Ethical hacking: identification of services with nmap

In the previous post of ethical hacking we briefly explain various options to get an enumeration of IP addresses and subdomains when performing an ethical hacking process. If you liked that “this is very safe because who is going to know that this subdomain exists” (that although you cannot believe it, it is more common than it seems), do not miss how the “who is going to know that I put this service in this port with such a strange number”…

In short, in this post we will try to see how it is possible to make an inventory of open ports in an IP or range of IPs, and even identify the technology under an open port, when this is possible. Basically this post is going to focus on the use of a fantastic and essential tool, nmap. Although it is a tool typically used in Linux (and of course included in the reference suite that I use in these posts, Kali), compilations for other operating systems can already be found.

Before going to work, we want to warn that nmap is a complex and complete tool, with a huge amount of options, parameters, etc.; This post is not intended as a manual for the use of the tool but again an introduction to it to understand the identification of services as a phase of ethical hacking prior to the detection of vulnerabilities. To learn more about the tool, we recommend reading their manual.

The Open Source nmap tool allows us to perform network and port scans, being able to scan a single destination, a range, a list of IPs… Based on TCP, UDP, ICMP, SCTP requests, etc. and incorporates various scanning techniques. We recommend in general to refresh some knowledge about transport protocols, for example remembering how the establishment of a TCP connection works with the negotiation in three steps: first, SYN type call from the client to a port, RST response if the port is closed or SYN-ACK if it is open, and the ACK from the client to the server to complete the process. Nmap will rely on these types of messages to determine if a port is listening or not at the destination. Sometimes this cannot be used, or is detected by the remote server, and there are other alternatives for scanning.

General syntax


nmap [  ...] [  ] {  }

Our first scan

We can execute the following command:


nmap 45.33.49.119

We are not putting any kind of poll, so use the default poll, TCP SYN. nmap sends a SYN and assumes that the port is open if it receives an ACN SYN. There is also no additional parameter of options, and as a destination there is a single IP. This command will give us a result similar to the following:


Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-01 18:12 CEST
Nmap scan report for ack.nmap.org (45.33.49.119)
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    open   smtp
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed ident
443/tcp   open   https
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds

Returning in a few seconds a list of open ports on that IP, including an SSH, an SMTP mail server, a web server, and a possible back orifice (https://www.speedguide.net/port.php?port=31337).

In many cases, this is simply a first point of analysis although, for example, the software behind an FTP server, SSH, etc., is fully updated and there are no known vulnerabilities. You could start, for example, a brute force attack with a dictionary on the SSH or FTP trying to access (there are a huge number of servers of this type with default or insecure credentials).

There are automatic tools (bots) that are basically continuously scanning wide ranges of IPs looking for recognizable open ports, for example database (MongoDB, MySQL, PostgreSQL, etc.), and when they detect an open port, they automatically attempt a login with default credentials. For example, in the case of typical LAMP / WAMP installations, a root / access to the mySQL port. And basically, a huge number of databases have been hacked without prior human intervention. This is viable even if we have it open in another port, since it is possible to identify in many cases that what is in port 5555 “to mislead”, to say something, is a mySQL through the fingerprint of the service, as we will see more ahead.

In short, it is very dangerous to leave credentials by default on web servers, routers, FTPs, SSHs, databases … because no one needs to have a mania, a bot will.

Escanear ips con nmap

A first parameter

If we want to have some information about how nmap has obtained this information, we can increase the traces with the -v (verbose) or -vv parameter, where we can see that nmap has been issuing SYN commands and in some cases receiving RESET (closed port ), in other SYN-ACK (open port) and in others no response (“filtered”), which can make us understand that a firewall is stopping our request:


PORT            STATE           SERVICE         REASON
22/tcp          open            ssh             syn-ack ttl 53
25/tcp          open            smtp            syn-ack ttl 53
70/tcp          closed          gopher          reset ttl 52
80/tcp          open            http            syn-ack ttl 53
113/tcp         closed          ident           reset ttl 52
443/tcp         open            https           syn-ack ttl 53
31337/tcp       closed          Elite           reset ttl 53

Increasing the range of IPs to scan


nmap 192.168.10.0/24 (subred completa)
nmap 192.168.10.1-20 (20 IPs)
nmap 192.168.10.*
nmap 192.168.10.1 192.168.10.2 192.168.10.3

Or for example, imagine that we have been accumulating IPs from our initial enumeration, and we have a file with the different IPs separated by tabs or line breaks (one IP or range per line). We can load the file with the -iL (input list) parameter and thus scan the entire IP inventory. It also allows, for example, to exclude some specific IPs with –exclude or –excludefile.

Defining the ports to scan

We can manually define the ports we want to scan. For example, if we look for web servers on ports 80, 443 and 8080 in a subnet, we could do so with the -p parameter:


nmap -p 80,443,8080 192.168.10.0/24

We can also ask nmap to scan the “N” (integer) most common ports; For example, to scan the 25 most common ports in a range of IPs:


nmap --top-ports 25 192.168.10.0/24

Receiving an answer like this:


