lf170, System Administration: Learning with nmap

Learning with nmap

Abstract:

Why are scanners so important for the security of networks? Basically because they are essential tools for those who want to attack a system. The preparation of an attack by a cracker could look as follows:

Scan a target machine or selected network, observe which services are offered and which operating systems runs these services, and work on some well-known vulnerability in any of them.
Scan any network or machine, look for a service or operating system (including the checkup of the version) with a known vulnerability.

For a system administrator who is aware of system security, it is important to carry out a scanning of their own network, and look for vulnerabilities before others do it with not so good intentions.

There are several scanning tools for this purpose, but the article will only look at nmap. Nmap is among the most complete scanners and security tools.

Nmap allows the system administrator to scan the networks in order to know which servers are active and which services they offer. For this purpose, nmap offers several scanning techniques. This article will work on a limited number of them, reviewing (maybe teaching?) some aspects of TCP protocol

The strategy in this article will be to show some of the more common ways to use nmap, to obtain information about systems and, in parallel, show how to find traces of scanning on the target side.

The nmap can be obtained from www.insecure.org. After downloading run:

tar zxvf nmap-2.30BETA17.tgz
cd ...../nmap-2.30BETA17/
./configure
make
make install

and it is installed.

The nmap output is usually a list of "interesting" (active) ports on the scanned target machine. These ports provide you with the name of the service, the state and the protocol.

Scanning with TCP, three way handshake of TCP (option -sT)

The simpler form of nmap scanning is done with option -sT. It is based on the method of establishing a connection in the TCP protocol, known as a three way handshake. The sequence [1] is roughly described below

The server must be ready to receive a connection (usually using the socket, bind and listen functions)
The client starts an active connection - a call to connect (). This sends a SYN segment to the server to inform about the initial sequence number of the data that client will send during connection. The SYN usually contains an IP Header - a TCP Header and maybe some TCP option.
The server should acknowledge the SYN sending with an ACK and a SYN with its sequence number (within the same TCP package).
The client should acknowledge the server SYN with an ACK

This way of scanning has two advantages:

it is fast (nmap even has options that we will not analyze to make it faster on slow connections)
special privileges are not needed on the machine that launches the scanning

but it has a big disadvantage. It is very simple to detect and easy to filter.

We will follow the procedure used by nmap option -sT, running tcpdump in the target machine. nmap is executed on machine 192.168.255.20 and points toward machine house2.xxx.xxx.xxx, through an Ethernet network.

1) 08:24:18.393108 192.168.255.20.1024 house2.xxx.xxx.xxx.653: S 2632227152:2632227152(0) win 16060 < mss 1460,sackOK,timestamp 232602[|tcp] (DF)
2) 08:24:18.393167 house2.xxx.xxx.xxx.653 192.168.255.20.1024: R 0:0(0) ack 2632227153 win 0
3) 08:24:18.393227 192.168.255.20.1025 house2.xxx.xxx.xxx.6141: S 2644226118:2644226118(0) win 16060 < mss 1460,sackOK,timestamp 232602[|tcp] (DF)
4) 08:24:18.393258 house2.xxx.xxx.xxx.6141 192.168.255.20.1025: R 0:0(0) ack 2644226119 win 0
5) 08:24:18.453343 192.168.255.20.1298 house2.xxx.xxx.xxx.pop3: S 2640612362:2640612362(0) win 16060 < mss 1460,sackOK,timestamp 232608[|tcp] (DF)
6) 08:24:18.453542 house2.xxx.xxx.xxx.pop3 192.168.255.20.1298: S 1658259980:1658259980(0) ack 2640612363 win 16060 < mss 1460,sackOK,timestamp 243353[|tcp] (DF)
7) 08:24:18.458667 192.168.255.20.1298 house2.xxx.xxx.xxx.pop3:. ack 1 win16060<nop,nop,timestamp 232609 243353 (DF)
8) 08:24:18.461280 192.168.255.20.1298 house2.xxx.xxx.xxx.pop3: F 1:1(0) ack 1 win 16060 < nop,nop,timestamp 232609 243353 (DF)

