CompTIA Pentest+ PT0-002 – Section 7: Nmap Part 1

55. Nmap (OBJ 2.3 and 2.4)

In this section of the course, we’re going to cover Nmap, which is an extremely versatile security tool that can be used to conduct active reconnaissance, enumeration, and even some basic vulnerability scanning when you use the Nmap scanning engine or NSE. Because of this, Nmap really does fit into both the information gathering and vulnerability scanning activities during phase two of our engagements, which is why I’ve separated out into its own section within this course. As we cover Nmap in this section of the course, we’re going to complete our coverage of the remaining objectives and sub-bullets in Domain 2, Information Gathering and Vulnerability Scanning. Now in this section, we’re going to be focused on two objectives. Objective 2.3, which states, “Given a scenario, you must analyze the results of a reconnaissance exercise.” And objective 2.4, which states, “Given a scenario, you must perform vulnerability scanning.” Now just as before, there is going to be a lot to cover in these two objectives. Now unlike most tools covered by the PenTest+ exam, that just require you to know what the tool is, when you would use it during an engagement, and the type of information you can gather with that particular tool, Nmap is really different.

Now Nmap is clearly listed in the exam objectives, but not just by its name, but also by its common syntax options and individual features. This should give you a hint that you’re going to expect some more in-depth Nmap questions on your exam. For example, you need to be comfortable choosing the right options to run Nmap with, in order to achieve specific results. Let’s say you want to determine what operating system is being run on a given target. Which Nmap syntax option are you going to use to do that? Or they could provide you with the output from an Nmap scan, and you need to be able to read it, understand what ports and services are running on that target, and then identify which one is the most vulnerable one, based on the output you were given. Now Nmap is by far, one of the most useful and important tools that you’re going to use as a penetration tester. This tool can be used to conduct port scanning, service scanning and vulnerability scanning too. We’re also going to cover scripting concepts in Nmap, and finally, we’re going to jump into several demonstrations so you can learn the basics of how to use Nmap to conduct these scans and analyze the results, so you’ll answer those questions right on test day. Now on the exam, if there is one tool that you need to know in depth, it’s definitely Nmap. So please, do yourself a favor. Load it up in your Kali virtual machine. Conduct some scans on your own home network or lab, and that way you can get comfortable using Nmap and analyzing its outputs. With that said, let’s get started with our coverage of Nmap in this section of the course.

56. Nmap Discovery Scans (OBJ 2.3 and 2.4)

In this lesson, we’re going to start our coverage of Nmap which is the world’s most popular enumeration tool. Now Nmap comes to us from the Nmap Project which is an open source project that developed this tool and all of the supporting resources that come with it. When we talk about Nmap, we’re talking about the Nmap Security Scanner. It is a versatile port scanner that’s used for topology, host, service and operating system discovery and enumeration. Now in this lesson specifically, we’re going to talk about discovery scans and an Nmap discovery scan is used to footprint the network. This is the big overview. We want to figure out what hosts are sitting on this network. We want to figure out what this network looks like from a topology standpoint and that would include things like IP addresses and things of that nature. Now when we start talking about Nmap, if you want to use it in its most basic form, it’s really easy. You just type in nmap, the IP address you want to scan or nmap and the IP range you want to scan. For instance, if I type nmap 192.168.1.0/24, that’s going to scan all 256 IPs in that range. Now when you use Nmap in this basic syntax, this is the default configuration. It’s going to have its default behavior being used and that default behavior is to ping and send a TCP acknowledgement packet to ports 80 and 443. This will determine whether a host is there and whether it’s present. If that host is there and detected, Nmap will then perform a port scan against that host to determine which services it’s actually running across the 1,000 most commonly used ports. Now this port scanning can be time-consuming because there’s 1,000 ports it’s checking and if you have a very large range, this can take a lot of time.

The other thing about using Nmap in this default configuration is it is not very stealthy. Most of your intrusion detection systems or intrusion prevention systems or firewalls will see this activity as scanning and they will try to block it. And so you need to make sure that you know all the different ways to use Nmap so you’re not being blocked by these network devices. And that brings us into another way of doing things which is what’s called a host discovery scan. Now a host discovery scan uses the flag -sn. This is what tells us we want to do a host discovery scan instead of using the default procedures. If you only want to perform the host discovery part and not that port scan, you can use nmap -sn and then the IP range. This will suppress that 1,000 port scan that I talked about using the basic syntax using that default behavior. Now there are lots of other scanning options that you can utilize wing using Nmap and they all rely on these things known as switches. That is that -sn that I just showed you, but there’s lots of different options as well. For instance, you might have a list scan which is -sL and this will list the IP addresses from the supplied target range and it’ll perform a reverse DNS query to discover any host names associated with those IPs. So think about this as a DNS lookup. That’s essentially what we’re doing here when we’re doing a list scan.

