LAB 1 Network Mapping 4
Evaluation on Networking Mapping 7
LAB 2 RPC and NFS Exercise 8
UDP NFS Versions: 2-4 (RPC # 100003) 9
Analysis and Evaluation 11
LAB 3 RSH and Rlogin 12
Evaluation of Rlogin 12
Lab 4 X Window System Exercise 14
Evaluation on X windows 16
LAB 5 Common Solaris RPC Programs 17
Evaluation and Analysis 18
6.Windows Password Hashes Question 18
LAB 7 Windows Enumeration 19
LAB 8.Finger 21
Evaluation on Finger 22
Lab 9 SMTP 23
LAB 10DNS 25
DNS EVALUATION 27
LAB 11.Web Application 28
LEASON LEARNTAND EVALUATION 29
Network Mapping is a way for rapidly scanning large network. Network mapping uses IP packets in determine what hosts are alive on the network, what service hosts are offering.
1. Ping sweep is a basic network scanning technique used to determine which of a range of IP addresses map to live host (computers).A ping sweep consists of ICMP Echo request sent to multiple hosts. If a given address is alive, it will return an ICMP ECHO reply.
In this lab, a ping sweep against range 10.0.57.1-10.0.57.39 was conducted using a tool, ANGRY IP SCANNER and below figure 1.1 shows the results.
Figure 1.1 showing the ip range 10.0.57.1-39
The table 1.1 shows the IP address and ICMP TTL
IP Address ICMP TTL
2. Ping sweeps were sent on the network and most of them responded. One host that was alive on the network but didn???t respond to ping was 10.0.57.9 after running the scan again, Figure 1.2 below shows the results
Host IP Address: 10.0.57.9
MAC Address: 00:24:81:6c:6c:3A
Figure 1.2 showing a live machine not responding to ping
3. TCP port scan allows one to discover which tcp ports are open on target host. These are the entry points to a host that is either connected on a network or internet. TCP port scan was done on host 10.0.57.20 using a tool ,???ZENMAP??? and command nmap ???T4 ???v ???PE 10.0.57.20 and below figure 1.3 shows the results of the scan and 7 ports where open
Figure 1.3 TCP port scan
4.UP port scan was also done on host 10.0.57.20 using tool backtrack and only one port was open .figure 1.4 shows the result and the command that was run to get the results was nmap ???Su 10..0.57.20
Fig 1.5 UDP port scans
Evaluation on Networking Mapping
From the lab exercise, pings are useful in determining if a host is alive and we can use ping tools for host discovery. After obtaining a list of targets, next task was to scan the ports on the network. Main goal was to identify which ports where open on a host .scan was done and TCP and UDP, and from the information obtained, the results can be used to attack network devices, as vulnerabilities related to these ports are discovered.
LAB 2 RPC and NFS Exercise
RPC enables a system to make calls to programs such as NFS across the network transparently,
1. To list the rpc services listening on host pine, we use nmap with the following command Procedure :nmap ???sV 10.0.57.1.
The TCP NFS version is 2-4(rpc # 100003),
Below figure shows the results of the scan.
Fig 2.1 showing RPC services on pine
UDP NFS Versions: 2-4 (RPC # 100003)
Procedure:nmap ???sU sV 10.0.57.1
Fig 2.2 showing UDP port scan
2 .the results below show which NFS file system are exported by pine using the command showmount ???e
Fig 2.3 showmount -e
Filesystem Allowed Hosts
File system Not Allowed Hosts
3. Trophy Filename: pen_Test_Trophy_file
Fig 2.4 trophy file
Trophy File UID: 0
Trophy File GID: 0
The figure below shows the Trophy file UID and GID
Fig 2.5 showing UID and GID
4. Display contents of the trophy file, you run the cat command as show below
Fig 2.6 contents of the trophy file
Analysis and Evaluation
From the lab analysis of RPC, I have learnt that you can point Nmap to a remote machine and see what ports are open. After running a tcp and UDP port scan, ports are discovered to be open. The version detection interrogates those ports to determine more about what is actually running.
The show mount will display a list of exported directories on a host. Using the showmount ???e command, attackers can send a malicious crafted RPC request to obtain a list of directories exported and attacker may exploit them .File access are determined by the servers in most cases. NFS uses UID and GID. From the lab experiment, both had a value of 0.any user who has access to this will have root access, and if a malicious user has access, they can create any account or modify the uid and gid.
LAB 3 RSH and Rlogin
RSH, remote shell is a command that executes the command on a remote machine and Rlogin allows remote login like telnet
1. To remotely login into Rodney???s account, we run the command rlogin 10.0.57.1 ???l Rodney and the figure below show the results
rlogin 10.0.57.1 ???l Rodney
Fig 3.1login into rodneys account
To gain interactive access to rodneys account and run the runme .we use the command sudo /.runme which will allows us to execute the runme.The result will show the trophy file
The trophy file is lab 3 trophy file as shown in the figure below
Fig 3.2 lab 3trophy file
Evaluation of Rlogin
Rlogin is a service that runs on port 513 and allows users to login into the host remotely. Hats was successfully achieved was that I was able to login into pine using the command rlogin ???l.I successfully logged into the remote host using Rodney???s account on pine as shown in figure 3.1.
