Vulnerability analysis part 2: Host discovery using nmap
I know the IP address of my attacking machine is 192.168.238.136, and I know the subnet mask is 255.255.255.0. In CIDR notation that is a /24: the first 24 bits (192.168.238) are the network prefix and the remaining 8 bits (.136) are the host number, so the subnet is 192.168.238.0/24.
We can list out all the IP addresses in this range with a list scan (-sL). This scan sends no packets to the target addresses at all, but it does attempt a reverse DNS lookup on each one, so DNS queries still leave your machine.
# nmap -sL 192.168.238.0/24
Since there are 256 addresses outputted by this command, I will not paste them here.
Let's explore the other machines with a ping sweep. This scan does not scan any ports; it only reports which hosts are up. Older versions of nmap use -sP; newer versions use -sn (and still accept -sP as an alias).
# nmap -sn 192.168.238.0/24
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-06 18:49 EDT
Nmap scan report for 192.168.238.1
Host is up (0.00039s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.238.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:EA:8D:7F (VMware)
Nmap scan report for 192.168.238.137
Host is up (-0.10s latency).
MAC Address: 00:0C:29:54:6E:48 (VMware)
Nmap scan report for 192.168.238.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:EF:B0:9E (VMware)
Nmap scan report for 192.168.238.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.28 seconds
I know the 192.168.238.2 address is my default gateway, and 192.168.238.136 is my local machine (Nmap prints no MAC address or latency for the host it is running on). What are the other three addresses? One of them is the Metasploitable machine; I'm not sure what the other two are.
A little digging, and I find out what these addresses are.
192.168.238.1: Host machine (the VMware virtual network adapter on the host)
192.168.238.2: Default gateway
192.168.238.254: VMware DHCP server
192.168.238.136: Kali machine
192.168.238.137 must be our Metasploitable VM.
By default the ping scan sends each address an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. If any of these probes gets a response, we know the host is alive. On a directly connected Ethernet segment, as here, Nmap uses ARP requests instead, which is why the sweep above reports a MAC address for every host but our own. If a firewall or other device drops these probes, the ping scan may show no host at an address that is in fact up, and you will need a different method of host discovery. The -Pn option skips host discovery altogether and port-scans every IP address in the range, treating each one as up. We'll speed it up with -F, which scans only the 100 most common ports instead of the default 1000. (Nmap still does ARP discovery of locally connected hosts even with -Pn, so addresses that do not answer ARP are skipped; that is why the run below reports 5 hosts up rather than 256.)
# nmap -F -Pn 192.168.238.0/24
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-07 17:12 EDT
Nmap scan report for 192.168.238.1
Host is up (0.00032s latency).
Not shown: 97 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.238.2
Host is up (0.00011s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:EA:8D:7F (VMware)
Nmap scan report for 192.168.238.137
Host is up (0.00018s latency).
Not shown: 82 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
513/tcp  open  login
514/tcp  open  shell
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
8009/tcp open  ajp13
MAC Address: 00:0C:29:54:6E:48 (VMware)
Nmap scan report for 192.168.238.254
Host is up (-0.10s latency).
All 100 scanned ports on 192.168.238.254 are filtered
MAC Address: 00:50:56:F7:A6:AC (VMware)
Nmap scan report for 192.168.238.136
Host is up (0.0000020s latency).
All 100 scanned ports on 192.168.238.136 are closed
Nmap done: 256 IP addresses (5 hosts up) scanned in 16.43 seconds
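Once a sweep like the one above covers a whole /24, the useful question is which of the "up" addresses actually expose services and which are only "up" because -Pn assumes so. The shell script below is an added example and not part of the original post: it condenses Nmap's normal (human-readable) output into one tab-separated line per host and lets you pull out the hosts with a given port open. The sample output is constructed here as an abbreviated copy of the results above, and the function names summarize_scan and hosts_with_port are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: triage Nmap's normal
# (human-readable) output from a host-discovery sweep. The function
# names and the sample below are this example's own.

# Constructed sample: an abbreviated copy of the "nmap -F -Pn" output above.
SAMPLE_SCAN='Nmap scan report for 192.168.238.1
Host is up (0.00032s latency).
Not shown: 97 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.238.137
Host is up (0.00018s latency).
Not shown: 82 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  microsoft-ds
MAC Address: 00:0C:29:54:6E:48 (VMware)
Nmap scan report for 192.168.238.254
Host is up (-0.10s latency).
All 100 scanned ports on 192.168.238.254 are filtered
MAC Address: 00:50:56:F7:A6:AC (VMware)
Nmap scan report for 192.168.238.136
Host is up (0.0000020s latency).
All 100 scanned ports on 192.168.238.136 are closed
Nmap done: 256 IP addresses (4 hosts up) scanned in 16.43 seconds'

# summarize_scan: read normal-format Nmap output on stdin and print one
# tab-separated line per host:
#   <ip>  <mac or ?>  <open ports | all-filtered | all-closed | ->
# Under -Pn every address is reported "up", so "all-filtered" is the tell
# for an address that is probably not a live host at all.
summarize_scan() {
    awk '
    function emit_host() {
        if (ip != "") printf "%s\t%s\t%s\n", ip, mac, (ports == "" ? "-" : ports)
        ip = ""; mac = "?"; ports = ""
    }
    BEGIN { mac = "?" }
    /^Nmap scan report for / {
        emit_host()
        ip = $NF                      # "name (1.2.3.4)" form puts the IP last
        sub(/^\(/, "", ip); sub(/\)$/, "", ip)
        next
    }
    /^MAC Address: /                       { mac = $3; next }
    /^[0-9]+\/(tcp|udp) +open /            { ports = (ports == "" ? $1 : ports "," $1); next }
    /^All [0-9]+ scanned ports on .* are / { ports = "all-" $NF; next }
    END { emit_host() }
    '
}

# hosts_with_port PORT: filter summarize_scan output on stdin down to the
# IPs that have PORT (e.g. 445/tcp) open, ready to feed into the next scan.
hosts_with_port() {
    awk -F'\t' -v want="$1" '{
        n = split($3, p, ",")
        for (i = 1; i <= n; i++) if (p[i] == want) { print $1; break }
    }'
}

# Real use:  nmap -F -Pn 192.168.238.0/24 | summarize_scan | hosts_with_port 445/tcp
# On the constructed sample:
printf '%s\n' "$SAMPLE_SCAN" | summarize_scan
printf '%s\n' "$SAMPLE_SCAN" | summarize_scan | hosts_with_port 445/tcp
```

On the sample this prints four summary lines, with 192.168.238.254 marked all-filtered and the local machine 192.168.238.136 marked all-closed with no MAC, and then the two hosts with 445/tcp open. For anything beyond a quick look, Nmap's own machine-readable formats (-oG or -oX) are the better input to scripts, since the normal output is meant for people and its wording can change between versions.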
Some additional host discovery probe types:
TCP SYN pings (-PS) send a SYN to a given port (80 by default), the first step of the TCP handshake. A SYN/ACK (port open) or a RST (port closed) both prove the host is alive; Nmap then sends a RST to tear down any half-open connection rather than completing the handshake.
TCP ACK pings (-PA) send a bare ACK, as though a handshake were already in progress. Since the host knows it has no such connection, it responds with a RST, which tells us the host is alive. An ACK is not a connection attempt, so this probe sometimes gets through stateless firewalls that block SYNs, but a stateful firewall will drop it as unsolicited.
UDP pings (-PU) send a UDP packet to a port that is unlikely to be open (40125 by default). A closed port answers with an ICMP port unreachable, which tells us the host is alive; an open port usually produces no reply at all, so a closed port is actually what we want here.
Up next: Port scanning