Tag Archives: Nmap

14Dec/13

How to use Nmap to identify what a server is running

Whether you are attacking a computer or protecting it, proper intelligence about a computer is important.  A very powerful option for learning about a given system is Nmap.  According to Nmap’s website:

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

I would like to take a look at a few of the things you can do with Nmap.  For these examples, my target is going to be jastreich.com (a server run by a friend and former coworker) .  This is definitely not a comprehensive guide but it will cover some high points.

 

Determine what domain names use that server (without pinging anything)

This scan does not ping the server in any way.  It simply does a reverse-DNS lookup.  The nmap website says that this scan is a “good sanity check” since it lets you verify the identity of your target.  I would have to agree.

nmap -sL [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 03:55 UTC

Nmap scan report for jastreich.com (192.81.210.134)

rDNS record for 192.81.210.134: piggyandmoo.com

Nmap done: 1 IP address (0 hosts up) scanned in 0.05 seconds

 

Trace path to the server (traceroute)

This sends packets to the server with decrementing TTL, in an attempt to elicit ICMP time-exceeded messages.  The goal is to identify every computer between you and your target.  This could help to identify alternate attack vectors.  Beware: traceroute requires root on your local machine.

nmap –traceroute [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:37 UTC

Nmap scan report for jastreich.com (192.81.210.134)

Host is up (0.00092s latency).

rDNS record for 192.81.210.134: piggyandmoo.com

Not shown: 998 closed ports

PORT   STATE SERVICE

25/tcp open  smtp

80/tcp open  http

TRACEROUTE (using port 554/tcp)

HOP RTT      ADDRESS

1   11.49 ms 192.81.212.1

2   0.95 ms  piggyandmoo.com (192.81.210.134)

Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds

 

Application Version Detection

So, you know where your target is.  Next, you probably want to know what services your target is running.  This will tell you exactly what it is running (to the best of it’s ability).  Once you know what daemons are running and what versions are running, you can start looking for exploits that can be leveraged.

nmap -A [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:43 UTC

Nmap scan report for jastreich.com (192.81.210.134)

Host is up (0.00061s latency).

rDNS record for 192.81.210.133: piggyandmoo.com

Not shown: 998 closed ports

PORT   STATE SERVICE VERSION

25/tcp open  smtp    Postfix smtpd

|_smtp-commands: localhost, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,

| ssl-cert: Subject: commonName=stkfactory

| Not valid before: 2012-10-17 21:47:37

|_Not valid after:  2022-10-15 21:47:37

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

|_http-title: J. A. Streich Home Page

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=6.00%E=4%D=12/14%OT=25%CT=1%CU=44180%PV=N%DS=2%DC=T%G=Y%TM=52ABE1

OS:FA%P=i686-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=8)OPS(O

OS:1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11N

OS:W6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R

OS:=Y%DF=Y%T=41%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S+%F=AS%

OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y

OS:%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R

OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=

OS:41%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S

OS:)

Network Distance: 2 hops

Service Info: Host:  localhost

TRACEROUTE (using port 80/tcp)

HOP RTT     ADDRESS

1   0.82 ms 192.81.212.1

2   1.01 ms piggyandmoo.com (192.81.210.134)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 20.82 seconds

 

TCP SYN Scan

This is a good first scan when analyzing a server.  It is fast and stealthy because it never completes a TCP connection.  It uses something called a half-open scan.

nmap -sS [Insert Host Here]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-14 04:57 UTC

Nmap scan report for jastreich.com (192.81.210.134)

Host is up (0.00031s latency).

rDNS record for 192.81.210.134: piggyandmoo.com

Not shown: 998 closed ports

PORT   STATE SERVICE

25/tcp open  smtp

80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds