Analysing Networks With NMAP - OWASP


Analysing Networks with NMAP
OWASP Ruhrpott Meetup
March 2019

Overview
- Networking Basics
- NMAP Basics: scan types, port states, scan speed, output, script scans
- NSE Scripting
- NMAP Tool Suite

Networking Basics

Networking Basics - UDP
The User Datagram Protocol is:
- Minimalistic
- Stateless
- Unreliable (best effort)
- Unordered
- Fast?

Networking Basics - TCP
The Transmission Control Protocol is:
- Heavyweight, with much more overhead than UDP
- Stateful
- Reliable
- Ordered

Networking Basics - TCP II - Handshake
- Formal handshake: the 3-way handshake (SYN, SYN/ACK, ACK)
- Afterwards both parties are equal peers: either side may send data

Networking Basics - TCP III - Teardown
- TCP connections require a teardown: the 4-way handshake (FIN and ACK in each direction)
- The closing party can no longer send data, but should still read incoming data (half-close)

Networking Basics - ICMP
The Internet Control Message Protocol is:
- A supporting protocol
- Not usually used to send data
- Does things like ping and traceroute

NMAP Basics


NMAP Basics - Default Privileges
Default NMAP behaviour depends on privileges:
- Privileged (root / Administrator; on Windows raw packets also need Npcap): TCP SYN scan (-sS)
- Unprivileged: TCP connect scan (-sT)

NMAP Basics - Host Discovery
Several ways, with different outcomes:
- Ping scan (-sP; current Nmap versions call it -sn): host discovery only, no port scan
  nmap -sP scanme.nmap.org
- ICMP pings: echo request (-PE), timestamp request (-PP), address mask request (-PM)
  nmap -PE scanme.nmap.org
- ARP ping (-PR): only works for targets on the local link, where Nmap already uses it by default; against a remote host such as scanme.nmap.org it falls back to the regular probes
  nmap -PR scanme.nmap.org
- "Ultimative" host discovery command (93% detection): several probe types at once, sent from source port 53 so that firewalls which pass DNS traffic let them through
  nmap -PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 -PU161 --source-port 53

NMAP Basics - Scan Types I
Scan types (most common):
- TCP SYN scan (-sS): fast; "stealthy" (?) only in the sense that no connection is completed, every IDS still sees the SYNs; requires privileges
- TCP connect scan (-sT): relies on the OS connect() call, so it works unprivileged; slower than the SYN scan
- UDP scan (-sU): slow; unreliable

NMAP Basics - Scan Types II
More scan types (TCP flags set in the probe):
- TCP NULL scan (-sN): no flags
- TCP FIN scan (-sF): FIN
- TCP Xmas scan (-sX): URG, PSH, FIN
All three rely on RFC 793 behaviour (closed port answers with RST, open port stays silent), so they report open|filtered rather than open, and systems that send RST for every probe (Windows among them) show all ports as closed.

NMAP Basics - Scan Types III
Even more scan types:
- TCP idle scan (-sI): spoofs packets via a "zombie" host, so the target never sees the scanner's address
- IP protocol scan (-sO): enumerates which IP protocols (TCP, UDP, ICMP, ...) the host accepts

NMAP Basics - Port States
NMAP distinguishes between different port states:
- open: "proper" response received (SYN/ACK for TCP, any reply for UDP)
- closed: RST received (the host is reachable, nothing listens there)
- filtered: something else happened (no response, or an ICMP unreachable), typically a firewall dropping the probe
- open|filtered: couldn't determine the port state; often UDP related, since an open UDP service that stays silent looks exactly like a dropped probe
Nmap knows two further states, unfiltered and closed|filtered, which rarely show up in everyday scans.
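The decision rules behind those states, as an added example (not code from the slides or from Nmap itself): the functions below apply the rules from the Nmap reference guide for SYN and UDP scans to constructed response records. The `Response` class and the sample results are assumptions made for this example; no packets are sent.

```python
"""Port-state inference for Nmap's SYN (-sS) and UDP (-sU) scans.

Added example, not code from the slides or from Nmap itself. It applies
the decision rules documented in the Nmap reference guide to constructed
response records; no packets are sent.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type 3 (destination unreachable) codes that mean "a filter stopped
# the probe": net/host unreachable (1, 2) and the administratively
# prohibited codes (9, 10, 13). Code 3 (port unreachable) is special-cased
# below because it means "closed" for UDP.
FILTER_CODES = {1, 2, 9, 10, 13}
PORT_UNREACHABLE = 3


@dataclass
class Response:
    """One reply seen for a probe. Constructed for this example; a real
    scanner would fill it from the captured packet."""
    proto: str                     # "tcp", "udp" or "icmp"
    tcp_flags: str = ""            # TCP flag letters, e.g. "SA" = SYN/ACK
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def syn_scan_state(resp: Optional[Response]) -> str:
    """State of a TCP port after a SYN probe (-sS)."""
    if resp is None:
        # Silence after the retransmissions: a filter dropped the probe.
        return "filtered"
    if resp.proto == "tcp":
        flags = set(resp.tcp_flags.upper())
        if {"S", "A"} <= flags:
            return "open"          # SYN/ACK: step 2 of the handshake
        if "R" in flags:
            return "closed"        # RST: host reachable, no listener
    # ICMP unreachable (codes 1, 2, 9, 10, 13) or anything unexpected.
    return "filtered"


def udp_scan_state(resp: Optional[Response]) -> str:
    """State of a UDP port after a UDP probe (-sU)."""
    if resp is None:
        # No answer: either an open service that stays quiet, or a drop.
        # Nmap cannot tell these apart, hence the combined state.
        return "open|filtered"
    if resp.proto == "udp":
        return "open"              # any UDP reply proves a listener
    if resp.proto == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == PORT_UNREACHABLE:
            return "closed"        # the host itself says nothing listens
        if resp.icmp_code in FILTER_CODES:
            return "filtered"
    return "open|filtered"


def scan_table(results: List[Tuple[str, int, Optional[Response]]]) -> List[Tuple[str, int, str]]:
    """Classify (proto, port, response) triples the way the nmap port table does."""
    return [
        (proto, port, syn_scan_state(resp) if proto == "tcp" else udp_scan_state(resp))
        for proto, port, resp in results
    ]


# Constructed sample: a host behind a firewall that silently drops 445/tcp
# and rejects 3389/tcp with "communication administratively prohibited".
SAMPLE_RESULTS = [
    ("tcp", 22, Response("tcp", "SA")),
    ("tcp", 23, Response("tcp", "RA")),
    ("tcp", 445, None),
    ("tcp", 3389, Response("icmp", icmp_type=3, icmp_code=13)),
    ("udp", 53, Response("udp")),
    ("udp", 161, None),
    ("udp", 162, Response("icmp", icmp_type=3, icmp_code=3)),
]

if __name__ == "__main__":
    for proto, port, state in scan_table(SAMPLE_RESULTS):
        print(f"{port}/{proto:<4} {state}")
```

The UDP branch is why -sU is slow and unreliable: every silent port costs the full retransmission budget and still ends up as open|filtered, and many hosts rate-limit the ICMP port-unreachable replies that would settle the question.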

NMAP Basics - Scan Speeds
Different speed settings (-T):
- paranoid (0)
- sneaky (1)
- polite (2)
- normal (3) [default]
- aggressive (4)
- insane (5)
0 and 1 serialise the probes with long waits (IDS evasion), 4 is the usual choice on fast and reliable networks, and 5 trades accuracy for speed.

NMAP Basics - Target Syntax
Everything that isn't an option is considered a host :-)
- Hostname: nmap scanme.nmap.org
- IP address: nmap 45.33.32.156
- CIDR-ish notation: nmap 45.33.32.156/32 or nmap scanme.nmap.org/32, but NOT nmap 45.33.32.156/255.255.255.255 (Nmap takes a prefix length, not a netmask)
- Octet ranges: nmap 45.33.32-35.1-254
- Everything above can be combined, and loaded from a file as well (-iL)

NMAP Basics - Port Syntax
Ports are scanned in a (mostly) random order; without -p Nmap scans the 1000 most common ports.
- Scan the top 100 ports only ("fast", -F): nmap -F scanme.nmap.org
- Scan "all" (1-65535) ports: nmap -p- scanme.nmap.org
- Scan all ports (0-65535): nmap -p0-65535 scanme.nmap.org
- Scan specific ports and port ranges: nmap -p 22,53,80,443,500-1000 scanme.nmap.org
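How the target and port specifications from the two slides above expand, as an added example written for this page (not Nmap's own parser): it handles hostnames, addresses, CIDR prefixes and per-octet ranges, rejects the dotted-netmask form, and applies the defaults Nmap uses for open-ended port ranges. Hostnames are passed through unresolved, and the `valid_target` helper is an assumption made for the example.

```python
"""Expand Nmap target and port specifications.

Added example, not Nmap's own parser. Covers the forms on the slides
(hostname, address, CIDR prefix, per-octet ranges, -p lists and ranges).
Hostnames are yielded unresolved; resolution is left to the caller.
"""
import ipaddress
import itertools
import re
from typing import Iterator, List

_DOTTED = re.compile(r"[\d,\-.]+")


def _octet_values(field: str) -> List[int]:
    """'32' -> [32]; '32-35' -> [32..35]; '1,5-7' -> [1,5,6,7]; '-' -> [0..255]."""
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i, hi_i = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield the IPv4 addresses (or the untouched hostname) one spec covers."""
    if spec.startswith("-"):
        raise ValueError(f"{spec!r} looks like an option, not a target")
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        # Nmap takes a prefix length; 45.33.32.156/255.255.255.255 is an error.
        if not prefix.isdigit() or not 0 <= int(prefix) <= 32:
            raise ValueError(f"expected /<prefix length>, got {spec!r}")
        if not _DOTTED.fullmatch(base):
            yield spec                       # hostname/prefix: resolve first
            return
        for ip in ipaddress.ip_network(f"{base}/{prefix}", strict=False):
            yield str(ip)                    # includes network and broadcast, like Nmap
        return
    fields = spec.split(".")
    if len(fields) != 4 or not _DOTTED.fullmatch(spec):
        yield spec                           # plain hostname
        return
    for combo in itertools.product(*(_octet_values(f) for f in fields)):
        yield ".".join(map(str, combo))


def valid_target(spec: str) -> bool:
    """True if Nmap-style parsing accepts the spec (helper for this example)."""
    try:
        for _ in expand_target(spec):
            pass
        return True
    except ValueError:
        return False


def expand_ports(spec: str) -> List[int]:
    """'-' -> 1..65535, '0-65535' -> 0..65535, '22,53,80,443,500-1000' -> that list.
    As in Nmap, a missing range start defaults to 1 and a missing end to 65535."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i, hi_i = (int(lo) if lo else 1), (int(hi) if hi else 65535)
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


if __name__ == "__main__":
    print(len(list(expand_target("45.33.32-35.1-254"))), "addresses")
    print(expand_ports("22,53,80,443,500-1000")[:6])
```

Counting the expansion before you scan is worth the habit: 45.33.32-35.1-254 is 1016 hosts, and with -p- that is 66 million probes per scan type.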

NMAP Basics - Output
- Normal (-oN)
- XML (-oX)
- Greppable (-oG)
- s rIpt kIddi3 (-oS)
- -oA <basename> writes the first three at once (basename.nmap, .xml and .gnmap)

NMAP Basics - Misc. Switches
- Generate 100 random targets and log your crimes: nmap -iR 100 -Pn -oA admissible-evidence
- IPv6 scan: nmap -6 scanme.nmap.org
- Service version probing: nmap -sV scanme.nmap.org
- OS detection: nmap -O scanme.nmap.org
- Aggressive (-A) scan, includes OS and version detection, script scanning and traceroute: nmap -A scanme.nmap.org

NMAP Basics - Script Scan I
More than just port scanning:
- Script scan (-sC) is equivalent to --script default
- --script accepts: filename, directory, category, expressions

NMAP Basics - Script Scan II
Script categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
Expressions are supported:
  --script "default or safe"
  --script "(default and safe) and not http-*"
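What such an expression actually selects, as an added example written for this page (not Nmap's own script selector): a small parser for the grammar the slide shows, evaluated against a script catalogue. The catalogue below is constructed for the example; check `nmap --script-help <name>` for the real categories of a script.

```python
"""Evaluate a --script selection expression against a script catalogue.

Added example, not Nmap's own selector. The catalogue is constructed for
this example (run `nmap --script-help <name>` for the real categories);
the grammar is the one the slide shows: category names, script names
with shell-style wildcards, and/or/not, parentheses.
"""
import fnmatch
import re
from typing import Dict, List, Set, Tuple

Catalogue = Dict[str, Set[str]]

SCRIPTS: Catalogue = {
    "banner":         {"discovery", "safe"},
    "http-headers":   {"discovery", "safe"},
    "http-title":     {"default", "discovery", "safe"},
    "http-slowloris": {"dos", "intrusive"},
    "smb-brute":      {"brute", "intrusive"},
    "ssh-hostkey":    {"default", "discovery", "safe"},
    "ssl-cert":       {"default", "discovery", "safe"},
}

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive descent: 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, expr: str) -> None:
        self.toks = _TOKEN.findall(expr)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> Tuple:
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected {self._peek()!r}")
        return node

    def _or(self) -> Tuple:
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self) -> Tuple:
        node = self._not()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self) -> Tuple:
        if self._peek() == "not":
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self) -> Tuple:
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in (")", "and", "or", "not"):
            raise ValueError(f"unexpected {tok!r}")
        # A filename works too: strip the .nse suffix before matching.
        return ("term", tok[:-4] if tok.endswith(".nse") else tok)


def _matches(node: Tuple, name: str, cats: Set[str]) -> bool:
    kind = node[0]
    if kind == "term":
        # A term is a category name or a (wildcard) script name.
        return node[1] in cats or fnmatch.fnmatchcase(name, node[1])
    if kind == "not":
        return not _matches(node[1], name, cats)
    left, right = _matches(node[1], name, cats), _matches(node[2], name, cats)
    return (left and right) if kind == "and" else (left or right)


def select_scripts(expr: str, catalogue: Catalogue = SCRIPTS) -> List[str]:
    """Names of the catalogue scripts the expression selects, sorted."""
    tree = _Parser(expr).parse()
    return sorted(name for name, cats in catalogue.items() if _matches(tree, name, cats))


if __name__ == "__main__":
    for expr in ("default or safe", "(default and safe) and not http-*"):
        print(f'--script "{expr}": {", ".join(select_scripts(expr))}')
```

The point of the "and not" form is scoping: "vuln" or "intrusive" alone pulls in brute-force and DoS scripts, so against anything you do not own, narrow the selection with "safe" and exclusions before running it.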

NSE Scripting

NSE Scripting I
Four classes of scripts, by the rule that triggers them:
- Prerule scripts: executed once, before any scan
- Host scripts: executed once per host
- Service scripts: executed once per port (for each matching service)
- Postrule scripts: executed once, after all scans

NSE Scripting - Example itle.nse

NMAP Tool Suite

NMAP Tool Suite - ncat
- Netcat (nc) alternative
- Supports SSL
- Supports IPv6
- Proxying
- Further reading: /alexcreek.com/ncat-cheatsheet.html

NMAP Tool Suite - ndiff
- Compares scans
- Takes in two XML files (-oX output), so keep the XML of every baseline scan
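What ndiff does with the XML output from the -oX slide, as an added example written for this page (not ndiff's or Nmap's code): a parser for the parts of the nmaprun layout that matter for a comparison, and a diff that reports hosts that appeared or vanished and ports whose state or service changed. The two XML documents are constructed for the example and cover only the elements this parser reads; real files carry many more.

```python
"""Read two Nmap -oX documents and report what changed between them.

Added example, not code from the slides, from ndiff or from Nmap. The two
documents below are constructed for this example and follow the nmaprun
layout (nmaprun > host > status/address/ports > port > state/service);
real files carry many more elements and attributes, which are ignored.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]             # (protocol, port number)
PortInfo = Tuple[str, str]            # (state, service name or "")
HostMap = Dict[str, Dict[PortKey, PortInfo]]
Change = Tuple[str, str, str, str]    # (host, "proto/port" or "-", before, after)

SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX before.xml 10.0.0.0/29" version="7.80">
 <host><status state="up" reason="syn-ack"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
   <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/></port>
  </ports></host>
 <host><status state="up" reason="syn-ack"/><address addr="10.0.0.7" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
  </ports></host>
</nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX after.xml 10.0.0.0/29" version="7.80">
 <host><status state="up" reason="syn-ack"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
   <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
  </ports></host>
 <host><status state="up" reason="syn-ack"/><address addr="10.0.0.9" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
  </ports></host>
</nmaprun>"""


def parse_scan(xml_text: str) -> HostMap:
    """Map each host that was up to its {(proto, port): (state, service)}."""
    hosts: HostMap = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                                   # down hosts carry no ports
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr is None:
            continue
        ports: Dict[PortKey, PortInfo] = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            key = (port.get("protocol", "tcp"), int(port.get("portid")))
            ports[key] = (
                state.get("state", "unknown") if state is not None else "unknown",
                service.get("name", "") if service is not None else "",
            )
        hosts[addr.get("addr")] = ports
    return hosts


def _label(info: PortInfo) -> str:
    state, service = info
    return f"{state} ({service})" if service else state


def diff_scans(old: HostMap, new: HostMap) -> List[Change]:
    """ndiff-style comparison: host appearances plus per-port state/service changes."""
    changes: List[Change] = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            changes.append((host, "-", "absent", "up"))
            continue
        if host not in new:
            changes.append((host, "-", "up", "absent"))
            continue
        for key in sorted(set(old[host]) | set(new[host])):
            before = old[host].get(key, ("not scanned", ""))
            after = new[host].get(key, ("not scanned", ""))
            if before != after:
                changes.append((host, f"{key[0]}/{key[1]}", _label(before), _label(after)))
    return changes


def newly_open(changes: List[Change]) -> List[Change]:
    """The subset worth an alert: ports that were not open before and are now."""
    return [c for c in changes if c[3].startswith("open") and not c[2].startswith("open")]


if __name__ == "__main__":
    for host, port, before, after in diff_scans(parse_scan(SCAN_BEFORE), parse_scan(SCAN_AFTER)):
        print(f"{host:<10} {port:<9} {before} -> {after}")
```

Run the same nmap command line on a schedule, keep the XML, and compare each run with the previous one: a port going from filtered to open (3306 above) is the change a defender wants to hear about, whereas a host dropping off the list may just be a discovery miss and deserves a re-scan before anyone panics.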

NMAP Tool Suite - nping
- Network packet generator
- Response analysis
- Response time measurement
- Also does ping :-)

NMAP Tool Suite - zenmap
- GUI for NMAP
- Quick profile selection
- Graphical organisation
- Topology view

Training with NMAP

Training with NMAP
Don't go wandering off, scanning networks without consent! This could get you into trouble: things could break, people could sue you.
To experiment with NMAP use:
- Dedicated hosts like scanme.nmap.org
- Dedicated lab environments (e.g. Hack-in-the-Box)
- Your own network (NOT the hotel WiFi, NOT your friend's WiFi!)
- Virtual machines with interesting services (e.g. Metasploitable)
Metasploitable v2: les/latest/download

Analysing Networks with NMAP
Questions?
