Nmap in Depth by Nathaniel Fernandes

Transcript

1. DIVING INTO NMAP blog.wehost.co.in

2. NATHANIE L FERNAND ES Got CISSP at the age of

   23 DIVING DEEP INTO NMAP Telperium Labs Interviewed by John Hammond

3. PURPOSE OF SESSION DIVING DEEP INTO NMAP

4. DIVING DEEP INTO NMAP

5. WINDOWS ICMP DIVING DEEP INTO NMAP

6. LINUX ICMP DIVING DEEP INTO NMAP

7. NMAP ICMP DIVING DEEP INTO NMAP

8. DIVING DEEP INTO NMAP EXTRACTIN G DATA WITH ICMP

9. NMAP -PN FLAG PROBLEM? DIVING DEEP INTO NMAP

10. HOW IS NMAP MADE DIVING DEEP INTO NMAP • EXTRACTING

    OS DATA FROM NETWORK PACKETS • THINK LIKE A DEVELOPER

11. NMAP FINGERPRINTI NG

12. NMAP OS DB https://svn.nmap.org/nmap/nmap-os-db

13. NMAP OS DB

14. TEST EXPRESSIONS

15. Probes Sent Sequence generation (`SEQ`, `OPS`, `WIN`, and `T1`) ICMP

    echo (`IE`) TCP explicit congestion notification (`ECN`) UDP (`U1`) TCP (`T2`–`T7`)

16. • series of six TCP probes is sent • probes

    are sent exactly 100 milliseconds apart ⚬ the total time taken is 500 ms. • probe is a TCP SYN packet ⚬ to a detected open port • packets vary in the TCP options they use and the TCP window field value Sequence generation

17. • TCP ISN greatest common divisor (`GCD`) • TCP ISN

    counter rate (`ISR`) • TCP timestamp option algorithm (`TS`) • TCP initial window size (`W`, `W1`–`W6`) • IP don't fragment bit (`DF`) • IP initial time-to-live (`T`) • TCP miscellaneous quirks (`Q`) • TCP sequence number (`S`) • TCP acknowledgment number (`A`) • TCP flags (`F`) • TCP RST data checksum (`RD`) • IP total length (`IPL`) • Unused port unreachable field nonzero (`UN`) Response Tests

18. Value Description Z Both code values are zero S Both

    code values are the same as in the corresponding probe. _`<NN>`_ When they both use the same non-zero number, it is shown here. O Any other combination. ICMP response code (`CD`)

19. Returned probe IP ID value (RID) • THE `U1` PROBE

    HAS A STATIC IP IDENTIFIER VALUE OF 0X1042 (4162) • DATA IS GOT FROM CLOSED PORTS • SOME SYSTEMS, SUCH AS SOLARIS, MANIPULATE IP ID VALUES FOR RAW IP PACKETS THAT NMAP SENDS.

20. Returned probe IP total length value (RIPL) If the correct

    value of is returned, the value `G` (for good) is stored else of the actual value This test simply records the returned IP total length value

21. Unused port unreachable field nonzero (UN) ICMP port unreachable message

    header is eight bytes long, but only the first four are used. A few implementations has its own data in it Mostly ethernet switches and some specialized embedded devices The value of those last four bytes is recorded in this field.

22. • Some operating systems return ASCII data ⚬ such as

    error messages ￭ in reset packets • When there is no data, `RD` is set to zero ⚬ few operating systems that may return data in their reset packets ￭ the data is stored TCP RST data checksum (RD)

23. TCP sequence number (`S`) Value Description Z Sequence number is

    zero. A Sequence number is the same as the acknowledgment number in the probe. A+ Sequence number is the same as the acknowledgment number in the probe plus one. O Sequence number is something else (other).

24. Value Description Z Acknowledgment number is zero. A Acknowledgment number

    is the same as the sequence number in the probe. A+ Acknowledgment number is the same as the sequence number in the probe plus one. O Acknowledgment number is something else (other). TCP acknowledgment number (`A`)

25. IP initial time-to- live (T)

26. TCP initial window size (W, W1–W6)

27. Shared IP ID sequence Boolean (SS) • IS THE IP

    IDENTIFIERS SEQUENCE BETWEEN THE TCP AND ICMP IPROTOCOLS SHARED?

28. Connect with me