Categories


Authors

Network Scanning With Nmap

Network Scanning With Nmap

Need help with implementation or an upcoming security project? We offer professional security services at reasonable rates to help you take a fresh look at your network, meet compliance standards, develop secure networks, and more. Click here to find out more.

Preface

Regardless of whether you're scanning your own networks or not, someone else almost certainly is. It's a given that devices on the Internet are exposed to an active and ever-changing threat environment, and you're a part of it. Hackers, security research organizations, governments, and others regularly run port scans on large swaths of public IP space. Websites like Shodan.io index the results of network scans and make the results searchable for their customers. It's a given now that almost everyone on the internet is being scanned and targetted if they are determined to be a "soft target".

Given the current threat landscape the best thing to do is take an active role in the process - it's time to scan your own networks. One of the best tools to do it with is Nmap, which has been the standard in port scanning for quite a long time. The following sections will take you through downloading Nmap to running basic scans, and interpreting the results.

  1. Authority to Scan
  2. Install Nmap
    1. Windows Installation
    2. Linux Installation
  3. Types of Scans
    1. Ping Sweep
    2. Port Scan
    3. Service Scan
  4. Compliance Scan

Authority to Scan

Before doing any network scanning it's important to first verify that you have the authority and permission to scan the network(s) that you're targetting. Oftentimes the only difference between a hacker and an auditor running network scans is how they are getting paid - the targets, tools, and techniques are often the same. If someone had no idea you were running network scans and you begin triggering IPS alerts across the network it will look like an attack, and someone working in IT Security or Information Assurance would be correct to isolate the source of the scans and begin investigating.

If you are scanning your own organization's networks be sure the rest of your team is aware it's happening so they can deconflict your "friendly fire" scans from real network incidents. If you are an auditor and scanning a customer's networks be sure that you have permission to do so in writing, and make sure that someone has your contact information so they can also deconflict your network scans from a possible network intrusion. If you are doing a Red Team assessment with a client make sure that there is an open line of communication from your point of contact, because the IT or IS department shouldn't know you're doing this, and they will most likely react as though it's a real-world intrusion if your port scans trigger IPS alerts.

Install Nmap

Installing Nmap is very straightforward and should only take a minute or two. There are two components: Nmap is the port scanner, and Zenmap is a GUI over the top of it. You don't have to use Zenmap, but it's included in the Windows installer and is easily installed on Linux as well. Ensure that you only download Nmap from the Nmap.org website or via official Linux software repositories.

Windows Installation

For Windows platforms visit the Nmap Windows download page and run the installer.

Linux Installation

Nmap is available via pretty much every software repository in mainstream Linux distributions:

APT

Install Nmap from the official software repository via APT:

apt-get install nmap

Yum

Install Nmap from the official software repository via Yum:

yum install nmap

Types of Scans

There are a few different kinds of network scans, each tailored to a specific purpose. Each different scan has a varying level of activity and rigor, and many times one scan helps define the scope of the next. Each kind of scan is shown in the table below, with the Nmap command to run it in the respective sections.

Type Rigor Speed Host-based IPS Trigger
Ping Sweep Low Fast Unlikely
Port Scan Moderate Quick to Slow Possible
Service Scan Moderate Quick to Slow Probable
Compliance Scan High Slow Likely

All port scan commands are shown in command-line format, because they will work both at the command line without Zenmap, and you can copy-paste them into the "Command" field as well inside the GUI. It's important you learn how to use both the command line and the GUI if you're doing port scans often.

Ping Sweep

A Ping sweep is the simplest kind of scan, and has a very low impact on network performance. This kind of sweep simply sends an ICMP echo (ping) to each IP on the network and listens for a reply. This is great for determining which IPs are active in a network, and how many total hosts there are. Ping sweeps typically complete in fairly short times, and are unlikely to trigger a host-based IPS product because single pings don't normally appear malicious.

Unfortunately a ping sweep doesn't tell you anything about the devices responding to the echos, and if the hosts are running a host-based firewall that blocks pings they will appear to be offline (even though they aren't).

Nmap Ping sweep command:

nmap -sn 192.168.88.0/24

Example scan:

tyler@manitonetworks.com:~$ nmap -sn 192.168.88.0/24

Starting Nmap 7.12 ( https://nmap.org ) at 2016-11-26 06:10 UTC
Nmap scan report for router (192.168.88.1)
Host is up (0.0011s latency).
Nmap scan report for 192.168.88.183
Host is up (0.0019s latency).
Nmap scan report for 192.168.88.184
Host is up (0.0063s latency).
Nmap scan report for ubuntu (192.168.88.196)
Host is up (0.00047s latency).
Nmap scan report for 192.168.88.253
Host is up (0.0042s latency).

Nmap done: 256 IP addresses (5 hosts up) scanned in 8.81 seconds

We now know that five devices are online, but we know nothing about them. This can help define the scope of future scans though.

Port Scan

A port scan is the typical scan for when you need to go a bit deeper than seeing just who is online. The typical port scan has a very low impact on network performance, though if you're scannning a lot of ports on multiple hosts in parallel it could have an impact if the network is already busy. A port scan could trigger a host-based IPS depending on the product, how quickly you're hitting ports, and how many ports are being scanned at once. TCP and UDP port scans have a fairly well-defined signature, and because hackers use port scans for reconnaisance they are flagged as malicious.