My other observation, the reason why I was able to connect remotely without any authentication problems was because the rlogin service is insecure and can potentially allow anyone to login in without providing a password or using the same password the remote user uses.
Lab 4 X Window System Exercise
X windows system x11, is a windows system for bitmap displays or the standard UNIX windowing system.
1. Use a TCP port scan to find a system in the range 10.0.57.1 ??? 10.0.57.39 that is running the X Window system and accepting network connections. Enter the host???s IP address and the listening TCP port below.
Fig 4.1 X11
2. Given this IP address and port, what value would you need to use for the DISPLAY environment variable or ???display option to cause an X client program to use the X server on this system?
Fig 4.2 display string
Display String: 10.0.57.12 43042 10.0.571.22
3. To determine the information from the server, the figure below shows the results
Fig 4.3 X.org version
X.org version number: 7.1.1
Screen dimensions (pixels): width 800, height 600, depth 600 visual class: truecolor
Fig 4.4 screen dimensions
Evaluation on X windows
X windows was lab was a challenge but interesting as this gave me depth understanding of how a client is an applications and server controls the display.the x server runs multiple displays and each display has multiple screens attached to it .
X windows is implemented from start as a client/server model, and from my observation run on Rodeys account on pine, it???s also suited for remote application deployment.
LAB 5 Common Solaris RPC Programs
Program Solaris Versions Vulnerability / Notes
bootparam 8,9 Attacker can obtain the domain name from bootparam.attacker can guess which system on the client or server. Attacker can use the domain name to make NIS provide password file
cachefsd 2.5.1 Allows a remote attacker to execute arbitrary command with root privileges
cmsd 4 Owned by bin, run by root
dmispd 7 Allows local users to fill up restricted disk space by adding files to the /var/dmi/db database
kcms_server 2.6, 7, 8, 9 read any file as root
mountd 0.4 Allows remote attacker to cause a buffer overflow
Nfs Any Often allows access via uid/gid manipulation
nlockmgr Any Remote denial of service attack,causes lock demon to fail
rpcbind Any Always present if RPC enabled
rquotad any It returns quotas for a user of a local file system which is mounted by remote machine over the NFS
rstatd 2,3,4 Server which returns performance statistics obtained from kernel
rusersd any Command returns users currently on the network
sadmind 7, 8, 9 root command execution
snmpXdmid 2.6, 7, 8 root command execution
sprayd Version1 Used to send a stream of packets to host you specify
ttdbserverd 2.6,8 Attacker can cause buffer overflow and execute aribitary code
walld 2.6 Allows local users to send messages to logged on users that appear to come from arbitrary users ids
Evaluation and Analysis
6.Windows Password Hashes Question
Analysis and evaluation
LAB 7 Windows Enumeration
1. Retrieve the NetBIOS name table for each of the systems below and complete the table. The first row has been filled in for you.
Fig 7.1 NetBIOS name
IP System Name Domain / WG DC (Yes/No) Master Browser (Yes/No)
10.0.57.10 AZURE LONDON No No
10.0.57.12 Mumbika-hp workgroup No no
10.0.57.13 chelani workgroup No No
10.0.57.15 Nduba cathias No No
10.0.57.16 cholwe workgroup No No
10.0.57.17 Edward-pc workgroup No No
2. To obtain the results, I used nmap ???T4 ???A ???v 10.0.57.10-17
System Name Version Service Pack SQL Server PDC
AZURE Windows 2003 SP1 No No
mumbika Windows 7 Sp1 no
cathias Windows 7 ultimate SP1 No NO
cholwe Windows7 ultimate SP1 No NO
edward Windows 7 enterprise SP1 NO NO
3. The Windows 2000 system has Restrict Anonymous set to zero. Obtain a list of users on this system and find the trophy user with a username of six random lowercase characters. Write the trophy username below:
Note: you should not use RID cycling for this question.
Trophy username: YENDOR
4. Find the trophy share name on the Windows 2000 system, and write the share name below:
Trophy share name: yendor@pine
5. Obtain a list of users from the PDC for the LONDON domain. Find the name of the built in administrator account, and the name of the trophy user. The trophy user name consists of six lowercase letters, and is not a window built in account. Write the names below:
Administrator username: admin
Windows enumeration was done using a tool called advanced ip scanner to scan to the network. Main goal was to enumerate users on the windows system to retrieve information of the NetBIOS name and work group they belong. A pen tester who is examiming the network may wish to determine the purpose each result, it being computer name, work group or operating system. From the lab that was carried from Nmap, the computer name and domain where returned in the SMB OS discovery.
