The other day a customer was asking me what services were running on their machine. Because security and policy reasons kept us from logging in to the customer's servers, the only way for us to verify the services they were running was by using NMAP, the free open source network exploration utility for network discovery and security auditing. There are several types of scans you can do, such as discovery of the 1000 most common ports, full TCP or UDP scans of all 65535 ports, discovery of live IPs in a range or block of IPs, and much more. Find below a summary of the most frequent types of NMAP scans:
Discover IPs in a Subnet through Ping Scan
$ nmap -sP 192.168.0.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2015-08-28 11:47 MST
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.0.33
Host is up (0.0051s latency).
Nmap scan report for 192.168.0.105
Host is up (0.0018s latency).
A quick and dirty command known as a ping scan. This tells nmap to send an ICMP echo request (ping), a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to every host in the specified subnet, without port scanning any of them. nmap returns the list of IPs in the range that responded, i.e. the hosts that are up. Note that -sP is the old spelling of this option; newer nmap releases call it -sn, but still accept -sP.
Scan for 1000 most common ports on a Subnet
$ nmap 192.168.0.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2015-08-28 11:00 MST
Nmap scan report for 192.168.0.1
Host is up (0.0043s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
If you specify no flags, NMAP scans the 1000 most common ports using a TCP SYN scan (when run as root; an unprivileged user gets a full TCP connect scan instead, which is slower and noisier). In this case, because we're scanning a /24 IP block, it also covers the whole 255 IPs in the range. This can take at least a few minutes.
Identify Operating Systems with NMAP
$ nmap -O 184.108.40.206
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-28 06:50 UTC
Nmap scan report for 220.127.116.11
Host is up (0.00080s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
MAC Address: BC:76:4E:08:95:6D (Rackspace US)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
OS detection performed.
Nmap done: 1 IP address (1 host up) scanned in 22.55 seconds
It's possible to detect the operating system behind an IP address. In the security and hacking industry, when looking for exploits or vulnerabilities in company servers, it's important to identify the operating system correctly, because that determines which rootkits, exploits and tools apply when mounting an attack or a pentest. Correctly identifying a machine is critical to security. OS detection needs raw packet access (root) and works best when the target has at least one open and one closed TCP port, as in the output above.
Find DNS Hostnames in a Range
$ nmap -sL 18.104.22.168/24
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-28 06:54 UTC
Nmap scan report for 22.214.171.124
Nmap scan report for 126.96.36.199
Nmap scan report for 188.8.131.52
Nmap scan report for 184.108.40.206
Nmap scan report for 220.127.116.11
Nmap scan report for 18.104.22.168
Nmap scan report for 22.214.171.124
Nmap scan report for 126.96.36.199
Nmap scan report for rack-pfc-acc-02.somedreams.com (188.8.131.52)
It's possible to determine the hostname of every IP address in a range. A list scan (-sL) sends no probes to the targets at all; it only performs reverse DNS lookups, so it is the quietest scan nmap offers. When performing security scans, exploits or just general pentesting, one can gather and collect information about the domains associated with a machine. By doing this one is able to understand which DNS server or record is vulnerable, and it allows the security analyst to find out more about the company and its associated infrastructure. For instance, when combined with dig and whois it's possible to reveal more information about any given IP and domain.
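All of the scans above produce output that someone has to read by eye. For the use case that started this post (verifying which services a customer's machines expose without logging in to them) it is more useful to have nmap write its report as XML (-oX report.xml) and compare the result against what the hosts are supposed to run. The following Python script is an added example, not part of the original post or of the nmap project: it parses nmap's XML report into an inventory, covering host status from the ping scan, open ports from the port scan, the OS match from -O and the PTR hostname that a list scan resolves, then reports hosts that are not in an expected-asset list, open ports that should not be there, and expected ports that have disappeared. The XML document and the BASELINE table are constructed to mirror the output shown above; they are not captured from a real scan.

```python
"""Turn an nmap XML report into a host/service inventory and audit it.

Added example for this post. The XML below is constructed to resemble what
`nmap -O -oX report.xml 192.168.0.0/24` emits, trimmed to the elements this
script reads; it is not output from a real scan.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample report: three hosts up (one with no port data, as a ping
# scan would give), one host down.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -O -oX report.xml 192.168.0.0/24" version="6.47">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <address addr="BC:76:4E:08:95:6D" addrtype="mac" vendor="Rackspace US"/>
    <hostnames><hostname name="rack-pfc-acc-02.somedreams.com" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="998"/>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32 - 3.10" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.33" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.105" addrtype="ipv4"/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

Port = Tuple[str, int]  # (protocol, port number)


@dataclass
class Host:
    ip: str
    hostname: Optional[str]
    os_guess: Optional[str]
    open_ports: Set[Port] = field(default_factory=set)


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Return one Host per host nmap reports as up; down hosts are skipped."""
    hosts: List[Host] = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in h.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        hn = h.find("hostnames/hostname")     # absent when no PTR record
        osm = h.find("os/osmatch")            # absent unless -O matched
        host = Host(ip, hn.get("name") if hn is not None else None,
                    osm.get("name") if osm is not None else None)
        for p in h.findall("ports/port"):
            st = p.find("state")
            # Only "open" counts; filtered/closed ports are not services.
            if st is not None and st.get("state") == "open":
                host.open_ports.add((p.get("protocol"), int(p.get("portid"))))
        hosts.append(host)
    return hosts


# Constructed baseline: what each known host is supposed to expose.
BASELINE: Dict[str, Set[Port]] = {
    "192.168.0.1": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.168.0.33": {("tcp", 22)},
}


def audit(hosts: List[Host], baseline: Dict[str, Set[Port]]) -> dict:
    """Diff the scan against the baseline: unknown hosts, extra and missing ports."""
    findings: dict = {"unknown_hosts": [], "unexpected_ports": {}, "missing_ports": {}}
    for host in hosts:
        expected = baseline.get(host.ip)
        if expected is None:
            findings["unknown_hosts"].append(host.ip)
            continue
        extra, missing = host.open_ports - expected, expected - host.open_ports
        if extra:
            findings["unexpected_ports"][host.ip] = sorted(extra)
        if missing:
            findings["missing_ports"][host.ip] = sorted(missing)
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for host in inventory:
        print(host.ip, host.hostname or "-", host.os_guess or "-",
              sorted(host.open_ports))
    print(audit(inventory, BASELINE))
```

Running this on a real report is just a matter of replacing SAMPLE_XML with the contents of the file written by -oX. The three findings map onto the three things a customer usually wants to know: a host nobody inventoried (192.168.0.105 here), a service that should not be listening (MySQL on 192.168.0.33), and an expected service that is gone (SSH on 192.168.0.1), which is as likely to be a firewall change as an outage.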