Recon with Nmap
- Network scanning for noobs & ninjas
Who are we?
Jayvardhan Singh @Silent_Screamr
- Web and Mobile Security researcher
- Bugbounty and Hall of Fame
- Microsoft | Apple | Nokia | Barracuda |
Blackberry | Olark | Heroku |
Nikhil Raj @0xn1k5
- Web, Network and Wireless pentesting
- RHCSA, RHCE & CEH
- Dump my tools at github.com/0xn1k5
Home Network
192.168.0.1
192.168.0.101 192.168.0.102
192.168.0.103 192.168.0.104
Enterprise Network
Firewall Router Switch
Hosts
Private IP
Class A : 10.0.0.0 – 10.255.255.255
Class B : 172.16.0.0 – 172.31.255.255
Class C : 192.168.0.0 – 192.168.255.255
Public IP
Internet
NAT/PAT
Find your own IP
Public IP
Just Google "what is my ip address"
Or, visit http://whatismyipaddress.com
Private IP
Open the cmd/terminal
and type:
# ipconfig (Windows)
# ifconfig (Unix/Linux)
Who else is on the network?
# ping <target ip>
What Services are available?
- Each host needs to perform multiple networking operations, such as web browsing, instant messaging, file transfer, video streaming and remote management over RDP or SSH
- Each of these is a TCP- or UDP-based service associated with a unique port number
Port Numbers
● Port numbers exist at the Transport Layer
● Size: 16 bits unsigned integer
● Range: 0 – 65535 (Both TCP & UDP)
– Well known port ( 0 – 1023 )
– Reserved port ( 1024 – 49151 )
– Dynamic or Private port ( 49152 – 65535 )
Common Services & Ports
● Web Services – tcp/80, tcp/8080, tcp/443
● FTP – tcp/20 & 21
● SSH – tcp/22
● Mail – tcp/25
● Database – MySQL (tcp/3306), Oracle (tcp/1521)
● DNS – udp/53
● SNMP – udp/161
TCP vs UDP
TCP: Transmission Control Protocol
• Reliable
• Connection-oriented (3-way handshake)
• Flow control, sequencing and acknowledgement
UDP: User Datagram Protocol
• Unreliable
• Connectionless
• No retransmission and no acknowledgement
TCP 3 Way Handshake
Client → Server: SYN
Server → Client: SYN + ACK
Client → Server: ACK
Service is listening (Open)
DATA
TCP 3 Way Handshake
Client → Server: SYN
Server → Client: RST
Service is not listening (Closed)
Demo Time
Demo with Netcat
Start Netcat Listener (Server)
# nc -l -p <port>
Use Netcat as client
# nc <ip> <port>
and inspect the traffic in Wireshark
Nmap
● Open Source
● Fast and efficient
● Supports multiple platforms
● Active community support
● Popular...Featured in Movies as well :-)
● Can be extended using its Nmap Scripting Engine (NSE)
Specifying Input Targets
# nmap scanme.nmap.org
# nmap 192.168.0.1
# nmap 192.168.0.1-200
# nmap 192.168.0.1/24
# nmap -sn -iL <ip_list>
Specifying port range
# nmap -p 80 192.168.0.1
# nmap -p 21,22,80 192.168.0.1/24
# nmap -p 1-65535 192.168.0.1/24
# nmap --top-ports 200 192.168.0.1/24
# nmap --top-ports 10 192.168.0.1 --reason
PS: By default nmap scans only the 1000 most commonly used ports; the number can be changed with --top-ports
Nmap – Common Scan Types
TCP Connect Scan ( -sT )
- Complete 3-way handshake
# nmap -sT <target>
TCP SYN Scan ( -sS ) [Default]
- Also known as Half-open scan
# nmap -sS <target>
UDP Scan ( -sU )
- Scans UDP ports; runs slowly
# nmap -sU <target>
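The netcat demo above shows the handshake in Wireshark; this added example (not from the slides) reproduces it on the loopback interface in Python and maps what a full-connect (-sT) probe and a UDP (-sU) probe observe to the port states nmap reports. All ports are chosen at runtime on 127.0.0.1; nothing here touches a real network.

```python
import socket
import threading

# Added example (not from the slides): a loopback stand-in for the netcat demo.
# A TCP listener plays the `nc -l -p <port>` server; the probe functions see
# exactly what nmap -sT and -sU see, and map it to nmap's port states.


def start_tcp_listener():
    """Bind a TCP listener on an ephemeral loopback port (like `nc -l -p`)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break          # listener shut down by demo()
            conn.close()       # handshake already completed; a -sT probe needs nothing more

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port(kind):
    """Find a loopback port with nothing bound on it (bind port 0, read it, release)."""
    tmp = socket.socket(socket.AF_INET, kind)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def tcp_connect_state(host, port, timeout=1.0):
    """Full-handshake probe, the evidence behind nmap -sT.
    SYN/ACK  -> kernel completes the handshake -> 'open'
    RST      -> ECONNREFUSED                   -> 'closed'
    silence  -> timeout                        -> 'filtered'
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def udp_probe_state(host, port, timeout=0.5):
    """UDP probe, interpreted the way nmap -sU does.
    ICMP port unreachable -> ECONNREFUSED on a connected UDP socket -> 'closed'
    any datagram back     -> 'open'
    silence               -> 'open|filtered'  (why -sU is slow: every silent
                             port costs a full timeout and still stays ambiguous)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # connect() makes the kernel hand the ICMP error to us
        s.send(b"\x00")
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def demo():
    """Probe four constructed loopback ports and return their nmap-style states."""
    srv, tcp_open = start_tcp_listener()
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.bind(("127.0.0.1", 0))   # a bound but silent UDP service
    udp_silent = udp_sock.getsockname()[1]
    try:
        return {
            "tcp_open": tcp_connect_state("127.0.0.1", tcp_open),
            "tcp_closed": tcp_connect_state("127.0.0.1", free_port(socket.SOCK_STREAM)),
            "udp_silent": udp_probe_state("127.0.0.1", udp_silent),
            "udp_closed": udp_probe_state("127.0.0.1", free_port(socket.SOCK_DGRAM)),
        }
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes the accept() thread on Linux
        except OSError:
            pass
        srv.close()
        udp_sock.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:11s} -> {state}")
```

The silent UDP port comes back as open|filtered even though it is bound, which is the ambiguity that makes -sU results need follow-up with -sV.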
Nmap Options
- Skip host discovery when the host does not respond to ping probes
# nmap -Pn <target>
- Version Detection
# nmap -sS -sV <ip>
- OS Detection
# nmap -sS -O <ip>
- Use a timing template for a faster (but noisier) scan
# nmap -sS -T4 <ip>
- Aggressive Scan (version, OS and script scan)
# nmap -sS -A <ip>
Nmap – Saving Output
- Output Format supported:
- Normal ( -oN )
- XML ( -oX )
- Grepable ( -oG )
- All Formats ( -oA )
# nmap -sS -sV -p- <ip> -oA <output_file>
Nmap scan I
- TCP Services
# nmap -sS -p- -sV -O -Pn <target> -oA <out_file>
- UDP Services
# nmap -sU -p U:1-65535 -sV -Pn <target> -oA <out_file>
- Combining TCP and UDP Scan
# nmap -sU -sS -p U:53,111,137,T:21-25,80,139,8080 <target> -oA <out_file>
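Added example, not part of the deck: a parser for the target and port specifications used on the "Specifying Input Targets", "Specifying port range" and "Nmap scan I" slides, with a probe-count estimate and a scope check. ALLOWED_SCOPE is an assumed stand-in for the client-approved range and defaults to the RFC 1918 blocks from the "Private IP" slide.

```python
import ipaddress
import re

# Added example (not from the slides): expands target and port specs the way
# nmap reads them, estimates how many probes a scan will send, and checks the
# expanded targets against an authorised scope. ALLOWED_SCOPE is an assumption
# standing in for the scope agreed with the client.

ALLOWED_SCOPE = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_OCTET_RANGE = re.compile(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)")


def expand_targets(spec):
    """Return every IPv4 address a target spec covers.

    Handles a plain address, CIDR (192.168.0.1/24) and nmap's last-octet range
    (192.168.0.1-200). Hostnames such as scanme.nmap.org need DNS and are
    rejected here so the example stays offline.
    """
    if "/" in spec:
        # nmap scans the whole block, network and broadcast addresses included
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    m = _OCTET_RANGE.fullmatch(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {spec}")
        return [f"{prefix}{i}" for i in range(lo, hi + 1)]
    return [str(ipaddress.ip_address(spec))]   # ValueError for anything else


def _expand_port_item(item):
    """'80' -> {80}; '21-25' -> {21..25}; '-' (as in -p-) -> 1-65535."""
    if item == "-":
        item = "1-65535"
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo, hi = (int(lo) if lo else 1), (int(hi) if hi else 65535)
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {item}")
    return set(range(lo, hi + 1))


def parse_ports(spec):
    """Return {'tcp': set, 'udp': set} for a -p argument.

    A bare list applies to every protocol being scanned (as with -sS -sU -p 53);
    a T: or U: prefix switches protocol for the items that follow it.
    """
    result = {"tcp": set(), "udp": set()}
    current = None   # None -> both protocols
    for item in spec.split(","):
        if item[:2] in ("T:", "U:"):
            current = "tcp" if item[0] == "T" else "udp"
            item = item[2:]
        ports = _expand_port_item(item)
        for proto in ([current] if current else ("tcp", "udp")):
            result[proto].update(ports)
    return result


def probe_count(target_spec, port_spec, protocols=("tcp",)):
    """Lower bound on probes a scan sends: hosts x ports for each scanned protocol."""
    ports = parse_ports(port_spec)
    return len(expand_targets(target_spec)) * sum(len(ports[p]) for p in protocols)


def out_of_scope(targets, allowed=ALLOWED_SCOPE):
    """Addresses in `targets` that fall outside the authorised networks."""
    return [t for t in targets
            if not any(ipaddress.ip_address(t) in net for net in allowed)]


if __name__ == "__main__":
    print(parse_ports("U:53,111,137,T:21-25,80,139,8080"))
    print(probe_count("192.168.0.1/24", "-"), "probes for nmap -sS -p- 192.168.0.1/24")
    print(out_of_scope(expand_targets("192.168.0.1-200") + ["203.0.113.7"]))
```

Run the scope check on the expanded list before the scan itself, since a typo in a CIDR or octet range is the usual way a scan drifts outside the agreed subnet.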
Nmap Scripting Engine
- Scripts end with the .nse extension
- Located at /usr/share/nmap/scripts on Kali
- Invoked using -sC (runs the default category) or the --script switch
- Categorised as auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
- Can be used for enumeration, vulnerability detection, exploitation and more.
NSE Scans
- Executing the default script scan
# nmap -p 21 -sC -sV <ip>
- Executing a specific script
# nmap -p445 --script=smb-enum-shares <ip>
- Execute all smb scripts (quote the pattern so the shell does not expand it)
# nmap -p445 --script="smb*" <ip>
- Execute scripts marked as safe and default
# nmap -p445 --script=safe,default <ip>
NSE Scans continued
- Enumerating services
# nmap -p445 --script=smb-enum-shares <ip>
- Brute Force Attacks
# nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt <ip>
- Vulnerability Scan
# nmap -Pn --script=vuln <ip>
# nmap -p445 --script=smb-vuln-ms17-010 <ip>
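Added example (not from the slides): a reader for the XML written by -oX/-oA that pulls out the -sV, -O and NSE results the preceding slides produce, then flags open ports outside an agreed exposure baseline. SAMPLE_XML is constructed to follow nmap's schema and is not output from a real scan.

```python
import xml.etree.ElementTree as ET

# Added example (not from the slides): reads the XML that -oX / -oA writes and
# pulls out service versions (-sV), the best OS match (-O) and NSE script
# output, then diffs open ports against an expected-exposure baseline.
# SAMPLE_XML is a constructed document that follows nmap's schema; it is not
# output from a real scan.

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O --script=smb-enum-shares -oX out.xml 192.168.0.101">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="7.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset" reason_ttl="64"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="microsoft-ds" method="table" conf="3"/>
        <script id="smb-enum-shares" output="account_used: guest&#xa;IPC$: Remote IPC (READ)"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="96"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that was up: address, best OS match, ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"addr": addr.get("addr") if addr is not None else None,
                 "os": None, "ports": []}
        osmatch = host.find("os/osmatch")     # first osmatch is nmap's best guess
        if osmatch is not None:
            entry["os"] = (osmatch.get("name"), int(osmatch.get("accuracy")))
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),       # syn-ack, reset, no-response, ...
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                "scripts": {s.get("id"): s.get("output") for s in port.iterfind("script")},
            })
        hosts.append(entry)
    return hosts


def open_ports(host):
    """(proto, port) pairs confirmed open. 'open|filtered' is not counted: the
    UDP probe got no answer, so nothing was confirmed."""
    return [(p["proto"], p["port"]) for p in host["ports"] if p["state"] == "open"]


def unexpected_exposure(hosts, baseline):
    """Open ports missing from `baseline` ({addr: {(proto, port), ...}}), the
    exposure the client signed off on; anything else needs an explanation."""
    findings = []
    for h in hosts:
        for proto, port in open_ports(h):
            if (proto, port) not in baseline.get(h["addr"], set()):
                findings.append((h["addr"], proto, port))
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(h["addr"], h["os"], open_ports(h))
    print("unexpected:", unexpected_exposure(hosts, {"192.168.0.101": {("tcp", 22)}}))
```

Keeping the XML from each engagement lets the same diff run against the previous scan, so a newly exposed service stands out without re-reading the normal output.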
NSE Scans - Demo
Demo Time
Nmap Scan Types II
- Not all systems are RFC compliant
- They respond differently on receiving certain TCP flags
- These scans mostly work against *nix-based systems
- FIN Scan (-sF)
  - Sets only the TCP FIN bit
- XMAS Scan (-sX)
  - Sets the FIN, PSH and URG flags
- Null Scan (-sN)
  - Does not set any flags
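Added example (not from the slides, and covering the two handshake slides as well): a model of how an RFC 793 stack and a non-compliant stack answer the probes of -sS, -sF, -sX and -sN, and the state nmap derives from each answer. The stack functions are deliberate simplifications assumed for illustration.

```python
# Added example (not from the slides): how a target's TCP stack answers the
# probes behind nmap's -sS, -sF, -sX and -sN scans, and how nmap turns that
# answer into a port state. Two simplified stack models are assumed: one that
# follows RFC 793 (typical *nix) and one that answers RST to any out-of-state
# segment on every port, open or not (the non-compliant behaviour the slide
# warns about). A packet filter that silently drops the probe is modelled too.

SCAN_PROBES = {
    "-sS": frozenset({"SYN"}),
    "-sF": frozenset({"FIN"}),
    "-sX": frozenset({"FIN", "PSH", "URG"}),
    "-sN": frozenset(),
}

RST = frozenset({"RST", "ACK"})
SYN_ACK = frozenset({"SYN", "ACK"})


def rfc793_reply(port_open, flags):
    """Reply of an RFC 793 stack; None means the segment is dropped silently."""
    if "SYN" in flags and "ACK" not in flags:            # the handshake slides
        return SYN_ACK if port_open else RST
    # FIN / XMAS / NULL: a closed port must answer RST, an open port stays silent
    return None if port_open else RST


def noncompliant_reply(port_open, flags):
    """Stack that resets every non-SYN probe regardless of port state."""
    if "SYN" in flags and "ACK" not in flags:
        return SYN_ACK if port_open else RST
    return RST


def dropped(port_open, flags):
    """Packet filter in front of the host swallows the probe."""
    return None


def nmap_state(scan, reply):
    """nmap's documented interpretation of the reply for each scan type."""
    if scan == "-sS":
        if reply is None:
            return "filtered"
        return "open" if reply == SYN_ACK else "closed"
    # -sF/-sX/-sN: RST proves closed; silence cannot separate open from filtered
    return "closed" if reply is not None and "RST" in reply else "open|filtered"


def scan_port(scan, stack, port_open):
    """State nmap would report for one port on the given stack model."""
    return nmap_state(scan, stack(port_open, SCAN_PROBES[scan]))


def compare_stacks(scan):
    """{stack name: (state of an open port, state of a closed port)}."""
    return {
        name: (scan_port(scan, stack, True), scan_port(scan, stack, False))
        for name, stack in (("rfc793", rfc793_reply),
                            ("noncompliant", noncompliant_reply),
                            ("dropped", dropped))
    }


if __name__ == "__main__":
    for scan in SCAN_PROBES:
        print(scan, compare_stacks(scan))
```

On the non-compliant stack every port comes back closed under -sF/-sX/-sN, so an all-closed result from those scans says more about the target's TCP implementation than about its services.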
Firewalls
- Modify the source port
# nmap -g 80 <ip>
- Fragment the packets
# nmap -f <ip>
- Send packets with a bad checksum
# nmap --badsum <ip>
Thanks

Editor's Notes

  1. In a typical home network, all the devices are connected by WiFi or LAN to a central router/access point, and a unique IP is assigned to each device.
  2. An enterprise network is a bit more complex and can have many network devices sitting in the path before your traffic leaves the company's network. Inside the organization it uses the private IP addressing scheme, which is translated to a public IP at the gateway device (usually a firewall).
  3. Ask the audience to find their own public IP.
  4. Ask the audience to find their own public IP.
  5. The easiest way to check who else is on the network is to ping the IPs sequentially: if a host responds it is up; otherwise it may be down or simply not responding to ping.
  6. When connected to the network, users may browse the web, stream video, and download/upload files with the help of different services. These services can run over TCP (reliable), UDP (unreliable), or both, on different port numbers.
  7. TCP: a stable connection must be established before data transfer is initiated, via a process known as the three-way handshake. UDP is a connectionless protocol: communications are sent without any expectation of a timely confirmation of receipt from the remote end, so one has to allow a longer timeout before it can be assumed that a remote port is closed.
  8. On a network pentest engagement, you will receive a list of IPs or a network subnet. You first have to identify the live hosts and confirm them with the client.
  9. On a network pentest engagement, you will receive a list of IPs or a network subnet. You first have to identify the live hosts and confirm them with the client.