Nmap Lab
Lab Activity 1
Learning Objective (Learn the basic functions of Nmap)
Students will install and use Nmap software on workstations. Nmap (“Network Mapper”) is a free utility that allows an individual to explore a network rapidly and identify potential weaknesses within that network.
Recommended Resources for this Learning Activity
Nmap™ 1.3.1 Available for download:
http://www.insecure.org/nmap/nmap_download.html/
(Windows 2000/XP and Linux version are available)
WinPcap Available for download:
http://winpcap.polito.it/
Assessment of the network. ("Network Mapper") is an open source utility for network examination or security auditing. It was originally designed in the mid-1990’s with the intention of combining multiple styles of network scanning. Nmap uses raw IP packets to determine whether a host is available on the network, what services (application name and version) are being utilized, what operating system (Nmap provides a best guess approach to OS identification) they are running, what type of filters/firewalls are in use, and many other attributes about the network. Nmap runs on most types of computer platforms and offers both command line and graphical versions. Nmap is free software, available with full source code under the terms of the GNU GPL.
Recommended Instructor Preparation for Learning Activity
Instructor Notes:
Scanning, as a method for discovering exploitable holes in the network has been utilized primarily by hackers for many years but it is steadily becoming common place by system administrators. System administrators needed a way of penetration testing their networks rapidly and that is where Nmap comes into the picture. It allows an administrator to perform numerous scans for surveying the protocols and ports on which a target machine or range of machines is listening. Nmap provides valuable information that can be used to harden network defenses and gain insight as to how an attack may have occurred. In most cases a defensive posture is taken by IT personnel and it is only after an attack has occurred that security becomes a factor. It is important to note that a huge amount of data can be derived from using Nmap and that students should be instructed about acceptable use policies as applicable. Students should also identify resources that will allow them to gain more insight into uses for Nmap. Some of the most common scans will be listed in the next section.
Scan Types and Benefits:
There are numerous scan types that are available with Nmap and all offer valuable information to the Administrator and hacker alike. This is a listing of the most common scans:
· Connect() scanning : This is the most basic form of TCP scanning. The connect() system call provided by most operating systems is designed to open a connection to all interesting ports on a machine or network. In the event the port is listening, connect() will be successful, otherwise a notification that the port isn't reachable will be displayed. Connect scans are the quickest scans supported by Nmap but it is also the easiest to detect and filter. Most notably is when the administrator checks their security logs and it displays numerous connections and error messages alerting them to a potential breach and they will shutdown those ports (in theory).
· SYN scanning : This technique is referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet to the target as if you are going to open a real connection and wait for a response whether it is a ACK or NAK. A SYN ACK indicates the port is listening. Showing that a potential exploit exists. The main advantage to this type of scan is that few sites log this type of activity.
· FIN scanning : SYN scans are usually sent in under the “radar” of most firewalls and IDS’s but some firewalls actually watch for SYN scans on restricted ports so occasionally a deeper scan is required and that is where a FIN scans comes into play. With this scan type, closed ports often reply to FIN packet with the proper RST. Open ports tend to ignore the packet all together.
· Ping Sweep (ICMP echo scanning): Isn't actually a port scan, since ICMP doesn't have a port abstraction. Its main purpose is to scan a large number of hosts to determine if they are up or not. The hosts are all scanned in parallel, allowing this type of scan to be very quick.
· UDP Scan (UDP ICMP port unreachable scanning) : This scanning method is different from most scans as it uses the UDP protocol instead of TCP. While this protocol is less complicated scanning it is more difficult. Due largely in part to the fact that open ports are not required to send a response to our probes.
****NOTE****
There are several other scan types that will be discussed in more detail in the next Nmap lab.
To scan or not to scan, that is the question!
The benefit to scanning a network is that you can use it in your finger printing techniques. A benefit to learning the OS remotely can be extremely valuable since most exploits are based on OS and ports. For instance, you are testing a network and find that Port 80 is active and you want to try and gain access. It is extremely important that you know what OS is running because you can in effect crash the system before you have had the chance to infiltrate the network.
Scanning can also be used in Social Engineering attacks. If you have identified the OS and ports that are open, you can use this information to gain even more valuable information by pretending to be IT support. Simply by telling them that your are “insert name here” from IT and that due to excessive traffic on port “insert port number here” we are trying to tailor the bandwidth to your needs. May I have your USERID and PASSWORD so we can setup the appropriate TxPort channels so your internet connection will be faster? Sadly, this approach is often very successful.
Starting a basic scan:
Recommended Instructor Preparation for Learning Activity
Instructor Notes:
During this portion of the lab the students will install Nmap on the machines. The instructor will have a machine designated as the target host with a static IP address to enable continued scanning of the same IP address. A server running IIS with a web page or an FTP server will add to the realism of the lab. Students can also choose a range of IP addresses that the instructor wants scanned. Have the students take note of the task bar on Nmap that shows all of the command line commands that are used to accomplish the same tasks. The instructor can require the students to take note of all output and have them research potential exploits and counter measures for each exploit.
Steps:
1. The students will start the Nmap program.
2. The students will choose a scan type based on the needs of the scan. (OS finger print, port scan etc.)
3. The students will use the address that was given by the instructor to begin their scan. (ex. 192.168.0.6)
****Choose a ping scan first to show an error message.****
4. The student will enter the address and select ping scan. Then click the scan button.
****Notice the warning about using a ping sweep to conduct OS fingerprints!!! As discussed earlier, Nmap will give an error if the scan you choose doesn’t work.****
5. The student will enter the address and select SYN scan. Then click the scan button.
****The students should take note that not only did the scan reveal open ports, it was able to determine the OS in under 5 seconds!!!!****
****Based on the results of the scan, have students lookup potential exploits of the ports or services and present those to the instructor.****
Interesting ports on HOST (192.168.0.6):
(The 1591 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
5000/tcp open UPnP
Remote operating system guess: Windows 2000/XP/ME
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
****Here is what a typical SYN scan looks like on an Intrusion Detection System:
This is a snort log of a SYN scan.