PORT     STATE     SERVICE
21/tcp    closed   ftp
22/tcp    open     ssh
23/tcp    closed   telnet
25/tcp    closed   smtp
53/tcp    open     domain
80/tcp    open     http
110/tcp   closed   pop3
111/tcp   open     rpcbind
135/tcp   closed   msrpc
139/tcp   open     netbios-ssn
143/tcp   closed   imap
199/tcp   closed   smux
443/tcp   closed   https
445/tcp   open     microsoft-ds
587/tcp   closed   submission
993/tcp   closed   imaps
995/tcp   closed   pop3s
1025/tcp  closed   NFS-or-IIS
1720/tcp  closed   h323q931
1723/tcp  closed   pptp
3306/tcp  closed   mysql
3389/tcp  closed   ms-wbt-server
5900/tcp  open     vnc
8080/tcp  closed   http-proxy
8888/tcp  closed   sun-answerbook

We can ask that all TCP, UDP and SCTP ports (slower) with the identifier -p- be scanned:


nmap -p- 192.168.10.0/24

Identifying operating systems and services

As we see, nmap allows us to detect ports that are listening on an IP or a range. Later we will also see how other survey techniques can be defined. In addition, nmap allows us to try to identify what technology (product, version, etc.) is behind an open port, or even the operating system installed on a server, with the -O and -sV parameters. This detection is based on the “signature” (fingerprint) of the answers that the service gives to certain calls.


nmap -O -sV 192.168.10.5

PORT         STATE         SERVICE       VERSION
22/tcp       open          ssh           OpenSSH 6.7p1 Raspbian 5+deb8u3 (protocol 2.0)
53/tcp       open          domain        ISC BIND 9.9.5 (Raspbian Linux 8.0 (Jessie based))
80/tcp       open          http          Apache httpd 2.4.10 ((Raspbian))
111/tcp      open          rpcbind       2-4 (RPC #100000)
139/tcp      open          netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp      open          netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4567/tcp     open          http          Jetty 9.4.8.v20171121
5900/tcp     open          vnc           RealVNC Enterprise 5.3 or later (protocol 5.0)
MAC Address: B8:27:EB:CD:FE:89 (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RASPBERRYPI; OS: Linux; CPE: cpe:/o:linux:linux_kernel

In this case, we not only know that this machine has certain open ports. It also tells us that it is a Raspberry running Raspbian (with which, for example, we could do a brute force test with a user “pi”, who is the default user), and the versions of the different ports that are listening, so that this information can be used to exploit vulnerabilities over unpatched versions, etc.

Using more polling techniques

By default nmap uses SYN as a polling technique. It is a fast and not very intrusive / detectable technique, but sometimes, but it supports a total of 12 different techniques that we can define as parameters, as we can see in the tool’s user manual.

For example, if we want to do a scan based on UDP calls, we can make a call of the type:


nmap  -sU 192.168.10.5

Searching for vulnerabilities with nmap

Although there are more “comfortable” and specific tools for the search for vulnerabilities, such as Nessus, or suites such as Metasploit that consolidates various tools, nmap also allows us to perform vulnerability analysis.

To do this, it uses a series of Lua scripts that are located in a path of our machine (in the case of Kali, in / usr / share / nmap / scripts /) and that can be invoked with –script or its equivalent -sC .

Scripts can belong to one or several categories, so we can ask nmap to evaluate, for example, all scripts in a category against a host. There are some especially interesting categories such as “vuln” (scripts dedicated to detecting vulnerabilities at the destination), “exploit”, etc.

For example, if we want to scan the vulnerability category scripts against a host:


nmap --script vuln scanme.nmap.org

PORT       STATE      SERVICE
22/tcp     open       ssh
80/tcp     open       http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=scanme.nmap.org
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://scanme.nmap.org:80/
|     Form id: cse-search-box-sidebar
|_    Form action: https://nmap.org/search.html
|http-dombased-xss: Couldn't find any DOM based XSS. | http-enum:  |   /images/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)' |  /shared/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.  It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service.
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9929/tcp  open  nping-echo
31337/tcp open  Elite

As we can see, the script has detected a potential vulnerability based on the Slowloris denial of service attack. If we analyze the scripts that are in the route mentioned above, we see that there is precisely one that exploits this vulnerability, called http-slowloris. If we want more information about the script we can launch the following command:

nmap --script-help http-slowloris

Explaining how the script works, how to launch it (it is also possible to do it with the nmap itself with –script and –script-args), etc. We can also obtain for example a description of all scripts that look for vulnerabilities:

nmap --script-help vuln

We can also for example launch all scripts of a certain type. For example, if we want to scan vulnerabilities over SMB protocol on a given host:

nmap --script smb-* 192.168.10.5

We can also, for example, assess a vulnerability over our entire network, choosing a specific script against a range. The –script parameter

nmap --script-help vuln
nmap --script

In short, nmap even includes interesting options to assess vulnerabilities and even launch exploits, although there are other tools commonly used for this purpose.

Empleada contectándose a la VPN para poder teletrabajar

Other interesting options

As we have commented, nmap has many options and it is impossible to try to cover even a small percentage in a post. In fact, there is an official nmap book of almost 500 pages… But in any case we try to comment here some that seem interesting.

As we have commented, nmap has many options and it is impossible to try to cover even a small percentage in a post. In fact, there is an official nmap book of almost 500 pages… But in any case we try to comment here some that seem interesting.

  • The tool allows you to generate the scan result in a processable output file, for example, in XML format, with -oX or -oN .
  • When we scan wide ranges of IPs, we can disable the DNS reverse resolution attempt with the -n parameter.
  • During the execution of a command we can increase the level of information displayed on the console (verbosity) by pressing the “V” key.
  • If we have a firewall that cuts us, we can try -Pn.

In short, we have tried to develop a “brief” introduction to nmap as a tool for identifying open ports and services on a host or range of IPs. In later posts we will see other ways to detect vulnerabilities.