Port Scanning with NMAP

The other day a customer asked me what services were running on their machine. Because security and policy reasons prevented us from logging in to the customer's servers, the only way to verify which services they were running was to use NMAP, the free open source network exploration utility for network discovery and security auditing. There are several types of scan you can do, such as discovery of the 1000 most common ports, full TCP or UDP scans of all 65535 ports, discovery of live IPs in a range or block of IPs, and much more. Below is a summary of the most frequent types of NMAP scan:

Discover IPs in a Subnet through a Ping Scan

 $ nmap -sP 192.168.0.0/24
 Starting Nmap 5.21 ( http://nmap.org ) at 2015-08-28 11:47 MST
 Nmap scan report for 192.168.0.1
 Host is up (0.0010s latency).
 Nmap scan report for 192.168.0.33
 Host is up (0.0051s latency).
 Nmap scan report for 192.168.0.105
 Host is up (0.0018s latency).

A quick and dirty command known as a ping scan. This tells nmap to send an ICMP echo request (ping), a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to every host in the specified subnet. nmap returns the list of IPs in the range that responded, i.e. the hosts that are up/alive.

Scan for the 1000 Most Common Ports on a Subnet

 $ nmap 192.168.0.0/24
 Starting Nmap 5.21 ( http://nmap.org ) at 2015-08-28 11:00 MST
 Nmap scan report for 192.168.0.1
 Host is up (0.0043s latency).
 Not shown: 998 closed ports
 PORT    STATE SERVICE
 80/tcp  open  http
 443/tcp open  https

If no flags are given, NMAP scans the 1000 most common ports using TCP SYN. In this case, because we are scanning a /24 IP block, it covers all 255 IPs in the range too, so it can take at least a few minutes to complete.

Identify Operating Systems with NMAP

 $ nmap -O 162.13.136.212
 Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-28 06:50 UTC
 Nmap scan report for 162.13.136.211
 Host is up (0.00080s latency).
 Not shown: 998 filtered ports
 PORT    STATE  SERVICE
 80/tcp  open   http
 443/tcp closed https
 MAC Address: BC:76:4E:08:95:6D (Rackspace US)
 Device type: general purpose
 Running: Linux 2.6.X|3.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
 OS details: Linux 2.6.32 - 3.10
 Network Distance: 1 hop

 OS detection performed.
 Nmap done: 1 IP address (1 host up) scanned in 22.55 seconds

It's possible to detect the operating system behind an IP address. In the security and hacking industry, when looking for exploits or vulnerabilities in company servers, it's important to identify the operating system correctly. This allows one to mount attacks, or pentests, with the correct rootkits, exploits and tools. Correctly identifying a machine is critical to security.

Find DNS Hostnames in a Range

 $ nmap -sL 162.13.136.0/24
 Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-28 06:54 UTC
 Nmap scan report for 162.13.136.0
 Nmap scan report for 162.13.136.1
 Nmap scan report for 162.13.136.2
 Nmap scan report for 162.13.136.3
 Nmap scan report for 162.13.136.4
 Nmap scan report for 162.13.136.5
 Nmap scan report for 162.13.136.6
 Nmap scan report for 162.13.136.7
 Nmap scan report for rack-pfc-acc-02.somedreams.com (162.13.136.8)

It's possible to determine the hostname of every IP address in a range. A list scan (-sL) only performs reverse-DNS lookups and sends no packets to the targets themselves, which is why the report above shows no "Host is up" lines. When performing security scans, exploits or just general pentesting, one can gather information about the domains associated with a machine. By doing this one is able to understand which DNS server or record is vulnerable, and it allows the security analyst to find out more about the company and its associated infrastructure. For instance, when combined with dig and whois, it's possible to reveal more information about any given IP and domain.
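
Coming back to the original question (which services are actually exposed on the customer's machine), the useful follow-up to each of the scans above is to turn nmap's normal output into structured data and compare it against what should be there. The script below is an added example, not part of the original post and not nmap's own code: it parses the report lines shown in the ping scan, port scan, OS detection and list scan sections above, then flags every open port that is not on a per-host allowlist and lists the reverse-DNS names a list scan resolved. The sample output it runs on is constructed from the reports on this page (with one extra open port, 22/tcp on 162.13.136.211, added so the allowlist check has something to find); the allowlist itself is an assumed example of what a customer might declare as expected services.

```python
"""Parse nmap 'normal' output into per-host records and check them against
an allowlist of expected services. Added example; not nmap's own code.
Only the line kinds that appear in the reports above are handled."""
import re

# Constructed sample assembled from the reports on the page, so the script
# runs offline without nmap or network access. 22/tcp on .211 is added here
# to give the allowlist check an unexpected service to report.
SAMPLE_OUTPUT = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-28 06:50 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
Not shown: 998 closed ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp open   https
Nmap scan report for 162.13.136.211
Host is up (0.00080s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
22/tcp  open   ssh
MAC Address: BC:76:4E:08:95:6D (Rackspace US)
OS details: Linux 2.6.32 - 3.10
Nmap scan report for rack-pfc-acc-02.somedreams.com (162.13.136.8)
Nmap done: 3 IP addresses (2 hosts up) scanned in 22.55 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<ip2>[\d.]+))$")
# Rows of the PORT/STATE/SERVICE table, e.g. "443/tcp closed https"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap_output(text):
    """Return one dict per 'Nmap scan report' block, in report order."""
    hosts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m.group("ip") or m.group("ip2"),
                       "hostname": m.group("name"),  # None unless rDNS resolved
                       "up": False, "ports": [], "os": None}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first report
        if line.startswith("Host is up"):
            current["up"] = True  # a list scan (-sL) never emits this line
        elif line.startswith("OS details:"):
            current["os"] = line.split(":", 1)[1].strip()
        else:
            m = PORT_RE.match(line)
            if m:
                current["ports"].append({
                    "port": int(m.group("port")), "proto": m.group("proto"),
                    "state": m.group("state"), "service": m.group("service")})
    return hosts


def unexpected_open_ports(hosts, allowlist):
    """allowlist maps ip -> set of 'port/proto' expected to be open.
    Returns (ip, 'port/proto', service) for every open port not allowed;
    a host absent from the allowlist has all of its open ports reported."""
    findings = []
    for h in hosts:
        expected = allowlist.get(h["ip"], set())
        for p in h["ports"]:
            key = f"{p['port']}/{p['proto']}"
            if p["state"] == "open" and key not in expected:
                findings.append((h["ip"], key, p["service"]))
    return findings


def resolved_names(hosts):
    """Map ip -> reverse-DNS name for every host the scan could name."""
    return {h["ip"]: h["hostname"] for h in hosts if h["hostname"]}


if __name__ == "__main__":
    scanned = parse_nmap_output(SAMPLE_OUTPUT)
    # Assumed allowlist: what the customer says should be reachable.
    allow = {"192.168.0.1": {"80/tcp", "443/tcp"}, "162.13.136.211": {"80/tcp"}}
    for ip, key, svc in unexpected_open_ports(scanned, allow):
        print(f"UNEXPECTED {ip} {key} ({svc})")
    for ip, name in resolved_names(scanned).items():
        print(f"{ip} -> {name}")
```

Feed it real output with `nmap ... > scan.txt` and `parse_nmap_output(open("scan.txt").read())`; for anything beyond a quick check, nmap's XML output (`-oX`) is the stable format to parse, since the normal output is meant for humans and its layout can change between versions.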

Pending completion.