17 Frequently Asked Questions

This section was added as an extra to the original tutorial as it became popular and some questions were asked about particular aspects of an nmap scan. I’ll use this part of the tutorial to merge some of those into the main tutorial itself.

17.1 I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan?
This question assumes you used a scan command along the lines of:

    nmap -sS -P0 -p 1-140 -O -D xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx -sV xxx.xx.xxx.xxx

Note: each xxx corresponds to an octet of an IP address. This instructs Nmap to run a Stealth scan (-sS) without pinging (-P0) on ports 1 to 140 (-p 1-140), to use OS detection (-O) and to use decoys (-D). The three comma-separated IPs are the decoy IPs to use. It also specifies version scanning (-sV), which attempts to determine precisely which program is running on a port.
Now, here's the analysis of this command. A stealth scan (-sS) is picked up by most firewalls and IDS systems nowadays. It was originally designed to prevent the scan being logged by whatever server is running on the port the scanner connects to. In other words, if a scan made a full connection to port 80 to test whether it is open, Apache (or whatever other web server is in use) would log the connection in its log files.
The -sS scan option doesn't make a full TCP connection (which is what the -sT option does, and what you get when not running as root) but resets the connection before it can be fully established. As such, most servers will not log the connection, but an IDS or firewall will recognise this behaviour (when repeated) as typical of a port scan. This means that the scan shows up in firewall or IDS logs and alerts. There are few ways around this, to be honest. Most firewall/IDS software nowadays is quite good at detecting these things, particularly if it's running on the same host as the victim (the system you are scanning).
Note also that decoys will not prevent your IP from showing up entirely; they just list the others as well. A particularly well-designed IDS may even be able to figure out which is the real source of the scans.
Where speed of scan isn't essential, the -P0 option is a good idea. Nmap gains timing information from pinging the host, and can often complete its scans faster with this information, but the ping packets will be sent to the victim from your IP, and any IDS worth its CPU cycles will pick up on the pattern of a few pings followed by connects to a variety of ports. -P0 also allows scanning of hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by in-kernel settings).
I mentioned timing in the above paragraph. You can use the -T timing option to slow the scan down. The slower a scan is, the less likely it is to be detected by an IDS. There are bound to be occasional random connects occurring: people type an IP in wrong, or try to connect and their computer crashes halfway through the connect. These things happen, and unless an IDS is configured extremely strictly, they generally aren't reported (at least, not in the main alert logs; they may be logged if logging of all traffic is enabled, but typically those logs are only checked if there's evidence of something going on). Setting the timing to -T 0 or -T 1 (Paranoid or Sneaky) should help avoid detection. As mentioned in my main tutorial, timings for individual aspects of a scan can also be set using the --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --min-parallelism and --scan-delay options. See the Nmap manual for details.
The final note I will add to this answer is that use of the Idle scan method (-sI) means that not a single packet is sent to the victim from your IP (provided you also use the -P0 option to turn off pings). This is the ultimate in stealth, as there is absolutely no way the victim can determine that your IP is responsible for the scan (short of obtaining log information from the host you used as part of your idle scan).
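To show the other side of this answer, i.e. what the firewall or IDS mentioned above actually keys on, here is an added example (not part of the original tutorial and not Nmap's code). It parses constructed iptables-LOG-style lines (the SRC=, DST=, PROTO=, DPT= fields and the flag names are as the LOG target prints them; the leading epoch-second timestamp is my simplification in place of the syslog date), keeps only packets that carry SYN without ACK, and counts how many distinct ports each source probes inside a sliding window. The sample log contains a fast -sS sweep from one real source plus two -D decoys, an ordinary web client, and the same sweep paced like -T 0. The IP addresses, window and threshold are constructed values.

```python
import re
from collections import defaultdict, deque

# One iptables-LOG-style line per packet. Constructed format: an epoch-second
# timestamp replaces the syslog date so the example needs no date parsing.
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s.*?SRC=(?P<src>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dport>\d+)\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return (timestamp, source, destination port) for a TCP packet carrying
    SYN without ACK, i.e. the opening packet of a handshake (what -sS sends).
    Anything else (UDP, SYN/ACK replies, plain ACKs) returns None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flags = m.group("rest").split()
    if "SYN" not in flags or "ACK" in flags:
        return None
    return int(m.group("ts")), m.group("src"), int(m.group("dport"))


def scan_stats(lines, window=60):
    """For each source, the largest number of distinct destination ports it sent
    SYNs to within any `window`-second span. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # source -> (timestamp, port) pairs still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport = rec
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:      # drop probes that have aged out of the window
            q.popleft()
        peak[src] = max(peak[src], len({p for _, p in q}))
    return dict(peak)


def flag_scanners(lines, window=60, threshold=15):
    """Sources whose SYNs hit at least `threshold` distinct ports inside one window."""
    return sorted(src for src, n in scan_stats(lines, window).items() if n >= threshold)


def make_line(ts, src, dport, flags="SYN"):
    # Constructed sample line; field names follow the iptables LOG target.
    return (f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.10 "
            f"PROTO=TCP SPT=40000 DPT={dport} {flags}")


def sample_log():
    """Constructed firewall log: a fast -sS sweep with two decoys, a normal web
    client, and the same sweep paced like -T 0 (one probe every five minutes)."""
    t0 = 1_700_000_000
    lines = []
    for i, port in enumerate(range(1, 41)):                 # ports 1-40 in about ten seconds
        for src in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):     # real source plus two -D decoys
            lines.append(make_line(t0 + i // 4, src, port))
    for k in range(6):                                      # ordinary client: full handshakes to 80/443
        port = 80 if k % 2 else 443
        lines.append(make_line(t0 + 3 * k, "10.0.0.9", port))
        lines.append(make_line(t0 + 3 * k, "10.0.0.9", port, "ACK"))
    for i, port in enumerate(range(1, 41)):                 # slow sweep: 300 s between probes
        lines.append(make_line(t0 + 100 + 300 * i, "10.0.0.8", port))
    lines.sort(key=lambda l: int(l.split()[0]))
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("peak distinct ports per source:", scan_stats(log))
    print("flagged:", flag_scanners(log))
```

Two things fall out of running it. The decoy addresses are flagged right alongside the real one, which is exactly the point made above: decoys add names to the alert, they do not remove yours. And the -T 0 paced sweep never exceeds one port per window, so a purely rate-based rule like this one misses it; that is why an IDS that only counts probes per minute is weak against slow scans, and why a defender would also aggregate per source over hours or days.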

17.2 Nmap seems to have stopped, or my scan is taking a very long while. Why is this?
The timing options can make it take a very long time. I believe the -T Paranoid (-T 0) option waits up to 5 minutes between packets... now, for 65000 ports, that's 65000 x 5 = 325000 minutes = 225 days!!
-T Sneaky (-T 1) waits up to 15 seconds between packets, and is therefore more useful; but scans will still take a long while! You can use -v to get more verbose output, which will show you the progress of the scan. Using -v twice makes the output even more verbose.

17.3 Will -sN, -sX and -sF work against any host, or just Windows hosts?
-sN, -sX and -sF scans will work against any host, but Windows computers do not respond correctly to them, so scanning a Windows machine with these scans results in all ports appearing closed. Scanning a *nix or other system should work just fine, though. As I said in the main tutorial, -sX, -sF and -sN are commonly used to determine whether you're scanning a Windows host or not, without using the -O fingerprinting option.
The Nmap manual page should help determine which scans work alongside which options, and on which target systems they are most effective.

17.4 How do I find a dummy host for the Idle Scan (-sI)?
You simply have to scan for hosts using sequential IPID sequences; these are (often) suitable for use as a dummy host for the -sI Idle Scan.
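The property this answer relies on is a globally incremental IP ID counter: every packet the host sends, to anyone, bumps the ID by one, so anybody can count its traffic from outside. The flip side is that you can check hosts you administer for it. The classifier below is an added example, not code from the tutorial or from Nmap; its category names are a simplified version of the ones Nmap prints under "IP ID Sequence Generation", the thresholds are the example's own, and the sample sequences are constructed rather than captured.

```python
def _byte_swap(v):
    """Swap the two bytes of a 16-bit IP ID (some stacks emit the counter little-endian)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def _increments(ids, swap=False):
    """Differences between consecutive IDs, modulo 2^16 so the wrap from 65535 to 0 counts as +1."""
    vals = [_byte_swap(i) if swap else i for i in ids]
    return [(b - a) % 0x10000 for a, b in zip(vals, vals[1:])]


def classify_ipid(ids):
    """Classify an observed IP ID sequence. Categories are a simplified form of those
    Nmap reports for IP ID sequence generation; the '< 10' threshold is this example's own."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "all zeros"
    if all(0 < d < 10 for d in _increments(ids)):
        return "incremental"
    if all(0 < d < 10 for d in _increments(ids, swap=True)):
        return "byte-swapped incremental"
    return "random"


def exposes_global_counter(ids):
    """True when the host leaks a global packet counter through its IP IDs, which is
    what makes it a candidate dummy host for -sI. Randomised or per-destination
    ID generation removes the property."""
    return classify_ipid(ids) in ("incremental", "byte-swapped incremental")


# Constructed samples standing in for IDs read from replies of a host you administer
SAMPLES = {
    "counter":            [1000, 1001, 1002, 1003, 1004],
    "counter_wraparound": [65534, 65535, 0, 1],
    "little_endian":      [59395, 59651, 59907, 60163],   # 1000..1003 with the bytes swapped
    "zeros":              [0, 0, 0, 0],
    "random":             [7978, 39937, 784, 51125],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name:20s} {classify_ipid(ids):25s} exposed={exposes_global_counter(ids)}")
```

The wrap-around case is included deliberately: a naive `b - a` check would call 65535 followed by 0 a jump of -65535 and misclassify a perfectly ordinary counter, so the increments are taken modulo 2^16. A host reporting "incremental" here is one whose ID generation you would want changed.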

17.5 What does "Host seems down. If it is really up, but blocking our ping probes, try -P0" mean?
When Nmap starts, it tries to ping the host to check that it is online. Nmap alsogains timing information from this ping. If the remote host, or a system on thepath between you and the remote host, is blocking pings, this ping will not bereplied to, and Nmap will not start scanning. Using the -P0 option, you can turnoff ping-on-start and have Nmap try to scan anyway.

17.6 Where can I find NmapFE?
NmapFE is a graphical front-end for Nmap. NmapFE for UNIX/Linux is included in the Nmap source. NmapFE for OSX is available at http://faktory.org/m/software/nmap/ and NmapFE for Windows is under development as part of NmapFE++, a new front-end for Linux, OSX and Windows; information is available at http://www.insecure.org/nmap/SoC/NmapFE.html
