2. About Me
Mohammed Akbar Shariff
Cyber Sec Intern – WICS
Graduating M.tech
www.linkedin.com/in/mohammed-akbar-shariff
@akbarshariffak
3. Agenda
• Basics of Network
• Metasploitable II
• Introduction to NMAP
• Port Status
• Scan Types
• Host Discovery
• OS Fingerprinting
• Nmap Scripting Engine
8. Metasploitable II
The Metasploitable virtual machine is an
intentionally vulnerable version of Ubuntu Linux
designed for testing security tools and demonstrating
common vulnerabilities.
9. What is NMAP?
• Network Mapper - Utility used to identify assets and map them in a
network.
• https://github.com/nmap/nmap (Current release is 7.50, 20 year old
project and active)
10. Why NMAP..??
• Perhaps I can ping sweep?
• How to know which IP’s are alive?
• There are only
• 65535(PORTS) *2 (TCP &UDP)*24 ( if class C)
12. NMAP port “Status” - Open
•Open - SYN reached the end system, victim responded with
SYN+ACK and Completes the handshake.
Nmap -n -sT -p 80 192.168.56.104
13. NMAP port “Status” - Closed
• Closed - SYN reached the end system, responded with
RST+ACK. System is accessible and service is still not open
on victim. Nmap -n -sT -p 22 192.168.56.104
14. NMAP port “Status” - Filtered
• Filtered – Observed when a port does not respond on repeated tries.
Nmap -n -sT -p 445 192.168.56.105
16. NMAP Options
-iL <filename>: Pass a list of hosts.
-iR <number of Hosts>: Choose random targets.
Ex: nmap -Pn -sS -p 80 -iR 0 --open
-p <port ranges> : Port scanning, Only scan specified ports…. -p-
Host Discovery
-sL (List Scan): Simply lists each host of the network(s) specified.
-sn : No port scan and only ping scan
-Pn : Skip ping scan and treat all host to be live
-PS <portlist> : TCP SYN Ping
-n : No DNS resolution
-R : DNS resolution for all targets
-PE; -PP; -PM : ICMP Ping Types.
-PA <port list> : TCP ACK ping
-PU <port list> : UDP Ping
17. Nmap Scan Types
• -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine system is alive.
• -sS (TCP SYN Scan) – Determines a system/port being alive by sending only SYN and
waiting for SYN-ACK
• -sU (UDP Scan) – Probes UDP detects system/port is alive when there is a UDP response +
ICMP packet Destination unreachable.
• -sT (TCP Connect Scan): Performs connection establishment using system call “connect”
• -sN (Null scan): Does not set any bits (TCP flag header is 0).
• -sF (FIN Scan): Sets just the TCP FIN bit.
• -sX (Xmas scan): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas
tree.
18. OS Fingerprinting
• Nmap sends a series of TCP and UDP packets to the remote host and
examines practically every bit in the responses.
• Nmap compares the results to its nmap-os-db database of more than 2,600
known OS fingerprints and prints out the OS details if there is a match.
-O (Enable OS detection)
19. Nmap – service Version and Enumeration!
• Nmap-services database is constantly updated with services, finger
printing and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine (.nse files) to identify and
enumerate the service that has been detected earlier.
• -sC – runs “default” ~200 Nmap Script Engine (.nse files) to identify
and enumerate the services and provide vulnerabilities identified.
Optionally can use - -script option.
20. Nmap service Enumeration!
• The Difference between the two in Action
TCP scan with Version
-sT + -sV = -sTV
Regular TCP scan
21. Nmap Scripting Engine(NSE) –What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated Version detection and OS detection.
• Example: smb-os-discovery.nse , http-cisco-anyconnect.nse …
• Vulnerability detection.
• Example: tls-ticketbleed.nse, sslv2-drown.nse,..
• Malware detection.
• Example: http-google-malware.nse..
• Vulnerability Exploitation.
• Example: smb-psexec.nse,..
22. NSE – what? where?
• -sC and --script uses NSE. There is a default set launched when no
option is given. https://nmap.org/nsedoc/categories/default.html