Feb 2019 - "Recon with Nmap" Session by Nikhil Raj and Jayvardhan Singh

1. Recon with Nmap
- Network scanning for noobs & ninjas

2. Who we are?
Jayvardhan Singh @Silent_Screamr
- Web and Mobile Security researcher
- Bugbounty and Hall of Fame
- Microsoft | Apple | Nokia | Barracuda |
Blackberry | Olark | Heroku |
Nikhil Raj @0xn1k5
- Web, Network and Wireless pentesting
- RHCSA, RHCE & CEH
- Dump my tools at github.com/0xn1k5

3. Home Network
192.168.0.1
192.168.0.102192.168.0.101
192.168.0.103 192.168.0.104

4. Enterprise Network
Firewall Router Switch
Hosts
Private IP
Class A : 10.0.0.0 – 10.255.255.255
Class B : 172.16.0.0 – 172.31.255.255
Class C : 192.168.0.0 – 192.168.255.255
Public IP
Internet
NAT/PAT

5. Find your own IP
Public IP
Just Google What is my
ip address
Or, visit
http://whatismyip
address.com
Private IP
Open the cmd/terminal
and type:
# ipconfig (windows)
# ifconfig (Unix/Linux)

6. Private IP

7. Public IP

8. Who else is on the network?
# ping <target ip>

9. What Services are available?
- Each hosts needs to perform multiple
networking operations as web, instant
messenger, file transfer, video streaming and
remote management using RDP or SSH
- Can either be TCP or UDP based service
associated with unique port number

10. Port Numbers
● Port no exists at Transport Layer
● Size: 16 bits unsigned integer
● Range: 0 – 65535 (Both TCP & UDP)
– Well known port ( 0 – 1023 )
– Reserved port ( 1024 – 49151 )
– Dynamic or Private port ( 49152 – 65535 )

11. Common Services & Ports
● Web Services – tcp/80, tcp/8080, tcp/443
● FTP – tcp/20 & 21
● SSH – tcp/22
● Mail – tcp/25
● Database – Mysql (tcp/3306), Oracle
(tcp/1521)
● DNS - udp/53
● SNMP –udp/161

12. TCP vs UDP
• Transmission Control
Protocol
• Reliable
• Connection-oriented
(3-way handshake)
• Flow control,
sequencing and
acknowledgement
• User Datagram
Protocol
• Unreliable
• Connection less
• No retransmission
and
acknowledgement

13. TCP 3 Way Handshake
SYN
SYN + ACK
ACK
Service is listening (Open )
DATA

14. TCP 3 Way Handshake
SYN
RST
Service is listening (Closed)

15. Demo Time

16. Demo with Netcat
Start Netcat Listener (Server)
# nc -l -p <port>
Use Netcat as client
# nc <ip> <port>
& Inspect traffic in Wireshark

17. Nmap
● Open Source
● Fast and efficient
● Supports multiple platforms
● Active community support
● Popular...Featured in Movies as well :-)
● Can be extended by using its Nmap Scripting
Engine

18. Specifying Input Targets
# nmap scanme.nmap.org
# nmap 192.168.0.1
# nmap 192.168.0.1-200
# nmap 192.168.0.1/24
# nmap –sn –iL <ip_list>

19. Specifying port range
# nmap -p 80 192.168.0.1
# nmap –p 21,22,80 192.168.0.1/24
# nmap –p 1-65535 192.168.0.1/24
# nmap --top-ports 200 192.168.0.1/24
# nmap –top-ports 10 192.168.0.1 --reason
PS: By default nmap scans only top 1000 most widely
used ports which can be changed using –top-ports

20. Nmap – Common Scan Types
TCP Connect Scan ( -sT )
- Complete 3-way handshake
# nmap -sT <target>
TCP SYN Scan ( -sS ) [Default]
- Also known as Half-open scan
# nmap -sS <target>
UDP Scan ( -sU )
- Scan UDP ports, Runs Slow
# nmap -sU <target>

21. Nmap Options
- If host is not responding to ping probes!
# nmap -Pn <target>
- Version Detection
# nmap -sS -sV <ip>
- OS Detection
# nmap -sS -O <ip>
- Use Timing template for faster scan (noisy)
# nmap –sS –T4 <ip>
- Aggressive Scan ( version, os and script scan )
# nmap –sS –A <ip>

22. Nmap – Saving Output
- Output Format supported:
- Normal ( -oN )
- XML ( -oX )
- Grepable ( -oG )
- All Formats ( -oA )
# nmap -sS -sV -p- <ip> -oA <output_file>

23. Nmap scan I
− TCP Services
# nmap –sS –p- –sV –O –Pn <target> -oA <out_file>
- UDP Services
# nmap –sU –p U:1-65535 –sV –Pn <target> -oA
<out_file>
- Combining TCP and UDP Scan
# nmap –sU –sS –p U:53,111,137,T:21-
25,80,139,8080 <target> -oA <out_file>

24. Nmap Scripting Engine
- Script ends with .nse extension
- Located at “/usr/share/nmap/scripts” in kali
- Invoked using –sC (default) or –-script
switch
- Categorised as auth, broadcast, brute,
default. discovery, dos, exploit, external,
fuzzer, intrusive, malware, safe, version, and
vuln
- Can be used for enumeration, vulnerability
detection, exploitation and more.

25. NSE Scans
- Executing Default script scan
# nmap –p 21 –sC –sV <ip>
- Executing script scan
# nmap -p445 –-script=smb-enum-shares <ip>
- Execute all smb scripts
# nmap –p445 –-script=smb* <ip>
- Execute scripts marked as safe and default
# nmap –p445 –-script=safe,default <ip>

26. NSE Scans continued
- Enumerating services
# nmap -p445 –script=smb-enum-shares <ip>
- Brute Force Attacks
# nmap -p445 --script smb-brute --script-args
userdb=users.txt,passdb=passwords.txt <ip>
- Vulnerability Scan
# nmap -Pn –script=vuln <ip>
# nmap -p445 –script=smb-vuln-ms17-010 <ip>

27. NSE Scans - Demo

28. NSE Scans - Demo

29. Demo Time

30. Nmap Scan Types II
- Not all systems are RFC compliant
- Responds differently on receiving certain TCP flags
- Mostly used in *nix based system
- FIN Scan (-sF)
- Sets the TCP FIN bit.
- XMAS (-sX)
- Sets the FIN, PSH, and URG flags
- Null Scan (-sN)
- Does not set any flags

31. Firewalls
- Modify source port
# nmap –g 80 <ip>
- Fragment the packet
# nmap –f <ip>
-Send packet with bad checksum
# nmap –-badsum <ip>

32. Thanks