We will now continue with our "scanning journey". In this installment we will take a look at some generic port scans over TCP using Nmap.
Last time we talked about what port scanning is. If you need to go back and reference it, go ahead.
Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP addresses, MAC addresses, etc. have been munged!
Lesson 2: We are using Nmap to scan our target network. We will be trying to determine what type of "box" we have and what services are running on it.
So first we are going to run a generic TCP SYN Scan against our target. This is the default in Nmap by the way.
So open a CLI, or use the front end if you would like. You could also give a domain name instead of an IP, for example www.yourexampleofadomain.com; it works the same.
Code:
bt ~ # nmap 192.168.1.102
And the output should look like:
Code:
bt ~ # nmap 192.168.1.102
Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-05 15:25 GMT
Interesting ports on 192.168.1.102:
Not shown: 1696 closed ports
PORT   STATE SERVICE
20/tcp open  ftp
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Nmap finished: 1 IP address (1 host up) scanned in 1.527 seconds
bt ~ #
As we can see there are a lot of open ports on our target computer. This is great, since now we have several approach vectors to look at; however, we will save those for a later time. So what we have is a simple SYN scan that reports back which ports are open on our target. Note, however, that this is not necessarily accurate. Also notice that this scan told us only which ports are open, NOT what service is actually running: the SERVICE column is just Nmap's usual name for that port number, not something it verified. To see the actual service info use the -sV option, which enables version detection, but a better option is -A, which enables both OS detection and version detection. Version detection uses the nmap-service-probes database to try to determine the service protocol, the application name, the version number, hostname, device type, the OS family, and other miscellaneous details.
OK, now let's look at the same scan, only this time we will use the -A option. Again, this will give us more info about our target's services.
Code:
bt ~ # nmap -A 192.168.1.102
Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-05 15:46 GMT
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 192.168.1.102 are closed
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Microsoft Windows 2003|XP
OS details: Microsoft Windows 2003 Server SP1, Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1, Microsoft Windows XP SP2, Microsoft Windows XP SP2 (firewall disabled)
Network Distance: 11 hops
Notice that this time all of the ports on our target are closed. However, because we used -A, we can see that the computer may be running Windows XP or something similar.
This is valuable info for us. It will help us narrow down our attacks on the target. For example, we don't have to look at default router passwords as an attack vector.
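The two transcripts above are easier to work with as data than by eye, for instance to keep an inventory of what is listening on a host and to notice when a port appears or disappears between two scans. The following Python script is an added example, not code from this post or from the Nmap project: it parses Nmap's normal text output (the Nmap 4.20 layout shown above, which the regular expressions assume) into a structured record and diffs the open-port sets of two scans. The sample inputs are the post's two transcripts, embedded as constructed strings with the munged addresses kept as they appear, so it runs offline.

```python
"""Parse Nmap 'normal' text output into structured data and diff two scans."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two Nmap 4.20 transcripts from the post above.
SYN_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-05 15:25 GMT
Interesting ports on 192.168.1.102:
Not shown: 1696 closed ports
PORT   STATE SERVICE
20/tcp open  ftp
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Nmap finished: 1 IP address (1 host up) scanned in 1.527 seconds
"""

AGGRESSIVE_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-05 15:46 GMT
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 192.168.1.102 are closed
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Microsoft Windows 2003|XP
OS details: Microsoft Windows 2003 Server SP1, Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1, Microsoft Windows XP SP2, Microsoft Windows XP SP2 (firewall disabled)
Network Distance: 11 hops
"""

# Line shapes assumed from the Nmap 4.20 output shown in the post.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
INTERESTING_RE = re.compile(r"^Interesting ports on (\S+):$")
ALL_RE = re.compile(r"^All (\d+) scanned ports on (\S+) are (\w+)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.+)\))?$", re.I)


@dataclass
class ScanResult:
    target: str = ""
    # (port, proto) -> (state, service, version); version is "" unless -sV/-A ran
    ports: dict = field(default_factory=dict)
    mac: str = ""
    vendor: str = ""
    os_family: str = ""
    os_guesses: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_nmap_normal(text):
    """Walk the output line by line; each pattern handles one kind of line."""
    r = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            r.ports[(int(port), proto)] = (state, service, version or "")
        elif m := INTERESTING_RE.match(line):
            r.target = m.group(1)
        elif m := ALL_RE.match(line):
            r.target = m.group(2)
        elif m := MAC_RE.match(line):
            r.mac, r.vendor = m.group(1).upper(), m.group(2) or ""
        elif line.startswith("Running: "):
            r.os_family = line[len("Running: "):]
        elif line.startswith("OS details: "):
            r.os_guesses = line[len("OS details: "):].split(", ")
        elif line.startswith("Warning: "):
            r.warnings.append(line[len("Warning: "):])
    return r


def open_ports(result):
    """Sorted (port, proto, service) for every port Nmap reported as open."""
    return sorted((p, proto, svc)
                  for (p, proto), (state, svc, _) in result.ports.items()
                  if state == "open")


def compare_scans(old, new):
    """Open ports that vanished, and open ports that appeared, since the earlier scan."""
    old_open = {(p, proto) for p, proto, _ in open_ports(old)}
    new_open = {(p, proto) for p, proto, _ in open_ports(new)}
    return {"closed_since": sorted(old_open - new_open),
            "opened_since": sorted(new_open - old_open)}


if __name__ == "__main__":
    first = parse_nmap_normal(SYN_SCAN)
    second = parse_nmap_normal(AGGRESSIVE_SCAN)
    print(first.target, open_ports(first), first.vendor)
    print(second.os_family, second.warnings)
    print(compare_scans(first, second))
```

Run on the two transcripts it reports the four open TCP ports and the MAC vendor from the first scan, the OS family and the reliability warning from the second, and that ports 20, 21, 23 and 80 were open in the first scan but not in the second. Newer Nmap releases print "Nmap scan report for" instead of "Interesting ports on", so the target pattern would need extending for their output.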
In the next lesson we will look at more TCP scan options.
OK, now that we have seen a couple of basic scans it's time for you to go and practice. And remember kids, don't do anything that is against the law!