The New Nmap: Gordon "Fyodor" Lyon
The New Nmap
Gordon "Fyodor" Lyon
iSec Open Security Forum, August 21, 2008
San Jose, CA
Insecure.Org
Nmap Scripting Engine (NSE)
# nmap -A -PN -T4 www.ebay.com
Starting Nmap ( http://nmap.org )
Interesting ports on hp-core.ebay.com (66.135.200.145):
Not shown: 1715 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache Tomcat/Coyote JSP engine 1.1
| robots.txt: has 3 disallowed entries
|_ /help/confidence/ /help/policies/ /disney/
|_ HTML title: eBay - New & used electronics, cars, apparel, collectibles...
443/tcp closed https
[...]
Nmap done: 1 IP address (1 host up) scanned in 30.91 seconds
NSE Demo
# ./nmap -PN -v -sU -p53 -T4 --script=dns-test-openrecursion,dns-safe-recursion-port.nse,dns-safe-recursiontxid.nse dns-1.blackhat.com archimedes.shmoo.com
Interesting ports on dns-1.blackhat.com (216.231.63.55):
PORT   STATE SERVICE
53/udp open  domain
|_ DNS source port randomness: ERROR: Server refused recursion
|_ DNS TXID randomness: ERROR: Server refused recursion

Interesting ports on archimedes.shmoo.com (12.21.210.234):
PORT   STATE SERVICE
53/udp open  domain
|_ Nameserver open recursive querys (CVE-1999-0024) (BID 136, 678): Recursion seems enabled
|_ DNS source port randomness: 12.21.210.234 is GREAT: 51 queries in 3.2 seconds from 51 ports with std dev 16099
|_ DNS TXID randomness: 12.21.210.234 is GREAT: 52 queries in 3.3 seconds from 52 txids with std dev 20996
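The two measurements above (distinct source ports or TXIDs and their standard deviation) are what you would check on your own resolver after the 2008 cache-poisoning fixes. The following is an added example, not from the talk or the NSE scripts: it computes the same statistics from a list of observed values. The sample lists are constructed, and the GREAT/GOOD/POOR thresholds are assumptions of this example, not the scripts' own.

```python
"""Rate the randomness of a resolver's outbound source ports and
transaction IDs from observed samples, in the spirit of the NSE
dns-safe-recursion checks. Added example; sample values below are
constructed and the rating thresholds are assumptions."""
import statistics

# Constructed observations: source port and TXID of 8 recursive queries
# as seen by an authoritative server you control.
GOOD_PORTS = [51201, 3088, 61003, 17455, 40122, 8811, 59010, 27364]
GOOD_TXIDS = [0x1a2b, 0x9f00, 0x0301, 0xc4d5, 0x7e7e, 0x2222, 0xf001, 0x5a5a]
# A resolver that always sends from port 53 with sequential TXIDs
BAD_PORTS = [53] * 8
BAD_TXIDS = [100, 101, 102, 103, 104, 105, 106, 107]


def summarize(samples):
    """Return (query count, distinct values, population std dev)."""
    n = len(samples)
    distinct = len(set(samples))
    sd = statistics.pstdev(samples) if n > 1 else 0.0
    return n, distinct, sd


def rate(samples, min_distinct_ratio=0.9, min_stddev=1000.0):
    """Classify as GREAT / GOOD / POOR / ERROR. Thresholds are assumed:
    heavy reuse or a tiny spread (e.g. sequential values) is POOR,
    nearly all-distinct and widely spread is GREAT."""
    n, distinct, sd = summarize(samples)
    if n < 2:
        return "ERROR"
    if distinct < n / 2 or sd < min_stddev:
        return "POOR"
    if distinct >= n * min_distinct_ratio:
        return "GREAT"
    return "GOOD"


def report(label, samples, what):
    """One line in the style of the NSE output shown on the slide."""
    n, distinct, sd = summarize(samples)
    return (f"DNS {label} randomness: {rate(samples)}: {n} queries "
            f"from {distinct} {what} with std dev {sd:.0f}")


if __name__ == "__main__":
    print(report("source port", GOOD_PORTS, "ports"))
    print(report("TXID", GOOD_TXIDS, "txids"))
    print(report("source port", BAD_PORTS, "ports"))
    print(report("TXID", BAD_TXIDS, "txids"))
```

Feed it the values from a packet capture of your resolver's outbound queries; a resolver reusing one port or counting TXIDs upward is reported as POOR even though every TXID is distinct, because the spread is what matters.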
Zenmap GUI
Version Detection
# nmap -A -T4 scanme.nmap.org
Starting Nmap ( http://nmap.org )
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 1709 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Site doesn't have a title.
113/tcp closed auth
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime: 40.425 days (since Tue May 13 12:46:59 2008)
Nmap done: 1 IP address scanned in 30.567 seconds
Raw packets sent: 3464 (154KB) | Rcvd: 60 (3KB)
Now has 4,803 signatures
More info: http://nmap.org/book/vscan.html
Optimizing Host Discovery
Default discovery often insufficient
TCP SYN probes (-PS)
TCP ACK probes (-PA)
UDP probes (-PU)
ICMP echo request, timestamp, netmask probes (-PE, -PP, -PM)
Protocol probes (-PO)
Default Host Discovery Effectiveness
# nmap -n -sL -iR 50000 -oN - | grep "not scanned" | awk '{print $2}' | sort -n > 50K_IPs
# nmap -sP -T4 -iL 50K_IPs
Starting Nmap ( http://nmap.org )
Host dialup-4.177.9.75.Dial1.SanDiego1.Level3.net (4.177.9.75) appears to be up.
Host dialup-4.181.100.97.Dial1.SanJose1.Level3.net (4.181.100.97) appears to be up.
Host firewall2.baymountain.com (8.7.97.2) appears to be up.
[thousands of lines cut]
Host 222.91.121.22 appears to be up.
Host 105.237.91.222.broad.ak.sn.dynamic.163data.com.cn (222.91.237.105) appears to be up.
Nmap done: 50000 IP addresses (3348 hosts up) scanned in 1598.067 seconds
Enhanced Host Discovery Effectiveness
# nmap -sP -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 -iL 50K_IPs
Starting Nmap 4.65 ( http://nmap.org ) at 2008-06-22 19:07 PDT
Host sim7124.agni.lindenlab.com (8.10.144.126) appears to be up.
Host firewall2.baymountain.com (8.7.97.2) appears to be up.
Host 12.1.6.201 appears to be up.
Host psor.inshealth.com (12.130.143.43) appears to be up.
[thousands of hosts cut]
Host ZM088019.ppp.dion.ne.jp (222.8.88.19) appears to be up.
Host 105.237.91.222.broad.ak.sn.dynamic.163data.com.cn (222.91.237.105) appears to be up.
Host 222.92.136.102 appears to be up.
Nmap done: 50000 IP addresses (4473 hosts up) scanned in 4259.281 seconds
Enhanced Discovery Results
Enhanced discovery:
took 71 minutes vs. 27 (up 167%)
Found 1,125 more live hosts (up 34%)
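The comparison on this slide (hosts found, extra hosts, time cost) is something you will want to repeat whenever you tune the probe set for your own address space, since the trade-off changes with the firewalls in front of it. The following is an added example, not from the talk: it parses two -sP normal-output captures, reports which hosts only the second run found, and computes the same percentage figures. The two captures are constructed from a few lines in the slide's style.

```python
"""Compare two Nmap host-discovery (-sP) runs: hosts found, hosts only
the enhanced probe set found, and the time cost. Added example; the two
captures below are constructed, so their counts are small."""
import re

# "Host name (ip) appears to be up." or "Host ip appears to be up."
HOST_RE = re.compile(
    r"^Host (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)? appears to be up\.$")
DONE_RE = re.compile(
    r"^Nmap done: (\d+) IP addresses? \((\d+) hosts? up\) "
    r"scanned in ([\d.]+) seconds$")

DEFAULT_SCAN = """\
Starting Nmap ( http://nmap.org )
Host firewall2.baymountain.com (8.7.97.2) appears to be up.
Host 222.91.121.22 appears to be up.
Nmap done: 8 IP addresses (2 hosts up) scanned in 20.0 seconds
"""

ENHANCED_SCAN = """\
Starting Nmap 4.65 ( http://nmap.org ) at 2008-06-22 19:07 PDT
Host firewall2.baymountain.com (8.7.97.2) appears to be up.
Host 12.1.6.201 appears to be up.
Host 222.91.121.22 appears to be up.
Host 222.92.136.102 appears to be up.
Nmap done: 8 IP addresses (4 hosts up) scanned in 50.0 seconds
"""


def parse_scan(text):
    """Return ({ip: hostname or None}, elapsed seconds) from -sP output."""
    hosts, seconds = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(2)] = m.group(1)
            continue
        m = DONE_RE.match(line)
        if m:
            seconds = float(m.group(3))
    if seconds is None:
        raise ValueError("no 'Nmap done' summary line found")
    return hosts, seconds


def pct_increase(before, after):
    """Whole-percent increase from before to after, as on the slide."""
    return round(100.0 * (after - before) / before)


def compare(default_text, enhanced_text):
    """Summarize what the enhanced probe set bought over the default."""
    base, t0 = parse_scan(default_text)
    enh, t1 = parse_scan(enhanced_text)
    return {
        "default_up": len(base),
        "enhanced_up": len(enh),
        "new_hosts": sorted(set(enh) - set(base)),   # found only by enhanced
        "lost_hosts": sorted(set(base) - set(enh)),  # found only by default
        "hosts_pct": pct_increase(len(base), len(enh)),
        "time_pct": pct_increase(t0, t1),
    }


if __name__ == "__main__":
    for key, value in compare(DEFAULT_SCAN, ENHANCED_SCAN).items():
        print(f"{key}: {value}")
```

Applied to the slide's own totals, pct_increase(3348, 4473) gives 34 and pct_increase(1598.067, 4259.281) gives 167, matching the figures above.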
Top 10 TCP Host Discovery Ports
80/http
25/smtp
22/ssh
443/https
21/ftp
113/auth
23/telnet
53/domain
554/rtsp
3389/ms-term-server
Top Ports Project
A massive scan of millions of Internet IPs to determine most commonly open TCP and UDP ports.
Some large organizations also contributed scan data to give a behind-the-firewall perspective.
nmap-services file augmented with frequency data for each port.
Default Scan Ports
In Nmap 4.68: 1715 ports for TCP scans, plus 1488 for UDP scans. Ports 1-1024, plus all named ports above that.
With augmented nmap-services: Top 1000 ports for each protocol. Finishes faster, and often finds more open ports.
Fast Scan (-F) Ports
In Nmap 4.68: 1276 ports for TCP scans, plus 1017 for UDP scans. Includes all named ports.
With augmented nmap-services: Top 100 ports for each protocol.
Fast Scan Example Times
nmap -sUV -F -T4 scanme.nmap.org
With 4.68: 1 hour, 2 minutes, 62 seconds
With bhdc08: 6 minutes, 29 seconds
With bhdc08 & --version-intensity 0: 13 sec
All three found the same open port (53)
New --top-ports and --port-ratio features
--top-ports <n> scans the most commonly open <n> ports for each protocol requested.
--port-ratio <n> (where <n> is between 0 and 1) scans all ports with a frequency of at least the given level.
Top 10 TCP ports
80 (http)
23 (telnet)
22 (ssh)
443 (https)
3389 (ms-term-serv)
445 (microsoft-ds)
139 (netbios-ssn)
21 (ftp)
135 (msrpc)
25 (smtp)
TCP effectiveness of --top-ports values
--top-ports 10: 48%
--top-ports 50: 65%
--top-ports 100: 73%
--top-ports 250: 83%
--top-ports 500: 89%
--top-ports 1000: 93%
--top-ports 2000: 96%
--top-ports 3674: 100%
Top 10 UDP ports
137 (netbios-ns)
161 (snmp)
1434 (ms-sql-m)
123 (ntp)
138 (netbios-dgm)
445 (microsoft-ds)
135 (msrpc)
67 (dhcps)
139 (netbios-ssn)
53 (domain)
UDP effectiveness of --top-ports values
--top-ports 10: 50%
--top-ports 50: 86%
--top-ports 100: 90%
--top-ports 250: 94%
--top-ports 500: 97%
--top-ports 1017: 100%
Note: pUDP data not yet available
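The --top-ports / --port-ratio slide and the two effectiveness tables above all derive from the frequency column added to nmap-services. As an added example (not Nmap's code), here is the selection logic those options apply and the coverage calculation behind the percentages, run over a constructed nmap-services excerpt. The frequencies in the excerpt are invented, so its coverage numbers are illustrative only, and treating "effectiveness" as the share of total open-port frequency covered by the chosen ports is this example's assumption about the slide's metric.

```python
"""Port selection as --top-ports and --port-ratio do it, plus the
coverage figure behind the effectiveness tables. Added example, not
Nmap's own code; the services table below is constructed."""

# Constructed excerpt in nmap-services layout: name port/proto frequency
NMAP_SERVICES = """\
# Constructed sample; frequencies are invented, not measured
http          80/tcp   0.48
telnet        23/tcp   0.20
ssh           22/tcp   0.18
https        443/tcp   0.15
ms-term-serv 3389/tcp  0.08
discard        9/tcp   0.00
domain        53/udp   0.30
snmp         161/udp   0.25
netbios-ns   137/udp   0.40
"""


def parse_services(text):
    """Return {proto: [(port, name, freq), ...]}, most frequent first."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        table.setdefault(proto, []).append((int(port), name, float(freq)))
    for entries in table.values():
        entries.sort(key=lambda e: (-e[2], e[0]))   # freq desc, port asc
    return table


def top_ports(table, proto, n):
    """Ports that --top-ports <n> would scan for this protocol."""
    return [port for port, _, _ in table[proto][:n]]


def port_ratio(table, proto, ratio):
    """Ports that --port-ratio <ratio> would scan: frequency >= ratio."""
    if not 0.0 <= ratio <= 1.0:
        raise ValueError("ratio must be between 0 and 1")
    return [port for port, _, f in table[proto] if f >= ratio]


def coverage(table, proto, ports):
    """Whole-percent share of the protocol's total open-port frequency
    accounted for by the given ports (assumed to be the slide's metric)."""
    total = sum(f for _, _, f in table[proto])
    chosen = set(ports)
    covered = sum(f for p, _, f in table[proto] if p in chosen)
    return round(100.0 * covered / total) if total else 0


def port_arg(ports):
    """Render a port list as a -p argument."""
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    table = parse_services(NMAP_SERVICES)
    for proto in ("tcp", "udp"):
        for n in (1, 3, 10):
            chosen = top_ports(table, proto, n)
            print(f"{proto} --top-ports {n}: -p {port_arg(chosen)} "
                  f"covers {coverage(table, proto, chosen)}%")
```

Run it against the real nmap-services shipped with a frequency column to reproduce the tables for your own copy, or against the contributed behind-the-firewall data to see how much the ranking shifts inside a perimeter.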
Packet Rate Control
--min-rate <packets per second>
--max-rate <packets per second>
nmap --min-rate 500 scanme.nmap.org
2nd Generation OS Detection
# nmap -A -T4 scanme.nmap.org
[...]
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
More info: http://nmap.org/book/osdetect.html
--reason
# nmap --reason -T4 scanme.nmap.org
[...]
Interesting ports on scanme.nmap.org (205.217.153.62):
Not shown: 1709 filtered ports
Reason: 1709 no-responses
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack
25/tcp  closed smtp    reset
53/tcp  open   domain  syn-ack
70/tcp  closed gopher  reset
80/tcp  open   http    syn-ack
113/tcp closed auth    reset
--packet-trace
# nmap --packet-trace -p 25,113 scanme.nmap.org
Starting Nmap ( http://nmap.org )
[...]
RCVD (0.1430s) TCP 64.13.134.52:25 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
RCVD (0.1440s) TCP 64.13.134.52:113 > 192.168.0.8:46736 RA ttl=55 id=0 iplen=40 seq=0 win=0 ack=2914477947
[...]
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Advanced Traceroute
# nmap --traceroute scanme.nmap.org
[...]
TRACEROUTE (using port 22/tcp)
HOP RTT   ADDRESS
1   0.60  wap.nmap-int.org (192.168.0.6)
[...]
6   9.74  151.164.251.42
7   10.89 so-1-0-0.mpr1.sjc2.us.above.net (64.125.30.174)
8   10.52 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142)
9   14.25 metro0.sv.svcolo.com (208.185.168.173)
10  12.80 scanme.nmap.org (64.13.134.52)
Performance and Accuracy
# nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80 -oG pb3.gnmap 216.163.128.0/20
Starting Nmap
[...]
Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 46.052 seconds
TCP and IP Header Options
# nmap -vv -n -sS -P0 -p 445 --ip-options "L 10.4.2.1" 10.5.2.1
Ncat
A modern interpretation of Hobbit's venerable Netcat
Supports virtually all of the Netcat 1.10 features, except the basic port scanner.
Also supports SSL, IPv6, multiple platforms, connection brokering, port redirection, proxies (client, server, chaining), shell execution, access control, and more.
In development since 2005, nearly ready for release. Current dev lead is Kris Katterjohn.
Available from svn://svn.insecure.org/ncat (login: guest/guest)
Ndiff
Compares two (or more) scans, displays changes (new/removed hosts, ports, changed services, etc.)
Great for quick change detection with recurring scans.
Perl version available from: svn://svn.insecure.org/nmapexp/ndiff
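The change-detection idea behind Ndiff is straightforward to apply to greppable (-oG) output, which is also what the "Performance and Accuracy" slide saves with -oG pb3.gnmap. The following is an added example, not Ndiff's code: it parses two -oG captures and reports new and removed hosts and every port whose state, service or version changed. The two captures are constructed; Nmap replaces "/" inside version strings with "|" in -oG output, and the parser relies on that.

```python
"""Change detection between two Nmap runs saved with -oG, in the spirit
of Ndiff: new/removed hosts and ports whose state, service or version
changed. Added example, not Ndiff's code; captures are constructed."""
import re

BASELINE = """\
# Nmap 4.68 scan initiated (constructed sample)
Host: 10.0.0.5 (fw.example.test)\tStatus: Up
Host: 10.0.0.5 (fw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 25/closed/tcp//smtp///\tIgnored State: filtered (1709)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.2/
# Nmap done
"""

TODAY = """\
Host: 10.0.0.5 (fw.example.test)\tStatus: Up
Host: 10.0.0.5 (fw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 25/open/tcp//smtp//Postfix smtpd/, 3389/open/tcp//ms-term-serv///
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 445/open/tcp//microsoft-ds///
"""


def parse_greppable(text):
    """Return {ip: {(port, proto): (state, service, version)}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip "# Nmap ..." comment lines
        ip = line.split()[1]
        hosts.setdefault(ip, {})          # a Status-only line still counts
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            # -oG port entry: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            hosts[ip][(int(port), proto)] = (state, service, version)
    return hosts


def diff_scans(old_text, new_text):
    """Hosts that appeared or vanished, and per-port changes on the rest."""
    old, new = parse_greppable(old_text), parse_greppable(new_text)
    report = {
        "new_hosts": sorted(set(new) - set(old)),
        "removed_hosts": sorted(set(old) - set(new)),
        "port_changes": [],   # (ip, port, proto, before, after); None = absent
    }
    for ip in sorted(set(old) & set(new)):
        for key in sorted(set(old[ip]) | set(new[ip])):
            before, after = old[ip].get(key), new[ip].get(key)
            if before != after:
                report["port_changes"].append((ip, key[0], key[1], before, after))
    return report


if __name__ == "__main__":
    r = diff_scans(BASELINE, TODAY)
    print("new hosts:", r["new_hosts"])
    print("removed hosts:", r["removed_hosts"])
    for ip, port, proto, before, after in r["port_changes"]:
        print(f"{ip} {port}/{proto}: {before} -> {after}")
```

Scheduling a fixed-port -oG scan of your own ranges and diffing each run against the last is the recurring-scan use the slide describes: a newly open 3389/tcp or a changed service banner shows up as a port_changes entry rather than being lost in thousands of unchanged lines.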
Nmap Network Scanning
http://nmap.org/book/
Upgrade your Nmap
Many bug fixes and performance improvements in version 4.68. See http://nmap.org/changelog.html
For even newer, try the svn release. See http://nmap.org/book/install.html#instsvn
For all the goods in this presentation: svn co --username guest --password guest svn://svn.insecure.org/nmapexp/bhdc08
Top Nmap Contributors since 4.50
Aaron Leininger, Adriano Monteiro Marques, Allison Randal, Andrew J. Bennieston, Andy Lutomirski, Arturo Buanzo Busleiman, Benson Kalahar, Bill Pollock, Brandon Enright, Brian Hatch, Chad Loder, Chris Gibson, Daniel Roethlisberger, David Fifield, David Moore, Diman Todorov, Doug Hoyte, Dragos Ruiu, Dudi Itzhakov, Eddie Bell, Emma Jane Hogbin, Gisle Vanem, Guilherme Polo, HD Moore, Ithilgore, Jabra, Jah, James Messer, Jason DePriest, Jeff Nathan, Jesse Burns, Joao Medeiros, Jurand Nogiec, Kris Katterjohn, Lamont Jones, Lance Spitzner, Leigh Honeywell, Lionel Cons, Martin Macok, Max Schubert, Michael Pattrick, Mixter, Nathan Bills, Patrick Donnelly, Philip Pickering, Rainer Müller, Raven Alder, Rob Nicholls, Sebastián García, Simple Nomad, Solar Designer, Stephan Fijneman, Steve Christensen, Sven Klemm, Thomas Buchanan, Thorsten Holz, Tim Adam, Tom Duffy, Tom Sellers, Tyler Reguly, van Hauser, Vlad Alexa, Vladimir Mitrovic, William McVey, Zhao Lei
Questions and Resources
Download Nmap from http://nmap.org
Download these slides from: http://insecure.org/presentations/iSec08/
Nmap Network Scanning book info: http://nmap.org/book
Top ports Nmap: svn://svn.insecure.org/nmapexp/bhdc08