Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

NMAP by Shrikant Antre & Shobhit Gautam

2,433 views

Published on

NMAP by Shrikant Antre & Shobhit Gautam @ null Pune Meet, August, 2010

Published in: Technology
  • Be the first to comment

NMAP by Shrikant Antre & Shobhit Gautam

  1. 1. NMAP SCANNING NMAP SCANNING By: A Project By: Shrikant Antre Shobhit Gautam Shrikant Antre Shobhit Gautam
  2. 2. INTRODUCTION TO PORT SCANNING • Port Scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised. NMAP SCANNING • A typical system has 2^16 -1 port numbers and one TCP port and one UDP port for each number. • A potential target computer runs many 'services' that listen at „well-known‟ 'ports'. • By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited.
  3. 3. NMAP • Nmap is the most popular scanning tool used on the Internet. • Created by Fyodar (http://www.insecure.org) , it was featured in NMAP SCANNING the Matrix Reloaded movie. A Project By: Shrikant Antre Shobhit Gautam
  4. 4. TCP COMMUNICATION FLAGS • Standard TCP communications are controlled by flags in the TCP packet header. • The flags are as follows: Synchronize - also called "SYN” • Used to initiate a connection between hosts. – Acknowledgement - also called "ACK” • Used in establishing a connection between hosts – Push - "PSH” • Instructs receiving system to send all buffered data immediately – Urgent - "URG” • States that the data contained in the packet should be processed immediately – Finish - also called "FIN" • Tells remote system that there will be no more transmissions – Reset - also called "RST” A Project By: • Also used to reset a connection. Shrikant Antre Shobhit Gautam
  5. 5. THREE WAY HANDSHAKE Computer A Computer B 192.168.10.2:2312 ------------syn--------->192.168.1.3:80 192.168.1.2:2312 <---------syn/ack----------192.168.1.3:80 192.168.1.2:2312-------------ack----------->192.168.1.3:80 Connection Established • The Computer A ( 192.168.1.2 ) initiates a connection to the server ( 192.168.1.3 ) via a packet with only the SYN flag set. • The server replies with a packet with both the SYN and the ACK flag set. • For the final step, the client responds back the server with a single ACK packet. A Project•By: If these three steps are completed without complication, then a TCP connection has been established between the client and server. Shrikant Antre Shobhit Gautam
  6. 6. NMAP SCANNING TECHNIQUE • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port, otherwise it is closed. • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. A Project By: Shrikant Antre Shobhit Gautam
  7. 7. NMAP SCANNING OPTIONS •SYN Scanning •Stealth Scan •Xmas Scan •FIN Scan •NULL Scan •IDLE Scan •Fragmentation scanning •ICMP echo scanning A Project By: Shrikant Antre Shobhit Gautam
  8. 8. SYN SCANNING • Syn scanning, a technique that is widely across the Internet today. • The syn scan, also called the "half open" scan, is the ability to determine a ports state without making a full connection to the host. • Many systems do not log the attempt, and discard it as a communications error. A Project By: Shrikant Antre Shobhit Gautam
  9. 9. STEALTH SCAN Computer A Computer B 192.168.1.12:2722 ------------syn----------->192.168.1.23:80 192.168.1.12:2722 <---------syn/ack----------192.168.1.23:80 192.168.1.12:2722-------------RST----------->192.168.1.23:80 • Client sends a single SYN packet to the server on the appropriate port. • If the port is open then the server responds with a SYN/ACK packet. • If the server responds with an RST packet, then the remote port is in state "closed” • The client sends RST packet to close the initiation before a connection can ever be A Project By: established. Shrikant AntreThis scan also known as “half-open” scan. • Shobhit Gautam
  10. 10. XMAS SCAN Computer A Computer B Xmas scan directed at open port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 Xmas scan directed at closed port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 • Note: XMAS scan only works on OS system's TCP/IP implementation which is developed according to RFC 793 • Xmas Scan will not work against any current version of Microsoft Windows. A Project By: • Xmas scans directed at any Microsoft system will show all ports on the host as being closed. Shrikant Antre Shobhit Gautam
  11. 11. FIN SCAN Computer A Computer B FIN scan directed at open port: 192.5.5.92:2031 -----------FIN------------------->192.5.5.110:23 192.5.5.92:2031 <----------NO RESPONSE------------192.5.5.110:23 FIN scan directed at closed port: 192.5.5.92:2031 -------------FIN------------------192.5.5.110:23 192.5.5.92:2031<-------------RST/ACK--------------192.5.5.110:23 • Note: FIN scan only works OS system's TCP/IP implementation is developed according to RFC 793 • FIN Scan will not work against any current version of Microsoft Windows. A Project By: • FIN scans directed at any Microsoft system will show all ports on the host as being closed. Shrikant Antre Shobhit Gautam
  12. 12. NULL SCAN Computer A Computer B NULL scan directed at open port: 192.7.8.91:4231 -----------NO FLAGS SET---------->192.6.7.110:23 192.7.8.91:4231 <----------NO RESPONSE------------192.6.7.110:23 NULL scan directed at closed port: 192.7.8.91:4231 -------------NO FLAGS SET---------192.6.7.110:23 192.7.8.91:4231<-------------RST/ACK--------------192.6.7.110:23 • Note: NULL scan only works OS system's TCP/IP implementation is developed according to RFC 793 • NULL Scan will not work against any current version of Microsoft Windows. A Project By: • NULL scans directed at any Microsoft system will show all ports on the host as being closed. Shrikant Antre Shobhit Gautam
  13. 13. IDLE SCAN • A few years ago, security researcher „Antirez‟ posted an innovative new TCP port scanning technique. • Idle scan, as it has become known, allows for completely blind port scanning. • Attackers can actually scan a target without sending a single packet to the target from their own IP address. A Project By: Shrikant Antre Shobhit Gautam
  14. 14. IDLE SCAN: BASICS • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. • The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. • A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored. • Every IP packet on the Internet has a "fragment identification" number. • Many operating systems simply increment this number for every packet they send. • So probing for this number can tell an attacker how many packets have been sent since the last probe. A Project By: Shrikant Antre Shobhit Gautam
  15. 15. IDLE SCAN: STEP 1 Choose a "zombie" and problem for its current IPID number A Project By: Shrikant Antre Shobhit Gautam
  16. 16. IDLE SCAN: STEP 2 Send forged packet "from" Zombie to target. A Project By: Shrikant Antre Shobhit Gautam
  17. 17. IDLE SCAN: STEP 3 Probe Zombie IPID again A Project By: Shrikant Antre Shobhit Gautam
  18. 18. FRAGMENTATION SCANNING • Instead of just sending the probe packet, you break it into a couple of small IP fragments. • You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. • The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets. A Project By: Shrikant Antre Shobhit Gautam
  19. 19. ICMP ECHO SCANNING • This isn't really port scanning, since ICMP doesn't have a port abstraction. • But it is sometimes useful to determine what hosts in a network are up by pinging them all. • nmap -P A Project By: Shrikant Antre Shobhit Gautam
  20. 20. PING DETECTION -P0 (don’t ping) -PT (TCP ping) -PS (SYN ping) -PI (ICMP ping) -PB (= PT + PI) -PP (ICMP timestamp) -PM (ICMP netmask) A Project By: Shrikant Antre Shobhit Gautam
  21. 21. OUTPUT FORMAT -oN(ormal) -oX(ml) -oG(repable) -oA(ll) A Project By: Shrikant Antre Shobhit Gautam
  22. 22. TIMING -T Paranoid – serial scan & 300 sec wait -T Sneaky - serialize scans & 15 sec wait -T Polite - serialize scans & 0.4 sec wait -T Normal – parallel scan -T Aggressive- parallel scan & 300 sec timeout & 1.25 sec/probe -T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe --host_timeout --max_rtt_timeout (default - 9000) --min_rtt_timeout --initial_rtt_timeout (default – 6000) A Project By: --max_parallelism --scan_delay (between probes) Shrikant Antre Shobhit Gautam
  23. 23. TIMING --resume (scan) --append_output -iL <targets_filename> -p <port ranges> -F (Fast scan mode) -D <decoy1 [,decoy2][,ME],> -S <SRC_IP_Address> -e <interface> -g <portnumber> --data_length <number> --randomize_hosts -O (OS fingerprinting) -I (dent-scan) -f (fragmentation) -v (verbose) -h (help) -n (no reverse lookup) -R (do reverse lookup) -r (dont randomize port scan) -b <ftp relay host> (FTP bounce) A Project By: Shrikant Antre Shobhit Gautam
  24. 24. THANK YOU A Project By: Shrikant Antre Shobhit Gautam

×