As a network security engineer, among tens of other tasks, I also run security assessment and penetration testing projects.
One of the most popular and widely used network scanning tools is NMAP. It is one of the tools I use at the beginning of a penetration testing engagement, and it helps tremendously in identifying targets, live hosts, open ports, the services (and their versions) running on those live hosts, possible vulnerabilities on those hosts (e.g. by running various NSE scripts) etc.
When doing network penetration testing, knowing which ports are open and which services are running on the target network is very important, as it helps you focus your attack scenarios. After all, if a host or network service is not even “visible” through the network there is not much you can do in terms of remote attacks (client-side attacks are, of course, another story).
In this post I will describe a methodology (along with some useful NMAP commands) that I use in the beginning stages of a penetration testing project in order to discover targets and then proceed further in the ethical hacking engagement.
This is not a fixed approach, as it depends on the specific task, what information is known beforehand, whether the network under test is internal or external (i.e. whether the security test is performed from the Internet against public servers or from a LAN inside the corporate network) etc. I’m sure that every professional working in Infosec and security testing has a different approach, but this one has served me well in many engagements.
Host Discovery with NMAP
If the target network is unknown and fairly large (for example several Class C IP subnets), you will need to focus your efforts on discovering live hosts, open ports etc.
The most thorough and comprehensive approach to finding all live hosts and all available open ports on the target network is to scan ALL IP addresses and ALL possible ports (65535 ports, both TCP and UDP).
However, the above approach will take a considerable amount of time, and if you don’t have the luxury of waiting hours or days for the scan to complete then you must run more efficient host identification scans. Moreover, scanning everything is not a good idea if you want to be as stealthy as possible: massive scans usually get blocked by IPS devices, generate lots of alarms and logs etc.
Default Host Discovery with NMAP (not very accurate)
Before talking about how I do host discovery in my own projects, let’s first discuss the default host discovery mechanism used by NMAP.
This uses a “Ping Sweep” with the -sn switch.
Example:
nmap -sn 192.168.10.0/24
The above is the default host discovery by NMAP which sends the following packets to the targets (assuming you are running the tool with administrator or root privileges):
- ICMP echo request (ping)
- TCP Ping (SYN packet) to port 443
- TCP Ping (ACK packet) to port 80
- ICMP timestamp request.
The default host discovery method above might be good in internal networks where there are no firewalls etc. However, it is very inaccurate in other scenarios (e.g. scanning from the Internet to public systems protected by a firewall).
Assume for example that there is an SMTP server listening on port 25, located in a DMZ behind a firewall which allows only port 25 to that server and blocks everything else (whitelist approach).
The default host discovery above will not identify this server, because the ICMP packets and the probes to ports 80 and 443 are all blocked by the firewall. Therefore we will miss an important live server on the target network.
How I perform Host Discovery with NMAP
This is my approach which balances speed and accuracy.
I use the -PS switch, which customizes the TCP pings sent by nmap. Then I select a range of popular ports which are usually open on remote hosts.
Let’s see an example with a target network range of 100.100.100.0/24:
nmap -PS21-25,80,110,443,3306,3389,8000,8080,445,139 100.100.100.0/24
The above command will do host discovery by sending TCP SYN packets to ports 21 through 25, 80, 110, 443, 3306, 3389, 8000, 8080, 445 and 139.
This list covers the most popular services running on machines, such as FTP, Telnet, email services, databases, Remote Desktop, web services, Windows SMB services etc.
I always send the results of the scan to a file as shown next:
nmap -PS21-25,80,110,443,3306,3389,8000,8080,445,139 -oA discoveredhosts 100.100.100.0/24
The above will create 3 files (all named “discoveredhosts”) in text format, XML format and GNMAP (grepable) format.
The GNMAP file will be used to create a list of live hosts, as shown below.
Create a list of Live Hosts
Next I use a powerful Linux command (awk) to create a clean list of live IP addresses from the gnmap file created above.
# awk '/open/{print $2}' discoveredhosts.gnmap > liveIPaddresses.txt
The above command searches the gnmap file for lines containing “open” (an open port means the host is alive) and writes the IP address of each live host to the text file “liveIPaddresses.txt”. The action {print $2} prints the 2nd field of each matching line, which is the IP address of the live host.
The result is a list of live IP addresses (one per line).
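The awk one-liner relies on the layout of the gnmap file, so it is worth seeing what that layout is and what the “open” rule actually selects. The following Python script is an added example (not from the original post): it parses a small constructed gnmap sample (the host lines, IPs and ports are made up for illustration), extracts the live hosts with the same rule as the awk command, and also offers the looser “Status: Up” rule for hosts that answered only with closed ports, which the awk filter would drop.

```python
import re

# Constructed sample of a .gnmap file such as "nmap -PS... -oA discoveredhosts" writes (not real scan output).
# Fields on a "Host:" line are tab-separated; each "Ports:" entry is
#   port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -PS21-25,80,110,443,3306,3389,8000,8080,445,139 -oA discoveredhosts 100.100.100.0/24",
    "Host: 100.100.100.5 ()\tStatus: Up",
    "Host: 100.100.100.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)",
    "Host: 100.100.100.9 ()\tStatus: Up",
    "Host: 100.100.100.9 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: filtered (999)",
    "Host: 100.100.100.12 ()\tStatus: Up",
    "Host: 100.100.100.12 ()\tPorts: 80/closed/tcp//http///\tIgnored State: filtered (999)",
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned in 40.12 seconds",
])

# port / state / proto / owner / service / rpcinfo / version /
PORT_ENTRY = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {"status": ..., "ports": [(port, state, proto, service, version), ...]}} in file order."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):      # skip the '# Nmap ...' comment lines
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]              # "Host: <ip> (<hostname>)"
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["status"] = field[len("Status: "):].strip()
            elif field.startswith("Ports: "):
                for m in PORT_ENTRY.finditer(field):
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    entry["ports"].append((int(port), state, proto, service, version))
    return hosts


def hosts_with_open_ports(text):
    """The rule behind awk '/open/{print $2}': a host is live if it has at least one port in state 'open'.
    (awk's /open/ would also match 'open|filtered'; this version requires exactly 'open'.)"""
    return [ip for ip, e in parse_gnmap(text).items()
            if any(p[1] == "open" for p in e["ports"])]


def hosts_marked_up(text):
    """Looser rule: every host nmap flagged 'Status: Up', including ones that answered only with closed ports."""
    return [ip for ip, e in parse_gnmap(text).items() if e["status"] == "Up"]


def live_list_text(text, strict=True):
    """One IP per line, ready to be fed to nmap -iL."""
    ips = hosts_with_open_ports(text) if strict else hosts_marked_up(text)
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    sys.stdout.write(live_list_text(data))
```

Run it with the path to your discoveredhosts.gnmap as the first argument and redirect the output to liveIPaddresses.txt; with no argument it prints the hosts from the constructed sample. In that sample 100.100.100.12 is up but shows only a closed port, so the strict (awk-equivalent) rule omits it while the Status: Up rule keeps it; which of the two you want depends on whether you are willing to spend full-scan time on hosts that so far have shown no open service.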
Then we will use the list above to perform full port and service scanning.
Perform Full Scan on Live Hosts
Assume that for the Class C network range 100.100.100.0/24 on which we performed host discovery there are 20 live IP addresses. These IPs are stored in the text file liveIPaddresses.txt, one per line.
Our next task is to execute a full port scan and service scan against the live hosts. This scan will now run on ALL ports of the hosts, so that we discover additional services running on the targets.
Let’s see the complete command below:
nmap -p- -Pn -sS -A -iL liveIPaddresses.txt -oX fullscan.xml -oN fullscan.txt
- -p- = Scan all 65535 ports.
- -Pn = Disable host discovery (the hosts are already known to be live); port scan only.
- -sS = TCP SYN port scan.
- -A = Detect both operating systems and services.
- -iL = Scan the list of IP addresses in the text file.
- -oX = Write the scan results to an XML file (useful for importing into NESSUS).
- -oN = Write the scan results to a normal text file.
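Besides importing the XML file into NESSUS, it is handy to read it directly to answer the questions this stage is about: which services each live host exposes, and which open ports the -PS discovery probe list would never have touched. The following Python script is an added example (not from the original post): it parses a small constructed -oX sample (hosts, hostnames, ports and products are made up for illustration) with the standard library, builds a per-service index, and lists the open ports that fall outside the discovery port list used earlier in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the -oX output of the full scan above (two hosts, a handful of ports); not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p- -Pn -sS -A -iL liveIPaddresses.txt -oX fullscan.xml" version="7.94">
<host><status state="up" reason="user-set"/>
<address addr="100.100.100.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/><service name="https-alt"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql"/></port>
</ports>
<os><osmatch name="Linux 5.4 - 5.10" accuracy="96"/></os>
</host>
<host><status state="up" reason="user-set"/>
<address addr="100.100.100.9" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp" product="Postfix smtpd"/></port>
<port protocol="tcp" portid="2222"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="9.3"/></port>
</ports>
</host>
</nmaprun>
"""

# The probe ports used for host discovery earlier in the post (21-25,80,110,443,3306,3389,8000,8080,445,139).
DISCOVERY_PORTS = set(range(21, 26)) | {80, 110, 443, 3306, 3389, 8000, 8080, 445, 139}


def parse_nmap_xml(xml_text):
    """Return one dict per host: ip, hostname, OS guess and the open ports
    as (port, protocol, service, product, version)."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")          # written by -A; the first match is nmap's best guess
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            open_ports.append((
                int(port.get("portid")),
                port.get("protocol"),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
        hosts.append({
            "ip": addr.get("addr"),
            "hostname": name.get("name") if name is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "",
            "open_ports": open_ports,
        })
    return hosts


def services_index(hosts):
    """service name -> sorted ['ip:port', ...], e.g. every SSH endpoint in one place."""
    index = {}
    for h in hosts:
        for port, _proto, service, _product, _version in h["open_ports"]:
            index.setdefault(service, []).append(f"{h['ip']}:{port}")
    return {k: sorted(v) for k, v in index.items()}


def ports_missed_by_discovery(hosts, discovery_ports=DISCOVERY_PORTS):
    """Open ports the -PS probe list never touched: services on non-standard ports that only the -p- scan reveals."""
    return [(h["ip"], port, service)
            for h in hosts
            for port, _proto, service, _product, _version in h["open_ports"]
            if port not in discovery_ports]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_nmap_xml(data)
    for h in found:
        print(h["ip"], h["hostname"] or "-", h["os"] or "-")
        for port, proto, service, product, version in h["open_ports"]:
            print(f"  {port}/{proto} {service} {product} {version}".rstrip())
    print("Missed by discovery probes:", ports_missed_by_discovery(found))
```

Pass fullscan.xml as the first argument to run it on your own results. In the constructed sample, the SSH service on 2222 and the HTTPS service on 8443 are exactly the kind of findings the -p- scan adds on top of discovery: neither port is in the -PS list, so a host exposing only such services would have been missed entirely had the full scan been limited to the discovery ports.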
Further Analysis
Up to here we will have a good idea of the target network: the services running, the operating systems etc. Depending on the results I might perform further analysis using NMAP scripts, but from here on we are mostly done with nmap.
The XML file of the scan results above (-oX) can be imported into NESSUS, which is another excellent tool for vulnerability analysis and much more.
Although NESSUS has its own port scanning functionality, importing the NMAP results might be better, since nmap is dedicated to port scanning and, in my opinion, does a better job in this area.
So the above are the beginning stages of a penetration testing engagement. The exciting part starts after that with vulnerability identification, exploitation, gaining access etc., which I will leave for another post.