Host Security Analysis with Nmap

Why would you Scan?

– To collect empirical data to help secure your infrastructure

– Detect and resolve Nmap bugs and performance issues through the large scale scanning.

– Demonstrate useful techniques for routine scans

Scan Challenges ?

– P2P scanning?– Legal issues– ISP response– Network Conditions

Can you member anything from this?

What is NMAP?Nmap, short for "network mapper", is an open source utility which can quickly scan broad ranges of devices and provide valuable information about the devices on your network. It can be used for IT auditing and asset discovery as well as for security profiling of the network.

Supported Platform – – Linux/Unix– MAC– Windows

What is NMAP?

What does Nmap do?

It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Namp Process

– If hostname use as target, nmap will perform dns lookup to scan. But if ip address use as target, dns lookup will not process

– Nmap pings the romote device. Can disable ping with option (- Pn)

– If IP address is specified as the remote host, Reverse DNS will occur. We can use option (-n) to disable if we think it is not necessary

– Nmap executes the scan.

Some of Scan Types

Connect PING

FIN, Xmas, Null IP Protocol Scan

UDP Scan Windows Scan

ACK Scan List Scan

RPC Scan

SYN Stealth

Nmap Basic – first scan

Nmap Basic – TCP SYN Scan (-sS)

– Allow nmap to gather information about open ports without completing the TCP handshake process.

– By default if nmap scan option isn’t specified on the command line, TCP SYN scan is use

[~]$ namp --sS -v 172.16.0.111

Nmap Basic – TCP SYN Scan (-sT)

– Allow nmap to gather information about open ports with completing the TCP handshake process.

[~]$ nmap –sT –v 172.16.0.111

Nmap Basic – PING Scan (-sP)

– Ping Scan is a quickest scan that nmap perform. – It is useful to determine remote hosts are up or down.

[~]$ nmap -v -sP 172.16.0.111 --packet_trace

Nmap Basic – Version check (-sV)

– Gather version of application of remote host

– The version detection scan runs automatically if the Aggressive Scan (-A) is selected.

[~]$ nmap -v -sV -A 172.16.0.111

Nmap Basic – UDP Scan (-sV)

– UDP has no need to process 3 way handshake or SYN, FIN, and RST.

[~]$ nmap -v -sU -A 172.16.0.111 --packet_trace

Nmap Basic – ACK Scan (-sA)

– ACK Scan to determine port filter or unfilter

[~]$ nmap -v -sA 172.16.0.111

Nmap output loggingThere are couple of options to save the output.

– Normal Format (-oN <Logfilename>)#nmap -sS -v 172.16.0.111 --packet_trace -oN nmap_output

– XML Format (-oX <Logfilenmae>) #nmap -sS -v 172.16.0.111 --packet_trace -oN nmap_output

– Grepable Format (-oG <filename>) #nmap -sS -v 172.16.0.111 --packet_trace -oG nmap_output

– All Formats (-oA <filename>), it will create 3 different output (Normal, XML, grepable output) #nmap -sS -v 172.16.0.111 --packet_trace -oA nmap_output

Vulnerability check with Nmap– Nmap can be used to check target host vulnerability. It has an scripting options by-default, named NSE Nmap Scripting Engine.– Advanced user can create their own script according to their need.– Location of nmap scripting directory

Questions ????

1. Do the exercise

– install nmap

– run a scan to you fellow partner

– check the output and study