
Learn Ethical hacking part 5

Hacking with Nmap
Nmap, an acronym for “Network Mapper,” is an open source network exploration and network security auditing tool that you can use on Kali Linux. This tool was designed to swiftly scan computers in an extensive network just as efficiently as it does a single host.
It uses raw IP packets to discover details about hosts on a network, including the services they run, their operating systems and versions, the types of packet filters or firewalls they use, and a host of other technical specifications.
Nmap is most popular among computer network security aficionados and systems and network administrators, who use it routinely for tasks such as network inventory, monitoring host and service uptime, and managing service upgrade schedules.
In this hour, you will learn how you, as a hacker, can leverage Nmap to find vulnerable hosts in a network and hack them.

WARNING: Be very careful when using the aggressive functions of Nmap against hosts you do not have permission to scan. It may be against the terms and conditions of your ISP to use Nmap features.

5.1 Scanning Open Ports and Detecting Host OS with Nmap

In this section, we will learn how to scan for open ports and detect the operating systems of the target hosts using Nmap. First off, let us start by pinging an IP range to determine which live hosts are available.
Start Kali Linux on your VMware if it is not already running and start the Terminal emulator. Enter the following command:
nmap
The terminal will furnish you with a lot of useful information about this tool. Take some time to read it all because they are answers to questions you will have once you begin getting familiar with the tool.
Next, we will find a host IP or a range of host IPs to scan. In this example, I will use IPs I have permission to scan/hack. You should also find computers you are authorized to experiment with your new skills on. As a placeholder, we will use IP addresses 192.168.0.0 to 192.168.0.100 in this demonstration.
Type the following command, replacing the host IP or IP range with your own: nmap -sP 192.168.0.0-100
We can also start the SYN scan and detect the operating system of the live host using the command:
nmap -sS 192.168.0.0 -O
This command will scan for open ports with a SYN scan and display the operating system of the target host at 192.168.0.0. If you also want service version detection alongside OS detection, use the command with these options:
nmap -sV 192.168.0.0 -A
You can even increase the verbosity of the scan results by adding the -v option, thus:
nmap -sV 192.168.0.0 -A -v

5.2 Heartbleed SSL bug Scanning using Nmap on Kali Linux

The Heartbleed SSL Bug officially known as the CVE-2014-0160 is a serious vulnerability in computers that you can scan using the Nmap tool. The bug is in the popular OpenSSL cryptographic software library that was released back in 2012. This vulnerability allows an attacker to access and steal information protected by the SSL/TLS encryption, one of the most popular encryptions used to protect connections to the internet today.
Note, however, that since the bug was discovered, a fix has been developed and deployed by many operating system and application vendors. The objective of this section is to scan for computers whose Heartbleed SSL bug has not been patched and is therefore still available for exploitation.
Use the following command to scan a target host IP or a range of IP addresses: nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]
By using --script-args vulns.showall, you are essentially telling Nmap to show you which scanned targets are vulnerable and which ones are not.
The scanning of Heartbleed typically takes a few seconds, and the results are definitive. However, finding a vulnerability is one thing, exploiting it is another more complicated step.
As a hacker, you now can tell a client whether their computer is vulnerable to exploitation based on whether the systems in the network have been patched to fix the Heartbleed bug vulnerability.
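As an added example (not code from the post), here is how to triage the output of the ssl-heartbleed scan above once it is saved with -oX. It separates hosts reported VULNERABLE from those reported NOT VULNERABLE (entries that only appear because of vulns.showall) and, just as importantly, from hosts where the script never ran because no TLS service was found. The XML is a constructed sample modelled on the layout of Nmap's vulns library (a table keyed by the CVE id containing a state element); heartbleed_results, unpatched_hosts and untested_hosts are my own names.

```python
# Added example, not from the original post: triage the XML written by
#   nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -oX scan.xml [host]
# The XML below is a CONSTRUCTED sample shaped like Nmap's -oX output with the
# vulns library's table/elem layout; it is not the result of a real scan.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -oX - 192.168.0.10-12">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
        <script id="ssl-heartbleed" output="VULNERABLE">
          <table key="CVE-2014-0160">
            <elem key="title">The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
        <script id="ssl-heartbleed" output="NOT VULNERABLE">
          <table key="CVE-2014-0160">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def heartbleed_results(xml_text):
    """Return {(addr, port): state} for every port the ssl-heartbleed script reported on."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-heartbleed']")
            if script is None:
                continue  # no TLS service here, so the script produced nothing
            state_el = script.find("table[@key='CVE-2014-0160']/elem[@key='state']")
            state = state_el.text.strip() if state_el is not None and state_el.text else "UNKNOWN"
            results[(addr, int(port.get("portid")))] = state
    return results


def unpatched_hosts(xml_text):
    """Addresses with at least one port the script flagged VULNERABLE."""
    return sorted({addr for (addr, _), state in heartbleed_results(xml_text).items()
                   if state == "VULNERABLE"})


def untested_hosts(xml_text):
    """Hosts that were up but where no ssl-heartbleed check ran at all."""
    root = ET.fromstring(xml_text)
    tested = {addr for (addr, _) in heartbleed_results(xml_text)}
    up = set()
    for host in root.iter("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is not None and status.get("state") == "up" and addr_el is not None:
            up.add(addr_el.get("addr"))
    return sorted(up - tested)


if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(SAMPLE_XML))
    print("untested: ", untested_hosts(SAMPLE_XML))
```

Without vulns.showall the NOT VULNERABLE entries are omitted, so a host with no script element could be either patched or simply never tested; keep the untested list in the report so that silence is not mistaken for a pass.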

5.3 Finding Live hosts with Nmap

For an ethical hacker, being able to detect hosts that are live is a very important capability that makes your work very easy. The Nmap tool is vital because you can use it to scan a network and find live hosts that you can further probe for vulnerabilities.
We will use Nmap together with ifconfig which will help us determine the range of IP addresses that the tool will scan for live hosts. Nmap will ping each host on the network within the specified range to determine whether it is live or not.
Enter the following command: nmap -sP 192.168.0.0-100
Nmap will return a list of all the hosts detected within the range and whether the host is up or down.
If you would like to increase the verbosity of the ping scan, you can add the -v option to return the list of hosts along with their statuses.
nmap -sP 192.168.0.0-100 -v
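The ping sweep in this section and the -sS/-O/-sV scan in section 5.1 both produce output you will want to process rather than read by eye. The following is an added example, not code from the post: it parses the XML Nmap writes when -oX is added to those commands, lists which hosts were up, which services were open, and the best OS match for each host, and then diffs the open services against an expected inventory. The XML is a constructed sample shaped like Nmap's -oX output, and parse_scan, live_hosts, open_services and inventory_drift are my own names.

```python
# Added example, not from the original post: turn a saved Nmap XML report
# (nmap -sS -sV -O -oX scan.xml 192.168.0.0-100) into a host inventory.
# The XML below is a CONSTRUCTED sample in the shape of Nmap's -oX output;
# the addresses, services and OS matches are made up for illustration.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 192.168.0.0-100">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/><osmatch name="Linux 3.2 - 4.9" accuracy="91"/></os>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.0.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="88"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.0.40" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return one dict per host: address, up flag, open ports with service info, best OS guess."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = host.find("status")
        entry = {"addr": addr.get("addr"),
                 "up": status is not None and status.get("state") == "up",
                 "ports": [], "os": None}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not reachable services
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        matches = host.findall("os/osmatch")
        if matches:
            # -O can return several candidates; keep the one Nmap is most confident in
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            entry["os"] = (best.get("name"), int(best.get("accuracy")))
        hosts.append(entry)
    return hosts


def live_hosts(xml_text):
    """Addresses that answered host discovery (the -sP / -sn result)."""
    return [h["addr"] for h in parse_scan(xml_text) if h["up"]]


def open_services(xml_text):
    """(addr, port, service, product) tuples for every open port found."""
    return [(h["addr"], p["port"], p["service"], p["product"])
            for h in parse_scan(xml_text) for p in h["ports"]]


def inventory_drift(xml_text, expected):
    """Open (addr, port) pairs that are not in the expected inventory set."""
    return sorted({(a, p) for a, p, _, _ in open_services(xml_text)} - set(expected))


if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_XML))
    for row in open_services(SAMPLE_XML):
        print("open:", row)
    known = {("192.168.0.10", 22), ("192.168.0.10", 80)}
    print("unexpected:", inventory_drift(SAMPLE_XML, known))
```

Re-running the same scan on a schedule and feeding the XML through inventory_drift is the simplest way to turn the commands in this section into the uptime and inventory monitoring the introduction mentions: anything new in the drift list is either a change you made or one somebody else did.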

5.4 Nmap options summary

Nmap is a very powerful tool that you must continuously learn about to make full use of. In this section, I will summarize the many options available to use with nmap to expand its functionality.

5.4.1 Host discovery options
-sL: (List Scan) - list the targets that would be scanned
-Pn: Treat all hosts as online and skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery
-PO[protocol list]: IP Protocol Ping
--dns-servers <serv1,[serv2],...>: Specify custom DNS servers
--system-dns: Use the operating system's DNS resolver
-sn: (Ping Scan) - disables port scan
-PE/PP/PM: ICMP echo, timestamp, and netmask request host discovery probes
-n/-R: Never do DNS resolution / always resolve
--traceroute: Trace hop path to each host
5.4.2 Scan techniques
-sU: UDP Scan
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
-p <port ranges>: scan only specified ports
-sY/sZ: scan SCTP INIT/COOKIE-ECHO
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host:[probeport]>: Idle scan
5.4.3 Port specification and scan order
--exclude-ports <port ranges>: Excludes the specified ports from scanning
-r: Scan ports consecutively, not randomized
-F: Fast mode that scans fewer ports than the default scan
--port-ratio <ratio>: Scans ports that are more common than <ratio>
--top-ports <number>: Scan <number> most common ports
5.4.4 Firewall evasion and spoofing
-f; --mtu <val>: fragment packets
-e <iface>: Use specified interface
-D <decoy1,decoy2,[ME],...>: mask a scan with decoys
-g/--source-port <portnum>: Use provided port number
-S <IP_Address>: Spoof source address
--data <hex string>: Append a payload to sent packets
--data-string <string>: Append an ASCII string to sent packets
--proxies <url1,[url2],...>: Relay connection through proxies
--ip-options <options>: Send packets with included IP options
--ttl <val>: Set IP time-to-live field
--badsum: Send packets with bogus TCP/UDP/SCTP checksum
--spoof-mac <mac address/prefix/vendor name>: Spoof your computer's MAC address
--data-length <num>: Append random data to sent packets
5.4.5 Service and Version Detection
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-all: Try all probes (intensity 9)
--version-trace: Show detailed version scan activity
-sV: Probe open ports for service/version info
5.4.6 OS detection
--osscan-limit: Limit OS detection to promising targets
-O: Enable OS detection
--osscan-guess: Guess OS more aggressively
