Tips for an Information Security Analyst/Pentester career - Episode 2: Nmap and active recon (part 1)


DISCLAIMER: All the scanning techniques explained here were performed either against my Metasploitable 2 virtual machine or against scanme.nmap.org, and the latter is a website related to Nmap that provides formal permission to perform a scan.

Don’t attempt these techniques against any other websites, unless you’re their owner or you’re legally authorized/entitled to do so.

Depending on local regulations, portscanning a system without any authorization from its owner can cause you legal troubles, so be advised.
In my previous post, I had promised you more hands-on posts and I like keeping my word.

In this episode, I'm going to talk about active reconnaissance and the difference between vulnerability assessment and penetration testing.

Reconnaissance is the most important part of a pentest, because it's when information about the target gets gathered.


We can perform reconnaissance in two ways:
  • active reconnaissance (like in this case, by interacting with the target, such as going to the victim's website, port scanning the target system for open ports and services, etc.)
  • passive reconnaissance (without interaction with the target, for example finding information from public registries, social media, job postings or search results but without opening the links, etc.)
In this post, I'm focusing on active reconnaissance. 

We want to know what software and operating system the computers on the target network are running, what services are enabled and what ports are open, in order to define the potential attack surface.

This allows you to determine what vulnerabilities are present on the target system.

Vulnerability assessments determine which vulnerabilities (potential and critical) could be exploited, using both port scanners and vulnerability scanners like Nessus, and that's about it.

They end up with a report that lists the vulnerabilities found, sorted according to their threat level. 

The important point is that these vulnerabilities may or may not be used to perform actual attacks.

In other words, it's like when you sign up for home insurance. You know your house could catch fire, but that doesn't necessarily mean it's gonna catch fire for real.

It simply tells you a risk exists, so that you can get covered.

A penetration test (a.k.a. pentest) uses the detected vulnerabilities in order to perform a series of attacks against the target system, based on a prior authorization from the system's owner.

In this first part, I'm going to perform active reconnaissance by using Nmap (short for Network Mapper) to define what ports are open and what services are running on the target machine.

In a coming post, I'm going to actually exploit the vulnerabilities I could find based on the reconnaissance performed over this stage.

Stage 1- Network configuration 

I created two virtual machines using VMware Fusion. 

To make all this work, I first created a custom network adapter (vmnet3), by going to VMware Fusion/Preferences/Network and clicking the +, as shown below.

I've designed the following network configuration:

Attacking/analysis machine: I'm using a pre-built Kali Linux 1 2017 image downloaded from the official website, with two network adapters:  
  • Network adapter 1: NAT (Share with my Mac, for VMware Fusion)
  • Network adapter 2: Custom network (vmnet3). Static IP configuration (IP address: 172.16.137.1, subnet mask: 255.255.255.0).
 

Target machine: I'm using an intentionally vulnerable Linux machine, called Metasploitable, based on Ubuntu. It's an example of how you should not configure an operating system. Metasploitable can't be exposed to the Internet, as it would get immediately hacked. I configured it with a custom network adapter, so it can only be reached from inside my local network, as follows:
  • Network adapter 1: Custom network (vmnet3). Static IP configuration (IP address: 172.16.137.2, subnet mask: 255.255.255.0).
This configuration allows me to reach the vulnerable machine from Kali without exposing it to the Internet.

To test the configuration, a ping from the Kali VM to Metasploitable works like a charm, because the two machines are on the same subnet, while the Kali VM uses my Mac's connectivity to reach the Internet.
This is safer than using a bridged adapter, because my VM will not show up as an independent system on the Internet; only my physical system will. In my tests, the whole thing didn't work with a bridged adapter anyway.

The only downside to this configuration is that you can't run commands against hostnames, because the Kali VM shares the same DNS as your physical system. In my case, I had to run the ping command from my Mac terminal first, in order to get the IP address of scanme.nmap.org.

Stage 2- Port scanning with Nmap

Nmap lets you port scan the target machine, which is what it's best known for, but it can also do much more than that.

If correctly used, it can return information on the operating system (fingerprinting) and about the services running on the target machine. The tool supports advanced functionalities through a scripting engine, but we'll have a look at them in another episode.
 
But now, let's get our hands dirty and let's perform some scans.

In this series of posts, I'm referring to the official Nmap website, which you can consult for any doubts or for delving further into what I am humbly trying to explain here.

Scan types

Basic scan 

The most basic Nmap scan is simply the command nmap ip_address, where ip_address is the IP of our target machine, as shown below:

The command returns a bunch of open ports and services, which makes it abundantly clear why Metasploitable can't be exposed to the Internet.
 
Open FTP and Telnet ports are a real invitation for any hackers around.

Let's start by analyzing the options (or switches) that allow for more powerful scans with Nmap.

TCP Connect scan 

Scans the target machine by performing the whole three-way handshake process, so it exposes more information about your machine to the target system.

The TCP Connect scan can be performed by adding the -sT option to the command, as follows:


If we observe the related network traffic in Wireshark, we'll see packets with the SYN flag set and packets with the ACK flag set, i.e. the complete handshake.
 

TCP SYN scan, aka Stealth scan 

A stealth scan is so called because it allows you to be a little stealthier, as it doesn't perform the whole 3-way handshake process. After receiving the SYN/ACK from the target machine, our machine won't send an ACK, as would normally happen, but will reset the connection by sending an RST packet. Back in the day, the reset was enough for firewalls not to log the connection, but nowadays this no longer holds true.

The connection is left half-open (the handshake never completes), and the same technique can be abused to cause denial of service or other malicious attacks.

This method, which is also the default scan type Nmap runs, uses the -sS option, as shown below:

Having a look at these packets with Wireshark, we see the reset flag is turned on.

On a real-world target, we can have both open and filtered ports.

Filtered ports, quoting the official Nmap website, are ports for which: "Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically".

This problem can be addressed with different scan types, described below.

Xmas scan 

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. 

It uses the -sX option.


Within Wireshark, it shows up as follows: 

We didn't have any luck with our Xmas scan, so we can try a different type of scan, called the ACK scan (the -sA option). This type of scan "is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered. The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered".


It returns all ports as unfiltered.
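Each scan type above is defined by the TCP flags it sends, which is exactly what Wireshark shows in the flags column. The following Python example is added here and is not code from the original post or from the Nmap project: it builds minimal TCP headers, parses the flags byte back out, and classifies client-originated probes the way a packet-inspecting detector would, covering the Connect, SYN (stealth), Xmas and ACK scans described above plus the NULL probe (no flags at all). The captures are constructed inside the block, the port numbers are arbitrary, and the checksum is left at zero because nothing here verifies it.

```python
import struct

# TCP flag bits as laid out in the header's flags byte (RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build the fixed 20-byte TCP header (no options; checksum left at 0, it is not checked here)."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 1024, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed part of a TCP header and return the fields a detector cares about."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags & 0x3F}


def classify_probe(flags: int) -> str:
    """Map the flags of a single client-originated packet to the probe type it matches."""
    if flags == (FIN | PSH | URG):
        return "xmas"        # FIN, PSH and URG lit up together
    if flags == 0:
        return "null"        # no flags at all
    if flags == ACK:
        return "ack"         # lone ACK, as used to map firewall rules
    if flags == SYN:
        return "syn"         # normal connection attempt; needs the follow-up to tell -sT from -sS
    return "other"


def classify_exchange(packets: list) -> str:
    """Classify a short exchange given as (direction, raw_header) pairs.

    direction is 'c2t' (client to target) or 't2c' (target to client).
    """
    client = [parse_tcp_header(raw)["flags"] for direction, raw in packets if direction == "c2t"]
    if not client:
        return "none"
    first = classify_probe(client[0])
    if first != "syn":
        return first
    rest = client[1:]
    if rest and rest[0] & RST:
        return "syn-stealth"  # SYN, SYN/ACK, RST: handshake never completed (-sS)
    if rest and rest[0] == ACK:
        return "connect"      # SYN, SYN/ACK, ACK: full three-way handshake (-sT)
    return "syn-unanswered"


# Constructed captures (not real traffic): a scanner on port 40000 probing FTP on the target.
CLIENT, TARGET = 40000, 21
CONNECT_SCAN = [
    ("c2t", build_tcp_header(CLIENT, TARGET, SYN)),
    ("t2c", build_tcp_header(TARGET, CLIENT, SYN | ACK)),
    ("c2t", build_tcp_header(CLIENT, TARGET, ACK)),
]
SYN_SCAN = [
    ("c2t", build_tcp_header(CLIENT, TARGET, SYN)),
    ("t2c", build_tcp_header(TARGET, CLIENT, SYN | ACK)),
    ("c2t", build_tcp_header(CLIENT, TARGET, RST)),
]
XMAS_SCAN = [("c2t", build_tcp_header(CLIENT, TARGET, FIN | PSH | URG))]
ACK_SCAN = [
    ("c2t", build_tcp_header(CLIENT, TARGET, ACK)),
    ("t2c", build_tcp_header(TARGET, CLIENT, RST)),
]


if __name__ == "__main__":
    for name, capture in [("connect", CONNECT_SCAN), ("syn", SYN_SCAN),
                          ("xmas", XMAS_SCAN), ("ack", ACK_SCAN)]:
        print(f"{name:8s} -> {classify_exchange(capture)}")
```

A per-packet IDS rule for Xmas or NULL scans is essentially classify_probe applied to every inbound segment, while telling -sT from -sS needs the follow-up packet, as classify_exchange does. Keep in mind that Nmap only defaults to the SYN scan when it has raw-socket privileges; run unprivileged it falls back to a connect scan, which this classifier labels "connect".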

Other useful options (more to come in the following posts):

a) The -p- option

By default, Nmap only scans the well-known ports, but we can get it to scan all 65,535 ports on a system with the -p- option. This switch can discover additional ports used by services not normally included in a standard scan, because they run on dynamic ports.
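A full-range scan produces a long port list, and what usually matters is the difference from what you expect to be listening. The following Python example is added here (it is not code from the original post or from the Nmap project): it parses Nmap's grepable output format (-oG), groups ports by state, and reports open ports that are not on a per-host baseline of expected services. The sample output embedded in it is constructed to resemble a -sS -p- scan of the 172.16.137.2 lab host and is not a real scan result.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap grepable (-oG) output; not output from a real scan.
# Each "Ports:" entry is port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -p- -oG - 172.16.137.2
Host: 172.16.137.2 ()\tStatus: Up
Host: 172.16.137.2 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/filtered/tcp//smtp///, 8180/open/tcp//unknown///\tIgnored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned
"""

PortRecord = Tuple[int, str, str, str]  # (port, protocol, service, version)


def parse_ports_field(field: str) -> List[Tuple[str, PortRecord]]:
    """Split a 'Ports: ...' field into (state, port record) pairs."""
    records = []
    for item in field[len("Ports:"):].split(","):
        parts = item.strip().split("/")
        if len(parts) < 7 or not parts[0].isdigit():
            continue  # skip anything that is not a well-formed port entry
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        records.append((state, (int(port), proto, service, version)))
    return records


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Return {host: {"open": [...], "filtered": [...], "closed": [...], "ignored": (state, count)}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = line.split("\t")
        host = fields[0].split()[1]
        entry = hosts.setdefault(host, {"open": [], "filtered": [], "closed": [], "ignored": None})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for state, record in parse_ports_field(field):
                    entry.setdefault(state, []).append(record)  # also keeps e.g. open|filtered
            elif field.startswith("Ignored State:"):
                match = re.match(r"Ignored State: (\w+) \((\d+)\)", field)
                if match:
                    entry["ignored"] = (match.group(1), int(match.group(2)))
    return hosts


def unexpected_open(hosts: Dict[str, dict], baseline: Dict[str, set]) -> Dict[str, List[int]]:
    """Open ports per host that are not in that host's expected set of listening ports."""
    result = {}
    for host, entry in hosts.items():
        expected = baseline.get(host, set())
        extra = sorted(rec[0] for rec in entry["open"] if rec[0] not in expected)
        if extra:
            result[host] = extra
    return result


def report(hosts: Dict[str, dict]) -> List[str]:
    """Human-readable summary, one line per host per state."""
    lines = []
    for host, entry in hosts.items():
        for state in ("open", "filtered"):
            ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc, _ver in entry[state])
            lines.append(f"{host} {state}: {ports or '-'}")
        if entry["ignored"]:
            lines.append(f"{host} {entry['ignored'][1]} ports {entry['ignored'][0]} (not listed)")
    return lines


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(report(scan)))
    # Baseline is constructed: only SSH is supposed to be listening on the lab host.
    print("unexpected:", unexpected_open(scan, {"172.16.137.2": {22}}))
```

Filtered ports stay in their own bucket so they can be followed up with the ACK scan discussed earlier rather than being mistaken for closed ones, and the "Ignored State" count makes it obvious when a -p- run really covered all 65,535 ports.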


b) The -v option:

Increases the verbosity level of the command.


c) The -T option

Sets a timing template, which can make your scan faster.


You can see the same scan was performed much faster by adding this option.

Stick around for the second part of this tutorial!