1. Use the finger service on pine to get a list of users. One of the users has some sensitive information that can be obtained through finger. Write the name of that user below:
Fig 8.1 list of user on pine
2. Using the information obtained, login as the user and display the trophy file.
Fig 8.2 list trophy file
Trophy: lab 4 trophy and lab 8 trophy
Finger successfully completed
Evaluation on Finger
One of the first activities in conducting penetration testing using backtrack is to perform user enumeration In order to discover valid user names.in this lab, I examined how to manually discover user names using finger on pine host and obtaining some sensitive information on a user .once logged in ,remotely ,I was able to run the runme file. Obtaining user information of a specific user can lead to loss of data.
Lab 9 SMTP
Use the SMTP service on oak to determine which of the following users exist:
User Exists (Yes/No)
Fig 9.1 users on oak
To enumerate users in an SMTP server using nmap, you enter the command nmap – -script smtp-enum-users 10.0.57.7.once users are found, they will be included in the script
SMTP is a service that can help a pen tester to perform user enumeration. The SMTP lab was performed using Nmap and the smtp-user-enum command. The only thing that was required was to enter the Ip address of the remote host and execute the command.
SMTP is a common service that can be found on every network as learnt from this lab.Its best practice to properly configure mail servers by disallowing the execution of commands.
DNS resolves names to ip addresses allowing us to type a website into the address bar without having to remember the ip address instead.
1. using the name server 10.0.57.1, determine the following information. You can obtain all this information with regular DNS queries.
IP address of host yew.training.nta-monitor.com 10.0.57.103
IP address of name server for london.training.nta-monitor.com 10.0.57.102
IP address of primary mail server for training.nta-monitor.com 10.0.57.104
Serial number for training.nta-monitor.com zone 13
Operating system for yew.training.nta-monitor.com Windows 98
Hostname associated with ntp0.training.nta-monitor.com
Fig 10.1 determine name servers
2. using the name server 10.0.57.1, determine the following information:
FQDN of host with address 10.0.57.99 Training.nta-monitor.com
3Using the name server 10.0.57.1, obtain all the DNS records for the zone demo.nta-monitor.com, and determine the name of the text record with the value “DNS zone transfer trophy”.
Text Record Name:
Determine the version of the BIND name server at 10.0.57.1 using a DNS query:
BIND Version 9.3.6-P1-redhat-9.3.6
This lab was based on security reconnaissance point of view after carrying out the DNS labs on host yew.trainning.nta.monitor.com.DNS can be exploited and offers a means of discovery of an organisation public and possibly private server???s service and the corresponding IP addresses location. One observation noticed, a domain authorative DNS server will give information regarding the domain mail servers. To successfully complete the lab, I used nslookup to obtain all the results.
LAB 11.Web Application
Valid User Message: thank you for banking with hacme bank
Invalid User Message: invalid login
2. the sql injection used was ???OR 1=1 ??? in hack me bank
LEASON LEARNTAND EVALUATION
The web application penetration test lab was focused on evaluating the security of a website. The process involved activities and analysis of the application weakness flaws and vulnerabilities. From the lab exercise, a very important observation is that an attacker can gain access to unauthorised data or perform activities .An attacker is able to force user sessions ids to explicit value and thus, they process steal or manipulate user session and cookies, which may be used to impersonate a legitimate user allowing the hacker to view or altar certain records and perform transactions.
The website had stored administrative contents such as directories. An attacker can manipulate these directories and they can be able to access them. In other word, the attacker is able to reconfigure the web servers and access sensitive information.
An attacker can launch cross site scripting attacks or several other tricks to obtain the session id of the remote logged in user and can gain access to the user account sitting remotely through different ip addresses and cause loss of information. Cross site scripting attack have proven to be an injection problem. From my evaluation, malicious scripts were injected into the websites and they mostly occur on web applications.
The SQL injection technique exploited security vulnerability in the database layer of the web application. Vulnerabilities where presented by inserting strings in the login boxes.
Nmap: a “Hacker Tool” for Security Professionals
by Justin Hutchens
The notion of the “ethical hacker” has always been an ironic one. The developing trends of ethical hacking and offensive security have transformed the information security industry into one of the most self-perpetuating industries in the world.
The software and tools that are used to secure vulnerable information assets are the same tools that can be used to exploit them. Perhaps it’s the other way around. Perhaps the tools that were created for the sole purpose of exploiting information assets are now being used to safeguard them. I suppose this is a debate that could go on forever and is really just another instance of “what came first…the chicken or the egg?”
The purpose of this essay is not to discuss the philosophical question of intent. My intentions are more modest. I merely seek to justify the importance of a tool that has been consistently labeled as malicious hacking software. The tool that I am referring to is Network Mapper, or nmap for short. Whether you are a crazed rogue agent that is bent on inciting global revolution or a network security professional (hopefully the latter, rather than the former), nmap should have a permanent place in your toolkit. Perhaps, instead of hurling criticism at an extremely functional networking tool, we should hold individuals accountable for their actions and reflect upon the well-known Benjamin Parker caveat…“with great power, comes great responsibility.” Despite some claims to the contrary, nmap is not malicious software. And I think the only reason that it is often labeled as such is because of its very impressive list of capabilities. Despite its potential to do harm, nmap can certainly play an important role in securing a network infrastructure within a professional environment.
