Reconnaissance and IP Discovery using Nmap
Introduction
What is Reconnaissance?
Reconnaissance, also identified as ‘cyber reconnaissance, is the process of collecting information about potential targets, vulnerabilities, assets in the digital domain, and attack vectors, which is a critical phase in the cyberattack lifecycle. The information gathered in this phase is used to plan and execute cyberattacks with greater effectiveness. In the early days, reconnaissance was initially employed for legitimate purposes such as system analysis and network management. But as networks expanded and security measures advanced, this process is used for malicious activities by cybercriminals. Now, cyber reconnaissance has become an integral part of cyber warfare and cybercrime.
Cyber reconnaissance consists of two types of components, which are Passive Reconnaissance and Active Reconnaissance. Passive reconnaissance involves collecting data about targets without actively engaging with them. Gathering information about DNS records and IP addresses is an example of passive reconnaissance. Active reconnaissance involves probing the targets directly. Common techniques involved in active reconnaissance are port scanning, vulnerability scanning, and enumeration.
What is IP Discovery?
IP discovery is the process of identifying and mapping IP addresses within a network. This is part of active reconnaissance, where network administrators, cybersecurity professionals and cybercriminals gain visibility into all devices and systems connected to the network. IP discovery can be done using various techniques.
Which includes,
1. ARP scanning is used to discover devices on LAN by mapping IP addresses to MAC addresses.
2. SNMP: used to query network devices for their IP addresses and other information.
3. Port Scanning: used to gather information about ports on a targeted device. Tools like Nmap, Angry IP Scanner, Masscan, and ZMap are used to scan target networks, identify open ports, and discover services running on those ports.
4. DHCP Logs: used to identify assigned IP addresses and their corresponding devices.
What is Nmap?
Nmap (Network Mapper) is a free and open-source tool for IP discovery (especially port scanning). Nmap is written by Gordan Lyon using C, C++, Python and Lua. Nmap provides features like identifying what hosts are available on the network, what services (application name and version) those hosts are running, what OS they are running, etc. It is designed to rapidly scan large networks and runs on all major operating systems. Nmap is commonly used for security auditing, network inventory, network mapping, maintenance and asset management, finding and exploiting vulnerabilities in a network, DNS queries, subdomain search and more.
Features included in Nmap:
· Host discovery: identifying hosts on a network (hosts responds to TCP and/or ICMP requests)
· Port Scanning: enumerating the open ports on target hosts.
· Ping Scan: check host using ping request.
· TCP/IP stack fingerprinting: determining the operating system and hardware characteristics of network devices.
· Scriptable interaction: using Nmap Scripting Engine (NSE) and Lua programming language.
Before using Nmap
Before using Nmap for IP discovery, it needs to be installed on our operating system. Installation can be done by building from source or using pre-built binaries for specific OS.
1. Built using source (https://github.com/nmap/nmap):
clone the Nmap repository in any directory.
git clone https://github.com/nmap/nmap
cd into repository folder and type below commands in shell
cd nmap
make
make install
2. Using pre-built binaries:
· For Windows: comes with Windows self-installer. Simply run the installer file and let it walk you through panels for choosing an install path and installing Npcap. (Also, you can use the Nmap zip binaries). Windows installer comes with Zenmap GUI as an additional feature for command line Nmap tool. (https://nmap.org/dist/nmap-7.95-setup.exe)
· For Mac OS: Nmap binaries for Apple macOS are distributed as a disk image file containing an installer. It will install Nmap, Zenmap, Ncat and NDiff. (https://nmap.org/dist/nmap-7.95.dmg)
· For Linux: If you are using Kali Linux, Nmap is already installed, so there is no need to install it separately.
If you are using Debian or Ubuntu based systems, you can install Nmap directly using APT. To do this, you need a user with sudo privileges.
sudo apt-get install nmap
If you’re using Red Hat or Fedora based systems, Yum can be used to install Nmap, as shown below.
sudo yum install nmap
Finally, verify the installation was successful and determine the current Nmap version:
nmap --version
Now, you are good to go!!!
