NMAP GUIDE REVISITED – HAKIN9 TUTORIALS

Dear Readers,

Welcome to this very special issue of Hakin9. For the second time we will be touching a very controversial subject – scanning with nmap. Last year we published an issue on nmap which made the whole Internet boil and this time we’re going to do it again. We are going to suprise everyone with plethora of fascinating content that will make your head spin.
In this month’s edition, Aamir Lakhani, Andrew Brooker, Daniel Renaud, Andrey Mosktvitin, Nathan Swaim and Justin Hutchens will show you why nmap is The Right Tool for job.
Andrew Jones, Evan Francen, Jake Wylezek, James Tan and Joshua Cornutt will teach how to use The Swiss Army Knife of Network Discovery and how not to cut yourself with it, while
Branden Paul, Sergio Castro, Tony Lee and Peter Harmsen are going to show you few advanced tricks.
Special mention goes to Antonio Ierano with his outstanding In Depth Guide To Digital Forensic.
Hakin9’s Editorial Team would like to give special thanks to the authors, betatesters and proofreaders.
We hope our effort was worthwhile and the Haking Extra’s BackTrack 5r3 issue will appeal to you. We wish you a nice read.
Most special thanks goes to Gordon „Fyodor” Lyon for creating such amazing, open source tool which to this day still is a bread and butter tool for both hackers and IT security professionals.

The Right Tool

NMAP Kung-Fu
By Aamir Lakhani, DCUCD, DCUCI, CCNP, CCDP, Microsoft Certified Systems Engineer, IBM Cloud Computing Architect, CISSP, HP Open View Professional

Nmap is a popular tool for network reconnaissance It usually one of the first tools a network penetration tester will use to determine the type of system they are targeting, what ports are open on the target system, and what services may be running on the system. Nmap stands for “network mapper” and is used to scan hosts and services on a network. Nmap has advanced features that can detect different applications running on systems as well as services and OS fingerprinting features.

Map and Network
By Andrew Brooker, CISSP, CRISC Director of Operations Assurity River Group

Network Mapper is a network scanner that is used to discover network hosts and their services. The initial driver for Gordon Lyon was to create a utility that could “map the network”, hence nmap. Back in 1997, namp was a Linux only utility, but today is a cross-platform, lightweight network security scanner. Not only can you use nmap on your favorite OS, but you have the option between CLI or GUI.

Introduction to Nmap
By Daniel Renaud, CEO of DJJ Consultants and a Linux specialist since 1994

Nmap (Network Mapper) is a security scanner used to discover information about hosts on a network. To accomplish this, Nmap will send crafted packets to the host and then use the response to get information about it. NMAP can be used to determine the operating system of host, the names and versions of the services, estimated up time, type of device, and presence of a firewall. You are probably thinking that there’s a lot of other scanner that can do that and you’re probably right but Nmap can do it in a different way.

The Bread and Butter of IT Security
By Andrey Mosktvitin, IT Security Professional, Microsoft

Today we are going to talk about bread and butter of every IT security, networking and system professional – Nmap nework scanner.
Initially Nmap was a Linux command-line tool created by Gordon “Fyodor” Lyon in 1997. Nowadays it is a great set of tools with extensible framework, providing opportunity to integrate it with external scripts. There is also a beautiful GUI called ZeNmap and editions for Windows, Mac OS X, most of UNIX OS available. You can get information about all features and a distributive at official www.Nmap.org website.

NMAP Scanning: How a Simple Tool STILL Makes Dramatic Impact
By Nathan Swaim, President, ANRC

In a growing world of network analysis tools to choose from there are a few that remain just as beneficial today as they were when it first came out. NMAP definitely has held its reputation as being a go-to tool when network analyst and security researchers need it. It’s well known that if you don’t at a minimum scan your network defense posture using NMAP at least once after major production changes you are taking an unnecessary gamble and risk by not doing so. While the NMAP tool hasn’t significantly changed in its development lifecycle the emphasis on using it certainly has. In this article we’ll dive into the basics of doing an NMAP scan and explain some of the ways this incredible tool is able to do what it does.

NMAP: A “HACKER TOOL” FOR SECURITY PROFESSIONALS
By Justin Hutchens, CISSP, CEH , ECSA, CHFI

The notion of the “ethical hacker” has always been an ironic one. The developing trends of ethical hacking and offensive security have transformed the information security industry into one of the most self-perpetuating industries in the world. The software and tools that are used to secure vulnerable information assets are the same tools that can be used to exploit them. But perhaps it’s the other way around. Perhaps the tools that were created for the sole purpose of exploiting information assets are now being used to safeguard them. I suppose this is a debate that could go on forever and is really just another instance of “what came first…the chicken or the egg?”

The Swiss Army Knife

Discover What Is Inside The Hard Shell
By Andrew Jones, VMTraining, GSEC, GCIH, CVE5, VMTraining Certified Trainer

Nmap was one of the basic tools we would start students on. It’s open source, so free, and reasonably easy to get using right away for basic network scans. I say nmap is relatively easy to get using, but take that with a grain a salt. As you can see in the screen capture below, by running nmap –help, we are presented with a wealth of option flags for our use.