Nmap has steadily evolved over the years from a simple scanning utility into a full blown penetration testing platform. It can be used in every step of the security auditing process, to include network discovery, port scanning, service enumeration, vulnerability mapping and even exploitation. Throughout this article, I will discuss the capabilities of nmap as they pertain to each step in the penetration testing process.
Installation and Preparation
Obviously, prior to using nmap, it is important to have a functional version installed on the system that you are using. By default, nmap is already installed on most penetration testing and network security operating systems such as Kali-Linux, Backtrack, DEFT, Node-Zero, Security Onion and NST. However, it can also be loaded to nearly any platform of your choice. Nmap can easily be installed on all commonly used operating systems to include Windows, Linux and OSX. There is also documentation available for installing it on more obscure platforms to include BSD, Solaris, AIX and AmigaOS. Installation packages and instructions on how to perform the install on any of these systems can be found at http://nmap.org/book/install.html.
Zenmap – Graphical Interface
In addition to the traditional command-line interface for nmap, there is also a graphical front-end interface called Zenmap. Zenmap is also integrated into many of the different penetration testing platforms previously discussed. However, it is not installed by default in Kali-Linux (the platform that I will be using for this tutorial). Fortunately, it is in the installation repository and can easily be installed with a single command:
apt-get install zenmap
Zenmap’s point-and-click interface not only effectively streamlines what would otherwise require complicated commands but it can also be an extremely useful tool for learning how to use nmap. It uses ‘profiles’ to save commonly used scan configurations for later modification and/or use. Take a look at the image of the Zenmap interface that is provided in Figure 1 and we will briefly address each of the components.
Figure 1. Zenmap Graphical Interface
The first component is the Target field (Figure 1. A). This field is where you can specify the remote systems that you want to run a scan against. You can enter a single IP address (e.g. 192.168.1.1), you can enter a sequential range of IP addresses (e.g. 192.168.1.0-255) or you can use CIDR notation to specify a desired subnet (e.g. 192.168.1.0/24). The second component is the Profile field (Figure 1. B). You can click on the drop down arrow to the right of this field to see several pre-configured profiles for scanning. Profiles allow you to save commonly used scan configurations for future use. You can also create profiles of your own and they will then appear in this list (we’ll discuss how to do this later in this article). The third component is the Command field (Figure 1. C). This field will indicate the command that is going to be sent to the backend. To launch the command appearing in this field, you simply click the Scan button. You can modify the value in this field directly; however, it will be automatically populated based on the values of the Target field and the selected profile. If you are new to nmap, you should pay close attention to this field, as it will provide you with a better understanding of the appropriate syntax and use of different nmap commands. The fourth component is the Host/Service list (Figure 1. D). Once you have performed scans, information will be populated in this list. If you have the Hosts button selected, all discovered host IP addresses will be listed. And if you have the services button selected, all discovered network services will be listed. The final component (Figure 1. E) is where you can sort through all of the information that has been produced by all the scans that you have performed. The Nmap Output tab will display the exact output that would be provided if the command had been entered from the command-line interface. The Ports/Hosts tab content will vary depending on if you have the Hosts or Services button selected for your list. If the Hosts button is selected, then the information under the Ports/Hosts tab will reflect the services that were identified on the actively highlighted IP address in the list. Otherwise, if the Services button is selected, the information under the Ports/Hosts tab will identify all hosts that were found to have the particular service that is highlighted in the list. The topology tab will provide a graphical representation of the logical topology of the network, to include all hosts that have been discovered by scanning. It will use returned TTL (Time-To-Live) values to display the logical orientation of hosts, relative to one another. The Host Details tab is where you will find the bulk of information that has been discovered about a selected host. This information includes MAC addresses, IP addresses, open ports, identified services, operating system information and any additional information that has been collected. Finally, the scans tab will provide a history of scans that have been performed during the session.
At the top of the screen you will see several different drop-down menus to include Scan, Tools, Profile and Help. The Help menu is self-explanatory. The Scan menu contains options to create new scans, save scans or open previously saved scans. The Tools menu provides some additional functions that can be used to sort through and organize information collected during your scans. And the Profile menu provides options to create new scan profiles or edit existing profiles.
We will now briefly discuss how to create a new profile and then launch a scan using that profile. To get started, select the Profile drop-down menu and then select “New Profile or Command.” This will open up a profile configuration interface that can be seen in Figure 2.