Line numbering was added to ease the explanation. Line 1 shows the "attacking" machine 192.168.255.20 sending a SYN segment from port 1024 to port 653 on the target machine house2.xxx.xxx.xxx. We can recognize it as a SYN segment thanks to the S after the port number (653). This covers the point 2) of the three way handshake as explained above.
In line 2 we see the target machine responding with a RESET package (notice the R after the 1024) indicating that there is no process listening on port 653.
Lines 3 and 4 are similar to the first ones, but checking if there is a process on port 6141 of target machine. As there is nothing again, it also answers with a RESET
Line 5 shows how the machine 192.168.255.20 sends a SYN segment to POP3 port of target machine (number 110), and the target machine answers with an ACK accepting the SYN and the sequence number (It sends the sequence number from target machine, 1658259980 in this case, and the sequence number sent by the host 192.168.255.20, adding 1, that is 2640612363). Notice that the packet sent from house2 has the control bits SYN and ACK activated. This is seen in line 6 and is the step 3) of the three way handshake above.
Line 7 shows the recognition of the last packet received on host 192.168.255.20 with an ACK segment, reaching the point 4) of the handshake.
Line 8 is the connection closing from 192.168.255.20, which is done sending a FIN segment (notice the F after pop3)

This run allowed nmap to detect that port 110 (pop3) of house2 is an active one on this machine.

As stated above, this way of scanning is easy to detect, using the prints left in file /var/log/messages (although this depends on the way that syslog.conf was configured) the connection seen in lines 5 to 8 produced:

May 6 08:24:01 house2 in.pop3d[205]: connect
from root@192.168.255.20

Scanning using SYN segments (half open, option -sS)

This scanning type is performed by executing nmap with option -sS. The technique used is to open a "half connection": we send a SYN segment and, if an ACK is received then we have detected an active port on the target machine, and we sent a RESET to close the connection promptly. If we receive an RST instead of an ACK, then the scanned port is not active. This scanning procedure has the drawback that root privileges are needed to execute it. But it has the advantage that is difficult to detect in the scanned machine.

Let's see a similar analysis of the actions done by nmap with this option, analyzing it with tcpdump (with lines numbered again for easier description)

1) 22:25:45.856936 192.168.255.20.40175 house2.tau.org.ar.946: S 1292785825:1292785825(0) win 3072
2) 22:25:45.857078 house2.tau.org.ar.946 192.168.255.20.40175: R 0:0(0) ack 1292785826 win 0

Lines 1 and 2 are quite close to lines 1 and 2 of the previous section, except that a SYN segment is seen, sent by host 192.168.255.20 to port 946 of host house2 and we get the answer with a RESET because it is not an active port.

3) 22:25:45.970365 192.168.255.20.40175 house2.tau.org.ar.pop3: S 1292785825:1292785825(0) win 3072
4) 22:25:45.976022 house2.tau.org.ar.pop3 192.168.255.20.40175: S 185944428:185944428(0) ack 1292785826 win 16080 < mss 536 (DF)
5) 22:25:45.979578 192.168.255.20.40175 house2.tau.org.ar.pop3: R 1292785826:1292785826(0) win 0

Lines 3, 4 and 5 are produced by the successful discovery of a service (pop3) at port 110 from host house2. As mentioned, the three way handshake it is not completed but when nmap receives the recognition of its SYN segment (by means of the ACK segment sent by house2 in line 4), it sends a RESET segment that forces the communication to interrupt.

This scanning over house2 didn't leave any trace in the file /var/log/messages, as stated earlier.

Scanning using the FIN segments

This scanning is based on the fact that inactive ports on the target machine respond to a FIN package with a RST package. On the other hand, active ports simply ignore those packets. Therefore the list of interesting active ports is obtained by observing which are those that have not answered. Hosts running Microsoft operating systems can not be scanned with this method since they have a non standards-conforming implementation of the TCP protocol.

