Network Security and NMAP - Blog

Passive Reconnaissance

WHOIS

whois <domain name>
contains
- registrar info
- contact info of registrant
- creation, update and expiration date
- name server

nslookup And dig

nslookup
- nslookup <options> <domain name> <server>
- options
  - A, AAAA, CNAME, MX, SOA and TXT
- server
  - dns server used for query
    - cloudflare 1.1.1.1
    - google 1.0.0.1, 8.8.8.8
    - quad9 9.9.9.9, 149.112.112.112
- ip address domain name points to
dig
- dig <domain name> <options>
- for more advanced queries

DNSDumpster

https://dnsdumpster.com/
online tool for finding subdomains
provides tables and graphs

Shodan.io

https://www.shodan.io/
information about networks without having to connect to them
information
- ip address
- hosting company
- geographic location
- server type and version

Active Reconnaissance

Web Browser

Tools
- developer tools
- FoxyProxy
  - quickly change proxy server
  - useful when using burp suite
- User-Agent Switcher and Manager
  - pretend to use different operating system or browser
- Wappalyzer
  - insights about technologies used on website
  - framework, version, cms, os, analytics …

Ping

ping <hostname>
ping -c 10 <hostname> to send 10 ping packets
ping -s 56 <hostname> sends packets of size 56 bytes to target

Traceroute

traceroute <hostname>
traces route from your system to target system

Telnet

telnet <hostname> <port>
only tcp
default port 23
sends all data as cleartext
example
- telnet <hostname> 80 to connect to web server on port 80
- GET /page.html HTTP/1.1, enter
- host: telnet, double enter

Netcat

nc <hostname> <port>
tcp and udp
options
- -l listen mode
- -p port
- -n numeric only, no hostname resolution via DNS
- -v verbose
- -vv very verbose
- -k keep listening after disconnect

Nmap Live Host Discovery

Using ARP

root user in local network –> ARP
root user outside of local network –> ICMP
regular user outside local network –> TCP 3 way handshake
nmap -sn <targets> scans for live hosts without port scanning
nmap -PR -sn <targets> ARP scan without port scanning , -PR indicates ARP only

arp-scan

tool for only arp scanning
arp-scan --localnet or arp-scal -l
- use -I to specify interfaces

Using ICMP

nmap -PE -sn <targets> scan using ICMP echo requests without port scanning
- might run into missing hosts because ICMP echo requests tend to be blocked
nmap -PP -sn <targets> scan using ICMP timestamp request without port scanning
- to get around ICMP echo request block
nmap -PM -sn <targets> scan using ICMP Address Mask Reply
all of these options could be blocked by a firewall

Using TCP and UDP

TCP SYN Ping
- nmap -PS<optional? port or port range> -sn <targets> scan using TCP SYN without port scanning
- does not require a privileged account
TCP ACK Ping
- nmap -PA<default:80; port or port range> -sn <targets> scan using TCP ACK without port scanning
- requires a privileged account
UDP Ping
- nmap -PU<port or port range> -sn <targets> scan using UDP without port scanning

Masscan

aggressive with rate of packets
masscan <targets> -p<port or port range>

Reverse DNS Lookup

-n for no DNS lookup
-R reverse DNS lookup for all hosts
-sn host discovery only

Nmap Basic Port Scans

port states in NMAP
- open: service is listening on port
- closed: no service listening, but port is accessible –> reachable and not blocked by firewall or others
- filtered: cannot determine if open or closed, port is not accessible –> blocked by firewall or others. OR response blocked from reaching nmap
- unfiltered: cannot determine if open or closed, but port is accessible. encountered when ACK scanning -sA
- open|filtered: cannot determine if port is open or filtered
- closed|filtered: cannot determine if port is closed or filtered

TCP Flags

nmap can set the following flags
- urg: incoming data is urgent and to be processed immediately without consideration of waiting on previously sent TCP segments
- ack: acknowledge receipt of TCP segment
- psh: push data to application promptly
- rst: reset connection, firewall might send to tear TCP connection, used when no service on other end to recieve answer
- syn: initiate TCP 3 way handshake and synchronize sequence numbers with other host
- fin: sender has no more data to send

TCP Connect Scan

nmap -sT <target> starts TCP scan
- Theory
  - syn –>
  - <– syn, ack
  - ack –>
  - rst, ack –>
only possible option to discover open TCP ports as unprivileged user
note: use -F to enable fast mode, only scans 100 most common ports, instead of 1000
note: use -r to scan ports in consecutive order instead of random, useful when testing after target boot

TCP SYN Scan

nmap -sS <target> TCP SYN scan
requires privileged user
decreases chance of scan being logged, since no TCP connection was established

UDP Scan

nmap -sU <target>
cant guarantee that service listening would respond. but udp to closed port, returns ICMP port-unreachable error
can be combined with TCP scan

Fine-Tuning Scope and Performance

defining ports
- -p<ports> can be either port, port list or port range
- all ports by using -p-, scanns all 65535
- most common 100 ports -F
- top 10 common ports --top-ports 10
scan time
- -T<0-5>
- -T0 is slowest (paranoid)
- -T5 is fastet
  - 0 paranoid
  - 1 sneaky
  - 2 polite
  - 3 normal
  - 4 aggresive
  - 5 insane
- to avoid IDS alert, consider -T0 or -T1
control packet rate
- --min-rate <number>
- --max-rate <number>
  - no more than x packets per second
probing parallelization
- --min-parallelism <numprobes>
- --max-parallelism <numprobes>
  - no more than x probes in parallel

