• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
NMAP by Shrikant Antre & Shobhit Gautam
 

NMAP by Shrikant Antre & Shobhit Gautam

on

  • 1,975 views

NMAP by Shrikant Antre & Shobhit Gautam @ null Pune Meet, August, 2010

NMAP by Shrikant Antre & Shobhit Gautam @ null Pune Meet, August, 2010

Statistics

Views

Total Views
1,975
Views on SlideShare
1,922
Embed Views
53

Actions

Likes
2
Downloads
100
Comments
0

2 Embeds 53

http://null.co.in 52
http://www.health.medicbd.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    NMAP by Shrikant Antre & Shobhit Gautam NMAP by Shrikant Antre & Shobhit Gautam Presentation Transcript

    • NMAP SCANNING NMAP SCANNING By: A Project By: Shrikant Antre Shobhit Gautam Shrikant Antre Shobhit Gautam
    • INTRODUCTION TO PORT SCANNING • Port Scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised. NMAP SCANNING • A typical system has 2^16 -1 port numbers and one TCP port and one UDP port for each number. • A potential target computer runs many 'services' that listen at „well-known‟ 'ports'. • By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited.
    • NMAP • Nmap is the most popular scanning tool used on the Internet. • Created by Fyodar (http://www.insecure.org) , it was featured in NMAP SCANNING the Matrix Reloaded movie. A Project By: Shrikant Antre Shobhit Gautam
    • TCP COMMUNICATION FLAGS • Standard TCP communications are controlled by flags in the TCP packet header. • The flags are as follows: Synchronize - also called "SYN” • Used to initiate a connection between hosts. – Acknowledgement - also called "ACK” • Used in establishing a connection between hosts – Push - "PSH” • Instructs receiving system to send all buffered data immediately – Urgent - "URG” • States that the data contained in the packet should be processed immediately – Finish - also called "FIN" • Tells remote system that there will be no more transmissions – Reset - also called "RST” A Project By: • Also used to reset a connection. Shrikant Antre Shobhit Gautam
    • THREE WAY HANDSHAKE Computer A Computer B 192.168.10.2:2312 ------------syn--------->192.168.1.3:80 192.168.1.2:2312 <---------syn/ack----------192.168.1.3:80 192.168.1.2:2312-------------ack----------->192.168.1.3:80 Connection Established • The Computer A ( 192.168.1.2 ) initiates a connection to the server ( 192.168.1.3 ) via a packet with only the SYN flag set. • The server replies with a packet with both the SYN and the ACK flag set. • For the final step, the client responds back the server with a single ACK packet. A Project•By: If these three steps are completed without complication, then a TCP connection has been established between the client and server. Shrikant Antre Shobhit Gautam
    • NMAP SCANNING TECHNIQUE • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port, otherwise it is closed. • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. A Project By: Shrikant Antre Shobhit Gautam
    • NMAP SCANNING OPTIONS •SYN Scanning •Stealth Scan •Xmas Scan •FIN Scan •NULL Scan •IDLE Scan •Fragmentation scanning •ICMP echo scanning A Project By: Shrikant Antre Shobhit Gautam
    • SYN SCANNING • Syn scanning, a technique that is widely across the Internet today. • The syn scan, also called the "half open" scan, is the ability to determine a ports state without making a full connection to the host. • Many systems do not log the attempt, and discard it as a communications error. A Project By: Shrikant Antre Shobhit Gautam
    • STEALTH SCAN Computer A Computer B 192.168.1.12:2722 ------------syn----------->192.168.1.23:80 192.168.1.12:2722 <---------syn/ack----------192.168.1.23:80 192.168.1.12:2722-------------RST----------->192.168.1.23:80 • Client sends a single SYN packet to the server on the appropriate port. • If the port is open then the server responds with a SYN/ACK packet. • If the server responds with an RST packet, then the remote port is in state "closed” • The client sends RST packet to close the initiation before a connection can ever be A Project By: established. Shrikant AntreThis scan also known as “half-open” scan. • Shobhit Gautam
    • XMAS SCAN Computer A Computer B Xmas scan directed at open port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 Xmas scan directed at closed port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 • Note: XMAS scan only works on OS system's TCP/IP implementation which is developed according to RFC 793 • Xmas Scan will not work against any current version of Microsoft Windows. A Project By: • Xmas scans directed at any Microsoft system will show all ports on the host as being closed. Shrikant Antre Shobhit Gautam
