NMAP- NETWORK MAPPER
Installation:
Pre-installed on Linux
Windows: https://nmap.org/download
To verify that nmap is installed: nmap --version
NMAP, short for Network Mapper, is an open source Linux command line tool used for port scanning and discovering hosts on a network, and a useful reconnaissance tool for penetration testers. Some of NMAP's features include ping sweeps, port scanning, OS detection and version detection.
NMAP can help you find devices running on your network as well as unused applications.
In one scene in The Matrix, Trinity uses NMAP to find a vulnerable SSH server, which she then exploits with the SSH1 CRC32 exploit to hack the city power grid.
How does nmap actually work?
Nmap uses raw sockets to send raw packets to the Ethernet layer of your network, bypassing the operating system's normal TCP/IP processing; essentially it communicates with an IP address directly. Other sockets, such as datagram sockets or stream sockets, receive data that has already been through the transport layer and contains only the payload, so the program gets no information about the source of the data. One downside of this approach is that UNIX systems restrict raw packet communication to root users and admins, to prevent users abusing privileges.
NMAP is structured like this because most operating systems have a raw socket API that allows programs to access the network interface card (NIC)/Ethernet card/network adapter directly. By bypassing the other communication protocols, it gives Nmap more control over packet creation and transmission.
Port states
During a port scan nmap will show you the different states ports can be in. This helps us judge whether the target is exposed or not.
open- an application is listening for connections on the port
closed- the port is reachable but nothing is listening on it, so connections are refused
filtered- the port is protected by a firewall, so nmap is unable to tell if it is open or closed
unfiltered- the port is responsive to probes (for example in an ACK scan), but nmap is unable to tell if it is open or closed
open|filtered (open/filtered)- appears when the port gives no response, so nmap cannot tell whether it is open or filtered
Firewalls and bypassing them
Secure home networks will have firewalls configured. Firewalls definitely make network scanning more difficult, as they will block packets. Firewalls can be configured to block packets on ports commonly used by nmap, such as TCP ports 21, 22, 23, 80 and 443. They can also filter traffic based on certain protocols like ICMP, TCP and UDP to stop different scanning techniques.
To bypass a firewall, it is useful to know the rules the firewall has in place, and whether or not the network you are scanning has an IDS/IPS in place. A decent firewall should be updated regularly and should be able to detect signatures as well as behavioural anomalies.
It's important to understand the types of firewalls we are dealing with.
Packet filtering firewall- examines each packet based on the source IP, destination IP, ports and protocols. This is a basic firewall.
Stateful inspection firewall- keeps track of session state and blocks or allows connections based on context.
Proxy firewall- examines traffic at the application layer and allows more granular control over data and applications.
Next generation firewall- almost a security solution on its own, this is an advanced firewall that combines multiple security solutions and techniques like IDS/IPS and malware detection.
ACK scans are one of the first techniques we can use to try bypassing a firewall. An ACK scan sends TCP packets with only the ACK bit set. A normal TCP connection works as a three-way handshake, where a SYN, a SYN-ACK and an ACK packet are sent back and forth. The basic syntax for an ACK scan is 'nmap -sA {target IP address}'. The output of an ACK scan will show ports as either filtered or unfiltered; unfiltered only means the probe got through, so the port can still be closed.
We can also use the -f flag to fragment packets. Modern firewalls are becoming more efficient at detecting fragmented nmap packets, so this isn't a guaranteed win. Normal packets are transmitted to the destination as a complete unit, with all the data and the header within one packet. Fragmented packets are broken down into smaller pieces called fragments. This normally occurs when a packet exceeds the MTU of a network link, and the packet is reassembled at the destination. Fragmentation can bypass firewalls either by overloading the firewall, similar to a DDoS attack where all of its resources are being used to inspect the packets, or because some firewalls do not reassemble the fragmented packets correctly, which allows our packets to slip through undetected. Other firewalls may not be capable of handling fragmented packets at all, or this may be a vulnerability.
The basic syntax for a fragmented packet scan is 'nmap -f {target IP address}'. We can also choose how many fragments our packets are broken into by setting the maximum transmission unit with the --mtu flag, for example --mtu 16. The MTU value has to be a multiple of 8 bytes, and smaller values will make the scan longer.
A TCP null scan can be used as well: the -sN flag sends a packet with no TCP flags set, which can sometimes bypass firewalls. (The plain TCP connect scan is the one we fall back on when we do not have raw socket privileges.)
Basic scans:
A basic scan: nmap {target host}, where {target host} is replaced with the IP address of the host. This will provide a basic scan showing:
whether the host responds to pings
open ports and the services running on them
TCP (connect) scan (-sT)- focuses on TCP ports, the common communication protocol. Nmap sends a SYN to the target port and completes the three-way handshake by sending an ACK back; if the target sends a SYN-ACK back, the port is considered open. This scan is useful when raw socket privileges are not available or when we are scanning IPv6 networks. Remember that nmap has less control over the connect call with a TCP connect scan than when using raw packets, and has to complete full connections rather than the half-open connections of a SYN scan.
UDP scan (-sU)- for services such as DNS and gaming servers. UDP scans are generally slower and commonly target ports such as 53, 161/162 and 67/68. UDP scans work by sending empty packets with no payload (no data present), so the output of UDP scans will look different. If there is any response from the port it will be marked open; a port that gives no response shows as open|filtered.
SYN scan (-sS)- faster than TCP connect scans but can trigger firewalls; note these will only be able to gather information if there is no firewall present.
OS detection (-O)- find out the operating system of your target host
Port scanning
To scan a specific port on a target, for example port 80, we would use the -p80 flag.
We can specify the range of ports we want to scan with a dash between the first and last port, for example -p 1-80.
We can also use stealth scans to avoid firewalls or intrusion detection systems (IDS):
the -sS flag sends half-open connections (SYN scan)
the -f flag (described above) uses fragmented packets to bypass packet filtering
We can also customise the output of our scans:
-oA {basename} saves the scan in all output formats at once (normal, XML and grepable)
-oG {file} saves the output in grepable format (one line per host, easy to process with grep or scripts)
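As an added example (not part of the original notes), a small Python parser for the grepable (-oG) output format that tallies the port states listed earlier and reports only the ports with a confirmed listener. The sample scan output below is constructed for the example; the field layout follows nmap's grepable format (port/state/protocol/owner/service/rpc-info/version).

```python
from collections import Counter

# Constructed sample of nmap -oG (grepable) output. Hosts, services and
# versions are invented for this example; they are not real scan results.
SAMPLE_OG = """# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 53/open|filtered/udp//domain///, 161/open/udp//snmp//net-snmp/\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

# One port entry in grepable output: port/state/protocol/owner/service/rpc-info/version/
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

def parse_grepable(text):
    """Return {host_ip: [port records]} from nmap -oG text."""
    results = {}
    for line in text.splitlines():
        # Only "Host: ...\tPorts: ..." lines carry port data; comment and
        # "Status: Up" lines are skipped.
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < len(PORT_FIELDS):
                continue  # malformed entry, ignore it
            rec = dict(zip(PORT_FIELDS, fields))  # zip drops the trailing ""
            rec["port"] = int(rec["port"])
            results.setdefault(host, []).append(rec)
    return results

def state_summary(results):
    """Count how many ports are in each state, per host."""
    return {host: dict(Counter(r["state"] for r in recs))
            for host, recs in results.items()}

def exposed_services(results):
    """Ports with a confirmed listener (state exactly 'open'). 'open|filtered'
    (no reply) and 'unfiltered' (ACK scan) do not prove anything is listening,
    so they are excluded."""
    return sorted((host, r["port"], r["proto"], r["service"])
                  for host, recs in results.items()
                  for r in recs if r["state"] == "open")
```

Run this over a file produced with -oG to get a per-host count of open, closed, filtered and open|filtered ports plus the list of services that actually answered.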
Verbosity
The -v flag (verbose) provides additional details from your scan.
There are nine levels of verbosity available:
-4 provides no output
-3 no output, but provides error messages to see if the scan has failed
-2 no output, but with warnings and error messages
-1 shows run time and statistics
0 default level, shows packets received as well as other information
1 same as 0 but provides protocol details, flags and timing
2 provides more information on sent and received packets
3 shows the complete transfer of sent and received packets
4 like 3 but with more information
Nmap scripting engine
NSE allows users to write and share simple scripts in the Lua programming language, which can automate different networking tasks.
The basic syntax for using scripts is either the -sC flag, to enable the most common (default) scripts, or --script to specify which script to run.
NSE scripts are broken down into categories:
{auth} provides scripts that deal with authentication mechanisms on target systems
{broadcast} gathers information about devices on a network using broadcast techniques; it doesn't target hosts directly but instead sends packets to the network to find targets that respond
{brute} for brute-force password cracking and authentication (there is an overlap between the auth and brute categories)
{discovery} to find out more about services and networks
NMAP's basic scans already provide good coverage when trying to gather information; trying to gather more detailed knowledge is where we start needing scripts.
They can be a valuable tool for vulnerability assessment, automation and penetration testing. Remember, never use NMAP for unethical purposes.