
NMAP 101

BSides SLC · 2017 · 27:59 · 54 views · Published 2017-06 · Watch on YouTube ↗

Category: Technical
Difficulty: Intro
Style: Talk
About this talk
An introduction to the popular network scanner NMAP. We'll go through host and service discovery using different types of scans, using the NMAP Scripting Engine (NSE), and even write a simple script of our own.
Transcript [en]

[Music] I've been involved in the InfoSec community here for about three years. I've done computers for a lot longer, but InfoSec for three. Before that I had a lot of jobs; one of them, I was a drill sergeant in the Army. I won't make anyone do push-ups, I promise. But in basic training in the Army there are certain core tools: if you're going to be a soldier you have to be good at shooting a rifle, it's fundamental. And I think nmap kind of falls into that in InfoSec. It's one of those core tools, like Wireshark. Those are tools that you want; they're core.

What I've done: we've got about half an hour for the presentation. At the URL at the bottom I've got the presentation and the example script that we're going to go through, so don't worry about taking notes. As long as you download the git repo you're going to have everything. We're going to go through examples, but the reality is you're going to have to run the scans to get it fully and to get comfortable with it. That's why I made the materials, so you can go ahead and do it again; the more you do it the more familiar it will be.

So obviously the first question is: what is nmap? If you think about Google Earth, finding buildings and then finding doors to buildings, you can kind of use that parable. Basically host discovery (yes, next slide): look at what machines exist on this subnet, or even bigger; what ports are open on that machine; add more detail about the machine, not just what ports are open but what services are running and what versions are running. It also can fingerprint an OS, so that when it is through with the scan it compares results and tells you, with a degree of confidence, what operating system is running on the machine. It's not absolute, but the results are pretty good. And then additional functionality through the nmap scripting engine: basically you can programmatically enhance the capabilities of nmap, and we're going to go through some of that. That in a nutshell is what nmap can do.

Because scanning, people don't like getting scanned. I don't know if it's legal or illegal, but I cover myself, so obviously get written, explicit permission before you scan somebody unless you own it. The URL at the bottom: if you're in the class and you're going to try some examples, this is a URL for a host run by the guy who wrote nmap, and he explicitly says on the page you can scan this machine. So if you can't spin up some VMs to play with it, I would say go scan this host; you've been given permission.

Ways to get it: most of us will be on Kali or some type of Linux, and so package management is probably the best option. I like it because you're updating and managing it; it's just easy that way. Binaries, if you're not on Linux, are probably the most convenient way to put it in. And it is open source, so if you want to compile it, most people don't, but if you do that's great. Now most of what we're going to go through is a command-line environment using nmap, but it's actually got a GUI, and it's actually a really good GUI. I still do a lot of command line, but the nice thing about it, if you're learning nmap, is that if you use Zenmap, which is the GUI, it will actually show the different options. So if you don't know everything and you're still filling it out, using Zenmap is a good way to learn the tool. It's also included in Kali by default.

Now, when they say a port scanner, most of us probably understand what that means, but just to make sure that we understand: basically, if a host was an apartment building, then each apartment would be like a port, a door where you can knock and see who's available, if they answer, and what's available on that port or that door. There are some that are pretty well established; we know about those. One thing to keep in mind is that if you want to run a service on port 1 to 124, most of the time the operating system will require that you have some type of privileged user to run the service, so port 80 is HTTP and so on and so forth. Now in the IP header a port is given sixteen bits of possible address space, which basically means about 65,000 possible ports on each machine.

One thing: by default, unless you specify otherwise, nmap will scan the thousand most popular ports, the most commonly used ports. I'm going to show you the configuration option where you can actually say let's use them all; obviously that costs you in time. Usually we consider a port open, as a general rule, if it responds, and closed if it doesn't respond. Some ports, especially when you go with UDP, you may get results where, because it's not a definitive process, it may be hard to ascertain if that port is actually open or not. Speaking of which, TCP, again most of you know about this, has a very definitive connection process: a connection is either open or it's not, and it has reliability features built into it. UDP is best-effort, so UDP scans will take a lot longer. If you're port scanning for UDP, I'll show you how, but it will take a long time; just accept that that's the way it is. The thing about it is, say if you're doing syslog, like 514, that's usually UDP by default, and you'll have to do a UDP scan if you want to find out if that's open.

For TCP, the reason we know the connection is established is that it does what's called the three-way handshake: I want to talk to you; yes, let's talk; okay. Then there are different ways you can scan, where you can either go with the whole connection process, or you can actually just get the initial response and not complete that handshake. It's faster, especially if you're scanning a lot of ports and a lot of hosts; there are some advantages to not doing the full three-way handshake.

nmap does a lot; it doesn't just scan the port. What it will do is, okay, I've got these machines I want to reach; it'll try to discover the hosts. Usually we call that ping, except it doesn't just do ICMP; it actually tries to connect on 443 and port 80. So if you have a firewall that blocks ICMP it can still discover a host if it can reach it on port 80, so a little different ping than you would normally think. It will try to do reverse DNS, then obviously the port scan which you all know about. It will actually try to find out what services are running if you include the right option, I'll show you that, and also OS fingerprinting, traceroute (not frequently used, but it's there), and also if you're running a script it will show you that, and then obviously the output. There's a way you can turn off some of these features; you're not always running them, but this is the sequence it works in.

So if you want to find out if hosts exist but you don't want a port scan right away, you just want host discovery: the first option you see is the option that won't do port scanning; it'll just try to discover the hosts. So if you're short on time and you don't want to port scan an entire subnet, you just want to see what hosts are there and maybe port scan specific ports, that's useful. The second option doesn't try to discover, and in one of the scans I'm going to show you later on that's desirable. And the last one is actually kind of an interesting one. Most of these can be done over the Internet, but if you want to scan machines that you're on the local network with, maybe they're not even running HTTP or any of those services but they're local to the network and they're up, with -PR they do an ARP scan. So for local host discovery that's a neat trick; it doesn't work over the Internet, but on the local network it does.

Another type of scan, the simpler, more straightforward scan, is the TCP connect scan. It does the full three-way handshake. You do not have to be privileged in the OS in order to perform a connect scan; it does the full handshake, comes back with the results, and at the bottom is an example of that. The scan where you don't do the full three-way handshake, which is faster especially if you're doing a lot of hosts and a lot of ports, is the SYN scan. If you're root on a system then nmap will try to optimize the scan and this will be the default. What it will do is the SYN, and as soon as it gets the SYN-ACK it will be done; it won't do the last ACK, and that will speed up the results, but you have to be privileged. Obviously the UDP scan takes time, but it's the only way to find out what UDP services are available on a machine. So I would say that is not the first scan I would do against a machine; eventually it does have enough value to do it, it just might not be the first thing you do. So the V is important, because we're going to talk about version detection: if you're going to spend the time doing a UDP scan, adding the V flag enhances the results you're going to get back from the scan.

Two scans that are kind of interesting, and the way they do it, are the Xmas and null scans. In TCP there are some flags like SYN, SYN-ACK and so forth. What it does is it turns on some of those flags, kind of breaking some of the rules, but it can go in and discover hosts in a unique way. Sometimes they call this what they call a stealth scan, because in the past the machine might not recognize that it's actually being interrogated, but I wouldn't count on that for stealth anymore. One thing is it depends on the host on the other end following the standards, the RFCs, and Windows is known not to follow the standards with this. So what happens is if you scan a Windows host, the results you get from this may not be that good; just expect that.

And probably the most interesting scan is the idle scan. When you're running an idle scan, what happens is there's your target host, but you don't want the target host to see that it's getting scanned by you. So what you do is you forge that you're sending it from another machine. That machine has to be idle, basically not doing a lot, like that dusty network printer; that's a good example of a host you would use for that. So what happens is you send the request but you say that you're the idle machine. Before you send a request you check the idle machine; it will respond with the sequence ID. You send a request; if that port is open it will respond back to the idle machine and actually increase the sequence number. Then you can request from that idle machine, and if you see the sequence number moving up, you're effectively able to discover what ports are open on a machine without the machine that you're scanning seeing that it's coming from you. It's the real stealth scan. The thing that kind of makes this one work or not work is that the idle machine really has to be idle, because if it's doing other things then that sequence ID will not work for you. Does that make sense?

Version detection: besides just knowing if a port is open or not, you can find out what program is running, and we usually want the version. A lot of software programs will come back and say Apache version whatever or SSH version whatever, and the benefit, if you're trying to attack a machine, is you know, oh, this is this software, this version, I think there's an exploit for that. So you're getting more value out of the scan by detecting the version. Basically a lot of services will have banners, and it basically will display that banner as it does the port scan. -O: basically what it'll do is attempt to fingerprint as it scans, and it will come back and check the results of that scan against fingerprints that nmap has, and it'll tell you, hey, I think this is Linux, I think this is Windows, I think this is Mac, I think it's this version. The value of that is again, in your recon, in the phase where you're reconning, information is useful to know; the more you know the better, right? So that's good for recon.

The only thing I'd say, and realize, is that if you're trying to be discreet, port scanning is not necessarily that discreet. I'll show you some options for that. In fact this next option, which is timing: by default it has basically between, I think, zero and five, and by default it's at three. So you can go up to, say, four or five and you'll get results faster, but sometimes the results will actually not be as good; it's rushing and the results may suffer from that. Now the reason why you might slow it down: have you ever turned on Wireshark and then port scanned somebody? It's obvious; you can see that someone's port scanning. If you slow it down it won't be this big rush of traffic and maybe you might not be as obvious; you know, try to hide the fact that you're port scanning somebody. Five is fast, one is slow, sorry, yes, good question.

Now as far as timeouts: what happens is sometimes it makes a request and it'll wait for quite some time before it will move on to the next one, and you can actually specify, hey, don't wait more than this. The benefit is, obviously, if there's latency, or if you skipped host discovery and that machine doesn't exist, then you're going to be trying to port scan something that doesn't exist; by putting a timeout you save yourself some time; it won't go on and wait for a longer period of time.

Now usually if you run it it will show output to the screen, but you may actually want to use nmap to feed another tool. There may be some type of vulnerability scanner that you want to take the results from your nmap scan and feed into, so nmap allows you to format your output in a few different ways. N is just what you usually see on the screen, X is XML, S is script kiddie, and that's kind of interesting; I suggest you do that at least once. I don't know what the utility is, but it looks a little fun to look at. G is grepable, which if you're going to feed it into other tools and grep certain things will make it a little bit more useful, and A is all; it'll actually do it in all the formats and output it. So if you want to feed something else or evaluate it after your scan, specifying output is useful.

Now that was basically the functionality; nmap started out just as a port scanner. You can write a port scanner in about eight lines of Python. But in about the middle part of the last decade Google sponsored a Summer of Code and they added the nmap scripting engine to nmap, and it's really added a lot more functionality; it has really enhanced what it can do for you. We're going to hit it, but also Jason, who is going to present after this, hits just that part. But yeah, there are a lot of scripts; even if you don't want to write scripts there are about 500 of them. Usually in Kali it's /usr/share/nmap/scripts, and you'll see 500 or more, probably more now, that you can use already; you don't have to write anything, just use it.

Now some scripts are pretty gentle and some scripts might actually take a machine down if you aren't careful, so they've categorized them, and with some you're actually trying to do something malicious, like denial of service, right. Usually they will exist in at least one or two categories, like default and intrusive; a script obviously won't be in both of those, but usually a script will be in at least one of those. They're written in Lua, so just a quick question: who here has ever scripted World of Warcraft? There has to be someone in here, right? Okay, don't feel bad. But they use Lua, which is the same scripting engine World of Warcraft uses, so if you're familiar with that the syntax will feel familiar. They have a basic pattern that they all have, and I'm actually going to show you some very simple examples of how it looks when you're writing your own scripts. When things are not working, the -d flag is your best friend; it'll give you feedback and help you understand what's happening. And they actually have in nmap a bunch of shared libraries, so if there's common functionality, instead of writing it yourself I recommend first looking in the libraries; you can probably save yourself writing a lot of code and use the libraries to do that.

So here is an example of about the simplest nmap script I could write. Basically at the top, down to the line that says categories, that's the header; it's a lot of metadata, some information about it. The rule part is the port rule, to the end, and all it does is, hey, if this port state looks like it's open, then I'm going to perform the action. So if it doesn't pass the port rule it doesn't perform the action, and the rule in this case is: is this going to say I'm open? Not that interesting, probably the least useful nmap script you're ever going to see, but it's useful for understanding the structure.

So I have a practical example in here. Okay, I've written a script; let me scroll up here so you have my header. It's just the metadata, right, not that interesting. What this script does is it's going to connect to a web server, get the certificate, look at the expiration date and show it to me. The use case for the script is that I've got a ton of websites, I've got SSL certs, and instead of maintaining an Excel spreadsheet, if I just want to know which ones are about to expire, this will give me results quickly on a lot of websites. That's what I use this script for. So I have the port rule; it basically looks to see if it's an SSL port. I have an additional little helper function in here that just formats my string into something human readable, and then the last part, the action, is basically where it gets the cert, runs, and outputs the expiration. So nothing super complicated. Now I'll run it; I'll show you. Actually let me clear this here. In this script, because I know that I only want 443, I can speed up my nmap script by just specifying 443; I don't scan all the ports, which makes it faster. Then I'm going to run my script, which I just showed you, and with -iL (uppercase L) what I'm basically saying is my input will be a list, and it will be this file. I'm going to just show you the file; it's like three websites that I run, those are the ones I'm going to scan. So as I run the script it'll come back fairly quickly, and what it does is it'll give me, for each host, when the expiration date is. Now for three sites that might not be too useful, but if you've got six hundred or more sites, this is an example of how nmap can allow you to get information pretty quickly from your sites. Any questions on this script? I don't expect you to totally understand it, but just get the idea of what nmap scripting can allow you to do.

And if you're interested, and I hope you are, that's why you came here, and you want to learn more, there's obviously the page; there's Nmap Network Scanning, the big book, a good book, I've got it, and you actually have most of that book on the website. Nmap Essentials was actually my first book, the one that taught me how to get used to nmap; I still think it's a good book. And if you just want a quick reference to nmap, SANS has an nmap cheat sheet, kind of like the tri-folds that you've gotten in your bag as you came here; they have one specifically for nmap. Again, I think once you've used it you probably won't use that cheat sheet a lot, but when you're getting used to using it it's a good tool. So with that, I think I have a little bit of time for questions. Any questions? Oh good, yes.
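The certificate-expiry script walked through in the talk, written out here as an added example for this page. This is not the speaker's repository script; it follows the same header / port rule / helper / action layout the talk describes, and reports how many days remain on each host's certificate so that a large host list can be sorted by urgency. It assumes the standard NSE libraries shortport, sslcert and stdnse (with the calls shown), that Lua's os.time is available inside NSE, and uses a file name (cert-expiry.nse) and helper names that are my own.

```lua
-- cert-expiry.nse (added example, not the talk's script)
-- Header: metadata Nmap reads before deciding whether to run the script.
local shortport = require "shortport"
local sslcert   = require "sslcert"
local stdnse    = require "stdnse"
local os        = require "os"

description = [[
Fetches the TLS certificate from an SSL port and reports its notAfter date
and the number of days until it expires (negative if already expired).
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Rule: only run against ports Nmap believes speak SSL/TLS
-- (443 and friends by number, or anything -sV flagged as ssl).
portrule = shortport.ssl

-- Helper: format the NSE date table into a human-readable string
-- (the same job the talk's helper function does).
local function date_to_string(d)
  return string.format("%04d-%02d-%02d %02d:%02d:%02d",
    d.year, d.month, d.day, d.hour, d.min, d.sec)
end

-- Helper: whole days between now and the date table. The certificate
-- date is UTC while os.time treats the table as local time, so this is
-- accurate to within the local UTC offset, which is fine for expiry triage.
local function days_until(d)
  local expiry = os.time({year = d.year, month = d.month, day = d.day,
                          hour = d.hour, min = d.min, sec = d.sec})
  return math.floor((expiry - os.time()) / 86400)
end

-- Action: runs only when the port rule above returned true.
action = function(host, port)
  local status, cert = sslcert.getCertificate(host, port)
  if not status then
    -- Visible with -d, the flag the talk recommends while debugging.
    stdnse.debug1("getCertificate failed for %s: %s",
                  host.targetname or host.ip, tostring(cert))
    return nil
  end

  local not_after = cert.validity.notAfter
  local out = stdnse.output_table()
  out.subject   = cert.subject.commonName
  out.not_after = date_to_string(not_after)
  out.days_left = days_until(not_after)
  if out.days_left < 0 then
    out.status = "EXPIRED"
  elseif out.days_left < 30 then
    out.status = "expires within 30 days"
  else
    out.status = "ok"
  end
  return out
end
```

Run it the way the talk does, restricted to 443 and fed a host list: `nmap -p 443 --script ./cert-expiry.nse -iL hosts.txt`, adding `-d` if the script misbehaves. Returning an `stdnse.output_table()` rather than a plain string means the same fields also appear structured in `-oX` output, which matters when the results are being handed to another tool.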

There are scripts, I told you there's... okay, the question was: is there a script for checking whether SSH accepts passwords versus public key? Yeah, good idea, that's a good scan. There are a bunch of SSH scripts. Let's go; I don't want to run over time, but let's see here. Let's see what we can see: ls the scripts, so I do ls ssh, and it looks like there's enumerate the algorithms used, host keys, and check for SSH v1. So there isn't one built in, but again, with nmap scripting and with the class we're going to have, you might be able to write your own to do that. Good question.

Other questions? Well, if you don't remember anything else and you're not excited about nmap, just to let you know, Trinity uses nmap. Those of you who remember the second Matrix movie: she used nmap to discover that SSH was available and then used, at that time, a zero-day SSH exploit to hack into the power grid. So if you can hack the power grid with nmap, then it must be good. So, well, thank you, appreciate you coming out.