
Nmap in Depth by Nathaniel Fernandes

Title: Nmap in Depth
Presenter: Nathaniel Fernandes
Event: BreachForce CyberSecurity Cohort
Talk Date: 11-August-2024

Key Takeaways: A deep dive into the functionalities and applications of Nmap, a versatile network scanning and security auditing tool.

BreachForce

August 11, 2024

Transcript

  1. NATHANIEL FERNANDES. Got CISSP at the age of 23. DIVING DEEP INTO NMAP.
    Telperium Labs. Interviewed by John Hammond.
  2. HOW IS NMAP MADE. DIVING DEEP INTO NMAP.
    • EXTRACTING OS DATA FROM NETWORK PACKETS
    • THINK LIKE A DEVELOPER
  3. Probes sent
    • Sequence generation (`SEQ`, `OPS`, `WIN`, and `T1`)
    • ICMP echo (`IE`)
    • TCP explicit congestion notification (`ECN`)
    • UDP (`U1`)
    • TCP (`T2`–`T7`)
  4. Sequence generation
    • A series of six TCP probes is sent.
    • The probes are sent exactly 100 milliseconds apart, so the total time taken is 500 ms.
    • Each probe is a TCP SYN packet sent to a detected open port.
    • The packets vary in the TCP options they use and in the TCP window field value.
  5. Response tests
    • TCP ISN greatest common divisor (`GCD`)
    • TCP ISN counter rate (`ISR`)
    • TCP timestamp option algorithm (`TS`)
    • TCP initial window size (`W`, `W1`–`W6`)
    • IP don't fragment bit (`DF`)
    • IP initial time-to-live (`T`)
    • TCP miscellaneous quirks (`Q`)
    • TCP sequence number (`S`)
    • TCP acknowledgment number (`A`)
    • TCP flags (`F`)
    • TCP RST data checksum (`RD`)
    • IP total length (`IPL`)
    • Unused port unreachable field nonzero (`UN`)
  6. ICMP response code (`CD`)
    Value   Description
    Z       Both code values are zero.
    S       Both code values are the same as in the corresponding probe.
    <NN>    When they both use the same non-zero number, it is shown here.
    O       Any other combination.
  7. Returned probe IP ID value (`RID`)
    • The `U1` probe has a static IP identifier value of 0x1042 (4162).
    • The data comes from a closed port: the probe's IP header is quoted back in the ICMP port unreachable reply, and the IP ID in that quote is compared with what was sent.
    • Some systems, such as Solaris, manipulate IP ID values for raw IP packets that Nmap sends.
  8. Returned probe IP total length value (`RIPL`)
    This test simply records the IP total length quoted back in the port unreachable reply. If the correct value is returned, the value `G` (for good) is stored; otherwise the actual value is stored.
  9. Unused port unreachable field nonzero (`UN`)
    An ICMP port unreachable message header is eight bytes long, but only the first four are used. A few implementations, mostly Ethernet switches and some specialized embedded devices, put their own data in the remaining bytes. The value of those last four bytes is recorded in this field.
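Slides 6 through 9 all score fields of ICMP replies: `CD` compares the code values of the two echo replies, while `RID`, `RIPL` and `UN` read the port unreachable reply to the `U1` probe. The block below is an added example written for this page, not Nmap's own code: it builds a `U1`-style UDP probe with the 0x1042 IP ID from the slides, builds faithful and mangled port unreachable replies in memory, and scores the tests. The 300-byte filler payload, the port numbers, the addresses, and the echo-probe codes (9 and 0) are assumptions of this example; checksums are left zero because nothing is transmitted.

```python
# Added example for this page (not Nmap's own code): build a U1-style probe and
# the ICMP port unreachable replies a target might return, then score RID,
# RIPL and UN from the reply, plus CD from a pair of echo-reply codes.
# Packets are constructed in memory; checksums stay zero, nothing is sent.
import struct

IPV4_HDR = "!BBHHHBBH4s4s"          # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
U1_IP_ID = 0x1042                    # static IP ID of the U1 probe (from the slides)
U1_PAYLOAD = b"C" * 300              # assumption: filler payload for the probe


def ipv4_header(total_len, ident, proto, ttl=64,
                src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options)."""
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, 0, ttl, proto, 0, src, dst)


def build_u1_probe(sport=40000, dport=40125):
    """UDP datagram to a (presumably closed) port carrying the fixed U1 IP ID."""
    udp_len = 8 + len(U1_PAYLOAD)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + U1_PAYLOAD
    return ipv4_header(20 + udp_len, U1_IP_ID, 17) + udp


def build_port_unreachable(probe, unused=b"\x00" * 4, quoted_id=None, quoted_len=None):
    """Target's ICMP type 3 code 3 reply: 8-byte ICMP header (4 bytes 'unused'),
    then the probe's IP header and the first 8 bytes of the datagram.
    quoted_id / quoted_len imitate stacks that rewrite those fields when quoting."""
    quoted = bytearray(probe[:28])
    if quoted_len is not None:
        struct.pack_into("!H", quoted, 2, quoted_len)
    if quoted_id is not None:
        struct.pack_into("!H", quoted, 4, quoted_id)
    icmp = struct.pack("!BBH", 3, 3, 0) + unused + bytes(quoted)
    return ipv4_header(20 + len(icmp), 0x2A2A, 1,
                       src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01") + icmp


def u1_tests(probe, reply):
    """Score RID, RIPL and UN by comparing the quoted header with what we sent."""
    ihl = (reply[0] & 0x0F) * 4
    icmp = reply[ihl:]
    if icmp[0] != 3 or icmp[1] != 3:
        raise ValueError("not an ICMP port unreachable")
    unused = icmp[4:8]                        # the four bytes most stacks leave zero
    quoted = icmp[8:]
    quoted_len, quoted_id = struct.unpack("!HH", quoted[2:6])
    probe_len, probe_id = struct.unpack("!HH", probe[2:6])
    return {
        "RID": "G" if quoted_id == probe_id else f"{quoted_id:X}",
        "RIPL": "G" if quoted_len == probe_len else f"{quoted_len:X}",
        "UN": f"{int.from_bytes(unused, 'big'):X}",
    }


def cd_test(reply_codes, probe_codes=(9, 0)):
    """ICMP response code (CD) from the two IE echo replies.

    Assumption of this example: the two echo probes carried codes 9 and 0."""
    a, b = reply_codes
    if a == 0 and b == 0:
        return "Z"
    if (a, b) == tuple(probe_codes):
        return "S"
    if a == b:
        return f"{a:X}"                       # same non-zero code in both replies
    return "O"


# Constructed replies: a faithful one, and one that rewrites the quoted IP ID,
# shortens the quoted total length and stuffs data into the unused field.
PROBE = build_u1_probe()
FAITHFUL_REPLY = build_port_unreachable(PROBE)
MANGLED_REPLY = build_port_unreachable(PROBE, unused=b"\x01\x02\x03\x04",
                                       quoted_id=0x5A5A, quoted_len=0x1C)

if __name__ == "__main__":
    print(u1_tests(PROBE, FAITHFUL_REPLY))
    print(u1_tests(PROBE, MANGLED_REPLY))
```

The faithful reply scores `RID=G`, `RIPL=G`, `UN=0`; the mangled one records the rewritten ID and length verbatim and the non-zero unused bytes, which is the kind of deviation that separates, say, a Solaris host or an embedded switch from a stock Linux stack in the fingerprint database.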
  10. TCP RST data checksum (`RD`)
    • Some operating systems return ASCII data, such as error messages, in reset packets.
    • When there is no data, `RD` is set to zero.
    • For the few operating systems that do return data in their reset packets, a CRC32 checksum of that data is stored.
  11. TCP sequence number (`S`)
    Value   Description
    Z       Sequence number is zero.
    A       Sequence number is the same as the acknowledgment number in the probe.
    A+      Sequence number is the same as the acknowledgment number in the probe plus one.
    O       Sequence number is something else (other).
  12. TCP acknowledgment number (`A`)
    Value   Description
    Z       Acknowledgment number is zero.
    A       Acknowledgment number is the same as the sequence number in the probe.
    A+      Acknowledgment number is the same as the sequence number in the probe plus one.
    O       Acknowledgment number is something else (other).
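Slides 10 through 12 score a TCP reply against the probe that elicited it: `S` and `A` compare the reply's sequence and acknowledgment numbers with the probe's, `F` lists the flags, and `RD` checksums any payload riding on a RST. The block below is an added example written for this page, not Nmap's own code: it builds a SYN probe and two RST replies in memory (ports, sequence numbers and the "Connection refused" payload are constructed) and scores the four tests, taking the plus-one comparisons modulo 2^32 so they survive wrap-around.

```python
# Added example for this page (not Nmap's own code): scoring the S, A, F and
# RD tests of a TCP reply against the probe that elicited it. Segments are
# built in memory with checksums left zero; nothing is sent.
import struct
import zlib

TCP_HDR = "!HHIIBBHHH"                 # ports, seq, ack, offset, flags, win, csum, urg
MOD32 = 1 << 32
# Flag letters in Nmap's order, high bit to low: ECN-Echo, URG, ACK, PSH, RST, SYN, FIN
FLAG_BITS = [("E", 0x40), ("U", 0x20), ("A", 0x10), ("P", 0x08),
             ("R", 0x04), ("S", 0x02), ("F", 0x01)]


def build_tcp(sport, dport, seq, ack, flags, win=1024, data=b""):
    """20-byte TCP header (no options) followed by an optional payload."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, win, 0, 0) + data


def tcp_fields(segment):
    """Pull out the fields the tests need, honouring the data offset."""
    _sp, _dp, seq, ack, off, flags, win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    data_off = (off >> 4) * 4
    return {"seq": seq, "ack": ack, "flags": flags, "win": win, "data": segment[data_off:]}


def s_test(probe, reply):
    """TCP sequence number (S): reply seq against the probe's ack number."""
    if reply["seq"] == 0:
        return "Z"
    if reply["seq"] == probe["ack"]:
        return "A"
    if reply["seq"] == (probe["ack"] + 1) % MOD32:
        return "A+"
    return "O"


def a_test(probe, reply):
    """TCP acknowledgment number (A): reply ack against the probe's seq number."""
    if reply["ack"] == 0:
        return "Z"
    if reply["ack"] == probe["seq"]:
        return "A"
    if reply["ack"] == (probe["seq"] + 1) % MOD32:
        return "A+"
    return "O"


def f_test(reply):
    """TCP flags (F) as Nmap's letter string, high bit first."""
    return "".join(letter for letter, bit in FLAG_BITS if reply["flags"] & bit)


def rd_test(reply):
    """TCP RST data checksum (RD): 0 without data, else CRC32 of the payload."""
    if not reply["data"]:
        return "0"
    return f"{zlib.crc32(reply['data']) & 0xFFFFFFFF:X}"


def tcp_tests(probe_segment, reply_segment):
    """Score S, A, F and RD for one probe/reply pair of raw TCP segments."""
    probe, reply = tcp_fields(probe_segment), tcp_fields(reply_segment)
    return {"S": s_test(probe, reply), "A": a_test(probe, reply),
            "F": f_test(reply), "RD": rd_test(reply)}


# Constructed exchange: a SYN probe to a closed port, answered by RST/ACK with
# seq 0 and ack = probe seq + 1; a second RST carries an ASCII error string.
SYN_PROBE = build_tcp(40000, 80, 0x1000, 0x2000, 0x02)
RST_REPLY = build_tcp(80, 40000, 0, 0x1001, 0x14)
CHATTY_RST = build_tcp(80, 40000, 0, 0x1001, 0x14, data=b"Connection refused")

if __name__ == "__main__":
    print(tcp_tests(SYN_PROBE, RST_REPLY))
    print(tcp_tests(SYN_PROBE, CHATTY_RST))
```

The plain RST scores `S=Z`, `A=A+`, `F=AR`, `RD=0`, the textbook closed-port response; the chatty one differs only in `RD`, which is why a stack that leaks an error string in its resets stands out without any change to the header fields.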
  13. Shared IP ID sequence Boolean (`SS`)
    Is the IP identifier sequence shared between the TCP and ICMP protocols?