Scanning using Nmap, Observations and Results
For demonstration purposes, I will use both a Kali Linux machine and Windows machine. All the scanning involves against the author’s local area network. Does not include any public IP addresses scanning
Basic Scanning
- Scanning a single target with no command line options
Command:
nmap [Target IP Address]
Example:
nmap localhost
Observations and results:
Nmap scanned the first 1000 ports on the target device and identified 3 open ports running services, with the remaining 997 ports being closed.
Identified services:
· ftp — PORT 21
· http — PORT 80
· postgresql — PORT 5432
2. Scanning multiple targets at once
Command:
nmap [target IP Address 1] [target IP Address 2] … [target IP Address n]
Example:
nmap 10.0.2.15 192.168.8.146 192.168.8.1
Observations and results:
Nmap has identified 2 out of 3 IP addresses as being up and running. It has also listed the open ports and their corresponding services on these hosts, all of which are running on TCP. Furthermore, the host with IP address 10.0.2.15 has 998 closed TCP ports, while the host with 192.168.8.1 has 995 filtered ports.
3. Scanning open ports of IP addresses of a subnet
Command:
nmap [Network Address/CIDR]
Example:
nmap 192.168.8.0/24
Observations and results:
Nmap has scanned the entire /24 subnet and identified three hosts that are up and running in the specified subnet. However, only 2 hosts have open TCP ports. Nmap has also identified the MAC addresses of these devices’ interfaces. Nmap has listed the services running on the open ports of those hosts.
Identified services on 192.168.8.1
· domain (DNS)—PORT 53
· http — PORT 80
· https — PORT 443
· sip — PORT 5060
· sun-answerbook — PORT 8888
Identified services on 192.168.8.146
- msrpc — PORT 135
- netbios-ssn — PORT 139
- microsoft-ds — PORT 445
- iss-realsecure — PORT 902
- apex-mesh — PORT 912
- mysql — PORT 3306
- wsdapi — PORT 5357
- postgresql — PORT 5432
- realserver — PORT 7070
- http-proxy — PORT 8080
Option Fine-Tuning
- Scanning all ports on a single target
Command:
sudo nmap -p "*" [Target IP Address]
Example:
sudo nmap -p "*" 192.168.8.146
Observations and results:
Scan all the ports of the target device and identify 14 services running on those open TCP ports up to 33060.
Identified services:
· msrpc — PORT 135
· netbiod-ssn — PORT 139
· microsoft-ds — PORT 445
· iss-realsecure — PORT 902
· apex-mesh — PORT 912
· mysql — PORT 3306
· opsession-prxy — PORT 3307
· wsdapi — PORT 5357
· postgresql — PORT 5432
· realserver — PORT 7070
· pando-pub — PORT 7680
· http-proxy — PORT 8080
· mysqlx — PORT 33060
2. OS detection of a single target
Command:
nmap -O [Target IP Address]
Example:
nmap -O 192.168.8.1
Observations and results:
Nmap scanned the target device and detected that it was running a Linux-based operating system. Nmap also found that the Linux kernel version is 3. * and the device is only one hop away from the source device. Additionally, Nmap retrieved the MAC address of the device and the technology used in the network interface, which is ‘Shenzhen Tozed Technologies’.
3. Service version detection & OS detection
Command:
sudo nmap -O -sV [Target IP Address]
Example:
sudo nmap -O -sV 192.168.8.146
Observations and results:
The Nmap scan output for the IP address 192.168.8.146 shows detailed information about open ports, services, and potential device characteristics.
There are 990 filtered TCP ports.
Also, identify that the device is either bridge, general purpose device, or a switch.
The operating system is like Windows, as indicated by various Microsoft-related services.
