In the previous ethical hacking post, we briefly explained several options to obtain an enumeration of IP addresses and subdomains when performing an ethical hacking process. If you liked that “this is very safe because who will know that this subdomain exists” (although you can not believe it, it is more common than it seems), do not miss how the “who will know that I put this service on this port with such a strange number” ends badly … Let’s talk about service identification with nmap.
In short, in this post we will try to see how it is possible to make an inventory of open ports on an IP or range of IPs, and even identify the technology underneath an open port, when possible.
Basically this post is going to focus on the use of a fantastic and essential tool, nmap. Although it is a tool typically used in Linux (and of course included in the reference suite I use in these posts, Kali), you can already find compilations for other operating systems.
Before getting into the nitty-gritty, we would like to warn you that nmap is a complex and complete tool, with a huge amount of options, parameters, etc.; this post is not intended to be a manual for using the tool but again an introduction to it in order to understand the identification of services as a phase of ethical hacking prior to the detection of vulnerabilities. To learn more about the tool, we recommend reading its manual.
The Open Source tool nmap allows us to perform network and port scans, being able to scan a single destination, a range, a list of IPs… it is based on TCP, UDP, ICMP, SCTP, etc. requests and incorporates several scanning techniques.
We recommend in general to refresh some knowledge about transport protocols, for example by remembering how the establishment of a TCP connection works with negotiation in three steps: first, SYN-type call from the client to a port, RST response if the port is closed or SYN-ACK if it is open, and the ACK from the client to the server to complete the process. nmap will rely on these types of messages to determine whether or not a port is listening on the destination.
Sometimes this cannot be used, or is detected by the remote server, and there are other alternatives for scanning.
General syntax and first scan
General syntax:
nmap [ ...] [ ] { }
Next, we proceed to perform the first scan:
We execute the command:
nmap 45.33.49.119
We are not setting any type of scan, so it uses the default scan, TCP SYN. nmap sends a SYN and assumes the port is open if it receives a SYN ACK. There are also no additional option parameters, and as a destination there is a single IP. This command will give us a result similar to the following:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-01 18:12 CEST
Nmap scan report for ack.nmap.org (45.33.49.119)
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
70/tcp closed gopher
80/tcp open http
113/tcp closed ident
443/tcp open https
31337/tcp closed Elite
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds
It returns in a few seconds a list of open ports on that IP, including an SSH, an SMTP mail server, a web server, and a possible back orifice.
In many cases this is simply a first point of analysis even if, for example, the software behind an FTP, SSH, etc. server is fully up-to-date and there are no known vulnerabilities. Already at first you could, for example, launch a brute force dictionary attack on the SSH or FTP server trying to gain access (there are a huge number of such servers with default or insecure credentials).
There are automatic tools (bots) that are basically continuously scanning wide IP ranges for recognizable open ports, for example database ports (MongoDB, MySQL, PostgreSQL, etc.), and when they detect such an open port, they automatically attempt a login with default credentials. For example, in the case of typical LAMP / WAMP installations, a root access / to the mySQL port. And basically this way a huge amount of databases have been hacked without prior human intervention. This is feasible even if we have it open on another port, since it is possible to identify in many cases that what is on port 5555 “to mislead”, to say something, is a mySQL through the fingerprint of the service, as we will see later.
In short, it is very dangerous to leave default credentials on web servers, routers, FTPs, SSHs, databases… because there is no need for anyone to have a bug, a bot will do it.
A first parameter
If we want to have some information about how nmap has obtained this information, we can augment the traces with the -v (verbose) or -vv parameter, where we can see that nmap has been launching SYN commands and in some cases receiving RESET (port closed), in others SYN-ACK (port open) and in others no response (“filtered”), which can make us understand that a firewall is stopping our request:
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 53
25/tcp open smtp syn-ack ttl 53
70/tcp closed gopher reset ttl 52
80/tcp open http syn-ack ttl 53
113/tcp closed ident reset ttl 52
443/tcp open https syn-ack ttl 53
31337/tcp closed Elite reset ttl 53
Increasing the range of IPs to be scanned
nmap allows us to determine IP ranges to scan in several ways (it is recommended to analyze the manual or use –help for more complete information). For example:
nmap 192.168.10.0/24 (subred completa)
nmap 192.168.10.1-20 (20 IPs)
nmap 192.168.10.*
nmap 192.168.10.1 192.168.10.2 192.168.10.3
Or for example, let’s imagine that we have been accumulating IPs since our initial enumeration, and we have a file with the different IPs separated by tabs or line breaks (one IP or range per line). We can load the file with the -iL parameter (input list) and perform the scan of the entire IP inventory. It also allows, for example, to exclude some specific IPs with —exclude or —excludefile.
