SlideShare a Scribd company logo
1 of 28
NMAP
and
Metasploitable-II
About Me
Mohammed Akbar Shariff
Cyber Sec Intern – WICS
Graduating M.tech
www.linkedin.com/in/mohammed-akbar-shariff
@akbarshariffak
Agenda
• Basics of Network
• Metasploitable II
• Introduction to NMAP
• Port Status
• Scan Types
• Host Discovery
• OS Fingerprinting
• Nmap Scripting Engine
Basics of Netwoks
TCP Header
Three way Handshake…???
TCP Three way handshake
Metasploitable II
The Metasploitable virtual machine is an
intentionally vulnerable version of Ubuntu Linux
designed for testing security tools and demonstrating
common vulnerabilities.
What is NMAP?
• Network Mapper - Utility used to identify assets and map them in a
network.
• https://github.com/nmap/nmap (Current release is 7.50, 20 year old
project and active)
Why NMAP..??
• Perhaps I can ping sweep?
• How to know which IP’s are alive?
• There are only
• 65535(PORTS) *2 (TCP &UDP)*24 ( if class C)
Nmap Port Status
• OPEN
• CLOSED
• FILTERED
• OPEN|FILTERED
NMAP port “Status” - Open
•Open - SYN reached the end system, victim responded with
SYN+ACK and Completes the handshake.
Nmap -n -sT -p 80 192.168.56.104
NMAP port “Status” - Closed
• Closed - SYN reached the end system, responded with
RST+ACK. System is accessible and service is still not open
on victim. Nmap -n -sT -p 22 192.168.56.104
NMAP port “Status” - Filtered
• Filtered – Observed when a port does not respond on repeated tries.
Nmap -n -sT -p 445 192.168.56.105
Scan Types
nmap <options><scan type> <target>
NMAP Options
-iL <filename>: Pass a list of hosts.
-iR <number of Hosts>: Choose random targets.
Ex: nmap -Pn -sS -p 80 -iR 0 --open
-p <port ranges> : Port scanning, Only scan specified ports…. -p-
Host Discovery
-sL (List Scan): Simply lists each host of the network(s) specified.
-sn : No port scan and only ping scan
-Pn : Skip ping scan and treat all host to be live
-PS <portlist> : TCP SYN Ping
-n : No DNS resolution
-R : DNS resolution for all targets
-PE; -PP; -PM : ICMP Ping Types.
-PA <port list> : TCP ACK ping
-PU <port list> : UDP Ping
Nmap Scan Types
• -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine system is alive.
• -sS (TCP SYN Scan) – Determines a system/port being alive by sending only SYN and
waiting for SYN-ACK
• -sU (UDP Scan) – Probes UDP detects system/port is alive when there is a UDP response +
ICMP packet Destination unreachable.
• -sT (TCP Connect Scan): Performs connection establishment using system call “connect”
• -sN (Null scan): Does not set any bits (TCP flag header is 0).
• -sF (FIN Scan): Sets just the TCP FIN bit.
• -sX (Xmas scan): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas
tree.
OS Fingerprinting
• Nmap sends a series of TCP and UDP packets to the remote host and
examines practically every bit in the responses.
• Nmap compares the results to its nmap-os-db database of more than 2,600
known OS fingerprints and prints out the OS details if there is a match.
-O (Enable OS detection)
Nmap – service Version and Enumeration!
• Nmap-services database is constantly updated with services, finger
printing and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine (.nse files) to identify and
enumerate the service that has been detected earlier.
• -sC – runs “default” ~200 Nmap Script Engine (.nse files) to identify
and enumerate the services and provide vulnerabilities identified.
Optionally can use - -script option.
Nmap service Enumeration!
• The Difference between the two in Action
TCP scan with Version
-sT + -sV = -sTV
Regular TCP scan
Nmap Scripting Engine(NSE) –What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated Version detection and OS detection.
• Example: smb-os-discovery.nse , http-cisco-anyconnect.nse …
• Vulnerability detection.
• Example: tls-ticketbleed.nse, sslv2-drown.nse,..
• Malware detection.
• Example: http-google-malware.nse..
• Vulnerability Exploitation.
• Example: smb-psexec.nse,..
NSE – what? where?
• -sC and --script uses NSE. There is a default set launched when no
option is given. https://nmap.org/nsedoc/categories/default.html
Nmap Enumeration technique
Notice how the service is not shell
Even though Banner shows Shell
Nmap Enumeration technique
So you need to use –sTV along for
Version grab
Nmap Output Formatting
Greppable
Regular Text
XML
References
• https://www.nmap.org
• https://null.co.in/
• http://insecure.org/
QUESTIONS??
THANK YOU

More Related Content

What's hot (20)

Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
NMap
NMapNMap
NMap
 
Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Nmap
NmapNmap
Nmap
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Scanning with nmap
Scanning with nmapScanning with nmap
Scanning with nmap
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
 
Nessus Basics
Nessus BasicsNessus Basics
Nessus Basics
 
Snort
SnortSnort
Snort
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
N map presentation
N map presentationN map presentation
N map presentation
 
Nmap
NmapNmap
Nmap
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 

Viewers also liked

API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meetvinoth kumar
 
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)Deepam Kanjani
 
Yet another talk on bug bounty
Yet another talk on bug bountyYet another talk on bug bounty
Yet another talk on bug bountyvinoth kumar
 
Basics of Cryptography
Basics of CryptographyBasics of Cryptography
Basics of CryptographySunil Kumar
 
Networking basics by rahul at Null Mumbai
Networking basics by rahul at Null MumbaiNetworking basics by rahul at Null Mumbai
Networking basics by rahul at Null MumbaiAvkash Kathiriya
 

Viewers also liked (6)

