
Tips for an Information Security Analyst/Pentester career - Episode 3: Nmap and active recon (part 2)

DISCLAIMER: All the scanning techniques explained here and in the prior episodes were performed either against my Metasploitable 2 virtual machine or against scanme.nmap.org

The latter is a host run by the Nmap project that explicitly grants permission to scan it.
Don't attempt these techniques against any other host unless you own it or are legally authorized to do so.

Depending on local regulations, portscanning a system without any authorization from its owner can cause you legal troubles, so be advised.

Let's continue with our analysis of some of the most important Nmap scanning techniques and options.


This analysis does not pretend to be thorough: Nmap's options and capabilities are so vast that an entire book has been written about them.


UDP Scans
They can be very important, and beginners often overlook them when performing a pentest.

Some important services run over UDP rather than TCP, so skipping the UDP ports can mean missing a service that turns out to be the way into the system.

Examples of services running over UDP are RADIUS (ports 1812/1813 in its default configuration), DNS (port 53 for queries) and NTP (port 123).

Two caveats: UDP scans are slow, because many operating systems rate-limit the ICMP port unreachable replies Nmap relies on to mark a port closed, and a port that never answers is reported as open|filtered rather than open. Combining -sU with -sV sends protocol-specific payloads that often turn an open|filtered result into a confirmed open service.

UDP scans are performed with the -sU option (raw-packet scans such as this one need root privileges), as shown below:

A UDP scan on scanme.nmap.org reveals that NTP (Network Time Protocol) is running.

This is something you might otherwise have overlooked.

SCTP Scans

They target SCTP (Stream Control Transmission Protocol), specified in RFC 4960, a transport protocol used mainly in telecom signalling (SS7/SIGTRAN) and Diameter deployments.

According to the official guide, SCTP INIT scans: "can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states".

The SCTP INIT scan uses the -sY option (Nmap also offers an SCTP COOKIE ECHO scan with -sZ), as shown below:



Version detection

It provides a more accurate identification of the services running on the target machine (the Nmap reference guide covers it in depth) and is enabled with the -sV option, or as part of -A, which also turns on OS detection, default scripts and traceroute. Keep in mind that Linux distributions often backport security fixes without changing the version string a service reports, so a version match alone does not confirm that a vulnerability is exploitable.


Here we detected the installed version for OpenSSH and Apache.

Looking for vulnerabilities related to OpenSSH, I came across several of them that could lead to a successful exploitation.



Operating system fingerprinting

Nmap can identify the operating system running on the target machine by comparing the target's TCP/IP stack behaviour against its fingerprint database. The accuracy of this analysis depends on the ports available on the target: it works best when at least one open and one closed TCP port can be found, and becomes unreliable when none is.

Fingerprinting is performed with the -O option, as follows:
 

Our results indicate that the target system is very likely a Linux machine.

We can confirm this by using www.netcraft.com (under What's this site running?), which reports it as an Ubuntu Server machine.

-Pn option

Skips host discovery: Nmap normally pings each target first (ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request) and only port-scans hosts that answer. With -Pn every target is treated as up and scanned directly, which is what you want when a firewall drops those probes and the host would otherwise be reported as down. As shown below:
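As an added example that is not part of the original post, the following Python script ties the options covered above (-sU, -sY, -sV, -O and -Pn) together: it builds the nmap command line, can run it with XML output (-oX -), and parses that XML into a structure you can act on. The live scan path assumes nmap is installed and that you are authorized to scan the target; the parser is exercised offline against a constructed sample XML embedded below, whose hosts, ports and versions are illustrative rather than a real scan result.

```python
"""Run the Nmap scans discussed above and parse their XML output.

Added example, not from the original post. Assumes `nmap` is on PATH
for the live scan path; the parser runs offline against the constructed
SAMPLE_XML below, which imitates the shape of real `nmap -oX -` output.
"""
import subprocess
import xml.etree.ElementTree as ET

# Scan profiles: UDP (-sU), SCTP INIT (-sY), version detection (-sV),
# OS fingerprinting (-O). -sU, -sY and -O send raw packets and need root.
PROFILES = {
    "udp": ["-sU", "--top-ports", "50"],
    "sctp": ["-sY"],
    "version": ["-sV"],
    "os": ["-O"],
}


def nmap_argv(target, profile, skip_ping=False):
    """Build the nmap command line for one of the PROFILES above.

    -Pn skips host discovery so a host that drops ping probes is still
    scanned; -oX - writes the XML report to stdout for parsing.
    """
    argv = ["nmap"] + PROFILES[profile]
    if skip_ping:
        argv.append("-Pn")
    return argv + ["-oX", "-", target]


def run_nmap(target, profile, skip_ping=False):
    """Run the scan live (only against hosts you are authorized to scan)."""
    proc = subprocess.run(nmap_argv(target, profile, skip_ping),
                          check=True, capture_output=True, text=True)
    return parse_nmap_xml(proc.stdout)


def parse_nmap_xml(xml_text):
    """Return {'ports': [...], 'os': [...]} from nmap -oX output.

    Each port entry keeps the state (note UDP's 'open|filtered', which
    means no reply was seen) plus any version-detection fields.
    """
    root = ET.fromstring(xml_text)
    result = {"ports": [], "os": []}
    for host in root.iter("host"):
        for port in host.iter("port"):
            svc = port.find("service")
            result["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        for match in host.iter("osmatch"):
            result["os"].append((match.get("name"), int(match.get("accuracy"))))
    return result


def open_ports(parsed, proto=None):
    """Ports Nmap reports as definitely open (excludes 'open|filtered')."""
    return [p["port"] for p in parsed["ports"]
            if p["state"] == "open" and (proto is None or p["proto"] == proto)]


# Constructed sample in the shape of `nmap -sU -sV -O -oX -` output;
# the address, ports and versions are illustrative, not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -sV -O -oX - target">
 <host>
  <status state="up" reason="echo-reply"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="6.6.1p1" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10"/></port>
   <port protocol="udp" portid="123"><state state="open" reason="udp-response"/>
    <service name="ntp" method="probed" conf="10"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
    <service name="snmp" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Linux 3.2 - 4.9" accuracy="95" line="65000"/></os>
 </host>
</nmaprun>
"""

if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    print("command:", " ".join(nmap_argv("scanme.nmap.org", "udp", skip_ping=True)))
    print("open udp ports:", open_ports(parsed, "udp"))
    for entry in parsed["ports"]:
        print(entry)
    print("os guesses:", parsed["os"])
```

In the sample, port 161/udp stays open|filtered because nothing answered the probe; that is the ambiguity UDP scanning leaves behind, and open_ports() deliberately excludes it so that only confirmed services (here NTP on 123/udp, plus the version-detected OpenSSH and Apache on TCP) feed the next step of the engagement.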



Stick around for the third part of this tutorial!

Episode 2

Episode 1
