Remember that scene in The Matrix when Trinity uses a realistic Nmap port scan, followed by an actual SSH exploit (long since patched), to break into a power company? Well, believe it or not, that scene is not far-fetched at all.
If you want to exploit vulnerabilities and root boxes, you'll need to learn how to perform the necessary reconnaissance first. In fact, you will spend far more time researching your target than you will exploiting it. In this article, I am going to show you the first step in doing just that... a security scanner called Nmap.
Port Mapping
Any service running on a server, from HTTP to SSH, runs on a port. Think of a port as a door into and out of the computer that only answers requests relevant to it. An example would be a web server running on port 80 (HTTP), which would have no idea how to handle an FTP connection request sent to it.
Nmap (Network Mapper) scans those ports and tells you everything from what software is running to what version it is. There is even an option to determine the operating system.
Before we get started, I do want to point out something critical. Port mapping, while not illegal on its own, will show up all over the place in the target's server logs. Using a (non-free) VPN or an anonymous network like I2P can help keep you safe and hidden.
Getting Started with Nmap
If you are running Backtrack, you already have Nmap installed, along with its GUI version, Zenmap. Zenmap is nice, but we will be focusing on the command line options for Nmap in this article. On Debian/Ubuntu, simply use:
$ sudo apt-get install nmap
Any other distributions that do not already include Nmap may download it here.
To get a feel for the software, let's run it with zero options to see what we can do:
$ nmap
As you can see, there are a lot of options:
While you could write entire books on the full functionality of Nmap (and they have), much of this is beyond the scope of this article. Instead, I will go over some of the more commonly used options. Hopefully this will serve to get your foot in the door with port scanning.
Options, Flags and Settings: Oh My
There is no doubting the sheer number of options here. Let's break it down with the scan techniques that are the most useful for us right away.
-sU: UDP scan. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scans tend to be slower than TCP scans, but some services are only listening for UDP requests.
-sS: SYN scan. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet. A SYN/ACK indicates the port is listening (open), while a RST (reset) means it is not listening on that port.
-O: OS detection. This technique crafts raw packets attempting to determine the operating system.
-A: Aggressive scan. This tells Nmap to probe for software versions on the target ports AND the operating system.
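The flip side of the half-open scan described above is how it looks from the server: a burst of lone SYN packets from one source to many ports, which is exactly what ends up in the server logs mentioned earlier. The following is an added example, not code from the original article: it parses constructed syslog lines in the iptables LOG format and flags sources whose lone SYNs touched several distinct ports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines in iptables LOG format (trimmed to the fields we use).
# 198.51.100.7 sends lone SYNs to six different ports within two seconds, the
# half-open pattern the -sS option produces; 192.0.2.9 is an ordinary client
# that completes its handshake (its ACK follows its SYN).
SAMPLE_LOG = """\
Jan 12 10:00:01 web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Jan 12 10:00:01 web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44322 DPT=25 SYN URGP=0
Jan 12 10:00:01 web kernel: IPT-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50122 DPT=80 SYN URGP=0
Jan 12 10:00:02 web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44323 DPT=80 SYN URGP=0
Jan 12 10:00:02 web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44324 DPT=443 SYN URGP=0
Jan 12 10:00:02 web kernel: IPT-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50122 DPT=80 ACK URGP=0
Jan 12 10:00:03 web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44325 DPT=3306 SYN URGP=0
Jan 12 10:00:03 web kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44326 DPT=8080 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) (?P<flags>.*)$"
)

def parse_syn_events(text):
    """Return (timestamp, src, dport) for every TCP packet carrying SYN without ACK."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # SYN/ACK and bare ACK belong to handshakes, not half-open probes
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events

def find_scanners(text, window_seconds=10, min_ports=5):
    """Map each source whose lone SYNs hit >= min_ports distinct ports in one window to those ports."""
    by_src = defaultdict(list)
    for ts, src, dport in parse_syn_events(text):
        by_src[src].append((ts, dport))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each starting packet
            ports = {p for t, p in hits[i:] if t - start <= timedelta(seconds=window_seconds)}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners
```

The thresholds are deliberately parameters: a slow scan spread over minutes needs a wider window, and a busy load balancer legitimately opens many connections, so tune both against your own traffic before acting on an alert.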
Nmap in Action
Here we will run a series of port scans on a target web server, making note of the versions and operating systems. Remember, reconnaissance and patience are key to hacking. Let's take a look at Nmap in action as we port scan a web server configured just for this article:
$ nmap -sS -O 50.22.84.102
Oops! What happened? The -O switch tells Nmap you wish to perform an operating system fingerprint on the target. In order to do that, Nmap needs to be run with root privileges so it can craft the raw packets needed for the task. In fact, many scan types require it.
$ sudo nmap -sS -O 50.22.84.102
Here we can easily see this looks like a normal web server so far. Notice how Nmap attempts to guess the operating system? That's useful when you are looking for an attack vector to exploit.
Open ports - This server is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.
Closed ports - A closed port is accessible, but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up.
Let's try another scan, but this time we want to find out what software is running behind those open ports:
$ sudo nmap -sS -A 50.22.84.102
Here you can see what software is running and what version. For example, my web server here is running OpenSSH 4.3 on port 22. If I knew of a vulnerability in that version, I would know this server is exploitable.
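Administrators run the same -A scan against their own hosts for the opposite reason: to catch services that should not be exposed before someone else does. The following is an added example, not code from the article; it assumes Nmap's grepable output format (-oG, one tab-separated line per host with a "Ports:" field of port/state/proto/owner/service/rpcinfo/version entries and an "OS:" field when -O or -A was used), parses a constructed line modelled on the article's test server, and reports open ports missing from a per-host baseline.

```python
# Constructed line in Nmap's grepable (-oG) output format, modelled on the article's
# test server (sshd 4.3 on 22 plus a web server). Not real scan output.
SAMPLE_GREPABLE = (
    "Host: 203.0.113.5 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.3 ((CentOS))/, "
    "3306/open/tcp//mysql//MySQL 5.0.95/"
    "\tIgnored State: closed (997)\tOS: Linux 2.6.18\tSeq Index: 200"
)

# Constructed baseline: the services an administrator expects on that host.
EXPECTED = {"203.0.113.5": {22: "ssh", 80: "http"}}

def parse_grepable(line):
    """Return {"host": ip, "os": str or None, "ports": {port: (state, service, version)}}."""
    # Each tab-separated field is "Name: value"; split on the first ": " only so
    # version strings that contain a colon survive intact.
    fields = dict(f.split(": ", 1) for f in line.strip().split("\t") if ": " in f)
    host = fields["Host"].split()[0]
    ports = {}
    for entry in fields.get("Ports", "").split(", "):
        parts = entry.split("/")  # port/state/proto/owner/service/rpcinfo/version/
        if len(parts) < 7:
            continue
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        if proto == "tcp":
            ports[int(port)] = (state, service, version)
    return {"host": host, "os": fields.get("OS"), "ports": ports}

def unexpected_services(record, expected):
    """Open TCP ports absent from the host's baseline, with the version string for triage."""
    baseline = expected.get(record["host"], {})
    return {
        port: f"{service} {version}".strip()
        for port, (state, service, version) in record["ports"].items()
        if state == "open" and port not in baseline
    }
```

Run in a cron job against nmap -sS -A -oG output, the version strings in the result are exactly what you would check against vendor advisories for the OpenSSH 4.3 case above.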
Final Thoughts
This is by no means an all-inclusive listing of everything Nmap has to offer. I tried to pick and choose the highly relevant portions to give you a feel for its capabilities. You can now add another tool to your ever-growing arsenal.
Questions? Comments? Concerns? Let's hear 'em!