Now the list scan is considered more of a passive method because you’re not actually sending probes directed at the host. Instead you’re taking their IP range and you’re asking the DNS server to do those reverse lookups for you so you’re never really touching the host themself. Now another option you can use is what’s known as -PS and this is a TCP SYN ping. Now what this does is it’s going to probe all the specific ports that you list in the command and it’s going to do this using a TCP SYN packet. This is really helpful because some networks are going to block ICMP packets from being used for ping and if you try to ping something using the ping command, it’s going to come back as host not found or no response. But by using something like -PS here, you can actually use a SYN packet to conduct that because when you send a SYN packet to somebody, they are going to send back a SYNAC and then normally you’d send back an acknowledgement request as an act packet and that would finish the three-way handshake. Well here what we’re going to do is send out the SYN, we’re going to get back the SYNAC and that tells us that host is alive and then we’re not going to finish the three-way handshake. We’re not going to send back the acknowledgement and that way it’s less information that can go towards that host to figure out who we are. Now the next one we want to talk about is using sparse scanning. Now again, if you want to be more stealthy and you don’t want to do a ping sweep or a port scan really quickly, you can actually spread out your timing. And if I do it over a long period of time, that can make it harder for detection to occur. So what we do is we use –scan-delay and the amount of time we want to wait. This will issue probes with significant delays to become much more stealthy and avoid detection by an IDS or an IPS. The next one we want to talk about is scan timing and this uses the flag -Tn. This is going to issue probes when you using a timing pattern with that end being the timing pattern you want to utilize. If you use a zero, that’s going to be the slowest. If you use a five, that’s going to be the fastest. If you use a three it’s somewhere in the middle. The idea here again, is to try to evade detection by an IDs, IPS or firewall. The next flag we’re going to talk about is -sI which is used for a TCP ID idle scan This is another stealthy method and this is going to allow the scan to make it appear like it’s coming from another machine which we’ll call a zombie.

Now this is going to allow that machine to pretend like it started the scan to hide the true identity of the scanning machine. Essentially, it’s a redirection. We’re trying to throw the defenders off our tail and be a little bit more stealthy as we go. The next thing we can use is fragmentation and this can be done using either of two flags, either -f or –mtu. This is a technique that splits that TCP header of each probe being sent through multiple IP datagrams and this will make it harder for an IDS or IPS to detect you. Notice a trend here. The last couple of things we’ve talked about were all about trying be more stealthy so we can’t be detected as an attacker. Now the results of a discovery scan should be a list of IP addresses and whatever they responded to in regards to the probes. It’ll look something like this. Notice here I have nmap -A -T4 scanme.nmap.org. Notice that -T4. Which type of scan was that? That’s right. It’s a scan timing type of scan. We’re using -Tn which tells us in this case -T4 which means it’s pretty darn fast. It’s not the fastest, but it’s pretty fast. Now notice the results here. You’ll see that we had two clients that were scanned. We had scanme.nmap.org and d0ze.

Once we scanned those, we got a response from them and they showed us what interesting packets there were and this is giving us more information. We’ll talk more about these port states and the different services and versions in a later lesson as we go through and learn more about Nmap. Now another thing you got to think about is the way output is given to you in Nmap. For instance this output you’re seeing right now is displayed to the screen and this is what is known as interactive. This is the default setting. Whenever you run a command, by default it will display it to the screen. But you don’t have to do that. You can actually send data to a file as well. You can do this in a normal method using the -oN command. This flag will say take what I saw on the screen and instead of putting it on the screen, put it in a file. You also can use XML using -oX and this will put it in an XML format to a file. Or you can use something that is grepable using -oG. This will allow a grepable format being sent to a file that you can later then use grep upon to find information. This is really helpful if you have really large datasets. Let me give you a quick exam tip. I know I covered a lot of different flags here. You’re going to have to be very comfortable with scanning networks and hosts using Nmap. It is a listed objective inside of the PenTest+ exam and they go into a lot of depth and all the different flags. You really need to understand the concept of Nmap and what you use it for. You are going to use Nmap a lot to do your job so spending some time and getting comfortable with some basic Nmap information is very critical and that’s why we’re going to spend quite a bit of time on it in this course.

