CompTIA CYSA+ CS0-002 – Enumeration Tools Part 2

3. Nmap Port Scans (OBJ 1.4)

Nmap port scans. So now that we’ve started and we’ve gone through and done our Discovery scans, we have now finished our footprinting. But we now need to start beginning our fingerprinting and learning information about individual hosts. One of the ways we do this is by using Service Discovery. Now, Service Discovery is going to help us to determine which network services and operating systems are inuced by a target. When we looked at that output from Nmap earlier, I showed you there was different ports that were open and different services that were being told, like SSH and what version it was. This is what I’m talking about when I talk about service discovery. Now, Service Discovery can take several minutes to complete or up to several hours depending on how many IPS you’re searching and how many ports you want to dig into.

Now, let me give you a quick word of wording. Now, you may have heard me say the word stealthy numerous times so far as we talked about Nmap. Now, some scans are going to be described as stealthy or more stealthy than others. But a well configured IDs or IPS can detect most Nmap scanning. Now, this is really important to you as an analyst because your job is to configure IDs and IPS’s, right? And so you want to make sure your devices are configured to protect yourself from these different types of scans and so you can detect more of them. Now, let’s talk about a couple of these ways for us to start doing port scanning and identify individual ports on individual hosts within a network. The first way is by using dash. This is known as a TCP syn.

Now, this type of scan is going to conduct a half open scan by sending a sin packet to identify the port state, but it’s never going to send that acknowledgement packet. Now, this might sound to you like a denial of service or a sin flood, right, because we’re sending these half open packets. Now, we’re not actually going to create a denial of service doing this because we’re not sending enough of them or in a large enough volume. But it is the same concept. We’re starting a three way handshake, but we’re not acknowledging it. And again, that’s going to give us the response that synac packet from the target and we can analyze that to figure out which ports are open. The next one we’re going to talk about is a TCP Connect, which uses dash st as its flag.

This is going to conduct the full three way handshake by doing the scan. It’s going to send out a syn packet to identify the port state and then it’s going to send the acknowledgement once it receives that sync. This is done because sometimes your network card doesn’t support doing a half open scan. This is something special that only certain network cards can do and you have to have administrative or root access. Now, you may wonder, why would I use a full three way handshake when I can just use a TCP sin and use a half open handshake? Well, depending on where you’re doing your scan from, you may not have rights to do a TCP syn because using a half open scan like that requires you to have root or administrative access on the system that you’re scanning from.

And so if you don’t have that, you’re going to be stuck having to do a TCP connect scan instead. The next one we’re going to talk about is a null scan. Now a null scan uses the flag SN for null. Now this is going to conduct the scan by sending a packet with the header bit set to zero, which is why we call it a null scan because there’s no information there. This again looks abnormal and most IDs and IPS’s are going to see this and think it’s malicious. The next one we’re going to talk about is a fin scan. Now a fin scan uses the flag SF. This conducts a scan by sending an unexpected fin packet. If you remember how TCP IP works back from your network plus days, you’ll remember that finn packets are used as a way to end a communication session.

So if you send it in the middle of a session, it’s unexpected. But again, Nmap will support you doing this. Just like the null scan, this is something that will set up flags inside most intrusion detection and protection systems. So it’s not really stealthy to use this. The next one we’re going to talk about is a Christmas scan. This is Dash. Now the reason this is called a Christmas scan is because it lights up like a Christmas tree. You’re conducting a scan by setting a packet with the fin, the push and the urge flags all set to on or one. Now in this case, it’s going to look like a Christmas tree in their logs and in their intrusion detection systems. This is a surefire way for you to get caught. So why would you ever send one of these if you were a penetration tester.

Well, because you’re trying to make sure people are actually paying attention, so you can actually send this out as an easy thing to see if people catch you or not. If they’re not catching some of your hard things, you could throw one of these in there and see if they’re actually awake and actually looking at their logs. The next one we’re going to talk about is a UDP scan. Now, this uses the flag. Su this allows us to conduct a scan by sending a UDP packet instead of a TCP packet. And we’re going to send that to our target and then wait for a response or a timeout. Now, because UDP doesn’t have sin ACK and all the acknowledgments and three way handshakes, we basically have to send it and then wait to hear if we got a response or was there a timeout? And then we use that to figure out if that port was open or closed.

