
05 November 2009

Nmap Network Scanning

➪ (Under editing...)

  • Proactive management can help find issues before they turn into serious problems and cause network downtime or compromise of confidential data.
  • Attackers will not wait a week or month to exploit a newly exposed vulnerability, so I can't wait that long to find and patch it either.
  • ...I had to know whenever a router or firewall access control list was misconfigured or a host was publicly sharing inappropriate content.
    • It's worth reiterating that you must remember to only use network scanning if you have permission and the law is on your side. Always make certain you have permission, or use your own private network to experiment with Nmap or any other security tools. Fyodor has granted users permission to scan; that permission includes only scanning via Nmap, not exploit testing or Denial of Service (DoS) attacks. Fyodor requests that you limit your scanning to no more than a dozen scans per day.
     "better safe than sorry"

    Introducing Network Scanning

    About ten years ago I was working as a Network Administrator managing a medium-sized network. One of my first tasks in this position was to create a network asset database for all network devices. We already had a high-priced, although functionally deficient, network management tool that just wasn't making the cut.
    Using the output from the management tool as a starting point, I began painstakingly connecting to each network device and documenting them to inventory the network. This also involved a lot of hours physically traversing buildings, basements, and wiring closets. Finally, it seemed that I had visited every nook and cranny and identified every router, bridge, switch, hub, and archaic telecommunications device retrofitted to the network.
    For security, I wrote a UNIX script to connect to the known devices, disable physical ports that weren't being used, and enable security features on the devices. This is when things started to get complicated. Suddenly the help desk phones started ringing and people were complaining of lost network connectivity. Alas, there were even more devices out there that we didn't know about! Luckily the UNIX script was easily reversible.
    After hearing my woes that evening, a "hacker" friend of mine pointed out a new tool for scanning networks that he had read about in Phrack magazine. It was a bit controversial, but it was free and it looked like it could do the job. The next day became my first experience with Nmap, a network scanner, and since that day it has been making my life a whole lot easier.

    Windows Operating Systems and nmap

    Although Windows-based operating systems exist on a majority of systems throughout the world, the inner workings of Windows have become somewhat of an irritation for developers of network-related software.
    Microsoft's implementation of the TCP/IP stack is a bit idiosyncratic, and additional operational restrictions introduced with Microsoft Windows XP Service Pack 2 have created ongoing challenges for the developers of these powerful applications. Many of the most recent issues are based on Microsoft's implementation of raw sockets.
    Raw sockets are methods built into the operating system that allow a developer to bypass the normal TCP/IP processing of the kernel. This means that programmers can create customized (or raw) TCP/IP frames, a functionality that's critical for security programs.
    Many of nmap's functions make extensive use of these raw sockets. With Windows XP Service Pack 2 (SP2), Microsoft removed the ability to create TCP frames through the raw sockets Application Programming Interface (API). UDP packets with spoofed IP addresses are also prevented with SP2.
    To work around these SP2 raw socket issues, nmap was modified to create raw Ethernet frames instead of raw TCP/IP frames. This fix allows most of the nmap options to work properly, although nmap's raw socket functions can now only create frames on Ethernet networks.
    Microsoft also implemented another TCP/IP stack change in Windows XP SP2 that limits the number of simultaneous outbound TCP connections. This has a chilling effect on nmap's TCP connect() scan (-sT), since this scan normally creates many TCP connections. There is at least one non-Microsoft patch that removes this limitation, but the use of this patch is outside the scope of this text. The nmap-hackers mailing list archive has more information on Microsoft's changes and some of the workarounds.
    These stack changes were also part of Microsoft patch MS05-019, relating to Microsoft Knowledge Base article KB893066, "Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service." Even if a Windows XP system hasn't installed Service Pack 2 but has still performed the normal security updates, it may exhibit these problems with raw sockets because of MS05-019. It seems clear that these stack revisions may change without notice, so it's highly recommended to stay tuned to the nmap-hackers mailing list.
    Creating powerful security tools for Windows-based systems will continue to be an ongoing challenge, but it appears that the nmap developers have worked through many of the current issues.
    From past experience, it appears that Windows-based operating systems may not be the best choice for applications such as nmap. Other operating systems have some significant advantages over Windows-based environments when unfettered network access is required for the most efficient network scanning.

    Is nmap Good or Evil?
    The bad guys are already using nmap for reconnaissance, because a single scan can tell you a lot about the open doors and windows in a computer's house. What the bad guys do once they have this information is why they are called the "bad guys."
    The good guys are using nmap to make their network safer:
    • The network management team uses nmap to identify unknown IP addresses that appear in reports or in a network analysis trace.
    • The security team uses nmap to scan the internal network for a specific open port that might help to identify the extent of a spyware infestation.
    • The client desktop team uses nmap to inventory a remote location to ensure that all known systems are identified and properly patched against future security concerns.
    Nmap is a powerful tool, and its power brings responsibility. Some of nmap's scanning techniques can disable or disrupt production applications. I've personally crashed previously stable applications with a single nmap scan. Many security managers tend to frown on unauthorized users poking around on their network.
    If you employ nmap, be sure to use it with the knowledge and permission of the network owners.
    Fyodor's nmap man page states that he's used nmap to scan hundreds of thousands of machines, and he's only received one complaint during that time. If the network management and security world has a problem with nmap, they appear to be uncharacteristically quiet regarding its use. It seems that the industry feels that nmap does far more to promote better security than to harm the network.
    This text was written from the perspective of the security team, because it is the security team that is managing some of the largest technological responsibilities that our industry has ever experienced. Our networks really are a Wild West. The security group is always scrambling for methods to combat these constantly increasing and evolving threats.

    What is Network Scanning?
    Network scanning is the process of discovering:
    1. active hosts on the network, and
    2. information about those hosts, such as:
      1. operating system
      2. active ports
      3. services and applications running on the hosts.
    Network scanning is comprised of the following four basic techniques:
    • Network Mapping: sending messages to a host that will generate a response if the host is active
    • Port Scanning: sending messages to a specified port to determine if it is active
    • Service and Version Detection: sending specially crafted messages to active ports to generate responses that will indicate the type and version of the service running
    • OS Detection: sending specially crafted messages to an active host to generate responses that will indicate the type of operating system running on the host
    In addition to these basic techniques, advanced network scanners can perform other techniques for evasion and reporting, such as:
    • masking the origin of the scanning
    • enabling timing features for stealthy scans
    • evading perimeter defenses such as firewalls, and
    • providing reporting options.
    The following is an example of the type of output you would expect from a network scan:

    Host is responding
    Open ports include:
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    3389/tcp open ms-term-serv
    8081/tcp open blackice-icecap
    The operating system is Windows XP SP2

    The terms device, host, and system may be used interchangeably in this context.
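As an added example (not code from the original post or from nmap itself), the Python script below parses scan output of the shape shown above and compares the open ports against an approved baseline, the kind of check the asset-database story earlier in this post calls for: anything open that is not in the baseline is flagged for investigation, and anything approved that is not responding is flagged as missing. The sample output and the baseline set are constructed for illustration.

```python
import re

# Constructed sample in the shape of the scan output shown above; not a real scan.
SAMPLE_SCAN = """\
Host is responding
Open ports include:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
8081/tcp open blackice-icecap
The operating system is Windows XP SP2
"""

# Hypothetical approved-port baseline for a Windows XP desktop, as an asset database might hold it.
BASELINE = {(135, "tcp"), (139, "tcp"), (445, "tcp")}

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)$")
OS_LINE = re.compile(r"^The operating system is (.+)$")


def parse_scan(text):
    """Return (open_ports, os_guess); open_ports maps (port, proto) -> service name."""
    open_ports = {}
    os_guess = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            if state == "open":  # closed/filtered lines, if present, are ignored
                open_ports[(int(port), proto)] = service
            continue
        m = OS_LINE.match(line)
        if m:
            os_guess = m.group(1)
    return open_ports, os_guess


def compare_to_baseline(open_ports, baseline):
    """Split ports into expected (approved and open), unexpected (open, not approved) and missing (approved, not open)."""
    observed = set(open_ports)
    return {
        "expected": sorted(observed & baseline),
        "unexpected": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
    }


def report(text, baseline=BASELINE):
    """One line per finding, suitable for a ticket or a log entry."""
    open_ports, os_guess = parse_scan(text)
    result = compare_to_baseline(open_ports, baseline)
    lines = [f"os: {os_guess or 'unknown'}"]
    for port, proto in result["unexpected"]:
        lines.append(f"UNEXPECTED {port}/{proto} ({open_ports[(port, proto)]}) - not in baseline, investigate")
    for port, proto in result["missing"]:
        lines.append(f"MISSING {port}/{proto} - approved service not responding")
    return lines
```

Running `report(SAMPLE_SCAN)` on the sample flags 3389/tcp and 8081/tcp as unexpected, which is exactly the "extent of an infestation" question the security team asks.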

    Networking and Protocol Fundamentals

    Here I provide a little background information on how networks and protocols work. There are, however, many other excellent resources available (such as TCP/IP Illustrated, Vol. 1-3, written by Richard Stevens).

    Explaining Ethernet
    Ethernet is the most popular protocol standard used to enable computers to communicate. Ethernet was built around the principle of a shared medium, where all computers on the local network segment share the same cable. It is known as a broadcast protocol because it sends data to all other computers on the same network segment. This information is divided up into manageable chunks called packets, and each packet has a header containing the addresses of both the
    • destination and
    • source computers.
    Even though this information is sent out to all computers on a segment, only the computer with the matching destination address responds. All of the other computers on the network still see the packet, but if they are not the intended receiver they disregard it.

    Ethernet addresses are also known as Media Access Control (MAC) addresses or hardware addresses. Because many computers may share a single Ethernet segment, each one must have an individual identifier hard-coded onto the network interface card (NIC, or network adapter). The following steps allow you to view your NIC's MAC address:
    • Windows 9x/ME: Access Start | Run and type winipcfg.exe. The MAC address will be listed as the "Adapter Address."
    • Windows NT, 2000, XP, and 2003: Access the command line and type ipconfig /all. The MAC address will be listed as the "Physical Address."
    • Linux, Solaris, Macintosh OS X: Type ifconfig -a at the command line. The MAC address will be listed as "HWaddr" on Linux and as "ether" on Solaris and "Ether" on Mac OS X.
    You can also view the MAC addresses of other computers that you have recently communicated with by typing the command arp -a (display the ARP cache). The Address Resolution Protocol (ARP) is responsible for mapping IP addresses to MAC addresses.

    $ arp -a alicegate
    alicegate ( at 00:22:33:64:2e:94 [ether] on eth1

    In the example above I want to see the MAC address of the host alicegate. Before sending an explicit ARP request to the LAN, my host (on the eth1 network interface) first looks in its own ARP cache for the requested MAC. Only if the entry is not found there does it send an ARP request to the LAN.

    MAC addresses are unique, and no two computers (at least not on the same segment) should have the same one. However, occasionally a manufacturing error may occur that causes more than one NIC to have the same MAC address. People may also choose to change their MAC addresses intentionally, which can be done with a program (e.g., ifconfig) that allows you to fake your MAC address.
    Faking your MAC address (and other types of addresses) is also known as spoofing.
    Also, some adapters allow you to use a program to reconfigure the runtime MAC address. And lastly, with the right tools and skill you can physically re-burn the address into the NIC.
    NOTE: Spoofing is the process of altering network packet information (e.g., the IP source address, the MAC address, or the e-mail address). This is often done to masquerade as another device in order to exploit a trust relationship, or to make tracing the source of attacks difficult. Address spoofing is also used in DoS attacks (e.g., Smurf), where the return addresses of network requests (the addresses the replies are sent to) are spoofed to be the IP address of the victim.

    Understanding the Open Systems Interconnection(ISO/OSI) Model

    The International Standards Organization (ISO) developed the Open Systems Interconnection (OSI) model in the early 1980s to describe how network protocols and components work together.
    It divides network functions into seven layers, each layer representing a group of related specifications, functions, and activities (see the figure above). Although complicated at first, the terminology is used extensively in the networking, systems, and development communities.
    Understanding what these layers represent and how they work together will facilitate your comprehension of network scanning. The OSI model is not necessarily reflective of the way that applications and OSes are actually written.
    In fact, some security tools use the differences between protocol implementations to extract information from computers, including their OSes and the specific patches and service packs that may have been installed. Ideally, the way all computers using TCP/IP initiate network conversations would be identical regardless of operating system, software version, or hardware manufacturer. In the networking world, however, not every system works exactly the same way. Although these minor differences would usually be considered problematic, nmap takes advantage of these anomalies to provide additional information about the remote system.
    Linus Torvalds, project coordinator for the Linux kernel, in an e-mail dated September 29, 2005, says: "We still talk about the seven layers model, because it's a convenient model for discussion, but that has absolutely zero to do with any real-life software engineering. In other words, it's a way to talk about things, not to implement them. And that's important. Specs are a basis for talking about things. But they are not a basis for implementing software."

    Layer 1: Physical
    The first layer of the OSI model is the Physical layer, which specifies the electrical and mechanical requirements for transmitting data bits across the transmission medium (cable or airwaves). It involves sending and receiving the data stream on the carrier, whether that carrier uses electrical (cable), light (fiber optic), radio, infrared, or laser (wireless) signals. The Physical layer specifications include:
    • Voltage changes
    • The timing of voltage changes
    • Data rates
    • Maximum transmission distances
    • The physical connectors to the transmission medium (plug)
    • The topology or physical layout of the network
    Many complex issues are addressed at the Physical layer, including
    • digital vs. analog signaling,
    • baseband vs. broadband signaling,
    • whether data is transmitted synchronously or asynchronously,
    • how signals are divided into channels (multiplexing).
    Devices that operate at the Physical layer deal with signaling (e.g., transceivers on the NIC, repeaters, basic hubs, and simple connectors that join segments of cable).
    The data handled by the Physical layer is in bits, 1s (ones) and 0s (zeros), which are represented by pulses of light or by voltage changes of electricity, and by the state of those pulses (by convention, "on" generally representing 1 and "off" generally representing 0).
    How these bits are arranged and managed is a function of the Data Link layer (layer 2) of the OSI model.

    Layer 2: Data Link
    Layer 2 is the Data Link layer, which:
    • is responsible for maintaining the data link between two computers, typically called hosts or nodes;
    • defines and manages the ordering of bits into and out of packets. Frames contain data arranged in an organized manner, which provides an orderly and consistent method of sending data bits across the medium. Without such control, the data would be sent in random sizes or configurations and the data on one end could not be decoded at the other end;
    • manages the physical addressing and synchronization of the data packets;
    • is responsible for flow control (the process of managing the timing of sending and receiving data so that it doesn't exceed the capacity of the physical connection or host); and
    • handles error notification from the Physical layer (since the Physical layer is only responsible for physically moving the data onto and off of the network medium, the Data Link layer also receives and manages error messaging related to the physical delivery of packets).
    Network devices that operate at this layer include layer 2 switches and bridges. A layer 2 switch decreases network congestion by sending data out only on the port that the destination computer is attached to, instead of sending it out on all ports (as hubs do). Bridges provide a way to segment a network into two parts and filter traffic, by building tables that define which computers are located on each side of the bridge, based on their MAC addresses.
    Conversely, bridges can also be used to join separate networks and allow traffic to pass between them.

    The Data Link layer is divided into two sublayers: the Logical Link Control (LLC) sublayer and the MAC sublayer.
    On Ethernet NICs, the physical address (also called the MAC address or hardware address) is a 48-bit number, which is also expressed as 12 hexadecimal digits arranged in pairs with colons between each pair (e.g., 12:3A:4D:66:3A:1C). The initial three pairs (the first 24 bits) represent the manufacturer, and the last three pairs (the second 24 bits) represent a unique serial number assigned by that manufacturer.
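As an added example (not from the original post), the Python below ties the ARP cache discussion earlier to the 48-bit MAC structure just described: it parses `arp -a` lines, splits each MAC into its manufacturer and serial halves plus the two flag bits of the first octet, and flags MACs that answer for more than one IP or that carry the locally-administered bit, both of which are worth a look when spoofing or a duplicate address is suspected. The cache contents, host names and IPs are constructed; only the gateway MAC is the one quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the Linux `arp -a` format shown earlier; IPs, names and
# all MACs except the first are made up for illustration.
ARP_CACHE = """\
alicegate (192.168.1.1) at 00:22:33:64:2e:94 [ether] on eth1
printer (192.168.1.20) at 00:1b:63:aa:bb:cc [ether] on eth1
nas (192.168.1.30) at 00:22:33:64:2e:94 [ether] on eth1
laptop (192.168.1.40) at 02:11:22:33:44:55 [ether] on eth1
"""

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\[(?P<hw>\w+)\] on (?P<iface>\S+)$", re.IGNORECASE)


def parse_mac(mac):
    """Split a 48-bit MAC into its 24-bit OUI (manufacturer) and 24-bit serial half, plus flag bits."""
    octets = [int(x, 16) for x in mac.split(":")]
    return {
        "oui": ":".join(f"{o:02x}" for o in octets[:3]),
        "serial": ":".join(f"{o:02x}" for o in octets[3:]),
        # bit 1 of the first octet set: address assigned in software, not burned in at the factory
        "locally_administered": bool(octets[0] & 0x02),
        # bit 0 set: group (multicast) address, never a single NIC
        "multicast": bool(octets[0] & 0x01),
    }


def parse_arp_cache(text):
    """Return one dict per well-formed `arp -a` line (name, ip, mac, hw, iface), MAC lower-cased."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            entries.append(e)
    return entries


def duplicate_macs(entries):
    """MACs claimed by more than one IP. A router with several addresses can do this legitimately;
    a gateway sharing its MAC with an ordinary host is the classic thing to check."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def findings(text):
    """Human-readable list of cache entries worth checking."""
    entries = parse_arp_cache(text)
    out = [f"{mac} answers for {', '.join(ips)}" for mac, ips in duplicate_macs(entries).items()]
    for e in entries:
        if parse_mac(e["mac"])["locally_administered"]:
            out.append(f"{e['ip']} ({e['name']}) uses software-assigned MAC {e['mac']}")
    return out
```

On the sample, `findings(ARP_CACHE)` reports the gateway MAC answering for two IPs and the laptop's software-assigned address; either is a reason to compare the cache against the switch's own MAC table before trusting the entry.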

    Layer 3: Network
    Moving up the stack, the next layer is the Network layer (layer 3), which is where:
    • packets are sequenced, and
    • logical (IP) addressing is assigned (logical addresses are non-permanent, software-assigned addresses that can only be changed by administrators).
    The IP addresses used by the TCP/IP protocols on the Internet, and the Internetwork Packet Exchange (IPX) addresses used by the IPX/Sequenced Packet Exchange (SPX) protocols on NetWare networks, are examples of logical addresses.
    These protocol stacks are referred to as routable because they include addressing schemes that identify the network or subnet and the particular client on that network or subnet.
    Other network/transport protocols (e.g., NetBIOS Extended User Interface [NetBEUI]) do not have a sophisticated addressing scheme and thus cannot be routed between different types of networks.
    To understand the difference between physical and logical addresses, consider this analogy: A house has a physical GPS address that identifies exactly where it is located. This is similar to the MAC address on a NIC. A house also has a logical address assigned to it by the post office that consists of a street name and number. The post office occasionally changes the names of streets or renumbers the houses located on them. This is similar to the IP address assigned to a network interface.
    The Network layer is also responsible for routing. Routing refers to forwarding packets from one network or subnet to another. Without routing, computers can only communicate with computers on the same network.

    That's the 2nd post that I have lost part of without a plausible reason. Sorry for that, but I must redo it when time permits.
