Lab 2

Page 1: Lab 2

MIT210 – Information Systems Security and Assurance

Lab #2: Using Nmap for Network Inventory, Asset Management, Policy Compliance and Auditing

Student Name :

Date Due : June 25, 2011

Professor : Dr. Oliver C. Agustin

Objective: Learn how security tools such as Nmap can be used to perform compliance testing, inventory and asset management, security auditing and system administration.

Setup Lab Environment

This section guides you through setting up your Backtrack live DVD with VirtualBox so that you can capture screenshots, which are one of the deliverables in this lab exercise.

1. For this lab exercise, you can use the setup you already have from Lab #1, but first you have to install the Nmap available from the DVD resources provided for you (see the How To Run Nmap section). Alternatively, you can use the BackTrack ISO together with VirtualBox. The latter method is encouraged.

2. Steps for using the Backtrack ISO are provided below:

   1. Launch your VirtualBox software. You should see a window similar to the one shown below.

   2. Click New in the toolbar to launch the New Virtual Machine Wizard.

   3. Enter the following information, then click Next:

      VM Name and OS Type: Backtrack
      OS: Linux
      Version: Ubuntu (64-bit) or Ubuntu

   4. When asked for the size of memory, select the default value. You may increase this value if you like. Click Next.

   5. You will be asked to specify a virtual hard disk; uncheck the selection as shown. Click Next.

   6. A dialog box will be displayed telling you that you didn't attach any hard disk. Just ignore this warning and click Continue.

   7. Clicking the Finish button concludes the initial setup, but there is one more thing to do.

   8. Highlight the newly created virtual machine called Backtrack and click Settings.

   9. The Backtrack Settings window will be displayed; select Storage on the left pane.

   10. Click the button pointed to by the red arrow, and point it to the Backtrack ISO provided for you. The name of the ISO image is BT5-KDE-64.ISO (not mit210.iso; the ISO image BT5-KDE-64.iso is inside mit210.iso).

       Note: this ISO image is only available once you have burned the ISO image (mit210.iso) I provided for you. You may also access this file if you use a virtual CD/DVD manager such as Daemon Tools, PowerISO, etc.

   11. You should be able to boot your Backtrack OS by clicking the Start button on the toolbar.

       Note: For additional information on how to use the Backtrack DVD, you may google some tutorials from the Internet.

Uses of Nmap

Compliance Testing

Testing for compliance can be one of the most important detective security controls you perform in an enterprise infrastructure. The purpose of compliance testing is to measure the critical components of the organization against the policies and controls that govern them. Normally this function falls to either an internal or external audit team.

The audit team is responsible for staying on top of the latest requirements and also for ensuring that compliance testing is done in both an orderly and timely fashion. Much like designing and maintaining the policies themselves, compliance testing requires persistent and ongoing attention.

There are many different types of compliance testing where Nmap could be utilized as part of the solution. Some examples are:

- Testing for open ports on the interfaces of a firewall.
- Performing scans across workstation IP address ranges to determine if any unauthorized networking applications are installed.
- Determining if the correct version of web service is installed in your De-Militarized Zone (DMZ).
- Locating systems with open file sharing ports.
- Locating unauthorized File Transfer Protocol (FTP) servers, printers or operating systems.
- Any number of needs specific to the controls written around your organization's policies.

Inventory and Asset Management

Commercial applications exist that are designed to track assets, manage inventory counts, relay information about installed services, and monitor system uptime. Luckily for non-commercial application owners, this is another area where Nmap's ease of use pays off with excellent results. In a matter of minutes, an administrator can generate a scan request for a range of IP addresses, an entire subnet, or even re-scan pre-identified systems. The options for identifying services and Operating System (OS) type come in handy when you are trying to identify existing desktops or servers in the infrastructure.

Security Auditing

Security auditing can be defined as creating a set of controls specific to the technology or infrastructure being reviewed and then applying those controls, like a filter, to your environment. Any gaps in or outside that filter become audit points and could negatively impact the audit's overall assessment of your security framework.

Nmap can assist with such audit needs as:

- Auditing firewalls by verifying the firewall filters are operating properly.
- Searching for open ports on perimeter devices (perimeter being anything from Internet-edge, to extranet or intranet boundary lines).
- Performing reconnaissance for certain versions of services.
- Utilizing the OS detection feature to pin-point outdated or unauthorized systems on your networks.
- Discovering unauthorized applications and services.

System Administration

Although Nmap is normally seen as a go-to application for security professionals, its wide range of port scanning, service and OS identification capabilities make it perfect for the system administrator. If you decide to make Nmap available to administrators outside IT Security, keep in mind that this could increase unwanted scanning activity in your network.

How To Run Nmap

Prior to running Nmap, you should have completed the initial setup through VirtualBox. There are various methods in which you can run Nmap. We assume that our target machine is our desktop. They are as follows:

1. Running Nmap in the guest Windows XP OS via VirtualBox. You may use this method but there are some prerequisites:

   - To use Nmap using this method, you should install the nmap-5.51-setup.exe found in the DVD image (named mit210.iso) that was provided for you.
   - You can find the Nmap setup file inside the folder software.

2. Running Nmap through the Backtrack ISO image.

   - If you want access to more advanced security tools, this is preferred because it allows you to explore other tools that are available in the package.

3. Run Nmap on a different machine that is connected to the same network.

Visit http://insecure.org/nmap/nmap_doc.html for additional information on Nmap.

Exercises

The first step in any penetration test or attack is to locate targets. There is no better tool for this than Nmap. We will use Nmap for three different scans: ping, port and version. The ping sweep allows us to locate computers that are alive, the port scan provides information about open ports on a system, and the version scan tells us specifics about the services that are listening on those ports. The beauty of Nmap is that you have so much flexibility in the range of IP addresses you want to look at.

In the following tasks, you are not limited in the number of IP addresses to scan. It could be a private network or a public network.

Opening Backtrack

1. Launch VirtualBox, select Backtrack and click Start.

2. You will be presented with the following; simply press the Enter key.

3. After that, another set of boot options will be displayed; select the third option, Backtrack Forensics, and press Enter.

4. Your Backtrack Live DVD has successfully booted up. You can choose the command line approach to Nmap, or you could choose XWindows and launch Zenmap. Zenmap is the GUI version of Nmap. Type startx to proceed.

5. Ignore any popup dialog box that might be displayed (such as audio, etc.).

   Note: Before you proceed, make sure that you are able to ping your host. How?

   - Click the Backtrack Icon (Start Menu) -> System -> Konsole
   - Run "ping 192.168.10.1"; 192.168.10.1 is the IP address of the computer on which VirtualBox is running.
   - If the host is unreachable, make sure your host is connected to a network in which a DHCP server is available (for example, a wireless router or a win2k/2k3/2k8 server) and change the setting of the virtual machine (Settings -> Network) from NAT to BRIDGE. However, you should have no problem with your setup whether the virtual machine is configured to use BRIDGE or NAT.
   - If your problem is not resolved, Google for the solution.

6. Identify live hosts. Identify an IP address subnet or specific IP addresses, e.g. 10.146.150.1-10 for a range of IP addresses, or 192.168.0.10 for a single IP.

   To perform a ping sweep on addresses in the range 10.146.150.15-10.146.150.25, perform the following:

       nmap -T4 -n -sn 192.168.43.1-254

   The -n switch tells Nmap not to resolve host names, making the scan much faster. The -sn switch tells Nmap to perform a ping sweep (host discovery only, with no port scan).

   In Backtrack, click the Backtrack icon on the lower left -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Zenmap.

   In the example below, a range of IP addresses 192.168.43.1-254 was scanned.

7. Determine open ports and services. Once you have located systems that are alive, the next step is to see what services (and potential holes for exploit) exist on these systems. To do this, perform a port scan via the following command; in this example we choose 192.168.43.135, which the above screenshot shows is alive:

       nmap -n -sT 192.168.43.135

   This will perform a full TCP connection port scan on 192.168.43.135.

   The -sT switch tells Nmap to perform a full TCP connection (i.e. SYN, SYN-ACK, ACK, RESET) on ports deemed "interesting" per the Nmap build you are using. By default the ports included are 1-1025 plus ports above 1025 that are in the network-services configuration file.

   In some instances you may want to be a little stealthier and would use the -sS port scan. This tells Nmap to perform a SYN scan using SYN, SYN-ACK, RESET. This scan doesn't create a full TCP connection and as such usually doesn't get "logged".

   Please note that you can also perform a port scan against a range of targets using the IP address range options in Nmap. For example, if we want to perform a port scan across the IP addresses from 10.75.0.1 to 10.75.0.10 you would call:

       nmap -n -sT 192.168.43.1-254

   The following screenshot shows open ports and running services on the target machine with IP 192.168.43.135.

8. Identify versions of running services. In reality a port scan will only take you so far. It tells you that a host is listening on a specific port, but it doesn't give you any details beyond the "default" for that port.

   For example, port 80 is by default HTTP, but what is the specific server that is providing that access (IIS, Apache, etc.)? To get these details we perform a version scan via the following command:

       nmap -n -sV 192.168.43.135

   In the previous step, we identified open ports and running services. This step provides us with more detailed information on version numbers.

   In the second screenshot, take note of the Microsoft SQL Server 2008. The version number says 10.0.2531:SP1. If vulnerabilities exist for this version of SQL Server then it could be exploited to run malicious code on the target computer or, worse, gain full access to the server itself.

9. A final scan is to perform OS fingerprinting via:

       nmap -n -sV -O 192.168.43.135

   This will tell you the OS and version with very reliable accuracy. Now with the information provided by Nmap we can do the research to know how to exploit the target system.

   This is an OS fingerprint of a jailbroken iPhone OS version 3.2.2.

Deliverables:

1. The above processes in the exercises must be performed using your own range of IP addresses. From the detected live hosts, identify a single target. Screenshots should be attached for this single target only. For each step mentioned in the previous section, get a screenshot. Feel free to experiment with additional syntax and options.

2. Answer the following questions:

   - If you are to perform auditing in your network, how are you going to apply the concepts and ideas mentioned in this lab? For what specific purposes do you intend to use this acquired knowledge?
   - In your own LAN, make a report summarizing the following information:
     - IP Addresses
     - Hostname
     - Operating System
     - Running Services
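The report above can be built directly from Nmap's XML output (nmap -sV -O -oX scan.xml) instead of being copied by hand from screenshots. The script below is an added example, not part of the original lab handout: it parses a constructed sample of that XML into the IP / hostname / OS / running-services rows and flags the open file-sharing and unauthorized FTP services that the Compliance Testing section lists; the POLICY rules and the sample hosts are assumed for illustration.

```python
"""Parse Nmap XML (nmap -sV -O -oX scan.xml) into an inventory report and flag policy findings."""
import xml.etree.ElementTree as ET
# Constructed sample of Nmap XML output, trimmed to the elements the parser uses; not real scan data.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.43.135" addrtype="ipv4"/>
 <hostnames><hostname name="dbsrv.lab.local" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2008" version="10.00.2531; SP1"/></port>
 </ports><os><osmatch name="Microsoft Windows Server 2008" accuracy="96"/></os></host>
<host><status state="up"/><address addr="192.168.43.20" addrtype="ipv4"/><hostnames/>
 <ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
  <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
 </ports></host>
<host><status state="down"/><address addr="192.168.43.21" addrtype="ipv4"/></host>
</nmaprun>"""

# Assumed policy rules: service names the lab's Compliance Testing section lists as concerns.
POLICY = {"ftp": "unauthorized FTP server",
          "microsoft-ds": "open file sharing", "netbios-ssn": "open file sharing"}

def parse_inventory(xml_text):
    """Return one dict per live host: ip, hostname, os and its open services."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue                      # reported down by the ping sweep; nothing to inventory
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":   # closed/filtered ports are skipped
                svc = port.find("service").attrib if port.find("service") is not None else {}
                services.append({"port": int(port.get("portid")), "name": svc.get("name", ""),
                                 "product": svc.get("product", ""), "version": svc.get("version", "")})
        hosts.append({"ip": host.find("address[@addrtype='ipv4']").get("addr"),
                      "hostname": hn.get("name") if hn is not None else "",
                      "os": osm.get("name") if osm is not None else "unknown", "services": services})
    return hosts

def policy_findings(hosts):
    """Return (ip, port, finding) for every open service that matches a POLICY rule."""
    return [(h["ip"], s["port"], POLICY[s["name"]])
            for h in hosts for s in h["services"] if s["name"] in POLICY]

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_XML)
    for h in inv:   # one row per live host, in the order asked for in the report
        print(h["ip"], h["hostname"] or "-", h["os"], [f"{s['port']}/{s['name']}" for s in h["services"]])
    print(policy_findings(inv))
```

Replace SAMPLE_XML with the contents of your own scan.xml to produce the report for your LAN; hosts the ping sweep reported as down and ports that are not open are left out of the rows.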

Send to me via email at [email protected]

Enjoy!