Shopping List
Before we start, make sure you have the following ingredients ready to go:
- Fyodor’s nmap – The true king of network scanners
- OpenVAS – The glamor queen of vulnerability assessors
Start Here
The first thing you need to determine is if you will be performing a black box test or a glass box (often referred to as crystal box) test. I will only quickly go over the differences here.
The Fairest Box of All
Black box testing is the "simplest" as you are only provided the IP Addresses in scope of the assessment. That’s it. You are not told how many Windows systems to expect, how many firewalls may be in your way or even if an IPS may shut down your scan if you are too aggressive with your timing options (we’ll touch on that later in this article.) It is difficult to accurately predict how long this may take as the composition of every network is different. An extreme example is if you are scanning through ocean floor fiber it could take quite some time when each packet suffers 250ms+ latency.
Glass box testing is typically much quicker to perform as your client will be providing architectural details of how the network is bolted together. It’s best to ask for network diagrams plus a real live human being to help you decipher them. (I mean seriously, how many UML network diagrams have you seen?) This is important because they may use abbreviations unknown to you, the diagram may not align closely with reality, and any labels scribbled on by hand are subject to the lost art that is penmanship. Err, graphmanship.
Scope Up!
Once the transparency of your target environment is agreed upon, you will need to define which portions of the target organization’s network are within scope for the assessment.
Ask for hosts which must NOT be scanned as they will fall over seizing due to poor IP/TCP stack implementations or other programming bugs. Place these into “exclude.list”.
Place the authorized IP address ranges and domains you were provided into “inscope.list”.
Just a Minor Technicality
Ok, we are now ready to dominate the world with our awesomeness! Or at the very least impress your client with a thorough report...
If you are scanning a class B network (10.10.X.X) or smaller, you will likely want to choose -T4 for your speed setting. If you are attempting to map the Internet, stop now. Fyodor has beaten you to it :-)
The Need For Speed
The -n switch will disable DNS lookups, reducing overall start to finish time as you no longer need to wait for all those UDP DNS requests / responses to file in.
Setting how fast nmap chucks packets onto the network is controlled with:
-T, --scan-delay and --min-hostgroup
-T5 is balls to the wall and -T0 means you never want it to finish...
A safe choice is -T3 (the default) but again you will likely want to use -T4 to save time.
Top Heavy Servers
Scanning for every in-scope IP Address plus 65,535 port combinations to gather an inventory of live hosts could last longer than your contract engagement. You may need to pick 20 to 30 ports. In a perfect scenario, at least one of these ports will be open on every server that you need to find. Use -p to specify destination ports; a good starting list are the following UDP (U:) and TCP (T:) ports:
-p U:53,111,137,T:21-25,80,135,139,443,445,3389,8080
If your client has no idea what services they expect to find on their network, you now have permission to cry like a baby because they will have problems with your report regardless of what you find. T-T
All seriousness aside, thanks to Fyodor’s Internet mapping project I mentioned earlier, you can just substitute the defined list with Fyodor’s results by adding:
--top-ports 30 (where 30 is the number of ports you want to scan)
I Know That Look...
nmap is more than just a simple inventory scanner. It can also guess the target’s operating system and the names and versions of its network-accessible services. It does this by looking at distinguishing features of a packet or connection (such as what the starting TTL value is or how it responds to an unsolicited RST packet sent to a closed port.) This technique is referred to as fingerprinting. If nmap is unsure about a target host, it will guess (and tell you as much) and if it is completely baffled it will politely ask you to submit a fingerprint to add to the nmap database along with what you determine the target to be (by other means.)
-sV will attempt to match the name and version of each open network service that is discovered
-O will attempt to match the operating system of target boxen
New Implants
nmap has received some really neat upgrades since version 4.something, such as the ability to run Lua scripts during the scan process. An example:
--script smb-os-discovery
Make sure you are using the latest scripts by running:
nmap --script-updatedb
Putting it all Together
Thus far, we have compiled the following nmap command:
nmap -iL inscope.list --excludefile exclude.list -v -sS -n --reason -T4 --script smb-os-discovery -sV -O --top-ports 30
Sweep 1: I highly recommend swapping out -sS with -sL before you run your final scan. Why? A list of hosts to be scanned is a great piece of information to include in your report to PROVE that you only touched systems that you were expressly authorized to touch. Yes, this is just feeding back information they originally provided you... Hey, this is why consultants get paid the big bucks right?
Sweep 2: swap out -sS with -sP to icmp scan for which hosts you are able to receive echo replies from. Consider sending this list to your client immediately to verify that you are in the ballpark prior to the "real" scan. Obviously, this can be skipped if a networking device (such as a router or firewall) is dropping all your icmp echo request probes.
Sweep 3: -sS for the win! This is your traditional half open SYN scan. Nmap will send out a TCP SYN packet to each IP address and port combination as you specified to determine if it returns a SYN+ACK packet, indicating an open port. If it doesn't hear back from the target, it's assumed to be closed. (Yes, this is where the increased timing option pays off.)
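As an added example (not part of the original article), here is a small Python check for Sweep 1: it reads the list-scan (-sL) output and confirms that every enumerated target lies inside inscope.list and outside exclude.list before the real SYN sweep runs. The file contents and the nmap output are constructed samples, not real scan data.

```python
import ipaddress
import re
# Constructed samples of the two files from the article (one IP or CIDR per line).
INSCOPE = "10.10.1.0/24\n10.10.2.0/24\n"
EXCLUDE = "10.10.1.7\n10.10.2.0/30  # fragile lab gear\n"

# Constructed stand-in for nmap -sL output; not real scan output.
LIST_SCAN_OUTPUT = """Starting Nmap ( https://nmap.org )
Nmap scan report for 10.10.1.5
Nmap scan report for 10.10.1.7
Nmap scan report for 10.10.2.1
Nmap scan report for 10.10.2.200
Nmap scan report for 192.0.2.9
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.01 seconds
"""
# Matches both "report for 10.0.0.1" (with -n) and "report for name (10.0.0.1)".
_REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")

def parse_networks(text):
    """Parse one IP/CIDR per line into ip_network objects; blanks and # comments ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def hosts_from_list_scan(output):
    """Extract every target address that a list scan (-sL) enumerated."""
    return [ipaddress.ip_address(m.group(1))
            for m in map(_REPORT_RE.match, output.splitlines()) if m]

def check_scope(hosts, inscope, exclude):
    """Split hosts into (authorized, violations). A host is authorized only if it
    lies inside some in-scope network and inside no excluded network."""
    authorized, violations = [], []
    for h in hosts:
        allowed = any(h in n for n in inscope) and not any(h in n for n in exclude)
        (authorized if allowed else violations).append(h)
    return authorized, violations

def audit(list_output=LIST_SCAN_OUTPUT, inscope_text=INSCOPE, exclude_text=EXCLUDE):
    """Run the check on the constructed data; returns (authorized, violations)."""
    hosts = hosts_from_list_scan(list_output)
    return check_scope(hosts, parse_networks(inscope_text), parse_networks(exclude_text))

if __name__ == "__main__":
    ok, bad = audit()
    print(f"{len(ok)} authorized targets; out of scope: {[str(h) for h in bad]}")
```

Any address that lands in the violations list means inscope.list, exclude.list or the nmap command line disagree with what the client authorized, and that is worth resolving before Sweep 3.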
Wrapping Up
If you are running up against an IPS blocking your aggressive scans by sending you RSTs or dropping your packets silently, try setting -f to fragment (split up) your packets to a smaller portion of their maximum transmission unit (MTU) or size. This may just be enough to fool (or crash) that pesky IPS into letting them all pass on their merry way for total target box domination. Make sure you have permission to try this from the client first...
This was intended to be a pick up and go article and not dig too deep into how network scanning works nor the intricacies of nmap. If you want WAY more info than I've provided here, I highly recommend buying Fyodor's nmap book. If you can't spare a few bucks, it's also available online for free.
Stay tuned for Part 2, which covers OpenVAS.