
Nmap and metasploitable


This was presented at the Null Open Security Community July meetup; the session was on Nmap and Metasploitable.

Published in: Software

  1. NMAP and Metasploitable-II
  2. About Me
     • Mohammed Akbar Shariff
     • Cyber Sec Intern – WICS
     • Graduating
     • @akbarshariffak
  3. Agenda
     • Basics of Network
     • Metasploitable II
     • Introduction to NMAP
     • Port Status
     • Scan Types
     • Host Discovery
     • OS Fingerprinting
     • Nmap Scripting Engine
  4. Basics of Networks: TCP Header
  5. Three-way handshake…???
  6. TCP three-way handshake
  7. Metasploitable II
     • The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
  8. What is NMAP?
     • Network Mapper: a utility used to identify assets and map them in a network.
     • Current release is 7.50; a 20-year-old project and still active.
  9. Why NMAP..??
     • Perhaps I can ping sweep?
     • How to know which IPs are alive?
     • There are only 65535 (ports) × 2 (TCP & UDP) × 24 (if class C)
  10. Nmap Port Status
     • OPEN
     • CLOSED
     • FILTERED
     • OPEN|FILTERED
  11. NMAP port “Status” – Open
     • Open: the SYN reached the end system, the victim responded with SYN+ACK and the handshake completes.
     • nmap -n -sT -p 80
  12. NMAP port “Status” – Closed
     • Closed: the SYN reached the end system, which responded with RST+ACK. The system is accessible but the service is not open on the victim.
     • nmap -n -sT -p 22
  13. NMAP port “Status” – Filtered
     • Filtered: observed when a port does not respond on repeated tries.
     • nmap -n -sT -p 445
  14. Scan Types
     • nmap <options> <scan type> <target>
  15. NMAP Options
     • -iL <filename>: pass a list of hosts.
     • -iR <number of hosts>: choose random targets. Ex: nmap -Pn -sS -p 80 -iR 0 --open
     • -p <port ranges>: port scanning, only scan the specified ports (-p- scans all ports).
     Host Discovery
     • -sL (List Scan): simply lists each host of the network(s) specified.
     • -sn: no port scan, only ping scan.
     • -Pn: skip ping scan and treat all hosts as live.
     • -PS <portlist>: TCP SYN ping.
     • -n: no DNS resolution.
     • -R: DNS resolution for all targets.
     • -PE; -PP; -PM: ICMP ping types.
     • -PA <port list>: TCP ACK ping.
     • -PU <port list>: UDP ping.
  16. Nmap Scan Types
     • -sP (Ping Sweep): performs ARP ping and ICMP echo request to determine whether a system is alive.
     • -sS (TCP SYN Scan): determines a system/port being alive by sending only SYN and waiting for SYN-ACK.
     • -sU (UDP Scan): probes UDP; detects that the system/port is alive from a UDP response or an ICMP destination unreachable packet.
     • -sT (TCP Connect Scan): performs connection establishment using the system call “connect”.
     • -sN (Null scan): does not set any bits (the TCP flag header is 0).
     • -sF (FIN Scan): sets just the TCP FIN bit.
     • -sX (Xmas scan): sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
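Slides 10 to 13 and 16 describe how Nmap turns the reply to a probe into a port state. The Python below is an added example, not code from the deck or from the Nmap project: it encodes those rules for the SYN/connect, UDP and Null/FIN/Xmas scan types, plus the ICMP unreachable cases from the Nmap reference guide, so a reader can check what each state in a scan report actually means. The `Reply` dataclass and every sample reply are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type-3 codes Nmap reports as "filtered": net/host/port unreachable
# (1, 2, 3), net/host administratively prohibited (9, 10), admin prohibited (13).
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """Constructed summary of what came back for one probe; None means silence."""
    proto: str                       # "tcp", "udp" or "icmp"
    flags: str = ""                  # TCP flags seen, e.g. "SA" = SYN+ACK, "RA" = RST+ACK
    icmp_code: Optional[int] = None  # ICMP destination-unreachable (type 3) code


def classify_port(scan: str, reply: Optional[Reply]) -> str:
    """Map a probe reply to the Nmap port state for the given scan type."""
    if reply is not None and reply.proto == "icmp":
        if reply.icmp_code == 3 and scan == "-sU":
            return "closed"            # port unreachable: the UDP port is closed
        if reply.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"          # a filter answered instead of the host
        raise ValueError(f"unexpected ICMP code {reply.icmp_code}")
    if scan in ("-sS", "-sT"):         # SYN and connect scans (slides 11-13)
        if reply is None:
            return "filtered"          # repeated SYNs drew no answer at all
        if "S" in reply.flags and "A" in reply.flags:
            return "open"              # SYN+ACK: a listener completed step 2
        if "R" in reply.flags:
            return "closed"            # RST(+ACK): host reachable, nothing listening
    elif scan == "-sU":                # UDP scan
        if reply is None:
            return "open|filtered"     # silence: open service or dropped probe
        if reply.proto == "udp":
            return "open"              # any UDP payload back means a listener
    elif scan in ("-sN", "-sF", "-sX"):  # Null, FIN and Xmas scans
        if reply is None:
            return "open|filtered"     # RFC 793 hosts stay silent on open ports
        if "R" in reply.flags:
            return "closed"            # closed ports answer these probes with RST
    raise ValueError(f"cannot classify {scan} reply {reply!r}")
```

Note that for a SYN scan an ICMP port unreachable yields "filtered", whereas the same message makes a UDP port "closed"; that asymmetry is why UDP results need the ICMP reply to be interpreted separately.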
  17. OS Fingerprinting
     • Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
     • Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.
     • -O (enable OS detection)
  18. Nmap – Service Version and Enumeration!
     • The nmap-services database is constantly updated with services, fingerprinting and banners to identify remote ports and operating systems.
     • -sV: runs about 30 Nmap Script Engine (.nse) files to identify and enumerate the service that was detected earlier.
     • -sC: runs the “default” set of about 200 Nmap Script Engine (.nse) files to identify and enumerate the services and report the vulnerabilities identified. Optionally the --script option can be used.
  19. Nmap Service Enumeration!
     • The difference between the two in action: a regular TCP scan versus a TCP scan with version detection (-sT + -sV = -sTV).
  20. Nmap Scripting Engine (NSE) – What and Why?
     • Nmap Script Engine, written in Lua.
     • Sophisticated version detection and OS detection. Example: smb-os-discovery.nse, http-cisco-anyconnect.nse …
     • Vulnerability detection. Example: tls-ticketbleed.nse, sslv2-drown.nse, …
     • Malware detection. Example: http-google-malware.nse …
     • Vulnerability exploitation. Example: smb-psexec.nse, …
  21. NSE – What? Where?
     • -sC and --script use NSE. There is a default set launched when no option is given.
  22. Nmap Enumeration Technique
     • Notice how the service is not shell, even though the banner shows shell.
  23. Nmap Enumeration Technique
     • So you need to use -sTV along with it for the version grab.
  24. Nmap Output Formatting
     • Greppable
     • Regular Text
     • XML
  25. References
  26. QUESTIONS??
  27. THANK YOU