NMAP by Shrikant Antre & Shobhit Gautam

Date post: 15-May-2015
Upload: nu-the-open-security-community
Description: NMAP by Shrikant Antre & Shobhit Gautam @ null Pune Meet, August, 2010

Transcript
Page 1: NMAP by Shrikant Antre & Shobhit Gautam

NMAP SCANNING

A Project By:

Shrikant Antre

Shobhit Gautam


Page 2: NMAP by Shrikant Antre & Shobhit Gautam


INTRODUCTION TO PORT SCANNING

• Port scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised.

• A typical system has 2^16 - 1 port numbers, with one TCP port and one UDP port for each number.

• A potential target computer runs many 'services' that listen on 'well-known' 'ports'.

• By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited.

Page 3: NMAP by Shrikant Antre & Shobhit Gautam


NMAP

• Nmap is the most popular scanning tool used on the Internet.

• Created by Fyodor (http://www.insecure.org), it was featured in the Matrix Reloaded movie.

Page 4: NMAP by Shrikant Antre & Shobhit Gautam


TCP COMMUNICATION FLAGS

• Standard TCP communications are controlled by flags in the TCP packet header.

• The flags are as follows:

– Synchronize - also called "SYN"
• Used to initiate a connection between hosts.

– Acknowledgement - also called "ACK"
• Used in establishing a connection between hosts.

– Push - "PSH"
• Instructs the receiving system to send all buffered data immediately.

– Urgent - "URG"
• States that the data contained in the packet should be processed immediately.

– Finish - also called "FIN"
• Tells the remote system that there will be no more transmissions.

– Reset - also called "RST"
• Used to reset a connection.

Page 5: NMAP by Shrikant Antre & Shobhit Gautam


THREE WAY HANDSHAKE

Computer A                                          Computer B

192.168.10.2:2312 ------------syn-----------> 192.168.1.3:80
192.168.1.2:2312  <-----------syn/ack-------- 192.168.1.3:80
192.168.1.2:2312  ------------ack-----------> 192.168.1.3:80

Connection Established

• Computer A (192.168.1.2) initiates a connection to the server (192.168.1.3) via a packet with only the SYN flag set.

• The server replies with a packet with both the SYN and the ACK flags set.

• For the final step, the client responds to the server with a single ACK packet.

• If these three steps are completed without complication, then a TCP connection has been established between the client and server.

Page 6: NMAP by Shrikant Antre & Shobhit Gautam


NMAP SCANNING TECHNIQUE

• Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port; otherwise it is closed.

• One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed.

Page 7: NMAP by Shrikant Antre & Shobhit Gautam


NMAP SCANNING OPTIONS

• SYN Scanning

• Stealth Scan

• Xmas Scan

• FIN Scan

• NULL Scan

• IDLE Scan

• Fragmentation scanning

• ICMP echo scanning

Page 8: NMAP by Shrikant Antre & Shobhit Gautam


SYN SCANNING

• SYN scanning is a technique that is widely used across the Internet today.

• The SYN scan, also called the "half open" scan, is the ability to determine a port's state without making a full connection to the host.

• Many systems do not log the attempt, and discard it as a communications error.

Page 9: NMAP by Shrikant Antre & Shobhit Gautam


STEALTH SCAN

Computer A                                          Computer B

192.168.1.12:2722 ------------syn-----------> 192.168.1.23:80
192.168.1.12:2722 <-----------syn/ack-------- 192.168.1.23:80
192.168.1.12:2722 ------------RST-----------> 192.168.1.23:80

• The client sends a single SYN packet to the server on the appropriate port.

• If the port is open, then the server responds with a SYN/ACK packet.

• If the server responds with an RST packet, then the remote port is in state "closed".

• The client sends an RST packet to close the initiation before a connection can ever be established.

• This scan is also known as a "half-open" scan.

Page 10: NMAP by Shrikant Antre & Shobhit Gautam


XMAS SCAN

Computer A                                          Computer B

Xmas scan directed at open port:

192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

Xmas scan directed at closed port:

192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23
192.5.5.92:4031 <------------RST/ACK-------------- 192.5.5.110:23

• Note: the Xmas scan only works against operating systems whose TCP/IP implementation follows RFC 793.

• The Xmas scan will not work against any current version of Microsoft Windows.

• Xmas scans directed at any Microsoft system will show all ports on the host as being closed.

Page 11: NMAP by Shrikant Antre & Shobhit Gautam


FIN SCAN

Computer A                                          Computer B

FIN scan directed at open port:

192.5.5.92:2031 -----------FIN-------------------> 192.5.5.110:23
192.5.5.92:2031 <----------NO RESPONSE------------ 192.5.5.110:23

FIN scan directed at closed port:

192.5.5.92:2031 -----------FIN-------------------> 192.5.5.110:23
192.5.5.92:2031 <------------RST/ACK-------------- 192.5.5.110:23

• Note: the FIN scan only works against operating systems whose TCP/IP implementation follows RFC 793.

• The FIN scan will not work against any current version of Microsoft Windows.

• FIN scans directed at any Microsoft system will show all ports on the host as being closed.

Page 12: NMAP by Shrikant Antre & Shobhit Gautam


NULL SCAN

Computer A                                          Computer B

NULL scan directed at open port:

192.7.8.91:4231 -----------NO FLAGS SET----------> 192.6.7.110:23
192.7.8.91:4231 <----------NO RESPONSE------------ 192.6.7.110:23

NULL scan directed at closed port:

192.7.8.91:4231 -----------NO FLAGS SET----------> 192.6.7.110:23
192.7.8.91:4231 <------------RST/ACK-------------- 192.6.7.110:23

• Note: the NULL scan only works against operating systems whose TCP/IP implementation follows RFC 793.

• The NULL scan will not work against any current version of Microsoft Windows.

• NULL scans directed at any Microsoft system will show all ports on the host as being closed.
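The following Python is an added example and not part of the slides. It ties together the TCP flags slide, the half-open (SYN) exchange and the Xmas, FIN and NULL slides: it decodes the flags byte of a TCP header, labels the probe patterns the slides describe, models how a receiving stack answers each probe under the two behaviours the slides state (an RFC 793 stack stays silent when FIN/Xmas/NULL probes hit an open port and sends RST/ACK for a closed one; a Windows-style stack resets either way, so every port looks closed), and counts such probes per source over a few constructed firewall log lines. The log line layout, the `rfc793` switch and all addresses are assumptions made for the example.

```python
"""Added example, not from the slides: decode TCP header flags, label the probe
patterns the slides describe (SYN, FIN, Xmas, NULL), model how a receiving
stack answers each one, and count such probes per source in constructed
firewall log lines."""

import struct

# Bit positions of the six classic flags in byte 13 of the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

XMAS = frozenset({"FIN", "URG", "PSH"})
NULL = frozenset()


def decode_flags(flag_byte: int) -> frozenset:
    """Return the names of the flags set in a TCP flags byte."""
    return frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit)


def make_tcp_header(src_port: int, dst_port: int, flags, seq=0, ack=0, window=1024) -> bytes:
    """Pack a minimal 20-byte TCP header (no options, checksum left at zero)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length in 32-bit words, in the upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flag_byte, window, 0, 0)


def flags_from_header(tcp_header: bytes) -> frozenset:
    """Extract the flag set from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    return decode_flags(tcp_header[13])


def classify_probe(flags: frozenset) -> str:
    """Label an inbound segment by the flag combination the slides use."""
    if flags == NULL:
        return "NULL scan probe"
    if flags == {"FIN"}:
        return "FIN scan probe"
    if flags == XMAS:
        return "Xmas scan probe"
    if flags == {"SYN"}:
        return "SYN (half-open) probe"
    return "other"


def stack_reply(flags: frozenset, port_open: bool, rfc793: bool = True):
    """Reply flags a listening stack sends to a probe, or None for silence.
    rfc793=False models the Windows behaviour described on the slides (assumption)."""
    if flags == {"SYN"}:
        return frozenset({"SYN", "ACK"}) if port_open else frozenset({"RST"})
    if flags in (NULL, frozenset({"FIN"}), XMAS):
        if port_open and rfc793:
            return None  # RFC 793 behaviour: drop odd flags on an open port
        return frozenset({"RST", "ACK"})  # closed port, or Windows on any port
    return frozenset({"RST"})


def infer_state(probe: frozenset, reply) -> str:
    """Scanner-side inference from the reply, as described on the slides."""
    if probe == {"SYN"}:
        return "open" if reply == {"SYN", "ACK"} else "closed"
    # FIN, Xmas and NULL probes: silence means open (or filtered), RST/ACK means closed
    return "closed" if reply else "open|filtered"


# Constructed log lines for the detection helper; not real firewall output.
SAMPLE_LOG = [
    "SRC=192.5.5.92 DST=192.5.5.110 DPT=23 FLAGS=FIN,URG,PSH",
    "SRC=192.5.5.92 DST=192.5.5.110 DPT=25 FLAGS=FIN,URG,PSH",
    "SRC=192.7.8.91 DST=192.6.7.110 DPT=23 FLAGS=",
    "SRC=192.168.1.12 DST=192.168.1.23 DPT=80 FLAGS=SYN",
    "SRC=10.0.0.5 DST=192.168.1.23 DPT=80 FLAGS=ACK",
]


def detect_probes(lines) -> dict:
    """Count scan-style probes per source address; Xmas, NULL and lone FIN
    segments do not occur in normal traffic, so even a few are a strong signal."""
    counts = {}
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        flags = frozenset(f for f in fields.get("FLAGS", "").split(",") if f)
        label = classify_probe(flags)
        if label != "other":
            per_src = counts.setdefault(fields["SRC"], {})
            per_src[label] = per_src.get(label, 0) + 1
    return counts
```

Running `infer_state(XMAS, stack_reply(XMAS, True, rfc793=False))` returns "closed" even though the modelled port is open, which is the slides' point about Microsoft systems showing every port as closed; on the detection side, `detect_probes(SAMPLE_LOG)` attributes two Xmas probes to 192.5.5.92 and one NULL probe to 192.7.8.91 while ignoring the ordinary ACK segment.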

Page 13: NMAP by Shrikant Antre & Shobhit Gautam


IDLE SCAN

• A few years ago, security researcher 'Antirez' posted an innovative new TCP port scanning technique.

• Idle scan, as it has become known, allows for completely blind port scanning.

• Attackers can actually scan a target without sending a single packet to the target from their own IP address.

Page 14: NMAP by Shrikant Antre & Shobhit Gautam


IDLE SCAN: BASICS

• One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port.

• The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed.

• A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored.

• Every IP packet on the Internet has a "fragment identification" number.

• Many operating systems simply increment this number for every packet they send.

• So probing for this number can tell an attacker how many packets have been sent since the last probe.

Page 15: NMAP by Shrikant Antre & Shobhit Gautam


IDLE SCAN: STEP 1

Choose a "zombie" and probe for its current IPID number.

Page 16: NMAP by Shrikant Antre & Shobhit Gautam


IDLE SCAN: STEP 2

Send forged packet "from" Zombie to target.

Page 17: NMAP by Shrikant Antre & Shobhit Gautam


IDLE SCAN: STEP 3

Probe Zombie IPID again
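The IPID arithmetic behind steps 1 to 3, as an added Python example that is not part of the slides. It follows the "IDLE SCAN: BASICS" slide: an open target port makes the target send SYN|ACK to the zombie, the zombie answers with RST and spends one IPID, and the zombie's reply to the step 3 probe spends another, so the scanner sees a delta of 2; a closed port makes the target send RST, which the zombie ignores, so only the probe reply counts and the delta is 1. The zombie is a constructed model (`SequentialZombie`), the 16-bit wrap-around of the identification field is handled, and `is_sequential_zombie` checks the per-packet increment property that both the technique and any monitoring of a host for zombie suitability depend on; function names are assumptions of the example.

```python
"""Added example, not from the slides: IPID arithmetic for idle scan steps 1 to 3,
run against a constructed model of an idle zombie host."""

IPID_MODULUS = 65536  # the IP identification field is 16 bits wide


def ipid_delta(before: int, after: int) -> int:
    """Number of packets the zombie sent between two observations, allowing wrap."""
    return (after - before) % IPID_MODULUS


def infer_port_state(ipid_before: int, ipid_after: int) -> str:
    """Map the observed IPID delta to the target port state."""
    delta = ipid_delta(ipid_before, ipid_after)
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown (zombie busy or IPID not sequential)"


def is_sequential_zombie(samples) -> bool:
    """True when consecutive probe replies show the IPID rising by exactly 1,
    i.e. the host is idle and its stack increments the counter per packet."""
    samples = list(samples)
    return len(samples) >= 2 and all(
        ipid_delta(a, b) == 1 for a, b in zip(samples, samples[1:]))


class SequentialZombie:
    """Constructed model of an idle host whose IPID increments on every packet it sends."""

    def __init__(self, start: int):
        self.ipid = start % IPID_MODULUS

    def send(self) -> int:
        """Send one packet and return the IPID it carried."""
        self.ipid = (self.ipid + 1) % IPID_MODULUS
        return self.ipid


def target_reacts(zombie: SequentialZombie, port_open: bool) -> None:
    """Target handles the forged SYN: an open port replies SYN|ACK to the zombie,
    which resets (one packet sent); a closed port replies RST, which is ignored."""
    if port_open:
        zombie.send()


def idle_scan_port(zombie: SequentialZombie, port_open: bool) -> str:
    """Run the three slide steps against the model and return the inferred state."""
    before = zombie.send()            # step 1: probe the zombie, read its IPID
    target_reacts(zombie, port_open)  # step 2: forged SYN from the zombie to the target
    after = zombie.send()             # step 3: probe the zombie again
    return infer_port_state(before, after)
```

Starting the model at 65534 exercises the wrap: the step 1 reply carries 65535, the open-port RST carries 0 and the step 3 reply carries 1, and `ipid_delta` still reports 2. A host whose samples are not strictly sequential (randomised or per-destination IPIDs, or simply busy) returns "unknown", which is exactly why the technique needs a truly idle zombie.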

Page 18: NMAP by Shrikant Antre & Shobhit Gautam


FRAGMENTATION SCANNING

• Instead of just sending the probe packet, you break it into a couple of small IP fragments.

• You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing.

• The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.

Page 19: NMAP by Shrikant Antre & Shobhit Gautam


ICMP ECHO SCANNING

• This isn't really port scanning, since ICMP doesn't have a port abstraction.

• But it is sometimes useful to determine what hosts in a network are up by pinging them all.

• nmap -P

Page 20: NMAP by Shrikant Antre & Shobhit Gautam


PING DETECTION

-P0 (don't ping)

-PT (TCP ping)

-PS (SYN ping)

-PI (ICMP ping)

-PB (= PT + PI)

-PP (ICMP timestamp)

-PM (ICMP netmask)

Page 21: NMAP by Shrikant Antre & Shobhit Gautam


OUTPUT FORMAT

-oN(ormal)

-oX(ml)

-oG(repable)

-oA(ll)
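A parser for the grepable (-oG) format listed above, as an added Python example that is not from the slides or from the Nmap project. Each host line of that format is a tab-separated list of "Key: value" fields, and the Ports field is a comma-separated list of port/state/protocol/owner/service/rpc info/version entries; the sample text below is constructed for the example, not real scan output, and the helper names are assumptions.

```python
"""Added example, not from the slides: parse Nmap grepable (-oG) output into a
per-host structure and pull out the open ports."""

# Constructed sample in the grepable layout; not output from a real scan.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -oG - 192.168.1.3 192.168.1.23
Host: 192.168.1.3 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 23/closed/tcp//telnet///\tIgnored State: filtered (997)
Host: 192.168.1.23 ()\tStatus: Down
# Nmap done (constructed sample)
"""


def parse_host_line(line: str) -> dict:
    """Split one 'Host: ...' line into its tab-separated 'Key: value' fields."""
    fields = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, _, value = chunk.partition(": ")
        fields[key] = value
    return fields


def parse_ports_field(value: str) -> list:
    """Parse the Ports field: port/state/protocol/owner/service/rpc info/version entries."""
    ports = []
    for entry in value.split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            continue  # malformed entry; skip rather than guess
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        ports.append({"port": int(port), "state": state, "proto": proto,
                      "service": service, "version": version})
    return ports


def parse_gnmap(text: str) -> dict:
    """Return {ip: {"status": ..., "ports": [...]}} for every host line in the output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines ('# Nmap ...') carry no host data
        fields = parse_host_line(line)
        ip = fields["Host"].split(" ", 1)[0]  # drop the '(hostname)' part
        record = hosts.setdefault(ip, {"status": "unknown", "ports": []})
        if "Status" in fields:
            record["status"] = fields["Status"]
        if "Ports" in fields:
            record["status"] = "Up"  # a Ports line only exists for a responding host
            record["ports"].extend(parse_ports_field(fields["Ports"]))
    return hosts


def open_ports(hosts: dict, ip: str, proto: str = "tcp") -> list:
    """Sorted list of open port numbers for one host and protocol."""
    record = hosts.get(ip, {"ports": []})
    return sorted(p["port"] for p in record["ports"]
                  if p["state"] == "open" and p["proto"] == proto)
```

With the sample above, `open_ports(parse_gnmap(SAMPLE_GNMAP), "192.168.1.3")` gives `[25, 80]`, the closed telnet entry is kept with its state so a reviewer can see what was probed, and the second host is recorded as Down with no ports. Version strings in real grepable output may contain spaces; splitting only on "/" keeps them intact.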

Page 22: NMAP by Shrikant Antre & Shobhit Gautam


TIMING

-T Paranoid - serial scan & 300 sec wait
-T Sneaky - serialize scans & 15 sec wait
-T Polite - serialize scans & 0.4 sec wait
-T Normal - parallel scan
-T Aggressive - parallel scan & 300 sec timeout & 1.25 sec/probe
-T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe

--host_timeout
--max_rtt_timeout (default - 9000)
--min_rtt_timeout
--initial_rtt_timeout (default - 6000)
--max_parallelism
--scan_delay (between probes)

Page 23: NMAP by Shrikant Antre & Shobhit Gautam


TIMING

--resume (scan)
--append_output
-iL <targets_filename>
-p <port ranges>
-F (Fast scan mode)
-D <decoy1 [,decoy2][,ME],>
-S <SRC_IP_Address>
-e <interface>
-g <portnumber>
--data_length <number>
--randomize_hosts
-O (OS fingerprinting)
-I (ident-scan)
-f (fragmentation)
-v (verbose)
-h (help)
-n (no reverse lookup)
-R (do reverse lookup)
-r (don't randomize port scan)
-b <ftp relay host> (FTP bounce)

Page 24: NMAP by Shrikant Antre & Shobhit Gautam


THANK YOU

