Nmap: Scanning the Internet

Similar documents

Nmap: Scanning the Internet

CIT 380: Securing Computer Systems

Nmap Cookbook The fat-free guide to network scanning

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Host Discovery with nmap

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

Network Security. Network Scanning

Introduction to Network Security Lab 2 - NMap

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Firewall Firewall August, 2003

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Penetration Testing SIP Services

Network Host Discovery and Service Detection Tools

SECURITY TOOLS SOFTWARE IN AN OPEN SOURCE ENVIRONMENT. Napoleon Alexandru SIRETEANU *

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Penetration Testing Workshop

Codebox 2: simple configuration changes in Apache and PHP configuration files

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Lecture 5: Network Attacks I. Course Admin

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

Solution of Exercise Sheet 5

Introduction of Intrusion Detection Systems

Firewall implementation and testing

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Firewalls. Chapter 3

Host Fingerprinting and Firewalking With hping

How To Set Up Mybpx Security Configuration Guide V1.2.2 (V1.3.2) On A Pc Or Mac)

Attacks and Defense. Phase 1: Reconnaissance

Vulnerability Scan 05 May 2015 at 08:58

Introduction. Nmap from an Ethical Hacker's View Part 1. By Kirby Tucker

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Network Security. Network Packet Analysis

1 Scope of Assessment

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Installing and Configuring Nessus by Nitesh Dhanjani

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Looking for Trouble: ICMP and IP Statistics to Watch

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

1.0 Introduction. 2.0 Data Gathering

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Linux MDS Firewall Supplement

GL550 - Enterprise Linux Security Administration

Lab 2: Secure Network Administration Principles - Log Analysis

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

EXPLORER. TFT Filter CONFIGURATION

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Chapter 6 Phase 2: Scanning

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Practical Network Forensics

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Network Security Fundamentals

Network and Services Discovery

Chapter 8 Monitoring and Logging

A Selection of Network Penetration Test Tools

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Website Analysis. foxnews has only one mail server ( foxnewscommail.protection.outlook.com ) North America with 4 IPv4.

Firewalls. Chien-Chung Shen

Payment Card Industry (PCI) Executive Report. Pukka Software

FIREWALL AND NAT Lecture 7a

Linux: 20 Iptables Examples For New SysAdmins

8 steps to protect your Cisco router

Configuring Health Monitoring

IOSMap: TCP and UDP Port Scanning on Cisco IOS Platforms

Firewalls P+S Linux Router & Firewall 2013

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Project 2: Firewall Design (Phase I)

The Nexpose Expert System

CTS2134 Introduction to Networking. Module Network Security

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Remote Network Analysis

TRUSTWAVE VULNERABILITY MANAGEMENT USER GUIDE

I N S T A L L A T I O N M A N U A L

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

How to protect your home/office network?

Technical Support Information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Advanced Network Scanning

Network Security CS 192

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Vulnerability Scan. January 6, 2015

Data Communication I

Divide and Conquer Real World Distributed Port Scanning

Transcription:

Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16 August 8, 2008; 4PM

Abstract The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project. He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.

Old Slide Disclaimer These slides were due in June, when I was still running scans and at least a month away from finishing analasys. So while the topic isn't changing, the final slides will differ materially from these. These slides are from the inaugural Black Hat Webcast with Jeff Moss on June 26, 2008. The webcast gives a good overview of the talk and describes some valuable early results of the scanning. The video is scheduled to be posted at http://blackhat.com in early July.

Planning the Big Scan Determining IP addresses to scan P2P Scanning? Legal Issues Firewalls Performance

Scan Results Scans are still running Some tentative results already available, and can improve scan performance.

Best TCP Ports for Host Discovery Echo request, and even Nmap default discovery scans are insufficient for Internet scanning. Adding more TCP SYN and ACK probes can help, but which ports work the best?

Top 10 TCP Host Discovery Port Table 80/http 25/smtp 22/ssh 443/https 21/ftp 113/auth 23/telnet 53/domain 554/rtsp 3389/ms-term-server

Default Host Discovery Effectiveness # nmap -n -sl -ir 50000 -on - grep "not scanned" awk '{print $2}' sort -n > 50K_IPs # nmap -sp -T4 -il 50K_IPs Starting Nmap ( http://nmap.org ) Host dialup-4.177.9.75.dial1.sandiego1.level3.net (4.177.9.75) appears to be up. Host dialup-4.181.100.97.dial1.sanjose1.level3.net (4.181.100.97) appears to be up. Host firewall2.baymountain.com (8.7.97.2) appears to be up. [thousands of lines cut] Host 222.91.121.22 appears to be up. Host 105.237.91.222.broad.ak.sn.dynamic. 163data.com.cn (222.91.237.105) appears to be up. Nmap done: 50000 IP addresses (3348 hosts up) scanned in 1598.067 seconds