Figure 2. Zenmap Profile Editor
The first tab (Profile tab) allows you to create a unique name and description for the profile. All the other tabs are where you will specify different configurations that will be used in your scan. As you can see in the Scan tab displayed in Figure 2, creating a scan profile is as simple as checking the boxes for options that you want to enable, entering values so that those options can be effectively employed, or selecting from pre-defined choices in the drop-down menu. If you are unsure about the function or appropriate use of any option here, you can hover over it with your mouse and the help column on the right side of the screen will be automatically populated with information on what the specific option does and appropriate values and syntax for any requested input fields. With each minor adjustment that you make to the scan configuration, the command field at the top is adjusted accordingly. This feature makes Zenmap an extremely effective tool in learning how to use nmap commands correctly. Once you have configured the scan options to your liking, you can either select the Scan button at the top right of the screen for single use, or you can select Save Changes at the bottom right. The Save Changes button will save the profile with the name provided on the first tab configurations and can then be used immediately or at a later time by selecting it by name from the Profile drop down menu on the main Zenmap interface. Although Zenmap is very powerful, you should not allow it to become a crutch that prevents you from learning the command line functions of nmap. Although Zenmap can perform many of the same functions, it still has its limitations and is not as powerful as nmap. To use nmap effectively and to its full potential, it is important to become equally familiar with the command line interface.
The first step in the penetration testing process that we are going to discuss is network discovery. Prior to evaluating the security of information systems on a network, you first need to identify what you are evaluating. There are a number of different ways that you can discover hosts on a network by using nmap. In this section, we will discuss how to use nmap to perform host discovery at layers 2, 3 and 4 of the OSI model and we will also discuss the advantages and disadvantages of each. An example of a command to perform layer 2 discovery can be seen here:
nmap -PR -sn 192.168.1.0-255
The switch specifies an ARP ping. This uses layer 2 ARP (Address Resolution Protocol) packets to identify live hosts within the specified range. It does this by sending out an ARP broadcast request for each of the IP addresses identified. If there is a live host on the network with one of those IP addresses, that host will send an ARP reply to the scanning system with its IP address and its corresponding layer 2 MAC address. Nmap will collect replies from all live hosts and then will return a list of hosts that were discovered. The switch is used to request nmap not perform any port scanning. This prevents the transmission of any additional traffic, beyond what is necessary to perform the layer 2 host discovery sweep. Layer 2 discovery is effective because it is the fastest of all three options. However, it is limited by the fact that it can only be performed against hosts that are on the same local area network as the system that is performing the scan.
For remote hosts, you will have to use either layer 3 or layer 4 discovery. An example of a command that could be used to perform layer 3 discovery is:
nmap -PE -sn 126.96.36.199-255
This command will send a series of ICMP echo requests to each layer 3 IP address in the list. Nmap will collect all ICMP echo replies that are received and will return a list of all live hosts. This discovery scan is slower than performing an ARP ping, but it will return results for hosts on remote networks.
Finally, suppose that you are attempting to discover remote systems (so you can’t use layer 2) that are behind a firewall that drops all incoming ICMP traffic (so you can’t use layer 3). To address this problem, you will need to perform discovery at the transport layer (layer 4). There are several different ways that you can use layer 4 scans to perform discovery. One effective method is using a UDP ping. An example of a UDP ping command is:
nmap -PU53 -sn 188.8.131.52-255
This command generates a series of DNS server status requests for each of the target IP addresses. A series of DNS query responses will be received from live hosts and nmap will then return these results. Because DNS is a commonly used service on UDP port 53, it is possible to identify additional live hosts by using this technique that may have been configured to not respond to ICMP traffic. Another effective layer 4 alternative to ICMP ping sweeps is to use a TCP ACK ping. An example of this can be seen below:
nmap -PA80 -sn 184.108.40.206-255
This command will send a series of unsolicited ACK replies to the specified port for all of the hosts in the IP range. Because these ACK packets were out of context of any established line of communication, live hosts will reply with a TCP RST packet to indicate that the communication should be discontinued. Nmap will collect these responses as the indication of live hosts and will then return a list of them.
Port Scanning and Service Enumeration
Now that we have discovered the active IP addresses on the network that we are performing a penetration test against, we next need to identify open ports on each system and the services running on those ports. Scanning TCP ports on remote systems is the most basic function of nmap. To perform a TCP scan of a target system, use the basic command:
Like other nmap commands, this can also be used to perform scans against multiple hosts by using a sequential series (192.168.1-255) or CIDR notation (192.168.1.0/24). This standard nmap command performs a scan on 1000 commonly used TCP ports. Alternatively, you can specify a single port to scan by using the -p switch followed by the port number that you want to scan.
nmap 220.127.116.11 -p 21
This above command will scan TCP port 21 on the specified system. You can also scan a series of ports by using the -p switch and then listing the desired ports, separating them with commas.
nmap 18.104.22.168 -p 80,443
This command will scan ports 80 and 443 on the target system. You can scan a sequential range of ports by using the switch followed by the first value in the range, a dash, and then the last value in the range.
nmap 22.214.171.124 -p 0-100
The above command scans the first 100 ports. To scan all 65,536 TCP ports on a target, use the following command:
nmap 126.96.36.199 -p 0-65535
You can use a TCP ACK scan to identify ports that are filtered. To do this, use the -sA switch. You can then specify a port or series of ports. No port specification will scan the standard 1,000 ports. This will then return a list of filtered ports. An example of this command can be seen below:
nmap 188.8.131.52 -sA
Penetration testers and security professionals will sometimes only scan for open TCP ports on target systems. Overlooking UDP services can cause one to completely overlook glaring vulnerabilities that might easily lead to compromise. To scan for UDP services on a target system, use the following command:
nmap 184.108.40.206 -sU
Because UDP services are not connection oriented in the same way that TCP services are, this will take longer than a typical TCP scan. The time required to complete UDP scans can be reduced by scanning for specific ports. You can specify ports the same way you had with TCP scans.
