9 Network Discovery and Network Security
Unit 9: Network Discovery & IP Network Scanning
• TCP header & handshake
• Tools: Nmap and Zenmap
• Scan types in Nmap
• Initial network scanning using Nmap
• Vulnerability scanning with NSE
• Firewall and IDS evasion and spoofing
• Bulk vulnerability scanning using Nessus
TCP Header Format
Source Port: 16 bits
The source port number.
Reserved: 6 bits
Reserved for future use. Must be zero. (This is the RFC 793 layout; RFC 3168 later assigned the two low-order reserved bits to the ECN flags CWR and ECE.)
Checksum: 16 bits
Detects corruption in transit. It is the ones-complement sum of a pseudo-header (source and destination IP address, protocol number 6 and the TCP length) followed by the TCP header and data, so a segment delivered to the wrong host, or with a rewritten port or flag, fails the check as well.
TCP 3 Way Handshake
● Client → Server: SYN. The client picks its initial sequence number (ISN_c).
● Server → Client: SYN/ACK. The server picks its own ISN_s and sets the acknowledgment number to ISN_c + 1.
● Client → Server: ACK with acknowledgment number ISN_s + 1. The connection is now established.
A SYN scan stops after the second step: the SYN/ACK (or a RST) already tells the scanner whether the port is open, so the final ACK is never sent.
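The header fields and the handshake arithmetic above, worked through in code. This is an added example, not code from the original slides: it builds three TCP segments by hand (the addresses 10.0.0.5 and 10.0.0.1, ports 40000 and 80, and the initial sequence numbers 1000 and 5000 are arbitrary constructed values), verifies each checksum over the IPv4 pseudo-header, and checks that the SYN/ACK and ACK acknowledge the right sequence numbers.

```python
"""Decode TCP headers and check a three-way handshake.

Added example (not from the original slides). The three segments are built
here by hand rather than captured; the addresses 10.0.0.5/10.0.0.1, ports and
initial sequence numbers are arbitrary constructed values.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Set

# Control-flag bits in the low byte of the data-offset/flags word (RFC 793,
# with the ECN bits from RFC 3168 carved out of the old "reserved" field).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """The 12-byte IPv4 pseudo-header TCP prepends before checksumming (RFC 793 3.1)."""
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, 6, tcp_length)


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int          # header length in 32-bit words; 5 means no options
    flags: Set[str]
    window: int
    checksum: int
    urgent_ptr: int


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                  seq: int, ack: int, flags: Iterable[str], window: int = 65535) -> bytes:
    """20-byte TCP header (no options, no payload) with a correct checksum."""
    offset_flags = (5 << 12) | sum(FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the fixed 20-byte part of a TCP header."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    flags = {name for name, bit in FLAGS.items() if off_flags & bit}
    return TcpHeader(sport, dport, seq, ack, off_flags >> 12, flags, win, csum, urg)


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Re-summing pseudo-header + segment (checksum field included) must give 0."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def verify_handshake(client_ip: str, server_ip: str,
                     syn: bytes, synack: bytes, ack: bytes) -> bool:
    """True if the three segments form a valid SYN, SYN/ACK, ACK exchange."""
    c, s, a = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    mask = 0xFFFFFFFF
    return (checksum_ok(client_ip, server_ip, syn)
            and checksum_ok(server_ip, client_ip, synack)
            and checksum_ok(client_ip, server_ip, ack)
            and c.flags == {"SYN"}
            and s.flags == {"SYN", "ACK"} and s.ack == (c.seq + 1) & mask   # acks ISN_c
            and (s.src_port, s.dst_port) == (c.dst_port, c.src_port)
            and a.flags == {"ACK"} and a.seq == s.ack
            and a.ack == (s.seq + 1) & mask)                                  # acks ISN_s


# Constructed handshake: client 10.0.0.5:40000 -> server 10.0.0.1:80.
CLIENT, SERVER = "10.0.0.5", "10.0.0.1"
SYN = build_segment(CLIENT, SERVER, 40000, 80, seq=1000, ack=0, flags=["SYN"])
SYNACK = build_segment(SERVER, CLIENT, 80, 40000, seq=5000, ack=1001, flags=["SYN", "ACK"])
ACK = build_segment(CLIENT, SERVER, 40000, 80, seq=1001, ack=5001, flags=["ACK"])

if __name__ == "__main__":
    for name, seg in (("SYN", SYN), ("SYN/ACK", SYNACK), ("ACK", ACK)):
        print(name, parse_tcp(seg))
    print("handshake valid:", verify_handshake(CLIENT, SERVER, SYN, SYNACK, ACK))
```

Because the pseudo-header is part of the sum, `checksum_ok` fails if the same segment is checked against a different source address, which is why a NAT device has to rewrite the TCP checksum and not just the IP header.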
Nmap and Zenmap
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Zenmap is its official graphical front end.
Many systems and network administrators also find it useful for tasks such as:
● network inventory,
● managing service upgrade schedules, and
● monitoring host or service uptime.
SCAN TYPES:
SYN SCAN (-sS):
● Sends a single TCP SYN packet to each probed port.
● A SYN/ACK reply means a service is listening (open); a RST reply means the port is closed; no reply, or an ICMP unreachable error, is reported as filtered.
● The handshake is never completed: Nmap does not send the final ACK (the scanning host answers the SYN/ACK with a RST), so no application-level connection is opened or logged by the service. This is why it is also called a half-open scan. It needs raw-socket privileges (root).
PING SWEEP (-sn, formerly -sP):
● If you don't care which services are running and only want to know which IP addresses are up, a host-discovery sweep is a lot faster than a full port scan.
● Against remote targets a privileged Nmap does not rely on ICMP echo alone: by default it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so hosts that drop ICMP can still be found.
● Some machines are configured not to respond to any of these probes but still have services running; they look down and are skipped unless host discovery is disabled with -Pn.
● A ping sweep is therefore less accurate than a full port scan.
UDP SCAN (-sU):
● Checks for listening UDP ports by sending a UDP packet (empty, or with a protocol-specific payload for well-known ports) to each probed port.
● UDP has no handshake, so there is no positive acknowledgment like TCP's SYN/ACK.
● A closed port normally answers with an ICMP port unreachable (type 3, code 3); an open service may reply with UDP data; other ICMP unreachable codes mean filtered.
● Most open ports send nothing back to an arbitrary probe, so "no response" can only be reported as open|filtered. This ambiguity, plus ICMP rate limiting on many hosts, makes UDP scans slow and less certain than TCP scans; adding -sV helps confirm which open|filtered ports are really open.
FIN SCAN (-sF):
● A stealthy scan, like the SYN scan, but it sends a lone TCP FIN packet instead of a SYN.
● Per RFC 793 a closed port must answer a FIN with a RST while an open port silently drops it, so RST means closed and no reply means open|filtered.
● Not all stacks follow the RFC: Windows, many Cisco devices and some others return a RST from every port regardless of state, so against them every port appears closed (false negatives).
● Because the probe is not a SYN it may get under the radar of some IDS programs and simple stateless packet filters that only watch for SYNs.
NULL SCAN (-sN):
● Sets no TCP flags at all (the flag bits are all zero).
● Not a valid packet in normal traffic.
● Interpreted exactly like the FIN scan, with the same unreliable results against stacks that RST every probe; Windows systems are in this group.
XMAS SCAN (-sX):
● Sets the FIN, PSH and URG flags together ("lights the packet up like a Christmas tree"); despite the name, not every flag is set.
● Same RFC 793 logic and the same caveat as the FIN and NULL scans: Windows machines RST every probe, so all of their ports look closed.
RPC SCAN (-sR):
● Looks for machines answering RPC (Remote Procedure Call) services by sending SunRPC NULL calls to open ports and recording the RPC program name and version.
● RPC services allow remote procedures to be run on the machine under certain conditions, which is why they are worth enumerating.
● In current Nmap -sR is an alias for version detection (-sV), which includes the RPC grinder; the rpcinfo NSE script also enumerates RPC programs through the portmapper.
WINDOW SCAN (-sW):
● Sends the same ACK probes as an ACK scan, but uses an implementation quirk of some operating systems: the TCP window in the RST reply is positive for open ports and zero for closed ones, which can reveal ports an ACK scan could only call unfiltered.
● Only a minority of systems behave this way, so on most targets every port comes back as closed.
IDLE SCAN (-sI <zombie host>):
● Scans the target through a "zombie" host: Nmap spoofs probes from the zombie's address and infers open ports from changes in the zombie's predictable IP ID counter, so the target never sees packets from the scanner's own address.
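The reply-to-state rules behind the scan types above, as an added example that is not from the slides or from Nmap's source: it encodes the documented decision for each probe type (SYN, ACK, Window, FIN, NULL, Xmas, Maimon and UDP) and runs it over constructed replies, including a Windows-style host that answers RST on every port, so the false-negative caveat for FIN/NULL/Xmas scans is visible in the output.

```python
"""Port-state decisions for each Nmap scan type, fed with constructed replies.

Added example (not from the slides or from Nmap's own source). It encodes the
rules Nmap documents for how a probe's reply is turned into a port state.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Flags each probe carries. Note the Xmas scan sets FIN+PSH+URG, not every flag.
PROBE_FLAGS = {
    "syn": frozenset({"SYN"}),
    "ack": frozenset({"ACK"}),
    "window": frozenset({"ACK"}),
    "fin": frozenset({"FIN"}),
    "null": frozenset(),
    "xmas": frozenset({"FIN", "PSH", "URG"}),
    "maimon": frozenset({"FIN", "ACK"}),
}

# ICMP destination-unreachable (type 3) codes Nmap reads as "filtered":
# net, host, protocol, port unreachable; net/host admin prohibited; comm. prohibited.
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3


@dataclass(frozen=True)
class Reply:
    """What came back for one probe. kind is 'tcp', 'udp' or 'icmp'."""
    kind: str
    tcp_flags: FrozenSet[str] = frozenset()
    tcp_window: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def _icmp_unreachable(reply: Optional[Reply]) -> bool:
    return (reply is not None and reply.kind == "icmp" and reply.icmp_type == 3
            and reply.icmp_code in ICMP_FILTERED_CODES)


def classify(scan: str, reply: Optional[Reply]) -> str:
    """Return the state Nmap would print for this scan type and reply (None = no reply)."""
    if scan not in PROBE_FLAGS and scan != "udp":
        raise ValueError("unknown scan type: %s" % scan)
    rst = reply is not None and reply.kind == "tcp" and "RST" in reply.tcp_flags
    synack = reply is not None and reply.kind == "tcp" and {"SYN", "ACK"} <= reply.tcp_flags

    if scan == "udp":
        if reply is None:
            return "open|filtered"          # silent: could be open or dropped by a filter
        if reply.kind == "udp":
            return "open"
        if reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code == ICMP_PORT_UNREACHABLE:
            return "closed"
        return "filtered" if _icmp_unreachable(reply) else "open|filtered"

    if _icmp_unreachable(reply):
        return "filtered"

    if scan == "syn":
        if synack:
            return "open"
        return "closed" if rst else "filtered"

    if scan == "ack":                        # only tells filtered from unfiltered
        return "unfiltered" if rst else "filtered"

    if scan == "window":                     # RST window size separates open/closed on some stacks
        if not rst:
            return "filtered"
        return "open" if reply.tcp_window > 0 else "closed"

    # fin / null / xmas / maimon: RFC 793 says closed ports RST, open ports stay silent
    return "closed" if rst else "open|filtered"


def classify_sweep(scan: str, replies: dict) -> dict:
    """Classify a {port: reply} map from one host."""
    return {port: classify(scan, reply) for port, reply in sorted(replies.items())}


# Constructed replies from a Linux-like target: 22 open, 80 closed, 443 filtered.
RST = Reply("tcp", frozenset({"RST", "ACK"}))
SYNACK = Reply("tcp", frozenset({"SYN", "ACK"}), tcp_window=29200)
PORT_UNREACH = Reply("icmp", icmp_type=3, icmp_code=3)
ADMIN_PROHIB = Reply("icmp", icmp_type=3, icmp_code=13)

LINUX_SYN_REPLIES = {22: SYNACK, 80: RST, 443: None}
LINUX_FIN_REPLIES = {22: None, 80: RST, 443: None}
# A Windows stack answers RST on every port, open or not, so a FIN scan
# reports the open port 22 as closed: the false negative described above.
WINDOWS_FIN_REPLIES = {22: RST, 80: RST, 443: None}

if __name__ == "__main__":
    print("SYN scan, Linux:", classify_sweep("syn", LINUX_SYN_REPLIES))
    print("FIN scan, Linux:", classify_sweep("fin", LINUX_FIN_REPLIES))
    print("FIN scan, Windows:", classify_sweep("fin", WINDOWS_FIN_REPLIES))
```

Compare the Linux and Windows FIN-scan results: the same open port 22 comes back open|filtered on one and closed on the other, which is why stealth scans need a known-good reference host before their results are trusted.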
nmap 10.0.0.1
Scan a single host IP
nmap 192.168.10.0/24
Scan a /24 subnet (256 addresses, 192.168.10.0 through 192.168.10.255)
nmap 10.1.1.5-100
Scan the range of IPs from 10.1.1.5 up to 10.1.1.100
nmap www.somedomain.com
First resolve the IP of the domain and then scan that IP address
nmap -p80 10.1.1.1
Scan only port 80 on the specified host
-sS: TCP SYN scan (the default when running as root). Sends only a TCP SYN and waits for the reply: a SYN/ACK means the port is open, a RST means it is closed, and no reply means it is filtered. Fast and accurate; requires raw-socket privileges.
-sT: TCP connect scan (the default without root). Completes the full TCP handshake through the operating system's connect() call, so it needs no special privileges, but it is slower, noisier and far more likely to be logged by the target application than a SYN scan.
-sP: Host discovery only, now spelled -sn (-sP is kept as an alias). Quickly lists which hosts reply to the default discovery probes (ICMP echo, plus a TCP SYN to 443 and a TCP ACK to 80 when privileged; ARP requests on the local Ethernet segment). Useful when you are on the same subnet as the scanned range and just want a fast count of live hosts.
nmap -sV 10.1.1.1
Version detection of the services on open ports
nmap -O 10.1.1.1
Identify the operating system by TCP/IP stack fingerprinting (requires root)
nmap -A 10.1.1.1
Aggressive scan: combines OS detection (-O), service version detection (-sV), default script scanning (-sC) and traceroute (--traceroute).
Example:
To detect the Heartbleed vulnerability (CVE-2014-0160) on HTTPS servers across a subnet
nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24
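Once a scan like the ones above has run, the practical next step is to get its results into a report or a follow-up tool, and the machine-readable form for that is `-oX` XML output. The following is an added example, not code from the slides or from the Nmap project: a parser for Nmap's XML output that lists up hosts, open ports with version banners, and any NSE script result whose `State:` line reports a vulnerability (the format the `vulns` library, used by `ssl-heartbleed`, prints). `SAMPLE_XML` is a constructed document in the shape Nmap writes; the hosts, versions and script output in it are made up, not real scan results.

```python
"""Parse Nmap XML output (-oX) into hosts, open ports, versions and NSE results.

Added example, not from the original slides or from the Nmap project. SAMPLE_XML
is a constructed document in the shape `nmap -sV -p 22,80,443 --script
ssl-heartbleed -oX - 10.1.1.0/30` would write; the hosts, versions and script
output are made up, not real scan results.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -p 22,80,443 --script ssl-heartbleed -oX - 10.1.1.0/30" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.1.1.1" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="http" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="https" product="Apache httpd" version="2.2.15" method="probed" conf="10"/>
        <script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug is a serious vulnerability in OpenSSL&#10;    State: VULNERABLE&#10;    Risk factor: High"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.1.1.2" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="12.30"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

# NSE's vulns library prints "State: VULNERABLE", "State: LIKELY VULNERABLE"
# or "State: NOT VULNERABLE"; only the first two are findings.
VULN_STATE = re.compile(r"State:\s+(LIKELY\s+)?VULNERABLE")


@dataclass
class Port:
    proto: str
    number: int
    state: str
    service: str = ""
    product: str = ""
    version: str = ""
    scripts: Dict[str, str] = field(default_factory=dict)   # script id -> output


@dataclass
class Host:
    addr: str
    hostname: str = ""
    ports: List[Port] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Return one Host per host Nmap reports as up; down hosts are skipped."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "")
        hn = h.find("hostnames/hostname")
        host = Host(addr, hn.get("name", "") if hn is not None else "")
        for p in h.findall("ports/port"):
            svc = p.find("service")
            port = Port(p.get("protocol"), int(p.get("portid")), p.find("state").get("state"))
            if svc is not None:
                port.service = svc.get("name", "")
                port.product = svc.get("product", "")
                port.version = svc.get("version", "")
            port.scripts = {s.get("id"): s.get("output", "") for s in p.findall("script")}
            host.ports.append(port)
        hosts.append(host)
    return hosts


def open_ports(host: Host) -> List[int]:
    """Port numbers reported open (open|filtered is excluded on purpose)."""
    return [p.number for p in host.ports if p.state == "open"]


def banner(port: Port) -> str:
    """Service line as you would put it in a report, e.g. 'ssh OpenSSH 7.4'."""
    return " ".join(x for x in (port.service, port.product, port.version) if x)


def vulnerable_findings(hosts: List[Host]) -> List[Tuple[str, int, str]]:
    """(address, port, script id) for every NSE result whose State line says vulnerable."""
    return [(h.addr, p.number, sid)
            for h in hosts for p in h.ports
            for sid, out in p.scripts.items() if VULN_STATE.search(out)]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h.addr, h.hostname, [banner(p) for p in h.ports if p.state == "open"])
    print("findings:", vulnerable_findings(parse_nmap_xml(SAMPLE_XML)))
```

Feed it real output with `nmap ... -oX scan.xml` and `parse_nmap_xml(open("scan.xml").read())`; matching on the `State:` line rather than on the word VULNERABLE alone matters, because "NOT VULNERABLE" results would otherwise be counted as findings.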
Nmap: NSE Scripts
Script categories (select with --script <category>, for example --script vuln):
auth: NSE scripts related to user authentication.
brute: Scripts that help conduct brute-force password auditing.
default: Scripts executed by a script scan (-sC, or -A).
discovery: Scripts related to host and service discovery.
dos: Scripts related to denial-of-service attacks; they may take the service down.
exploit: Scripts that actively exploit security vulnerabilities.
external: Scripts that depend on a third-party service, and therefore send target data off-host.
fuzzer: NSE scripts focused on fuzzing.
intrusive: Scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive go here.
malware: Scripts related to malware detection.
safe: Scripts that are considered safe in all situations.
version: Scripts for advanced version detection, run as part of -sV.
vuln: Scripts that check for specific known vulnerabilities and generally report only when one is found.
Firewall/IDS Evasion
-f (fragment packets); --mtu <value> (use the specified MTU)
● Splits each probe into tiny IP fragments: -f carries 8 bytes of data after the IP header (so a 20-byte TCP header is spread across three fragments), -ff carries 16, and --mtu sets your own size, which must be a multiple of 8. A filter or IDS that does not reassemble fragments never sees the whole TCP header in one packet.
-D <decoy1,decoy2[,ME],...> (cloak the scan with decoys); -S <IP address> (spoof the source address)
● Spoof the scan to make the targets think that someone else is scanning them: decoys send the same probes from forged addresses alongside your real ones, while -S forges the source address outright (replies then never reach you, so it is normally combined with -e and -Pn).
--source-port <portnumber>; -g <portnumber> (Spoof source port number)
● Useful against stateless filters that blindly allow traffic from "trusted" source ports such as 53 (DNS) or 20 (FTP-data).
--data-string <string> (Append a custom string to sent packets)
Ex:
--data-string "Scan conducted by Lucideus Security, extension 7192"
--data-length <number> (Append random data to sent packets)
● TCP packets are normally 40 bytes (20-byte IP header plus 20-byte TCP header) and ICMP echo requests just 28.
● Some UDP ports and IP protocols get a custom payload by default.
● This option tells Nmap to append the given number of random bytes to most of the packets it sends, and not to use any protocol-specific payloads.
● Slows things down a little, but can make a scan slightly less conspicuous, since IDS signatures often key on the default packet sizes.
--ttl <value> (Set IP time-to-live field)
Sets the IPv4 time-to-live field in sent packets to the given value.
--proxies <Comma-separated list of proxy URLs> (Relay TCP connections through a chain of proxies)
Implemented in Nmap's connection library, so it affects only NSE scripts and version detection; host discovery, port scanning and OS detection still go out from your real address.
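What -f actually does to a probe, as an added example that is not Nmap's code: it builds a constructed IPv4 packet (10.0.0.5 to 10.0.0.1, carrying a TCP SYN to port 22 whose TCP checksum is left at zero because only the IP layer matters here), splits it into 8-byte fragments with correct offsets, MF flags and IP checksums, reassembles them, and shows which TCP fields a stateless filter could read from each fragment on its own.

```python
"""Fragment an IPv4 packet into 8-byte pieces the way `nmap -f` does, then
reassemble it and show what each fragment exposes to a stateless filter.

Added example, not Nmap's code. The packet is constructed here: a 20-byte IPv4
header (10.0.0.5 -> 10.0.0.1) carrying a 20-byte TCP SYN to port 22 whose
checksum is left at zero because only the IP layer matters for this demo.
"""
import struct
from typing import Dict, List

IP_MF = 0x2000               # "more fragments" bit in the flags/fragment-offset word
TCP_FLAGS_OFFSET = 13        # byte of the TCP header that holds the control flags
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _with_checksum(ip_header: bytes) -> bytes:
    """Return the header with its checksum field (bytes 10-11) recomputed."""
    zeroed = ip_header[:10] + b"\x00\x00" + ip_header[12:]
    return zeroed[:10] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[12:]


def build_ipv4(src: bytes, dst: bytes, payload: bytes, ident: int = 0x1234, proto: int = 6) -> bytes:
    """Minimal IPv4 header (IHL=5, TTL 64, DF clear) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0, src, dst)
    return _with_checksum(hdr) + payload


def fragment(packet: bytes, frag_bytes: int = 8) -> List[bytes]:
    """Split into fragments carrying frag_bytes of payload each.

    -f is frag_bytes=8, -ff is 16, --mtu N is N-20; like Nmap, reject sizes
    that are not multiples of 8, since the offset field counts 8-byte units.
    """
    if frag_bytes <= 0 or frag_bytes % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    ihl = (packet[0] & 0x0F) * 4
    hdr, payload = packet[:ihl], packet[ihl:]
    frags = []
    for off in range(0, len(payload), frag_bytes):
        chunk = payload[off:off + frag_bytes]
        more = off + len(chunk) < len(payload)
        flags_off = (IP_MF if more else 0) | (off // 8)
        fh = (hdr[:2] + struct.pack("!H", ihl + len(chunk)) + hdr[4:6]
              + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(_with_checksum(fh) + chunk)
    return frags


def reassemble(frags: List[bytes]) -> bytes:
    """Rebuild the original datagram from fragments sharing one IP ID (any order)."""
    ordered = sorted(frags, key=lambda f: struct.unpack("!H", f[6:8])[0] & 0x1FFF)
    ihl = (ordered[0][0] & 0x0F) * 4
    ident = ordered[0][4:6]
    if any(f[4:6] != ident for f in ordered):
        raise ValueError("fragments belong to different datagrams")
    if struct.unpack("!H", ordered[-1][6:8])[0] & IP_MF:
        raise ValueError("last fragment missing")
    payload = b"".join(f[ihl:] for f in ordered)
    hdr = ordered[0][:ihl]
    hdr = hdr[:2] + struct.pack("!H", ihl + len(payload)) + hdr[4:6] + b"\x00\x00" + hdr[8:]
    return _with_checksum(hdr) + payload


def visible_tcp_fields(frag: bytes) -> Dict[str, object]:
    """What a filter that does not reassemble can read from this one fragment."""
    ihl = (frag[0] & 0x0F) * 4
    offset = (struct.unpack("!H", frag[6:8])[0] & 0x1FFF) * 8   # first TCP byte carried
    data = frag[ihl:]
    seen: Dict[str, object] = {}
    if offset == 0 and len(data) >= 4:
        seen["sport"], seen["dport"] = struct.unpack("!HH", data[:4])
    if offset <= TCP_FLAGS_OFFSET < offset + len(data):
        bits = data[TCP_FLAGS_OFFSET - offset]
        seen["flags"] = {n for b, n in TCP_FLAG_NAMES.items() if bits & b}
    return seen


def demo_packet() -> bytes:
    """Constructed: TCP SYN 10.0.0.5:40000 -> 10.0.0.1:22, TCP checksum zero."""
    tcp_syn = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return build_ipv4(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), tcp_syn)


if __name__ == "__main__":
    pkt = demo_packet()
    for i, f in enumerate(fragment(pkt), 1):
        print("fragment", i, len(f), "bytes:", visible_tcp_fields(f))
    print("reassembled matches original:", reassemble(fragment(pkt)) == pkt)
```

With 8-byte fragments the ports land in the first fragment and the SYN flag in the second, so a rule like "drop SYN to port 22" never matches a single packet; a firewall or IDS defeats this only by reassembling (or by dropping fragments outright), which is the check to confirm on the defending side.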
Nessus
Nessus Scanner
Nessus is Tenable's vulnerability scanner, used here for bulk vulnerability scanning of the hosts and services found with Nmap. Start the scanner daemon, then log in to its web interface on https://localhost:8834 to configure and launch scans:
/etc/init.d/nessusd start
(On systemd-based distributions the daemon is managed as the nessusd service through systemctl rather than the init script.)
Thank you