Insecure.Org
Nmap: Scanning the Internet
by Fyodor
Black Hat Briefings USA – August 6, 2008; 10AM
Defcon 16 – August 8, 2008; 4PM
[Link]
Scan Goals
• Collect empirical data and use it to enhance Nmap functionality.
• Use the data to help knowledgeable people make your scans more effective.
• Detect and resolve Nmap bugs and performance issues through the large-scale scanning.
• Demonstrate techniques useful for routine scans as well as wide-scale Internet scanning.
Scan Challenges: Determining the IP Addresses to Scan
• Dozens of large but targeted scans rather than one giant scan.
• Many options: BGP routing tables, DNS zone files, registry allocation, etc.
• Nmap's own random IP generation:
– nmap -iR 25200000 -sL -n | grep "not scanned" | awk '{print $2}' | sort -n | uniq >! tp; head -25000000 tp >! 25MIPs; rm tp
Scan Challenges: Scan Source
• P2P scanning?
• Legal issues
• ISP response
• US Department of Defense response
– DoD JTF-GNO: Joint Task Force for Global Network Operations
Scan Challenges: Firewalls
• Network conditions often differ significantly behind firewalls vs. Internet scanning
• Contributed data
Scan Challenges: Performance and Accuracy
• Internet scanning is long, hard work. Can be disheartening:
– Stats: [Link] elapsed; 254868 hosts completed (2048 up), 2048 undergoing UDP Scan
UDP Scan Timing: About 11.34% done; ETC: 03:21 (688:41:48 remaining)
• Finding and resolving performance and accuracy problems is a key goal.
Optimizing Host Discovery
• Goals
• Big challenge: Deciding on discovery methods
• Echo requests and even Nmap default discovery (TCP ACK to port 80 & echo request) are often insufficient for Internet scanning.
TCP Host Discovery Methods (-PS, -PA)
• SYN packet discovery (-PS)
– Best against stateful firewalls
• ACK packet discovery (-PA)
– Best against stateless firewalls
TCP Host Discovery Example
# nmap -n -sP -PS80 [Link]
Starting Nmap ( [Link] )
Host [Link] appears to be up.
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
# nmap -n -sP -PA80 [Link]
Starting Nmap ( [Link] )
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 2.07 seconds
TCP Host Discovery Methods: Top Ports
• Adding more TCP SYN and ACK probes can help, but which ports work the best?
Top 10 TCP Host Discovery Ports
• 80/http
• 25/smtp
• 22/ssh
• 443/https
• 21/ftp
• 113/auth
• 23/telnet
• 53/domain
• 554/rtsp
• 3389/ms-term-server
UDP Host Discovery (-PU)
• Closed ports better than open ones because they are more likely to respond.
• Port 53 often worthwhile due to firewall exceptions for DNS.
ICMP Host Discovery Methods (-PE, -PM, -PP)
• Some systems intentionally allow echo requests, but block the others.
• Others block echo requests explicitly, but forget about netmask/timestamp requests.
• Solution: Use both – echo request and one of the other two.
Protocol Ping (-PO)
• Default is to send 3 probes, for protocols 1 (ICMP), 2 (IGMP), and 4 (IPinIP)
Default Host Discovery Effectiveness
# nmap -n -sL -iR 50000 -oN - | grep "not scanned" | awk '{print $2}' | sort -n > 50K_IPs
# nmap -sP -T4 -iL 50K_IPs
Starting Nmap ( [Link] )
Host dialup-[Link].[Link] ([Link]) appears to be up.
Host dialup-[Link].[Link] ([Link]) appears to be up.
Host [Link] ([Link]) appears to be up.
[thousands of lines cut]
Host [Link] appears to be up.
Host [Link].[Link] ([Link]) appears to be up.
Nmap done: 50000 IP addresses (3348 hosts up) scanned in 1598.067 seconds
Enhanced Host Discovery Effectiveness
# nmap -sP -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 -iL 50K_IPs
Starting Nmap 4.65 ( [Link] ) at 2008-06-22 19:07 PDT
Host [Link] ([Link]) appears to be up.
Host [Link] ([Link]) appears to be up.
Host [Link] appears to be up.
Host [Link] ([Link]) appears to be up.
[thousands of hosts cut]
Host [Link] ([Link]) appears to be up.
Host [Link].[Link] ([Link]) appears to be up.
Host [Link] appears to be up.
Nmap done: 50000 IP addresses (4473 hosts up) scanned in 4259.281 seconds
Enhanced Discovery Results
• Enhanced discovery:
– took 71 minutes vs. 27 (up 167%)
– Found 1,125 more live hosts (up 34%)
Upgrade your Nmap
• Many bug fixes and performance improvements in version 4.68. See [Link]
• For even newer, try the svn release. See [Link]
• For all the goods in this presentation:
svn co --username guest --password "" svn://[Link]/nmapexp/bhdc08
Top Ports Project
• A massive scan of millions of Internet IPs to determine most commonly open TCP and UDP ports.
• Some large organizations also contributed scan data to give a behind-the-firewall perspective.
• nmap-services file augmented with frequency data for each port.
Default Scan Ports
• In Nmap 4.68: 1715 ports for TCP scans, plus 1488 for UDP scans. Ports 1-1024, plus all named ports above that.
• With augmented nmap-services: Top 1000 ports for each protocol. Finishes faster, and often finds more open ports.
Fast Scan (-F) Ports
• In Nmap 4.68: 1276 ports for TCP scans, plus 1017 for UDP scans. Includes all named ports.
• With augmented nmap-services: Top 100 ports for each protocol.
Fast Scan Example Times
• nmap -sUV -F -T4 [Link]
– With 4.68: 1 hour, 2 minutes, 62 seconds
– With bhdc08: 6 minutes, 29 seconds
– With bhdc08 & "--version-intensity 0": 13 sec
– All three found the same open port (53)
New --top-ports and --port-ratio features
• --top-ports <n> scans the most commonly open <n> ports for each protocol requested.
• --port-ratio <n> (where <n> is between 0 and 1) scans all ports with a frequency of at least the given level.
Top 10 TCP ports
• 80 (http)
• 23 (telnet)
• 22 (ssh)
• 443 (https)
• 3389 (ms-term-serv)
• 445 (microsoft-ds)
• 139 (netbios-ssn)
• 21 (ftp)
• 135 (msrpc)
• 25 (smtp)
TCP effectiveness of --top-ports values
• --top-ports 10: 48%
• --top-ports 50: 65%
• --top-ports 100: 73%
• --top-ports 250: 83%
• --top-ports 500: 89%
• --top-ports 1000: 93%
• --top-ports 2000: 96%
• --top-ports 3674: 100%
Top 10 UDP ports
• 137 (netbios-ns)
• 161 (snmp)
• 1434 (ms-sql-m)
• 123 (ntp)
• 138 (netbios-dgm)
• 445 (microsoft-ds)
• 135 (msrpc)
• 67 (dhcps)
• 139 (netbios-ssn)
• 53 (domain)
UDP effectiveness of --top-ports values
• --top-ports 10: 50%
• --top-ports 50: 86%
• --top-ports 100: 90%
• --top-ports 250: 94%
• --top-ports 500: 97%
• --top-ports 1017: 100%
• Note: -p- UDP data not yet available
Packet Rate Control
• --min-rate <packets per second>
• --max-rate <packets per second>
nmap --min-rate 500 [Link]
Putting it all Together
nmap -S [srcip] -d --max-scan-delay 10 -oA logs/tcp-allports-%T-%D -iL tcp-allports-1M-IPs --max-retries 1 --randomize-hosts -p- -PS21,22,23,25,53,80,443 -T4 --min-hostgroup 256 --min-rate 175 --max-rate 300
Nmap News!
Nmap Scripting Engine (NSE)
# nmap -A -T4 [Link]
Starting Nmap ( [Link] )
Interesting ports on [Link] ([Link]):
Not shown: 1709 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp closed smtp
53/tcp open domain ISC BIND 9.3.4
70/tcp closed gopher
80/tcp open http Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Site doesn't have a title.
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime: 40.425 days (since Tue May 13 [Link] 2008)
Nmap done: 1 IP address scanned in 30.567 seconds
Raw packets sent: 3464 (154KB) | Rcvd: 60 (3KB)
NSE Demo
# ./nmap -PN -v -sU -p53 -T4 --script=dns-test-open-recursion,[Link],dns-safe-recursion-[Link] [Link] [Link]
Interesting ports on [Link] ([Link]):
PORT STATE SERVICE
53/udp open domain
|_ DNS source port randomness: ERROR: Server refused recursion
|_ DNS TXID randomness: ERROR: Server refused recursion
Interesting ports on [Link] ([Link]):
PORT STATE SERVICE
53/udp open domain
|_ Nameserver open recursive querys (CVE-1999-0024) (BID 136, 678): Recursion seems enabled
|_ DNS source port randomness: [Link] is GREAT: 51 queries in 3.2 seconds from 51 ports with std dev 16099
|_ DNS TXID randomness: [Link] is GREAT: 52 queries in 3.3 seconds from 52 txids with std dev 20996
Zenmap GUI
2nd Generation OS Detection
# nmap -A -T4 [Link]
[...]
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
More info: [Link]
Version Detection
Now has 4,803 signatures
# nmap -A -T4 [Link]
Starting Nmap ( [Link] )
Interesting ports on [Link] ([Link]):
Not shown: 1709 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp closed smtp
53/tcp open domain ISC BIND 9.3.4
70/tcp closed gopher
80/tcp open http Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Site doesn't have a title.
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime: 40.425 days (since Tue May 13 [Link] 2008)
More info: [Link]
Nmap done: 1 IP address scanned in 30.567 seconds
Raw packets sent: 3464 (154KB) | Rcvd: 60 (3KB)
--reason
# nmap --reason -T4 [Link]
[...]
Interesting ports on [Link] ([Link]):
Not shown: 1709 filtered ports
Reason: 1709 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp closed smtp reset
53/tcp open domain syn-ack
70/tcp closed gopher reset
80/tcp open http syn-ack
113/tcp closed auth reset
--packet-trace
# nmap --packet-trace -p 25,113 [Link]
Starting Nmap ( [Link] )
[...]
RCVD (0.1430s) TCP [Link]:25 > [Link]:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
RCVD (0.1440s) TCP [Link]:113 > [Link]:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
[...]
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Advanced Traceroute
# nmap --traceroute [Link]
[...]
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 0.60 [Link] ([Link])
[...]
6 9.74 [Link]
7 10.89 [Link] ([Link])
8 10.52 [Link] ([Link])
9 14.25 [Link] ([Link])
10 12.80 [Link] ([Link])
Performance and Accuracy
# nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80 -oG [Link] [Link]/20
Starting Nmap
[...]
Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 46.052 seconds
TCP and IP Header Options
# nmap -vv -n -sS -P0 -p 445 --ip-options "L [Link]" [Link]
Ncat
• A modern interpretation of Hobbit's venerable Netcat
• Supports virtually all of the Netcat 1.10 features, except the basic portscanner.
• Also supports SSL, IPv6, multiple platforms, connection brokering, port redirection, proxies (client, server, chaining), shell execution, access control, and more.
• In development since 2005, nearly ready for release. Current dev lead is Kris Katterjohn.
• Available from svn://[Link]/ncat (login: guest/guest)
Ndiff
• Compares two (or more) scans, displays changes (new/removed hosts, ports, changed services, etc.)
• Great for quick change detection with recurring scans.
• Perl version available from: svn://[Link]/nmapexp/ndiff
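A minimal scan-to-scan comparison in the spirit of Ndiff, added here as an example and not the Ndiff tool itself: it parses two grepable (-oG) results and reports added, removed and changed hosts and ports. Both scan results are constructed for illustration.

```python
import re

# Two grepable (-oG) scan results, constructed for illustration only.
SCAN_OLD = """\
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 4.3/, 80/open/tcp//http//Apache httpd 2.2.2/
Host: 192.0.2.11 ()  Ports: 25/open/tcp//smtp///
"""
SCAN_NEW = """\
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 5.1/, 443/open/tcp//https///
Host: 192.0.2.12 ()  Ports: 3389/open/tcp//ms-term-serv///
"""

# One -oG port entry: port/state/proto/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Return {host: {(port, proto): (state, service, version)}}."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue  # comment and Status-only lines carry no port data
        ports = hosts.setdefault(m.group(1), {})
        for port, state, proto, service, version in PORT_RE.findall(m.group(2)):
            ports[(int(port), proto)] = (state, service, version)
    return hosts

def ndiff(old, new):
    """List added (+), removed (-) and changed (~) hosts and ports."""
    changes = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            changes.append(f"+ host {host}")
        elif host not in new:
            changes.append(f"- host {host}")
        else:
            o, n = old[host], new[host]
            for port, proto in sorted(set(o) | set(n)):
                key, label = (port, proto), f"{host} {port}/{proto}"
                if key not in o:
                    changes.append(f"+ {label} {n[key][0]}")
                elif key not in n:
                    changes.append(f"- {label} {o[key][0]}")
                elif o[key] != n[key]:
                    changes.append(f"~ {label} {o[key]} -> {n[key]}")
    return changes

if __name__ == "__main__":
    for line in ndiff(parse_grepable(SCAN_OLD), parse_grepable(SCAN_NEW)):
        print(line)
```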
Nmap Network Scanning
[Link]
Top Nmap Contributors since 4.50
Aaron Leininger, Adriano Monteiro Marques, Allison Randal,
Andrew J. Bennieston, Andy Lutomirski, Arturo Buanzo
Busleiman, Benson Kalahar, Bill Pollock, Brandon Enright,
Brian Hatch, Chad Loder, Chris Gibson, Daniel Roethlisberger,
David Fifield, David Moore, Diman Todorov, Doug Hoyte,
Dragos Ruiu, Dudi Itzhakov, Eddie Bell, Emma Jane Hogbin,
Gisle Vanem, Guilherme Polo, HD Moore, Ithilgore, Jabra,
Jah, James Messer, Jason DePriest, Jeff Nathan, Jesse
Burns, Joao Medeiros, Jurand Nogiec, Kris Katterjohn, Lamont
Jones, Lance Spitzner, Leigh Honeywell, Lionel Cons, Martin
Macok, Max Schubert, Michael Pattrick, Mixter, Nathan Bills,
Patrick Donnelly, Philip Pickering, Rainer Müller, Raven Alder,
Rob Nicholls, Sebastián García, Simple Nomad, Solar
Designer, Stephan Fijneman, Steve Christensen, Sven
Klemm, Thomas Buchanan, Thorsten Holz, Tim Adam, Tom
Duffy, Tom Sellers, Tyler Reguly, van Hauser, Vlad Alexa,
Vladimir Mitrovic, William McVey, Zhao Lei
Questions and Resources
• Download Nmap from [Link]
• Download these slides from: [Link]
• Nmap Network Scanning prerelease is available at:
– Black Hat Bookstore – Sold out!
– No Starch booth at Defcon starting at 10AM Friday.
• Newest Nmap: svn://[Link]/nmapexp/bhdc08