Differences

This shows you the differences between two versions of the page.

--- scan_nmap [2017/09/10 19:19] – Santi
+++ scan_nmap [2019/01/04 13:06] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ===== How to scan computers/network with Nmap =====
+{{ wiki:nmap.png?150}}
+In this tutorial we are going to see different ways to discover computers in a network and how to scan their ports to get some extra information about them. To do that we will use [[http://www.nmap.org|Nmap]], a very powerful tool.
 First of all, we are going to discover some computers in our network (''192.168.0.0'')
@@ Line 70: / Line 74: @@
 </code>
-Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, services running, MAC address and some extra information about which version of Windows is running and a aproximation about how updated it is (Service Packs installed on remote computer). Now we can see how importat is to enable our Firewall in our computer. If some attacker does not know nothing about our computer it will be more difficult to receive any kind of attack from anyone.
+Because the firewall was disabled we have obtained a lot of information about the remote computer: open ports, services running, MAC address and some extra information about which version of Windows is running and a approximation about how updated it is (Service Packs installed on remote computer). Now we can see how important is to enable our Firewall in our computer. If some attacker does not know nothing about our computer it will be more difficult to receive any kind of attack from anyone.
-<code bash>
+And we can also perform an **intensive scan** to get more information about the remote computer such as which version of some services are installed, the computer name, and more. To see one example of discovering some services in the remote computer, we have installed Filezilla FTP Server in the Windows 7 machine.
-santi@kalibook:$
-</code>
 <code bash>
-santi@kalibook:$
+santi@kalibook:$ nmap -A -T4 192.168.1.40
-</code>
-<code bash>
+Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-09-10 21:11 CEST
-santi@kalibook:$
+Nmap scan report for 192.168.1.40
+Host is up (0.00024s latency).
+Not shown: 989 closed ports
+PORT      STATE SERVICE      VERSION
+/tcp    open  ftp          FileZilla ftpd
+/tcp   open  msrpc        Microsoft Windows RPC
+/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
+/tcp   open  microsoft-ds (primary domain: WORKGROUP)
+/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Service Unavailable
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+/tcp open  msrpc        Microsoft Windows RPC
+service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port445-TCP:V=6.49BETA4%I=7%D=9/10%Time=59B58E9A%P=x86_64-pc-linux-gnu%
+SF:r(SMBProgNeg,7B,"\0\0\0w\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0
+SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\
+SF:0\0\xfc\xe3\x01\0\xc4\x85&\xbah\*\xd3\x01\x88\xff\x082\0\x1a\xe8{\xd6y\
+SF:xe3\xfc\xd3W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0U\0S\0U\0A\0R\0I\0O\0-\0P\0C\
+SF:0\0\0");
+MAC Address: 08:00:27:5C:0E:94 (Cadmus Computer Systems)
+Device type: general purpose
+Running: Microsoft Windows 2008|10|7|8.1
+OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
+OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
+Network Distance: 1 hop
+Service Info: Host: USUARIO-PC; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
+Host script results:
+|_nbstat: NetBIOS name: USUARIO-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5c:0e:94 (Cadmus Computer Systems)
+| smb-os-discovery:
+|   OS: Windows 7 Enterprise N 7600 (Windows 7 Enterprise N 6.1)
+|   OS CPE: cpe:/o:microsoft:windows_7::-
+|   Computer name: Usuario-PC
+|   NetBIOS computer name: USUARIO-PC
+|   Workgroup: WORKGROUP
+|_  System time: 2017-09-10T21:13:16+02:00
+| smb-security-mode:
+|   account_used: guest
+|   authentication_level: user
+|   challenge_response: supported
+|_  message_signing: disabled (dangerous, but default)
+|_smbv2-enabled: Server supports SMBv2 protocol
+TRACEROUTE
+HOP RTT     ADDRESS
+   0.24 ms 192.168.1.40
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 99.23 seconds
 </code>
+From now on we will have to choose a more specific tool depending of the service that we will want to test. Maybe, in this case, because we have found that the remote machine has a FTP service running we could try to discover some vulnerability to check that our system is completely protected.
+===== How to prevent this kind of attack =====
+Maybe scanning ports cannot be consider a kind of attack but sometimes it will be the very first step for preparing an inminent attack in the future. That's why we must protect our computers to not be scanned, and the best way to do that is **enabling our Firewall**. Notice that that simple action can protect your computer against more sophisticated attacks because if the attacker doesn't know nothign about your computer, maybe he never will attack.
+----
+(c) 2017 Hacking Tony