Ultimate portable covert Hacking device – Part 3

Nmap is one of those essential tools that you find yourself always reaching for after a few years of system administration. It’s an excellent tool for network mapping, but more importantly for our purposes it can be used for security auditing. The main ways I use Nmap are as a port scanner and, in some cases, to identify the OS of the IP being scanned. These are by no means the only uses: Nmap has a ton of options and can also be extended with scripts.

The most common uses of Nmap are

  1. Scanning a range of IPs to see which ones are live (see my previous article here)
  2. Scanning an IP or network to see what ports are open (and possibly what’s running on them)
  3. Identifying the OS of a machine at a particular IP address or network

2 and 3 are what we’re going to cover today. 

Imagine for a moment that we have an IP address or network we’re interested in and we want to know whether any exploitable services are running. We could sit there and try telnetting to each and every possible port, or we can throw Nmap into the game. Like I said before, Nmap has a metric ton of options, so here are a few.

Scan an IP address to see what privileged ports are open
Type

sudo nmap 192.168.1.85

And you’ll get a listing like the following back

Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:33 PDT
Interesting ports on 192.168.1.85:
Not shown: 1704 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
548/tcp  open  afpovertcp
1723/tcp open  pptp
MAC Address: 00:1A:70:22:0F:GC (Cisco-Linksys)

Nmap done: 1 IP address (1 host up) scanned in 0.732 seconds

Well, sure, we know what ports are open now and what’s “probably” running on them, but if we want to exploit them we need to know what version of Apache or Bind or whatever is running at that IP. So let’s run the following command

sudo nmap -sV 192.168.1.85

This tells Nmap to try and fingerprint the service running on any ports it sees open. So we get a response like the following back now

Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:38 PDT
Interesting ports on 192.168.1.85:
Not shown: 1704 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
548/tcp  open  afpovertcp?
1723/tcp open  pptp        linux (Firmware: 1)
MAC Address: 00:1A:70:22:0F:GC (Cisco-Linksys)
Service Info: Host: local; OS: Linux

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Unix

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.721 seconds

There we go, that’s better. Now we know what version of Apache, SSH, Samba, etc. is running on this server. Now we can filter through Metasploit, for example, and see if any of these versions have vulnerabilities we can exploit.

Now say we just wanted to know what OS was running at that IP. You could use the command below.

sudo nmap -O 192.168.1.85

And it would throw back this

Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:44 PDT
Interesting ports on 192.168.1.85:
Not shown: 1704 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
548/tcp  open  afpovertcp
1723/tcp open  pptp
MAC Address: 00:1A:70:22:0F:GC (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 (Gentoo, x86)
Uptime: 13.636 days (since Thu Sep  4 07:28:11 2008)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.120 seconds

Notice that we get a little more detail on the OS, like its uptime and the Linux kernel version. (Don’t worry, it’ll recognize Windows and OS X as well.) Just be aware that it’s not always 100% accurate. For example, it says here “OS details: Linux 2.6.18 (Gentoo, x86)” but in reality it’s an Ubuntu box running kernel 2.6.24. So never put all your eggs in one basket and completely trust these fingerprints; always try to verify your intel if possible.
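As an added example (not code from the original article), here is a small Python parser for the normal-output format shown in the -sV and -O runs above, plus an allow-list check that turns a scan of one of your own hosts into a “what is listening that shouldn’t be” report. The sample text is constructed from the output above, and the header variant printed by newer Nmap releases (“Nmap scan report for …”) is accepted as well.

```python
import re

# Constructed sample: the -sV port table from this article (MAC line dropped),
# plus the "OS details" line from the -O run so both record types are parsed.
SAMPLE = """\
Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-17 22:38 PDT
Interesting ports on 192.168.1.85:
Not shown: 1704 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
548/tcp  open  afpovertcp?
1723/tcp open  pptp        linux (Firmware: 1)
Service Info: Host: local; OS: Linux
OS details: Linux 2.6.18 (Gentoo, x86)
"""

# "Interesting ports on X:" is the Nmap 4.x header; newer releases print
# "Nmap scan report for X", so accept both.
HOST_LINE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)"
                       r"\s+(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$")

def parse_nmap_output(text):
    """Parse Nmap's normal output into {"host", "os", "ports": [...]}.
    A '?' after the service name (548/tcp above) means Nmap guessed it from
    the port number but no probe confirmed it, so don't trust it blindly."""
    result = {"host": None, "os": None, "ports": []}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            result["host"] = m.group(1)
        elif line.startswith("OS details: "):
            result["os"] = line[len("OS details: "):]
        elif (m := PORT_LINE.match(line)):
            svc = m.group("service")
            result["ports"].append({
                "port": int(m.group("port")), "proto": m.group("proto"),
                "state": m.group("state"), "service": svc.rstrip("?"),
                "confirmed": not svc.endswith("?"),
                "version": m.group("version") or ""})
    return result

def unexpected_open_ports(parsed, allowed):
    """Open ports whose (port, proto) is not in the set an admin expects on this host."""
    return sorted(p["port"] for p in parsed["ports"]
                  if p["state"] == "open" and (p["port"], p["proto"]) not in allowed)
```

Run the parser over the saved output of a scan of your own box (nmap -oN file.txt) and diff the result against the services you know you installed; anything left in the unexpected list deserves a look.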

In all the previous examples I’ve scanned a single IP address. Any of these commands can be run with a single IP address as in the examples above, or you can scan an entire network. You specify the network using network prefix (CIDR) notation, e.g. 192.168.1.0/24 (192.168.1.0 to 192.168.1.255), or by specifying ranges, e.g. 192.168.1.0-255.

So a scan of the 192.168.1.0 network would be

sudo nmap 192.168.1.0/24

Nmap also has some tricks you can use to try and get around Intrusion Detection Systems (IDS) or firewalls. My favorite is the “Decoy” switch. The decoy switch runs some other concurrent scans pretending to be from the different IP addresses you specify. This draws attention away from your IP; think of it as gathering a crowd. You become less conspicuous as an individual (IP address) if an IDS sees scans from several different addresses.

The decoy switch looks like this

sudo nmap -D 192.168.2.45,192.168.4.85,192.168.68.1 192.168.1.85

Check here for a full list of Nmap’s IDS/firewall evasion and spoofing options.

This article barely scratches the surface of what Nmap can do; check out the Nmap Reference Guide for an expanded list of Nmap options and techniques.

One of the best resources for different Nmap techniques is the various security mailing lists. A list of some of the more active ones is provided on the Nmap website here. I found the Penetration Testing list particularly useful and interesting.

If you haven’t already, make sure you read parts [1] and [2] in the “Ultimate portable covert hacking device” series.

As always if you have any questions, comments or suggestions please post them in the comment section below.


Published by

LiamM

I'm a self-labeled nerd who enjoys playing video games, restoring classic muscle cars (I have a ’65 Mustang in the works), running big data clusters, tattoos, working on system automation, riding and customizing motorcycles, and writing Python code. I'm an SRE with DemonWare/Activision specializing in Big Data/Hadoop operations, but all opinions and views expressed on this site are solely my own.