Differences

This shows you the differences between two versions of the page.

--- scan_nmap [2017/09/10 19:07] – created Santi
+++ scan_nmap [2019/01/04 13:06] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ===== How to scan computers/network with Nmap =====
+{{ wiki:nmap.png?150}}
+In this tutorial we are going to see different ways to discover computers in a network and how to scan their ports to get some extra information about them. To do that we will use [[http://www.nmap.org|Nmap]], a very powerful tool.
+First of all, we are going to discover some computers in our network (''192.168.0.0'')
 <code bash>
@@ Line 18: / Line 24: @@
 </code>
-How to detect the operating system of a remote computer (in this case it is a Windows 7)
+Imagine that you want to guess which operating system is running in some of the computers you have scanned. In this case we will do with a computer that is running a Windows 7 OS). We know the IP address of this computer because it is a Virtual Machine that it is running in this moment. It does not appears in the list of remote computers because its Firewall is enabled. If we disabled the Firewall and we try again to scan our network, this computer will appear in the list of connected computers.
+Now, we are going to scan this computer to try to guess which kind of OS is running and some extra information. First, we will try with the Firewall enabled (the IP address is 192.168.1.40):
 <code bash>
 santi@kalibook:$ sudo nmap -O 192.168.1.40
-</code>
+Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:05 CEST
+Nmap scan report for 192.168.1.40
+Host is up (0.00018s latency).
+All 1000 scanned ports on 192.168.1.40 are filtered
+MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
+Too many fingerprints match this host to give specific OS details
+Network Distance: 1 hop
-<code bash>
+OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
-santi@kalibook:$
+Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds
 </code>
-<code bash>
+We can see that we did not obtain any information abut the remote computer. Then, we will disabled the default Firewall and we will try again with the same nmap options:
-santi@kalibook:$
-</code>
 <code bash>
-santi@kalibook:$
+santi@kalibook:$ nmap -O 192.168.1.40
+Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 20:07 CEST
+Nmap scan report for 192.168.1.40
+Host is up (0.00016s latency).
+Not shown: 990 closed ports
+PORT      STATE SERVICE
+/tcp   open  msrpc
+/tcp   open  netbios-ssn
+/tcp   open  microsoft-ds
+/tcp  open  wsdapi
+/tcp open  unknown
+/tcp open  unknown
+/tcp open  unknown
+/tcp open  unknown
+/tcp open  unknown
+/tcp open  unknown
+MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
+Device type: general purpose
+Running: Microsoft Windows 2008|10|7|8.1
+OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
+OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
+Network Distance: 1 hop
+OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 103.30 seconds
 </code>
+Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, services running, MAC address and some extra information about which version of Windows is running and a approximation about how updated it is (Service Packs installed on remote computer). Now we can see how important is to enable our Firewall in our computer. If some attacker does not know nothing about our computer it will be more difficult to receive any kind of attack from anyone.
+And we can also perform an **intensive scan** to get more information about the remote computer such as which version of some services are installed, the computer name, and more. To see one example of discovering some services in the remote computer, we have installed Filezilla FTP Server in the Windows 7 machine.
 <code bash>
-santi@kalibook:$
+santi@kalibook:$ nmap -A -T4 192.168.1.40
+Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 21:11 CEST
+Nmap scan report for 192.168.1.40
+Host is up (0.00024s latency).
+Not shown: 989 closed ports
+PORT      STATE SERVICE      VERSION
+/tcp    open  ftp          FileZilla ftpd
+/tcp   open  msrpc        Microsoft Windows RPC
+/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
+/tcp   open  microsoft-ds (primary domain: WORKGROUP)
+/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Service Unavailable
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port445-TCP:V=6.49BETA4%I=7%D=9/10%Time=59B58E9A%P=x86_64-pc-linux-gnu%
+SF:r(SMBProgNeg,7B,"\0\0\0w\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0
+SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\
+SF:0\0\xfc\xe3\x01\0\xc4\x85&\xbah\*\xd3\x01\x88\xff\x082\0\x1a\xe8{\xd6y\
+SF:xe3\xfc\xd3W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0U\0S\0U\0A\0R\0I\0O\0-\0P\0C\
+SF:0\0\0");
+MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
+Device type: general purpose
+Running: Microsoft Windows 2008|10|7|8.1
+OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
+OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
+Network Distance: 1 hop
+Service Info: Host: USUARIO-PC; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
+Host script results:
+|_nbstat: NetBIOS name: USUARIO-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5c:0e:94 (Cadmus Computer Systems)
+| smb-os-discovery:
+|   OS: Windows 7 Enterprise N 7600 (Windows 7 Enterprise N 6.1)
+|   OS CPE: cpe:/o:microsoft:windows_7::-
+|   Computer name: Usuario-PC
+|   NetBIOS computer name: USUARIO-PC
+|   Workgroup: WORKGROUP
+|_  System time: 2017-09-10T21:13:16+02:00
+| smb-security-mode:
+|   account_used: guest
+|   authentication_level: user
+|   challenge_response: supported
+|_  message_signing: disabled (dangerous, but default)
+|_smbv2-enabled: Server supports SMBv2 protocol
+TRACEROUTE
+HOP RTT     ADDRESS
+   0.24 ms 192.168.1.40
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 99.23 seconds
 </code>
+From now on we will have to choose a more specific tool depending of the service that we will want to test. Maybe, in this case, because we have found that the remote machine has a FTP service running we could try to discover some vulnerability to check that our system is completely protected.
+===== How to prevent this kind of attack =====
+Maybe scanning ports cannot be consider a kind of attack but sometimes it will be the very first step for preparing an inminent attack in the future. That's why we must protect our computers to not be scanned, and the best way to do that is **enabling our Firewall**. Notice that that simple action can protect your computer against more sophisticated attacks because if the attacker doesn't know nothign about your computer, maybe he never will attack.
+----
+(c) 2017 Hacking Tony