NETinVM

Exercise: Port Scanning With Nmap

Authors: David Perez and Carlos Perez
Date: 04 de septiembre de 2012

Contents

Objective

The goal of this exercise is to perform a port scan against a target system the way an attacker would do it in order to determine the network services available on that target system. In this exercise the target system will be "www.example.net" and the scan will be performed from "exta.example.net".

Introduction

One of the first stages in many network based attacks is the gathering of intelligence about the target system and port scanning is one of the most common techniques used for this purpose. Port scanning is especially effective against TCP services whereas for UDP services it is much less reliable. This exercise will concentrate on TCP port scans only.

Basically, performing a TCP port scan consists of sending connection attempts (SYN packets) against TCP ports on the target system and then analyzing the response or lack of it from the target system in order to determine which ports are open, meaning there is a network service listening on those ports and that service is accessible from the attacking system, closed, meaning no service is listening on them, or filtered, meaning those ports are not accessible from the attacking system because some network element is blocking the traffic directed to them.

In this exercise "exta" ("exta.example.net", "10.5.0.10") will be used as the attacking system and "www.example.net" ("dmza", "10.5.1.10") as the target system. The tool that will be used to perform the port scan is "nmap", one of the most, if not the most, versatile port scanners available on the Internet. Initially, a very simple port scan will be performed and then scans with increasing levels of complexity will be shown in order to explore some of the many different possibilities offered by nmap.

Note

Help on using nmap can be obtained by running the command "man nmap". The man page displayed will show the great number of options offered by this tool.

Preparation

In order to perform the exercise the NETinVM environment must be brought to life by peforming the following actions:

Note

Except where otherwise indicated, all commands must be run as user "root" in "exta".

Basic Port Scan

In order to perform a basic port scan against the target system (www.example.net) the command to run is as simple as this:

# nmap www.example.net

The output (after 10 seconds approx.) should be similar to this:

exta:~# nmap www.example.net

Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 13:38 UTC
Interesting ports on dmza.example.net (10.5.1.10):
Not shown: 1713 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 8.859 seconds
exta:~#

The above screen output indicates that port 80, commonly associated with protocol HTTP, is open, port 443, commonly associated with protocol HTTPS, is closed and the other 1713 ports probed by nmap are filtered.

But, what about the rest of TCP ports? (remember, TCP ports range from 0 to 65535). The answer is that so far we don't know their state. With this simple invocation of nmap it only probes the ports listed in the file "nmap-services" (/usr/share/nmap/nmap-services) which contains around 1715 of the most commonly used ports. The contents of this file can be shown with the following command:

# less /usr/share/nmap/nmap-services

In the next section we will scan all TCP ports of the target system.

Port Scan of All TCP Ports

In order to tell nmap to scan all TCP ports of the target system and not only those listed in the "nmap-services" file we need to use the option "-p". This option takes an argument that will be interpreted by nmap as the port number or numbers that must be scanned. This argument can be a single port number (e.g. "22"), a list of port numbers separated by commas (e.g. "22,80,443") or a port range with the begining and ending port numbers separated by a minus sign (e.g. "1-1024"). In our case, since we want to scan all 65536 ports the command to run will be the following:

# nmap -p 0-65535 www.example.net

The execution of this command will take considerably longer than before (probably around 6 minutes) because now nmap has to send and receive many more packets. Optionally, while the command is running, the network traffic can be observed using wireshark in "base" as it was described in the Preparation section or by running as "root" in "exta" in a different terminal window the following command: "tcpdump -nn -i eth0".

The output on the screen should be similar to this:

exta:~# nmap -p 0-65535 www.example.net

Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 13:48 UTC
Interesting ports on dmza.example.net (10.5.1.10):
Not shown: 65534 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 150.727 seconds
exta:~#

Note that no other port was found open nor closed in "dmza" because all other ports were filtered ("Not shown: 65534 filtered ports"). In this case it is the system "fw" that is filtering all traffic destined to "dmza" to ports other than 80 or 443.

At this point the attacker would have concluded that the only network service accesible throught the network from his attacking system is a process listening on port 80 and that the only other port to which he has access is port 443, but there is no process listening on that port.

The next step in the attack could be trying to identify which service is actually listening on port 80 including, if possible, its exact version and also to identify the operating system of the target system. Of course nmap has options for both purposes and the following sections show how to use them.

Operating System Identification of the Target System

In order to identify the operating system of the target system nmap provides the option "-O" (capital letter "o"), which takes no arguments. For the identification to be reliable namp needs to find at least one open port and one closed port on the target system. We could simply run "nmap -O www.example.net", but since we already found an open port (80) and a closed port (443) in the target system before, we can make the execution faster if we tell nmap to contact only those ports, like this:

# nmap -O -p 80,443 www.example.net

The output on the screen should be similar to this:

exta:~# nmap -O -p 80,443 www.example.net

Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 13:59 UTC
Interesting ports on dmza.example.net (10.5.1.10):
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.23
Uptime: 0.041 days (since Thu Nov 11 13:00:53 2010)

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.639 seconds
exta:~#

Note that nmap correctly identifies the OS of the target system as Linux, although it is not able to assert with certainty which exact version of the kernel nor the Linux distribution (the perfect answer in the above scan would have been "Linux 2.6.26q").

Service Identification

Note that so far we know that port 80 and only that port is open in "www.example.net" and we also know that port 80 is commonly associated with protocol HTTP, so one would expect the service listening on that port to be a web server, but the truth is that it might be a totally different service, like an SSH server, for example.

In order to identify the services listening on the open ports of the target system nmap provides the option "-sV". In our case, to identify the service listening on port 80 we could execute the following command:

# nmap -sV -p 80 www.example.net

In a few seconds we should obtain a screen output similar to this:

exta:~# nmap -sV -p 80 www.example.net

Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 14:03 UTC
Interesting ports on dmza.example.net (10.5.1.10):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.9 ((Debian))

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.692 seconds
exta:~#

In the above output we can see that nmap has identified the service correctly as an Apache web server, version 2.2.9, compiled for a Debian Linux distribution ("Apache httpd 2.2.9 ((Debian))").

Additional Tests

Apart from the examples shown in the previous sections, nmap offers lots of additional options. In order to explore some of them, it is suggested to try and determine the purpose and output of the following commands (executed in "exta"):

# nmap -sP 10.5.1.0/24
# nmap -sA -p 80,81 10.5.1.10
# nmap -n -P0 -sW -p 80,81 10.5.1.10
# nmap -n -P0 -sX -p 80,81 10.5.1.10
# nmap -n -T5 -p 0-65535 10.5.1.10

End of the exercise "Port Scanning With Nmap".