The device is highly likely to be running in a virtualized environment, with the following guesses:
· Oracle VirtualBox (96%)
· QEMU (91%)
· Bay Networks embedded (86%)
Identified services and their versions:
· Microsoft Windows RPC — PORT 135
· Microsoft Windows netbios-ssn — PORT 139
· microsoft-ds — PORT 445
· VMWare Authentication Daemon 1.10 (Uses VNC, SOAP) — PORT 902
· VMWare Authentication Daemon 1.0 (Uses VNC, SOAP) — PORT 912
· MySQL — PORT 3306
· Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) — PORT 5357
· PostgreSQL DB 9.6.0 or later — PORT 5432
· realserver — PORT PORT 7070
· Apache httpd — PORT 8080
4. Verbose aggressive scanning with timing template
Command:
nmap -T4 -v -A [Target IP Address]
Example:
nmap -T4 -v -A 192.168.8.146
Observations and results:
When using the verbose (-v) option, Nmap shows the ongoing task and intermediate results while scanning the target(s). In addition to the usual details like service version and OS identification scan, Nmap also provides some TLS/SSL information about certain services.
The ‘realserver/ssl’ service running on port 7070 uses an SSL certificate with the common name ‘Any Desk Client’, a public key of RSA 2048 bits, and the RSA signature algorithm with SHA-256.
Furthermore, it was found that the HTTP server running on port 8080 only supports the GET, POST, HEAD, OPTIONS, and TRACE HTTP methods. The TRACE method is considered risky.
Script Utilization
General Command:
sudo nmap - script [script 1,script 2,etc|"expression"] [Target IP Address]
- Checks target for commonly exploited vulnerabilities script utilization (‘vlun’ script)
Command:
sudo nmap - script vuln [Target IP Address]
Example:
sudo nmap - script vuln 192.168.8.146
Observations and results:
Vulnerabilities identified:
1. http-slowloris-attack
· Vulnerability: Slowloris DOS attack
· State: likely vulnerable
· Description: Slowloris attempts to keep many connections to the target web server open, starving the server’s resources and causing a Denial of Service.
· CVE ID: CVE-2007-6750
2. http-enum
· Observation: potentially interesting folder ‘/images/’ with directory listing
3. http-trace
· Observation: TRACE method is enabled, which can pose a security risk as it may be used in Cross-Site Tracing Attacks (XST).
Interpretation and Insights about findings
Target with IP address 192.168.8.146
· The presence of open ports like 135, 139, and 445 associated with various Windows services.
Which are,
Port 135: Microsoft Windows RPC — Microsoft’s implementation of the Remote Procedure Calls (RPC) call system
Port 139: NetBIOS Session Service — provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. (vulnerable to Dos and MitM attacks like NetBIOS Spoofing and Poisoning attacks)
Port 445 — Microsoft Directory Service — service that allows direct hosting of file sharing and various network services without need for NetBIOS over TCP/IP. (vulnerable to SMVv1 and RCE attacks)
These services indicate that this target device might be part of a Windows network.
Also, targets could be vulnerable to SMB attacks such as RCE, DoS and SMB information disclosure.
most famous SMB vulnerabilities include EternalBLUE, SMBGhost, SMB Relay Attacks, SMB Null Sessions, etc.
· Open MySQL port (3306) suggests that a database service is running, which could be a potential target if not properly secured, especially since it’s marked as unauthorized.
· Also, PostgreSQL and Apache HTTP server running on ports 5432 and 8080, respectively, indicate additional services that might require security review. Regular security patches and web application firewall (WAF) rules should be applied to secure these services.
· The high confidence in Oracle VirtualBox and QEMU (VMWare Authentication Service) suggests that the host might be running multiple virtual machines.
Vulnerabilities identified:
· HTTP Slowloris vulnerability: Apache server in port 8080 is likely vulnerable to a Slowloris DOS attack. This vulnerability can cause a denial of service by keeping connections open and exhausting system resources. By limiting the number of simultaneous connections from a single IP address and using a firewall to filter malicious traffic, you can prevent this kind of attack.
· TRACE method enabled: enabling the TRACE method could be exploited in XSY attacks. Disabling the TRACE method in the configuration is recommended.
· Directory listing: The ‘/images’/ directory on the server is accessible and lists its contents, which could expose sensitive information or serve as a vector for further attacks. Directory listing should be disabled.
Target with IP address 192.168.8.1
· DNS Service running on open port 53 suggests that target could be a router or DNS server.
Security implication: ensure the DNS server is configured securely to prevent DNS spoofing, cache poisoning and other DNS attacks.