nmap 220.127.116.11 -sU -p 69
The above command performs a scan of UDP port 69, a commonly used port for TFTP (Trivial File Transport Protocol). It is also possible to identify the version and version number for each particular service. To do this, use the -sV switch.
nmap 18.104.22.168 -sV
This command will use a combination of banner grabbing and probe-response analysis to attempt to identify the service and version number of that service for each scanned port. Using similar techniques, it is also possible to have nmap attempt to determine the operating system that is running on the target. To do this, use the switch.
nmap 22.214.171.124 -O
Once completed, it will either return a positive identification of the operating system or it will give a best guess and then a list of other possible operating systems.
Advanced Scanning Techniques
There is a common problem that you will frequently encounter when performing a penetration test against mid to large size enterprise networks. Most companies and organizations these days have become more security-minded and will likely have firewalls or intrusion detection systems standing between you and the systems that you are trying to scan. To scan such systems, we will need to employ some more advanced scanning techniques. One way to potentially bypass firewalls and/or intrusion detection systems is to use some traditional stealth scanning techniques that are integrated into nmap. One method that can be employed is to use a slower timing template. Timing templates range from (paranoid scan) all the way up to (Insane scan). The lower the value of the timing template, the slower the scan will be performed. Slower scans are less likely to be flagged by intrusion detection systems. An example of a paranoid scan would be:
nmap 126.96.36.199-255 -T0
Another technique that can be used to mask your scan is to flood the network with additional decoy traffic using the switch. This function will allow you to specify multiple addresses to spoof traffic from or you can use the RND option to spoof traffic from random addresses.
nmap 188.8.131.52-255 -D RND:5
In addition to performing the traditional TCP port scan of the target systems, the command above will also spoof traffic from 5 random addresses to obfuscate the actual scan traffic. Another technique that can be used is to vary the packet length of your transmitted requests. Some intrusion detection systems and firewalls will drop packets based on signature packet lengths. To prevent this, you can specify the data length by using the switch followed by the packet size in number of bytes.
nmap 184.108.40.206-255 –data-length 15
This command will send all scanning traffic in packets that are 15 bytes in length. While this might be helpful to avoid some signature based intrusion detection systems, consistently sending packets of an unusual specified packet length could flag an anomaly based intrusion detection systems. Network intrusion detection systems will also flag traffic if you begin to sequentially connect to systems within a specified network range. To avoid performing your scans in sequence, you can use the switch.
nmap 220.127.116.11-255 –randomize-hosts
This command above will randomly scan each host in the range instead of performing them in sequence (18.104.22.168, then 22.214.171.124, then 126.96.36.199, etc…). While you can’t spoof your IP address (because you wouldn’t receive the replies necessary to determine open ports), you can spoof your MAC address. To do this, you can use the –spoof-mac switch, followed by a vendor ID, a specific MAC address, or 0.
nmap 188.8.131.52-255 –spoof-mac 0
Using 0 as your argument will apply a random MAC address to your scan traffic. One final technique that is worth mentioning is using the -f switch to fragment packets.
nmap 184.108.40.206-255 -f
Fragmenting packets will separate the data payloads of your scan traffic into multiple packets, allowing it to more easily bypass content inspection intrusion detection systems or firewalls. While all of these techniques can be effective for scanning publically accessible servers behind a firewall, they are usually not sufficient for scanning hosts on an internal network. While certain publically accessible servers will be available for scanning, much of the internal infrastructure will be deeper within the network and not so easily accessible. Consider the diagram in Figure 3. This is a simple example of a common configuration in enterprise networks.
Figure 3. Common Network Configuration
The problem that we encounter here is that the internal network lies behind an internal firewall, which has stricter rules about ingress traffic, compared to the external firewall. This internal firewall is likely blocking inbound traffic from remote addresses on the web; however, it is possible that the systems in the DMZ can communicate with the internal systems. In order to be able to scan these internal systems, we must make the systems in the DMZ work on our behalf. We will discuss several different ways to do this, to include proxy scanning, zombie scanning and FTP bounce scanning.
Probably the easiest way to scan the internal systems is by using a proxy chain. Let us suppose that we have acquired access to a proxy service within the DMZ by locating an open-access proxy service, brute forcing a proxy service with hydra or by installing a proxy service on an already compromised machine. Once you have configured your system to route traffic through that proxy, you can perform nmap scans by using a full connection scan ().
nmap 10.1.1.0-255 -sT
If there is no proxy service available, there are some clever ways that you can leverage machines within the DMZ to get scan results on internal systems. One way to do this is to use zombie scanning, also referred to as idle scanning. In order to perform a zombie scan against the systems on the internal LAN, we have to find a viable zombie host within the DMZ. A zombie host is any relatively idle system that uses incremental IPID sequencing. In order to locate a zombie host, we can use an nmap script to scan the DMZ for a system that fits this description.
nmap –script ipidseq 220.127.116.11-255
This script will send a series of packets to each host and track the IPID numbers for all replies received. It will then analyze these IPID numbers to classify each system as either random sequence, all zeros, or incremental. See Figure 4 for an example of the output for an incremental system.
