Type : Tutorial
Level : Easy
O.S on network : Windows 2000, Windows XP SP3, Debian 6
Scanner O.S : Backtrack 5 R1
Application version : Nmap 5.59BETA1 (http://nmap.org)
In a few months ahead I will be a little bit busy with my master class, this class become harder because the professor teach me using Chinese 😛 , but don't worry I will still spent time to write tutorial here but not often as usual, you still can catch up with me in my facebook page here and twitter page here for the latest update from this site. I also want to say sorry for you who already wrote in request tutorial page or contact me page about request tutorial or ask a question because there's so many reader wrote there, but i'LL try the best as I can 🙂 .
Today I will write tutorial about How to Know Victim Operating System using Nmap and also how to evade the IDS or firewall to catch our real IP, because there's some readers wrote in my Request Tutorial page that they didn't know how to do that. Maybe for you who already learn about scanning a network or something similar with this, you will feel familiar with this tutorial.
There are 2 version of Nmap, console mode and GUI mode(Zenmap) but do not worry, because the usability and ability was similar and you just choose which one you want to use and most suitable with you(in this tutorial I'LL use the console mode).
What is nmap?
According to its website, Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
Scanner IP Address : 192.168.8.93
1. Nmap (nmap.org)
1. Open your console (CTRL + ALT + T) and then type nmap command to view the help. Actually from this help page you can read yourself because there's so many options you can use to perform your scanning technique.
2. The simple or basic scanning technique was just run your nmap following with a target IP address.
v4L@bt:~# nmap 192.168.8.91 Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-16 21:24 CST Nmap scan report for localhost (192.168.8.91) Host is up (0.00070s latency). Not shown: 995 closed ports PORT STATE SERVICE 21/tcp open ftp 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 2869/tcp open icslap MAC Address: 08:00:27:7E:C9:A3 (Cadmus Computer Systems) Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
3. Nmap also can scan a whole of your network address to know which host alive or dead (try by yourself).
v4L@bt:~# nmap 192.168.8.0/24
if your IP was 192.168.1.9, then your nmap command should be nmap 192.168.1.0/24 but you can learn more about this CIDR notation in computer networking.
If you see the nmap help, there's so many switch you can use but in this tutorial I will not describe all of that switch because you can read more on nmap official website help page.
-v : Increase verbosity level (use -vv or more for greater effect) -S <IP_Address> : Spoof source address -- used to trick the firewall/IDS -e <iface> : Use specified interface -Pn : Treat all hosts as online -- skip host discovery -sV : Probe open ports to determine service/version info -- very useful to get detailed information about the service -T<0-5> : Set timing template (higher is faster)--see picture below -O : Enable OS detection
4. I will use the above switch to perform a scanning in my network.
v4L@bt:~# nmap -S 192.168.8.123 -e eth0 -Pn -sV -T4 -v -O 192.168.8.0/24 Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-16 20:46 CST NSE: Loaded 9 scripts for scanning. Initiating ARP Ping Scan at 20:46 Scanning 256 hosts [1 port/host] Completed ARP Ping Scan at 20:46, 1.55s elapsed (256 total hosts) Initiating Parallel DNS resolution of 256 hosts. at 20:46 Completed Parallel DNS resolution of 256 hosts. at 20:46, 0.00s elapsed Nmap scan report for 192.168.8.0 [host down] --CODE SNIP IT'S TOO LONG-- Nmap scan report for localhost (192.168.8.88) Host is up (0.0012s latency). All 1000 scanned ports on localhost (192.168.8.88) are filtered MAC Address: 12:34:56:78:90:12 (Unknown) Too many fingerprints match this host to give specific OS details Network Distance: 1 hop Nmap scan report for localhost (192.168.8.90) Host is up (0.021s latency). Not shown: 993 filtered ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open netbios-ssn 554/tcp open rtsp? 2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) MAC Address: 00:21:5D:F4:3A:D8 (Intel Corporate) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete No OS matches for host Network Distance: 1 hop Service Info: OS: Windows Nmap scan report for localhost (192.168.8.91) Host is up (0.0020s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp? 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP) MAC Address: 08:00:27:7E:C9:A3 (Cadmus Computer Systems) No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=5.59BETA1%D=9/16%OT=21%CT=1%CU=32221%PV=Y%DS=1%DC=D%G=Y%M=080027% OS:TM=4E73458A%P=i686-pc-linux-gnu)SEQ(CI=I%II=I%TS=0)SEQ(CI=I%II=I)OPS(O1= OS:M5B4NW0NNT00NNS%O2=%O3=%O4=%O5=%O6=)OPS(O1=NNT11%O2=%O3=%O4=%O5=%O6=)WIN OS:(W1=FAF0%W2=0%W3=0%W4=0%W5=0%W6=0)ECN(R=Y%DF=N%T=80%W=0%O=%CC=N%Q=)T1(R= OS:Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=80%S=O%A=O%F=AS%RD=0%Q=) OS:T1(R=Y%DF=Y%T=80%S=O%A=O%F=A%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O OS:=%RD=0%Q=)T3(R=Y%DF=N%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=80% OS:W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q= OS:)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=0%S=Z%A= OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUC OS:K=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z) Network Distance: 1 hop Service Info: OS: Windows Nmap scan report for localhost (192.168.8.92) Host is up (0.0014s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.16 ((Debian)) 111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000) MAC Address: 08:00:27:8E:01:56 (Cadmus Computer Systems) OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU No OS matches for host Network Distance: 1 hop Nmap scan report for localhost (192.168.8.94) Host is up (0.0026s latency). Not shown: 990 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 5.0 23/tcp open telnet Microsoft Windows 2000 telnetd 25/tcp open smtp Microsoft ESMTP 5.0.2195.2966 80/tcp open http Microsoft IIS httpd 5.0 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 443/tcp open https? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open NFS-or-IIS? 1026/tcp open LSA-or-nterm? MAC Address: 08:00:27:33:FD:68 (Cadmus Computer Systems) Device type: general purpose Running: Microsoft Windows 2000 OS details: Microsoft Windows 2000 SP0 Network Distance: 1 hop Service Info: Host: 2000sp2; OS: Windows Read data files from: /usr/local/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 256 IP addresses (6 hosts up) scanned in 127.68 seconds Raw packets sent: 9126 (410.968KB) | Rcvd: 4191 (169.016KB)
5. I give different color in nmap scan result. As you can see, in my subnet there's 5 hosts marked as up and alive. The first host(blue color) was my O.S with firewall installed. Below was the picture when my firewall detected some alert in my PC.
As you can see from the alert above, the firewall detected that connection came from IP Address 192.168.8.123 but the real scanner IP address was 192.168.8.93 that's because the -S, -e and -Pn switch I've used in scanning method.
6. When you do a scan, and you get some open port in 135 or 139 or 445 that machine should be a Windows machine.
Because nmap was also an application and created by human, so maybe there's some inaccurate result when this program scans the network especially when guess the Operating System.
7. If there's no open port 135 or 139 or 445, it should be another Operating System, maybe Linux or Mac OSX, Solaris, etc(see the brown color – 192.168.8.92). To know what operating system, actually there's many ways but here I will try simple banner grabbing by telnet to the opening port of that host.
There it is…that host was running a Debian Operating System. 🙂
1. Install a firewall to block requests from scanner
2. If you have some service running and there's an open port, mask or delete the server information when an error triggered.
Hope you enjoyed 🙂