Analog5:000 Article 007
From Hak5
Exploring Networks
By: Nickisgod1
Published: January 20th, 2007
A Very Condensed Guide to Nmap and Other Networking Tools.
Have you just started that new job, are you beginning at a new school, or did you just get that new Internet connection? Then you probably don't want to keep using a connection without knowing something about the other computers on the network. Would you move into a new house and not check out the neighborhood? I know I wouldn't. So let's take a look at some simple tools used to analyze your network neighbors. This article assumes the following programs are installed; links to their source or binaries will be provided at the end of this article.
- The Linux operating system, or a live cd
- nmap
- nessus
- traceroute
- nc
- sing
- tcpdump
- wireshark (ethereal)
(I may or may not use all of these specifically in this article; however, they are great programs, and the reader is advised to install them and read their respective manuals.) In trying to be as distro-neutral as possible, no installation instructions will be provided. However, as a note to those using some form of Ubuntu: this tutorial assumes the use of su -, and will not explicitly say sudo, so either set a password for your root user with
$ sudo passwd root
and switch your user to root with "su -", or remember to use sudo wherever I issue a command as root. (Note that all root command prompts will be shown with # and user prompts with $.)
Now that that is out of the way, let's start gathering information. First, let's find out our IP on this network:
# ifconfig
This will show us a lot of information; right now what we are interested in is the "inet addr:" label, probably under eth0, or whatever NIC you are currently using to connect to the network. Note this address; it will be quite useful. Most likely it will be in one of the following ranges:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
For the sake of this example we will assume your IP is 192.168.0.103, with a subnet mask of 255.255.255.0. Let's start by seeing which hosts are up on our subnet with a ping sweep:
# nmap -sP 192.168.0.0/24
You should get back a list of the hosts that are up, as well as some of their MAC addresses, and possibly some info about the computers.
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-01-10 15:29 EST
Host 192.168.0.1 appears to be up.
MAC Address: 00:17:9A:24:E6:88 (D-Link)
Host 192.168.0.100 appears to be up.
MAC Address: 00:0C:6E:74:BD:B9 (Asustek Computer)
Host 192.168.0.101 appears to be up.
MAC Address: 00:15:E9:2C:36:3B (D-Link)
Host 192.168.0.102 appears to be up.
MAC Address: 00:15:E9:2C:85:DA (D-Link)
Host 192.168.0.103 appears to be up.
Nmap finished: 256 IP addresses (5 hosts up) scanned in 9.789 second
So now we have some information. We know that there are 5 hosts up on our subnet, including our own. Looking at the IP addresses, 192.168.0.1 is a good candidate for a router, especially in relation to the other IPs. When we trace the route our packets take to Google with traceroute, it confirms that the packets are indeed routed through this IP.
# traceroute www.google.com (output omitted to avoid redundancy)
You are now ready to start looking at individual hosts on your network. First let's take a look at some of nmap's functions. There are two main types of scans that nmap can perform (as well as several others not discussed here). The first is a simple TCP connect scan (-sT), which uses the connect() syscall to actually make a full TCP connection, then immediately breaks it off. This easily lets nmap see which ports are open on a host, because those are the ones it is able to connect to. However, you will almost certainly be logged by the host, as even the crappiest detection software is going to notice that many connections in a row. You do not need root privileges to run this scan.
The second most common scan nmap performs is known as the TCP SYN scan (-sS). The way this works is that nmap sends a TCP packet with the SYN (synchronize) flag set to a port. If the port is closed, the host responds with a RST (reset). If the port is filtered, nmap gets no response. Finally, if the port is open, the host returns a SYN/ACK packet, at which point nmap immediately responds with a RST before a full TCP connection is established. This will often prevent the scan from showing up in the application logs; however, most modern firewalls will pick up on the scan attempt, although this can normally be avoided by changing nmap's timing and utilizing other options we will discuss later. The SYN scan does require root access to the machine.
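As an added illustration, not code from the original article, here is a small Python script that shows what these two scan styles look like from the target's side of the wire: a SYN scan leaves SYN/ACKs answered with RST, while a connect scan completes the handshake before tearing it down. The tcpdump-style lines, the flow-state labels and the three-port threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed tcpdump-style TCP lines (not a real capture); flag letters follow tcpdump:
# S = SYN, S. = SYN/ACK, . = ACK, R / R. = RST.
LINE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([SRFP.]+)\]")
SAMPLE_CAPTURE = """\
192.168.0.103.40001 > 192.168.0.100.135: Flags [S]
192.168.0.100.135 > 192.168.0.103.40001: Flags [S.]
192.168.0.103.40001 > 192.168.0.100.135: Flags [R]
192.168.0.103.40003 > 192.168.0.100.22: Flags [S]
192.168.0.100.22 > 192.168.0.103.40003: Flags [R.]
192.168.0.103.40004 > 192.168.0.100.8080: Flags [S]
192.168.0.101.50000 > 192.168.0.100.445: Flags [S]
192.168.0.100.445 > 192.168.0.101.50000: Flags [S.]
192.168.0.101.50000 > 192.168.0.100.445: Flags [.]
"""

def classify_flows(capture):
    """Label every client-initiated flow by how its handshake ended."""
    flows = {}  # (client, server, client port, server port) -> state
    for src, sport, dst, dport, flags in LINE_RE.findall(capture):
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "S" and fwd not in flows:
            flows[fwd] = "unanswered"          # SYN out; stays here if the port is filtered
        elif flows.get(rev) == "unanswered":   # the server's answer to the SYN
            flows[rev] = "open" if flags == "S." else "closed"
        elif flows.get(fwd) == "open":         # the client's reply to SYN/ACK is the tell
            flows[fwd] = "half_open" if flags == "R" else "connect"
    return flows
def summarize(capture, min_ports=3):
    """Per source IP: distinct ports probed, outcome counts and a scan verdict."""
    per_src = defaultdict(lambda: {"ports": set(), "half_open": 0, "connect": 0,
                                   "closed": 0, "unanswered": 0})
    for (client, server, _, dport), state in classify_flows(capture).items():
        per_src[client]["ports"].add((server, dport))
        if state in per_src[client]:
            per_src[client][state] += 1
    report = {}
    for client, e in per_src.items():
        n = len(e["ports"])
        if n < min_ports:
            verdict = "normal"
        elif e["half_open"] > e["connect"]:
            verdict = "syn_scan"       # SYN/ACKs answered with RST: the -sS pattern
        elif e["connect"] > e["half_open"]:
            verdict = "connect_scan"   # full handshakes on every open port: the -sT pattern
        else:
            verdict = "scan"           # only closed/unanswered ports; style can't be told
        report[client] = dict(e, ports=n, verdict=verdict)
    return report
```

On a real capture the same logic runs over `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'` output, which is exactly the traffic the author suggests watching while learning nmap.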
Finally, before we start exploring hosts, let's take a look at a few of the options nmap offers us. First, the timing options. These are useful because a host is less likely to notice a scan if the packets are sent at longer intervals. This is set with the -T flag; the options are 0 to 5, with 0 being around 5 minutes between ports and 5 being around a .3 second delay. At the 0 level you are very unlikely to be noticed, but a full scan would take forever, while at the fastest level (5) data could be lost. I recommend a level between 1 and 3.
Next, IP decoys. Decoying is a fairly effective way of hiding your IP. Basically it does exactly what it sounds like: it sends not only packets with your IP, but also other packets with spoofed source IPs, so to the host it looks as if several IPs are scanning it. This is done with the -D flag followed by the decoy IPs separated by commas. Nmap will place your IP randomly among the decoys unless you position it explicitly. I recommend using the IPs of other active hosts, or it will be fairly obvious who the actual scanner is. Nmap can also be set to use only a spoofed source IP with the -S flag; however, you would never get an answer, since the host does not know your IP address, so for our purposes it is not very useful. For those interested, your MAC can also be spoofed using the --spoof-mac flag.
Now for some of the more useful scan options. The first is OS detection; although not always entirely accurate, nmap usually tells you when it is not positive. OS detection is activated with the -O flag. Another useful option is -sV, which tells nmap to probe for which service and version are listening on a port. This is quite useful when looking for possible exploits. Readers may wish to note that both -O and -sV can be enabled at once by setting the -A flag. On a final note, if you know that a host is up, you may want to pass the -P0 flag, which tells nmap not to ping the host, keeping your scan much quieter.
One may also want to use the -v option for more verbose output. I encourage everyone to run wireshark and tcpdump while learning to use nmap; seeing exactly what you are doing is often important to learning, and it can be quite interesting as well. Now, armed with our new knowledge, let's find some information about a host:
# nmap -sS -sV -O 192.168.0.100
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-01-10 23:57 EST
Interesting ports on 192.168.0.100:
Not shown: 1676 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1026/tcp open tcpwrapped
MAC Address: 00:0C:6E:74:BD:B9 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
Service Info: OS: Windows
Nmap finished: 1 IP address (1 host up) scanned in 11.934 seconds
So what does this tell us? Let's have a look. First off, it is running either Win2k3 or XP SP2. It is running 4 services, with only open and closed ports, none filtered. This process can be repeated with multiple hosts individually, or nmap can be told to scan a number of hosts at once.
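Added example, not part of the original article: a Python parser for the two nmap 4.x text layouts shown above (the -sP host list and the -sS -sV -O port table), turning them into structured records so repeated scans can be compared or fed into an inventory. The sample outputs are constructed in the article's format and include one filtered port, which the article's host did not have, to show how the state tally reports it.

```python
import re
from collections import Counter

# Constructed samples in the layout of the article's two scans (nmap 4.x text output).
SWEEP_OUTPUT = """\
Host 192.168.0.1 appears to be up.
MAC Address: 00:17:9A:24:E6:88 (D-Link)
Host 192.168.0.103 appears to be up.
"""
SERVICE_OUTPUT = """\
Interesting ports on 192.168.0.100:
Not shown: 1676 closed ports
PORT     STATE    SERVICE      VERSION
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds Microsoft Windows XP microsoft-ds
8080/tcp filtered http-proxy
OS details: Microsoft Windows 2003 Server or XP SP2
"""
HOST_RE = re.compile(r"^Host (\S+) appears to be up\.")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.+))?$")

def parse_sweep(text):
    """Map each live IP to its MAC/vendor; nmap prints no MAC line for the scanning host."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = None
        elif (m := MAC_RE.match(line)) and current:   # MAC line belongs to the Host above it
            hosts[current] = {"mac": m.group(1), "vendor": m.group(2)}
    return hosts

def parse_services(text):
    """Pull target, per-port rows, OS guess and a port-state tally out of a -sS -sV -O report."""
    result = {"target": None, "not_shown": 0, "os": None, "ports": []}
    for line in text.splitlines():
        if line.startswith("Interesting ports on "):
            result["target"] = line.split()[-1].rstrip(":")
        elif line.startswith("Not shown: "):
            result["not_shown"] = int(line.split()[2])
        elif line.startswith("OS details: "):
            result["os"] = line[len("OS details: "):]
        elif m := PORT_RE.match(line):          # header line has no "N/tcp", so it is skipped
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version})
    result["states"] = Counter(p["state"] for p in result["ports"])  # open vs filtered etc.
    return result
```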
If one is doing this scanning for the purposes of security audits, and not just curiosity, I recommend several other things. First, familiarize yourself with the nmap manual ($ man nmap); there are several scans not covered here which can give more information, especially in regards to filtered ports, UDP scans, and other interesting stuff. Also, a great tool to have in your security arsenal is nessus. When you come across an interesting host in your scans that you wish to audit for security purposes, I strongly suggest starting the nessus service and scanning the host; it is an amazing tool. I just want to remind everyone again not to be afraid to look at wireshark or tcpdump to see what is happening. Also take a look at the programs (listed earlier) that I did not get to in this article; sing is also quite useful and a lot more powerful than ping. Happy scanning.
Programs
Check your specific distro; most of these programs are probably available through the repositories for your package management system (apt-get, yum, etc.).
- Nick S aka Nickisgod1
- nickisgod1@gmail.com