Enhanced Host Discovery Effectiveness # nmap -sp -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 -il 50K_IPs Starting Nmap 4.65 ( http://nmap.org ) at 2008-06-22 19:07 PDT Host sim7124.agni.lindenlab.com (8.10.144.126) appears to be up. Host firewall2.baymountain.com (8.7.97.2) appears to be up. Host 12.1.6.201 appears to be up. Host psor.inshealth.com (12.130.143.43) appears to be up. [thousands of hosts cut] Host ZM088019.ppp.dion.ne.jp (222.8.88.19) appears to be up. Host 105.237.91.222.broad.ak.sn.dynamic. 163data.com.cn (222.91.237.105) appears to be up. Host 222.92.136.102 appears to be up. Nmap done: 50000 IP addresses (4473 hosts up) scanned in 4259.281 seconds

Enhanced Discovery Results Enhanced discovery: took 71 minutes vs. 27 (up 167%) Found 1,125 more live hosts (up 34%)

Top Open TCP & UDP Ports Will be available by Black Hat USA Substantial reduction of current default 1703 TCP ports, 1480 UDP --top-ports feature available now, but no data to use it.

Nmap News! Insecure.Org

Nmap Scripting Engine (NSE) # nmap -A -T4 scanme.nmap.org Starting Nmap ( http://nmap.org ) Interesting ports on scanme.nmap.org (64.13.134.52): Not shown: 1709 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 25/tcp closed smtp 53/tcp open domain ISC BIND 9.3.4 70/tcp closed gopher 80/tcp open http Apache httpd 2.2.2 ((Fedora)) _ HTML title: Site doesn't have a title. 113/tcp closed auth Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.20-1 (Fedora Core 5) Uptime: 40.425 days (since Tue May 13 12:46:59 2008) Nmap done: 1 IP address scanned in 30.567 seconds Raw packets sent: 3464 (154KB) Rcvd: 60 (3KB)

Fixed-rate packet sending nmap min-rate 500 scanme.nmap.org

Zenmap GUI Insecure.Org

2 nd Generation OS Detection # nmap -A -T4 scanme.nmap.org [...] Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.20-1 (Fedora Core 5) More info: http://nmap.org/book/osdetect.html

Version Detection # nmap -A -T4 scanme.nmap.org Starting Nmap ( http://nmap.org ) Interesting ports on scanme.nmap.org (64.13.134.52): Not shown: 1709 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 25/tcp closed smtp 53/tcp open domain ISC BIND 9.3.4 70/tcp closed gopher 80/tcp open http Apache httpd 2.2.2 ((Fedora)) _ HTML title: Site doesn't have a title. 113/tcp closed auth Device type: general purpose Running: Linux 2.6.X Now has 4,803 signatures More info: http://nmap.org/book/vscan.html OS details: Linux 2.6.20-1 (Fedora Core 5) Uptime: 40.425 days (since Tue May 13 12:46:59 2008) Nmap done: 1 IP address scanned in 30.567 seconds Raw packets sent: 3464 (154KB) Rcvd: 60 (3KB)

--reason # nmap --reason -T4 scanme.nmap.org [...] Interesting ports on scanme.nmap.org (205.217.153.62): Not shown: 1709 filtered ports Reason: 1709 no-responses PORT STATE SERVICE REASON 22/tcp open ssh syn-ack 25/tcp closed smtp reset 53/tcp open domain syn-ack 70/tcp closed gopher reset 80/tcp open http syn-ack 113/tcp closed auth reset

Advanced Traceroute # nmap traceroute scanme.nmap.org [...] TRACEROUTE (using port 22/tcp) HOP RTT ADDRESS 1 0.60 wap.nmap-int.org (192.168.0.6) [...] 6 9.74 151.164.251.42 7 10.89 so-1-0-0.mpr1.sjc2.us.above.net (64.125.30.174) 8 10.52 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142) 9 14.25 metro0.sv.svcolo.com (208.185.168.173) 10 12.80 scanme.nmap.org (64.13.134.52)

Performance and Accuracy # nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 -- min_hostgroup 512 max_retries 0 -n -P0 -p80 -og pb3.gnmap 216.163.128.0/20 Starting Nmap [...] Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in 46.052 seconds

TCP and IP Header Options # nmap -vv -n -ss -P0 -p 445 -- ip-options "L 10.4.2.1" 10.5.2.1

Learn More Download Nmap from http://nmap.org Download these slides from: http://insecure.org/presentations/bhdc08/