When testing a network, you need to know what hosts are able to be accessed. In this video, learn how to scan a network to detect hosts using a tool called Nmap and how to use Nmap to scan a host to detect the services it's running.
- [Instructor] Let's take a look at how to profile networks to discover what hosts are present and what services are available on those hosts. To do this, I'll use a tool called Nmap. Nmap is a standard network administrator's utility and runs on many platforms. If you don't have it on your system, you can download and install it from the nmap.org site. There are binaries for both Windows and Linux. Alternatively, for Linux, you can simply use the built-in apt-get installer. Let's load Nmap on Hydra by entering sudo apt-get install nmap. (computer keyboard clicking) Nmap provides a wide range of options to explore networks. Nmap's primary function is to scan a network and probe the hosts that it detects. It can scan using either of the two main internet protocols, TCP and UDP, and provides a lot of control over how the scanning and probing works. It can access services using a supplied username and password, or it can try to brute force its way in by guessing them. Let's check out Nmap's help. (computer keyboard clicking) We can see from the help information that there's quite a lot we can do with Nmap. It takes time to fully understand the power of Nmap, but the basics are a good place to start. As we look down the help, we can see that it's quite flexible at specifying the target or target list. It has a lot of ways to try to discover hosts. It has a number of different scan techniques. It allows various ways of scanning ports and services. It has scripts we can use, and more. Let's use Nmap to discover what hosts are on my network. I know the network has up to 254 hosts on it, with IP addresses of 10.0.2.1 to 10.0.2.254. I'll ask Nmap to check a subset of the network by entering sudo nmap -sn 10.0.2.1-60. This will reduce the amount of time needed to wait for the result. Nmap has many functions, which are selected by using options on the command line.
Here, I'm using the -sn option, which contacts each host in turn with what's known as a ping to see whether it responds. Nmap reports only the hosts that do respond, as we can see, and also provides the network interface level address, known as the MAC address, of the host. I'll not use MAC addresses in this course, but they can be useful in advanced networking. Here we see six results. We already know that we have 10.0.2.6, 10.0.2.12, and 10.0.2.31. We can also see 10.0.2.1 to 3, which are hosts automatically set up by VirtualBox. The allocation of host addresses is usually done based on subnets, and the number of hosts is usually a power of two: two, four, eight, 16, 32, and so on. I can select a subnet to scan by specifying the number of bits, starting at the beginning of the address, which are the same. For example, we could use /26 to select 63 addresses, one to 63. This makes managing the address range for the subnet much easier for the computers, because this form of specification enables simple binary masks to be used. You will likely see a mask specified in your home network router as 255.255.255.0. That's a /24 address mask. Let's use this way of specifying subnets. I'll scan again, but this time using nmap -sn 10.0.2.0/26 to look at 10.0.2.1 to 10.0.2.63. (computer keyboard clicking) There are a number of other options when doing host discovery, such as taking an input file of host names, excluding specific hosts from a subnet scan, and so on. I won't cover these here, but you can see the full list of options in the help. Let's now look at one of the targets we've identified, on IP address 10.0.2.31, our Scorpio host. We'll drill down deeper into this system using the -PS option. (computer keyboard clicking) Nmap is now checking a thousand of the most common services (there are currently about 2,200 in its database) to see if they're open on the host.
It does this by starting to open a connection to the service and then closing it down before the connection is complete. This is called a TCP SYN ping, and it works by sending an empty TCP packet with the SYN flag set and waiting for the host to respond with a standard SYN/ACK response. While a normal connection would be completed by sending back an ACK, Nmap instead cancels the connection before it completes. We can see in this response that Scorpio has just one service open. Now let's use Nmap to drill down into an individual service on Scorpio, the SSH service. By using the -sV option, Nmap will try to identify the version of software being used for a service. I can limit the testing to just one service with a -p option. I'll type sudo nmap -PS -sV -p 22 10.0.2.31. Nmap comes back within a few seconds and tells us that the service on port 22 is running the OpenSSH version 7.2p2 software. This is very rich intelligence. If we go to the NIST Vulnerability Database site, we can do a search on OpenSSH and we can see there are 114 known vulnerabilities. As a network administrator, I can now review these vulnerabilities to see whether they're relevant and, if so, make sure I have the correct patches applied to this installation of OpenSSH.
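The sweep and version scan above produce output that the administrator then has to review. The following Python script is an added example, not part of the course: it parses a constructed sample of Nmap's grepable (-oG) output modelled on those scans, works out the mask and host range for prefixes such as /26 and /24, and flags any open service that is not on an allowlist. The sample output, the host name "scorpio" in it, and the allowlist are constructed, not captured.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap grepable output (-oG) modelled on the two scans
# in the transcript; it is NOT captured scan output.  Each "Host:" line has
# tab-separated fields such as "Status: Up" or "Ports: <list>", and each port
# entry is port/state/proto/owner/service/rpc/version.
SAMPLE_GREPABLE = (
    "# constructed sample, not a real scan\n"
    "Host: 10.0.2.1 ()\tStatus: Up\n"
    "Host: 10.0.2.2 ()\tStatus: Up\n"
    "Host: 10.0.2.3 ()\tStatus: Up\n"
    "Host: 10.0.2.6 ()\tStatus: Up\n"
    "Host: 10.0.2.12 ()\tStatus: Up\n"
    "Host: 10.0.2.31 (scorpio)\tStatus: Up\n"
    "Host: 10.0.2.31 (scorpio)\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/\n"
)

PortInfo = Tuple[int, str, str, str]  # (port, proto, service, version)


def subnet_summary(cidr: str) -> Tuple[str, int, str, str]:
    """Return (netmask, address count, first host, last host) for a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(net.netmask), net.num_addresses, str(hosts[0]), str(hosts[-1])


def parse_grepable(text: str) -> Dict[str, List[PortInfo]]:
    """Map each host reported Up to its open ports."""
    inventory: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \((.*?)\)\t(\w+): (.*)", line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        host, _name, field, value = m.groups()
        value = value.split("\t")[0]  # drop trailing fields like "Ignored State"
        if field == "Status" and value.strip() == "Up":
            inventory.setdefault(host, [])
        elif field == "Ports":
            for entry in value.split(", "):
                parts = entry.split("/")
                if len(parts) >= 7 and parts[1] == "open":
                    inventory.setdefault(host, []).append(
                        (int(parts[0]), parts[2], parts[4], parts[6]))
    return inventory


def unexpected_services(inventory: Dict[str, List[PortInfo]],
                        allowlist: Dict[str, set]) -> List[Tuple[str, int, str, str]]:
    """Open ports not in allowlist {host: {port, ...}}; these need review."""
    return [(host, port, service, version)
            for host, ports in inventory.items()
            for port, _proto, service, version in ports
            if port not in allowlist.get(host, set())]
```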