The starting point for a penetration test is reconnaissance: probing the target to discover anything that can be useful. This includes the type of operating system, which services it exposes through its firewall, and which server applications it is running, both in terms of protocol and software implementation.
Just as ping is surely the first port of call when troubleshooting a network, so too its underlying protocol, ICMP, is where reconnaissance starts: determining whether the host in question is up and reachable. RFC 1122 (Requirements for Internet Hosts) says every host must implement ICMP Echo and reply to Echo Requests. So, first, try ping to elicit a response from your target.
In all likelihood you won't get one. Whatever the RFC says, in practice inbound ICMP Echo is routinely dropped at the firewall, both to hinder probing and to blunt the ping-flood denial of service (DoS) attack. Note what a missing reply does and does not tell you: the host may be down, or it may be up and simply filtering ICMP. Silence is not proof of absence.
That's no problem: a TCP ping can be used instead. Rather than low-level ICMP messages, an ordinary TCP segment is sent, carrying either a bare acknowledgement (ACK) or a connection request (SYN), to a port the target is likely to expose, say port 25 (SMTP e-mail) or port 80 (HTTP). TCP itself (RFC 793, which RFC 1122 incorporates by reference) requires a host to answer an ACK that belongs to no existing connection with a reset (RST); a SYN to a closed port likewise draws an RST, while a SYN to an open port draws SYN/ACK. Any of these replies shows the host exists, is running and is online. The caveat is that a stateful firewall drops an unsolicited ACK just as readily as an ICMP Echo, so a SYN to a port the firewall must let through (80 on a web server) is usually the more dependable probe.
Combining ICMP and TCP pings over a range of addresses is known as a ping sweep and maps which addresses in your target's range have a live computer behind them.
The best known piece of software to achieve this is nmap, a free open-source application available from www.insecure.org (the project's home is now nmap.org). If nmap is not presently installed on your system, you can download it without difficulty; most Linux distributions also package it.
Use nmap -sP host to perform a ping sweep, where host is the individual hostname or IP address you wish to target, or a range of addresses written in CIDR-style format with /numbits appended to an address. You can even list multiple IP addresses or hosts, separated by spaces. (In current nmap releases -sP is a deprecated alias of -sn; both still work and mean "host discovery only, no port scan".) Check the nmap web site for information on the raft of addressing options. A clever idea here is to save the hosts nmap reports as up to a text file as a list of IP addresses, one to a line, and then feed that file to subsequent nmap commands with -iL file.
Fine-tune host discovery by adding -P options. -PS sends a TCP SYN ping and -PA a TCP ACK ping (append a port, as in -PS80, to choose the port; the default is 80); -PE sends ICMP Echo explicitly. Specifying any of these replaces nmap's default probe set, which when run as root is ICMP Echo plus TCP probes to ports 80 and 443. -P0 (spelled -Pn in current versions) does something different: it disables host discovery altogether and treats every address as up, which is what you want when you already know the host blocks everything except the service ports you intend to scan.
With some rudimentary information now under our belt, it's time to step things up a notch. Port scanning tries to reveal any entry points into a system. A web server, for example, must have port 80 (or 443) open. Even if a firewall protects all else on the machine, by necessity of its function in delivering web pages it must have this port unlocked. Maybe it also exposes some form of remote administration, a database, or more. Port scanning attempts to make these matters known.
Port scanning is a noisy process; it effectively knocks on each port seeking a response, and a full TCP connection to each port is handed to the listening application, which may log it. The most common scanning method avoids that by working one level lower, in the TCP handshake itself. A TCP connection begins with a segment carrying the SYN flag, which attempts to initiate handshaking. If a service is listening on the port, the target responds with SYN/ACK; if the port is closed it responds with RST. The port scanning application records this reply and then, instead of completing the handshake with an ACK, tears it down with an RST. Because the handshake never completes, the connection is never passed to the service on the target machine and consequently the service does not log it. That is the only sense in which the scan is stealthy: the target's kernel, a firewall, or an intrusion detection system watching the wire still sees every SYN.
To perform such "stealth" scanning with nmap, use the -sS flag; it needs raw-socket access, so run it as root. This attempts a SYN scan and lists as output the open ports found on the target, along with the service name usually associated with those port numbers (taken from nmap's nmap-services file, not from anything the port actually said).
Note that nmap won't automatically try every single port, all 65,536 of them (0 through 65535), because this would take a very long time. Instead, it works on a list of the thousand or so ports most commonly in use, again from nmap-services (the exact count depends on the version). The problem here is an admin may well be running a service on a non-standard port so as to hide it by obscurity. The -p flag accepts a range of ports for nmap to try; use -p1-65535 (or the shorthand -p-) to scan every port from 1 through 65535. This may take a very long time to complete, especially if you are probing over the Internet rather than a LAN.
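The two places above where the scan results are reused, turning the ping sweep into a one-address-per-line file for -iL, and pulling the open ports out of a port scan, both come down to parsing nmap's output. The following is an added example, not part of the original article or of nmap itself; it parses nmap's grepable format (the -oG file), whose Host lines carry tab-separated Status and Ports fields. The sample text in SAMPLE is constructed to look like such a file, and the field order it assumes (port/state/protocol/owner/service/rpcinfo/version) is nmap's documented -oG layout.

```python
"""Parse nmap grepable (-oG) output into live hosts and open ports.

Produce the input with, for example:
    nmap -sn 192.168.1.0/24 -oG sweep.gnmap        # host discovery only
    nmap -sS -p- -iL live.txt -oG scan.gnmap       # SYN scan of the live hosts
then run:  python parse_gnmap.py scan.gnmap live.txt
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in nmap's -oG format (not real scan output).
SAMPLE = """# Nmap 7.94 scan initiated Mon Aug 13 23:17:59 2007 as: nmap -sS -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.local)\tStatus: Up
Host: 192.168.1.1 (gw.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.5 ()\tStatus: Down
Host: 192.168.1.6 ()\tStatus: Up
Host: 192.168.1.6 ()\tPorts: 3000/open/tcp//ppp?///
# Nmap done at Mon Aug 13 23:18:40 2007 -- 8 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)")

# One open port: (port, protocol, nmap's service guess, version string if -sV ran).
Port = Tuple[int, str, str, str]


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each IP seen to {"hostname", "up", "ports"} from a -oG file."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header and footer lines carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, {"hostname": name, "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["up"] = value.strip() == "Up"
            elif key == "Ports":
                rec["up"] = True  # nmap only reports ports for hosts it treats as up
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7:
                        continue  # malformed entry; skip rather than crash
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    if state == "open":
                        rec["ports"].append((int(port), proto, service, version))
    return hosts


def live_hosts(hosts: Dict[str, dict]) -> List[str]:
    """IPs reported up, in address order, ready to write one per line for -iL."""
    return sorted((ip for ip, rec in hosts.items() if rec["up"]), key=ipaddress.ip_address)


def open_ports(hosts: Dict[str, dict], ip: str) -> List[Port]:
    """Open ports recorded for one host, lowest port first."""
    return sorted(hosts.get(ip, {"ports": []})["ports"])


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    parsed = parse_gnmap(src)
    if len(sys.argv) > 2:  # write the -iL target list
        with open(sys.argv[2], "w") as fh:
            fh.write("\n".join(live_hosts(parsed)) + "\n")
    for ip in live_hosts(parsed):
        for port, proto, service, version in open_ports(parsed, ip):
            print(f"{ip}\t{port}/{proto}\t{service}\t{version}")
```

Only hosts whose Status is Up, or that have a Ports field at all, land in the target list, so a host that answered no probe is left out rather than guessed at; pass -Pn to a later scan if you want such hosts probed anyway.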
The services discovered may give insight into the target host's operating system because certain services, either alone or in conjunction with others, are only found on particular operating systems. Although you could try to figure this out yourself, nmap will again help with its built-in fingerprinting, which compares the target's TCP/IP stack behaviour against a database of known systems. Use the -O flag (root required), followed as always by the target hosts in whichever input format you choose, to have nmap try this; it works best when it can find at least one open and one closed port to probe.
It's also worth gleaning more data about the services discovered to be open; after all, knowing a remote host has port 80 open gives some information, but knowing it is running a specific version of Apache gives far more. And knowing port 3000 (say) is open gives some basic information, but knowing that SSH is listening on that port yields far more.
Here's where nmap's version scan comes in: run nmap again using the -sV flag. This time nmap connects to each open port, reads whatever banner the service volunteers and, if that is not enough to identify it, sends protocol-specific probes from its nmap-service-probes file and matches the replies against the signatures there. To illustrate the banner half of this, consider manually testing port 25:
[dave@bebop ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 bebop.local ESMTP Sendmail 8.13.8/8.13.8; Mon 13 Aug 2007 23:17:59 +1000
QUIT
221 2.0.0 bebop.local closing connection
Connection closed by foreign host.
Here, you can see sendmail identifies itself and gives its version number. This is valuable information; exploits can now be searched for that are appropriate for this target. Bear in mind that a banner is just text the administrator can edit or remove (web servers, for instance, can be told to suppress their version), so treat it as a strong hint to be confirmed rather than as proof.
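What -sV does with such a banner, reduced to its essentials, is match it against a table of regular expressions that yield a product and version. The following is an added example, not part of the original article and not nmap's own code: grab_banner() connects and reads what the service says (sending an HTTP request first where the service will not speak until spoken to, which is exactly why nmap needs probes and not just banner reading), and identify() runs the text through a small hand-written table. The table is illustrative; nmap's real one is nmap-service-probes. The banners used to exercise it are constructed, modelled on the sendmail line above.

```python
"""Minimal banner grabbing and version extraction, in the spirit of nmap -sV.

Usage: python banner.py host port        (e.g. banner.py 127.0.0.1 25)
"""
import re
import socket
import sys
from typing import Optional, Tuple

# (service, product, regex) - group 1, when present, is the version.
# Hand-written illustrative table; nmap's equivalent is nmap-service-probes.
SIGNATURES = [
    ("smtp", "Sendmail", re.compile(r"^220 \S+ ESMTP Sendmail ([\w./]+)")),
    ("smtp", "Postfix", re.compile(r"^220 \S+ ESMTP Postfix")),
    ("ssh", "OpenSSH", re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)")),
    ("http", "Apache", re.compile(r"^Server: Apache/([\w.]+)", re.M)),
    ("http", "nginx", re.compile(r"^Server: nginx/([\w.]+)", re.M)),
]

# Services that stay silent until the client speaks need a probe first.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}

# Constructed sample banners (not captured from real hosts).
SMTP_BANNER = "220 bebop.local ESMTP Sendmail 8.13.8/8.13.8; Mon, 13 Aug 2007 23:17:59 +1000\r\n"
SSH_BANNER = "SSH-2.0-OpenSSH_7.4\r\n"
HTTP_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n"
UNKNOWN_BANNER = "+OK hello\r\n"


def identify(banner: str) -> Optional[Tuple[str, str, str]]:
    """Return (service, product, version) for the first matching signature, else None."""
    for service, product, pattern in SIGNATURES:
        m = pattern.search(banner)
        if m:
            version = m.group(1) if m.groups() else ""
            return (service, product, version)
    return None


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a probe if the port usually needs one, and return what came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        probe = PROBES.get(port)
        if probe:
            sock.sendall(probe)
        chunks = []
        try:
            while len(b"".join(chunks)) < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
                if b"\n" in data and port not in PROBES:
                    break  # one greeting line is enough for a banner service
        except socket.timeout:
            pass  # a silent service: return whatever (possibly nothing) we have
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    target, port = sys.argv[1], int(sys.argv[2])
    text = grab_banner(target, port)
    print(text.strip())
    print(identify(text) or "no signature matched")
```

The version strings are only as honest as the banner; identify() reports what the service claims, and a closed or filtered port raises from create_connection() rather than returning a bogus result.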
Where to from here
That's the basics of beginning penetration testing by using nmap for reconnaissance. nmap has many options and is a very versatile tool. It is definitely worthwhile reading the documentation on insecure.org (nmap.org) to understand other ways it can be used, as well as good tips for successful stealthy probing.
One such tip is to space the scanning out over a period of time. Despite best attempts to be quiet, diligent admins may notice unusual network activity, especially if it has a pattern to it like incrementing through a series of ports. For this, nmap offers the -T0 ("paranoid") timing template, which spreads its probes over a considerable time. Results take a long time to come back, with the benefit of reducing the chance of notice. By contrast, timing can be sped up greatly with -T5 ("insane"). This may be useful if the target system is on a high-speed network like a LAN and you have only a very small window of time to capture data, at the cost of missed replies on a slow or lossy link. The intermediate templates are -T1 through -T4; -T3 is the default. For finer control, --scan-delay sets an explicit pause between probes.
Another good nmap flag for beginners is -v, which gives additional, verbose, output (-vv for more). With this set nmap provides extra text explaining its actions and results as it goes.
Flags can be combined to perform more work in one run and speed up the gathering of results. An example is the single command nmap -v -sS -O -sV -T1 host, run as root since -sS and -O both need raw sockets.
You might also like to explore other open-source tools which can add more detail to the results obtained from nmap. Popular penetration testing programs include amap, scanrand and ike-scan. Good luck!