Hello, my name is Swapnil and I will walk you through the functionalities of the Nmap tool today. Nmap is a security tool which is mainly used in the reconnaissance phase of an attack. Reconnaissance means we gather information about the victim: what vulnerabilities are present in it, what ports are open and all such things. Nmap is an open-source tool for network exploration and security auditing. It can be used to rapidly scan large networks. We can give entire subnets or ranges of IPs to Nmap and it can scan them sequentially. The various uses of Nmap are: we can discover which hosts are alive, we can scan for open ports and services, we can learn the versions of the services which are running, the operating systems which are running, etc.

A few things to keep in mind while using Nmap: there are security devices like firewalls which can skew the result of an Nmap scan. They can interfere with Nmap's scanning packets and thus we cannot get an exactly correct result. Some of the functions of Nmap require root-level privileges on the machine. For example, checking whether a host is alive using ARP requires sudo-level permission. Scanning networks or machines which you do not have permission to scan can get you in trouble with the authorities. And the last thing is that aggressively scanning some systems which have low resources may cause them to crash. So we have to use this tool with great caution.

Finally, these are the various ways of input which we provide to Nmap. We can give a single IP, we can give multiple IPs separated by spaces, we can give a range using a dash, and we can even give IPs from a file, as is given here. Sometimes, if you are giving a range of IPs or a subnet of IPs, you might want to exclude some of them. We exclude those IPs using these options.
The --exclude option accepts all the specifications given before here, and the --excludefile option accepts the IPs in a text file. These are the various discovery options using which we can identify whether a host is alive or not. We will see some of these options in the demo. For instance, there is one option using which we can ARP the remote host and see whether it is alive or not; we can send a TCP SYN; we can use an ICMP ping; etc. These are the various scanning options which we will see. Some of these I will demonstrate in the video.

When we scan the TCP ports, we may get the status of the ports as one of these four. Usually we will be interested in the ports which are open or unfiltered. Open ports means the service is running, the port is listening and it is accepting connections. Unfiltered ports are classified as such when Nmap is able to probe them but cannot determine whether they are open or closed.

Nmap has a help menu which will list all the options which I just showed you in the slide. You can even view the man page of Nmap using man nmap. Now I will log in as root on this machine so that I can use all the features of Nmap. The -sP option tells Nmap to only check whether the host is alive or not and not to scan any further. So I am giving it a range of IPs. These are 11 IPs and it will scan all of them sequentially and check whether they are alive or not. This range is in the same subnet as the machine on which I am using Nmap. So it has identified that 4 hosts are currently up out of the 11 IP addresses, and it gives the MAC address and IP address of those hosts. Out of these, the first host is a vulnerable machine which I have purposely set up for us to scan. So all the commands from here on I will perform only on this machine and not on all of them. We can give a range of IPs, like we have given here, in all the commands. Note here that Nmap has sent an ARP query, which is a broadcast message.
This 10.129.28.236 is my IP address and this 10.129.26.170 is the IP address of the remote vulnerable machine. So it has replied with its own MAC address over here. But notice that after this ARP request and reply, my machine is doing a reverse DNS query of that machine over here, and the DNS server is responding that it has no such record. This can be a very serious issue. I just scanned 11 IP addresses and the DNS server has received reverse DNS queries for all these 11 addresses. If someone is monitoring the DNS server or logging it, then they will know that a scan is being performed. In this Wireshark capture I will only be showing the packets which are going to the vulnerable machine. So I will give the -n option over here, which tells Nmap not to make a reverse DNS query. See, now the ARP request and reply have come over here but there is no reverse DNS query.

I just told Nmap to do a host discovery using the -sP option and it selected ARP to check whether the host is alive or not. But I can specifically give the option -PR. This tells Nmap to use ARP to check whether the host is alive or not. So again the result here is the same as before. Now I will put the -n option so it will not perform a reverse DNS query. So what we saw here is that when the remote machine is in the same subnet as ours, Nmap will by default use the ARP protocol to discover whether the machine is alive or not. If we want to use some other protocol explicitly, then we have to provide other options. Again, -sP means I am only trying to discover whether the host is alive. -PE means I am trying to use the ICMP echo protocol, the ICMP ping which we use normally. But even though I have told it to use an ICMP ping, it has done an ARP query over here. This is because Nmap does not take our choice into consideration when the remote host is in the same subnet. So we have to explicitly tell it not to use ARP in case we want to use some other protocol.
So now it has done an ICMP request and reply and we have come to know that one host is up. By far, ARP is the safest method to check whether a host is alive or not, because if there is a security device in the network, it may consider an ARP request and reply to be something normal. But security devices can block ICMP requests and replies. If the remote host is on some other subnet, then there may be a security device in between. So it is possible that ICMP can be blocked. So there are various other ways to check whether a host is alive or not.

The -PS option tells Nmap to do a TCP SYN scan on a port on the remote machine. We can give -PS and then some port number which we want to use; otherwise Nmap will use some good port on its own. So we have found that the host is up. In Wireshark we can see that a TCP SYN has been sent to the HTTP port 80 and the machine has replied with a SYN-ACK. So now we know that the machine is up, and we immediately stop the connection by sending a reset.

This is a TCP ACK scan. Instead of sending a SYN, now we will send an ACK packet to the remote host. When we send an ACK, the remote host will try to find a session based on the source and destination ports and IP addresses, but it won't find any such session. So it will send a reset back to us. Since it has reacted with a reset, we come to know that the host is up. But we have to note here that if there is a stateful security device in between, like a firewall, it will also keep track of all the sessions which are going on. So in this case the firewall may silently drop the ACK and we may never receive a reply. So Nmap will time out. So this method is not always useful.

This is a UDP scan. Nmap will randomly choose some UDP port and send a packet to it. We can see here that the message is sent to the remote port 40125 and the remote host has sent us an ICMP port unreachable message. By this we come to know that the machine is alive.
Since UDP is a sessionless protocol, there is a very low chance that some security device can stop this UDP packet. The -PP option means the ICMP timestamp protocol. The ICMP timestamp protocol is used to synchronize the clocks between two servers, to measure the latency between them and such things. So when we send an ICMP timestamp, the remote machine may reply and we will know whether it is alive or not. Here you can see the machine has replied with a timestamp reply message. So these were some of the discovery options which I showed you in the slide. There are three to four more options which you can explore on your own.

Now we will see how to scan for open ports on the remote machine. The -sS option is a TCP SYN scan. Notice here that Nmap will always first check whether the host is alive or not; only after that will it do the port scan. If somehow we know that the machine is alive, but with none of the discovery options do we get that the machine is alive (whenever we scan for discovery we find that the host is down), then we can use the -Pn option, which was there in the slide, which will directly start scanning the machine instead of checking whether it is alive or not. So these are all the open ports on that machine. This is the Wireshark capture of the scan. We will see that first Nmap does an ARP discovery; after that it starts sending SYN packets. You can see here that a SYN has been sent and the machine has replied with a SYN-ACK, and immediately after the SYN-ACK we send a reset to it, and we know that the port is open. In this way Nmap will scan a total of 1000 ports, the well-known ports, if we do not provide any explicit option to it. Otherwise we can also provide a range of ports to it which can be scanned. The one we saw now was the TCP SYN scan. Now we will see a TCP connect scan.
To use the TCP SYN scan we require root privileges on the local machine, but if we do not have root privileges we have to work with the TCP connect scan. It will make a full connection with the remote host. Again, it has first discovered whether the host is up, and it has found the open TCP ports. Now we will see here that a full three-way handshake has been done: the SYN has been sent by us, the SYN-ACK has been sent by the remote host, and again we send an ACK. So a TCP three-way handshake has been done. Now we know that the port is open and accepting connections, and after this we send a reset to the remote host to close the connection. If I use the Follow TCP Stream option, it will show all the packets of the particular session. So we have sent a reset to the remote host to close the connection. But over here, if the sessions are being logged, it will get recorded that a scan has been done on all the ports. So the previous option, the simple TCP SYN scan where we send a SYN, the remote host gives a SYN-ACK and we immediately send a reset, is a better choice.

Now this is a TCP ACK scan. This is not used to check whether the ports are open or not; it is used to check whether the ports are filtered by a firewall or not. So first it has done a host discovery and it has given the result that all 1000 ports are unfiltered. Why does it say that the ports are unfiltered? You will see in Wireshark. We are continuously sending ACKs on various remote ports and the machine is replying with RST because it does not have any such session. This means that there is no security device keeping track of all the sessions, and there is no security device to stop this ACK scan. So the ports are unfiltered. You can see various ACK/RST packets over here: first we send an ACK and in reply we get an RST.

Now the -A option means the aggressive scan.
We have to be very careful with this option because it performs all the tests which Nmap has on the remote machine. It will first perform a discovery, then it will start scanning for open ports, after that it will do OS fingerprinting, and thus it will bombard the remote machine with a lot of packets. So it takes a lot of time. I have just fast-forwarded the video here. So it has first checked that the host is up. After that, here we have the hostname of the remote machine. We have the version of the remote SMB server. These are the various fingerprints which we have received. Here we have found out which version of MySQL the machine is using. See, these are very dangerous things. If we find out some version which is vulnerable, then we can exploit it. Here we see which version of VNC it is using, which version of FTP server it is using, the version of OpenSSH it is using, and Apache Tomcat 5.5. So this may also have some vulnerability if we search in some database. But it has not found any exact OS match because it may not have the fingerprint in the database. So with this I conclude the demonstration of Nmap.
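The reverse DNS leak pointed out in the walkthrough (a discovery sweep of 11 addresses producing 11 PTR lookups at the resolver, unless -n is given) is exactly the kind of thing a DNS query log can reveal. As an added example that is not part of the video, the Python script below reads BIND-style query log lines and flags any client that reverse-resolves many distinct addresses within a short window. The log line format, the client addresses, the timestamps and the resolver address are all constructed for this example; only the scanner and target addresses are taken from the video.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# BIND-style query log line (format assumed for this example):
# "10-Mar-2024 10:15:01.000 client 10.129.28.236#51234: query: 170.26.129.10.in-addr.arpa IN PTR + (10.129.28.1)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client, qname, qtype), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("client"), m.group("qname"), m.group("qtype")


def ptr_to_ip(qname):
    """Turn '170.26.129.10.in-addr.arpa' back into '10.129.26.170'; None if not an IPv4 PTR name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def _ip_key(ip):
    return tuple(int(x) for x in ip.split("."))


def detect_ptr_sweeps(lines, window_seconds=10, threshold=5):
    """Flag clients that reverse-resolve >= threshold distinct addresses within window_seconds.

    Returns one dict per flagged client: the client, first_seen (time of the first PTR query
    in the triggering window) and a sorted list of every address swept while flagged."""
    per_client = defaultdict(deque)   # client -> recent (timestamp, target ip) pairs
    alerts = {}                       # client -> alert dict, created when the threshold is crossed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "PTR":
            continue
        ts, client, qname, _ = parsed
        ip = ptr_to_ip(qname)
        if ip is None:
            continue
        recent = per_client[client]
        recent.append((ts, ip))
        while (ts - recent[0][0]).total_seconds() > window_seconds:   # slide the window forward
            recent.popleft()
        distinct = {addr for _, addr in recent}
        if client in alerts:
            alerts[client]["targets"].update(distinct)
        elif len(distinct) >= threshold:
            alerts[client] = {"client": client, "first_seen": recent[0][0], "targets": set(distinct)}
    return [{**a, "targets": sorted(a["targets"], key=_ip_key)} for a in alerts.values()]


def _ptr_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


# Constructed sample log: one host reverse-resolving 11 consecutive addresses in about one
# second (what an un-suppressed sweep of an 11-address range looks like at the resolver),
# plus ordinary traffic from a second client that should not be flagged.
SAMPLE_LOG = [
    f"10-Mar-2024 10:15:{1 + i // 10:02d}.{(i % 10) * 100:03d} client 10.129.28.236#{51234 + i}: "
    f"query: {_ptr_name(f'10.129.26.{170 + i}')} IN PTR + (10.129.28.1)"
    for i in range(11)
] + [
    "10-Mar-2024 10:15:03.500 client 10.129.28.50#40001: query: www.example.com IN A + (10.129.28.1)",
    "10-Mar-2024 10:15:04.200 client 10.129.28.50#40002: query: 1.28.129.10.in-addr.arpa IN PTR + (10.129.28.1)",
]

if __name__ == "__main__":
    for alert in detect_ptr_sweeps(SAMPLE_LOG):
        print(f"{alert['client']} reverse-resolved {len(alert['targets'])} addresses "
              f"starting {alert['first_seen']:%H:%M:%S}: {alert['targets'][0]} .. {alert['targets'][-1]}")
```

The window and threshold are deliberately conservative defaults; a resolver that serves a mail gateway will legitimately issue bursts of PTR lookups, so in practice the threshold is tuned per source and known bulk resolvers are excluded before alerting.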
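The open, closed, filtered and unfiltered port states described in the walkthrough are easiest to act on once Nmap's output is parsed rather than read by eye. As an added example that is not from the video, this Python script parses Nmap's greppable (-oG) output format for a scan of hosts you administer, counts ports by state, and reports open TCP ports that are outside an allowlist, which is the usual exposure check a defender runs after such a scan. The sample output, its second host and its version strings are constructed for this example; the port/state/proto/owner/service/rpcinfo/version field layout is Nmap's greppable format.

```python
import re

# Constructed sample of Nmap greppable (-oG) output. Fields on a Host line are tab-separated,
# and each entry in the Ports field is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample for this example)
Host: 10.129.26.170 ()\tStatus: Up
Host: 10.129.26.170 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/, 3306/open/tcp//mysql//MySQL 5.0.51a/, 5900/open/tcp//vnc//VNC protocol 3.3/, 8180/open/tcp//http//Apache Tomcat 5.5/\tIgnored State: closed (994)
Host: 10.129.26.171 ()\tStatus: Up
Host: 10.129.26.171 ()\tPorts: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done (constructed sample for this example)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)$")


def parse_gnmap(text):
    """Parse greppable output into {ip: {"hostname", "status", "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and blank lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) < 7:
                        continue          # malformed entry; skip rather than guess
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return hosts


def count_states(hosts):
    """Number of scanned ports per state (open, filtered, unfiltered, ...) across all hosts."""
    counts = {}
    for entry in hosts.values():
        for p in entry["ports"]:
            counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def unexpected_open_ports(hosts, allowed_tcp_ports):
    """Open TCP ports not in the allowlist, as (ip, port, service, version) tuples."""
    findings = []
    for ip, entry in sorted(hosts.items()):
        for p in entry["ports"]:
            if p["state"] == "open" and p["proto"] == "tcp" and p["port"] not in allowed_tcp_ports:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("ports by state:", count_states(hosts))
    for ip, port, service, version in unexpected_open_ports(hosts, allowed_tcp_ports={22, 80}):
        print(f"{ip}: tcp/{port} ({service}) open outside allowlist; version: {version or 'unknown'}")
```

Filtered ports are deliberately left out of the exposure list: as the walkthrough notes, a filtered result means a device in the path dropped the probe, so it is a finding about the firewall rather than about a listening service.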