Authors: David Perez and Carlos Perez
Date: 2 November 2016
The goal of this exercise is to perform a port scan against a target system the way an attacker would do it in order to determine the network services available on that target system. In this exercise the target system will be "www.example.net" and the scan will be performed from "exta.example.net".
One of the first stages in many network based attacks is the gathering of intelligence about the target system and port scanning is one of the most common techniques used for this purpose. Port scanning is especially effective against TCP services whereas for UDP services it is much less reliable. This exercise will concentrate on TCP port scans only.
Basically, a TCP port scan consists of sending connection attempts (SYN packets) to TCP ports on the target system and then analyzing the response, or the lack of it, in order to classify each port as one of the following: open, meaning a network service is listening on that port and is reachable from the attacking system (the target answers the SYN with a SYN/ACK); closed, meaning the port is reachable but no service is listening on it (the target answers with an RST); or filtered, meaning the port is not reachable from the attacking system because some network element, typically a firewall, is blocking the traffic directed to it (no answer arrives at all, or only an ICMP error message).
In this exercise "exta" ("exta.example.net", "10.5.0.10") will be used as the attacking system and "www.example.net" ("dmza", "10.5.1.10") as the target system. The tool that will be used to perform the port scan is "nmap", one of the most, if not the most, versatile port scanners available on the Internet. Initially, a very simple port scan will be performed and then scans with increasing levels of complexity will be shown in order to explore some of the many different possibilities offered by nmap.
Note
Help on using nmap can be obtained by running the command "man nmap". The man page displayed will show the great number of options offered by this tool.
In order to perform the exercise the NETinVM environment must be brought to life by performing the following actions:
Start the VMware virtual machine "NETinVM"
Start, inside "NETinVM", the UML (User Mode Linux) virtual machines by running in "base", as user "user1", the command "uml_run_all.sh"
Log in as "root" in "exta"
Verify there is network connectivity between "exta" and "dmza" by running in "exta", as user "root", the following command:
# ping -c 1 dmza
The option "-c 1" tells ping to only send one probe packet. The output should look like this:
exta:~# ping -c 1 dmza
PING dmza.example.net (10.5.1.10) 56(84) bytes of data.
64 bytes from dmza.example.net (10.5.1.10): icmp_seq=1 ttl=63 time=52.7 ms
--- dmza.example.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 52.782/52.782/52.782/0.000 ms
exta:~#
If the number of packets transmitted and received is the same, as shown above ("1 packets transmitted, 1 received"), everything is working fine. If, on the contrary, no response from the target system is received, then there is some kind of problem that will need to be resolved before continuing with the exercise.
Additionally, it is recommended to run "wireshark" as "root" in "base" and make it listen on the "tap0" network interface in order to see the traffic sent and received by "exta" during the exercise.
Note
Except where otherwise indicated, all commands must be run as user "root" in "exta".
In order to perform a basic port scan against the target system (www.example.net) the command to run is as simple as this:
# nmap www.example.net
The output (after 10 seconds approx.) should be similar to this:
exta:~# nmap www.example.net
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 13:38 UTC
Interesting ports on dmza.example.net (10.5.1.10):
Not shown: 1713 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 8.859 seconds
exta:~#
The above screen output indicates that port 80, commonly associated with protocol HTTP, is open, port 443, commonly associated with protocol HTTPS, is closed and the other 1713 ports probed by nmap are filtered.
But what about the rest of the TCP ports? (Remember, TCP ports range from 0 to 65535.) The answer is that so far we do not know their state. With this simple invocation nmap only probes the ports listed in the file "nmap-services" (/usr/share/nmap/nmap-services), which contains around 1715 of the most commonly used ports; everything not listed there was simply never probed. The contents of this file can be shown with the following command:
# less /usr/share/nmap/nmap-services
In the next section we will scan all TCP ports of the target system.
In order to tell nmap to scan all TCP ports of the target system, and not only those listed in the "nmap-services" file, we need to use the option "-p". This option takes an argument that nmap interprets as the port number or numbers that must be scanned. This argument can be a single port number (e.g. "22"), a list of port numbers separated by commas (e.g. "22,80,443"), a port range with the beginning and ending port numbers separated by a minus sign (e.g. "1-1024"), or a comma-separated mix of the two (e.g. "22,80,1000-2000"). In our case, since we want to scan all 65536 ports, the command to run will be the following:
# nmap -p 0-65535 www.example.net
The execution of this command will take considerably longer than before (probably around 6 minutes) because now nmap has to send and receive many more packets. Optionally, while the command is running, the network traffic can be observed using wireshark in "base" as it was described in the Preparation section or by running as "root" in "exta" in a different terminal window the following command: "tcpdump -nn -i eth0".
The output on the screen should be similar to this:
exta:~# nmap -p 0-65535 www.example.net
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 13:48 UTC
Interesting ports on dmza.example.net (10.5.1.10):
Not shown: 65534 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 150.727 seconds
exta:~#
Note that no other port was found open nor closed in "dmza" because all other ports were filtered ("Not shown: 65534 filtered ports"). In this case it is the system "fw" that is filtering all traffic destined to "dmza" to ports other than 80 or 443.
At this point the attacker would have concluded that the only network service accessible through the network from his attacking system is a process listening on port 80, and that the only other port to which he has access is port 443, but there is no process listening on that port.
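The classification rules described at the start of this exercise (open, closed, filtered) and the "-p" port specification syntax can both be exercised without nmap. The following script is an added example, not code from the NETinVM exercise or from nmap itself: it is a small TCP connect() scanner, the equivalent of "nmap -sT", which completes the three-way handshake instead of sending a bare SYN, so it needs no root privileges but reaches the same verdicts. Host, port specification and timeout are whatever the caller passes; the demo target is a throwaway listener the script starts on the loopback interface (a constructed input, not any system of the NETinVM network).

```python
"""TCP connect() port scanner with nmap-style port states.

Added example, not code from the NETinVM exercise or from nmap itself. Where nmap's
default privileged scan sends bare SYN packets and never completes the handshake,
this script uses ordinary connect() calls (the equivalent of "nmap -sT"), so it
needs no root and the classification rules are the same:
  open     - handshake completed (SYN/ACK came back): a reachable service is listening
  closed   - connect() failed with ECONNREFUSED (RST came back): reachable, nothing listening
  filtered - no answer before the timeout, or an ICMP unreachable error: something dropped the probe
The demo target is a throwaway listener the script starts on 127.0.0.1 (a constructed
input); host, port spec and timeout are whatever the caller passes.
"""
from __future__ import annotations

import errno
import socket


def parse_port_spec(spec: str) -> list[int]:
    """Expand an nmap-style "-p" argument: "22", "22,80,443", "1-1024" or a mix of both."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port specification: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return sorted(ports)


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"  # neither SYN/ACK nor RST: a firewall silently dropped the probe
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                return "closed"  # RST received: the host is reachable, no service on this port
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"  # ICMP unreachable sent back by a router or firewall
            raise  # anything else (bad address, no route at all, ...) is a scanner problem, not a port state


def scan(host: str, spec: str, timeout: float = 1.0) -> dict[int, str]:
    """Scan every port in spec and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in parse_port_spec(spec)}


def _free_port(host: str) -> int:
    """Pick a port nothing listens on by binding to port 0 and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo(host: str = "127.0.0.1") -> dict[int, str]:
    """Constructed demo: one listening port and one idle port on the loopback interface."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    try:
        closed_port = _free_port(host)  # cannot collide with open_port, which is still bound
        return scan(host, f"{open_port},{closed_port}", timeout=0.5)
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port}/tcp\t{state}")
```

Run it as-is to see one "open" and one "closed" port on the loopback interface; point scan() at "10.5.1.10" with spec "0-65535" from "exta" and the 65534 ports that "fw" drops will come back as "filtered" after the timeout, which is also why that run takes so much longer than the loopback demo. Note that a full connect() is logged by the target service as a real connection, whereas nmap's SYN scan is not, which is one reason attackers prefer the latter.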
The next step in the attack could be trying to identify which service is actually listening on port 80 including, if possible, its exact version and also to identify the operating system of the target system. Of course nmap has options for both purposes and the following sections show how to use them.
In order to identify the operating system of the target system nmap provides the option "-O" (capital letter "o"), which takes no arguments. For the identification to be reliable nmap needs to find at least one open port and one closed port on the target system. We could simply run "nmap -O www.example.net", but since we already found an open port (80) and a closed port (443) on the target system, we can make the execution faster if we tell nmap to contact only those ports, like this:
# nmap -O -p 80,443 www.example.net
The output on the screen should be similar to this:
exta:~# nmap -O -p 80,443 www.example.net
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 13:59 UTC
Interesting ports on dmza.example.net (10.5.1.10):
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.23
Uptime: 0.041 days (since Thu Nov 11 13:00:53 2010)
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.639 seconds
exta:~#
Note that nmap correctly identifies the OS of the target system as Linux, although it is not able to assert with certainty which exact version of the kernel nor the Linux distribution (the perfect answer in the above scan would have been "Linux 2.6.26q").
Note that so far we know that port 80, and only that port, is open on "www.example.net", and we also know that port 80 is commonly associated with protocol HTTP, so one would expect the service listening on that port to be a web server. The "SERVICE" column printed so far, however, is only the name looked up in "nmap-services" for that port number; the truth is that the listening process might be a totally different service, like an SSH server, for example.
In order to identify the services listening on the open ports of the target system nmap provides the option "-sV". In our case, to identify the service listening on port 80 we could execute the following command:
# nmap -sV -p 80 www.example.net
In a few seconds we should obtain a screen output similar to this:
exta:~# nmap -sV -p 80 www.example.net
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 14:03 UTC
Interesting ports on dmza.example.net (10.5.1.10):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.9 ((Debian))
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.692 seconds
exta:~#
In the above output we can see that nmap has identified the service correctly as an Apache web server, version 2.2.9, packaged for a Debian Linux distribution ("Apache httpd 2.2.9 ((Debian))"). Keep in mind that nmap obtains this from the banner the service itself sends (for Apache, the "Server" response header, which the administrator can trim with the "ServerTokens" directive), so the result is only as trustworthy as that banner.
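The conclusions drawn from the scans in this exercise (which ports are open, which are merely reachable through "fw", which OS was guessed, which version banner was seen) can be extracted from nmap's screen output by a script. The following parser is an added example, not code from the NETinVM exercise or from the nmap project. Its SAMPLE input is constructed from the outputs shown above, and it also accepts the "Nmap scan report for ..." host line that newer versions of nmap print instead of "Interesting ports on ...". For serious automation prefer "nmap -oX" (XML output), which is the format the nmap project keeps stable for parsers; the normal output is meant for humans and changes between versions.

```python
"""Parser for nmap's normal (screen) output.

Added example, not code from the NETinVM exercise or from the nmap project. It turns
the text nmap prints into a small structured report so the conclusions drawn in the
exercise (open ports, ports reachable through the firewall, OS guess, version banner)
can be checked by a script instead of by eye. SAMPLE below is constructed from the
outputs shown in the exercise; the "Nmap scan report for ..." host line printed by
newer nmap versions is handled as well.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the -sV and -O outputs from the exercise merged into one run.
SAMPLE = """\
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-11 14:03 UTC
Interesting ports on dmza.example.net (10.5.1.10):
Not shown: 65534 filtered ports
PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache httpd 2.2.9 ((Debian))
443/tcp closed https
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.23
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.692 seconds
"""

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+)(?: \(([^)]+)\))?:?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
RUNNING_RE = re.compile(r"^Running: (.+)$")
OS_DETAILS_RE = re.compile(r"^OS details: (.+)$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str        # open, closed, filtered, or a combination such as open|filtered
    service: str      # the name from nmap-services, not necessarily what really listens
    version: Optional[str] = None  # only filled in by -sV


@dataclass
class ScanReport:
    host: Optional[str] = None
    ip: Optional[str] = None
    not_shown: Optional[tuple[int, str]] = None  # (count, state) of the ports nmap collapsed
    ports: list[PortEntry] = field(default_factory=list)
    os_running: Optional[str] = None
    os_details: Optional[str] = None

    def open_ports(self) -> list[int]:
        return [p.port for p in self.ports if p.state == "open"]

    def reachable_ports(self) -> list[int]:
        """Ports the firewall lets through: open or closed, but not filtered."""
        return [p.port for p in self.ports if p.state in ("open", "closed")]


def parse_nmap_output(text: str) -> ScanReport:
    """Build a ScanReport from the text of one single-host nmap run."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := HOST_RE.match(line):
            report.host, report.ip = m.group(1), m.group(2)
        elif m := NOT_SHOWN_RE.match(line):
            report.not_shown = (int(m.group(1)), m.group(2))
        elif m := PORT_RE.match(line):
            report.ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
        elif m := RUNNING_RE.match(line):
            report.os_running = m.group(1)
        elif m := OS_DETAILS_RE.match(line):
            report.os_details = m.group(1)
    return report


if __name__ == "__main__":
    r = parse_nmap_output(SAMPLE)
    print(f"{r.host} ({r.ip}): open {r.open_ports()}, reachable {r.reachable_ports()}, OS {r.os_details}")
```

Feeding it the output of "nmap -sV -O -p 0-65535 www.example.net" from "exta" gives back exactly the attacker's summary from the previous sections: open [80], reachable [80, 443], everything else filtered by "fw".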
Apart from the examples shown in the previous sections, nmap offers lots of additional options. In order to explore some of them, it is suggested to try and determine the purpose and output of the following commands (executed in "exta"). Note that "-sP" and "-P0" are the spellings used by Nmap 4.62; newer versions call the same options "-sn" and "-Pn" but still accept the old names.
# nmap -sP 10.5.1.0/24
# nmap -sA -p 80,81 10.5.1.10
# nmap -n -P0 -sW -p 80,81 10.5.1.10
# nmap -n -P0 -sX -p 80,81 10.5.1.10
# nmap -n -T5 -p 0-65535 10.5.1.10
End of the exercise "Port Scanning With Nmap".