Nmap Advanced Port Scans

TCP Null Scan

nmap -sN <targets>
TCP packet with no flags
will not trigger any responses, lack of reply indicates open port or blocked by firewall
if response is RST packet, port is closed

TCP FIN Scan

nmap -sF <targets>
TCP packet with FIN flag set
no response if port is open, or blocked by firewall
response is RST if port is closed

TCP Xmas Scan

nmap -sX <targets>
TCP packet with FIN, PSH and URG flag set
no response if port is open, or blocked by firewall
response is RST if port is closed

TCP ACK Scan

nmap -sA <targets>
send TCP packet with ACK set
response is RST, regardless of state
so useless if no firewall in place
- but with firewall in place: shows which ports are not blocked

TCP Window Scan

nmap -sW <targets>
same as ACK scan, but inspects Window field in RST packet
can reveal if port is open on specific systems
useless without firewall
- but with firewall: shows which ports are blocked

TCP Custom Scan

nmap --scanflags <custom flags> <targets>
can combine flags the way you want

Spoofing and Decoys

nmap -e <network interface> -Pn -S <spoofed ip> <targets>
useless if attacker cannot monitor network for responses
if on same subnet as target
- can spoof mac address
- --spoof-mac <spoofed mac address>
only works under certain conditions
alternative are decoys
- using -D <specific or random ip>
- nmap -D <ip1><ip2>,RND,RND,ME <ip3>
  - scan of will appear as comming from and
  - ME to indicate your IP should appear in third order

Fragmented Packets

-f to fragment packets, data will be divided into 8 bytes or fewer
-ff to fragment packets, data will be divided into 16 byte fragments or fewer

Idle / Zombie Scan

requires idle system connected to network
run idle scan using nmap -sI <zombie ip> <targets>

Getting More Details

--reason to get more info regarding reasoning and conclusions
-v for more verbose output, and -vv for even more

Nmap Post Port Scans

Service Detection

nmap -sV <targets> to try to detect the running services and their version
- --version-intensity <level>
  - values from 0, lightest, to 9, most complete
- will use TCP 3 way handshake

OS Detection

nmap -sS -O <targets>
based on behavior and telltale signs in responses

Traceroute in nmap call

nmap -sS --traceroute <targets>

Nmap Scirping Engine

nmap uses lua
standard folder for preinstalled scripts /usr/share/nmap/scripts
run script from a category with nmap --script=<group> or nmap -sC to run default group

category / group	description
auth	Authentication related scripts
broadcast	Discover hosts by sending broadcast messages
brute	Performs brute-force password auditing against logins
default	Default scripts, same as -sC
discovery	Retrieve accessible information, such as database tables and DNS names
dos	Detects servers vulnerable to Denial of Service (DoS)
exploit	Attempts to exploit various vulnerable services
external	Checks using a third-party service, such as Geoplugin and Virustotal
fuzzer	Launch fuzzing attacks
intrusive	Intrusive scripts such as brute-force attacks and exploitation
malware	Scans for backdoors
safe	Safe scripts that won’t crash the target
version	Retrieve service versions
vuln	Checks for vulnerabilities or exploit vulnerable services

nmap -sS -sC <target> runs SYN scan against target and executes default scripts after
call specific script using --script "<script name>" or using patterns --script "ftp*,
nmap -sS -n --script "http-date" <target> runs SYN scan against target, and executes http-date script to guess targets server date and time

Save Output

normal output
- nmap -oN <filename>
grepable
- nmap -oG <filename>
xml
- nmap -oX <filename>
each can be combined with the others

Protocols and Servers

Telnet

used to access terminal on another client
unencrypted communication between clients
only requires username and password
port 23

FTP

file transfer protocol
unencrypted communication between host and client
only requires username and password
- possibly even anonymous login as a guest
port 21
STAT can provided more information
SYST shows system type of the target
PASV switches to passive mode
- passive mode: data is sent over separate channel origination from FTP clients port, above number 1023
- active mode: data is sent over separate channel origination from FTP server port 20
TYPE A switches file transfer mode to ASCII
TYPE I switches file transfer mode to binary
GET to download file

SMTP

simple mail transfer protocol
- steps email need to go through
  - MUA, mail user agent: email client, forwards to MSA
  - MSA, mail submission agent: checks for errors before transferring to MTA
  - MTA, mail transfer agent: send email to MTA of recipient, can also function as MSA
  - typical setup would also have MTA as MDA, mail delivery agent
  - recipient collects email from MDA using email client
port 25

POP3

post office protocol 3
port 110

IMAP

internet message access protocol
port 143

Protocols and Servers 2

Sniffing Attack

TCPdump and Wireshark

requires access to network traffic
- wiretap, switch with port mirroring or MTM
sudo tcpdumo port 110 -A
- requires root privileges
- -A to display content as ASCII
filter by protocol in wireshark

SSH

secure shell
ssh <username>@<target machine>
scp <username>@target machine>:<path to file> <download to> download a file from target machine
scp <file to upload> <username>@<target machine>:<target folder> upload file to target machine

Password Attack

THC Hydra

hydra -l <username> -P wordlist.txt <server> <service>
- -l <username> to try passwords for
- <server> hostname or ip of target
- <service> target service, e.g. ftp, ssh …
- optional
  - -s <port> to specify non standard port for service
  - -v or -vV verbose and very verbose
  - -t <n> number of parallel connections
  - -d enable debugging, get more detailed information