CMP2007M – Networks and Network Systems Workshop 6
Part 1 – Outline
To complete this entire workshop correctly should take you two weeks, so this workshop will be for this week and next week’s sessions.
We are going to look at the final tool for active network analysis that we are to use in this module. This tool is used as part of network security and so would be useful for your assignments. Treat this session as an assessment support session. This tool complements Wireshark and is used to identify particular machines and structures of networks. This tool is called nmap.
Task 1 – Install
As always, your first task is to download and install the software, in this case it is nmap. It can be found here: http://nmap.org/download.html
Once you have installed it, open it up along with Wireshark, we will use these two together in this workshop.
Task 2 – Testing the water
This is the first and most basic form of network scan that can be done with nmap: detecting hosts that are alive and responding on the network. Lines preceded with a ‘$’ are nmap commands to be typed at the command prompt.
First try:
$ nmap -sP 192.168.5.1-254
This will scan ALL machines on a particular subnet. Once this has run, try:
$ nmap -sP 192.168.0.1-254
Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-09 21:42 GMT Standard Time
Nmap scan report for routerlogin.net (192.168.0.1)
Host is up (0.0010s latency).
MAC Address: 9C:D3:6D:45:56:5F (Netgear,)
Nmap scan report for 192.168.0.7
Host is up (0.0020s latency).
MAC Address: 00:1E:E5:94:FF:FD (Cisco-Linksys)
Nmap scan report for 192.168.0.106
Host is up (0.0010s latency).
MAC Address: 00:1A:A0:4E:3C:A5 (Dell)
Nmap scan report for 192.168.0.2
Host is up.
Nmap done: 254 IP addresses (4 hosts up) scanned in 1.92 seconds
In the above command we scan all IP addresses from 192.168.0.1 to 192.168.0.254. That range can be specified with the short syntax 192.168.0.1-254.
When doing ping sweeps, nmap tries reverse DNS resolution of the target IP addresses. This is generally not needed and can be disabled with the -n option.
$ nmap -sP -n 192.168.1.1-255
Ok so let’s move on and do more scanning with the tool.
Task 3 – Port scan a host
To port scan a particular host, the command would be:
$ nmap 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-09 22:02 GMT Standard Time
Nmap scan report for routerlogin.net (192.168.0.1)
Host is up (0.0055s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 9C:D3:6D:45:56:5F (Netgear,)
Nmap done: 1 IP address (1 host up) scanned in 2.88 seconds
Now try this address:
$ nmap 82.7.137.59
What machine is this? Try tracert and ping on this address (remember these from a previous workshop?).
That’s the simplest command to issue with nmap. Nmap performs a scan to discover open ports on the target host, which can be given as an IP address or as a host/domain name. Nmap reports the port number, its state and the service that port number is associated with. For example, port 80 is for HTTP; if the HTTP port is open then the target system is most probably serving web pages.
Try some more common IP addresses or domain names: Google, Microsoft, Yahoo, eBay etc.
If you wish to dig deeper and analyse what nmap is doing behind the scenes, you can use a packet sniffer like Wireshark (which we used last week) to analyse the packets that nmap is generating and sending.
Task 4 – Getting the service / banner version info
Nmap can try to get the version number or banner of each of the services running on the host. The -sV flag is used for this:
$ nmap -sV localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-09 22:09 GMT Standard Time
Skipping SYN Stealth Scan against 192.168.0.2 because Windows does not support
scanning your own machine (localhost) this way.
Nmap scan report for 192.168.0.2
Host is up.
PORT STATE SERVICE VERSION
1/tcp unknown tcpmux
3/tcp unknown compressnet
4/tcp unknown unknown
6/tcp unknown unknown
7/tcp unknown echo
9/tcp unknown discard
13/tcp unknown daytime
17/tcp unknown qotd
19/tcp unknown chargen
20/tcp unknown ftp-data
21/tcp unknown ftp
22/tcp unknown ssh
23/tcp unknown telnet
24/tcp unknown priv-mail
25/tcp unknown smtp
26/tcp unknown rsftp
30/tcp unknown unknown
32/tcp unknown unknown
33/tcp unknown dsp
37/tcp unknown time
42/tcp unknown nameserver
43/tcp unknown whois
49/tcp unknown tacacs
53/tcp unknown domain
70/tcp unknown gopher
79/tcp unknown finger
80/tcp unknown http
That’s lots of information!! For each port you get the port number, the service name, the version/banner information etc.
Try it on something online…. say – www.google.com 😉
Task 5 – Types of port scan
Nmap does port scanning in a number of ways, such as TCP connect, SYN scan, FIN scan etc. The most popular are TCP connect and SYN scan. In a TCP connect scan a full TCP connection is established; in a SYN scan only a half connection is established. When running as non-root on Linux, nmap does a TCP connect scan by default:
$ nmap 192.168.0.1
SYN scanning requires root privileges on Linux systems; on Ubuntu you have to use sudo. To do a SYN scan use the -sS option like this, on Windows or Linux:
$ nmap -sS 192.168.0.1
SYN scanning is faster since it does not complete a full TCP handshake. It is to some extent stealthier as well, since old-style firewalls may not detect SYN scans because no full connection is established. However, modern firewalls can very well catch SYN packets, detect port scanning attempts and stop the hacker right away.
However, note that when nmap is run as root the default scanning technique is the SYN scan. So the following are equivalent, since in both cases nmap is running as root:
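The difference between the two scan types is visible in the packets themselves, which is exactly what a firewall or IDS looks at. As an added example (not part of the workshop, and not nmap code), here is a small Python detector run over constructed packet summaries of the kind you would read off Wireshark: it follows each SYN-initiated flow and flags a source that touches several ports, noting whether the flows show the half-open (SYN/ACK answered with RST) pattern of -sS or the completed handshake of a connect scan. The packet list, function names and threshold are my own assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, sport, dport, TCP flags), as you
# would read them off Wireshark's Info column; not a real capture. Host
# 192.168.0.2 probes three ports on the router the -sS way, while
# 192.168.0.106 makes one ordinary web connection.
PACKETS = [
    ("192.168.0.2", "192.168.0.1", 40001, 22, "S"),     # probe
    ("192.168.0.1", "192.168.0.2", 22, 40001, "SA"),    # port open
    ("192.168.0.2", "192.168.0.1", 40001, 22, "R"),     # scanner aborts
    ("192.168.0.2", "192.168.0.1", 40002, 80, "S"),
    ("192.168.0.1", "192.168.0.2", 80, 40002, "SA"),
    ("192.168.0.2", "192.168.0.1", 40002, 80, "R"),
    ("192.168.0.2", "192.168.0.1", 40003, 23, "S"),
    ("192.168.0.1", "192.168.0.2", 23, 40003, "RA"),    # port closed
    ("192.168.0.106", "192.168.0.1", 51000, 80, "S"),   # normal client
    ("192.168.0.1", "192.168.0.106", 80, 51000, "SA"),
    ("192.168.0.106", "192.168.0.1", 51000, 80, "A"),   # handshake done
]

def classify_flows(packets):
    """Label each SYN-initiated flow: 'connect' (handshake completed),
    'half_open' (SYN/ACK answered with RST: the -sS pattern), 'closed'
    (server replied RST/ACK), or 'pending'/'synack' if it never finished.
    Result is keyed by (client, server, server_port)."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":                       # new flow from the client
            flows[(src, dst, sport, dport)] = "pending"
            continue
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flows.get(rev) == "pending":        # reply from the server
            flows[rev] = "closed" if "R" in flags else "synack"
        elif flows.get(fwd) == "synack":       # client's third packet
            flows[fwd] = "half_open" if "R" in flags else "connect"
    return {(c, s, dp): lab for (c, s, sp, dp), lab in flows.items()}

def detect_scanners(packets, min_ports=3):
    """Source/target pairs that touched at least min_ports distinct ports,
    with how many of those flows showed the half-open (SYN scan) pattern."""
    touched, half_open = defaultdict(set), defaultdict(int)
    for (client, server, port), label in classify_flows(packets).items():
        touched[(client, server)].add(port)
        if label == "half_open":
            half_open[(client, server)] += 1
    return {pair: {"ports": len(ps), "half_open": half_open[pair]}
            for pair, ps in touched.items() if len(ps) >= min_ports}
```

A connect scan (-sT) produces the same port count but a half_open count of zero, which is why the page's claim that SYN scans are "stealthier" only holds against devices that log completed connections rather than SYN packets.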
Additional Task:
Look up the -sF, -sX, -sA and -sN flags for more information on those scan types.
Task 6 – Scanning specific ports only
Nmap can be instructed to scan specific ports or a range of port numbers by using the -p switch as follows:
$ nmap -p1-1000 192.168.1.1/24
The above command would scan port numbers 1 to 1000 on all machines from 192.168.1.1 to 192.168.1.255.
$ nmap -p22,23,100-150 192.168.10.0/24
The above will scan port numbers 22, 23 and 100 to 150.
$ nmap -sU -pT:21,22,23,U:53,137 192.168.10.0/24
The above will scan TCP ports 21, 22 and 23 and UDP ports 53 and 137.
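As an added example (not part of the workshop, and not nmap's own code), here is a small Python parser for the -p syntax used in the three commands above, so you can check how many ports a specification actually covers before running a scan. The function names are my own; it handles only the forms shown on this page.

```python
def parse_port_spec(spec, default_proto="T"):
    """Expand an nmap -p specification into {"T": set(), "U": set()}.

    Handles the forms used in this workshop: "1-1000", "22,23,100-150"
    and "T:21,22,23,U:53,137". A T: or U: prefix applies to every item
    that follows it until the next prefix, which is how nmap reads it.
    (nmap also accepts forms such as "-" for all ports; not handled here.)
    """
    ports = {"T": set(), "U": set()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port spec %r" % spec)
        if ":" in item:
            prefix, item = item.split(":", 1)
            proto = prefix.upper()
            if proto not in ports:
                raise ValueError("unknown protocol prefix %r" % prefix)
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ports[proto].update(range(lo, hi + 1))
    return ports


def count_ports(spec):
    """Number of (port, protocol) pairs a -p spec will probe per host."""
    p = parse_port_spec(spec)
    return len(p["T"]) + len(p["U"])
```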
Skipping online check
Nmap by default first checks whether a host is online by pinging it. If the host does not respond, nmap will not port scan it. Many hosts nowadays have firewalls installed that block ping requests. In such cases nmap can be instructed not to check whether the host is online and to start the port scan right away. This is done using the -PN option:
$ nmap 192.168.1.1 -PN
Task 7 – Operating System detection
Nmap can try to find out the operating system of the target system by doing some fingerprinting. This is done with the -O switch. It also needs root privileges, since it uses raw sockets. Also note that if you are running a firewall such as Firestarter on Linux or ZoneAlarm on Windows, the firewall may block raw sockets and as a result nmap will fail to show proper results.
$ nmap -O 192.168.1.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-09 22:23 GMT Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
1900/tcp open upnp
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.52 seconds
So nmap is able to detect that the operating system is Linux. It is important to note that the OS fingerprint reported by nmap may not be very accurate. It tries to identify the operating system from certain TCP header fields, so this technique cannot tell the exact Linux distribution, for example. It can, however, in most cases give a correct indication of whether the target is a Linux or Windows system.
Aggressive scanning
The -A option can be used to perform an aggressive scan which is equal to – “enable OS detection and Version detection, Script scanning and Traceroute”
Try it out on one of the previous IP addresses.
$ nmap -A -T4 IPADDRESS
A new parameter, -T, has been used in the above example. The -T parameter adjusts the speed of the scan; it takes values from 0 to 5, 0 being the slowest and 5 the fastest. Here we used 4.
Apart from open ports, and operating system details, we also have the traceroute output.
Saving output to file
Nmap can save the scan results in various file formats, such as normal text, XML etc. The options are -oN, -oX, -oS, -oG and -oA; -oA = -oN + -oX + -oG.
Quick example
$ nmap -sP -n 192.168.1.1-255 -oA lan_scan.txt
The above will create the files lan_scan.txt.gnmap, lan_scan.txt.nmap and lan_scan.txt.xml. The lan_scan.txt.nmap file looks like the sample reproduced at the end of this handout.
Part 2 – Assignment
As you know, in the assessment brief you have been asked to ensure that some of the rooms in the ACME Smart home are secure. Therefore, using the tool you have been learning, along with Wireshark and other tools, you are now able to test your network.
Task 1 – Network Construction
Using the network equipment provided (cables, and switches), set up some of the lab computers so that they resemble the configuration you would like to have in your assessment. Using configuration tools, and network tools, test the configuration of this network to ensure it meets the requirements of the assessment brief.
Make sure to take lots of photos and screen shots to put in your assignment.
Make sure that you correctly subnet your private networks and close down any ports that might allow a security breach.
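The saved -oN/-oA normal output from the previous section is the natural input for checking the assignment network: which hosts answered, and whether any open port is one you did not intend to leave open. As an added example (not part of the workshop, and not nmap code), here is a Python parser for that format with an allowlist check; the sample output, host list, allowlist and function names are all my own constructions modelled on the Task 3 and Task 7 reports above.

```python
import re

# Constructed sample in nmap's normal (-oN / -oA .nmap) format, modelled on
# the Task 3 and Task 7 reports in this workshop; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 6.40 scan initiated Sun Feb  9 22:02:00 2014 as: nmap -oN lab.nmap 192.168.0.1-254
Nmap scan report for routerlogin.net (192.168.0.1)
Host is up (0.0055s latency).
Not shown: 994 closed ports
PORT      STATE    SERVICE
22/tcp    filtered ssh
53/tcp    open     domain
80/tcp    open     http
1900/tcp  open     upnp
Nmap scan report for 192.168.0.106
Host is up (0.0010s latency).
PORT      STATE    SERVICE
23/tcp    open     telnet
445/tcp   open     microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_output(text):
    """Return {ip: [(port, proto, state, service), ...]} from normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # new host section
            current = m.group(1)
            hosts[current] = []
        elif current is not None:
            m = PORT_RE.match(line)             # one port line
            if m:
                port, proto, state, service = m.groups()
                hosts[current].append((int(port), proto, state, service))
    return hosts

def unexpected_open_ports(hosts, allowed):
    """Open ports not in the per-host allowlist of (port, proto) pairs.
    A host with no allowlist entry is not supposed to be on the network,
    so every open port on it is reported."""
    findings = []
    for ip, entries in hosts.items():
        for port, proto, state, service in entries:
            if state == "open" and (port, proto) not in allowed.get(ip, set()):
                findings.append((ip, port, proto, service))
    return findings
```

Filtered ports are deliberately not reported: they are already being blocked, and the assignment asks you to close what is reachable.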
— End of Workshop –
Note: a REALLY useful resource! – http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
# Nmap 5.21 scan initiated Thu Aug 16 15:33:45 2012 as: nmap -sP -n -oA lan_scan.txt 192.168.1.1-255
Nmap scan report for 192.168.1.1
Host is up (0.0073s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.101
Host is up (0.00021s latency).
# Nmap done at Thu Aug 16 15:33:48 2012 -- 255 IP addresses (3 hosts up) scanned in 2.51 seconds