Penetration Testing and Network Defense: Performing Host Reconnaissance

This chapter is from the book

Penetration Testing and Network Defense

Learn More Buy

This chapter is from the book

This chapter is from the book 

Penetration Testing and Network Defense

Learn More Buy

NMap

Now that you have learned of the different scanning options, you will learn how to implement these scans using a tool called NMap.

All penetration testers have a toolbox of software applications frequently used in testing. Included in every penetration tester toolbox should be NMap. NMap, written by Fyodor and available at http://www.insecure.org, is available on both Windows and Linux platforms. Although the Windows version of NMap might be easier to use because of its graphical user interface, this chapter uses the Linux version for explanatory purposes. At press time, the Windows version did not yield as accurate results as its Linux counterpart.

In the man (manual) page, NMap is described as a tool to "allow system administrators and curious individuals to scan large networks <determine> which hosts are up and what services they are offering." (To view more of the man page, type man NMap at the Linux command line.) NMap allows you to perform many of the scans previously covered.

NMap Switches and Techniques

The predominant switches available in NMap as they correspond to the scans covered earlier are as follows::

• -sT—TCP Connect() scan
• -sS—SYN scan
• -sF—FIN scan
• -sX—Xmas-Tree scan
• -sN—NULL scan
• -sI—Dumb scan (also called an idle scan)
• -sA—ACK scan

In addition, other parameters are helpful:

• -P0—Do not try to ping hosts before scanning them.
• -PP—Uses the ICMP timestamp request (ICMP type 13) packet to find listening hosts. Normally, NMap attempts to ping the hosts using ICMP echo request (ICMP type 1) packets to see if the host is there. Some firewalls and routers block echo requests yet still allow other traffic to penetrate. This switch also uses ICMP to determine if the host is live, but it uses a different ICMP packet for this purpose.
• -6—Enables IPv6 support. You can perform a port scan against a host name through DNS (assuming the DNS server has the IPv6 AAAA records) or through the IP address.
• -oN logfilename—Sends the output in human-readable format to the file of your choosing.
• -oX logfilename—Same as –oN, but this time send it to the logfile in XML format.
• -oG logfilename—Same as –oN, but stores all the results on a single line for querying through the Grep program.
• --append_output—Appends the output to your existing log files instead of overwriting them.
• -p—Specifies the port number(s) to scan. TCP and UDP ports total 65,536. This switch lets you specify single ports, ranges, or lists of ports to scan. You can also specify whether you want to ping UDP or TCP ports only. For example, to scan TCP ports 23 (Telnet), 25 (SMTP), and 80 (HTTP), you can type this:

      NMap -p T:23,25,80

• -v—Verbose mode.
• -vv—Very verbose mode. Enable this to see the most detailed output.
• -M max sockets—Sets the maximum number of sockets used by NMap. Limiting this value decreases the scan rate, which is helpful when scanning some hosts that have been known to crash when being scanned. Of course, discovering that these hosts crash is a vulnerability that you should document in your penetration report.
• -T {paranoid | sneaky | polite | normal | aggressive | insane}—Changes the timing policies for scanning. The default is normal, which attempts to scan as quickly as possible. paranoid is helpful to avoid IDS systems and waits five minutes between sending packets. sneaky sends packets every 15 seconds. polite waits every 0.4 seconds and is designed to prevent host crashing. aggressive and insane attempt to speed up the scans, but because accuracy and stealth are important, you should avoid these unless you have a justifiable reason to use them.
• --host_timeout milliseconds—Specifies how long to wait for a response before scanning stops for a single host. If NMap appears to hang, you might want to adjust this timer.
• --scan_delay milliseconds—Similar to –T, this specifies how long to wait between probes. Increasing this value might let you go undetected past IDS systems.
• -O—Attempts to detect the operating system. It also attempts TCP Sequence Predictability Classification to report how difficult it would be to forge a TCP connection against your target. Beware that NMap is not always accurate in detecting the operating system.

In addition to the switches just listed, NMap is capable of performing more advanced techniques, such as changing the source port number, fragmenting packets, performing Identd scanning, and doing FTP bounce scanning:

• --source_port port number—Specify the port number. Firewalls and routers might block your attempts to scan a host if your port number is above 1023. However, many firewalls and routers allow DNS (port 53) or FTP-Data (port 21) packets through. If you are having difficulties getting past a firewall, try changing your port number to 53 or 21.
• -f—Fragment your packets. By breaking up your scans into smaller TCP fragments, you can often go undetected by low-end security devices that do not want to process fragments to see if a scan is taking place.
• -I—Perform an Identd scan. The Identd protocol (RFC 1413) allows for the disclosure of the username associated with a TCP process. This allows you to connect to web servers and find out if it is running with root privileges (full administrator access). If so, cracking the web server enables you full rights to the server that is hosting the site. This scan rarely works, however, because most hosts disable the Identd service for this very reason.
• -b—Perform an FTP bounce scan. This is an older scan that, like the Identd scan, rarely works. It relies on your having access to a proxy FTP server and performing a scan from that FTP server. Again, most administrators have taken necessary precautions to prevent against such scans.

Compiling and Testing NMap

Compiling NMap is similar to compiling other programs in Linux. Follow these steps:

1. Download the latest version from http://www.insecure.org.
2. Unzip NMap using the gzip program.
3. Untar NMap using the tar program.
4. Navigate to the directory containing the NMap files and type ./configure.
5. Type make install.
6. Type ./install.

