The New Nmap: Gordon "Fyodor" Lyon

Insecure.Org

The New Nmap

Gordon "Fyodor" Lyon
iSec Open Security Forum, August 21, 2008
San Jose, CA

Nmap Scripting Engine (NSE)
# nmap -A -PN -T4 www.ebay.com
Starting Nmap ( http://nmap.org )
Interesting ports on hp-core.ebay.com (66.135.200.145):
Not shown: 1715 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache Tomcat/Coyote JSP engine 1.1
| robots.txt: has 3 disallowed entries
|_ /help/confidence/ /help/policies/ /disney/
|_ HTML title: eBay - New & used electronics, cars, apparel, collectibles...
443/tcp closed https
[...]
Nmap done: 1 IP address (1 host up) scanned in 30.91 seconds

NSE Demo
# ./nmap -PN -v -sU -p53 -T4 --script=dns-test-open-recursion,dns-safe-recursion-port.nse,dns-safe-recursion-txid.nse dns-1.blackhat.com archimedes.shmoo.com
Interesting ports on dns-1.blackhat.com (216.231.63.55):
PORT   STATE SERVICE
53/udp open  domain
|_ DNS source port randomness: ERROR: Server refused recursion
|_ DNS TXID randomness: ERROR: Server refused recursion
Interesting ports on archimedes.shmoo.com (12.21.210.234):
PORT   STATE SERVICE
53/udp open  domain
|_ Nameserver open recursive queries (CVE-1999-0024) (BID 136, 678): Recursion seems enabled
|_ DNS source port randomness: 12.21.210.234 is GREAT: 51 queries in 3.2 seconds from 51 ports with std dev 16099
|_ DNS TXID randomness: 12.21.210.234 is GREAT: 52 queries in 3.3 seconds from 52 txids with std dev 20996

Zenmap GUI

Version Detection
# nmap -A -T4 scanme.nmap.org
Starting Nmap ( http://nmap.org )
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 1709 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Site doesn't have a title.
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime: 40.425 days (since Tue May 13 12:46:59 2008)
Nmap done: 1 IP address scanned in 30.567 seconds
Raw packets sent: 3464 (154KB) | Rcvd: 60 (3KB)

Now has 4,803 signatures
More info: http://nmap.org/book/vscan.html

Optimizing Host Discovery

Default discovery is often insufficient
TCP SYN probes (-PS)
TCP ACK probes (-PA)
UDP probes (-PU)
ICMP echo request, timestamp, netmask probes (-PE, -PP, -PM)
Protocol probes (-PO)

Default Host Discovery Effectiveness
# nmap -n -sL -iR 50000 -oN - | grep "not scanned" | awk '{print $2}' | sort -n > 50K_IPs
# nmap -sP -T4 -iL 50K_IPs
Starting Nmap ( http://nmap.org )
Host dialup-4.177.9.75.Dial1.SanDiego1.Level3.net (4.177.9.75) appears to be up.
Host dialup-4.181.100.97.Dial1.SanJose1.Level3.net (4.181.100.97) appears to be up.
Host firewall2.baymountain.com (8.7.97.2) appears to be up.
[thousands of lines cut]
Host 222.91.121.22 appears to be up.
Host 105.237.91.222.broad.ak.sn.dynamic.163data.com.cn (222.91.237.105) appears to be up.
Nmap done: 50000 IP addresses (3348 hosts up) scanned in 1598.067 seconds

Enhanced Host Discovery Effectiveness
# nmap -sP -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 -iL 50K_IPs
Starting Nmap 4.65 ( http://nmap.org ) at 2008-06-22 19:07 PDT
Host sim7124.agni.lindenlab.com (8.10.144.126) appears to be up.
Host firewall2.baymountain.com (8.7.97.2) appears to be up.
Host 12.1.6.201 appears to be up.
Host psor.inshealth.com (12.130.143.43) appears to be up.
[thousands of hosts cut]
Host ZM088019.ppp.dion.ne.jp (222.8.88.19) appears to be up.
Host 105.237.91.222.broad.ak.sn.dynamic.163data.com.cn (222.91.237.105) appears to be up.
Host 222.92.136.102 appears to be up.
Nmap done: 50000 IP addresses (4473 hosts up) scanned in 4259.281 seconds

Enhanced Discovery Results
Enhanced discovery:
took 71 minutes vs. 27 (up 167%)
Found 1,125 more live hosts (up 34%)

Top 10 TCP Host Discovery Ports

80/http
25/smtp
22/ssh
443/https
21/ftp
113/auth
23/telnet
53/domain
554/rtsp
3389/ms-term-server

Top Ports Project
A massive scan of millions of Internet IPs to determine the most commonly open TCP and UDP ports.
Some large organizations also contributed scan data to give a behind-the-firewall perspective.
nmap-services file augmented with frequency data for each port.

Default Scan Ports
In Nmap 4.68: 1715 ports for TCP scans, plus 1488 for UDP scans. Ports 1-1024, plus all named ports above that.
With augmented nmap-services: Top 1000 ports for each protocol. Finishes faster, and often finds more open ports.

Fast Scan (-F) Ports
In Nmap 4.68: 1276 ports for TCP scans, plus 1017 for UDP scans. Includes all named ports.
With augmented nmap-services: Top 100 ports for each protocol.

Fast Scan Example Times
nmap -sUV -F -T4 scanme.nmap.org
With 4.68: 1 hour, 2 minutes, 62 seconds
With bhdc08: 6 minutes, 29 seconds
With bhdc08 & --version-intensity 0: 13 sec
All three found the same open port (53)

New --top-ports and --port-ratio features
--top-ports <n> scans the <n> most commonly open ports for each protocol requested.
--port-ratio <n> (where <n> is between 0 and 1) scans all ports with a frequency of at least the given level.

Top 10 TCP ports

80 (http)
23 (telnet)
22 (ssh)
443 (https)
3389 (ms-term-serv)
445 (microsoft-ds)
139 (netbios-ssn)
21 (ftp)
135 (msrpc)
25 (smtp)

TCP effectiveness of --top-ports values

--top-ports 10:   48%
--top-ports 50:   65%
--top-ports 100:  73%
--top-ports 250:  83%
--top-ports 500:  89%
--top-ports 1000: 93%
--top-ports 2000: 96%
--top-ports 3674: 100%

Top 10 UDP ports

137 (netbios-ns)
161 (snmp)
1434 (ms-sql-m)
123 (ntp)
138 (netbios-dgm)
445 (microsoft-ds)
135 (msrpc)
67 (dhcps)
139 (netbios-ssn)
53 (domain)

UDP effectiveness of --top-ports values

--top-ports 10:   50%
--top-ports 50:   86%
--top-ports 100:  90%
--top-ports 250:  94%
--top-ports 500:  97%
--top-ports 1017: 100%
Note: -p- UDP data not yet available (the figures above cover the 1017 named UDP ports only)
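The selection logic behind the Top Ports project, --top-ports and --port-ratio, as an added worked example (Python written for this page, not Nmap's own code). It parses nmap-services-style lines carrying the frequency column, ranks ports the way --top-ports does, applies a --port-ratio threshold, and computes the share of observed open ports a given selection would catch, which is how the effectiveness percentages on the preceding slides are derived. The service lines and frequencies embedded below are constructed for the example and do not reproduce Nmap's measured values.

```python
"""Top-ports selection over nmap-services-style frequency data.

Added example (not Nmap's own code): it mimics what --top-ports <n> and
--port-ratio <r> select from the frequency column that the Top Ports
project added to nmap-services, and reports what share of all observed
open ports a given selection would have caught.
"""
from collections import defaultdict

# Constructed sample in nmap-services format: name, port/proto, open-frequency,
# optional comment. The frequencies are invented for this example; Nmap's real
# file carries measured values for thousands of ports.
SAMPLE_NMAP_SERVICES = """\
# Fields: service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484\t# World Wide Web HTTP
telnet\t23/tcp\t0.221
ssh\t22/tcp\t0.182\t# Secure Shell Login
https\t443/tcp\t0.168
ms-term-serv\t3389/tcp\t0.084
microsoft-ds\t445/tcp\t0.057
netbios-ssn\t139/tcp\t0.051
ftp\t21/tcp\t0.047
msrpc\t135/tcp\t0.045
smtp\t25/tcp\t0.039
unknown\t49152/tcp\t0.000
netbios-ns\t137/udp\t0.433
snmp\t161/udp\t0.365
ms-sql-m\t1434/udp\t0.120
ntp\t123/udp\t0.090
domain\t53/udp\t0.060
"""


def parse_services(text):
    """Return a dict proto -> list of (port, name, frequency), in file order."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue                              # pre-Top-Ports files have no frequency column
        name, portspec, freq = fields[0], fields[1], float(fields[2])
        port, proto = portspec.split("/", 1)
        entries[proto].append((int(port), name, freq))
    return entries


def ranked(entries, proto):
    """Ports of one protocol, most frequently open first (ties: lower port first)."""
    return sorted(entries[proto], key=lambda e: (-e[2], e[0]))


def top_ports(entries, n, proto):
    """Equivalent of --top-ports <n> for one protocol: the n most common ports."""
    return [port for port, _, _ in ranked(entries, proto)[:n]]


def port_ratio(entries, ratio, proto):
    """Equivalent of --port-ratio <r>: every port whose frequency is at least r."""
    if not 0.0 <= ratio <= 1.0:
        raise ValueError("ratio must be between 0 and 1")
    return [port for port, _, freq in ranked(entries, proto) if freq >= ratio]


def coverage(entries, ports, proto):
    """Share of all observed open-port instances that scanning `ports` would catch.

    Sum of the selected ports' frequencies over the sum of all frequencies; this
    is the quantity behind figures such as '--top-ports 100: 73%'.
    """
    total = sum(freq for _, _, freq in entries[proto])
    wanted = set(ports)
    hit = sum(freq for port, _, freq in entries[proto] if port in wanted)
    return hit / total if total else 0.0


def coverage_table(entries, proto, sizes):
    """[(n, percent)] rows like the 'effectiveness of --top-ports values' slides."""
    return [(n, round(100 * coverage(entries, top_ports(entries, n, proto), proto)))
            for n in sizes]


if __name__ == "__main__":
    svc = parse_services(SAMPLE_NMAP_SERVICES)
    print("--top-ports 5 tcp    ->", top_ports(svc, 5, "tcp"))
    print("--port-ratio 0.1 tcp ->", port_ratio(svc, 0.1, "tcp"))
    for n, pct in coverage_table(svc, "tcp", (1, 3, 5, 10)):
        print(f"--top-ports {n}: {pct}%")
```

Point the parser at a real nmap-services file from a Top Ports-enabled Nmap to reproduce the slides' tables for your own build, or at a frequency file compiled from your own network's scan data to pick a default port list that reflects what is actually open behind your firewall.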

Packet Rate Control
--min-rate <packets per second>
--max-rate <packets per second>
nmap --min-rate 500 scanme.nmap.org

2nd Generation OS Detection
# nmap -A -T4 scanme.nmap.org
[...]
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)

More info: http://nmap.org/book/osdetect.html

--reason
# nmap --reason -T4 scanme.nmap.org
[...]
Interesting ports on scanme.nmap.org (205.217.153.62):
Not shown: 1709 filtered ports
Reason: 1709 no-responses
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack
25/tcp  closed smtp    reset
53/tcp  open   domain  syn-ack
70/tcp  closed gopher  reset
80/tcp  open   http    syn-ack
113/tcp closed auth    reset

--packet-trace
# nmap --packet-trace -p 25,113 scanme.nmap.org
Starting Nmap ( http://nmap.org )
[...]
RCVD (0.1430s) TCP 64.13.134.52:25 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
RCVD (0.1440s) TCP 64.13.134.52:113 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
[...]
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
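How the --reason column relates to what --packet-trace shows, as an added example in Python (written for this page, not Nmap code). It reads the SENT/RCVD lines of a SYN scan, matches each reply to the probe it answers, and labels every port open/syn-ack, closed/reset or filtered/no-response, the same pairs --reason prints. Nmap accepts a reply only if its ack number acknowledges the probe's own sequence number, and the example applies that check to discard a forged RST. The trace is constructed: the two RCVD lines for ports 25 and 113 mirror the slide above, while the SENT lines, the syn-ack for port 22, the unanswered probe to port 80 and the forged reset are invented, and the SENT line layout is an assumption about the trace format.

```python
"""Deriving Nmap's --reason column from --packet-trace output.

Added example, not Nmap code: it reads the SENT/RCVD lines of a SYN scan,
matches each reply to the probe it answers, and assigns the state/reason
pairs that --reason prints (open/syn-ack, closed/reset, filtered/no-response).
"""
import re
from collections import Counter

# Constructed trace of 'nmap -sS --packet-trace -p 22,25,80,113 <target>'.
# The RCVD lines for 25 and 113 mirror the slide; the SENT lines (layout assumed),
# the syn-ack for 22, the silent port 80 and the forged RST for 22 are invented.
TRACE = """\
SENT (0.0300s) TCP 192.168.0.8:46736 > 64.13.134.52:22 S ttl=59 id=6123 iplen=44 seq=2914477946 win=1024 <mss 1460>
SENT (0.0310s) TCP 192.168.0.8:46736 > 64.13.134.52:25 S ttl=59 id=6124 iplen=44 seq=2914477946 win=1024 <mss 1460>
SENT (0.0320s) TCP 192.168.0.8:46736 > 64.13.134.52:80 S ttl=59 id=6125 iplen=44 seq=2914477946 win=1024 <mss 1460>
SENT (0.0330s) TCP 192.168.0.8:46736 > 64.13.134.52:113 S ttl=59 id=6126 iplen=44 seq=2914477946 win=1024 <mss 1460>
RCVD (0.1420s) TCP 64.13.134.52:22 > 192.168.0.8:46736 SA ttl=55 id=0 iplen=44 seq=1180055821 win=5840 ack=2914477947
RCVD (0.1430s) TCP 64.13.134.52:25 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
RCVD (0.1440s) TCP 64.13.134.52:113 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
RCVD (0.1450s) TCP 64.13.134.52:22 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=1111111111
"""

TCP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) .*?seq=(?P<seq>\d+)"
    r"(?: .*?ack=(?P<ack>\d+))?")

# TCP flag combinations Nmap turns into a port state and a --reason string.
REASONS = {"SA": ("open", "syn-ack"), "RA": ("closed", "reset"), "R": ("closed", "reset")}


def parse_trace(text):
    """Return ({(target, port): our_seq}, [((target, port), flags, ack), ...])."""
    sent, rcvd = {}, []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue                                  # non-TCP or non-trace lines
        d = m.groupdict()
        if d["dir"] == "SENT":
            sent[(d["dst"], int(d["dport"]))] = int(d["seq"])
        else:
            ack = int(d["ack"]) if d["ack"] else None
            rcvd.append(((d["src"], int(d["sport"])), d["flags"], ack))
    return sent, rcvd


def port_states(sent, rcvd):
    """Return {(target, port): (state, reason)} for every probe that was sent."""
    states = {key: ("filtered", "no-response") for key in sent}   # default until a reply arrives
    for key, flags, ack in rcvd:
        if key not in sent:
            continue                                  # reply for something we never probed
        if ack != (sent[key] + 1) % 2**32:
            continue                                  # does not acknowledge our SYN: forged or stale
        if flags in REASONS:
            states[key] = REASONS[flags]
    return states


def reason_summary(states):
    """Counts per reason, like the 'Reason: 1709 no-responses' summary line."""
    return Counter(reason for _, reason in states.values())


if __name__ == "__main__":
    sent, rcvd = parse_trace(TRACE)
    states = port_states(sent, rcvd)
    print("PORT     STATE    REASON")
    for (host, port), (state, reason) in sorted(states.items()):
        print(f"{port}/tcp".ljust(9) + state.ljust(9) + reason)
    print(dict(reason_summary(states)))
```

The forged RST on the last trace line carries an ack that does not match our probe's sequence number plus one, so it is ignored and port 22 stays open/syn-ack; without that check an on-path attacker could flip scan results with spoofed resets.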

Advanced Traceroute
# nmap --traceroute scanme.nmap.org
[...]
TRACEROUTE (using port 22/tcp)
HOP RTT   ADDRESS
1   0.60  wap.nmap-int.org (192.168.0.6)
[...]
6   9.74  151.164.251.42
7   10.89 so-1-0-0.mpr1.sjc2.us.above.net (64.125.30.174)
8   10.52 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142)
9   14.25 metro0.sv.svcolo.com (208.185.168.173)
10  12.80 scanme.nmap.org (64.13.134.52)

Performance and Accuracy
# nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80 -oG pb3.gnmap 216.163.128.0/20
Starting Nmap
[...]
Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 46.052 seconds

TCP and IP Header Options
# nmap -vv -n -sS -P0 -p 445 --ip-options "L 10.4.2.1" 10.5.2.1

Ncat
A modern interpretation of Hobbit's venerable Netcat.
Supports virtually all of the Netcat 1.10 features, except the basic port scanner.
Also supports SSL, IPv6, multiple platforms, connection brokering, port redirection, proxies (client, server, chaining), shell execution, access control, and more.
In development since 2005, nearly ready for release. Current dev lead is Kris Katterjohn.
Available from svn://svn.insecure.org/ncat (login: guest/guest)

Ndiff
Compares two (or more) scans, displays changes (new/removed hosts, ports, changed services, etc.)
Great for quick change detection with recurring scans.
Perl version available from: svn://svn.insecure.org/nmapexp/ndiff
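A minimal Ndiff-style comparison as an added example in Python (written for this page; it is not the Perl Ndiff referenced above). It parses the Host:/Ports: lines of two grepable (-oG) outputs and reports new and removed hosts plus port state and version changes, the kind of change detection a recurring scan is set up for. Both grepable outputs are constructed for the example; the hosts, ports and versions in them are invented.

```python
"""Minimal Ndiff-style comparison of two Nmap grepable (-oG) outputs.

Added example (not the Ndiff tool itself): it parses the Host:/Ports: lines
that -oG emits and reports hosts and ports that appeared, disappeared or
changed state/version between a baseline scan and a later one.
"""
import re

# Constructed sample grepable output (what 'nmap -sV -oG -' prints, trimmed to
# the Host: lines). The hosts, ports and versions are invented for this example.
BASELINE_GNMAP = """\
# Nmap 4.68 scan initiated as: nmap -sV -oG baseline.gnmap 10.0.0.0/30
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.2/\tIgnored State: filtered (1713)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 25/closed/tcp//smtp///\tIgnored State: filtered (1714)
# Nmap done at ... -- 4 IP addresses (2 hosts up) scanned in 30.12 seconds
"""

LATER_GNMAP = """\
# Nmap 4.68 scan initiated as: nmap -sV -oG later.gnmap 10.0.0.0/30
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.2/, 3389/open/tcp//ms-term-serv///\tIgnored State: filtered (1712)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: filtered (1714)
# Nmap done at ... -- 4 IP addresses (2 hosts up) scanned in 31.40 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}} for hosts that were up."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                   # comments and 'Nmap done' lines
        ip, rest = m.group(1), m.group(3)
        hosts.setdefault(ip, {})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/proto/owner/service/rpcinfo/version/
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                hosts[ip][(int(port), proto)] = (state, service, version.rstrip("/"))
    return hosts


def diff_scans(old, new):
    """Compare two parse_gnmap() results the way ndiff summarises a pair of scans."""
    report = {"new_hosts": sorted(set(new) - set(old)),
              "removed_hosts": sorted(set(old) - set(new)),
              "port_changes": []}
    for ip in sorted(set(old) & set(new)):
        before, after = old[ip], new[ip]
        for key in sorted(set(before) | set(after)):
            port, proto = key
            if key not in before:
                report["port_changes"].append((ip, port, proto, "new", after[key][0]))
            elif key not in after:
                report["port_changes"].append((ip, port, proto, "gone", before[key][0]))
            elif before[key][0] != after[key][0]:
                report["port_changes"].append(
                    (ip, port, proto, "state", f"{before[key][0]} -> {after[key][0]}"))
            elif before[key][2] != after[key][2]:
                report["port_changes"].append(
                    (ip, port, proto, "version", f"{before[key][2]} -> {after[key][2]}"))
    return report


def format_report(report):
    """Human-readable lines, e.g. for a cron job that mails only when something changed."""
    lines = [f"+ host {ip}" for ip in report["new_hosts"]]
    lines += [f"- host {ip}" for ip in report["removed_hosts"]]
    for ip, port, proto, kind, detail in report["port_changes"]:
        lines.append(f"~ {ip} {port}/{proto} {kind}: {detail}")
    return lines


if __name__ == "__main__":
    changes = diff_scans(parse_gnmap(BASELINE_GNMAP), parse_gnmap(LATER_GNMAP))
    print("\n".join(format_report(changes)) or "no changes")
```

Run the same nmap command line with -oG on a schedule and feed consecutive outputs to diff_scans; an empty report means nothing exposed has changed, while a new host or a newly open port such as the 3389 above is exactly what a change-detection alert should be raised on.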

Nmap Network Scanning
http://nmap.org/book/

Upgrade your Nmap
Many bug fixes and performance improvements in version 4.68. See http://nmap.org/changelog.html
For even newer, try the svn release. See http://nmap.org/book/install.html#inst-svn
For all the goods in this presentation:
svn co --username guest --password guest svn://svn.insecure.org/nmapexp/bhdc08

Top Nmap Contributors since 4.50
Aaron Leininger, Adriano Monteiro Marques, Allison Randal, Andrew J. Bennieston, Andy Lutomirski, Arturo "Buanzo" Busleiman, Benson Kalahar, Bill Pollock, Brandon Enright, Brian Hatch, Chad Loder, Chris Gibson, Daniel Roethlisberger, David Fifield, David Moore, Diman Todorov, Doug Hoyte, Dragos Ruiu, Dudi Itzhakov, Eddie Bell, Emma Jane Hogbin, Gisle Vanem, Guilherme Polo, HD Moore, Ithilgore, Jabra, Jah, James Messer, Jason DePriest, Jeff Nathan, Jesse Burns, Joao Medeiros, Jurand Nogiec, Kris Katterjohn, Lamont Jones, Lance Spitzner, Leigh Honeywell, Lionel Cons, Martin Macok, Max Schubert, Michael Pattrick, Mixter, Nathan Bills, Patrick Donnelly, Philip Pickering, Rainer Müller, Raven Alder, Rob Nicholls, Sebastián García, Simple Nomad, Solar Designer, Stephan Fijneman, Steve Christensen, Sven Klemm, Thomas Buchanan, Thorsten Holz, Tim Adam, Tom Duffy, Tom Sellers, Tyler Reguly, van Hauser, Vlad Alexa, Vladimir Mitrovic, William McVey, Zhao Lei

Questions and Resources
Download Nmap from http://nmap.org
Download these slides from: http://insecure.org/presentations/iSec08/
Nmap Network Scanning book info: http://nmap.org/book
Top-ports Nmap: svn://svn.insecure.org/nmapexp/bhdc08
