
Tactical Nmap for Beginners Network Reconnaissance «Null Byte :: WonderHowTo



When it comes to attacking devices on a network, you can't attack what you can't see. Nmap allows you to explore all devices connected to a network, find out which operating system a device is running, and see which programs are listening on open ports.

Network Reconnaissance for Beginners

Having gained access to a Wi-Fi, Ethernet or remote network, the first step for most hackers is to perform reconnaissance to explore the network and learn more about all the available targets. You may be familiar with some devices that announce themselves on a network, such as other computers advertising file sharing. While this is a useful way of discovering devices on the same network as you, most devices do not advertise their presence on the network in such an obvious way.

The solution to the problem of exploring a network is network scanning, made possible by programs such as Nmap and arp-scan. We are only interested in the former here, since it enables very detailed exploration and mapping of local and remote networks, but we can also use Nmap to perform an ARP scan, as you will see later. With Nmap you can see who is on the network, what applications or operating systems a target is running, and what the available attack surface is.

Using Nmap on a Local Network

Running an Nmap scan is often the best way to find out the size of the network and the number of devices connected to it. By performing a "fast" Nmap scan ( -F ) against a network range, you can create a list of all IP addresses that belong to active hosts on the network, plus some extra information.

  sudo nmap -F 192.168.0.0/24

Starting Nmap 7.70 (https://nmap.org) at 2018-11-10 22:55 PST
Nmap scan report for 192.168.0.1
Host is up (0.048s latency).
Not shown: 96 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
MAC Address: AC:EC:80:00:EA:17 (Arris Group)

Nmap scan report for 192.168.0.35
Host is up (0.065s latency).
Not shown: 93 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: C4:8E:8F:38:61:93 (Hon Hai Precision Ind.)

Nmap scan report for 192.168.0.232
Host is up (0.032s latency).
All 100 scanned ports on 192.168.0.232 are closed
MAC Address: 60:A3:7D:30:24:60 (Apple)

The information provided, along with some basic details about the services a device is running, can be used as a list of targets for other hacking tools, but what Nmap can do goes far beyond simple host detection.

The amount of information an Nmap scan can collect on a local network is impressive, including the MAC address and manufacturer of connected devices, the operating system a device uses, and the version of every service running on the device. Once you know how many devices are on the network and roughly what they are, the next step is to scan and investigate the devices of interest on the network.

Another key feature of Nmap is port scanning of individual devices or of IP address ranges containing many devices. This allows an attacker to learn the minute details of a device they have discovered on a network, including which ports are open and which services are running. Ports are gateways that another device can connect to, so finding a lot of services running on open ports can be a big advantage for a hacker, especially if one of them is an outdated and vulnerable version.

Using Nmap for Remote Networks

In addition to scanning local networks, Nmap can also gather information about remote networks. In fact, you can run Nmap against a website you want to investigate, and it will resolve the domain and retrieve the IP address associated with it.

  nmap -F wonderhowto.com

Starting Nmap 7.60 (https://nmap.org) at 2018-11-11 23:20 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.14s latency).
Not shown: 95 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
80/tcp  open     http
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds

After obtaining the IP address and noting which port numbers are open, additional Nmap scans can reveal the operating system ( -O ) used to host the remote site.

  sudo nmap -O 104.193.19.59

Starting Nmap 7.70 (https://nmap.org) at 2018-11-10 23:00 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.036s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (95%)
Aggressive OS guesses: Citrix NetScaler load balancer (95%), Citrix NetScaler VPX load balancer (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds

Finally, we can also learn the versions of the software running on the ports we find open. If we see one that is vulnerable to a known attack, it can make our job on the network much easier. Using the IP address we discovered earlier, we can run another scan with -sV , which shows that httpd 2.0 is used on the target machine.

  sudo nmap -sV 104.193.19.59

Starting Nmap 7.70 (https://nmap.org) at 2018-11-10 23:02 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.27 seconds

Combined, this data (the IP address of a remote site or server, the operating system running on the device, and the version of every application running on the open ports we discover) is all that a hacker needs to get started attacking devices on a network.

What You Need

To use Nmap, you need a system that supports it. Fortunately, Nmap is cross-platform, running on Windows, Linux and macOS, and it comes pre-installed on many systems. If you don't have it, it's easy to install.

You also need a network to connect to and scan in order to try these techniques, but be aware that scanning is often seen as a prelude to an attack and can be met with increased scrutiny. What this means is that if you work somewhere that monitors for suspicious behavior, scanning the entire network is a great way to attract attention.

Step 1: Configure Nmap to Scan a Single Target

To run a basic scan, we can pick an IP address of interest to run the scan against. One of the most basic but informative scans is to run Nmap, enter a target IP address, and then add -A to enable OS detection, version detection, script scanning and traceroute.

  sudo nmap 104.193.19.59 -A

Starting Nmap 7.70 (https://nmap.org) at 2018-11-10 23:12 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.038s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: WonderHowTo
|_http-title: Did not follow redirect to https://wonderhowto.com/
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: WonderHowTo
|_http-title: Did not follow redirect to https://www.wonderhowto.com/
| ssl-cert: Subject: commonName=wonderhowto.com
| Subject Alternative Name: DNS:wonderhowto.com, DNS:*.driverless.id, DNS:*.gadgethacks.com, DNS:*.invisiverse.com, DNS:*.null-byte.com, DNS:*.reality.news, DNS:*.wonderhowto.com, DNS:driverless.id, DNS:gadgethacks.com, DNS:invisiverse.com, DNS:null-byte.com, DNS:reality.news
| Not valid before: 2017-01-25T00:00:00
|_Not valid after:  2019-01-25T23:59:59
|_ssl-date: 2018-11-11T07:12:53+00:00; 0s from scanner time.
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (90%)
Aggressive OS guesses: Citrix NetScaler load balancer (90%), Citrix NetScaler VPX load balancer (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   31.75 ms 192.168.0.1
2   26.02 ms 142.254.236.193
3   35.17 ms agg60.lsaicaev01h.socal.rr.com (24.30.168.25)
4   30.78 ms agg11.lsaicaev01r.socal.rr.com (72.129.18.192)
5   26.19 ms agg26.lsancarc01r.socal.rr.com (72.129.17.0)
6   34.58 ms buder16.atlngamq46w-bcr00.tbone.rr.com (66.109.6.92)
7   30.20 ms ae2.lsancarc0yw-bpr01.tbone.rr.com (66.109.1.41)
8   35.04 ms ix-ae-24-0.tcore1.lvw-los-angeles.as6453.net (66.110.59.81)
9   35.01 ms if-ae-8-2.tcore1.sv1-santa-clara.as6453.net (66.110.59.9)
10  35.11 ms if-ae-0-2.tcore2.sv1-santa-clara.as6453.net (63.243.251.2)
11  38.80 ms if-ae-18-2.tcore1.sqn-san-jose.as6453.net (63.243.205.12)
12  34.39 ms if-ae-1-2.tcore2.sqn-san-jose.as6453.net (63.243.205.2)
13  34.05 ms 64.86.21.62
14  31.16 ms xe-0-0-3.cr6-lax2.ip4.gtt.net (89.149.180.253)
15  63.54 ms 72.37.158.50
16  ...
17  34.34 ms wonderhowto.com (104.193.19.59)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.60 seconds

Even with a single target, a basic scan can provide a lot of information. Here we simply ran the scan against the IP address of WonderHowTo.com. The same scan can be run against a device on your local network, such as a router, or against a remote server, like the one serving WonderHowTo.com.

Step 2: Calculating the Subnet and Scanning a Range to Detect Devices

To identify other devices on a local area network, it is useful to calculate the subnet range. This is the range of possible IP addresses that can be assigned to devices on the network, and it makes it possible to scan every IP address a device on that network could have.

A handy tool to do this for you is ipcalc. It takes your IP address (which is easy to find by typing ifconfig or ip a into a terminal window) and calculates the subnet range from it. Doing so gives you a value such as "192.168.0.0/24", which specifies a range of IP addresses. In the example below, the subnet is calculated as 127.0.0.0/24.

ipcalc 127.0.0.1

Address:   127.0.0.1            01111111.00000000.00000000. 00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   127.0.0.0/24         01111111.00000000.00000000. 00000000
HostMin:   127.0.0.1            01111111.00000000.00000000. 00000001
HostMax:   127.0.0.254          01111111.00000000.00000000. 11111110
Broadcast: 127.0.0.255          01111111.00000000.00000000. 11111111
Hosts/Net: 254                  Class A, Loopback
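As an added example (not part of the original article), the following Python script does the ipcalc arithmetic itself on 32-bit integers, so you can see where Network, HostMin, HostMax and Broadcast come from and get the exact range string to hand to Nmap; it also goes beyond the /24 case above by handling /31 and /32 prefixes, which have no separate network and broadcast addresses. The only input is your own address and prefix length; when no prefix is given it assumes /24, which is this example's assumption rather than ipcalc's classful default.

```python
# Added example (not from the original article): the ipcalc arithmetic done
# by hand on 32-bit integers, so the "network/prefix" string handed to nmap
# is computed rather than guessed. Standard library only.
import ipaddress
from typing import Dict, List, Optional, Tuple


def dotted_binary(value: int) -> str:
    """Render a 32-bit integer the way ipcalc does: four 8-bit groups."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def subnet(cidr: str) -> Dict[str, int]:
    """Compute every field ipcalc prints for an address such as "127.0.0.1/24".

    Assumption of this example: a missing prefix length means /24, matching
    the article's home-network case (real ipcalc would use the classful default).
    """
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 24
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    addr = int(ipaddress.IPv4Address(addr_text))          # also validates the dotted quad
    netmask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set
    wildcard = ~netmask & 0xFFFFFFFF                      # the host bits
    network = addr & netmask                              # host bits cleared
    broadcast = network | wildcard                        # host bits all set
    # RFC 3021: a /31 link has no network/broadcast address and a /32 is one
    # host, so the classic "2^(32-prefix) - 2" host count would give 0 or -1.
    if prefix >= 31:
        host_min, host_max, hosts = network, broadcast, broadcast - network + 1
    else:
        host_min, host_max, hosts = network + 1, broadcast - 1, broadcast - network - 1
    return {"prefix": prefix, "address": addr, "netmask": netmask, "wildcard": wildcard,
            "network": network, "broadcast": broadcast, "host_min": host_min,
            "host_max": host_max, "hosts": hosts}


def nmap_target(cidr: str) -> str:
    """The network/prefix string to pass to nmap, e.g. "192.168.0.0/24"."""
    s = subnet(cidr)
    return f"{ipaddress.IPv4Address(s['network'])}/{s['prefix']}"


def format_ipcalc(cidr: str) -> str:
    """ipcalc-style table, including the binary column that makes the mask visible."""
    s = subnet(cidr)

    def ip(value: int) -> str:
        return str(ipaddress.IPv4Address(value))

    rows: List[Tuple[str, str, Optional[int]]] = [
        ("Address:", ip(s["address"]), s["address"]),
        ("Netmask:", f"{ip(s['netmask'])} = {s['prefix']}", s["netmask"]),
        ("Wildcard:", ip(s["wildcard"]), s["wildcard"]),
        ("=>", "", None),
        ("Network:", nmap_target(cidr), s["network"]),
        ("HostMin:", ip(s["host_min"]), s["host_min"]),
        ("HostMax:", ip(s["host_max"]), s["host_max"]),
        ("Broadcast:", ip(s["broadcast"]), s["broadcast"]),
        ("Hosts/Net:", str(s["hosts"]), None),
    ]
    return "\n".join(
        f"{label:<11}{value:<22}{dotted_binary(b) if b is not None else ''}".rstrip()
        for label, value, b in rows)


if __name__ == "__main__":
    import sys
    print(format_ipcalc(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1/24"))
```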

To run a scan that includes information about the services running on the devices we find, we can open a terminal window and type the following command, substituting your own network range where I use "172.16.42.0/24" as an example. This scan is a bit slow, so you can also use the -F flag instead of -A for a faster scan of the most common ports.

  nmap 172.16.42.0/24 -A

Starting Nmap 7.60 (https://nmap.org) at 2018-11-11 23:26 PST
Nmap scan report for 172.16.42.1
Host is up (0.0029s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain?

Nmap scan report for 172.16.42.20
Host is up (0.0053s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped

Nmap scan report for 172.16.42.32
Host is up (0.0057s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped

Nmap scan report for 172.16.42.36
Host is up (0.011s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped

Nmap scan report for 172.16.42.49
Host is up (0.0063s latency).
All 1000 scanned ports on 172.16.42.49 are closed

Nmap scan report for 172.16.42.53
Host is up (0.0059s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE      VERSION
62078/tcp open  iphone-sync?

Nmap scan report for 172.16.42.57
Host is up (0.013s latency).
All 1000 scanned ports on 172.16.42.57 are closed

Nmap scan report for 172.16.42.63
Host is up (0.00020s latency).
All 1000 scanned ports on 172.16.42.63 are closed

Nmap scan report for 172.16.42.65
Host is up (0.0077s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
631/tcp open  ipp     CUPS 2.2
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.0

Nmap scan report for 172.16.42.119
Host is up (0.012s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE           VERSION
898/tcp   filtered sun-manageconsole
1862/tcp  filtered mysql-cm-agent
1971/tcp  filtered netop-school
62078/tcp open     tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (10 hosts up) scanned in 219.68 seconds

Here we basically ran Nmap with no arguments except the -A flag. We should expect to see output like the above, showing the devices that are up and the services running on them.

Another useful utility for network discovery is arp-scan, which can sometimes show devices that Nmap misses. We can use Nmap itself to perform an ARP scan by passing -PR , which is quite fast and aggressive at discovering hosts.

  nmap -PR 192.168.0.0/24

Starting Nmap 7.60 (https://nmap.org) at 2018-11-12 06:10 PST
Nmap scan report for 192.168.0.1
Host is up (0.019s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts

Step 3: Create a target list of active hosts

Now we can calculate all the possible IP addresses on the local network and discover hosts either with -F (a quick scan), by running Nmap with no arguments, with the -A flag for a slower scan with more information, or with a -PR scan that can quickly sweep a local network for active hosts.

If you want to create a text file of the hosts you discovered, you can use the command below to build a list, so that you do not have to scan the entire network every time you run a subsequent scan. For example, you can search for devices with port 80 open and save them to a list. We can use some Linux tools and the -oG "grepable output" flag to help us cut through the output that Nmap produces.

By running nmap -p 80 -oG - 192.168.0.0/24 (with the network range replaced by your own) you can append | awk '/80\/open/ {print $2}' >> port80.txt to write the IP addresses of the detected devices to a text file called "port80.txt".

  nmap -p 80 -oG - 192.168.0.1 | awk '/80\/open/ {print $2}' >> port80.txt
cat port80.txt

The awk command looks for lines that contain the port number together with the result "open" and prints the second field of each such line (in this case the IP address); the >> redirect appends those addresses to a new file called port80.txt, which cat then displays.
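As an added example (not from the original article), here is a Python parser for the grepable output that the awk pipeline above consumes; the sample output embedded in it is constructed for the demonstration. Unlike a substring match on 80/open, which also matches a line containing 8080/open, it checks the port number, state and protocol fields exactly before adding a host to the target list.

```python
# Added example (not from the original article): build a target list from
# nmap's grepable output (-oG) by parsing its fields instead of grepping.
from typing import Dict, List, Tuple

# Constructed sample of what `nmap -p 80,8080 -oG - 192.168.0.0/24` could emit.
# Fields are tab separated; each port entry reads
# port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GREPABLE = """# Nmap 7.60 scan initiated ... as: nmap -p 80,8080 -oG - 192.168.0.0/24
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 80/open/tcp//http///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (0)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///
Host: 192.168.0.5 ()\tStatus: Up
Host: 192.168.0.5 ()\tPorts: 80/filtered/tcp//http///, 8080/open/tcp//http-proxy///
# Nmap done at ...; 256 IP addresses (3 hosts up) scanned in 5.02 seconds
"""

Port = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_grepable(text: str) -> Dict[str, List[Port]]:
    """Map each host IP to the list of ports nmap reported for it."""
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skips the leading comment and the "Nmap done" summary
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])  # "Status: Up" lines register the host with no ports
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue  # malformed entry, ignore rather than crash
                hosts[ip].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def hosts_with_open_port(text: str, port: int, proto: str = "tcp") -> List[str]:
    """Hosts on which exactly port/proto is open, sorted numerically by address."""
    matches = (ip for ip, ports in parse_grepable(text).items()
               if any(p == port and state == "open" and pr == proto
                      for p, state, pr, _ in ports))
    return sorted(matches, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def naive_substring_match(text: str, port: int) -> List[str]:
    # What an unanchored awk pattern such as /80\/open/ effectively does: a
    # substring test, so "8080/open" and "180/open" also count as hits.
    needle = f"{port}/open"
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("Host:") and needle in line]


if __name__ == "__main__":
    # One IP per line, ready to be saved and fed back to nmap with -iL.
    for host in hosts_with_open_port(SAMPLE_GREPABLE, 80):
        print(host)
```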

Step 4: Identify the operating system of detected devices

One of the most useful things to know about a device we discover on a network is the operating system it is running. Here we can take the text target list we populated in the previous step and run an operating system scan, which requires root privileges. We use the -O flag to run the OS scan and the -iL flag to tell Nmap to read its targets from a text file.

  sudo nmap -O -iL port80.txt

Password:

Starting Nmap 7.60 (https://nmap.org) at 2018-11-12 07:07 PST
Nmap scan report for 192.168.0.1
Host is up (0.033s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 1 hop

Nmap scan report for 192.168.0.2
Host is up (0.019s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
8888/tcp open     sun-answerbook
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

Nmap scan report for 192.168.0.5
Host is up (0.064s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
8080/tcp open  http-proxy
8085/tcp open  unknown
8086/tcp open  d-s-n
8087/tcp open  simplifymedia
8088/tcp open  radan-http
8089/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 67.32 seconds

This tactic lets us gather as much information as possible about the operating systems of whatever target list we run it against, whether that is an internal network or a list of a site's IP addresses.

The next step is to discover the versions of the programs running on the open ports. This can show us a port running software that is outdated and has a known vulnerability. To run this scan, you can use the -sV flag against a target.

  sudo nmap -sV 192.168.0.2 -D 192.168.0.1,192.168.0.2,192.168.0.3

Starting Nmap 7.60 (https://nmap.org) at 2018-11-12 07:29 PST
Nmap scan report for 192.168.0.2
Host is up (0.030s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
53/tcp   filtered domain
80/tcp   open     http?
8888/tcp open     upnp    MiniUPnP 1.6 (Linksys/Belkin WiFi Extender; SDK 4.1.2.0; UPnP 1.0; MTK 2.001)
MAC Address: 83:23:98:43:23:3D (Dobus International)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.24 seconds

Here we have found very specific information about our host, which lets us identify an attack against the software listening behind the port.

Step 5: Advanced Scans and Solutions

There may be circumstances where you find it difficult to scan a network because the ping Nmap sends is dropped by a firewall on the router. It may then look as though no hosts are up when you know they are. To get around this, you can include the -Pn flag, which skips the ping and sometimes allows you to connect directly to the devices and get answers.

If you are scanning a network where you do not want to be detected, you can perform a decoy scan with the -D flag to make it more difficult to tell who is performing the scan on the network. An example would look like the command below, and it requires root privileges.

  sudo nmap -sS 192.168.0.2 -D 192.168.0.1,192.168.0.2,192.168.0.3

Password:

Starting Nmap 7.60 (https://nmap.org) at 2018-11-12 07:26 PST
Nmap scan report for 192.168.0.2
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
8888/tcp open     sun-answerbook
MAC Address: 83:23:98:43:23:3D (Dobus International)

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

If you want more information about what is happening, you can press a key while the scan is running to get a progress update, or add -v to increase the verbosity (how much information the program prints). In general, you can keep adding v's to -v depending on how much detail you want about what is going on.

  Initiating ARP Ping Scan at 07:18
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 07:18, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:18
Completed Parallel DNS resolution of 1 host. at 07:18, 0.09s elapsed
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:18
Scanning 192.168.0.1 [1 port]
Discovered open port 80/tcp on 192.168.0.1
Completed SYN Stealth Scan at 07:18, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.0.1
Host is up, received arp-response (0.11s latency).
Scanned at 2018-11-12 07:18:34 PST for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
MAC Address: 23:78:32:76:34:90 (Dobis Group)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Here we can see the reason reported for port 80 being open, which lets us dig deeper into which parts of a scan a device responds to or ignores. Be warned, though: you will see everything the scan does, and this can produce a lot of output on a complicated scan.

Nmap Lights Up the Dark

Finding your way around a network for the first time can be a daunting experience for a novice, whether you are learning about networking for the first time or simply trying to find your router.

Keep in mind that while network scans are fine (and a good idea) to run on your own network to see what is connected, this type of scan may not be welcome on your work network or on any other network you do not own. If your employer is watching for suspicious behavior on their networks, a comprehensive scan can easily be interpreted as threatening behavior if you have no good reason to perform it.

One of the most powerful things about Nmap is that it is scriptable, with options such as -oG , and its output can be fed into other tools, so if you have ever thought of building a tool that needs to be aware of the other devices on the same network, Nmap may be just what you are looking for.

I hope you enjoyed this guide to using Nmap to map and explore the devices on a network! If you have any questions about this network scanning guide or if you have a comment, please contact me on Twitter @KodyKinzie.


Cover image by Kody/Null Byte



