Scanning with nmap

An introduction to scanning with NMAP, the network mapping tool. Presented at our local DC612 group!

  1. Scanning With NMAP. Spenser Reinhardt, mplsCTFgames.org, 2-10-11
  2. What is NMAP? Nmap, or Network Mapper, is an open source utility designed to quickly scan and identify devices across networks. It can be used to simply locate machines or delve deeper into individual ports and services of each one.
  3. How Does NMAP Work? Through the use of raw sockets NMAP is able to identify: hosts on a network, services enabled, likely operating systems, and possible firewalls and IDS/IPS. With raw sockets, NMAP is able to craft many different types of IP packets that allow for enumeration of hosts and elicitation of information that would not otherwise be available. These abilities are gained due to the way sockets are able to create different packets and apply various flags to each as needed. These sometimes strange or disallowed packets are what cause an application or machine to respond when otherwise it may not.
  4. IPv4 Header Layout (RFC 791)

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |Version|  IHL  |Type of Service|          Total Length         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Identification        |Flags|      Fragment Offset    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Time to Live |    Protocol   |         Header Checksum       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Source Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Destination Address                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Options                    |    Padding    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Example Internet Datagram Header

  5. TCP Header Layout (RFC 793)

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Source Port          |       Destination Port        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                        Sequence Number                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Acknowledgment Number                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Data |           |U|A|P|R|S|F|                               |
     | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
     |       |           |G|K|H|T|N|N|                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           Checksum            |         Urgent Pointer        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    Options                    |    Padding    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                             data                              |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format
  6. Scan Types
     -sS – TCP SYN
     -sT – TCP Connect
     -sA – TCP ACK
     -sW – TCP Window
     -sM – TCP Maimon
     -sU – UDP Scan
     -sN – TCP Null (No Flags)
     -sF – TCP FIN (Just FIN Flag)
     -sX – TCP Xmas (All Flags)
     -sY – SCTP INIT
     -sZ – SCTP COOKIE-ECHO
     -sO – IP protocol scan
     -b <FTP relay host> – FTP bounce scan
     --scanflags <flags> – Customize TCP flags
     -sI <zombie host[:probeport]> – Idle scan
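As an added example (not from the slides), a small Python decoder for the RFC 793 header on slide 5 that labels an unsolicited segment with the slide 6 scan type its flag bits match, the way a sensor rule would; the test segments are constructed, and note that nmap's -sX sets FIN, PSH and URG rather than every flag.

```python
import struct

# Bits of the 8-bit flags field in the RFC 793 TCP header (slide 5).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag patterns nmap sends for the probe-style scans listed on slide 6.
# -sX ("Xmas") is FIN|PSH|URG, not every flag.
PROBE_PATTERNS = {
    0: "NULL (-sN)",
    FIN: "FIN (-sF)",
    FIN | PSH | URG: "Xmas (-sX)",
    FIN | ACK: "Maimon (-sM)",
    SYN: "SYN (-sS, or first packet of -sT)",
    ACK: "ACK (-sA) or Window (-sW)",
}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header (network byte order)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,   # Data Offset is in 32-bit words
        "flags": flags, "window": window, "checksum": csum, "urgent": urg,
    }

def classify_probe(flags: int) -> str:
    """Label a segment that arrived with no matching connection by scan type."""
    # Mask off the two high bits (CWR/ECE) later carved out of Reserved.
    return PROBE_PATTERNS.get(flags & 0x3F, "not a recognised probe pattern")

def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0,
                     ack: int = 0, window: int = 1024) -> bytes:
    """Constructed test segment: 20-byte header, no options, checksum zeroed."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                       window, 0, 0)

if __name__ == "__main__":
    # Constructed sample probes aimed at port 22, as a sensor might capture them.
    for name, flags in (("xmas", FIN | PSH | URG), ("null", 0), ("syn", SYN)):
        hdr = parse_tcp_header(build_tcp_header(40000, 22, flags))
        print(name, hdr["dport"], classify_probe(hdr["flags"]))
```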
  7. Output Options
     Output Types
     -oN <file> – Normal
     -oX <file> – XML
     -oS <file> – s|<rIpt kIddi3
     -oG <file> – Grepable
     -oA <file> – 3 Major Formats
     Output Options
     -v: Increase verbosity level (use twice or more for greater effect)
     -d[level]: Set or increase debugging level (Up to 9 is meaningful)
     --reason: Display the reason a port is in a particular state
     --open: Only show open (or possibly open) ports
     --packet-trace: Show all packets sent and received
     --iflist: Print host interfaces and routes (for debugging)
     --log-errors: Log errors/warnings to the normal-format output file
     --append-output: Append to rather than clobber specified output files
     --resume <filename>: Resume an aborted scan
     --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
     --webxml: Reference stylesheet from Nmap.Org for more portable XML
     --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
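As an added example (not from the slides), a Python parser for the grepable format written by -oG: it splits each Host line into its tab-separated fields and each Ports entry into port/state/protocol/owner/service/rpc/version, then applies the same filter --open does; the scan output below is constructed and its service banners are invented.

```python
import re

# Constructed sample of nmap -oG output (banners invented); a real file has the
# same layout: "#" comment lines, then one tab-separated "Host:" line per host.
SAMPLE_OG = (
    "# Nmap scan initiated (constructed sample) as: nmap -v -sS -sV -oG - 192.168.1.250\n"
    "Host: 192.168.1.250 ()\tStatus: Up\n"
    "Host: 192.168.1.250 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, "
    "80/open/tcp//http//Apache httpd 2.2.14/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done (constructed sample): 1 IP address (1 host up)\n"
)

# One Ports entry: port/state/proto/owner/service/rpc info/version/
# (nmap replaces any "/" inside a field with "|", so splitting on "/" is safe).
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_grepable(text: str) -> dict:
    """Return {address: [port dicts]} from grepable (-oG) output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skips the "# Nmap ..." comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr = fields["Host"].split()[0]  # "192.168.1.250 ()" -> address only
        ports = hosts.setdefault(addr, [])  # keep hosts that only have a Status line
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            ports.append({"port": int(port), "state": state, "proto": proto,
                          "service": service, "version": version})
    return hosts

def open_ports(hosts: dict) -> dict:
    """Mirror of nmap's --open filter: keep only open ports per host."""
    return {addr: [p["port"] for p in ports if p["state"] == "open"]
            for addr, ports in hosts.items()}

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    for addr, ports in open_ports(scan).items():
        print(addr, ports)
```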
  8. Using NMAP
     Identify Hosts
     nmap -v -sL 192.168.1.0/24
     nmap -v -sP 192.168.1.0/24
     Enumerate Services
     nmap -v -sS -sV 192.168.1.250
     Identify Operating Systems
     nmap -v -sS -O 192.168.1.250
     Excluding Hosts
     nmap -v -sS -A --exclude 192.168.1.5 192.168.1.0/24
     nmap -v -sS -A --excludefile exclusions.lst 192.168.1.0/24
     Advanced Scanning
     sudo nmap -T4 -sI 192.168.1.10 -A 192.168.1.250
  9. Using NMAP: nmap -sP -T5 192.168.1.0/24
  10. Using NMAP: nmap -sV -T5 192.168.1.250
  11. Using NMAP: sudo nmap -O -T5 192.168.1.250
  12. Using NMAP: sudo nmap -sS -A -T5 192.168.1.250
  13. Defeating IDS
     Packet Alteration
     -f – Fragment packets (-f = 8 bytes, -f -f = 16 bytes)
     --mtu – Set maximum MTU size (Do not use with -f)
     -D <decoy1>[,<decoy2>] – Include decoys in scan
     -S <IP> – Spoof source IP
     -g <portnumber> – Specify source port
     --data-length <number> – Append an amount of data
     --ip-options – Specify IP layer options
     --ttl – Set time to live
     --randomize-hosts – Allow nmap to select random targets
     --spoof-mac – Specify a MAC address, vendor or random
     --badsum – Force an invalid checksum
     Timing Commands
     --scan-delay <time> – Sets a minimum wait between probes
     --max-scan-delay <time> – Sets max delay between probes
     --min-rate --max-rate – Sets min and max packets per sec
     -T <0-5> – Set generic scan speeds
  14. NMAP Beyond
     NMAP Scripting Engine (NSE)
     ZeNMAP
     scanme.nmap.org
     & Other Similar Tools: Unicorn Scan, SuperScan, X-Scan, Fping
