Nmap: See More - The Cadence Group


Cadence BlackOps

Nmap: See More

1. What is Nmap?
2. How many have you used Nmap?
3. How have you used it?

Nmap for Windows: http://nmap.org/zenmap/

What Is Nmap Good At?

• Host Discovery
• Port Scanning
• Mapping firewall rule sets
• Service and Application Version Detection
• Remote OS Detection

What is Nmap Not Optimal At?

• Broad Vulnerability Assessments
• Remote Exploits
• Defending against Cadence Kittehs . . .

Host Discovery

• Have you ever wanted to know all hosts connected to your network?
• Remote, remote and stealthy discovery . . . Reverse DNS Lookup
• Ping Sweep (ICMP)
• Stealthy Ping Sweep . . . without Ping (ICMP)

Use Case 1: Host Discovery

• Discover lost, forgotten, or unauthorized systems
• You can’t protect what you don’t know about
• Useful when this guy asks you what’s on his network.

Use Case 1: Host Discovery

“Who Dat? Who Dere?”

o List Scan
  o nmap -sL x.x.x.x/[subnet mask]
  o Remote, remote and stealthy (hits only your DNS server and lists what you would scan)

o Ping Sweep
  o nmap -sn x.x.x.x/[subnet mask]
  o Useful for a quick list of live hosts on a network.
  o Uses ICMP, TCP Syn to port 443 and TCP Ack to port 80

o Ping Sweep . . . Without Ping
  o nmap -sn [-PS, -PA, -PU] x.x.x.x/[subnet mask]
  o Turns Ping (ICMP) off (useful when the network admin is monitoring repeated ICMP echo requests)

Use Case 2: Port Scanning and Firewall Mapping

o Most Common Port Scans
  o TCP Syn and Ack Scans
    o nmap -sS x.x.x.x/[subnet mask]
    o Possible port states: Open, Closed, Filtered (most likely a firewall blocking traffic on the port)
    o nmap -sA x.x.x.x/[subnet mask]
    o Possible results: Unfiltered (no firewall), Filtered (firewall)
  o UDP Scan
    o nmap -sU x.x.x.x/[subnet mask]
    o Possible results: Open, Open|Filtered, Closed, Filtered

Use Case 2: Port Scanning and Firewall Mapping

“Hi, I’m a QSA. Does your firewall perform stateful packet inspection?”

o Stateful firewall should block TCP ACK packets that are not related to an established
o nmap -sA -T4 x.x.x.x
  o -sA: TCP Ack Scan
  o -T4: Scan quickly
  o Unfiltered = No firewall rules blocking the port, or “special” rules for the port.
  o Filtered = most likely a stateful firewall is in place (however, your scan’s point of origin may affect the results if any outbound firewall rules are in place).
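As an added example (not part of the slides), here is a small Python parser for Nmap's grepable output (-oG) that turns a -sn ping sweep into a live-host inventory and applies the ACK-scan rule above to each host; the sample output is constructed, and the addresses and hostnames are invented.

```python
"""Parse Nmap grepable (-oG) output into a live-host inventory and apply the
slides' ACK-scan rule. Added example; SAMPLE below is constructed, not real."""
import re
from collections import Counter

# Constructed output of `nmap -sn -oG -` followed by `nmap -sA -T4 -oG -`.
SAMPLE = """\
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.2 ()\tStatus: Down
Host: 192.0.2.5 (printer.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/unfiltered/tcp//ssh///, 443/unfiltered/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.5 (printer.example.test)\tPorts: 9100/unfiltered/tcp//jetdirect///\tIgnored State: unfiltered (999)
"""
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
IGNORED_RE = re.compile(r"(\w+) \((\d+)\)")

def parse_grepable(text):
    """Return (live, scans): ip -> hostname for hosts Up; ip -> port records."""
    live, scans = {}, {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # "# Nmap ..." comment lines and blanks
            continue
        ip, name = m.group(1), m.group(2)
        # Remaining tab-separated fields are "Key: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:])
        if fields.get("Status") == "Up":
            live[ip] = name
        if "Ports" not in fields:
            continue
        rec = scans.setdefault(ip, {"ports": [], "ignored": ("none", 0)})
        for entry in filter(None, fields["Ports"].split(", ")):
            # Layout: port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, *_ = entry.split("/")
            rec["ports"].append((int(port), proto, state, service))
        # Ports sharing the most common state are not listed, only counted.
        ign = IGNORED_RE.match(fields.get("Ignored State", "none (0)"))
        rec["ignored"] = (ign.group(1), int(ign.group(2)))
    return live, scans

def firewall_verdict(scans, ip):
    """Tally ACK-scan states for one host, ignored ports included."""
    rec = scans[ip]
    states = Counter(state for _, _, state, _ in rec["ports"])
    states[rec["ignored"][0]] += rec["ignored"][1]
    if states["filtered"] and not states["unfiltered"]:
        return "stateful firewall likely"
    if states["unfiltered"] and not states["filtered"]:
        return "no stateful filtering observed"
    return "mixed: %d unfiltered, %d filtered" % (states["unfiltered"], states["filtered"])
```

Feed it real output with `nmap -sn -oG - <range>` and `nmap -sA -T4 -oG - <hosts>` on networks you are authorised to assess; a "mixed" verdict means the firewall passes ACKs on some ports but not others, which is exactly the per-port rule set the slide asks you to map.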

Use Case 3: OS, Service and Version Detection

“BE AGGRESSIVE. B-E AGGRESSIVE!”

o Aggressive mode
  o nmap -sS -A -T4 x.x.x.x
  o -A: enable OS Detection and Service/Version Detection, Script Scanning (NSE default scripts), and Traceroute

Use Case 4: Nmap Scripting Engine (NSE)

o Use existing scripts or write your own. Based on the Lua programming language. Very flexible.
o Didn’t we see XP Professional?
  o MS08-067 remote code execution?
  o Nmap can tell if it’s vulnerable
o nmap --script smb-check-vulns.nse --script-args=unsafe=1 x.x.x.x
  o --script: runs the specified NSE script
  o --script-args: various arguments for the script in question

Other Things?

• Specify ports to scan
  • -p
  • -p- = all ports
  • -p1-10 = ports 1 to 10
• Specify hosts to scan in a range
  • x.x.x.x/[subnet mask]
  • x.x.x.1-254

Questions