Network Mapping with Nmap - Beta version. Network Mapping Issue

This is another Beta version article from the recently posted Network Mapping issue, which is also about to come out on our website shortly.

Whether you are an advanced user of Nmap or simply intend to get an overview, this publication will match your needs on the subject. Give us some advice in the comments section about the publication and any changes you consider necessary to the article.

Network Mapping with NMAP

Introduction

Few penetration testing tools are as highly publicized or as well known as NMAP. In fact, this tool is considered a cornerstone of any penetration testing toolkit, and with good reason. Nmap, short for Network Mapper, is a versatile tool that is capable of assisting the tester during various phases of a penetration test but, as its name implies, especially during network mapping activities.


Network mapping is the process of discovering devices such as servers or network equipment and how they are interconnected. This is one of the first tasks that a penetration tester needs to undertake during a test. This process is then followed by network enumeration, a more in-depth analysis of each host during which the tester attempts to determine the Operating System version and what services are configured on each host. Nmap is very adept at performing these tasks and, when used intelligently, can provide significant insight into any network.

The first version of NMAP was released back in 1997, so it has had ample time to grow and mature as a tool. Since then it has gained a lot of popularity, and this has been instrumental in keeping it updated and relevant when faced with advances in network security technology. This article will discuss various techniques for network mapping with nmap, with particular attention dedicated to successfully mapping networks and devices that are protected behind security devices such as firewalls and Intrusion Detection Systems. From the author’s experience this is a common obstacle that testers need to overcome when performing penetration tests at security-conscious organisations.

Basic Scanning

One of the first actions the penetration tester must take is Host Discovery. Identification of live hosts is critical in order to assess the size of the attack surface and to get a clearer picture of the number of potentially vulnerable hosts that exist on the network. In its simplest form, this can be done through a ping sweep, where ICMP Echo Requests are sent to each host in the address space. Hosts that are online should respond to the ICMP Echo Request with an ICMP Echo Reply message. A ping sweep can be performed using nmap on the 192.168.2.0-255 subnet using Classless Inter-Domain Routing (CIDR) notation with the following syntax.

Ex: nmap -sn 192.168.2.0/24

NMAP will submit an ICMP Echo Request to each IP address within that subnet and check for a returned ICMP Echo Reply message. The results are then presented to the user on screen and can optionally also be saved to a file. The output from this command will look similar to the below:

[Figure 1: nmap-attard-1]

Apart from the IP addresses of live hosts, nmap also attempts to display the hostname of each device by resolving the discovered IP addresses, along with the MAC address and manufacturer of the network card. These details may be significant for launching other attacks such as ARP Poisoning or Man In The Middle attacks during later stages of the penetration test. Obtaining MAC address details is only possible because, in this particular case, the machine executing the ping sweep is on the same Local Area Network as the discovered devices. This level of network mapping would not be as simple to obtain if such a scan were being done over the Internet or from a separate LAN.

There is a high probability that attempts to perform a ping sweep on a network segment that is protected by a firewall will yield no results. The reason is that most network administrators are aware of the ping sweep technique and, in an effort to make network mapping more difficult for attackers, configure the firewall rules or router access lists to drop any incoming ICMP Echo Requests. This renders the ping sweep ineffective, and its results will show that there are no live hosts on the network segment protected by the firewall. NMAP provides some techniques to circumvent this security control and probe further into the network even when it is not possible to utilize ICMP Echo Requests.

TCP Connect() Scan

The TCP Connect() scan, also known as a Full Open Scan, issues a connect() call from the scanning machine and attempts to establish a connection to interesting ports on the destination. It does this by completing the TCP/IP three way handshake and attempting to establish a full connection between the source and destination nodes.

[Figure 2: nmap-attard-2]

The NMAP syntax to perform this type of scan against ports 80 and 443 on the IP address of 192.168.2.1 is:

nmap -sT -p80,443 192.168.2.1

The output for this command is shown below:

[Figure 3: nmap-attard-3]

NMAP will determine whether the host is alive and whether the scanned port is open based on the response it receives from the target. Attempts by the scanning machine to establish a connection with an open port will be met with an acknowledgement packet (SYN/ACK), whereas attempts to connect to a port that is not listening will be met with a request from the target machine to reset the connection (RST). In its most comprehensive form, and in an effort to determine whether any service is running on a machine, this scan can be configured to attempt a connection with all 65535 ports. This is called a Vanilla Scan and should be used with caution, as it may take significant time over WAN links and slow connections.

There are two syntaxes to execute a Vanilla Scan against an individual IP address. They are as follows and the end result is the same for both commands:

Ex: nmap -Pn -sT -p1-65535 192.168.2.1

nmap -Pn -sT -p- 192.168.2.1

The fact that the machine responds to our connection attempts confirms that the host is in fact online, even if it failed to respond to any ICMP Echo Request sent during a ping sweep. Nmap can also be instructed to perform the scan without even attempting to submit an ICMP Echo Request through the use of the -Pn switch. The Full Open Scan is a very reliable form of network scan; however, it is worth noting that this reliability comes at a cost, as such scans are extremely noisy and easily detected and logged. If stealth is a factor, or if there are Intrusion Detection/Prevention Systems on the network that need to be avoided during the penetration test, then the TCP Full Open Scan, and especially the Vanilla Scan, is not the best approach and a more advanced scanning technique might better suit the purpose.

Advanced Scanning and Network Mapping Techniques

NMAP employs some clever techniques to bypass network restrictions and succeed in mapping parts of the network which are protected. These techniques manipulate the flags in the TCP header which determine the state of a connection, to trick the firewall into allowing the communication through. The following TCP flags are all relevant to advanced NMAP scans and are used in one or more of its scanning methods.

SYN flag: Synchronizes sequence numbers. This flag should be present in the first packet that is sent from the source to the destination.

ACK flag: The Acknowledgement flag signifies that the transmission has been received by the destination.

PSH flag: The Push flag requests that all buffered data is forwarded immediately to the receiving application.

URG flag: The Urgent flag requests that the data is handled as quickly as possible. This implies having the receiving application process the data out-of-band.

FIN flag: The Finish flag signifies that the transmission is over and that no more data will be sent to the destination.

RST flag: The Reset flag resets the connection between the source and destination.

Stealth Scan

The Stealth scan, also called SYN scan, attempts to determine whether a port is open and in listening mode on the target without fully establishing a connection. Through this method, nmap sends a SYN request to the destination port and waits for the response. If the port is not listening, the destination requests to reset the connection with an RST packet; if the port is open and in listening mode, the target should reply with a SYN/ACK response as expected from the TCP/IP three-way handshake. However, instead of completing the handshake by sending an ACK response, nmap replies with a request to reset the connection by sending an RST packet. It is for this reason that the Stealth Scan is also known as the Half Open Scan. Because the connection is never actually completed, this method is considered to be stealthy and is usually not logged as an established connection by the service on the target address.

Ex: nmap -sS 192.168.2.1

XMAS Scan

This type of scan attempts to determine the state of a port on a target machine by exploiting the implementation of the TCP protocol stack in certain operating systems. A packet is sent with all the flags set and the reply is analyzed. Since some systems may crash on receiving such a packet, nmap only sets the FIN, URG and PSH flags instead of all flags. If the tested port is closed, the target should reply with a request to reset the connection via an RST packet. When the tested port is open no reply is sent back to the attacking host. It is important to note that due to the different ways in which TCP is implemented, this scan is only accurate for Unix-based hosts as Windows hosts typically give false positives. Since the TCP/IP three-way handshake is not completed this scan can also be stealthy as the connection attempt would not be logged by the application on the destination host. Such attempts might also be successful in evading firewalls and Intrusion Prevention Systems, but since the pattern for XMAS scans is easy to detect one can expect high security environments to have installed signatures for this type of scan on their devices.

Ex: nmap -sX 192.168.2.1

ACK Scan

During network mapping it is important to determine if there is a firewall placed between the scanning machine and the targeted hosts. The ACK scan is a technique that is useful in determining whether there is a firewall and whether it is a stateful or stateless one. In this technique, nmap sends a packet with the ACK flag enabled towards a specific port on the destination system. This tricks any firewalls that do not keep track of the connection states into thinking that this packet is a response to an already initiated connection and the firewall lets it pass through. The targeted host will reply with an RST packet if the probe successfully passes through. No response usually means that a stateful firewall has detected the probe attempt and dropped the packet before it ever reached the target.

Ex: nmap -sA 192.168.2.1

FIN Scan

In this scan type, nmap can send a packet to the port being tested with only the FIN flag set. No response is expected from the targeted host if the port is open, but an RST/ACK response should be sent back to the attacker if the port is closed. Like the XMAS scan, this method is not accurate against Windows-based hosts and is therefore prone to give false positives.

Ex: nmap -sF 192.168.2.1

NULL Scan

The NULL Scan does the exact opposite of the XMAS Scan, as it sends TCP packets with no flags enabled at all. The targeted host drops the packet if the port is open and sends no response back to the attacker. If the port is closed it will respond with an RST/ACK packet. This approach also does not work well against Windows hosts, but has the advantage that it may be successful in evading logging by Intrusion Detection Systems and by the targeted host.

Ex: nmap -sN 192.168.2.1

The table below summarizes the different responses expected from the scans depending on whether the port is open or closed. Responses may also be received from other networking devices present on the network between the attacking host and the targeted host. Firewalls or Intrusion Prevention devices may reply with RST packets or drop the connections before they ever reach their destination, resulting in a lack of response. This may be incorrectly flagged as an open port during exotic scans such as the XMAS, FIN or NULL scan, so these results must always be manually tested and verified by the penetration tester.

Scan Type            Response if Port is Open   Response if Port is Closed
Stealth (SYN) Scan   SYN/ACK                    RST
XMAS Scan            No Response                RST
FIN Scan             No Response                RST/ACK
NULL Scan            No Response                RST/ACK
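The flag bits listed above and the response table, worked as code: this is an added example (not code from the article or from the Nmap project) that encodes each flag as its TCP header bit, builds the probe flag byte nmap sets for each scan type, and interprets a reply into nmap's own port-state vocabulary, where silence on an XMAS/FIN/NULL probe is reported as "open|filtered" rather than "open", which is exactly the verification caveat the paragraph above makes. The names TCP_FLAGS, PROBE_FLAGS, interpret and interpret_sweep are this example's own.

```python
"""Added example: TCP flag encoding, per-scan probe flags and reply interpretation."""

# TCP flag bit positions in the flags byte of the TCP header (RFC 793 order).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flags set in the probe packet for each scan type discussed in the article.
PROBE_FLAGS = {
    "SYN": {"SYN"},                  # -sS: half-open / stealth scan
    "XMAS": {"FIN", "PSH", "URG"},   # -sX: the three flags nmap actually sets
    "FIN": {"FIN"},                  # -sF
    "NULL": set(),                   # -sN: no flags at all
    "ACK": {"ACK"},                  # -sA: firewall rule mapping, not port state
}


def flags_to_byte(flags):
    """Combine flag names into the single TCP flags byte."""
    value = 0
    for name in flags:
        value |= TCP_FLAGS[name]
    return value


def byte_to_flags(value):
    """Decode a flags byte back into the set of flag names."""
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def probe_byte(scan_type):
    """Flags byte nmap puts in the probe for the given scan type."""
    return flags_to_byte(PROBE_FLAGS[scan_type])


def interpret(scan_type, response):
    """Map a reply to nmap's port-state vocabulary.

    response is the set of flag names seen in the reply, or None for no reply.
    """
    if scan_type == "SYN":
        if response is None:
            return "filtered"          # probe or reply dropped on the way
        if {"SYN", "ACK"} <= response:
            return "open"
        if "RST" in response:
            return "closed"
        return "filtered"
    if scan_type in ("XMAS", "FIN", "NULL"):
        # RFC 793 stacks: closed ports answer RST, open ports stay silent, so
        # silence is ambiguous: open OR a firewall dropped the probe.
        if response is not None and "RST" in response:
            return "closed"
        return "open|filtered"
    if scan_type == "ACK":
        # RST means the probe reached the host (unfiltered); silence means a
        # stateful firewall dropped it (filtered). Says nothing about open/closed.
        if response is not None and "RST" in response:
            return "unfiltered"
        return "filtered"
    raise ValueError("unknown scan type: %s" % scan_type)


def interpret_sweep(scan_type, responses):
    """Interpret a whole sweep ({port: reply set or None}).

    Returns (states, warning). The warning fires when every port answered an
    exotic probe with RST, which is what a stack that resets all unsolicited
    segments (Windows behaves this way) produces; the article notes these
    scans are unreliable against such hosts.
    """
    states = {port: interpret(scan_type, reply) for port, reply in responses.items()}
    warning = None
    if scan_type in ("XMAS", "FIN", "NULL") and responses and all(
            reply is not None and "RST" in reply for reply in responses.values()):
        warning = "every port answered RST: results unreliable against this stack"
    return states, warning
```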

To get deeper insight into what packets nmap received for its probes and how it interpreted the results, the --reason parameter may be specified. The output from this command will look similar to the below:

# nmap --reason 192.168.2.1 --top-ports=10

Interesting ports on target:
PORT      STATE     SERVICE       REASON        TTL
21/tcp    open      ftp           syn-ack       62
22/tcp    refused   ssh           reset (ttl?)  63
23/tcp    closed    telnet        reset         62
25/tcp    filtered  smtp          no-response   N/A
80/tcp    open      http          syn-ack       62
110/tcp   filtered  pop3          no-response   N/A
139/tcp   filtered  netbios-ssn   no-response   N/A
443/tcp   filtered  https         no-response   N/A
445/tcp   filtered  microsoft-ds  no-response   N/A
3389/tcp  filtered  ms-term-serv  no-response   N/A

Outcomes such as “no-response” should be analyzed with care to weed out false positives.

IDLE Scan

The Idle Scan, also known as a Zombie Scan, is an effective way of scanning target hosts, or even whole subnets, without disclosing the IP address of the attacker’s machine. This type of scan utilizes zombies, or intermediaries, to send probes on behalf of the attacker’s machine. The technique behind the Idle Scan takes advantage of the predictability of the IP identification (IPID) numbers in IP packets to deduce information about hosts. The idea behind this scan is that, since for each packet that a host sends the next packet’s IPID is incremented by one, information about a port’s state can be deduced by checking the IPID. Nmap is capable of launching this type of scan, and using this method may be necessary when stealth is important during a penetration test, or when it is discovered that there may be network segments that are inaccessible directly from the attacker’s machine but accessible through other hosts on the network. For this technique to be effective it is imperative that the zombie host is not actively being used, as otherwise the scan results will be skewed when the IPID values vary unpredictably. From experience, print server machines are potentially good zombies for an Idle Scan as they are rarely used continuously for extended periods of time.

During an Idle Scan execution the following actions are carried out:

  1. The scanning host sends an IPID probe or SYN packet to the zombie host to assess if a port is open or not.
  2. The zombie host responds with a SYN/ACK packet if the port is open or an RST packet if the port is closed.
  3. The scanning host checks the fragment identifier (IPID number) returned by the zombie.
  4. The scanning host sends a packet probing a specific port on the target and spoofs the IP address of the zombie host as the source.
  5. If the port is open, the target will reply to the zombie host with a SYN/ACK packet and the zombie will send an RST packet to the target.
  6. If the port is closed, the target will send an RST packet to the zombie and the zombie will not send any packets as a reply.
  7. The scanning host then sends an IPID probe to the zombie again. If the port was open, the IPID should be incremented by two since two packets were sent (the RST and the response to the IPID probe) after the previous IPID. The IPID would only increase by one if the port was closed, as the zombie host has sent nothing back to the target.

Figure 4 below depicts how the Idle Scan technique is carried out.

[Figure 4: nmap-attard-4]

To launch an idle host scan using nmap the following syntax must be used: nmap -sI <zombie host[:probeport]> <target>. In the example below the zombie host is 192.168.2.141 and the target is 192.168.2.113. The -Pn parameter is usually used when performing an Idle Scan so that nmap does not ping the target host directly; otherwise the attempt at remaining stealthy would be compromised, as the ping probe advertises the attacking machine’s source IP address.

Ex: nmap -Pn -sI 192.168.2.141:22 192.168.2.113
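The IPID arithmetic from the seven steps above, replayed as an added simulation that is not part of the original article and sends no packets: a toy Zombie with a global, sequential IP ID counter and a toy Target stand in for the real hosts, and infer_state applies the article's rule (+2 means open, +1 means closed). The busy_packets parameter models a zombie that is not idle, so the example also shows how background traffic skews the result. All class and function names are this example's own.

```python
"""Added example: model of the Idle Scan IPID inference, including a non-idle zombie."""


class Zombie:
    """Host whose IP ID counter increases by one for every packet it sends."""

    def __init__(self, start_ipid, busy_packets=0):
        self.ipid = start_ipid
        self.busy_packets = busy_packets   # packets sent for other users between probes

    def send(self):
        self.ipid += 1
        return self.ipid

    def probe(self):
        # Steps 1-3: the scanner probes the zombie, which answers with a packet
        # carrying its current IPID.
        return self.send()

    def receive_from_target(self, flags):
        # Step 5: an unexpected SYN/ACK makes the zombie answer with RST (one packet).
        # Step 6: an unexpected RST is silently ignored (no packet).
        if flags == "SYN/ACK":
            self.send()

    def tick(self):
        # Background traffic between the two probes if the zombie is not idle.
        for _ in range(self.busy_packets):
            self.send()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def handle_syn(self, port):
        # Step 4: the spoofed SYN arrives; the reply goes to the zombie's address.
        return "SYN/ACK" if port in self.open_ports else "RST"


def infer_state(ipid_before, ipid_after):
    """The article's rule: +2 means open, +1 means closed; any other delta means
    the zombie sent other traffic and the result cannot be trusted."""
    delta = ipid_after - ipid_before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unreliable"


def idle_scan_port(zombie, target, port):
    before = zombie.probe()                              # steps 1-3
    zombie.tick()                                        # zombie's own traffic, if any
    zombie.receive_from_target(target.handle_syn(port))  # steps 4-6
    after = zombie.probe()                               # step 7
    return infer_state(before, after)


def idle_scan(zombie, target, ports):
    """Scan several ports through the same zombie; returns {port: state}."""
    return {port: idle_scan_port(zombie, target, port) for port in ports}
```

Note that a zombie sending just one extra packet between the two probes turns a closed port into a false "open" (delta of two), which is why the article insists on an idle zombie.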

UDP Scan

The User Datagram Protocol (UDP) is a lightweight, connectionless protocol that is commonly used by network management technologies. A number of potentially interesting or vulnerable services that use UDP can sometimes be found installed on targets. One such service is TFTP, a file server that runs on port 69 and uses no authentication. TFTP servers may hold configuration files that are automatically uploaded by network devices, possibly containing passwords. To discover services running over UDP, a UDP port scan needs to be performed. This can be executed using nmap with the following syntax:

Ex: nmap -sU 192.168.2.1

nmap -sU -p 69 192.168.2.1

Version Scan

Once services are discovered to be running on the network, perhaps through port scanning, network mapping or other techniques, the next logical step is to determine what server software and version is installed. Accurately determining the software version could lead to successful exploitation of the machine at a later stage, since vulnerabilities and ready-made exploits can be more easily researched if the version number of the software is known. Nmap can gather information about software by sending a series of requests and then parsing the responses to accurately determine the application behind the service and its version number. This type of scan can be performed by using the -sV switch. If obtaining the correct version of the application is of utmost importance, the version scan intensity can be increased by using the --version-intensity parameter. High intensity scans take longer and are more detectable by network security devices; therefore they should be used with care. Below are some examples of syntax used to perform version scanning with nmap.

Ex: nmap -sV 192.168.2.1

nmap -sV --version-intensity 2 192.168.2.1

The output from these commands looks similar to the following:

#nmap -sV 192.168.2.1

Starting Nmap ( http://nmap.org )
Nmap scan report for 192.168.2.1
Not shown: 994 closed ports
PORT      STATE     SERVICE       VERSION
21/tcp    open      ftp           HP-UX 10.x ftpd 4.1
22/tcp    open      ssh           OpenSSH 3.7.1p1 (protocol 1.99)
111/tcp   open      rpc
445/tcp   filtered  microsoft-ds
1526/tcp  open      oracle-tns    Oracle TNS Listener
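A parser for the port tables in the two outputs shown on this page (the --reason listing earlier and the -sV listing above), as an added example that is not part of the article or of the Nmap project. It reads the header line to decide whether the trailing columns are REASON/TTL or a free-text VERSION, and pulls out the ports whose "filtered" state rests only on "no-response", which the article says must be verified by hand. The sample text and the function names parse_port_table, needs_verification and summarize_states are constructed for this example.

```python
"""Added example: parse nmap normal-output port tables (--reason and -sV layouts)."""
import re

# Constructed sample output, modelled on the listings in the article.
SAMPLE_REASON = """\
PORT     STATE    SERVICE      REASON      TTL
21/tcp   open     ftp          syn-ack     62
22/tcp   closed   ssh          reset       63
25/tcp   filtered smtp         no-response N/A
80/tcp   open     http         syn-ack     62
443/tcp  filtered https        no-response N/A
"""

SAMPLE_VERSION = """\
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          HP-UX 10.x ftpd 4.1
22/tcp   open     ssh          OpenSSH 3.7.1p1 (protocol 1.99)
111/tcp  open     rpc
445/tcp  filtered microsoft-ds
"""

# port/proto, state, service, then everything else (may be absent).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_port_table(text):
    """Return one dict per port line.

    Columns after SERVICE are assigned according to the header line: REASON and
    TTL when the output came from --reason, otherwise a free-text VERSION.
    """
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = next((line for line in lines if line.startswith("PORT")), "")
    has_reason = "REASON" in header.split()
    rows = []
    for line in lines:
        match = PORT_LINE.match(line)
        if not match:
            continue                      # headers, "Not shown:" lines, banners
        port, proto, state, service, rest = match.groups()
        row = {"port": int(port), "proto": proto, "state": state, "service": service}
        rest = (rest or "").strip()
        if has_reason:
            parts = rest.split()
            row["reason"] = parts[0] if parts else ""
            row["ttl"] = parts[1] if len(parts) > 1 else ""
        else:
            row["version"] = rest         # empty when nmap could not identify it
        rows.append(row)
    return rows


def needs_verification(rows):
    """Ports whose state was inferred from silence rather than from a reply."""
    return [row["port"] for row in rows if row.get("reason") == "no-response"]


def summarize_states(rows):
    """Count ports per state, e.g. {'open': 2, 'closed': 1, 'filtered': 2}."""
    counts = {}
    for row in rows:
        counts[row["state"]] = counts.get(row["state"], 0) + 1
    return counts
```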

Evading IDS

Larger networks, usually found in companies that take security seriously, might have firewalls or Intrusion Detection Systems that respond to attempts at network mapping by dropping nmap probes or alerting the system administrators about the ongoing activity on the network. This makes the penetration tester’s job more difficult, especially when being stealthy is a requirement, and can effectively hide entire network segments from being discovered during a scan. There are different techniques that may be used in an attempt to evade detection by an Intrusion Detection System, and they can be summarized into two distinct approaches: timing control and packet fragmentation.

Timing Control

Most of the detection capability behind an Intrusion Detection System relies on a packet analysis engine that uses signatures to inspect network traffic in real time and detect attacks that are in progress. This is usually an effective approach, and when performed aggressively or in a short period of time, network scanning attempts have a very high probability of being detected. The port scanning traffic itself is, however, not very different from normal network operation, and it is usually only through the volume of attempts that an Intrusion Detection System can tell what the attacker is trying to accomplish. Furthermore, to reduce the likelihood of false positives being generated during normal network operation, the IDS operator is likely to set certain thresholds so that alerts are only generated when there is reasonable suspicion that a port scan or other malicious activity is ongoing. Based on knowledge of this common practice, a skilled penetration tester would not launch a noisy and aggressive port scan but would perform the test over a much longer period of time, generating as little traffic as possible in the hope that the thresholds set on the Intrusion Detection System would not be exceeded, and therefore alarms highlighting this activity would never be generated. Proper execution of this technique would lead to a successful network map and host enumeration while also evading the IDS.

NMAP’s default behavior is to run as many network probes in parallel as possible to deliver results in the shortest time possible. This optimization increases performance drastically at the expense of stealth. Fortunately the penetration tester has full control over these features, and the nmap scanner already has inbuilt functionality to throttle its scanning speed during a scan, so this technique can be applied without the use of any other utilities. The --max-rate and --scan-delay options are of particular interest in this case, as they can be used to limit nmap to sending only a certain number of probes every few seconds and to set a delay between one probe and the next. If this level of control is not required, nmap also has a set of six default timing templates that range from Paranoid (optimized for IDS evasion) to Insane (optimized for performance), which usually suit the purpose without additional manual intervention. Stealth options will obviously take a much longer time to finish, so this constraint must be planned for during the early parts of the penetration test. These timing options can be set with the following syntax examples.

Ex: nmap -sS --max-rate 0.1 192.168.2.1

nmap -sS -T2 192.168.2.1

nmap -sS --max-rate 0.1 --scan-delay 3 192.168.2.1

nmap -sS --max-rate 0.5 --scan-delay 5 192.168.2.1 -p22,80,445,3389,3306
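The threshold logic the Timing Control section describes, seen from the IDS side: an added example (not from the article or any IDS product) that runs a distinct-destination-ports-per-window detector over constructed connection log lines and goes a step beyond the text by showing why a slow --max-rate 0.1 style sweep stays under a one-minute threshold while the same rule over a one-hour window still catches it. The log format, the source and target addresses and the names detect_scans, peak_distinct_ports and constructed_scan_log are all this example's own.

```python
"""Added example: threshold port-scan detection versus scan rate, on constructed logs."""
from collections import defaultdict, deque

# Constructed log format: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <flags>"


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src, dst_ip, int(dst_port), flags


def _sorted(lines):
    return sorted(lines, key=lambda line: float(line.split()[0]))


def detect_scans(lines, window_seconds, port_threshold):
    """Alert on a source that touches more than port_threshold distinct
    destination ports within any window_seconds span.
    Returns {src: timestamp of first alert}."""
    events = defaultdict(deque)        # src -> sliding window of (ts, port)
    alerts = {}
    for line in _sorted(lines):
        ts, src, _, port, _ = parse_line(line)
        window = events[src]
        window.append((ts, port))
        while window and ts - window[0][0] > window_seconds:
            window.popleft()           # drop probes that aged out of the window
        if src not in alerts and len({p for _, p in window}) > port_threshold:
            alerts[src] = ts
    return alerts


def peak_distinct_ports(lines, src, window_seconds):
    """Highest number of distinct ports src touched inside any window: tells
    you which threshold a given scan rate would actually trip."""
    window = deque()
    peak = 0
    for line in _sorted(lines):
        ts, s, _, port, _ = parse_line(line)
        if s != src:
            continue
        window.append((ts, port))
        while window and ts - window[0][0] > window_seconds:
            window.popleft()
        peak = max(peak, len({p for _, p in window}))
    return peak


def constructed_scan_log(src, dst, ports, start, rate_per_second):
    """Constructed SYN probes spaced 1/rate seconds apart."""
    return ["%.1f %s -> %s:%d SYN" % (start + i / rate_per_second, src, dst, p)
            for i, p in enumerate(ports)]


# Constructed data: a default-speed sweep of 100 ports in about two seconds,
# and the same sweep throttled to one probe every ten seconds (--max-rate 0.1).
FAST = constructed_scan_log("10.0.0.5", "192.168.2.1", range(1, 101), 1000.0, 50)
SLOW = constructed_scan_log("10.0.0.9", "192.168.2.1", range(1, 101), 1000.0, 0.1)
LOG = FAST + SLOW
```

With a 20-port threshold, the one-minute window alerts only on 10.0.0.5, because the throttled sweep never exceeds seven distinct ports in any minute; a one-hour window with the same threshold catches both.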

Packet Fragmentation

Since the IDS requires the packet being inspected to match a signature or rule, most IDS evasion techniques use some form of packet fragmentation, which breaks down the network probe packet into a number of much smaller packets so that none of them matches the IDS signature. When these fragmented packets are reassembled at the destination address, they will fulfill their aim and the targeted host will respond to the probe, effectively bypassing the IDS. Reassembling fragmented packets increases processing load and memory utilization on the IDS devices. Abnormal system load and a higher occurrence of fragmented packets could be a telltale sign to a security analyst that such a scan is in progress. Nmap comes with inbuilt options to fragment packets during network mapping activity. The -f option specifies the use of tiny fragmented IP packets during scans. This option can be used multiple times to keep on splitting packets into even smaller fragments. A specific offset can also be set by using the --mtu parameter. It is important to note that these two options cannot be used together.

Ex: nmap -sS -f -f -v 192.168.2.1 -p21,22,23,80,139,443,445

nmap -sS --mtu 512 -v 192.168.2.1 -p21,22,23,80

Other Evasion Techniques

In some poorly designed networks, it might be possible to bypass the IDS device completely by setting a static source route and forwarding all scanning traffic to a gateway that is not protected behind the IDS. This technique usually implies previous knowledge of the network design and architecture and is more commonly used during White Box testing.

The Achilles’ heel of IDS devices is encryption as the IDS is not capable of inspecting encrypted traffic to determine whether this matches the pattern of a scanning attempt or if it is legitimate traffic. If there is the possibility of sending the network probes through an encrypted tunnel to the target host, this will almost always be successful in bypassing IDS inspection. A good example of this technique would be to tunnel the nmap scans through an already compromised host on the same subnet as the target host using a cryptcat tunnel.

If bypassing the IDS is not possible, the next best thing may be to hide the IP address from which network mapping attempts are being launched among a number of other IP addresses. Nmap provides this functionality through the use of decoys. When a decoy scan is launched, nmap sends several network probes at the destination host, each one having a different spoofed IP address. To the IDS and security administrators this will look as if the network scanning attempts are being performed from multiple different IP addresses. This is a very noisy technique and will increase the size of logs and the visibility of the attack. In this case it could help the penetration test by lengthening the investigation and response times of the security staff, allowing the penetration tester to complete the network map before remedial action is taken. Nmap can be configured to launch a scan with decoys using the following syntax. All IP addresses after the -D switch represent the spoofed decoy IP addresses. ME instructs nmap to use the real attacker’s IP address as one of the decoys.

Ex: nmap -v -sS -D 192.168.2.111,192.168.1.22,172.16.78.2,192.168.3.65,ME 192.168.2.1

Going Beyond the Network Map

Nmap’s power and versatility go beyond discovering the existence of hosts and creating an up-to-date network map. The next phase in a successful penetration test, immediately following network mapping, is the enumeration of services running on the discovered hosts. In this area nmap employs several powerful techniques that can be used to accurately determine what software and versions are installed and ready to be exploited on remote systems.

Operating System Detection

After discovering a live host, nmap can attempt to determine, to a decent degree of accuracy, what Operating System is installed. Since there are subtle variations in the way different Operating Systems respond to certain packets, Nmap attempts to identify the remote host’s Operating System and version by sending a series of TCP and UDP packets to the target and then checking each bit in the response to match it against a database of Operating System fingerprints. This information enables the penetration tester to assess what kinds of vulnerabilities, such as missing patches, the remote host may suffer from. The -O parameter can be used to enable Operating System detection. If nmap cannot perform a match with certainty, the parameter --osscan-guess or --fuzzy will instruct it to display possible matches.

Ex: nmap -O -v 192.168.2.1

Protocol Detection

Determining whether the remote host supports IP protocols other than the common TCP and UDP protocol stacks can be useful to a penetration tester for many reasons. During the identification phase of some networking devices it could help to pinpoint specific brands, and it could possibly also discover networking-specific protocols like RIP and EGP which may be susceptible to certain attacks. Nmap can perform an IP protocol scan to determine the existence of such protocols using the -sO parameter. This parameter cannot be used in conjunction with a normal port scan and must be launched on its own. The IP Protocol Detection process is very noisy and any Intrusion Detection device will be able to pick up this activity, so it should be used with care.

Ex: nmap -sO -v 192.168.2.1

Nmap Scripting Engine

The nmap scripting engine is a versatile and powerful framework which enables the penetration tester to quickly automate most mundane tasks through the use of extensible scripts. These scripts can do anything from network mapping and Operating System fingerprinting to service version detection, vulnerability scanning and backdoor detection. This framework also allows the penetration tester to implement custom scripts. This useful feature may assist when attempting to take advantage of a discovered vulnerability. The nmap scripting engine can be launched by using the --script syntax followed by the script name. There are hundreds of useful scripts which significantly improve the functionality offered by nmap. Below are just a few examples of scripts that are frequently used by the author.

Ex: nmap -p 80 --script http-auth-finder 192.168.2.1

nmap -p 80 --script http-headers 192.168.2.1

nmap -p 445 --script smb-check-vulns 192.168.2.1

Conclusion

Creating an accurate and complete network map is one of the prerequisites for a successful penetration test. Although this is a skill in itself, the number of techniques that nmap provides to successfully perform this task makes it one of the best tools for the job. This tool, together with the techniques outlined in this article, is useful to any penetration tester when faced with a challenging network. Mastering these techniques brings that elusive vulnerability one step closer to successful exploitation!

So, let's now get to the discussion!
PenTest Magazine Team!

March 21, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013