Nmap – The Tool of Almost Endless Capabilities
By Evan Francen, President, FRSecure LLC & Information Security Evangelist CISSP, CISM, CCSK

Before we start out and dig in, you need to know that Nmap can be a very powerful tool in the hands of someone who knows how to use it AND has an intimate knowledge of how TCP/IP works. If you don’t know some of the TCP/IP basics like IP addressing, routing, ports, and the structure of a TCP packet, it would be good idea to brush up on these skills first. As you unlock your knowledge of TCP/IP, you’ll embrace the beauty of Nmap that much more.

NMAP – Hollywood’s Hacking Tool of Choice
By Jake Wylezek, Solutions/Systems Engineer at Hewlett-Packard

NMAP is a network scanner but not a security measure. The main aim of this software is to perform host and services discovery and network recognisance. The initial release written by Gordon Lyon also known as Fyodor Vaskovich (if you watch Defcon talks) was back in September of 1997. Fyodor keeps the NMAP project rolling which today gives us version 6.25 thanks to an active user community. If you are reading this article thinking that you don’t know what NMAP is and you have never seen it before there is a great possibility that you already have seen it and there is even greater possibility that people such as your parents have seen it too. The reason behind it being NMAP featured in many movie hits over the years including Matrix Reloaded, Dredd, Bourne Ultimatum (my personal favourite), Die Hard 4 and several more.

Nmap – The Swiss Army Knife of Network Discovery
By James Tan, BSc Psychology, ISO 27001, CISSP, CCSK, CISA, eCPPT, PMP

Nmap is a popular free and open source port scanner if you have not heard of it. It is mentioned frequently in Hakin9 and other online articles, and also featured as the hacker’s choice of tool in several movies. You can use Nmap to scan entire network with a simple line of command or just an individual host. To the casual observer, Nmap is just a network port scanner. However it is a powerful toolkit comprising of many useful utilities (commands and GUI).

Practical NMAP Scanning
By Joshua Cornutt, CompTIA A+ Certified Professional IT Technician

Network Mapper (Nmap) allows for the discovery of live computers/hosts on a network as well as detects running services and supported communication protocols. It’s one of the most essential tools for any systems/network administrator, IT security professional and/or hacker. This instructional will guide you through using Nmap to effectively scan a subnet for live hosts, determine the status of firewall ports, iterate through running services and identify vulnerabilities.

Advanced Approach

Nmap – The Multitool of Network Discovery
By Branden Paul, Network Administrator, Banking Company

Nmap (Network Mapper) is a free-ware utility for Network scanning and security auditing. It was designed for large networks, but works on single hosts as well. It runs on all major Operating Systems and in addition to the classic command-line Nmap executable, it also includes an advanced GUI and results viewer (Zenmap). Now that you have some background information, let’s jump right in!

Using NMAP for Outbound Traffic Analysis
By Sergio Castro, Managing Director, Qualys Latin America

You wouldn´t let your kids talk with strangers in the street, right? But if you are not analyzing the servers your users are connecting to, that´s exactly what you are doing. We all have our firewalls configured to prevent pretty much all inbound traffic (with a few exceptions), and we know what outbound traffic to allow: http, https, ssh, smtp, pop, etc. And you know that when a hacker manages to land a trojan or install a backdoor in your network, the command and control outbound traffic will be via http or https most of the time. Also, if one of your users falls for a phishing scam, his/her outbound traffic will obviously would be http. You should be doing outbound traffic analysis, but you can.

Refining Your Nmap Scan Strategy
By Tony Lee, Principal security consultant at FireEye

The answer we hear most often is option a. While this may work for small networks, it does not scale for larger networks or more thorough assessments. The astute reader will notice that options a, b, and c, operate identically. Option a provides the network range in CIDR notation and since -sS is the default scan type when no options are supplied–option b is identical to option a. Examining option c, reveals that it is the same as options a and b, except that the target is supplied using a network range instead of CIDR notation. The problem with options a, b, and c is that they will not thoroughly scan the remote class c network as they will only scan the top 1000 TCP ports. Option d is close to what we are looking for since it scans all of the TCP ports; however, it lacks efficiency since we will be scanning all ports on all hosts, including dead IP space.

MCSA

Peter Harmsen

A lot of tutorials deal with nmap scanning and OS fingerprinting especially from the attackers pointof view.I would like to enlighten a quick and dirty aproach to get an portscan detectorup and running to add to your defense in depth.In this tutorial we will install the portscan attack detector deamon.Or psad for short. PSAD is capable of automatically add iptables rules in order toblock all traffic to and from one or more portscanning ip-addresses.There are not that many hands-on websites dealing with psad for a specific linux distro.And the ones who exist miss some essential details to get things working.So i thought ,why not write a quick recepy that quickly gives you both

In Depth Guide To Digital Forensics

Forensic Nmap
By Antonio Ierano, Former Cisco European Security Evangelist & Senior Consultant

Writing an article about Digital Forensic is always a challenge, and the reason are multiple: the complexity of the argument, the level of technology involved, the forensic approach itself.
There are a lot of tools and areas where digital forensic can be applied, and thousands of tools that can be used. But a challenge is always a good thing because let us focus and make think clearer so when I’ve been proposed to write an article on Nmap and forensic I accepted.