This can be used if you want to be a little bit more stealthy and figure out if things are actually working well for you. Next, we have port ranges. You can use the flagp to specify the port you want to scan. Now, when you’re scanning ports, by default, it’s going to scan 1000 of the most commonly used ports. That can take a lot of time, and it’s not very stealthy. So when I’m doing my scans as a penetration tester, I will usually scan for just a couple of ports that I think are important or ones that I want to go after. I might go after port 80 if they’re running a web server, port four, four, three if they’re using a web server. Port 22 if they’re running an SSH server. Instead of going after 1000 ports. It’s another way to try to sneak in past the sensors and try to get through the firewall and get through the intrusion detection and prevention systems.

Now, all of these techniques can be made more or less stealthy, as well as combined with other options covered in our Discovery Scans. So I can use things like timing for my Discovery scans and use T Zero to make it really slow, and then I can use a half open scan using Dash SS, and I can combine these together to give me something that looks a little bit more stealthy. I also can use that with Dash P and add in only port 80. And so by doing this and crafting my Nmap scans, I can make myself more stealthy and have a better chance of not being detected if I’m an attacker.

4. Nmap Port States (OBJ 1.4)

Nmap port states. Now, as I mentioned, when you conduct your scan, you’re going to be scanning a host and fingerprinting it and to identify what ports may be open or which ones may be closed. Now, there’s lots of different port states and you have to understand these. As a cyber defender, this is important because these different states can tell you what that port is capable of doing and whether or not you have a vulnerability. Now, the first three of these are known as OS, open, closed, and filtered. Let’s take a look at each of these. First we have open. Now, open is when an application of the host is ready to accept connections. So if I’m running a web server, port 80 should be open because I need to be open and listening and ready to accept a connection from whatever client wants to get access to my web server.

But if I’m not running something like telnet, then port 23 should not be open. And that brings us to our second state, which is known as closed. This is when the port responds to pros by setting a reset packet. That means there’s no application available to accept connections there. So again, if I have a web server and it’s not running telnet, it’s not going to have port 23 open. So if I send a packet to it and say, is port 23 open? I want to make a connection, it’s going to send back a reset packet that says this port is closed. You know, there is no application installed on that system for that particular port. Now, the third category we have is what’s known as filtered. Now filtered occurs when Nmap can’t probe the port, but it doesn’t necessarily know that it’s closed. This is usually due to a firewall blocking the scan on the network or host.

And so when you see filtered, the first thing you should be thinking as somebody who’s scanning this network is there’s a firewall in place? And so that brings us to other states that could be shown as well. There are three other states that are displayed if the scan cannot determine a reliable result. Again, filtered is one result where we’re sure there’s a firewall, but there’s other ones when we’re not so sure. These are unfiltered, open, filtered, and closed filtered. Now, unfiltered is when Nmap can probe the port, but it can’t determine if it’s open or closed. It’s not filtered, it’s not being blocked by a firewall, but I’m really not sure if it’s open or closed. I know this sounds kind of weird and it really is. It is not very common to find ports labeled as unfiltered in your Nmap scans.

Next we have open, filtered. Now, this happens when Nmap can’t determine if the port is open or filtered. So it’s one or the other. So when it does its UDP or IP protocol scan, this is pretty common that it’ll come back open, filtered, if you’re using a sin scan, it should actually tell you whether or not it was open or filtered. It can determine that based on the response from the server. Now, the third one we have is closed filtered, and this is when MMAP can’t determine if the port is closed or filtered when conducting the TCP Idle scan. So if you’re conducting a TCP Idle scan using Dash ti, you may get back something that shows closed filtered. Again, these three are not nearly as common as the open, closed and filtered, but they are important to know. Now, why is it important for us to know all these different port states? Well, as a cyber defender, it’s important for us to understand this because an open port indicates a host that is ready to accept connections.

