IV Needle Injecting Tech into the Vein

16 May 2009

Nmap OS Fingerprinting

Active OS Fingerprinting (Gen1) - older Nmap versions

  • TCP Sequence Prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYN|FIN|URG|PSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FIN|PSH|URG packet to closed port
  • UDP packet to closed port

Nmap Gen2 Active OS Fingerprinting (> 30 different methods/tests, invoked with -O or -O2)

  • TCP ISN greatest common divisor (GCD)
  • TCP ISN counter rate (ISR)
  • TCP IP ID sequence generation algorithm (TI)
  • ICMP IP ID sequence generation algorithm (II)
  • Shared IP ID sequence boolean (SS)
  • TCP timestamp option algorithm (TS)
  • TCP initial window size (W, W1 - W6)
  • IP don’t fragment bit (DF)
  • IP initial time-to-live guess (TG)
  • Explicit congestion notification (CC)

Posted by: Heavymeddler

Filed under: Uncategorized

Nmap Top Port Scan Performance Options

  • --host-timeout (asks Nmap to give up on hosts that take more than the given amount of time to scan)
  • --max-retries (specifies the maximum number of port scan probe retransmissions to a single port)
  • --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout (amount of time that Nmap will wait for a port scan probe response)
  • --min-rate, --max-rate (the minimum and maximum number of probe packets Nmap sends per second)
  • --min-parallelism, --max-parallelism (number of port scan probes, across all hosts scanned concurrently, that Nmap may have outstanding)
  • --scan-delay, --max-scan-delay (amount of time between sending probes to any individual host; the scan delay can grow as Nmap detects packet loss, so a maximum may be specified)


Nmap Version Scanning (-sV)

  • When Nmap identifies an open port, it displays the default service commonly associated with that port (based on a list of about 2,200 services in the nmap-services file)
  • What about services not on the list?
  • What about services on unexpected ports? (i.e. HTTP on T:90 or sshd on T:3322)
  • --version-trace (option shows probe details in real time)

Nmap Version Scanning Technique

  • NULL probe
    • If the port is TCP, Nmap connects to it and listens for roughly 5 seconds for an initial welcome banner
    • If data is received, it is compared to the signatures in nmap-service-probes
  • Probable Port probes (share the connection from the NULL probe)
    • All UDP ports, and TCP ports that failed (or soft-matched) NULL probing
    • Every probe has a list of probable port numbers
    • Probes that match the port send a probe string to the port
    • Responses are compared to regular expressions
  • Sequential Probes
    • New connection for each probe (to avoid corrupting the next probe)
    • Uses a ‘rarity’ metric to avoid trying probes that are extremely unlikely
  • SSL probes
    • If the Sequential Probes determine the target port is running SSL and OpenSSL is available, Nmap connects back via SSL and restarts the scan
  • Nmap RPC Grinder
    • If a generic probe identifies an RPC-based service, the Grinder brute-forces the RPC program number/name and supported version numbers


Nmap UDP Scans (-sU)

  • Scans are generally slower and more difficult than TCP
  • Sends an empty (no data) UDP header to target ports
  • ICMP response rate-limiting detection
    • Closed ports typically respond with ICMP Port Unreachable
    • The OS limits ICMP responses (Linux limits to 1/sec)
    • Nmap slows down to avoid wasting packets
    • 65,536 ports @ 1/sec > 18 hours for one host


Nmap Runtime Interaction

  • p = turn on packet tracing
  • v = increase verbosity
  • d = increase debugging level
  • Shift + [p, v, d] inverts
  • Any other key = print status message
    • Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
    • % done, ETA remaining


Nmap Timing Options (-T)

  • Paranoid (0) - scan serially, wait 5 min between packets
  • Sneaky (1) - scan serially, wait 15 seconds between packets
  • Polite (2) - scan serially, wait 0.4 seconds between packets
  • Normal (3) [default] - parallel scan, multiple packets to multiple ports at once
  • Aggressive (4) - parallel scan, max time per host 5 min, 1.25 seconds response time-out
  • Insane (5) - parallel scan, max time per host 75 seconds, 0.3 seconds response time-out


TCP Idle Scan

  • 1998: security researcher Antirez (who also wrote hping2) posted the technique to the Bugtraq mailing list
  • One way to determine whether a TCP port is open is to send a SYN packet to the port. The target machine will respond with a SYN/ACK packet if the port is open, and RST if the port is closed.
  • A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored.
  • Every IP packet on the Internet has a fragment identification number (IPID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.
  • Three cases: ‘open’, ‘closed’, and ‘filtered’ port
  • The actors:
    • The Attacker
    • The Zombie
    • The Target

Case 1: Open Port

Case 2: Closed Port

Case 3: Filtered Port

Nmap Idle Scans (-sI)

  • Find a suitable Zombie
    • We didn't just choose a printer icon to represent a zombie in our illustrations to be funny—simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
  • Execute the scan
    • Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.
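The IP ID sequence test (TI) listed under Gen2 OS fingerprinting above is also the check that decides whether a host leaks its packet count and so could serve as an idle-scan zombie; a defender can run the same classification over IP IDs sampled from their own devices to find stacks that should be fixed or isolated. This is an added example, not Nmap's code: the thresholds follow Nmap's published description of the TI test (assumed here, not copied from its source), treating both incremental (I) and broken-incremental (BI) sequences as zombie-usable is an assumption, and the sample sequences are constructed.

```python
"""Classify an IP ID sample sequence the way Nmap's TI/II tests do.

Added example, not Nmap's code.  Thresholds follow Nmap's published
description of the TI test (assumed, not copied from its source)."""

ID_MODULUS = 65536  # the IP ID field is 16 bits, so differences wrap


def ipid_class(ids):
    """Return an Nmap-style class for a list of sampled IP IDs:
    'Z' all zero, 'RD' random, '<hex>' constant, 'RI' random positive
    increments, 'BI' broken (byte-swapped) increment, 'I' incremental,
    or None when no rule matches (Nmap omits the test)."""
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "Z"
    diffs = [(b - a) % ID_MODULUS for a, b in zip(ids, ids[1:])]
    if any(d >= 20000 for d in diffs):
        return "RD"                      # a jump that big means random IDs
    if len(set(ids)) == 1:
        return f"{ids[0]:X}"             # constant non-zero ID, reported in hex
    if any(d > 1000 and (d % 256 or d >= 256000) for d in diffs):
        return "RI"
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                      # increments in the wrong byte order
    if all(d < 10 for d in diffs):
        return "I"
    return None


def suitable_zombie(ids):
    """A host whose IP IDs classify as I or BI reveals how many packets it
    has sent to anyone who probes it, which is what an idle scan relies on
    (assumption: these two classes are the ones -sI can work with)."""
    return ipid_class(ids) in ("I", "BI")


# Constructed samples: a printer-like stack and a modern randomised stack
PRINTER_IDS = [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E, 0x1A2F, 0x1A30]
RANDOM_IDS = [5, 30000, 12, 45000, 9100, 700]

if __name__ == "__main__":
    for name, seq in (("printer", PRINTER_IDS), ("random", RANDOM_IDS)):
        print(name, ipid_class(seq), "zombie-usable:", suitable_zombie(seq))
```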


FTP Bounce Scan

  • RFC 959, October 1985 - File Transfer Protocol
  • DATA PORT (PORT)
  • “The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation). The fields are separated by commas. A port command would be:
    PORT h1,h2,h3,h4,p1,p2
    where h1 is the high order 8 bits of the internet host address.”

FTP Bounce Scan (-b) with Nmap

  • -b [username][:password]@[server][:port]
  • Most modern FTP servers have fixed this vulnerability, but many modern printers that support FTP have forwarding capabilities turned on by default
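How the PORT argument is decoded, and the server-side policy that is the fix referred to above: refuse a data connection to any host other than the control-connection peer, and refuse privileged ports (the first refusal is what Nmap's "doesn't allow privileged ports" message reflects). Added example with constructed addresses; not Nmap's or any FTP server's code.

```python
"""RFC 959 PORT argument (h1,h2,h3,h4,p1,p2) encode/decode plus the
server-side check that closes the FTP bounce hole.
Added example; constructed inputs, not Nmap's or an FTP server's code."""
import ipaddress


def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six decimal fields")
    try:
        vals = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(v < 0 or v > 255 for v in vals):
        raise ValueError("each PORT field is one 8-bit value")
    host = ipaddress.IPv4Address(bytes(vals[:4]))  # h1 is the high-order octet
    port = (vals[4] << 8) | vals[5]                 # p1 is the high-order byte
    return host, port


def format_port_arg(host, port):
    """Encode (host, port) as the PORT argument string."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ipaddress.IPv4Address(host).packed
    return ",".join(str(b) for b in (*octets, port >> 8, port & 0xFF))


def accept_port_command(control_peer, arg, min_port=1024):
    """Server policy: only open the data connection back to the client that
    issued PORT, and only on an unprivileged port.  Returns (ok, reason)."""
    host, port = parse_port_arg(arg)
    if host != ipaddress.IPv4Address(control_peer):
        return False, "PORT host differs from control peer (bounce attempt)"
    if port < min_port:
        return False, "PORT to privileged port refused"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed: client 192.168.1.10 asks for data on its own port 1234
    print(accept_port_command("192.168.1.10", format_port_arg("192.168.1.10", 1234)))
    # Constructed: same client asks the server to connect to a third host
    print(accept_port_command("192.168.1.10", "10,0,0,5,0,22"))
```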

Nmap FTP Bounce Scans

  • Most common result of FTP bounce scan attempts:

    # nmap -PN -b ftp.microsoft.com google.com

    Starting Nmap ( http://nmap.org )
    Your FTP bounce server doesn’t allow privileged ports, skipping them.
    Your FTP bounce server sucks, it won’t let us feed bogus ports!

  • Successful FTP bounce scan:

    # nmap -p 22,25,135 -PN -v -b XXX.YY.111.2 scanme.nmap.org

    Starting Nmap ( http://nmap.org )
    Attempting connection to ftp://anonymous:-wwwuser@@XXX.YY.111.2:21
    Connected:220 JD FTP Server Ready
    Login credentials accepted by ftp server!
    Initiating TCP ftp bounce scan against scanme.nmap.org (64.13.134.52)
    Adding open port 22/tcp
    Adding open port 25/tcp
    Scanned 3 ports in 12 seconds via the Bounce scan.
    Interesting ports on scanme.nmap.org (64.13.134.52):
    PORT    STATE    SERVICE
    22/tcp  open     ssh
    25/tcp  open     smtp
    135/tcp filtered msrpc

    Nmap done: 1 IP address (1 host up) scanned in 21.79 seconds


Port Scanning with Nmap

  • -sT: Connect TCP scan (aka “polite”)
  • -sS: SYN scan (aka “half-open”)
    • Harder to detect
    • Much quicker
  • -sF, -sN, -sX: FIN, NULL, and Xmas scans
    • RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66, regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
    • Compliant systems respond to packets not containing SYN, RST, or ACK bits with RST if the port is closed and no response if the port is open
  • --scanflags: Custom Scan Types
    • Any combination of URG, ACK, PSH, RST, SYN, and FIN
    • Non-delimited list (e.g. URGACKPSHRSTSYNFIN)
  • -sA: TCP ACK scan
    • Does not determine port state
    • Useful to map firewall rulesets and whether they are stateful or not
    • ‘open’ and ‘closed’ reachable ports reply with RST = ‘unfiltered’
    • ‘filtered’ ports don’t respond or send ICMP errors
  • -sW: Window TCP scan
    • Same as ACK scan, but examines the TCP Window value of the RST
  • -sM: Maimon scan (FIN/ACK)
    • Uriel Maimon (Phrack Magazine, Nov. 1996)


Port Selection Examples (-p | -F)

  • -p 22 (scan a single port)
  • -p ssh (specify port names rather than numbers)
  • -p 22,25,80 (multiple ports separated with commas; protocol determined by scan type)
  • -p 80-85,443,8000-8005,8080-8085 (ranges specified by [-], multiple ranges separated by [,])
  • -p -100,60000- (can omit the beginning or end of a range to imply port 1 and T:65535 | U:255)
  • -p- (omit both beginning and end numbers to scan the entire range, excluding 0)
  • -p T:21,23,110,U:53,111,137,161 (for scans that include both UDP and TCP types, port lists can specify ports for each protocol)
  • -p http* (wildcards may be used to match ports with similar names; may need to shell-escape)
  • -p 1-1023,[1024-] (enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services)
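A parser for the numeric -p forms above, returning the per-protocol port sets Nmap would scan, plus a scope check for confirming that a requested spec stays inside an authorized port list (useful when reviewing scan jobs before they run). Added example, not Nmap's own parser; it assumes 65535 as the upper bound for both TCP and UDP, and does not model service names, wildcards, or the bracketed nmap-services filter.

```python
"""Parse numeric Nmap -p port specs into per-protocol port sets.
Added example, not Nmap's own parser.  Handles ranges, omitted range ends,
'-' for everything, and T:/U: prefixes; service names, wildcards and
[bracketed] nmap-services filters are not modelled."""

MAX_PORT = 65535  # assumed upper bound for both TCP and UDP


def _parse_range(token):
    """'22' -> {22}; '80-85' -> 80..85; '-100' -> 1..100;
    '60000-' -> 60000..65535; '-' -> 1..65535 (0 is excluded)."""
    if "-" in token:
        lo, hi = token.split("-", 1)
        lo = int(lo) if lo else 1          # omitted start means port 1
        hi = int(hi) if hi else MAX_PORT   # omitted end means the last port
    else:
        lo = hi = int(token)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad port range: {token!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec):
    """Return {'T': set, 'U': set} for a -p argument string.  Ports listed
    before any T:/U: prefix apply to both protocols."""
    ports = {"T": set(), "U": set()}
    current = None  # None until a T:/U: prefix selects one protocol
    for token in spec.replace(" ", "").split(","):
        if token[:2].upper() in ("T:", "U:"):
            current, token = token[0].upper(), token[2:]
        if not token:
            raise ValueError("empty port token")
        rng = _parse_range(token)
        for proto in ([current] if current else ["T", "U"]):
            ports[proto] |= rng
    return ports


def within_authorized(spec, authorized_spec):
    """True if every port the spec would scan lies inside the authorized
    spec (e.g. an engagement's agreed scope), checked per protocol."""
    want, allow = parse_port_spec(spec), parse_port_spec(authorized_spec)
    return all(want[p] <= allow[p] for p in ("T", "U"))


if __name__ == "__main__":
    # Constructed request and scope: only 1-1023 is authorized
    print(within_authorized("22,80,8080", "1-1023"))  # scans outside scope
```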