[**] [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/15-14:45:47.877211 192.168.0.3:10004 -> 202.87.19.229:1002
TCP TTL:255 TOS:0x0 ID:2304 IpLen:20 DgmLen:40
******SF Seq: 0x90AB213 Ack: 0x0 Win: 0x1000 TcpLen: 20
Jul 16 11:52:17 192.168.0.4:1460 -> 192.168.0.3:1109 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1461 -> 192.168.0.3:317 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1462 -> 192.168.0.3:174 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1463 -> 192.168.0.3:504 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1464 -> 192.168.0.3:343 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1465 -> 192.168.0.3:672 SYN ******S*
****
Instructor Notes:
During this portion of the lab the students will be scanning using the UDP protocol. UDP is a connection-less protocol that simply sends out packets and is considered a best effort delivery method. UDP is useful for streaming audio or video. Nmap will send a 0 (zero) byte packet to the ports. When a ICMP port unreachable message is received Nmap believes that the port is closed. If no message is received then the port is considered open. Since UDP is considered unreliable, it is often not monitored. This provides a huge hole in the perimeter of the networks security.
6. The student will enter the address and select UDP scan. Then click the scan button.
****Have the students note that a UDP scan could not identify the OS.****
Instructor Notes:
Have the students look up potential exploits that are unique to UDP protocols and present those to the instructor. A good place to try and gather information about exploits is at:
www.cert.org
www.insecure.org
www.astalavista.com
Instructor Notes:
During this portion of the lab the students will be scanning using the TCP connect scan. TCP is a connection-oriented protocol that attempts to establish a 3 way handshake with the target. If the session is established then the port is considered interesting (open), and if not the scanner moves on to the next port. This provides valuable information to a would be hacker about the security of your network.
7. The student will enter the address and select TCP connect scan. Then click the scan button.
****This scan doesn’t provide verbose amounts of information but when you only need to see if you can connect with the host there is no need for extra information…..yet.****
Typical output from an Intrusion Detection System by a TCP connect scan.
[**] [100:2:1] spp_portscan: portscan status from 192.168.0.4: 261 connections across 1 hosts: TCP(261), UDP(0) [**]
07/16-12:01:44.071271
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/16-12:01:46.050056 192.168.0.4 -> 192.168.0.3
ICMP TTL:45 TOS:0x0 ID:17750 IpLen:20 DgmLen:28
Type:8 Code:0 ID:31266 Seq:8282 ECHO
[Xref => http://www.whitehats.com/info/IDS162]
Jul 16 12:19:39 192.168.0.4:2418 -> 192.168.0.3:7006 SYN ******S*
Jul 16 12:19:39 192.168.0.4:2419 -> 192.168.0.3:7006 SYN ******S*
Jul 16 12:19:39 192.168.0.4:2420 -> 192.168.0.3:7006 SYN ******S*
Instructor Notes:
How does a three way handshake work?
8. The student will enter the address and select SYN scan with the verbose option selected. Then click the scan button.
****First select the verbose option located under the options tab.****
****Then select SYN scan and press scan.****
Pay particular attention to the output from the scan.
Instructor’s notes:
Point out to the students that the sequence numbers are being displayed and why this information can be used in a playback type of attack. Especially since the increments are only by one for every packet.
Instructor Notes:
At the end of this portion the students should have a basic knowledge of how to use Nmap and its capabilities. Provide adequate time for the students to use and practice with the GUI and command line versions. As practice is needed to become more proficient.
Nmap Quiz:
1. Why would an administrator want to scan their own system or network?
2. What is the major difference between a TCP connect and a UDP scan?
3. Using Nmap, provide a scan of additional hosts and document the different results.
4. Using Nmap, provide a scan of the same host using all available scan options.
5. What information is gained by running a scan with the verbose options selected?
6. In the process of identify potential exploits, what additional knowledge was gained?
7. Why is it important to perform an OS fingerprint?
8. Why should ICMP be disabled on a network?
9. Why is UDP used to scan a network more than TCP scans?
10. When using GUI version of Nmap versus the command line, what is the benefit to using one over the other?
Common Flags and Settings:
These settings are taken directly from the MAN pages and are considered free to distribute. Feel free to allow the students to practice with both the GUI version of Nmap and the command line Nmap.
OPTIONS:
Most options sets within Nmap can be utilized together. There are however, some options that are specific to certain scan modes and Nmap will warn you of a combination of options are unsupported or not allowed.
SCAN TYPES
-sS TCP SYN scan: This technique is often referred to as "half-open"
scanning, because you don’t open a full TCP connection. You send
a SYN packet, as if you are going to open a real connection and
you wait for a response. A SYN|ACK indicates the port is listen-
ing. A RST is indicative of a non-listener. If a SYN|ACK is
received, a RST is immediately sent to tear down the connection
(actually our OS kernel does this for us). The primary advantage
to this scanning technique is that fewer sites will log it.
Unfortunately you need root privileges to build these custom SYN
packets. This is the default scan type for privileged users.
-sT TCP connect() scan: This is the most basic form of TCP scanning.
The connect() system call provided by your operating system is
used to open a connection to every interesting port on the
machine. If the port is listening, connect() will succeed, oth-
erwise the port isn’t reachable. One strong advantage to this
technique is that you don’t need any special privileges. Any
user on most UNIX boxes is free to use this call.
This sort of scan is easily detectable as target host logs will
show a bunch of connection and error messages for the services
which accept() the connection just to have it immediately shut-