinar/info.html
Introduction to Nmap
James “Professor” Messer
James@ProfessorMesser.com
http://www.ProfessorMesser.com
Some of what you’ll learn today
What really happens when you run an Nmap scan?
Using Nmap across multiple operating system environments
How to see what the bad guys see
The details of Nmap’s output
Three useful Nmap scan methods
An overview of Nmap best practices
Housekeeping
Webinar replay (video, audio, transcript, and slides) will be made available to everyone who registered
Phones are muted. Ask questions at any time on the web; we’ll try interactive Q&A later.
Need online webinar or audio assistance? http://www.ProfessorMesser.com/webinar/info.html
Every link is located on our resources page: http://www.ProfessorMesser.com/resources
You might be a winner!
Tonight’s door prize: a copy of the new second edition of our ebook, “Secrets of Network Cartography: A Comprehensive Guide to Nmap”
Randomly chosen member of the web audience sometime in the first hour
You have to be on the web to win!
Don’t forget to sign-up for the Nmap Secrets mini-course!
http://www.NmapSecrets.com
Sponsored by: Secrets of Network Cartography
A Comprehensive Guide to Nmap: http://www.ProfessorMesser.com/nmapbook
Announcement: Nmap Training at CanSecWest
http://www.cansecwest.com/dojorecon.html
Network Reconnaissance with Nmap 4
Instructors: Fyodor and James “Professor” Messer
Dojo: April 16-17, 2007 (April 16 session is SOLD OUT)
Marriott Renaissance Harbourside, Vancouver, Canada
Duration: One Day Courses. Sessions begin at 10:00 a.m. and go to 6 p.m.
Registration Maximum: 10 Students per course session.
Price: CAD $1,800 Full day course (≈$1,550 USD). Price goes up at the door
Today’s Webinar Agenda
What is Nmap?
Nmap’s protocols
The four-step Nmap scanning process
Installing Nmap in Linux, Windows, and a Virtual Machine Live CD
Live Nmap scans of popular scanning methods
Basic reconnaissance scanning strategies
Q&A
What is Nmap?
Professor Messer Poll
How well do you know Nmap?
What is Nmap?
Nmap = Network Mapper
Written by Fyodor: http://insecure.org
Free!
Thousands of downloads every day
More than fifteen scanning techniques
Seven different ping types
Open source, constant development
WARNING!
Nmap can sometimes be an unintentional Denial-of-Service (DoS) tool
I break stuff all the time. But I really mean to.
The default settings very rarely cause any problems. These days. No, really.
Professor Messer Poll
Have you ever “broken” anything with Nmap?
Still using the defaults?
Secrets of Network Cartography: A Comprehensive Guide to Nmap
Nmap Quick Reference Guide
Know your Protocols
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
ICMP - Internet Control Message Protocol
It’s all about the ports!
Anatomy of a scan
Step 1: DNS Lookup
(unless you used an IP address)
Step 2: Nmap “pings” the remote device
This is NOT an ICMP echo request!
Step 3: Reverse DNS lookup
Didn’t we just do this?
Step 4: Do the scan!
Running a Scan
nmap -v -p 80 --randomize-hosts 192.168.0.*
-v = verbose
-p 80 = only port 80
--randomize-hosts = scan the target hosts in random order
192.168.0.* = IP range with a wildcard
CIDR blocks, hyphens, and commas are also
Nmap Port Dispositions
Nmap Port Dispositions - Open
Open port from TCP SYN Scan (-sS)
Source: 192.168.0.8 / Destination: 192.168.0.10
  SYN + Port 80 (source to destination)
  SYN / ACK (destination to source)
  RST (source to destination)
Nmap Port Dispositions - Closed
Closed port from TCP SYN Scan (-sS)
Source: 192.168.0.8 / Destination: 192.168.0.10
  SYN + Port 113 (source to destination)
  RST (destination to source)
Nmap Port Dispositions - Filtered
Filtered port from SYN Based Scan (-sS, -sT, etc.)
Source: 192.168.0.8 / Destination: 192.168.0.10
  SYN + Port 113 (source to destination)
  (no response)
Nmap Port Dispositions - Open|Filtered
Open|Filtered port from UDP Scan (-sU)
Source: 192.168.0.8 / Destination: 192.168.0.10
  UDP + Port 80 (source to destination)
  (no response)
Nmap Port Dispositions - Closed|Filtered
Closed|Filtered port from Idlescan (-sI)
Source: 192.168.0.8 / Destination: 192.168.0.5 / Zombie: 192.168.0.7
  SYN + Port 135, spoofed from 192.168.0.7 (source to destination)
  SYN/ACK (source probes the zombie)
  RST / IPID=1034 (zombie to source)
Nmap Port Dispositions – Unfiltered
Unfiltered port from ACK Scan (-sA)
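The reply-to-disposition rules drawn on the slides above, collected into one small classifier as an added example (not code from the webinar or from Nmap): given the reply a single probe got, it returns the state Nmap would report for a SYN, ACK, UDP or idle scan. The reply labels and function names are this example's own.

```python
# Added example: map probe replies to Nmap port dispositions (not Nmap's code).
# The reply labels below are this example's own names, not Nmap identifiers.
from typing import Optional

SYN_ACK = "SYN/ACK"
RST = "RST"
UDP_DATA = "UDP payload"
ICMP_PORT_UNREACH = "ICMP type 3 code 3"       # port unreachable
ICMP_OTHER_UNREACH = "ICMP type 3 other code"  # e.g. administratively prohibited
NO_REPLY: Optional[str] = None


def syn_scan_state(reply: Optional[str]) -> str:
    """-sS: SYN to the port; Nmap itself answers a SYN/ACK with a RST (the 'Open' slide)."""
    if reply == SYN_ACK:
        return "open"
    if reply == RST:
        return "closed"
    return "filtered"  # silence or an ICMP unreachable: something is in the way


def ack_scan_state(reply: Optional[str]) -> str:
    """-sA: an ACK probe can never show 'open'; it only separates filtered from unfiltered."""
    return "unfiltered" if reply == RST else "filtered"


def udp_scan_state(reply: Optional[str]) -> str:
    """-sU: most UDP services stay silent, so silence is ambiguous (open|filtered)."""
    if reply == ICMP_PORT_UNREACH:
        return "closed"
    if reply == ICMP_OTHER_UNREACH:
        return "filtered"
    if reply == NO_REPLY:
        return "open|filtered"
    return "open"  # a UDP reply came back, like 2001/udp in the slide output


def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """-sI: the scanner never hears from the target; it reads the zombie's IP ID before and
    after the spoofed SYN. The zombie sends one extra packet (a RST) only when the target
    answered it with SYN/ACK, so a step of 2 means open and a step of 1 means closed|filtered."""
    delta = ipid_after - ipid_before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"  # the zombie's IP ID is not incrementing predictably; result unusable


def classify(scan: str, reply: Optional[str]) -> str:
    """Dispatch by scan flag for the three reply-based scans."""
    table = {"-sS": syn_scan_state, "-sA": ack_scan_state, "-sU": udp_scan_state}
    return table[scan](reply)
```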
Installing Nmap
Professor Messer Poll
On which operating system(s) do you use Nmap?
Installing in Windows
Easy to install
Requires WinPcap library. Bundled with Nmap installer. More information at http://www.winpcap.org
Default directory: \Program Files\Nmap
Command line only. Want a graphical front end? Try UMIT:
http://sourceforge.net/projects/umit
Installing in Linux
Source, binaries and RPMs on insecure.org
For RPMs, get the nmap package. Get the nmap-frontend package for the GUI interface
Compile it! ./configure; make; make install
I often use yum: yum install nmap, then yum install nmap-frontend
Using a LiveCD Distribution
Useful and popular distributions:
BackTrack: http://www.remote-exploit.org/backtrack.html
Security Tools Distribution (STD): http://www.s-t-d.org/
Damn Small Linux (DSL): http://www.damnsmalllinux.org/
Linux Network Security Toolkit: http://www.networksecuritytoolkit.org/ (includes a VMware machine download)
Installation Summary
The OS doesn’t matter!
Have options. Got your LiveCD / LiveUSB / Virtual Machine?
Great installation guides at http://insecure.org/nmap/install/
Popular Nmap Scanning Methods
Professor Messer Poll
How often do you use Nmap?
Nmap Bread and Butter
TCP SYN Scan (-sS): It’s the default for a reason
TCP ACK Scan (-sA): Great for testing firewall configurations
UDP Scan (-sU): UDP is ports, too.
Pick a Scan, Any Scan
TCP SYN Scan
TCP SYN Scan - Closed Port
TCP SYN Scan - Open Port
You are the wind.
TCP SYN Scan Results
# nmap -sS -v 192.168.0.10
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:25 EDT
Initiating SYN Stealth Scan against 192.168.0.10 [1663 ports] at 12:25
Discovered open port 80/tcp on 192.168.0.10
Discovered open port 3389/tcp on 192.168.0.10
Discovered open port 3306/tcp on 192.168.0.10
Discovered open port 139/tcp on 192.168.0.10
Discovered open port 135/tcp on 192.168.0.10
Discovered open port 520/tcp on 192.168.0.10
Discovered open port 445/tcp on 192.168.0.10
The SYN Stealth Scan took 1.35s to scan 1663 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting ports on 192.168.0.10:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
520/tcp  open  efs
3306/tcp open  mysql
3389/tcp open  ms-term-serv
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 2.117 seconds
Raw packets sent: 1705 (68.2KB) | Rcvd: 1664 (76.5KB)
#
TCP ACK Scan (-sA)
The TCP ACK Scan will never find an open port
Results are either Filtered or Unfiltered
ACK Scan Output
# nmap -v -sA 68.46.234.161 -P0
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-24 10:40 EDT
Initiating ACK Scan against pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161) [1663 ports] at 10:40
ACK Scan Timing: About 9.02% done; ETC: 10:46 (0:05:03 remaining)
ACK Scan Timing: About 75.68% done; ETC: 10:42 (0:00:36 remaining)
The ACK Scan took 119.13s to scan 1663 total ports.
Host pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161) appears to be up ... good.
Interesting ports on pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE      SERVICE
6969/tcp UNfiltered acmsoda
Nmap finished: 1 IP address (1 host up) scanned in 119.271 seconds
Raw packets sent: 3328 (133KB) | Rcvd: 8 (368B)
#
UDP Scan (-sU)
Don’t forget about UDP!
Results are Closed, or Open|Filtered (almost never “open”)
UDP Scan Output
# nmap -sU -v 192.168.0.10
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:44 EDT
Initiating UDP Scan against 192.168.0.10 [1478 ports] at 12:44
Discovered open port 2001/udp on 192.168.0.10
The UDP Scan took 1.47s to scan 1478 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting ports on 192.168.0.10:
(The 1468 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1031/udp open|filtered iad2
1032/udp open|filtered iad3
1900/udp open|filtered UPnP
2001/udp open          wizard
4500/udp open|filtered sae-urn
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 2.241 seconds
Raw packets sent: 1489 (41.7KB) | Rcvd: 1470 (82.3KB)
#
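The three output listings above (SYN, ACK and UDP) share the same "Interesting ports" table layout. As an added example, not code from the webinar or from Nmap, here is a small parser for that layout plus a check that compares what a scan found against the ports you expect a host to expose; the sample text is constructed by abridging the SYN and UDP tables from the slides into one table, and the function names are this example's own.

```python
# Added example: parse Nmap "normal" output and flag exposure outside a baseline.
# Not Nmap's code. SAMPLE_OUTPUT is constructed from the SYN and UDP slide listings.
import re
from typing import Dict, List, Set, Tuple

SAMPLE_OUTPUT = """\
Interesting ports on 192.168.0.10:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
80/tcp   open          http
445/tcp  open          microsoft-ds
3306/tcp open          mysql
3389/tcp open          ms-term-serv
123/udp  open|filtered ntp
2001/udp open          wizard
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
"""

# One regex per line shape we care about; everything else in the output is ignored.
TARGET_LINE = re.compile(r"^Interesting ports on (.+?):$")
HIDDEN_LINE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\S+)\)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_normal_output(text: str) -> Dict:
    """Return the target, the per-port rows, and the (count, state) of ports Nmap folded away."""
    result: Dict = {"target": None, "ports": [], "hidden": None}
    for line in text.splitlines():
        m = TARGET_LINE.match(line)
        if m:
            result["target"] = m.group(1)
            continue
        m = HIDDEN_LINE.search(line)
        if m:
            result["hidden"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m:
            result["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
    return result


def unexpected_exposure(result: Dict, baseline: Set[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Rows that are open, or may be open (open|filtered), and are not in the expected baseline."""
    return [(p["port"], p["proto"], p["state"])
            for p in result["ports"]
            if p["state"].startswith("open") and (p["port"], p["proto"]) not in baseline]
```

Feeding the saved -oN file from a periodic scan through this check turns the listing into a drift alert: anything the host now answers on that is not in the baseline gets reported.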
Nmap Scanning Best Practices
Nmap Best Practices
Scanning
Start with the Ping Scan (-sP)
Pick the IP address range carefully
Consider excluding IP addresses: --exclude, --excludefile
Focus
Pick your ports (-p)
A faster scan (-F)
Misc
Save all scan logs (-oA)
Use the verbosity levels (-v, -vv, -vvv)
Timing policies are your friend (-T0 to -T5): Paranoid, Sneaky, Polite, Normal, Aggressive, Insane
Ebook Giveaway: Secrets of Network Cartography: A Comprehensive Guide to Nmap
- New Second Edition -
Q and A
Thanks for attending!
Resource page: http://www.ProfessorMesser.com/resources
Watch your inbox for information about the replay
Comments are always welcome: http://www.ProfessorMesser.com/contact_us
Post-webinar survey is moments away
Thank you for joining us!
http://www.ProfessorMesser.com