API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meet
 
Bit squatting
Bit squattingBit squatting
Bit squatting
 
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
 
Yet another talk on bug bounty
Yet another talk on bug bountyYet another talk on bug bounty
Yet another talk on bug bounty
 
Basics of Cryptography
Basics of CryptographyBasics of Cryptography
Basics of Cryptography
 
Networking basics by rahul at Null Mumbai
Networking basics by rahul at Null MumbaiNetworking basics by rahul at Null Mumbai
Networking basics by rahul at Null Mumbai
 

Similar to Nmap and metasploitable

Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3Harsh Desai
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Nikhil Raj
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academycyberforgeacademy
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsJoseph Bugeja
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPRISMA CSI
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015Kevin Alcock
 
3 scanning-ger paoctes-pub
3  scanning-ger paoctes-pub3  scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 

Similar to Nmap and metasploitable (20)

Zen map
Zen mapZen map
Zen map
 
NMAP1.ppt
NMAP1.pptNMAP1.ppt
NMAP1.ppt
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3Nmap basics-1198948509608024-3
Nmap basics-1198948509608024-3
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academy
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information Gathering
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Namp
Namp Namp
Namp
 
Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015Christchurch ISIG 27 oct2015
Christchurch ISIG 27 oct2015
 
Nmap
NmapNmap
Nmap
 
3 scanning-ger paoctes-pub
3  scanning-ger paoctes-pub3  scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis course
 
Ethical hacking with Python tools
Ethical hacking with Python toolsEthical hacking with Python tools
Ethical hacking with Python tools
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 

Recently uploaded

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

Recently uploaded (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Nmap and metasploitable

  • 2. About Me Mohammed Akbar Shariff Cyber Sec Intern – WICS Graduating M.tech www.linkedin.com/in/mohammed-akbar-shariff @akbarshariffak
  • 3. Agenda • Basics of Network • Metasploitable II • Introduction to NMAP • Port Status • Scan Types • Host Discovery • OS Fingerprinting • Nmap Scripting Engine
  • 6.
  • 7. TCP Three way handshake
  • 8. Metasploitable II The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
  • 9. What is NMAP? • Network Mapper - Utility used to identify assets and map them in a network. • https://github.com/nmap/nmap (Current release is 7.50, 20 year old project and active)
  • 10. Why NMAP..?? • Perhaps I can ping sweep? • How to know which IP’s are alive? • There are only • 65535(PORTS) *2 (TCP &UDP)*24 ( if class C)
  • 11. Nmap Port Status • OPEN • CLOSED • FILTERED • OPEN|FILTERED
  • 12. NMAP port “Status” - Open •Open - SYN reached the end system, victim responded with SYN+ACK and Completes the handshake. Nmap -n -sT -p 80 192.168.56.104
  • 13. NMAP port “Status” - Closed • Closed - SYN reached the end system, responded with RST+ACK. System is accessible and service is still not open on victim. Nmap -n -sT -p 22 192.168.56.104
  • 14. NMAP port “Status” - Filtered • Filtered – Observed when a port does not respond on repeated tries. Nmap -n -sT -p 445 192.168.56.105
  • 16. NMAP Options -iL <filename>: Pass a list of hosts. -iR <number of Hosts>: Choose random targets. Ex: nmap -Pn -sS -p 80 -iR 0 --open -p <port ranges> : Port scanning, Only scan specified ports…. -p- Host Discovery -sL (List Scan): Simply lists each host of the network(s) specified. -sn : No port scan and only ping scan -Pn : Skip ping scan and treat all host to be live -PS <portlist> : TCP SYN Ping -n : No DNS resolution -R : DNS resolution for all targets -PE; -PP; -PM : ICMP Ping Types. -PA <port list> : TCP ACK ping -PU <port list> : UDP Ping
  • 17. Nmap Scan Types • -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine system is alive. • -sS (TCP SYN Scan) – Determines a system/port being alive by sending only SYN and waiting for SYN-ACK • -sU (UDP Scan) – Probes UDP detects system/port is alive when there is a UDP response + ICMP packet Destination unreachable. • -sT (TCP Connect Scan): Performs connection establishment using system call “connect” • -sN (Null scan): Does not set any bits (TCP flag header is 0). • -sF (FIN Scan): Sets just the TCP FIN bit. • -sX (Xmas scan): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
  • 18. OS Fingerprinting • Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. • Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. -O (Enable OS detection)
  • 19. Nmap – service Version and Enumeration! • Nmap-services database is constantly updated with services, finger printing and banners to identify remote ports and operating systems. • -sV - runs about ~30 Nmap Script Engine (.nse files) to identify and enumerate the service that has been detected earlier. • -sC – runs “default” ~200 Nmap Script Engine (.nse files) to identify and enumerate the services and provide vulnerabilities identified. Optionally can use - -script option.
  • 20. Nmap service Enumeration! • The Difference between the two in Action TCP scan with Version -sT + -sV = -sTV Regular TCP scan
  • 21. Nmap Scripting Engine(NSE) –What and Why? • Nmap Script Engine, written in Lua. • Sophisticated Version detection and OS detection. • Example: smb-os-discovery.nse , http-cisco-anyconnect.nse … • Vulnerability detection. • Example: tls-ticketbleed.nse, sslv2-drown.nse,.. • Malware detection. • Example: http-google-malware.nse.. • Vulnerability Exploitation. • Example: smb-psexec.nse,..
  • 22. NSE – what? where? • -sC and --script uses NSE. There is a default set launched when no option is given. https://nmap.org/nsedoc/categories/default.html
  • 23. Nmap Enumeration technique Notice how the service is not shell Even though Banner shows Shell
  • 24. Nmap Enumeration technique So you need to use –sTV along for Version grab