57. Nmap Port Scans (OBJ 2.3 and 2.4)

So, now that we’ve started and we’ve gone through and done our discovery scans, we have now finished our footprinting but we now need to start beginning our fingerprinting and learning information about individual hosts. One of the ways we do this is by using service discovery. Now, service discovery is going to help us to determine which network services and operating systems are in use by a target. When we looked through that output from Nmap earlier, I showed you there was different ports that were open and different services that were being told, like SSH, and what version it was. This is what I’m talking about when I talk about service discovery. Now, service discovery can take several minutes to complete or up to several hours, depending on how many IPs you’re searching and how many ports you want to dig into. Now, let me give you a quick word of warning. Now, you may have heard me say the word “stealthy” numerous times so far as we talked about Nmap.

Now, some scans are going to be described as stealthy or more stealthy than others, but a well-configured IDS or IPS can detect most Nmap scanning. Now, let’s talk about a couple of these ways for us to start doing port scanning and identify individual ports on individual hosts within a network. The first way is by using -sS, this is known as a TCP SYN. Now, this type of scan is going to conduct a half-open scan by sending a SYN packet to identify the port state but it’s never going to send that acknowledgement packet. Now, this might sound to you like a denial of service or a SYN flood because we’re sending these half open packets. Now, we’re not actually going to create a denial of service doing this because we’re not sending enough of them or in a large enough volume, but it is the same concept. We’re starting a three-way handshake but we’re not acknowledging it. And again, that’s going to give us the response, that SYN-ACK packet from the target, and we can analyze that to figure out which ports are open. The next one we’re going to talk about is a TCP connect which uses -sT as its flag. This is going to conduct the full three-way handshake by doing the scan. It’s going to send out a SYN packet to identify the port state and then it’s going to send the acknowledgement once it receives that SYN-ACK. This is done because sometimes, your network card doesn’t support doing a half-open scan. This is something special that only certain network cards can do and you have to have administrative or root access. Now, you may wonder why would I use a full three-way handshake when I can just use a TCP SYN and use a half-open handshake? Well, depending on where you’re doing your scan from, you may not have rights to do a TCP SYN because using a half-open scan like that requires you to have root or administrative access on the system that you’re scanning from. And so, if you don’t have that, you’re going to be stuck having to do a TCP connect scan instead. The next one we’re going to talk about is a Null scan. Now, a Null scan uses the flag -sN for Null. Now, this is going to conduct a scan by sending a packet with the header bit set to zero which is why we call it a Null scan, because there’s no information there. This again, looks abnormal, and most IDS and IPS’s are going to see this and think it’s malicious. The next one we’re going to talk about is a FIN scan. Now, a FIN scan uses the flag -sF. This conducts a scan by sending an unexpected FIN packet.

If you remember how TCP IP works back from your Network+ days, you’ll remember that FIN packets are used as a way to end a communication session. So, if you send it in the middle of a session, it’s unexpected, but again, Nmap will support you doing this. Just like the Null scan, this is something that will set up flags inside most intrusion detection and protection systems, so it’s not really stealthy to use this. The next one we’re going to talk about is a Xmas scan. This is -sX. Now, the reason this is called a Xmas scan is because it lights up like a Christmas tree. You’re conducting a scan by sending a packet with the FIN, the PSH, and the URG flags, all set to on or one. Now, in this case, it’s going to look like a Christmas tree in their logs and in their intrusion detection systems, this is a surefire way for you to get caught. So, why would you ever send one of these if you were a penetration tester? Well, because you’re trying to make sure people are actually paying attention. So, you can actually send this out as an easy thing to see if people catch you or not. If they’re not catching some of your hard things, you could throw one of these in there and see if they’re actually awake and actually looking at their logs. The next one we’re going to talk about is a UDP scan. Now, this uses the flag -sU.

