
Tactical Nmap for Beginners Network Search «Null Byte :: WonderHowTo



When attacking devices on a network, you cannot hit what you cannot see. With Nmap, you can enumerate every device connected to a network and find out which operating system each device is running and which applications are listening on its open ports. With this information, a hacker can design an attack that is tailored precisely to the target environment.

Beginner Network Education

After gaining access to a Wi-Fi network, an Ethernet network, or a remote network, most hackers must first complete reconnaissance to explore the network and learn about the available targets. You may already be familiar with some devices that announce themselves on a network, such as other computers advertising file sharing. Although this is a useful way to discover devices on the same network as you, most devices do not advertise their presence in such an obvious way.

The solution to the problem of exploring a network is network scanning, which is possible through programs such as Nmap and arp-scan. Here we are only interested in the former, which can investigate and map local and remote networks in great detail; as you will see later, Nmap can perform an ARP scan as well. With Nmap, you can see who is on the network, which applications or operating systems a target is running, and what attack surface is available.

Using Nmap for Local Area Networks

Running an Nmap scan is often the best way to determine the size of a network and the number of devices attached to it. Performing a "fast" Nmap scan (-F) against a network range produces a list of all IP addresses that are active hosts on the network, along with some additional information.

  sudo nmap -F 192.168.0.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 22:55 PST
Nmap scan report for 192.168.0.1
Host is up (0.048s latency).
Not shown: 96 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
MAC Address: AC:EC:80:00:EA:17 (Arris Group)

Nmap scan report for 192.168.0.35
Host is up (0.065s latency).
Not shown: 93 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: C4:8E:8F:38:61:93 (Hon Hai Precision Ind.)

Nmap scan report for 192.168.0.232
Host is up (0.032s latency).
All 100 scanned ports on 192.168.0.232 are closed
MAC Address: 60:A3:7D:30:24:60 (Apple)

The data returned, along with some basic information about the services each device runs, can be used as a target list for other hacking tools. However, Nmap goes well beyond simple host discovery.

The amount of information an Nmap scan can reveal about a local network is impressive, including the MAC address and manufacturer of the attached devices, the operating system each device runs, and the version of every service listening on it. Once you know how many devices are on the network and what they are, the next step is to scan and examine the interesting ones.

Another key feature of Nmap is the ability to scan individual devices or ports, or entire IP address ranges covering many devices. In this way, an attacker can discover the fine details of a device found on a network, including its open ports and running services. Ports are the gateways through which another device can connect. Finding a number of services running on open ports can be of great benefit to a hacker, especially if one of them is an outdated and vulnerable version.

Using Nmap for Remote Networks

In addition to scanning local networks, Nmap can also reveal information about remote networks. In fact, you can run Nmap against a website you want to examine, and it will resolve the domain to its IP address for you.

  nmap -F wonderhowto.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-11 23:20 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.14s latency).
Not shown: 95 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
80/tcp  open     http
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds

Once the IP address has been collected and the open port numbers noted, further Nmap scans can reveal the operating system (-O) of the host serving a remote website.

  sudo nmap -O 104.193.19.59

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 23:00 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.036s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (95%)
Aggressive OS guesses: Citrix NetScaler load balancer (95%), Citrix NetScaler VPX load balancer (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds

Finally, we can even see the software versions running on the open ports. Spotting a version that is susceptible to a known attack can greatly simplify our work on the network. With the IP address discovered earlier, we can run another scan with -sV, which reveals that Microsoft HTTPAPI httpd 2.0 is in use on the target.

  sudo nmap -sV 104.193.19.59

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 23:02 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.27 seconds

Taken together, this information (the IP address of a remote website or server, the operating system running on the device, and the version of every application on it) is what a hacker needs to attack devices on a network.

What you need

To use Nmap, you need a system that supports this. Fortunately, Nmap is cross-platform and works on Windows, Linux, and macOS. Nmap is already preinstalled on many systems. If you do not have it, it's easy to install.

You also need a network you can connect to and scan in order to try out these techniques. Note, however, that scanning is often seen as the prelude to an attack and may be considered hostile. This means that if you work somewhere that monitors for suspicious behavior, scanning the entire network is a good way to attract attention.

Step 1: Configure Nmap to scan a single target

To perform a basic scan, we pick an IP address of interest to scan against. One of the most basic yet informative scans is to run Nmap with a target IP address and the -A flag, which enables OS detection, version detection, script scanning, and traceroute.

  sudo nmap 104.193.19.59 -A

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-10 23:12 PST
Nmap scan report for wonderhowto.com (104.193.19.59)
Host is up (0.038s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: WonderHowTo
|_http-title: Did not follow redirect to https://wonderhowto.com/
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: WonderHowTo
|_http-title: Did not follow redirect to https://www.wonderhowto.com/
| ssl-cert: Subject: commonName=wonderhowto.com
| Subject Alternative Name: DNS:wonderhowto.com, DNS:*.driverless.id, DNS:*.gadgethacks.com, DNS:*.invisiverse.com, DNS:*.null-byte.com, DNS:*.reality.news, DNS:*.wonderhowto.com, DNS:driverless.id, DNS:gadgethacks.com, DNS:invisiverse.com, DNS:null-byte.com, DNS:reality.news
| Not valid before: 2017-01-25T00:00:00
|_Not valid after:  2019-01-25T23:59:59
|_ssl-date: 2018-11-11T07:12:53+00:00; 0s from scanner time.
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (90%)
Aggressive OS guesses: Citrix NetScaler load balancer (90%), Citrix NetScaler VPX load balancer (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   31.75 ms 192.168.0.1
2   26.02 ms 142.254.236.193
3   35.17 ms agg60.lsaicaev01h.socal.rr.com (24.30.168.25)
4   30.78 ms agg11.lsaicaev01r.socal.rr.com (72.129.18.192)
5   26.19 ms agg26.lsancarc01r.socal.rr.com (72.129.17.0)
6   34.58 ms bu-ether16.atlngamq46w-bcr00.tbone.rr.com (66.109.6.92)
7   30.20 ms ae2.lsancarc0yw-bpr01.tbone.rr.com (66.109.1.41)
8   35.04 ms ix-ae-24-0.tcore1.lvw-los-angeles.as6453.net (66.110.59.81)
9   35.01 ms if-ae-8-2.tcore1.sv1-santa-clara.as6453.net (66.110.59.9)
10  35.11 ms if-ae-0-2.tcore2.sv1-santa-clara.as6453.net (63.243.251.2)
11  38.80 ms if-ae-18-2.tcore1.sqn-san-jose.as6453.net (63.243.205.12)
12  34.39 ms if-ae-1-2.tcore2.sqn-san-jose.as6453.net (63.243.205.2)
13  34.05 ms 64.86.21.62
14  31.16 ms xe-0-0-3.cr6-lax2.ip4.gtt.net (89.149.180.253)
15  63.54 ms 72.37.158.50
16  ...
17  34.34 ms wonderhowto.com (104.193.19.59)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.60 seconds

Even with a single target, a simple scan can provide a lot of information. Here we scanned just the IP address of WonderHowTo.com. The same can be done against a device on your local network, such as a router, or against a remote server like the one hosting WonderHowTo.com.

Step 2: Calculate the Subnet and Scan a Range to Detect Devices

In order to identify other devices on a local area network, it helps to calculate the subnet range. This is the range of possible IP addresses assigned to devices on the network, and knowing it lets you scan every IP address a device could have on that network.

A handy tool that can do this for you is ipcalc. It takes your IP address (which you can find by typing ifconfig or ip a in a terminal window) and calculates the subnet range. This gives you a value like "192.168.0.0/24" that specifies a range of IP addresses. The following example computes the subnet as 127.0.0.0/24.

  ipcalc 127.0.0.1

Address:   127.0.0.1            01111111.00000000.00000000. 00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   127.0.0.0/24         01111111.00000000.00000000. 00000000
HostMin:   127.0.0.1            01111111.00000000.00000000. 00000001
HostMax:   127.0.0.254          01111111.00000000.00000000. 11111110
Broadcast: 127.0.0.255          01111111.00000000.00000000. 11111111
Hosts/Net: 254                   Class A, Loopback

To perform a scan that also reports the services running on the devices we find, we can open a terminal window and enter the following command, substituting the network range we are on; here 172.16.42.0/24 is used as an example. This scan is somewhat slow, so instead of -A you can use the -F flag for a faster scan of only the most common ports.

  nmap 172.16.42.0/24 -A

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-11 23:26 PST
Nmap scan report for 172.16.42.1
Host is up (0.0029s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain?

Nmap scan report for 172.16.42.20
Host is up (0.0053s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped

Nmap scan report for 172.16.42.32
Host is up (0.0057s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped

Nmap scan report for 172.16.42.36
Host is up (0.011s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped

Nmap scan report for 172.16.42.49
Host is up (0.0063s latency).
All 1000 scanned ports on 172.16.42.49 are closed

Nmap scan report for 172.16.42.53
Host is up (0.0059s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE      VERSION
62078/tcp open  iphone-sync?

Nmap scan report for 172.16.42.57
Host is up (0.013s latency).
All 1000 scanned ports on 172.16.42.57 are closed

Nmap scan report for 172.16.42.63
Host is up (0.00020s latency).
All 1000 scanned ports on 172.16.42.63 are closed

Nmap scan report for 172.16.42.65
Host is up (0.0077s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
631/tcp open  ipp     CUPS 2.2
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.0

Nmap scan report for 172.16.42.119
Host is up (0.012s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE           VERSION
898/tcp   filtered sun-manageconsole
1862/tcp  filtered mysql-cm-agent
1971/tcp  filtered netop-school
62078/tcp open     tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (10 hosts up) scanned in 219.68 seconds

Here we ran Nmap with no arguments other than the -A flag. We should expect output like the above, showing the devices found and the services running on them.

Another handy tool for network discovery is arp-scan, which can sometimes reveal devices that Nmap misses. We can have Nmap itself perform an ARP scan with the -PR flag, which is fast and aggressive at turning up live hosts.

  nmap -PR 192.168.0.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 06:10 PST
Nmap scan report for 192.168.0.1
Host is up (0.019s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts

Step 3: Creating a Target List of Active Hosts

Now we can calculate all possible IP addresses on the local network and find the live ones using either a -F (faster) scan, a plain Nmap run with the -A flag for a slower scan with more information, or a -PR scan to quickly find active hosts on a local area network.

If you want to build a text file of the hosts you detected, you can use the command below to create a list, so that you do not have to scan the entire network every time. For example, if you are looking for devices with port 80 open and want to store them in a list, you can combine a few Linux tools with the "greppable output" -oG flag, which makes Nmap's output easy to process.

By running nmap -p 80 -oG - 192.168.0.0/24 (with the network range replaced by yours), you can pipe the output into awk '/80\/open/ {print $2}' >> port80.txt to write the IP addresses of the detected devices to a text file named "port80.txt".

  nmap -p 80 -oG - 192.168.0.1 | awk '/80\/open/ {print $2}' >> port80.txt
  cat port80.txt

Here, the awk command looks for lines containing the port number and the state "open" and prints the second field of each matching line (in this case, the IP address), which the redirect appends to a new file called port80.txt; cat then displays that file.
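As an added example (not part of the original tutorial), the shell function below applies the same idea to Nmap's greppable output but compares the port number exactly, because the substring pattern /80\/open/ also matches entries such as 8080/open. The -oG sample lines are constructed for the demonstration, not taken from a real scan.

```shell
#!/bin/sh
# Added example, not from the original tutorial: filter Nmap greppable (-oG)
# output for hosts with a given port open. The tutorial's awk pattern
# /80\/open/ also matches 8080/open or 180/open; hosts_with_open_port()
# splits the Ports: field and compares the port number exactly.

# Constructed -oG sample (not a real scan). Real output comes from:
#   nmap -p 80,8080 -oG - 192.168.0.0/24
# and separates fields with tabs; the parsing below works with either.
SAMPLE_OG='# Nmap 7.70 scan initiated as: nmap -p 80,8080 -oG - 192.168.0.0/24
Host: 192.168.0.1 () Status: Up
Host: 192.168.0.1 () Ports: 80/open/tcp//http///, 8080/closed/tcp//http-proxy///
Host: 192.168.0.5 () Status: Up
Host: 192.168.0.5 () Ports: 80/closed/tcp//http///, 8080/open/tcp//http-proxy///
Host: 192.168.0.35 () Status: Up
Host: 192.168.0.35 () Ports: 80/open/tcp//http///, 8080/open/tcp//http-proxy///
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 60.00 seconds'

# hosts_with_open_port PORT: reads -oG output on stdin and prints the IP
# ($2 of each Host: line) of every host whose Ports: field lists PORT as open.
hosts_with_open_port() {
  awk -v port="$1" '
    /^Host:/ && /Ports:/ {
      n = split($0, parts, "Ports: ")
      if (n < 2) next
      m = split(parts[2], entries, ", ")
      for (i = 1; i <= m; i++) {
        split(entries[i], f, "/")   # f[1] = port, f[2] = state, f[3] = proto
        if (f[1] == port && f[2] == "open") { print $2; break }
      }
    }'
}

# naive_filter PORT: the tutorial's original substring match, kept for
# comparison; it reports 192.168.0.5 for port 80 because of "8080/open".
naive_filter() {
  awk "/$1\\/open/ {print \$2}"
}

main() {
  echo "Hosts with exactly port 80 open:"
  printf '%s\n' "$SAMPLE_OG" | hosts_with_open_port 80
  echo "Hosts matched by the substring pattern /80\\/open/:"
  printf '%s\n' "$SAMPLE_OG" | naive_filter 80
}

main "$@"
```

With a real scan, replace the sample with `nmap -p 80 -oG - 192.168.0.0/24 | hosts_with_open_port 80 >> port80.txt`.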

Step 4: Identify the Operating System on Detected Devices

One of the most helpful things to know about a device we discover on a network is the operating system it is running. Here we can use the text file of targets built in the previous step and run an operating system scan, which requires root privileges. The -O flag runs the OS scan, and the -iL flag tells Nmap to read the target hosts from a text file.

  sudo nmap -O -iL port80.txt

Password:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 07:07 PST
Nmap scan report for 192.168.0.1
Host is up (0.033s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5000/tcp open     upnp
8081/tcp filtered blackice-icecap
8082/tcp filtered blackice-alerts
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=11/12%OT=80%CT=1%CU=33278%PV=Y%DS=1%DC=D%G=Y%M=407009%
OS:TM=5BE99771%P=x86_64-apple-darwin.3.3)SEQ(SP=CB%GCD=1%ISR=CD%TI=Z%CI=Z
OS:%II=I%TS=7)SEQ(SP=CE%GCD=1%ISR=CE%TI=Z%CI=Z%TS=7)OPS(O1=M5B4ST11NW2%O2=M
OS:5B4ST11NW2%O3=M5B4NNT11NW2%O4=M5B4ST11NW2%O5=M5B4ST11NW2%O6=M5B4ST11)WIN
OS:(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=390
OS:8%O=M5B4NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(
OS:R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11NW2%RD=0%Q=)T4(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.2
Host is up (0.019s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
8888/tcp open     sun-answerbook
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

Nmap scan report for 192.168.0.5
Host is up (0.064s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
8080/tcp open  http-proxy
8085/tcp open  unknown
8086/tcp open  d-s-n
8087/tcp open  simplifymedia
8088/tcp open  radan-http
8089/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 67.32 seconds

This tactic lets us gather as much OS information as possible from whatever target list we run it against, whether that is a set of internal network targets or a list of website IP addresses.

The next step is to determine the versions of the applications running on open ports. This can show us a port that is running software that is outdated and has a known vulnerability. To run this scan, you can use the flag -sV against a target.

  sudo nmap -sV 192.168.0.2 -D 192.168.0.1,192.168.0.2,192.168.0.3

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 07:29 PST
Nmap scan report for 192.168.0.2
Host is up (0.030s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
53/tcp   filtered domain
80/tcp   open     http?
8888/tcp open     upnp    MiniUPnP 1.6 (Linksys/Belkin WiFi range extender; SDK 4.1.2.0; UPnP 1.0; MTK 2.001)
MAC Address: 83:23:98:43:23:3D (Dobus International)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.24 seconds

Here we found some very specific information about our host that might let us identify a weakness in the software behind the port.

Step 5: Advanced Scans and Workarounds

Under certain circumstances, scanning a network can be difficult because the ping Nmap sends is dropped by a firewall or the router. This can result in Nmap reporting no devices even though you know they exist. To get around this, you can use the -Pn flag, which skips the ping step and sometimes lets you connect directly to devices and get a response.

If you are scanning a network where you cannot afford to be detected, you can perform a decoy scan with the -D flag, which makes it harder to identify which host is doing the scanning. An example looks like the following command and requires root privileges.

  sudo nmap -sS 192.168.0.2 -D 192.168.0.1,192.168.0.2,192.168.0.3

Password:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-12 07:26 PST
Nmap scan report for 192.168.0.2
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
53/tcp   filtered domain
80/tcp   open     http
8888/tcp open     sun-answerbook
MAC Address: 83:23:98:43:23:3D (Dobus International)

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

If you need more insight into what a scan is doing, you can press a key during the scan to get a progress update, or add -v to increase the verbosity (how much information Nmap prints). In general, you can stack more v's onto -v, depending on how frustrated or angry you are, to get still more information about what is happening.

Initiating ARP Ping Scan at 07:18
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 07:18, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:18
Completed Parallel DNS resolution of 1 host. at 07:18, 0.09s elapsed
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:18
Scanning 192.168.0.1 [1 port]
Discovered open port 80/tcp on 192.168.0.1
Completed SYN Stealth Scan at 07:18, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.0.1
Host is up, received arp-response (0.11s latency).
Scanned at 2018-11-12 07:18:34 PST for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
MAC Address: 23:78:32:76:34:90 (Dobis group)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Here we can see the reason Nmap reports port 80 as open (a SYN-ACK with TTL 64), which lets us dig into which parts of a scan a device answers and which it ignores. Be forewarned: you will see everything the scan is doing, and this can produce a great deal of output on a complicated scan.

Nmap Lights the Dark

Seeing what is on a network can be a shocking experience for beginners, whether you are new to networking or are just looking at what is attached to your router for the first time.

Remember that while scanning your own network is fine (and a great idea) for seeing what is connected to it, that kind of scan on your work network or any other network you do not own is not a good idea. If your employer watches for suspicious behavior on their networks, comprehensive scanning can easily be interpreted as threatening if you do not have a valid reason for doing it.

One of Nmap's key strengths is that it offers scriptable output options such as -oG that can be used to feed other tools. So if you ever build a tool that needs to know about the other devices on the same network, Nmap is exactly what you are looking for.

I hope you liked this tutorial on using Nmap for mapping and exploring devices on a network! If you have questions about this network scanning tutorial or have a comment, feel free to contact me via Twitter @KodyKinzie .


Cover Picture by Kody / Null Byte



