

2007 A HACKING ODYSSEY PART 2:
NETWORK SCANNING & NMAP CONTINUED...




Ping Sweeps

A lot of people don’t understand Nmap’s full potential when it comes to ‘ping’. Typically a ping refers to an ICMP echo request being sent to a host and an ICMP echo reply being sent back to the initiating host. For the majority of people this is enough to determine if a host is up or down.

However, it is considered good security practice in today's world to block most ICMP types from entering a network. Take a PIX firewall for example: by default it will block every ICMP type from coming in to the network it is protecting, so an internal user can send an ICMP echo request out to the Internet but the reply will never get back in, resulting in a **timed out** being displayed to the user.

This can really mess Nmap up if you are using the default scan options, as the first thing it will do is try to ping the host; if no reply is received the scan will be aborted.

To overcome this obstacle we can simply use the -P0 switch in our command, which tells Nmap not to ping the host we are scanning; a fact which Nmap will helpfully inform us of:

Code:

C:\Documents and Settings\Nokia>nmap -sT 80.80.80.80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-25 13:55 GMT Standard Time

Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

Nmap finished: 1 IP address (0 hosts up) scanned in 3.937 seconds


With the -P0 option:

Code:

C:\Documents and Settings\Nokia>nmap -P0 -sT 80.80.80.80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-25 13:55 GMT Standard Time

Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect() Scan
Connect() Scan Timing: About 72.66% done; ETC: 14:00 (0:01:13 remaining)
Interesting ports on 80.80.80.80:
Not shown: 1696 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap finished: 1 IP address (1 host up) scanned in 253.344 seconds


So either the host is sitting behind a firewall of some kind that is blocking ICMP, or the host itself is ignoring our ICMP packets.

(Try an ACK scan to see if you can determine whether it is behind a packet filter or a stateful firewall, and maybe what it will allow through.)

Nmap uses ICMP response times to judge the speed of its scan, so you may run into timing issues if you use the -P0 switch.

If you are using the Idle Scan option or spoofing your IP address it is a good idea to use the -P0 option, as Nmap will otherwise use your real IP address to ping the host before starting the scan; it can't use the spoofed IP address as it needs to receive the ICMP echo reply back.

However, as mentioned Nmap does not always think of ping in the typical ICMP way but we may still need to ping a host that is behind a firewall which is blocking all ICMP types. How can we do this?

Nmap includes a range of non-ICMP pings:

Nmap can determine whether a host is alive, and the latency to that host, by sending a variety of TCP packets with different flags set to a specific port; this is known as a TCP ping.

TCP ACK:

In the same way the TCP ACK scan works, Nmap can send a TCP packet with the ACK bit set to a specific port on a host. Just like the ACK scan, if a RST packet is returned Nmap deems the host to be alive; if no RST is received Nmap deems the host either to be 'dead' or that the packets were filtered.

So even though ICMP may be blocked we could ping it with a TCP packet instead.

Do not think of this as a port scan as it is not; its sole aim is to detect if a host is alive behind a given IP address that may have ICMP filtering active.

The syntax for it is -PA<port numbers>:

nmap 80.80.80.80 -PA25

You can still specify a normal scan option too if you so desire:

nmap -sT 80.80.80.80 -PA25

If you want to ping multiple ports simply separate them with a comma.

To prove it works, consider the following output:

Code:

C:\Documents and Settings\Nokia>ping 87.237.61.100

Pinging 87.237.61.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 87.237.61.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 


So something is blocking ICMP from reaching that host; let's try the TCP ACK Ping:

Code:

C:\Documents and Settings\Nokia>nmap  81.80.80.34 -PA80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-02 20:18 GMT Standard Time

Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.41% done; ETC: 20:18 (0:00:28 remaining)


By pressing the space bar we can get Nmap to tell us what stage it is at. Notice the '0 hosts completed (1 up)' part: Nmap has successfully pinged the host with a non-ICMP packet.

TCP SYN Ping:

The TCP SYN Ping is exactly the same as a TCP ACK Ping, except it uses a SYN packet instead of an ACK packet. Stateful firewalls will usually filter out unsolicited ACK packets, hence a TCP ACK Ping may fail. To overcome this we can ping a host on a well-known port that we think has a good chance of getting through a firewall, usually ports 80 and 25.

We will send a SYN packet to make the firewall think we want to establish a valid connection to the service that is listening on that port.

The syntax is:

nmap <ip address> -PS<port numbers>

Again separate multiple port numbers with a comma.

UDP Ping:

A UDP ping works in conjunction with ICMP and relies on an ICMP Port Unreachable message being returned by the host when a UDP packet is sent to a closed port.

For this reason you should try to ping a port that has a good chance of not being open, as a service on an open UDP port may silently drop a packet it does not understand (see UDP port scanning, above, for a more detailed description).

The syntax for a UDP ping is:

nmap <ip address> -PU<port numbers>

Again, separate the port numbers with a comma if you want to scan multiple ports.

UDP Pinging is an inherently unreliable ping due to it relying heavily on ICMP packets, which as we know are usually filtered out.

ICMP Mask and Time-Stamp pings:

There are two rather antiquated pings that Nmap still supports called an ICMP Time-Stamp ping and an ICMP Mask ping.

I would strenuously suggest staying away from both of these as, a) the chances of them working are very remote, and b) they stand out like a MAC at a Defcon meeting to someone analysing the packets flowing through a network.

A timestamp request is a prehistoric method for two hosts to synchronize their clocks; nowadays NTP is the preferred method. There is a small plus to using this method: if it works you have a very good chance of successfully attacking the network, as anyone who allows these packets to traverse layer 3 devices probably does not understand their job too well.

An ICMP Mask Ping is an ICMP query asking a host for its subnet mask. If this works then, just like the timestamp request, the chances are very high that the network is not secured properly, that the OS patching state is not very recent, or that legacy infrastructure hardware is in use on the network.

The syntax for the timestamp request is:

nmap <ip address> -PP

And the syntax for the Mask Ping is:

nmap <ip address> -PM
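Seen from the firewall, every ping type in this section (and the plain ICMP echo that -P0 skips) leaves a distinct trace: an unsolicited ACK with no prior SYN, a SYN to 80 or 25, a UDP packet to an odd port, or an ICMP timestamp/address-mask request that no normal client sends. The script below is an added example, not part of the original tutorial, that labels constructed firewall-style log lines by the Nmap ping they resemble and reports a source that mixes several of them or sends the conspicuous ones; the log format, the 10.0.0.x source addresses and the thresholds are my own assumptions.

```python
import re

# Constructed firewall-style log, one packet per line (not from the tutorial).
LOG = """\
10.0.0.5 80.80.80.80 ICMP type=8
10.0.0.5 80.80.80.80 TCP dport=25 flags=A
10.0.0.5 80.80.80.80 TCP dport=80 flags=S
10.0.0.5 80.80.80.80 UDP dport=40125
10.0.0.5 80.80.80.80 ICMP type=13
10.0.0.5 80.80.80.80 ICMP type=17
10.0.0.9 80.80.80.80 TCP dport=443 flags=S
10.0.0.9 80.80.80.80 TCP dport=443 flags=A
"""

LINE = re.compile(r"^(\S+) (\S+) (ICMP|TCP|UDP) (.*)$")
# ICMP request types behind the echo, timestamp (-PP) and address-mask (-PM) pings.
ICMP_PROBES = {"8": "icmp-echo (-PE)", "13": "icmp-timestamp (-PP)", "17": "icmp-mask (-PM)"}
# Probes no legitimate client sends; any one of them is worth a look on its own.
CONSPICUOUS = {"icmp-timestamp (-PP)", "icmp-mask (-PM)", "unsolicited-ack (-PA)"}

def label_packet(src, dst, proto, kv, sessions):
    """Return the Nmap ping type this packet resembles, or None for ordinary traffic."""
    if proto == "ICMP":
        return ICMP_PROBES.get(kv.get("type"))
    if proto == "UDP":
        return "udp (-PU)"
    key = (src, dst, kv.get("dport"))
    if kv.get("flags") == "S":
        sessions.add(key)  # a SYN opens a session; later ACKs on it are expected
        return "tcp-syn (-PS)"
    if kv.get("flags") == "A" and key not in sessions:
        return "unsolicited-ack (-PA)"  # no prior SYN: what a stateful filter drops
    return None

def find_sweeps(log, min_kinds=3):
    """Pairs that used min_kinds probe types, or any conspicuous one, with sorted labels."""
    sessions, seen = set(), {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, proto, detail = m.groups()
        kv = dict(field.split("=", 1) for field in detail.split())
        label = label_packet(src, dst, proto, kv, sessions)
        if label:
            seen.setdefault((src, dst), set()).add(label)
    return {pair: sorted(kinds) for pair, kinds in seen.items()
            if len(kinds) >= min_kinds or kinds & CONSPICUOUS}
```

Calling find_sweeps(LOG) reports only the 10.0.0.5 pair with all six probe labels; 10.0.0.9 just opened a normal connection to 443, so its ACK is not counted.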



I think this is waaay getting too long now, so I will end Part Two here.

In Part three I will cover further basic Nmap options, Nmap timing options, OS fingerprinting, real world examples of using all the options and some not so well known tips and tricks for using Nmap.

Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on March 2nd, 2007 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within it's Network.