This allows us to conduct a scan by sending a UDP packet instead of a TCP packet, and we’re going to send that to our target and then wait for a response or a timeout. Now, because UDP doesn’t have SYN, and ACK, and all the acknowledgements, and three-way handshakes, we basically have to send it and then wait to hear if we got a response or, was there a timeout? And then we use that to figure out if that port was open or closed. This can be used if you want to be a little bit more stealthy and figure out if things are actually working well for you. Next, we have port ranges. You can use the flag -p to specify the port you want to scan. Now, when you’re scanning ports by default it’s going to scan 1,000 of the most commonly used ports, that can take a lot of time and it’s not very stealthy. So, when I’m doing my scans as a penetration tester, I will usually scan for just a couple of ports that I think are important, or ones that I want to go after. I might go after port 80, if they’re running a web server, port 443, if they’re using a web server, port 22, if they’re running an SSH server, instead of going after 1,000 ports. It’s another way to try to sneak in past the sensors and try to get through the firewall and get through the intrusion detection and prevention systems. Now, all of these techniques can be made more or less stealthy as well as combine with other options covered in our discovery scans. So, I can use things like timing for my discovery scans and use -T0 to make it really slow, and then I can use a half-open scan using dash -sS, and I can combine these together to give me something that looks a little bit more stealthy. I also can use that with -p and add in only port 80. And so, by doing this and crafting my Nmap scans, I can make myself more stealthy and I have a better chance of not being detected if I’m an attacker.

Now, as I mentioned, when you conduct your scan, you’re going to be scanning a host and fingerprinting it and to identify what ports may be open or which ones may be closed. Now, there’s lots of different port states and you have to understand these because these different states can tell you what that port is capable of doing and whether or not you have a vulnerability. Now, the first three of these are known as open, closed and filtered. Let’s take a look at each of these. First, we have open. Now, open is when an application on the host is ready to accept connections. So, if I’m running a web server, port 80 should be open because I need to be open and listening and ready to accept a connection from whatever client wants to get access to my web server. But if I’m not running something like Telnet, then port 23 should not be open. And that brings us to our second state which is known as closed. This is when the port responds to probes by sending a reset packet. That means there’s no application available to accept connections there. So again, if I have a web server and it’s not running Telnet, it’s not going to have port 23 open. So if I send a packet to it and say, is port 23 open? I want to make a connection. It’s going to send back a reset packet that says, this port is closed, you know there is no application installed on that system for that particular port. Now, the third category we have is what’s known as filtered.

Now, filtered occurs when Nmap can’t probe the port but it doesn’t necessarily know that it’s closed. This is usually due to a firewall blocking the scan on the network or host. And so, when you see filtered, the first thing you should be thinking as somebody who’s scanning this network is, there’s a firewall in place. And so, that brings us to other states that could be shown as well. There are three other other states that are displayed if the scan cannot determine a reliable result. Again, filtered is one result where we’re sure there’s a firewall, but there’s other ones when we’re not so sure. These are unfiltered, open-filtered and closed-filtered. Now, unfiltered is when Nmap can probe the port but it can’t determine if it’s open or closed. It’s not filtered, it’s not being blocked by a firewall, but I’m really not sure if it’s open or closed. I know this sounds kind of weird, and it really is. It is not very common to find ports labeled as unfiltered in your Nmap scans. Next, we have open-filtered. Now, this happens when Nmap can’t determine if the port is open or filtered, so it’s one or the other. So, when it does its UDP or IP protocol scan, this is pretty common, that it’ll come back open-filtered. If you’re using a SYN scan, it should actually tell you whether or not it was open or filtered.

It can determine that based on the response from the server. Now, the third one we have is closed-filtered and this is when Nmap can’t determine if the port is closed or filtered when conducting the TCP idle scan. So if you’re conducting a TCP idle scan using dash -TI, you may get back something that shows closed-filtered. Again, these three are not nearly as common as the open, closed and filtered, but they are important to know. Now, why is it important for us to know all these different port states? It’s important for us to understand this because an open port indicates a host that is ready to accept connections. That means there might be a vulnerability there because there’s an inbound connection that’s open. If you have a web server and port 80 is open, that’s not really a vulnerability because you know that port 80 is open ’cause it’s a web server, you’re expecting that. But if I do a scan against your host inside your network for your work stations and I find port 80 is open, that is something that I’m going to look into, that is a vulnerability to me, because most people aren’t running web servers on their desktops. It’s just not that common. And so, by going through and doing these port scans and looking at these port states, it can tell you what you need to look further into and help identify the attack surface of the network.

• Category: Uncategorized