Figure 4. Zombie host located with IPID Sequence Script
Once we have acquired an IP address for our zombie system, we are ready to attempt our zombie scan. Prior to addressing how to perform the scan, I will briefly discuss how the scan works. Refer to Figure 5 for a diagram of what takes place when a zombie scan is performed against an open port.
Figure 5. Zombie scan against open port
First, our nmap scanner determines the current IPID value of the zombie system by sending an unsolicited SYN/ACK packet. Because no SYN packet was originally sent by the zombie system to establish a connection, the zombie then replies to our scanner with an RST packet. Our scanning system will then use the IPID of the RST packet as a reference point. Then, our scanning system will immediately follow this up with a spoofed SYN packet sent to the target system using a source IP address of the zombie system. Because the source IP address is one within the DMZ, this connection request is more likely to be able to pass through the firewall. If the target receives the packet and the destination port is open, the target will then return a SYN/ACK packet to the zombie system (who it thinks sent the original SYN packet). Because this SYN/ACK packet is received out of context, the zombie system will then reply to the target system with a RST packet, thereby incrementing its IPID value by one. Finally, our scanner will send one last SYN/ACK packet to the zombie system. The subsequent RST reply from the zombie will increment the IPID one more time. So if the targeted port on the remote system is open, the final IPID value returned will be two numbers higher than the original value. Alternatively, Figure 6 illustrates what takes place when the port of the target system is closed.
Figure 6. Zombie scan against closed port
If the port on the target system is closed, the zombie system receives no unsolicited response from the target and is therefore not instigated to send an RST packet to the target. So if the IPID value of the final RST response has only incremented by one, we can deduce that the port is closed because no SYN/ACK reply was sent to the zombie system to instigate a RST response. Otherwise, if the final IPID value has incremented by two from the original value, then we can deduce that the port on the target system must be opened because it must have replied to the zombie which instigated the response that incremented the IPID value of the zombie system.
While this may sound extremely complicated; do not become intimidated by the description, as nmap does nearly all the work for you. To actually perform a zombie scan, you just have to enter a simple command.
nmap -sI 192.168.199.132 -Pn 192.168.199.130
The switch tells nmap to perform a zombie scan using the following IP address as the zombie host (192.168.199.132). The switch prevents nmap from performing an initial ICMP ping on the target system prior to attempting the scan. So, the final IP address in the command identifies the target system. The output for this command can be seen in Figure 7.
Figure 7. Zombie scan against closed port
It should be noted that the IP range that I used to demonstrate this zombie scan is a private range on my internal network. For this to work effectively against a remote network, as described in the original scenario, the systems in both the DMZ and the internal network must be on publically routable IP ranges. If the internal network is configured on a private range behind a NAT (Network Address Translation) server, then the nmap scanner will not be able to send the spoofed SYN packet to the internal address from its remote location.
Another way to use systems within the DMZ to attempt to scan hosts on the internal network is to use FTP bounce. Some legacy FTP servers support the capability of transmitting files to a third party system. If you have discovered an FTP server in the DMZ that allows anonymous login or that you have brute forced with hydra, you can test the FTP server to determine if it supports FTP bounce. To do this, use the ftp-bounce script.
nmap –script ftp-bounce –script-args
[email protected] 18.104.22.168
This command uses the nmap script with username and password arguments against the FTP server. Once completed, this scan will indicate if FTP bounce is possible or not. If the script indicates that FTP bounce is working, you can use the FTP server to perform a port scan against other systems on the network. Figure 8 illustrates how this works.
Figure 8. FTP bounce scan
The scanner will attempt to send binary data, via the FTP bounce function, to the target system at a designated port. If the data is transmitted, the FTP server will then report back this back to the scanner, indicating that the port on the target system is open. To perform an FTP bounce scan, use the switch.
nmap -b ftpuser:[email protected]:21 10.1.1.128-255
In this command, the function is used to perform a ftp bounce scan using the username “ftpuser” and the password , against the FTP server at 192.168.11.201 hosted on TCP port 21. The actions described in the diagram above will then be performed against each of the common 1000s ports on each of the target hosts from 10.1.1.128 to 10.1.1.255.