Defining the ports to be scanned
We can manually define the ports we want to scan. For example, if we are looking for web servers on ports 80, 443 and 8080 in a subnet we could do it with the -p parameter:
nmap -p 80,443,8080 192.168.10.0/24
We can also ask nmap to scan the “N” (whole number) most common ports; for example, to scan the 25 most common ports in a range of IPs:
nmap --top-ports 25 192.168.10.0/24
Receiving a response like this:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp open domain
80/tcp open http
110/tcp closed pop3
111/tcp open rpcbind
135/tcp closed msrpc
139/tcp open netbios-ssn
143/tcp closed imap
199/tcp closed smux
443/tcp closed https
445/tcp open microsoft-ds
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s
1025/tcp closed NFS-or-IIS
1720/tcp closed h323q931
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp open vnc
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
We can ask to scan all TCP, UDP and SCTP ports (slower) with the identifier –p– :
nmap -p- 192.168.10.0/24
Identifying operating systems and services
As we can see, nmap allows us to detect ports that are listening on an IP or a range. Later we will also see how other scanning techniques can be defined. In addition, nmap allows us to try to identify which technology (product, version, etc.) is behind an open port, or even the operating system installed on a server, with the -O and -sV parameters. This detection is based on the “signature” (fingerprint) of the responses given by the service to certain calls.
nmap -O -sV 192.168.10.5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Raspbian 5+deb8u3 (protocol 2.0)
53/tcp open domain ISC BIND 9.9.5 (Raspbian Linux 8.0 (Jessie based))
80/tcp open http Apache httpd 2.4.10 ((Raspbian))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4567/tcp open http Jetty 9.4.8.v20171121
5900/tcp open vnc RealVNC Enterprise 5.3 or later (protocol 5.0)
MAC Address: B8:27:EB:CD:FE:89 (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RASPBERRYPI; OS: Linux; CPE: cpe:/o:linux:linux_kernel
In this case, not only do we know that this machine has certain ports open. It also tells us that it is a Raspberry running Raspbian (so, for example, we could do a brute force test with a “pi” user, which is the default user), and the versions of the different ports that are listening, so this information can be used to exploit vulnerabilities on unpatched versions, etc.
Using more probing techniques
By default nmap uses SYN as a scanning technique. It is a fast and not very intrusive / detectable technique, but sometimes , but it supports a total of 12 different techniques that we can define as parameters, as we can see in the tool’s user manual.
For example, if we want to do a scan based on UDP calls, we can make a call of the type:
nmap -sU 192.168.10.5
Searching for vulnerabilities with nmap
Although there are more “comfortable” and specific tools to search for vulnerabilities, such as Nessus, or suites such as Metasploit that consolidates several tools, nmap also allows us to perform vulnerability analysis.
To do this, it uses a series of Lua scripts that are located in a path on our machine (in the case of Kali, in /usr/share/nmap/scripts/ ) and can be invoked with —script or its equivalent -sC.
Scripts can belong to one or several categories, so we can ask nmap to evaluate, for example, all the scripts of a category against a host. There are some particularly interesting categories such as “vuln” (scripts dedicated to detect vulnerabilities in the target), “exploit“, etc.
For example, if we want to scan vulnerability category scripts against a host:
nmap --script vuln scanme.nmap.org
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=scanme.nmap.org
| Found the following possible CSRF vulnerabilities:
|
| Path: http://scanme.nmap.org:80/
| Form id: cse-search-box-sidebar
|_ Form action: https://nmap.org/search.html
|http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: | /images/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)' | /shared/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service.
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9929/tcp open nping-echo
31337/tcp open Elite
As we can see, the script has detected a potential vulnerability based on the Slowloris denial of service attack. If we analyze the scripts in the aforementioned path, we can see that there is precisely one that exploits this vulnerability, called http-slowloris. If we want more information about the script we can launch the following command:
nmap --script-help http-slowlorisExplaining how the script works, how to launch it (it is also possible to do it with nmap itself with —script and –script-args), etc. We can also get for example a description of all the scripts that search for vulnerabilities:
nmap --script-help vulnWe can also, for example, launch all scripts of a given type. For example, if we want to scan for vulnerabilities on SMB protocol on a given host:
nmap --script smb-* 192.168.10.5We can also, for example, evaluate a vulnerability over our entire network by choosing a specific script against a range. The –script parameter
nmap --script-help vulnnmap --scriptIn short, nmap even includes interesting options for assessing vulnerabilities and even launching exploits, although there are other tools commonly used for this purpose.
Other interesting options
As we have said, nmap has a lot of options and it is impossible to try to cover even a small percentage of them in a post. In fact, there is an official nmap book of almost 500 pages… but in any case we try to comment here some of them that seem interesting.
- The tool allows you to generate the scan result in a processable output file, e.g. in XML format, with -oX or -oN .
- When scanning wide IP ranges, we can disable the DNS reverse resolution attempt with the -n parameter.
- During the execution of a command we can increase the level of information displayed on the console (verbosity) by pressing the “V” key.
- If we have a firewall that cuts us off, we can try –Pn
In short, we have tried to develop a “brief” introduction to nmap as a tool for identifying open ports and services on a host or IP range. In later posts we will see other ways to detect vulnerabilities.