Recon with Nmap
- Network scanning for noobs & ninjas
Who are we?
Jayvardhan Singh @Silent_Screamr
- Web and Mobile Security researcher
- Bugbounty and Hall of Fame
- Microsoft | Apple | Nokia | Barracuda | Blackberry | Olark | Heroku
Nikhil Raj @0xn1k5
- Web, Network and Wireless pentesting
- RHCSA, RHCE & CEH
- Dump my tools at github.com/0xn1k5
Home Network
Diagram: central router at 192.168.0.1; hosts at 192.168.0.101, 192.168.0.102, 192.168.0.103 and 192.168.0.104
Enterprise Network
Diagram components: Firewall, Router, Switch, Hosts
Private IP
Class A : 10.0.0.0 – 10.255.255.255
Class B : 172.16.0.0 – 172.31.255.255
Class C : 192.168.0.0 – 192.168.255.255
Public IP
Internet
NAT/PAT
Find your own IP
Public IP
Just Google "what is my ip address"
Or, visit http://whatismyipaddress.com
Private IP
Open the cmd/terminal
and type:
# ipconfig (windows)
# ifconfig (Unix/Linux)
Private IP
Public IP
Who else is on the network?
# ping <target ip>
What Services are available?
- Each host needs to perform multiple networking operations, such as web browsing, instant messaging, file transfer, video streaming and remote management over RDP or SSH
- Each of these is either a TCP- or a UDP-based service, associated with a unique port number
Port Numbers
● Port numbers exist at the Transport Layer
● Size: 16 bits unsigned integer
● Range: 0 – 65535 (Both TCP & UDP)
– Well known port ( 0 – 1023 )
– Reserved port ( 1024 – 49151 )
– Dynamic or Private port ( 49152 – 65535 )
Common Services & Ports
● Web Services – tcp/80, tcp/8080, tcp/443
● FTP – tcp/20 & 21
● SSH – tcp/22
● Mail – tcp/25
● Database – Mysql (tcp/3306), Oracle
(tcp/1521)
● DNS - udp/53
● SNMP – udp/161
TCP vs UDP
TCP (Transmission Control Protocol)
• Reliable
• Connection-oriented (3-way handshake)
• Flow control, sequencing and acknowledgement
UDP (User Datagram Protocol)
• Unreliable
• Connectionless
• No retransmission and acknowledgement
TCP 3 Way Handshake - open port
SYN (client → server)
SYN + ACK (server → client)
ACK (client → server)
Service is listening (Open)
DATA
TCP 3 Way Handshake - closed port
SYN (client → server)
RST (server → client)
Service is not listening (Closed)
Demo Time
Demo with Netcat
Start Netcat Listener (Server)
# nc -l -p <port>
Use Netcat as client
# nc <ip> <port>
& Inspect traffic in Wireshark
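The open/closed outcomes from the two handshake diagrams above, as an added example that is not part of the talk: a full-connect probe (what `nmap -sT` does per port) against a local listener that stands in for the netcat server. The listener, the probed ports and the host 127.0.0.1 are constructed for the demonstration.

```python
import socket

def start_listener(port: int = 0) -> socket.socket:
    """Open a TCP listener on 127.0.0.1, the stand-in for 'nc -l -p <port>'.

    port=0 lets the OS pick a free port; read it back with getsockname().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv

def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Full-connect probe of one port, the same exchange 'nmap -sT' performs.

    connect() only returns once the kernel has completed SYN -> SYN+ACK -> ACK,
    so success means a service is listening ("open"). A RST in reply to the
    SYN surfaces as ConnectionRefusedError ("closed"). No reply at all within
    the timeout is reported as "filtered", Nmap's label for probes that a
    firewall silently drops.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # TimeoutError, EHOSTUNREACH and similar: no handshake
            return "filtered"

def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Probe several ports, like 'nmap -sT -p 21,22,80 <host>'; maps port -> state."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}

if __name__ == "__main__":
    listener = start_listener()             # our "netcat" server
    open_port = listener.getsockname()[1]
    print(connect_scan("127.0.0.1", [open_port]))   # {open_port: 'open'}
    listener.close()
    print(connect_scan("127.0.0.1", [open_port]))   # {open_port: 'closed'}
```

Run it with Wireshark capturing on the loopback interface to see the SYN/SYN+ACK/ACK and the SYN/RST exchanges side by side.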
Nmap
● Open Source
● Fast and efficient
● Supports multiple platforms
● Active community support
● Popular...Featured in Movies as well :-)
● Can be extended by using its Nmap Scripting Engine
Specifying Input Targets
# nmap scanme.nmap.org
# nmap 192.168.0.1
# nmap 192.168.0.1-200
# nmap 192.168.0.1/24
# nmap -sn -iL <ip_list>
Specifying port range
# nmap -p 80 192.168.0.1
# nmap -p 21,22,80 192.168.0.1/24
# nmap -p 1-65535 192.168.0.1/24
# nmap --top-ports 200 192.168.0.1/24
# nmap --top-ports 10 192.168.0.1 --reason
PS: By default nmap scans only the top 1000 most widely used ports; this can be changed using --top-ports
Nmap – Common Scan Types
TCP Connect Scan ( -sT )
- Complete 3-way handshake
# nmap -sT <target>
TCP SYN Scan ( -sS ) [Default]
- Also known as Half-open scan
# nmap -sS <target>
UDP Scan ( -sU )
- Scans UDP ports; runs slowly
# nmap -sU <target>
Nmap Options
- Skip host discovery if the host is not responding to ping probes
# nmap -Pn <target>
- Version Detection
# nmap -sS -sV <ip>
- OS Detection
# nmap -sS -O <ip>
- Use a timing template for a faster (but noisier) scan
# nmap -sS -T4 <ip>
- Aggressive scan (version, OS and script scan)
# nmap -sS -A <ip>
Nmap – Saving Output
- Output Format supported:
- Normal ( -oN )
- XML ( -oX )
- Grepable ( -oG )
- All Formats ( -oA )
# nmap -sS -sV -p- <ip> -oA <output_file>
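An added example (not part of the talk) of what to do with the saved output: parse the grepable (-oG) file that the -oA run above produces and compare open ports against an expected baseline, so unexpected services stand out. The scan output below is a constructed sample, not a real result.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV -p- 192.168.0.0/24 -oG out.gnmap
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.1 (router.lan)\tPorts: 53/open/tcp//domain//dnsmasq 2.85/, 80/open/tcp//http//lighttpd 1.4/\tIgnored State: closed (65533)
Host: 192.168.0.101 ()\tStatus: Up
Host: 192.168.0.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65532)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"^(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/(.*)$")

def parse_gnmap(text: str) -> dict:
    """Map each scanned IP to its list of port records from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip '# Nmap ...' header/footer lines
        fields = line.split("\t")         # -oG separates sections with tabs
        ip = fields[0].split()[1]
        records = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                m = PORT_RE.match(item.strip())
                if m:
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    records.append({"port": int(port), "state": state, "proto": proto,
                                    "service": service, "version": version.rstrip("/")})
    return hosts

def unexpected_open_ports(hosts: dict, baseline: dict) -> dict:
    """Defender check: open (proto, port) pairs that are not in the per-host baseline."""
    findings = {}
    for ip, records in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(r["port"] for r in records
                       if r["state"] == "open" and (r["proto"], r["port"]) not in allowed)
        if extra:
            findings[ip] = extra
    return findings
```

With a baseline allowing only tcp/22 on 192.168.0.101, the sample flags the unexpected SMB listener on tcp/445 while the filtered 3306 is left out.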
Nmap scan I
- TCP Services
# nmap -sS -p- -sV -O -Pn <target> -oA <out_file>
- UDP Services
# nmap -sU -p U:1-65535 -sV -Pn <target> -oA <out_file>
- Combining TCP and UDP Scan
# nmap -sU -sS -p U:53,111,137,T:21-25,80,139,8080 <target> -oA <out_file>
Nmap Scripting Engine
- Scripts end with the .nse extension
- Located at "/usr/share/nmap/scripts" in Kali
- Invoked using -sC (default scripts) or the --script switch
- Categorised as auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
- Can be used for enumeration, vulnerability detection, exploitation and more.
NSE Scans
- Executing the default script scan
# nmap -p 21 -sC -sV <ip>
- Executing a specific script
# nmap -p445 --script=smb-enum-shares <ip>
- Execute all smb scripts (quoted so the shell does not expand the wildcard)
# nmap -p445 --script="smb*" <ip>
- Execute scripts marked as safe and default
# nmap -p445 --script=safe,default <ip>
NSE Scans continued
- Enumerating services
# nmap -p445 --script=smb-enum-shares <ip>
- Brute Force Attacks
# nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt <ip>
- Vulnerability Scan
# nmap -Pn --script=vuln <ip>
# nmap -p445 --script=smb-vuln-ms17-010 <ip>
NSE Scans - Demo
Demo Time
Nmap Scan Types II
- Not all systems are RFC compliant
- They respond differently on receiving certain TCP flag combinations
- Mostly useful against *nix-based systems
- FIN Scan (-sF)
- Sets the TCP FIN bit.
- XMAS (-sX)
- Sets the FIN, PSH, and URG flags
- Null Scan (-sN)
- Does not set any flags
Firewalls
- Modify the source port
# nmap -g 80 <ip>
- Fragment the packets
# nmap -f <ip>
- Send packets with a bad checksum
# nmap --badsum <ip>
Thanks

Editor's Notes

  1. In a typical home network, all the devices are connected by WiFi or LAN to a central router/access point, and a unique IP is assigned to each device.
  2. An enterprise network is a bit more complex and can have many network devices sitting in the path before your traffic leaves the company's network. Inside the organization it uses the private IP addressing scheme, which is converted to a public IP at the gateway device (usually a firewall).
  3. Ask the audience to find their own public IP.
  4. The easiest way to check who else is on the network is to ping the IPs sequentially; if a host responds it is up, otherwise it may be down or simply not responding.
  5. When connected to the network, users may browse the web, stream video and download/upload files with the help of different services. These services can run over TCP (reliable), UDP (unreliable) or both, on different port numbers.
  6. TCP: a stable connection must be established before data transfer is initiated, via a process known as the three-way handshake. UDP is a connectionless protocol: communications are sent without any expectation of a timely confirmation of receipt from the remote end. Thus, one has to allow a longer timeout before it can be assumed that a remote port is closed.
  7. On a network pentest engagement, you will receive a list of IPs or a network subnet. You have to first identify the live hosts and confirm them with the client.