Vulnerability Mapping and Exploitation with NSE
Once you have discovered live hosts on the target network and have managed to enumerate open ports and/or running services on those hosts, you can begin testing for and exploiting vulnerabilities. With the newly integrated NSE (Nmap Scripting Engine), there are a number of preloaded scripts that come with the standard nmap installation. These scripts have a wide range of different functions from basic information gathering (like the two that we have already discussed), vulnerability mapping, brute forcing, denial of service and even remote exploitation. All of these scripts are located in your nmap installation directory. In Kali-Linux, they can be found at . To browse to these scripts and begin working with them, use the following commands:
The command will change the directory to the location of the NSE scripts, and the command will display the contents of the directory. You can then view any of the scripts by using the command, followed by the name of the script that you want to view. For the purpose of this demonstration, we will use . To view the contents of this script, use the following command:
Figure 9. NSE script contents
Figure 9 displays the contents of this script. If you browse to the top of the script contents, you will see several pieces of helpful information to include a description of the script, a list of additional resources for reference, and appropriate use and syntax of the script. However, sorting through these scripts in the directory and locating a script that performs a specific function can be very tedious. In my opinion, this is where Zenmap (the graphical interface that we had previously discussed) really shines through. To demonstrate how helpful the Zenmap interface can be when working with NSE scripts, open it once again from the command line with the command:
Then select the Profile drop-down menu and click “New Profile or Command.” After the Profile Editor opens up, choose the Scripting tab at the top of the screen. Figure 10 displays an image of the Zenmap Scripting interface.
Figure 10. Zenmap Scripting Interface
A list of all of the available nmap scripts is located on the left side of the screen. You can select any of these to have it included in your nmap command. Some scripts will require arguments in order to be able to run correctly. Post authentication scripts will often require a username and password for specific network services. In the example in Figure 10, arguments can be supplied to configure the brute force attack that is to be performed against the MySQL service. You can also easily pass the script arguments by entering the values in the Arguments window. These arguments will automatically be populated in the generated nmap command. The window in the top center provides a description of the selected script, appropriate use and syntax, and even categories to describe the functions of the script. These categories can be especially helpful if you are trying to perform a specific type of task, such as vulnerability analysis. After launching an NSE script with an nmap command, you will see the results in the standard nmap output. In the case of brute force scripts, the output will show if the brute force attack was successful and, if so, will display the discovered username and password. In the case of vulnerability scripts, the output will indicate if the vulnerability is present on the target system(s). And in the case of exploitation scripts, the output will provide information about the payload that was subsequently delivered to the target system.
Scripting with Nmap
In addition to its own integrated scripting engine, nmap also supports several output options that make it easy to use traditional scripting languages for performing output analysis. Two output formats that can be useful for scripting include greppable output () and XML output (). XML can be effective for higher level scripting languages that have modules that can be imported for XML parsing and greppable output can be used in conjunction with the bash shell scripting to streamline analysis of nmap results. To demonstrate how this output feature could be used in conjunction with scripting, we will review a simple 4-line bash shell script, displayed in Figure 11 to analyze the results of an nmap scan.
Figure 11. Nmap Result Analysis Bash Script
Consider a scenario in which an nmap scan was already performed against a very large network and the output of the scan was saved in greppable format to a networkscan.txt file. And suppose that we want to use hydra to perform a brute force attack against all FTP services on the network, but we do not want to waste the time that would be required to scan port 21 on the entire network again. This simple script will extract all systems that have a specified port open. The first line prompts the user for a port number. The second line then assigns the value of the user input to the ‘port’ variable. The third line indicates to the user that all systems with that open port will be listed. And finally, the last command is where we grep out the results from the nmap greppable output. The script uses the grep command to extract all lines from the output file that reference the specified port. This will include lines that enumerate each instance of where the port is open, closed or filtered. Then, it pipes that output over to another grep function that extracts only instances in which the specified port is open. This output is then piped over to the cut function, which specifies a space character as the delimiter and then outputs the second field. By doing this, our script then outputs the IP address for each system that has the specified port open. Figure 12 displays the output of the script.
Figure 12. Nmap Result Analysis Script Output
While this is a very simple script, it demonstrates how easy it can be to extract information from the greppable output format. Once acquired, this collected information could easily be used for further scripting. It could be used as a starting point to perform some other subsequent task against each system that was identified to have a specific port open.
An All-In-One Penetration Testing Tool
By combining its different capabilities, one could easily perform a complete penetration test by using nmap alone. There is no denying that nmap, with its impressive list of functions and capabilities, is a truly powerful tool. And as the years progress, it will likely become even more powerful as more people continue to contribute to this project. Like a kid with his father’s gun, nmap can be a dangerous tool in the wrong hands. But if used correctly, it can be an invaluable asset for ensuring the security of your network infrastructure. So always remember to use it wisely and to use it well.
About the Author
Justin Hutchens currently does network vulnerability analysis, intrusion detection and digital forensics for a large enterprise network with over 33,000 networked systems. He has filled numerous different roles in the Information Technology field to include network design, system development, database administration and network security. He also currently teaches courses on penetration testing with the Backtrack and Kali-Linux operating systems. He currently holds a Bachelor’s degree in Information Technology and multiple professional certifications to include CISSP (Certified Information System Security Professional), CEH (Certified Ethical Hacker), ECSA (EC-Council Certified Security Analyst) and CHFI (Computer Hacking Forensic Investigator).