    • FIN SCAN Computer A Computer B FIN scan directed at open port: 192.5.5.92:2031 -----------FIN------------------->192.5.5.110:23 192.5.5.92:2031 <----------NO RESPONSE------------192.5.5.110:23 FIN scan directed at closed port: 192.5.5.92:2031 -------------FIN------------------192.5.5.110:23 192.5.5.92:2031<-------------RST/ACK--------------192.5.5.110:23 • Note: FIN scan only works OS system's TCP/IP implementation is developed according to RFC 793 • FIN Scan will not work against any current version of Microsoft Windows. A Project By: • FIN scans directed at any Microsoft system will show all ports on the host as being closed. Shrikant Antre Shobhit Gautam
    • NULL SCAN Computer A Computer B NULL scan directed at open port: 192.7.8.91:4231 -----------NO FLAGS SET---------->192.6.7.110:23 192.7.8.91:4231 <----------NO RESPONSE------------192.6.7.110:23 NULL scan directed at closed port: 192.7.8.91:4231 -------------NO FLAGS SET---------192.6.7.110:23 192.7.8.91:4231<-------------RST/ACK--------------192.6.7.110:23 • Note: NULL scan only works OS system's TCP/IP implementation is developed according to RFC 793 • NULL Scan will not work against any current version of Microsoft Windows. A Project By: • NULL scans directed at any Microsoft system will show all ports on the host as being closed. Shrikant Antre Shobhit Gautam
    • IDLE SCAN • A few years ago, security researcher „Antirez‟ posted an innovative new TCP port scanning technique. • Idle scan, as it has become known, allows for completely blind port scanning. • Attackers can actually scan a target without sending a single packet to the target from their own IP address. A Project By: Shrikant Antre Shobhit Gautam
    • IDLE SCAN: BASICS • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. • The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. • A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored. • Every IP packet on the Internet has a "fragment identification" number. • Many operating systems simply increment this number for every packet they send. • So probing for this number can tell an attacker how many packets have been sent since the last probe. A Project By: Shrikant Antre Shobhit Gautam
    • IDLE SCAN: STEP 1 Choose a "zombie" and problem for its current IPID number A Project By: Shrikant Antre Shobhit Gautam
    • IDLE SCAN: STEP 2 Send forged packet "from" Zombie to target. A Project By: Shrikant Antre Shobhit Gautam
    • IDLE SCAN: STEP 3 Probe Zombie IPID again A Project By: Shrikant Antre Shobhit Gautam
    • FRAGMENTATION SCANNING • Instead of just sending the probe packet, you break it into a couple of small IP fragments. • You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. • The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets. A Project By: Shrikant Antre Shobhit Gautam
    • ICMP ECHO SCANNING • This isn't really port scanning, since ICMP doesn't have a port abstraction. • But it is sometimes useful to determine what hosts in a network are up by pinging them all. • nmap -P A Project By: Shrikant Antre Shobhit Gautam
    • PING DETECTION -P0 (don’t ping) -PT (TCP ping) -PS (SYN ping) -PI (ICMP ping) -PB (= PT + PI) -PP (ICMP timestamp) -PM (ICMP netmask) A Project By: Shrikant Antre Shobhit Gautam
    • OUTPUT FORMAT -oN(ormal) -oX(ml) -oG(repable) -oA(ll) A Project By: Shrikant Antre Shobhit Gautam
    • TIMING -T Paranoid – serial scan & 300 sec wait -T Sneaky - serialize scans & 15 sec wait -T Polite - serialize scans & 0.4 sec wait -T Normal – parallel scan -T Aggressive- parallel scan & 300 sec timeout & 1.25 sec/probe -T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe --host_timeout --max_rtt_timeout (default - 9000) --min_rtt_timeout --initial_rtt_timeout (default – 6000) A Project By: --max_parallelism --scan_delay (between probes) Shrikant Antre Shobhit Gautam
    • TIMING --resume (scan) --append_output -iL <targets_filename> -p <port ranges> -F (Fast scan mode) -D <decoy1 [,decoy2][,ME],> -S <SRC_IP_Address> -e <interface> -g <portnumber> --data_length <number> --randomize_hosts -O (OS fingerprinting) -I (dent-scan) -f (fragmentation) -v (verbose) -h (help) -n (no reverse lookup) -R (do reverse lookup) -r (dont randomize port scan) -b <ftp relay host> (FTP bounce) A Project By: Shrikant Antre Shobhit Gautam
    • THANK YOU A Project By: Shrikant Antre Shobhit Gautam