· An HTTP service running on open port 80 indicates that this could be a router, web server, or web-based management interface.
Security implications: HTTP traffic is not encrypted, making it susceptible to interception and eavesdropping. We should redirect HTTP traffic to HTTPS to secure communications.
· HTTPS service running on port 443 suggests that the target could be a secure web server or router.
Security implications: ensure the SSL/TLS certificates are valid and up-to-date to avoid man-in-the-middle attacks.
· Session Initiation Protocol (SIP) running on port 5060 is used to initiate, maintain, and terminate real-time communication sessions such as voice, video, and messaging applications.
Security implications: SIP can be vulnerable to various attacks, such as SIP flooding, registration hijacking, and eavesdropping. Enabling encryption and rate limiting could prevent these attacks.
· Sun Answerbook, running on open port 8888, is used for online documentation by Sun Microsystems. Less commonly used in modern networks.
Summary and Conclusion
In conclusion, reconnaissance plays a crucial role in the cyberattack lifecycle, and IP discovery is an essential component of active reconnaissance. Nmap, with its robust features for IP discovery and port scanning, serves as an invaluable tool for network administrators, cybersecurity professionals, and even cybercriminals. Understanding these concepts is vital for maintaining network security and mitigating potential cyber threats. As technology continues to evolve, staying informed about reconnaissance techniques and tools like Nmap is essential for safeguarding digital assets and infrastructure.
Nmap is a versatile tool for IP discovery in modern networks that offers numerous features. Its simplicity, portability, and flexibility make it an accessible option for network administration, security assessments, and network monitoring. It provides a command line interface for user interaction and allows for script utilization and option fine-tuning, enabling more powerful scans on target hosts. Moreover, its OS detection and service version detection capabilities are very useful for identifying and fingerprinting target hosts.
Summary of findings:
The Nmap scan for 192.168.8.146 reveals open ports associated with Windows services (135, 139, 445), indicating potential vulnerabilities to SMB attacks like RCE and DoS. The presence of MySQL (3306), PostgreSQL (5432), and an Apache server (8080) suggests a need for security reviews and regular patching. Identified vulnerabilities include a Slowloris DOS risk, the enabled TRACE method (posing XST risks), and accessible directory listings.
For 192.168.8.1, DNS service on port 53 suggests the device might be a router or DNS server, requiring secure configuration. The HTTP service on port 80 should be redirected to HTTPS, and the HTTPS service on port 443 needs valid SSL/TLS certificates. The SIP service on port 5060 indicates real-time communication capabilities that require encryption and rate limiting. The Sun Answerbook service on port 8888 is noted but is less commonly used.
Conclusion of findings:
To enhance security, address SMB vulnerabilities, secure database services, and mitigate HTTP-related risks for 192.168.8.146. For 192.168.8.1, secure DNS configurations, ensure HTTPS usage, and safeguard SIP services. These steps will significantly strengthen the network’s security posture.
References
Marsh, N. (2015). Nmap 6 Cookbook: The Fat-free Guide to Network Scanning. Poland: Amazon Fulfillment.
Official Nmap website: https://nmap.org/
Wikipedia Site: https://www.wikipedia.org/
Disclaimer:
This report provides an analysis of IP discovery and reconnaissance techniques using Nmap (Network Mapper) for informational purposes only. The findings and methodologies presented herein are based on our independent assessment and interpretation of Nmap’s capabilities as of June 2024.
Certain personally identifiable information (PII) has been redacted from this report due to its confidential nature. All reconnaissance processes described herein were conducted exclusively within a controlled local area network environment. No assessments or activities were directed towards any public IP addresses during this assessment.
Ethical Considerations:
The techniques discussed in this report are intended for legitimate network management, security auditing, and educational purposes. Any unauthorized or unethical use of Nmap or similar tools for malicious activities is strongly discouraged and may violate legal and ethical standards.
Usage and Liability:
Readers are advised to exercise caution and adhere to applicable laws and regulations when using Nmap or similar tools for network reconnaissance. The authors and contributors of this report are not liable for any misuse or consequences resulting from the application of the techniques described herein.