Next, perform a TCP Connect() scan against the IP address 64.202.167.192. At the command line, type the following:

 NMap -sT -vv -p T:1-1023 -P0 -O 64.202.167.192

This performs a TCP Connect() scan with very verbose output. You are scanning TCP ports 1 through 1023 and not pinging the host first to see if it is active. Finally, you have enabled the –O switch to attempt to determine the operating system.

Based on the results, you now know that TCP ports 80 and 443 are available. This tells you that this particular server is running as a web server. NMap is unable to determine the type of operating system, however. Still, if it found ports 137, 138, and 139 open, it would know that the target was most likely running a Windows operating system, because these ports are used with NetBIOS (a service commonly seen on Windows systems). NMap knows more than 500 different operating systems and can detect the operating systems not just of servers, but network devices like routers, firewalls, and others.

Fingerprinting

Determining the operating system of your target is important because many of the exploits are specific to the platform. The process of discovering the underlying operating system is called fingerprinting. Besides using the built-in fingerprinting features of NMap, you can try other techniques such as Telnet or HTTP to get requests.

For example, you would know that your target was running HP-UX if you Telneted to a device and got this response:

 Trying 10.0.0.1...
 Connected to server.hackmynetwork.com
 Escape character is '^]'.

 HP-UX B.10.01 A 9000/715 (ttyp3)

 login:

Because most networks do not allow Telnet access, you might have to try to Telnet to another port, such as TCP port 21 (FTP). You would know your target was running the Sun operating system if you received the following response:

 #telnet 10.0.0.1 21
 220 ftp FTP server (UNIX(r)System V Release 4.0) ready.
 SYST
 215 UNIX Type: L8 Version: SUNOS

You can also try to perform an HTTP get request. Here is the output you might receive if your target is running Microsoft IIS:

 #echo 'GET / HTTP/1.0\n' | grep '^Server'
 Server: Microsoft-IIS/5.0

Another means of detecting the operating system of the target system is through stack fingerprinting. Stack fingerprinting actively sends packets to the target TCP/IP stack and analyzes the response. TCP/IP stacks differ from vendor to vendor, making this a prime means of detecting an operating system. You can do stack fingerprinting through the following methods:

• BOGUS probe— This technique detects older Linux systems. It sets bits 7 and 8 of the TCP header in a SYN packet. Linux systems prior to the 2.0.35 kernel respond with the same bits set. These bits were originally undefined, but now they are used to declare a device as being explicit congestion notification (ECN) capable. Routers utilizing random early detection (RED) can set the congestion experienced (CE) bit on packets to notify end stations that congestion occurred.
• TCP ISN sampling— This technique finds patterns in the initial sequence numbers used in connection requests. Some UNIX systems use 64000 as the sequence number. Newer versions of Solaris and FreeBSD, however, employ random increments. In comparison, Windows computers are incremented by a small fixed amount each time. Finally, some devices always start with the same ISN. 3Com hubs, for example, start with 0x803, and Apple printers start with 0xC7001.
• TCP initial window size —This technique examines the window size on return packets. AIX sends a window size of 16,165; Microsoft, OpenBSD, and FreeBSD use 16,430; Linux uses 32,120.
• RTO delay— Sometimes called temporal response analysis, this is a more complicated technique because it requires the addition of a firewall device. A firewall is configured to deny incoming TCP packets with the SYN and ACK flags set. You send a SYN, but when the target responds with SYN/ACK, it is blocked. You then listen to the delay between transmissions (retransmission time-out) and compare the results with a signature database. A patch to NMAP called NMap-ringv2 uses this technique. Ringv2 has a similar technique that measures the RTO of FIN packets.
• IP ID sampling— Every system uses an ID field in the IP header when data needs to be fragmented across multiple packets. Most increment a value by one, but some do not, giving you the opportunity to detect those operating systems that are an exception to the rule. OpenBSD, for example, uses a random IP. Microsoft has its own style; it increments by 256 each time.
• MSS response— You can examine the maximum segment size (MSS) response to determine whether your target is running the Linux operating system. If you send a packet with a small MSS value to a Linux box, it echoes that MSS value back to you in its response. Other operating systems give you different values.

You can use several different tools for OS fingerprinting. You have already learned about NMap and the patch to NMap, Ringv2. Other tools include the following:

• Xprobe2
• Ettercap
• p0f v2
• Queso
• SS
• CheckOS

Footprinting

The methods described in this chapter are called footprinting a target network. Be careful not to get this confused with fingerprinting. Fingerprinting is the process of determining the operating system on a device, whereas footprinting is the combination of active and passive reconnaissance techniques for the purposes of establishing a strategy of attack.

After you finish footprinting (gathering all the information that is relevant to your target), you can draw out a network map. The network map should contain the following:

• Host names
• IP addresses
• Listening port numbers
• Operating systems

Figure 5-21 shows an example of a network map.

Figure 5-21 Sample Network Map

Assume that you have detected three servers and a firewall. The servers are running Microsoft Windows, either 2000 or 2003 edition. You have discovered that the servers are running IIS and have a SQL database. Although you do not know for certain what type of database application is running, the probability of it running Microsoft SQL server is high because that is the most preferred database system on Windows.

Armed with this valuable information, you can begin to strategize as to what type of attacks to launch against the target network. The attacks will center on the vulnerabilities found in the Windows operating systems and applications. You can also try generic firewall attacks. These types of attacks are covered in subsequent chapters.

All the techniques mentioned so far, although not necessarily intrusive to a company network, can lead to dangerous consequences. Therefore, a company should make every effort to mitigate the risks associated with reconnaissance attacks.