
NMAP - A Stealth Port Scanner--reference

Published: 2021-01-30 02:18:15 | Column: Linux | Source: compiled from the web
Summary: http://nmap.org/bennieston-tutorial/ Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different be

Now, onto 10.0.0.5...

    [chaos]# nmap -sS -P0 -A -v 10.0.0.5

    Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:35 BST
    Initiating ARP Ping Scan against 10.0.0.5 [1 port] at 14:35
    The ARP Ping Scan took 0.01s to scan 1 total hosts.
    DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, CN: 0]
    Initiating SYN Stealth Scan against 10.0.0.5 [1672 ports] at 14:35
    The SYN Stealth Scan took 35.72s to scan 1672 total ports.
    Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Host 10.0.0.5 appears to be up ... good.
    All 1672 scanned ports on 10.0.0.5 are: filtered
    MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
    Too many fingerprints match this host to give specific OS details
    TCP/IP fingerprint:
    SInfo(V=4.01%P=i686-pc-linux-gnu%D=7/14%Tm=44B79DC6%O=-1%C=-1%M=00142A)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap finished: 1 IP address (1 host up) scanned in 43.855 seconds
                   Raw packets sent: 3369 (150KB) | Rcvd: 1 (42B)

No open ports, and Nmap couldn't detect the OS. This suggests that it is a firewalled or otherwise protected system, with no services running (and yet it responded to ping sweeps).

We now have rather more information about this network than we did when we started, and can guess at several other things based on these results. Using that information, and the more advanced Nmap scans, we can obtain further scan results which will help to plan an attack, or to fix weaknesses, in this network.

This section was added as an extra to the original tutorial as it became popular and some questions were asked about particular aspects of an nmap scan. I’ll use this part of the tutorial to merge some of those into the main tutorial itself.

This question assumes you used a scan command along the lines of:

    nmap -sS -P0 -p 1-140 -O -D xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx -sV xxx.xx.xxx.xxx

Note: Each xxx corresponds to an octet of the IP address/addresses. This is instructing NMAP to run a Stealth scan (-sS) without pinging (-P0) on ports 1 to 140 (-p 1-140), to use OS Detection (-O) and to use Decoys (-D). The three comma-separated IPs are the decoy IPs to use. It also specifies to use version scanning (-sV), which attempts to determine precisely which program is running on a port.

Now, here's the analysis of this command: A stealth scan (-sS) is often picked up by most firewalls and IDS systems nowadays. It was originally designed to prevent logging of a scan in the logs for whatever server is running on the port the scanner connects to. In other words, if the scan connects to port 80 to test if it's open, Apache (or whatever other webserver they may be using) will log the connection in its logfiles.

The -sS scan option doesn't make a full TCP connect (which can be achieved with the -sT option, or by not running as root) but resets the connection before it can be fully established. As such, most servers will not log the connection, but an IDS or firewall will recognise this behaviour (in repeated cases) as typical of a port scan. This will mean that the scan shows up in firewall or IDS logs and alerts. There are few ways around this, to be honest. Most firewall/IDS software nowadays is quite good at detecting these things, particularly if it's running on the same host as the victim (the system you are scanning).

Note also that decoys will not prevent your IP showing entirely; it just lists the others as well. A particularly well designed IDS may even be able to figure out which is the real source of the scans.

Where speed of scan isn't essential, the -P0 option is a good idea. Nmap gains timing information from pinging the host, and can often complete its scans faster with this information, but the ping packets will be sent to the victim from your IP, and any IDS worth its CPU cycles will pick up on the pattern of a few pings followed by connects to a variety of ports. -P0 also allows scanning of hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by in-kernel settings).

I mentioned timing in the above paragraph. You can use the -T timing option to slow the scan down. The slower a scan is, the less likely it is to be detected by an IDS. There are bound to be occasional random connects occurring: people type an IP in wrong, or try to connect and their computer crashes half way through the connect. These things happen, and unless an IDS is configured extremely strictly, they generally aren't reported (at least, not in the main alert logs; they may be logged if logging of all traffic is enabled, but typically these kinds of logs are only checked if there's evidence of something going on). Setting the timing to -T 0 or -T 1 (Paranoid or Sneaky) should help avoid detection. As mentioned in my main tutorial, you can also set timing options for each aspect of a scan,
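To show the defender's side of the last three paragraphs, here is an added example (not from the original tutorial or from Nmap) of the kind of threshold rule a firewall or IDS applies: it reads constructed records of bare TCP SYNs, counts the distinct destination ports each source hits inside a sliding time window, and flags sources that exceed a threshold. The record format, the window and the threshold are assumptions; the constructed traffic contrasts a fast -sS burst with a Paranoid-paced scan, and adds a decoy source to show that decoys are simply flagged alongside the real scanner.

```python
# Added example (not from the tutorial): minimal sliding-window SYN-scan detector.
# Assumed record format: (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags).
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # how far back the detector looks (assumed value)
PORT_THRESHOLD = 15   # distinct ports inside the window that raise an alert (assumed)


def detect_syn_scans(records, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {src_ip: timestamp at which that source was first flagged}."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dst_port) still inside the window
    flagged = {}
    for ts, src, _dst, dport, flags in sorted(records):
        if flags != "S":          # only bare SYNs (no ACK) are half-open probes
            continue
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def synthetic_scan(src, start, ports, interval):
    """Constructed SYNs from src to 10.0.0.5, one per port, `interval` seconds apart."""
    return [(start + i * interval, src, "10.0.0.5", p, "S") for i, p in enumerate(ports)]


if __name__ == "__main__":
    ports = range(1, 141)                                   # the -p 1-140 range from the text
    fast = synthetic_scan("192.0.2.10", 0.0, ports, 0.05)   # fast -sS style burst
    decoy = synthetic_scan("198.51.100.7", 0.0, ports, 0.05)  # a -D decoy sending the same burst
    slow = synthetic_scan("192.0.2.20", 0.0, ports, 300.0)  # Paranoid pacing, one SYN per 5 min
    print(detect_syn_scans(fast + decoy + slow))
    # flags 192.0.2.10 and the decoy 198.51.100.7; the slow source never fills the window
```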

(Editor: Wenzhou Webmaster Network)
