Once you have
Companion Web Site
There are a variety of
This section is not
The Nmap tool, as we mentioned earlier, is a robust port scanner that is capable of performing a
TCP SYN scan
A TCP SYN packet is sent to a specific port as if to set up a TCP connection with the target host. A returned SYN/ACK-flagged TCP packet indicates the port is
A UDP scan (Nmap's -sU) typically sends an empty UDP datagram to each UDP port on the target. If the port answers with a UDP packet, an active service is listening and the port is reported open. If the target answers with an ICMP port unreachable message, the port is closed. If nothing comes back at all, Nmap cannot tell an open service that ignored the empty probe from a firewall that dropped it, so the port is reported as open|filtered; this is why UDP scan results usually need a follow-up service probe before they are believed.
As an example, let's focus on one of the actual Internet-exposed Cisco CallManager systems we identified in Chapter 1 through Google hacking. Here is what a simple TCP SYN scan looks like (this is the default scan type for Nmap when it runs with the privileges needed for raw sockets; an unprivileged user gets a TCP connect scan instead):
% nmap [X.X.X.X]

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-24 09:12 CST
Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http
443/tcp  open   https
1720/tcp open   H.323/Q.931
2000/tcp open   callbook
2001/tcp open   dc
2002/tcp open   globe
A Cisco CallManager system that employs Cisco's proprietary SCCP (Skinny) protocol will typically respond on TCP ports 2000-2002. By using the -sV option for service detection in Nmap, we can find out more about the target services and confirm our guess that this is a Windows host running Cisco CallManager:
% nmap -sV [X.X.X.X]

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-30 15:13 CST
Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE    VERSION
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http       Microsoft IIS webserver 5.0
443/tcp  open   ssl/http   Microsoft IIS webserver 5.0
1720/tcp open   tcpwrapped
2000/tcp open   callbook?
2001/tcp open   dc?
2002/tcp open   globe?
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 112.869 seconds
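The two scans above are the raw material for the "is this a CallManager?" judgment, and in practice you will make that judgment over dozens of hosts, not one. The following is an added example (not code from the original chapter) that parses Nmap's normal-output port table into structured records and applies the heuristic stated in the text: a host with TCP 2000, 2001 and 2002 all open is a likely SCCP server. The two sample outputs embedded below are copied from the scans shown on this page; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# One line of Nmap's normal-output port table, e.g.
#   "443/tcp  open   ssl/http   Microsoft IIS webserver 5.0"
# Group 5 (the VERSION column) is only present after a -sV scan.
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(\S+)(?:\s+(.*\S))?\s*$"
)


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str = field(default="")


def parse_nmap_ports(text):
    """Extract the PORT/STATE/SERVICE[/VERSION] rows from Nmap normal output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append(PortResult(int(m.group(1)), m.group(2), m.group(3),
                                      m.group(4), m.group(5) or ""))
    return results


def open_ports(results, proto="tcp"):
    """Sorted list of ports in state 'open' for the given protocol."""
    return sorted(r.port for r in results if r.proto == proto and r.state == "open")


def looks_like_callmanager(results):
    """Heuristic from the text: SCCP (Skinny) servers answer on TCP 2000-2002."""
    return {2000, 2001, 2002}.issubset(open_ports(results, "tcp"))


# Sample Nmap output, copied from the scans shown in this chapter.
CALLMANAGER_SYN = """\
Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http
443/tcp  open   https
1720/tcp open   H.323/Q.931
2000/tcp open   callbook
2001/tcp open   dc
2002/tcp open   globe
"""

ASTERISK_SV = """\
Interesting ports on 192.168.1.103:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 1.2.1
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
80/tcp   open  http    Apache httpd 2.0.46 ((CentOS))
111/tcp  open  rpcbind 2 (rpc #100000)
113/tcp  open  ident   authd
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Unix
"""

if __name__ == "__main__":
    for name, text in (("CallManager", CALLMANAGER_SYN), ("Asterisk", ASTERISK_SV)):
        ports = parse_nmap_ports(text)
        print(name, "open tcp:", open_ports(ports),
              "SCCP heuristic:", looks_like_callmanager(ports))
```

Run against saved `nmap -oN` files, this is enough to triage a subnet's worth of scans for hosts worth the slower -sV pass; the heuristic is deliberately conservative (all three Skinny ports), because a single open 2000/tcp is shared with too many other products to mean much.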
The definitions of the following
Open An application is actively accepting TCP connections or UDP packets on this port.
Closed A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
Filtered Nmap cannot determine whether or not the port is open because packet filtering
Open|filtered Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response, such as the UDP scan.
Closed|filtered This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
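To make the UDP states concrete, here is an added example (not part of the original chapter) that implements a single-port UDP probe with the same decision logic Nmap uses for -sU: a UDP reply means open, an ICMP port unreachable means closed, and silence means open|filtered. It uses a connected UDP socket so the kernel reports the ICMP unreachable as ECONNREFUSED on the next receive, which avoids raw sockets. The loopback fixtures (a responding service, a silent listener, and a port nobody has bound) are constructed for the demonstration; `udp_probe` and `demo` are my names, not Nmap's.

```python
import socket
import threading

TARGET = "127.0.0.1"  # constructed stand-in for the Asterisk host in the text


def udp_probe(host, port, timeout=1.0, payload=b""):
    """Classify one UDP port the way Nmap's -sU scan does.

    Nmap sends an empty datagram (or a protocol-specific probe) and decides:
      any UDP datagram back           -> "open"
      ICMP port unreachable           -> "closed"
      nothing within the timeout      -> "open|filtered"
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors surface as exceptions
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def start_fixture(respond):
    """Bind an ephemeral loopback UDP port. With respond=True the thread answers
    every datagram (an 'open' service); with respond=False it swallows them,
    which to a scanner is indistinguishable from a firewall drop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((TARGET, 0))
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                _data, peer = srv.recvfrom(1024)
            except OSError:
                return
            if respond:
                # constructed reply; a real SIP stack would answer an empty probe differently
                srv.sendto(b"SIP/2.0 400 Bad Request\r\n\r\n", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port():
    """Find a UDP port that is currently unbound so the kernel answers with ICMP unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((TARGET, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe the three fixtures and return {fixture_name: state}."""
    open_srv, open_port = start_fixture(respond=True)
    silent_srv, silent_port = start_fixture(respond=False)
    closed_port = free_closed_port()
    results = {
        "responding service": udp_probe(TARGET, open_port),
        "silent listener": udp_probe(TARGET, silent_port),
        "unbound port": udp_probe(TARGET, closed_port),
    }
    open_srv.close()
    silent_srv.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:20s} -> {state}")
```

The silent-listener case is the one to internalize: a real service that ignores an empty datagram and a firewall that drops it produce identical results, which is exactly why the Asterisk scan later in this section reports every interesting UDP port as open|filtered rather than open.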
TCP Wrapper is a public domain computer program that provides firewall services for UNIX servers and
Let's go back to our internal SIP test bed and scan our SIP Asterisk server (192.168.1.103). Using Nmap scans with just the default options can often leave
[root@attacker]# nmap -P0 -sV 192.168.1.103

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-19 21:49 CST
Interesting ports on 192.168.1.103:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 1.2.1
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
80/tcp   open  http    Apache httpd 2.0.46 ((CentOS))
111/tcp  open  rpcbind 2 (rpc #100000)
113/tcp  open  ident   authd
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)
Service Info: OS: Unix

Nmap finished: 1 IP address (1 host up) scanned in 6.437 seconds
Now let's try a UDP scan (-sU) with Nmap to see what other ports we can find:
Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 05:26 EST
Interesting ports on asterisk1 (192.168.1.103):
(The 1473 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
67/udp    open|filtered dhcpserver
69/udp    open|filtered tftp
111/udp   open|filtered rpcbind
123/udp   open|filtered ntp
784/udp   open|filtered unknown
5060/udp  open|filtered sip
32768/udp open|filtered omad

Nmap finished: 1 IP address (1 host up) scanned in 1.491 seconds
Notice that the UDP scan turned up DHCP and TFTP (UDP ports 67 and 69, respectively) on this server. Nmap reports them as open|filtered rather than open because the empty probe drew no reply, but since the other 1473 ports answered with ICMP port unreachable (state: closed), the silence on these few is a strong hint that a service is actually listening. This will come in handy in the next chapter once we start to enumerate these types of critical VoIP support services.
Even though we also see UDP port 5060 (SIP) in that same open|filtered state, there really is not enough information in these scans to truly determine the exact type of VoIP device. Now you can start to see the need for further investigation, otherwise known as
which is covered in the next chapter. In a
As an interesting aside, for some reason, several
Using a non-Internet-addressable IP address scheme (a la RFC 1918, Address Allocation for Private Internets) will prevent many types of incoming Internet probes; however, as we stressed in the first chapter, obtaining internal access to your network is often a trivial task for the attacker.
From a network perspective, the first step in preventing internal scanning of your infrastructure is to apply appropriate firewall rules according to your security policy. Logically separating your network through VLANs can, for example, help prevent contractors from being able to scan your
From a host-based perspective, fine-tuning firewall access control rules and disabling unnecessary services is the best defense against scanning, as well as enumeration, which we'll talk about in the next chapter.