There are three forms of operation of nmap using similar techniques, achieved through options -sF, -sX and -sN. We will further analyze the behavior of option -sF, performing an analysis similar to the one for the previous sections.

1) 06:50:45.643718 192.168.255.20.35600 casahouse.tau.org.ar.864: F 0:0(0) win 2048
2) 06:50:45.643865 house2.tau.org.ar.864 192.168.255.20.35600: R 0:0(0) ack 0 win 0

In lines 1 and 2 the FIN segment delivery (notice the F after the 864 in line 1) is observed on the target host, which answers with a RST packet (notice the R in line 2 after the 35600). nmap concludes that the 864 in house2 is not active.

3) 06:50:47.933227 192.168.255.20.35600 > house2.tau.org.ar.pop3: F 0:0(0) win 2048
4) 06:50:48.251147 192.168.255.20.35601 > house2.tau.org.ar.pop3: F 0:0(0) win 2048

Lines 3 and 4 take the pop3 port on house2 as an example. In line 3 we see a FIN segment sent, which doesn't get an answer from house2. Line 4 was a surprise, being probably a measure taken by nmap to check the status of that port, sending another FIN segment to ensure that port is not answering. In both cases, house2 ignored the packets, showing to nmap that port pop3 is active.

Functionality of tcpdump that can help

In the section about "the three way handshake scanning" you saw the traces that a scan can leave behind, and in the later sections, you saw the scanning with options -sS and -sF that don't leave any footprints. We can use tcpdump to detect this type of scanning on a host connected to a network which could be a target of attacks. The drawback of tcpdump is that it generates an enormous amount of information and raises difficulties with regards to storage and analysis. Some expressions are shown here that act like filters, such that the information obtained is smaller and simpler to analyze.

To make it easier to understand the expressions, we show below the format of a TCP packet [2].

TCP (RFC 793)

0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |        Destination Port       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Sequence Number                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Acknowledgement Number                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Offset |  Reserver |U|A|P|R|S|F|             Window            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Options                      |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              Data                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

We see that the 13th byte is the one where the flags resides which identifies the kind of packet (SYN, FIN, etc.). With this knowledge and the and (&) operator we can construct masks to detect the active bits, building expressions such as

tcpdump ' tcp[13] & 7 != 0 and dst 192.168.255.20 ' > /tmp/out7

which filters the input leaving the packets with bits R, S or F active (the mask is 00000111) with 192.168.255.20 as destination host (obviously this number IP will be looked at by the machine)

Using

tcpdump ' tcp[13] & 1 != 0 and dst 192.168.255.20 ' > /tmp/out1

we will obtain the packets with an active FIN bit (the mask is 00000001). It can be useful to detect the nmap scanning with option -sF. And with

tcpdump ' tcp[13] & 2 != 0 and dst 192.168.255.20 ' > /tmp/out2

we will get only the packets with an active SYN bit, being useful to detect scans with option -sS

For the last type described (with option -sS) there are specific detection programs available [3].

Conclusion

Programs such as nmap are very useful to improve the system security by looking at networks through the eyes of a potential cracker. We have shown the operation of a rather small part of the options, but hope it helps you to understand the idea of network scanners a bit more.

Bibliography

[1] W. Richard Stevens Unix Network Programming Volume 1
[2] RFC 793
[3] to see nmap documentation

Talkback form for this article

Every article has its own talkback page. On this page you can submit a comment or look at comments from other readers:

talkback page

Webpages maintained by the LinuxFocus Editor team
© Danilo Lujambio, FDL
LinuxFocus.org
Click here to report a fault or send a comment to LinuxFocus

Translation information:

es	->	--	Danilo Lujambio
es	->	en	Iván Rojas Aguilar
es	->	en	Javier Palacios
en	->	en	Lorne Bailey

2001-06-29, generated by lfparser version 2.16