Hacking Reconnaissance: Finding Vulnerabilities in Your Target Using Nmap
Remember that scene in The Matrix Reloaded when Trinity uses a realistic Nmap port scan, followed by a real SSH exploit (long since patched), to break into a power company? Believe it or not, that scene is not far-fetched at all.
If you want to exploit vulnerabilities and root boxes, you'll need to learn how to perform the necessary reconnaissance first. In fact, you will spend far more time researching your target than you will exploiting it. In this article, I am going to show you the first step in doing just that: a security scanner called Nmap.
Any service running on a server, from HTTP to SSH, listens on a port. Think of a port as a door into and out of the computer that only answers requests relevant to it. For example, a web server listening on port 80 (HTTP) would have no idea how to handle an FTP connection request sent to it.
Nmap (Network Mapper) probes those ports and reports everything from which service is listening to what software and version sit behind it. There is even an option to fingerprint the operating system.
Before we get started, one critical point. Port scanning, while not necessarily illegal on its own, will show up all over the target's server logs and intrusion detection systems, so only scan hosts you are authorized to test. Using a (non-free) VPN or an anonymity network like I2P can help hide where the scan came from, but note that a SOCKS proxy such as Tor only carries complete TCP connections: it works for full-connect scans (-sT), not for raw-packet scans such as SYN scans.
If you are running BackTrack (today, Kali Linux), you already have Nmap installed, along with its GUI front end, Zenmap. Zenmap is nice, but this article focuses on Nmap's command line options. On Debian/Ubuntu, simply use:
$ sudo apt-get install nmap
Any other distribution that does not already include Nmap can download it from https://nmap.org.
To get a feel for the tool, run it with no arguments. It prints its usage summary, and as you can see, there are a lot of options:
While you could write entire books on the full functionality of Nmap (and people have), most of it is beyond the scope of this article. Instead, I will go over some of the more commonly used options. Hopefully this will get your foot in the door with port scanning.
There is no doubting the sheer number of options. Let's break down the scan techniques that are most useful right away.
-sU: UDP scan. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols in the same run. UDP scans tend to be much slower than TCP scans, partly because a closed UDP port is only recognised by an ICMP port-unreachable reply that most hosts rate-limit, but some services (DNS, SNMP, DHCP) only listen on UDP.
-sS: SYN scan, often referred to as half-open scanning because you never complete a TCP connection. Nmap sends a SYN packet. A SYN/ACK reply means the port is listening (open), while an RST (reset) means nothing is listening there (closed). No reply at all, or an ICMP unreachable error, means something is probably dropping the probe, and Nmap reports the port as filtered. Because the handshake is never completed, the probe never reaches the application and is less likely to be logged by it. This is Nmap's default scan type when run as root.
-O: OS detection. Nmap sends a series of crafted raw packets and compares the responses against its fingerprint database to guess the operating system.
-A: Aggressive scan. A shorthand that turns on OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute in one flag.
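To make the SYN-scan logic concrete, here is an added example (not from the original article, and not Nmap's own code) that classifies the reply to a single SYN probe the way Nmap does: SYN/ACK is open, RST is closed, silence or an ICMP unreachable error is filtered. The reply packets are constructed in the script rather than captured from a network, and the addresses 10.0.0.5 and 10.0.0.9 are placeholders. Nmap reads such replies from a raw socket, which is why the real tool needs root.

```python
import struct
from typing import Optional

# TCP flag bits, found in byte 13 of the TCP header
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
# ICMP type 3 (destination unreachable) codes that Nmap maps to "filtered"
ICMP_UNREACH_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


def ipv4_header(proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options, checksum left zero)."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])   # placeholder addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header carrying the given flag byte."""
    data_offset = 5 << 4          # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 0, 0, 0)


def icmp_unreachable(code: int) -> bytes:
    """ICMP destination-unreachable (type 3) message with an empty quoted packet."""
    return struct.pack("!BBHI", 3, code, 0, 0)


def classify_syn_response(response: Optional[bytes], probe_port: int) -> str:
    """Map the reply to one SYN probe onto Nmap's port states.

    `response` is the raw IPv4 packet that came back, or None when nothing
    arrived after the retransmission budget was spent.
    """
    if response is None:
        return "filtered"           # silence: something is dropping the probe
    ihl = (response[0] & 0x0F) * 4  # IPv4 header length in bytes
    proto = response[9]
    payload = response[ihl:]
    if proto == IPPROTO_TCP:
        sport, _dport = struct.unpack("!HH", payload[:4])
        if sport != probe_port:
            return "unrelated"      # not an answer to the port we probed
        flags = payload[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"           # SYN/ACK: a listener answered step 2 of the handshake
        if flags & TCP_RST:
            return "closed"         # RST: host reachable, nothing listening
        return "unknown"
    if proto == IPPROTO_ICMP:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == 3 and icmp_code in ICMP_UNREACH_FILTERED_CODES:
            return "filtered"       # a router or firewall refused to forward the probe
    return "unknown"


def demo() -> dict:
    """Constructed replies to SYN probes against four ports of one host."""
    replies = {
        22: ipv4_header(IPPROTO_TCP, 20) + tcp_header(22, 40000, TCP_SYN | TCP_ACK),
        23: ipv4_header(IPPROTO_TCP, 20) + tcp_header(23, 40000, TCP_RST | TCP_ACK),
        25: ipv4_header(IPPROTO_ICMP, 8) + icmp_unreachable(13),   # admin prohibited
        443: None,                                                  # silently dropped
    }
    return {port: classify_syn_response(pkt, port) for port, pkt in replies.items()}


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port}/tcp {state}")
```

Note that after a SYN/ACK comes back, the scanner's kernel (not Nmap) answers with an RST because it never asked for the connection, which is what keeps the scan "half-open".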
Here we will run a series of port scans on a target web server, making note of the versions and operating system. Remember, reconnaissance and patience are key to hacking. Let's take a look at Nmap in action as we port scan a web server configured just for this article.
$ nmap -sS -O 126.96.36.199
Oops! What happened? The -O switch tells Nmap you wish to OS-fingerprint the target. To do that, Nmap has to craft raw packets, and opening a raw socket requires root privileges, so it must be run with sudo. The same goes for the SYN scan (-sS) and most other raw-packet scan types; an unprivileged user is limited to the full-connect scan (-sT).
$ sudo nmap -sS -O 188.8.131.52
Here we can see this looks like a normal web server so far. Notice how Nmap makes a guess at the operating system? That guess is useful when you are looking for an attack vector to exploit.
Open ports - This server is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.
Closed ports - A closed port is accessible, but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up.
Let's try another scan, but this time we want to find out what software is running behind those open ports.
$ sudo nmap -sS -A 184.108.40.206
Here you can see what software is running and which version. For example, this web server is running OpenSSH 4.3 on port 22. If I knew of a vulnerability in that version, this server would be a candidate for exploitation. Treat the banner as a lead rather than proof, though: distributions often backport security fixes without changing the version number, so confirm the flaw before relying on it.
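A scan like the one above is more useful once it is saved with -oX and post-processed than when read off the screen. The following is an added example, not part of the original article and not Nmap's code, that parses a constructed fragment of Nmap XML output into an inventory of open services with their version strings and the OS guess, and flags any product reported with a version below a threshold you choose. The sample XML, the host address 10.0.0.5 and the "OpenSSH older than 5.0" threshold are assumptions made for illustration, not data from the scan in the article.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's -oX output (not real scan output); it mirrors
# the kind of host scanned in the article: SSH, HTTP, a filtered SMTP port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -A -oX - 10.0.0.5" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.3" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
<service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.9 - 2.6.30" accuracy="90"/></os>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Turn an Nmap XML report into one dict per host: address, ports, OS guess."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"addr": addr.get("addr") if addr is not None else None,
                 "ports": [], "os": None}
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")       # absent when no service was identified
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),   # e.g. syn-ack, reset, no-response
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "conf": int(svc.get("conf", "0")) if svc is not None else 0,
            })
        osmatch = host.find("os/osmatch")    # first (best) match only
        if osmatch is not None:
            entry["os"] = (osmatch.get("name"), int(osmatch.get("accuracy")))
        hosts.append(entry)
    return hosts


def open_services(host: dict) -> list[str]:
    """One 'port/proto service product version' line per open port."""
    out = []
    for p in sorted(host["ports"], key=lambda p: (p["proto"], p["port"])):
        if p["state"] != "open":
            continue
        label = f"{p['port']}/{p['proto']} {p['service'] or '?'}"
        if p["product"]:
            label += f" {p['product']}"
            if p["version"]:
                label += f" {p['version']}"
        out.append(label)
    return out


def version_tuple(version: str) -> tuple:
    """'4.3p2' -> (4, 3): keep only the leading numeric components for comparison."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def flag_outdated(host: dict, product: str, min_version: str) -> list[int]:
    """Open ports where `product` is reported with a version below `min_version`.

    A hit is a lead to verify, not proof: vendors backport fixes without
    changing the banner version.
    """
    return [p["port"] for p in host["ports"]
            if p["state"] == "open" and p["product"] == product and p["version"]
            and version_tuple(p["version"]) < version_tuple(min_version)]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], "OS guess:", h["os"])
        for line in open_services(h):
            print("  ", line)
        print("   OpenSSH older than 5.0 (assumed threshold):", flag_outdated(h, "OpenSSH", "5.0"))
```

Run a real scan as `sudo nmap -sS -A -oX scan.xml <target>` and feed the file's contents to `parse_nmap_xml`; the `reason` field tells you which packet Nmap saw for each port, which is handy when an "open" result looks suspicious.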
This is by no means an all-inclusive listing of everything Nmap has to offer. I tried to pick the most relevant portions to give you a feel for its capabilities. You can now add another tool to your ever-growing arsenal.
Questions? Comments? Concerns? Let's hear 'em!