1Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Network Reconnaissance using NMAP

Christopher Rodman

2Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Copyright 2019 Carnegie Mellon University. All Rights Reserved.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

DM19-0596

3Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Agenda

Introduction to NMAP

• Target specification

• Output

• Scan Types

Defense evasion

Scan performance

Introduction to NSE Scripts

Hands-on lab (Network mapping with NMAP and xprobe)

4Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

IntroductionRecon using NMAP

5Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Overview

• Simple network mapper used for port scanning, network

discovery and vulnerability enumeration

• Basic syntax (nmap <target> -args)

• Help is your friend

• Complimentary tools include:

• Xprobe

• recon-ng

• Sparta

• Zenmap

• Nessus

Introduction to NMAP

6Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Target specification

• Single IP address or hostname

• IP address range*

• CIDR notation*

• Input file (-iL)

• Port Definition (-p)

• -p- scans all 65535

* exclude addresses using --exclude

Introduction to NMAP

7Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Output results

• Output interpretation

• Setting verbosity (-v)

• Setting debugging (-d)

• Output to file

• Text (-oN)

• XML (-oX)

• Grep (-oG)

• All three formats (-oA)

Introduction to NMAP

8Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Basic scan methods

• TCP SYN scan (-sS) – default scan method

• TCP Connect() (-sT) – method used if sS is not possible

• ACK (-sA)

• Window (-sW)

• Maimon (-sM)

• Ping sweep (-sn)

• Discovery scan (-Pn)

• Service scan (-sV)

• Operating System discovery (-O)

• UDP scanning (-sU)

Introduction to NMAP

9Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Recon example

• Ping sweep

• Discovery scan

• Service scan

• Operating System

Introduction to NMAP

10Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Defense EvasionRecon using NMAP

11Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Scan alteration

• Set timing (-T1 – 5)*

• 1 = paranoid, 5 = insane

• Default is 3

• Set packet header bits (--scan-flags)

• Set packet fragmentation (-f and specify MTU -mtu)

• Set target randomness (--randomize-hosts)

• Spoof MAC (--spoof-mac)

• Add decoy noise (-D)*

• TCP Idle scan (-sI)*

*timing templates primarily adjust values for RTT, retries and other timeout values

Defense Evasion

12Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Evasion example

• Disable ping scan

• Set timing

• Set random decoy

• Set randomness

* --data-string can be used to fill packets with garbage data or to include useful information

Defense Evasion

13Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Scan PerformanceRecon using NMAP

14Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Scan alteration

• Skip port scanning (-sn) if you only need to know if hosts are

online

• Limit number of ports being scanned (default is top 1000)

• Utilize Fast scan (-F) or --top-ports

• Skip advanced scans (-sC, -sV, -O, -A)

• Turn off DNS resolution if not needed (-n)

• Separate TCP and UDP scans

• Adjust timeouts and retries as desired*

• Parallelism (--min/max-parallelism)

• Retries (--min/max-retries)

• Host time (--host-timeout)

Scan Peformance

15Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Performance example

• Set timing

• Remove unnecessary DNS resolution

• Remove port scan

Defense Evasion

16Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

NSE (NMAP Scripting Engine)Recon using NMAP

17Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

NSE Scripts

• Script files located in /usr/share/nmap/scripts with .nse file

extension

• Syntax (-sC or --script)

• Script help (--script-help)

• Scripts are categorized

• Types

• Prerule

• Host

• Service

• Postrule

NSE Scripts

18Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Network scanning with NMAP

and xprobe

Hands-on Lab

19Network Reconnaissance with NMAP© 2018 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release

and unlimited distribution.

Hands-on lab

• https://stepfwd.cert.org

• Login credentials provided on entry

• Search for “X-Games 2019”

• Select “X-games 2019 training”

• Under Courses/Available

• Select Launch