

2007 A HACKING ODYSSEY PART 2:
NETWORK SCANNING & NMAP CONTINUED...




Port Scanning

Port scanning is a very useful technique, and one that very much favours the attacker. If we are to find a way into a network, it will more than likely be through a vulnerable service of some kind.

Most newcomers find ‘ports’ a difficult concept to grasp because they try to think of them as physical ports, so when I say there are 65536 different ports you probably picture the back of a computer with all these ports sticking out of it.

The ports are entirely configured in software and in very simple terms all they are is a way of keeping traffic from different services separate.

A service can be a Mail Server, a Web Server, an FTP server etc. If someone sends you an email, you don’t want it going to your web server do you?

So all these services are given their own ports to use by way of a port number. There are 65536 TCP ports and 65536 UDP ports.

Take a SMTP Mail server and an FTP server for example:

An SMTP Mail server usually uses port 25 (TCP) and an FTP server will usually use port 21 (TCP).

If I send you an email, your computer can’t simply read it and work out that it is an email that needs to go to the mail server – likewise, if I send you a file via FTP your computer can’t read this and know it is a file destined for the FTP service. Only the relevant services know what to do with the data, so we need a way to tell your computer to send the right data to the right service.

To accomplish this we put the destination port number in the packet and then send it to the computer. This way when the data arrives at the computer all it has to do is look for a port number, if it says port 25 then it knows to send it to the service listening on port 25, which will be the Mail server – the mail server receives this traffic, understands what it is and passes it on up to your mail client so you can read it.

If I want to send you a file via FTP I first open up a channel to you on port 21. Your computer receives this data, looks at the destination port number and knows where to send it to, in this case the service listening on port 21.

There is more to it than this, but in essence this is what happens.

The obvious limitation to this is that every service needs to be listening on the correct port – if I am to send an email to you I need to know that your mail server is listening on port 25 for me to put the destination port number in the packet…if you have your mail server listening on port 50, when I send an email to you, your computer will look at the port number (25), see there is no service listening on that port and drop the data. You would also be disrupting the service that should be listening on port 50.

For this reason the Internet Assigned Numbers Authority (IANA) have a very strict registration process to control which service will listen on which port.

From the IANA web site:

Quote:

The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

DCCP Well Known ports SHOULD NOT be used without IANA registration.
The registration procedure is defined in [RFC4340], Section 19.9.

The Registered Ports are those from 1024 through 49151

DCCP Registered ports SHOULD NOT be used without IANA registration.
The registration procedure is defined in [RFC4340], Section 19.9.

The Dynamic and/or Private Ports are those from 49152 through 65535


In layman’s terms: Well Known ports are used for the most common services specific to network and Internet functionality, such as FTP, SMTP, Telnet, HTTP, DNS etc.

Registered Ports are for common services that are not specific to the functionality of a network or the Internet, such as PC games, Kazaa, SQL cluster manager, anti-virus etc. – things that are widely used and whose port number others need to know in advance.

The Dynamic and private ports can be used by anyone for anything.

You can find a constantly updated list of port assignments on the IANA web site:
http://www.iana.org/assignments/port-numbers

So, taking it a step further and looking at it from a bad guy’s point of view, if someone wants to run a mail server and receive email then they need to have a mail server listening on port 25.

If we send a data packet to that port and we get a response back, we know that as per IANA regulations it has to be a mail server that sent this response. If we don’t get a response back then there is nothing listening on that port, hence there is no service running.

There are two main types of protocol used for the transmission of data over a network and the Internet: User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Even though they both do the same job, they do it in very different ways. If you are not too sure about how TCP and UDP work and the differences between the two, please read THIS before continuing with this paper, as you will need a rudimentary understanding of them to understand how a port scan works and the benefits of using different types of scan.

Which brings us nicely on to Nmap….

Nmap (Part 1 of 3)

Nmap is probably the world’s most famous and useful port scanner. It runs on pretty much every Operating System and is relatively straightforward to use. For Windows there is a graphical version and a command line version, which can both be found here:
http://insecure.org/nmap/download.html

For this paper I shall use the Command Line Interface (CLI) version; however, if you have never used it before it may be worthwhile to use the graphical version until you are comfortable with it.

After installing Nmap and the Winpcap drivers that come with it, Windows XP Service Pack 2 users should install the registry file. It can be found in C:\Program Files\Nmap: simply right click on ‘nmap_performance.reg’ and select Merge – the latest release has this as an install option.

You can now use Nmap by typing nmap directly into a command prompt. You need to be an administrator/root of the host you install Nmap on to use all of its features. If you already have Nmap installed use the following command to ensure you have the latest version (Version 4.20 as of this writing): “nmap --version”

If you do not add any option after typing nmap it will display a list of commonly used parameters that you can use for your scan:

Code:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Nokia>nmap
Nmap 4.03 ( http://www.insecure.org/nmap )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file)
  -r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -P0 -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES


Some of these options you will use all the time and some you may never use but if you spend a few minutes to read through them it will give you a basic understanding of the way you configure nmap to scan for you.

The syntax is generally ‘nmap’ followed by the scan type and any scan option, followed by the IP address or IP address range, followed by the ports you want to scan (not always required), followed by the output you want i.e. filename and file type:

Code:

nmap -sT -P0 80.80.80.80 -p 80 -oN scan.doc


This simple scan tells Nmap to conduct a TCP connect scan, against 80.80.80.80 on port 80 and to save the results to a file called scan.doc.

**I use the IP address of 80.80.80.80 in this paper purely due to the fact it is quick to type**
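To make concrete what the port explanation above and a TCP connect scan (-sT) actually boil down to, here is an added example that is not from the original tutorial or from Nmap itself: it starts two tiny constructed "mail" and "ftp" services on loopback ports chosen by the OS, then probes each port with a single connect() and classifies it as open, closed or filtered the way nmap reports it. The service banners, the port roles and the loopback-only target are all assumptions of this example.

```python
import socket
import threading
HOST = "127.0.0.1"  # loopback only: we probe our own constructed services

def start_service(banner):
    """Listen on an OS-chosen loopback port; greet each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    def serve():  # the 'service listening on port 25/21' from the text
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed: service shut down
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv

def probe_port(port, timeout=1.0):
    """One connect() probe, classified the way nmap -sT reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((HOST, port))      # full three-way handshake
        except ConnectionRefusedError:
            return "closed", b""         # RST came back: nothing listening
        except socket.timeout:
            return "filtered", b""       # no reply at all (dropped upstream)
        try:
            return "open", s.recv(64)    # open ports usually greet us
        except socket.timeout:
            return "open", b""

def demo():
    """Probe constructed 'mail' and 'ftp' services plus one unused port."""
    services = {"mail": start_service(b"220 mail.example ESMTP\r\n"),
                "ftp": start_service(b"220 ftp.example FTP ready\r\n")}
    ports = {name: srv.getsockname()[1] for name, srv in services.items()}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))              # bind-then-release: an unused port
        ports["unused"] = s.getsockname()[1]
    results = {name: probe_port(port) for name, port in ports.items()}
    for srv in services.values():
        srv.close()
    return results
```

Run demo() and you get the three outcomes a connect scan reports: the two listening ports answer with their banner (open), while the released port returns a reset (closed); a host that silently drops the probe would show as filtered.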

The following pages will cover all of the Scan Types, most of the scan options and a few perhaps not so well known tips and tricks we can perform with Nmap.

At this moment in time there are 12 different types of scan you can perform with nmap:

Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on March 2nd, 2007 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.