Open Source Tools: Part Two (More nmap options)

nmap optionsIn the previous article, we began our look at open source tools, beginning with nmap. In this article, we continue our look at some nmap options.

nmap Options: Stealth Scanning

For any scanning you perform, it is not a good idea to use a connect scan (-sT), which fully establishes a connection to a port. Excessive port connections can cause a DoS to older machines, and will definitely raise alarms on any IDS system. Therefore, you should use a stealthy port testing method with nmap, such as a SYN scan. To launch a SYN scan from nmap, you use the -sS flag, which produces a listing of the open ports on the target, and possibly open/filtered ports if the target is behind a firewall. The ports returned as open are listed with what service that port corresponds to, based on IANA port registrations, as well as any commonly used ports.


In addition to lowering your profile with half-open scans, an nmap option you may also consider is the FTP or “bounce” scan and idle scan options that can mask your IP from the target. The FTP scan (which was discussed in a previous article) takes advantage of a feature of some FTP servers, which allow anonymous users to proxy connections to other systems. If you find during your enumeration that an anonymous FTP server exists or one to which you have login credentials, try using the -b option with user:pass@server:ftpport. If the server does not require authentication, you can skip the username and password, and unless FTP is running on a nonstandard port, you can leave out the FTP port option as well. The idle scan, using -sI zombiehost:port, has a similar result, but a different method of scanning. If you can identify a target with low traffic and predictable IPID values, you can send spoofed packets to your target, with the source set to the idle target. The result is that an IDS sees the idle scan target as the system performing the scanning, keeping your system hidden. If the idle target is a trusted IP address and can bypass host-based access control lists (ACLs), then you’ll get even better results. Do not expect to be able to use a bounce or idle scan on every penetration test, but keep looking around for potential targets. Older systems, which do not offer useful services, may be the best targets for some of these scan options.

nmap Options: Fingerprinting

You should be able to create a general idea of the remote target’s operating system from the services running and the ports open. For example, ports 135, 137, 139 or 445 often indicate a Windows-based target. [135 is used by the End Point Manager (EPMAP) to remotely manage services (and is also used by DCOM); 137 and 139 are used by NetBIOS; 445 is used by Active Directory.] However, if you want to get more specific, you can use nmap’s -O flag, which invokes nmap’s fingerprinting mode. Care needs to be taken here as well, as some older operating systems such as AIX prior to 4.1 and older SunOS versions have been known to die when presented with a malformed packet. Keep this in mind before using -O across a Class B subnet. Note also that the fingerprint option without any scan types will invoke a SYN scan, the equivalent of -sS.


In the next article, we will look at some more nmap options.

External Links:

nmap.org – the nmap site

Open Source Tools: Part One (nmap)

open source toolsNow that we’ve described the concepts of port scanning, enumeration and fingerprinting, it is time to discuss implementing them with open source tools. This article will cover two categories of tools: scanning tools and enumeration tools.

Port scanners accept a target or a range as input, send a query to specified ports, and then create a list of the responses for each port. The most popular scanner is nmap, written by Fyodor, and which is available from www.insecure.org. There are several open source tools for scanning, but Fyodor’s multipurpose tool has become a standard item among penetration testers and network auditors.


Open Source Tools: Using nmap

Before scanning active targets, consider using the ping sweep functionality of nmap with the -sP option. This option will not port scan a target, but will simply report which targets are up. When invoked as root with nmap -sP ip_address, nmap will send both ICMP echo packets and TCP SYN packets to determine if a host is up. However, if you know that ICMP is blocked, and don’t want to send those unnecessary ICMP packets, you can simply modify nmap’s ping type with the -P option. For example, -P0 -PS enables a TCP ping sweet, with -P0 indicating “no ICMP ping” and -PS indicating “use TCP SYN method.” By isolating the scanning method to just one variant, you increase the speed as well, which may not be a major issue when scanning only a handful of systems, but when scanning multiple Class C networks, or even a Class B network, you may need the extra time for other testing.

If nmap can’t see the target, it won’t scan unless the -P0 (do not ping) option is used. Using the -P0 option can create problems, since nmap will scan each of the target’s ports, even if the target isn’t up, which can waste time. To strike a good balance, consider using the -P option to select another type of ping behavior. For example, the -PP option will use ICMP timestamp requests, and the -PM option will use ICMP netmask requests. Before you perform a full sweep of a network range, it might be useful to do a few limited tests on known IP addresses, such as web servers, DNS, and so on, so you can streamline your ping sweeps and reduce the number of total packets sent and the time taken for the scan.

Capturing the results of the scan is extremely important, as you will be referring to the this information later in the testing process. The easiest way to capture all the needed information is to use the -oA flag, which outputs scan results in three different formats simultaneously: plain text (file extension .nmap), greppable test (.gnmap), and XML (.xml). The gnmap format is especially important to note, because if you need to stop a scan and resume it later, nmap will require this file to continue by using the –resume switch.


In the next article, we will continue our look at open source tools by covering some of nmap’s various options.

External Links:

nmap official site

insecure.org – features nmap news and several open source tools, including security tools

Port Enumeration and Fingerprinting

port enumerationPort Enumeration

Port enumeration is based on the ability to gather information from an open port, by either straightforward banner grabbing when connecting to an open port, or by inference from the construction of a returned packet. There is not much true magic here, as services are supposed to respond in a predictable manner.

Once the open ports are captured, by running a port scanner such as nmap, you need to be able to verify what is running on said ports and thus move one step closer to completing port enumeration. For example, you might assume SMTP is running on TCP port 25, but perhaps the system administrator is trying to obfuscate the service, and is running telnet on that port instead. The easiest way to check the status of a port is a banner grab. Upon connecting to a service, the target’s response is captured and compared to a list of known services, such as the response when connecting to an OpenSSH server.

Some services are wrapped in other frameworks, such as Remote Procedure Call (RPC). On UNIX-like systems, an open TCP port 111 indicates this. UNIX-style RPC can be queried with the rpcinfo command, or a scanner can send NULL commands on the various RPC-bound ports to enumerate what functions a particular RPC service performs.


Fingerprinting

The next step after port enumeration is system fingerprinting. The goal of system fingerprinting is to determine the operating system version and type. There are two common methods of performing system fingerprinting: active and passive scanning. The more common active methods use responses sent to TCP or ICMP packets. The TCP fingerprinting process involves setting flags in the header that different operating systems and versions respond to differently. Usually, several different TCP packets are sent and the responses are compared to known baselines to determine the remote operating system (OS). Typically, ICMP-based methods use fewer packets than TCP-based methods, so when you need to be more stealthy and can afford a less-specific fingerprint, ICMP is a viable alternative. Higher degrees of accuracy can often be achieved by combining TCP/UDP and ICMP methods, assuming that no device between you and the target is reshaping packets and mismatching the signatures.

Passive fingerprinting provides the ultimate in stealthy detection. Similar to the active method, this style of fingerprinting does not send any packets, but depends on sniffing techniques to analyze the information sent in normal network traffic. If your target is running publicly available services, passive fingerprinting may be a good way to start your fingerprinting. A drawback of passive fingerprinting is that it is less accurate than a targeted active fingerprinting session and relies on an existing traffic stream.


External Links:

Defining Footprinting, Fingerprinting, Enumeration and SNMP Enumeration?? at the World of Information Technology and Security blog

Router Hacking Part 2 (Service Enumeration, Fingerprinting, And Default Accounts at www.securitytube.net

Fingerprinting at projects.webappsec.org

© 2013 David Zientara. All rights reserved. Privacy Policy