Port scans tell you what ports are open for each protocol, e.g. TCP port 80 would be found open on a web server. UDP port 123 discovered open means that NTP is running on a server. Normally in a port scan only open ports are reported, and ports that are closed are omitted in scan results. Filtered ports are shown because how a device responds on a filtered port can help fingerprint it.

TCP Port Scan:

A TCP port scan probes TCP ports, sending packets and waiting for a reply to confirm if the port is online or not. This method of testing if a port is online is fairly reliable due to TCP's connection-oriented nature, though it does create a lot of open connections that never fully complete. The -sT flag sets up a TCP scan in Nmap.

nmap -sT 192.168.88.0/24

Example scan:

tyler@manitonetworks.com:~$ nmap -sT 192.168.88.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-11-26 06:27 UTC
Nmap scan report for router (192.168.88.1)
Host is up (0.0098s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
8291/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

UDP Port Scan:

A UDP port scan sends packets to UDP services like DNS and waits for a reply to confirm if the port is online or not. Probing UDP ports is hit-and-miss due to UDP's connectionless nature - if a service doesn't actively reply on an otherwise open UDP port then it won't appear online. Probing TCP ports is easy because all that has to be done to get a response is sending a SYN packet, but UDP has no such handshake mechanism. The -sU flag sets up a UDP scan in Nmap.

nmap -sU 192.168.88.0/24

Example output for this scan is omitted, because it looks much like the output of the TCP scan.

Combined Port Scan:

It's possible to combine protocol scans and specify ports to be checked. This scan specifically targets the Top 10 ports for each host on TCP and UDP protocols:

nmap -sT -sU --top-ports 10 192.168.88.0/24

Scan results:

The output of this scan only includes two hosts for brevity.

tyler@manitonetworks.com:~$ sudo nmap -sT -sU --top-ports 10 192.168.88.0/24

Starting Nmap 7.12 ( https://nmap.org ) at 2016-11-26 06:41 UTC
Nmap scan report for router (192.168.88.1)
Host is up (0.0024s latency).
PORT     STATE         SERVICE
21/tcp   closed        ftp
22/tcp   open          ssh
23/tcp   open          telnet
25/tcp   closed        smtp
80/tcp   open          http
110/tcp  closed        pop3
139/tcp  closed        netbios-ssn
443/tcp  closed        https
445/tcp  closed        microsoft-ds
3389/tcp closed        ms-wbt-server
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m
MAC Address: 6C:3B:6B:05:CB:BF (Unknown)

Nmap scan report for 192.168.88.183
Host is up (-0.0076s latency).
PORT     STATE         SERVICE
21/tcp   closed        ftp
22/tcp   closed        ssh
23/tcp   closed        telnet
25/tcp   closed        smtp
80/tcp   closed        http
110/tcp  closed        pop3
139/tcp  closed        netbios-ssn
443/tcp  closed        https
445/tcp  closed        microsoft-ds
3389/tcp closed        ms-wbt-server
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  open|filtered msrpc
137/udp  closed        netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  open|filtered ipp
1434/udp closed        ms-sql-m
MAC Address: 00:6B:9E:85:C7:14 (Vizio)

Service Scan:

This type of scan builds on TCP and UDP port scans, discovering the service versions running on individual ports. Finding the service versions and the daemons running them helps fingerprint a device, and is done through "banner grabbing" and scripts. Once we know the service versions it's easy to determine if any of them have vulnerabilities that have been disclosed. Hackers use this information to prioritize targets, which is why port scans are considered malicious unless done by a trusted insider or external auditor. The -sV flag specifies a service scan.

nmap -sT -sV 192.168.88.1

Scan results, with some output omitted because it is shown above already:

tyler@manitonetworks.com:~$ nmap -sT 192.168.88.1

Nmap scan report for router (192.168.88.1)
Host is up (0.0093s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE        VERSION
22/tcp   open  ssh            MikroTik RouterOS sshd (protocol 2.0)
23/tcp   open  telnet         Linux telnetd
53/tcp   open  domain         MikroTik RouterOS named or OpenDNS Updater
80/tcp   open  http           MikroTik router config httpd
2000/tcp open  bandwidth-test MikroTik bandwidth-test server
8291/tcp open  unknown
Service Info: OSs: Linux, RouterOS; Device: router; CPE: cpe:/o:mikrotik:routeros, cpe:/o:linux:linux_kernel

In this case we get a lot of output to digest. First, we're able to tell that the device is a router because it's running Mikrotik RouterOS. Secondly, we know that it's probably still running a stock configuration because all ports are open and all default services are running - no one has followed the Mikrotik Router Hardening Guide. Third, we can infer that the factory default credentials (admin:no password) are probably still in place because nothing else appears to have been tuned for security.

Compliance Scan

The next step after doing port and service scans is to run compliance scans for deeper insight into your security. In order to run these kinds of scans you'll need additional software - we recommend Nessus by Tenable Network Security. This software is able to run port and service scans, as well as log into your devices and enumerating patches and configurations. It can check against published vulnerability lists like OSVDB and Mitre's CVE list to determine if your hosts have vulnerabilities, and provide dashboards and reports to help you remediate systems.

Nessus is what Manito Networks uses for our clients, and it's also used by a number of defense organizations to help secure their networks.

Check for Virtualization Environments in Metasploit