That means there might be a vulnerability there because there’s an inbound connection that’s open. If you have a web server and port 80 is open, that’s not really a vulnerability because you know that port 80 is open because it’s a web server. You’re expecting that. But if I do a scan against your host inside your network for your workstations and I find port ad is open, that is something that I’m going to look into, that is a vulnerability to me because most people aren’t running web servers on their desktops. It’s just not that common. And so by going through and doing these port scans and looking at these port states, it can tell you what you need to look further into as a network defender to be able to harden down your network and minimize your attack surface.

5. Nmap Fingerprinting Scans (OBJ 1.4)

Nmap fingerprinting scans. In this lesson, we are going to talk a little bit more in depth about fingerprinting scans. So we’ve talked about ports and we’ve talked about port states. But there’s more information that you can get by doing your fingerprinting. When you do fingerprinting, this is a technique that gets a list of all the resources on the network, the host or the system as a whole to identify potential targets for future attack. Now, this is the idea here. With fingerprinting as an attacker, I’m trying to find out all about your system so I can figure out a way to penetrate it and a way to exploit it. You as a defender want to know that same information, so you can put defenses in place to stop me from doing that.

Now, once you start identifying the open ports and you’ve discovered those, we’re then going to use Nmap to probe them intensely. Now, what do I mean by intensely? Well, there’s two ways of doing this. You can use the command nmap SV or nmap A. Both of these will do an intensive port scan. Now, these scans do differ just a little bit. When you’re using SV, you’re going to be able to get some basic versioning information, but A is going to do it more intensely and discover even more data. This intensive fingerprint scan can provide you with a lot of detailed information. Things like the protocols in use, the application name inversion, the operating system type inversion, the host name, and the device type. All of this is great information.

So once your scan is complete, you’re going to see something that looks like this. You’re going to receive a list of the ports and their states. Notice there are different states that a port can be in. We talked about those we had open and closed and filtered, right? And so here I see the first port is port 53. It’s a TCP port, and it’s open. Now, what service does this run? It runs Domain service. Domain name service. Now, I also see the fingerprinting strings here and it shows me what version of the bind request TCP was being used. In this case, it couldn’t identify the exact version, but it does know it’s using bind. Then I see the next port, port 80. This again is TCP, and it was open. This is running our unclassified web service, Http.

What version is being run here? Microsoft Internet Information Services, that’s running the Http daemon, which is running on version 10. 0. Now, as I look into that, it gives me even more information, gives me some basic methods of how it’s done that and the information it knows about it. And as you go through this, you’re getting more and more details. As you go further, you can see the Mac address, you can see what operating system it’s using, in this case, Windows Server 2016. And all those types of details are things you can find out by doing this type of in depth intensive probing of those different ports and seeing what the responses are. So you may be wondering, how does Nmap fingerprint what services and versions are running on this server? How does it know all this information? Well, it does.

It using what’s known as a CPE, which is the common platform enumeration. This is a scheme for identifying hardware, devices, operating systems and applications developed by the Mitre Corporation. Essentially, this CPE is a database of different fingerprint signatures. And what Nmap does is it compares the response it’s getting from these ports when it sends that sin packet, what it gets back as the syn AC, it looks at that packet and determines which operating systems it is and which versions, because each one answers just a little bit differently. That’s the idea of using the CPE. Now, Nmap is also a really powerful tool, and it’s even more powerful when you can use scripting with it. Nmap even comes with its own scripting engine. It’s known as the Nmap scripting engine, or NSE.

This allows scripts that are written in the Lua scripting language to be used to carry out detailed probes. This includes things like OS detection and platform enumeration, windows user account discovery, identifying the logged on Windows users against the system, performing some basic vulnerability detection to figure out what software is in use and what might be vulnerable. It can also be used to probe web servers to gather Http data and identify web applications in use. And you can even add geolocation to your different trace route probes. All of this can be done using the NSE, the Nmap scripting engine. If you go to Mmap. org, there are lots of scripts out there that you can use and pass them directly into your MMAP. You don’t have to write these scripts yourself. They already exist for you to do all your work as a cybersecurity analyst.

• Category: Uncategorized