Hacking Tony

Cyber security tutorials

User Tools

Site Tools

Trace: scan_nmap
scan_nmap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
scan_nmap [2017/09/10 19:12] Santiscan_nmap [2019/01/04 13:06] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ===== How to scan computers/network with Nmap ===== ===== How to scan computers/network with Nmap =====
 +
 +{{ wiki:nmap.png?150}}
 +
 +In this tutorial we are going to see different ways to discover computers in a network and how to scan their ports to get some extra information about them. To do that we will use [[http://www.nmap.org|Nmap]], a very powerful tool.
 +
 +First of all, we are going to discover some computers in our network (''192.168.0.0'')
  
 <code bash> <code bash>
Line 18: Line 24:
 </code> </code>
  
-How to detect the operating system of a remote computer (in this case it is a Windows 7).+Imagine that you want to guess which operating system is running in some of the computers you have scanned. In this case we will do with a computer that is running a Windows 7 OS). We know the IP address of this computer because it is a Virtual Machine that it is running in this moment. It does not appears in the list of remote computers because its Firewall is enabled. If we disabled the Firewall and we try again to scan our network, this computer will appear in the list of connected computers.
  
-First, we will try with the Firewall enabled:+Now, we are going to scan this computer to try to guess which kind of OS is running and some extra information. First, we will try with the Firewall enabled (the IP address is 192.168.1.40):
  
 <code bash> <code bash>
Line 37: Line 43:
 </code> </code>
  
-We can see that we don'obtain any information abut the remote computer. Then, we will disabled the default Firewall and we will try again with the same nmap options:+We can see that we did not obtain any information abut the remote computer. Then, we will disabled the default Firewall and we will try again with the same nmap options:
  
 <code bash> <code bash>
Line 68: Line 74:
 </code> </code>
  
-Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, services running, MAC address and some extra information about which version of Windows is running and a aproximation about how updated it is (Service Packs installed on remote computer)+Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, services running, MAC address and some extra information about which version of Windows is running and a approximation about how updated it is (Service Packs installed on remote computer). Now we can see how important is to enable our Firewall in our computer. If some attacker does not know nothing about our computer it will be more difficult to receive any kind of attack from anyone.
  
-<code bash> +And we can also perform an **intensive scan** to get more information about the remote computer such as which version of some services are installed, the computer name, and more. To see one example of discovering some services in the remote computer, we have installed Filezilla FTP Server in the Windows 7 machine.
-santi@kalibook:$  +
-</code>+
  
 <code bash> <code bash>
-santi@kalibook: +santi@kalibook:nmap -A -T4 192.168.1.40
-</code>+
  
-<code bash> +Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 21:11 CEST 
-santi@kalibook:+Nmap scan report for 192.168.1.40 
 +Host is up (0.00024s latency). 
 +Not shown: 989 closed ports 
 +PORT      STATE SERVICE      VERSION 
 +21/tcp    open  ftp          FileZilla ftpd 
 +135/tcp   open  msrpc        Microsoft Windows RPC 
 +139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn 
 +445/tcp   open  microsoft-ds (primary domain: WORKGROUP) 
 +5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
 +|_http-methods: No Allow or Public header in OPTIONS response (status code 503) 
 +|_http-server-header: Microsoft-HTTPAPI/2.0 
 +|_http-title: Service Unavailable 
 +49152/tcp open  msrpc        Microsoft Windows RPC 
 +49153/tcp open  msrpc        Microsoft Windows RPC 
 +49154/tcp open  msrpc        Microsoft Windows RPC 
 +49155/tcp open  msrpc        Microsoft Windows RPC 
 +49156/tcp open  msrpc        Microsoft Windows RPC 
 +49157/tcp open  msrpc        Microsoft Windows RPC 
 +1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : 
 +SF-Port445-TCP:V=6.49BETA4%I=7%D=9/10%Time=59B58E9A%P=x86_64-pc-linux-gnu% 
 +SF:r(SMBProgNeg,7B,"\0\0\0w\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0 
 +SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\ 
 +SF:0\0\xfc\xe3\x01\0\xc4\x85&\xbah\*\xd3\x01\x88\xff\x082\0\x1a\xe8{\xd6y\ 
 +SF:xe3\xfc\xd3W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0U\0S\0U\0A\0R\0I\0O\0-\0P\0C\ 
 +SF:0\0\0"); 
 +MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems) 
 +Device type: general purpose 
 +Running: Microsoft Windows 2008|10|7|8.1 
 +OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 
 +OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1 
 +Network Distance: 1 hop 
 +Service Info: Host: USUARIO-PC; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98 
 + 
 +Host script results: 
 +|_nbstat: NetBIOS name: USUARIO-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5c:0e:94 (Cadmus Computer Systems) 
 +| smb-os-discovery:  
 +|   OS: Windows 7 Enterprise N 7600 (Windows 7 Enterprise N 6.1) 
 +|   OS CPE: cpe:/o:microsoft:windows_7::
 +|   Computer name: Usuario-PC 
 +|   NetBIOS computer name: USUARIO-PC 
 +|   Workgroup: WORKGROUP 
 +|_  System time: 2017-09-10T21:13:16+02:00 
 +| smb-security-mode:  
 +|   account_used: guest 
 +|   authentication_level: user 
 +|   challenge_response: supported 
 +|_  message_signing: disabled (dangerous, but default) 
 +|_smbv2-enabled: Server supports SMBv2 protocol 
 + 
 +TRACEROUTE 
 +HOP RTT     ADDRESS 
 +1   0.24 ms 192.168.1.40 
 + 
 +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/
 +Nmap done1 IP address (1 host up) scanned in 99.23 seconds
 </code> </code>
 +
 +From now on we will have to choose a more specific tool depending of the service that we will want to test. Maybe, in this case, because we have found that the remote machine has a FTP service running we could try to discover some vulnerability to check that our system is completely protected.
 +
 +===== How to prevent this kind of attack =====
 +
 +Maybe scanning ports cannot be consider a kind of attack but sometimes it will be the very first step for preparing an inminent attack in the future. That's why we must protect our computers to not be scanned, and the best way to do that is **enabling our Firewall**. Notice that that simple action can protect your computer against more sophisticated attacks because if the attacker doesn't know nothign about your computer, maybe he never will attack.
 +
 +----
 +
 +(c) 2017 Hacking Tony
scan_nmap.1505070725.txt.gz · Last modified: 2019/01/04 13:06 (external edit)