Pentesting 101: Nmap

I worked with a guy who went onsite to install a router with information he was given from the local Internet Service Provider (ISP).  When he arrived onsite and he attempted to install the router, he was unable to connect to the Internet.  He and I went back and forth about the possible issues and after a few minutes, I asked him to text me the information he was given by the ISP.  When I looked at the message, it became immediately clear as to what was causing the problem. 

Not using the actual IP information, this will suffice:

IP Address:  255.255.255.0
Subnet:  192.168.168.10
Gateway:  192.168.168.1

You could look at this information and the problem might be completely obvious to you – or perhaps not.  The point being that to call this post a primer on pentesting would be to ignore the entire foundation where the majority of this work exists – the network. 

The other day, someone asked me how to get into pentesting and I suggested that in order to build a solid foundation, one would want to learn basic networking.  Without that knowledge, one could move forward but a lot of what is discussed could take an abstract form.  Eventually those pieces will sort of fit together but they will solidly interlock if that foundational knowledge of networking already exists.

As I now shift the focus to Nmap, the very first scan we are going to perform references a /24 subnet, which means something.  If this were a slightly larger network, we might scan a /23 subnet, which means something else.  Lacking this knowledge won't prevent you from performing the scan or understanding the output, but I could easily see someone missing an entire set of hosts if the subnet mask was 255.255.254.0 instead of 255.255.255.0.
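As an added illustration (not part of the original post), the Python below uses the standard ipaddress module to sanity-check a handout like the one above and to show exactly which hosts a /24 sweep never touches when the real network is a /23; the function names and sample values are constructed for this example.

```python
import ipaddress

# Constructed samples: the swapped ISP handout from the story above, and a corrected one.
BAD_HANDOUT = {"ip": "255.255.255.0", "mask": "192.168.168.10", "gateway": "192.168.168.1"}
GOOD_HANDOUT = {"ip": "192.168.168.10", "mask": "255.255.255.0", "gateway": "192.168.168.1"}

def check_handout(ip, mask, gateway):
    """Return a list of problems with an IP/mask/gateway triple (empty means usable)."""
    try:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:  # a non-contiguous "mask" such as 192.168.168.10 lands here
        return [f"invalid netmask {mask}: {exc}"]
    host, gw = ipaddress.IPv4Address(ip), ipaddress.IPv4Address(gateway)
    problems = []
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    return problems

def prefix_of(mask):
    """Dotted mask -> prefix length, e.g. 255.255.254.0 -> 23."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def hosts_covered(cidr):
    """Usable host addresses inside a scan target such as 192.168.86.0/24."""
    return len(list(ipaddress.IPv4Network(cidr).hosts()))

def missed_by_wrong_mask(true_cidr, scanned_cidr):
    """Hosts in the real network that a sweep of the narrower assumed network never touches."""
    scanned = ipaddress.IPv4Network(scanned_cidr)
    return [a for a in ipaddress.IPv4Network(true_cidr).hosts() if a not in scanned]

if __name__ == "__main__":
    print("bad handout:", check_handout(**BAD_HANDOUT))
    print("good handout:", check_handout(**GOOD_HANDOUT))
    for mask in ("255.255.255.0", "255.255.254.0"):
        cidr = f"192.168.86.0/{prefix_of(mask)}"
        print(f"{mask} -> {cidr}: {hosts_covered(cidr)} hosts")
    missed = missed_by_wrong_mask("192.168.86.0/23", "192.168.86.0/24")
    print(f"sweeping a /24 on a /23 misses {len(missed)} hosts ({missed[0]} .. {missed[-1]})")
```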

I’m done beating that dead horse.  Moving on…

nmap -sP -PI 192.168.86.0/24

The -sP flag tells Nmap we're not performing a port scan, only host discovery (newer Nmap releases spell this -sn, but -sP is still accepted).
The -PI flag tells Nmap we're performing an ICMP echo ping scan (-PI is the older spelling of -PE).
192.168.86.0/24 tells Nmap we're scanning our entire subnet.

In layman's terms, we're scanning our local network using a ping request, and when that request is received by a host, it will reply back to us.  Keep in mind that a host which drops ICMP echo requests (a common firewall default) will not show up in a sweep that relies on ping alone.

The output looks like this:

root@c2:/recon# nmap -sP -PI 192.168.86.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 06:50 PDT
Nmap scan report for u18.lan (192.168.86.175)
Host is up (0.00075s latency).
MAC Address: 6D:5E:90:35:25:81 (Unknown)
Nmap scan report for c2.lan (192.168.86.99)
Host is up.

Nmap done: 256 IP addresses (2 hosts up) scanned in 4.11 seconds

The target is u18.lan (192.168.86.175); c2.lan (192.168.86.99) is the machine running the scan, as the prompt shows.

What we do next is a matter of preference due to the number of flags available to us in Nmap.  The most basic scan we could perform looks like this:

root@c2:/recon# nmap 192.168.86.175
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 07:02 PDT
Nmap scan report for u18.lan (192.168.86.175)
Host is up (0.00029s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 6E:5D:90:36:26:82 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

This basic scan discovered two open ports: 22/tcp (ssh) and 80/tcp (http).  With no port option given, Nmap checks its 1,000 most common TCP ports, which is why the output reports 998 closed ports.

If we add some flags, we can dig a little deeper:

root@c2:/recon# nmap -sV -sT -O -A -p- 192.168.86.175 -oN output.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 07:03 PDT
Nmap scan report for u18.lan (192.168.86.175)
Host is up (0.00054s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 51:56:ec:6b:c5:cd:ef:ba:5f:fb:00:d4:cf:78:b0:b9 (RSA)
|   256 e8:95:f1:37:fc:6f:62:7a:08:ff:7c:39:2c:87:df:39 (ECDSA)
|_  256 fc:1e:12:5a:76:6c:52:7e:ae:06:31:29:c5:cb:3f:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 4.7.13
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: wordpress – Just another WordPress site
MAC Address: 6E:5D:90:36:26:82 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms u18.lan (192.168.86.175)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.97 seconds

The -sV flag tells Nmap we want to retrieve service and version information.
The -sT flag tells Nmap we want to perform a TCP connect scan (a full three-way handshake on each port; as root, the default would otherwise be the SYN scan, -sS).
The -O flag tells Nmap we want to perform OS detection.
The -A flag tells Nmap we want to perform an aggressive scan, which turns on OS detection, version detection, default script scanning and traceroute, so -sV and -O are already implied by it here.  I should also point out that when we view this option in the man pages, we see the following:
"However, because script scanning with the default set is considered intrusive, you should not use -A against target networks without permission."
The -p option is used for choosing ports or port ranges, and -p- tells Nmap to scan all 65,535 TCP ports.
192.168.86.175 is our target.
And finally, the -oN flag tells Nmap to save the scan in normal (human-readable) format to an output file, here output.txt.

It's worth pointing out that we are ONLY scanning TCP ports.

If this were a DNS server, which answers queries on UDP port 53, we could check that port with a UDP scan:

root@c2:/recon# nmap -sU -p 53 192.168.86.175
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 07:32 PDT
Nmap scan report for u18.lan (192.168.86.175)
Host is up (0.00085s latency).

PORT   STATE  SERVICE
53/udp closed domain
MAC Address: 6E:5D:90:36:26:82 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

The -sU flag tells Nmap we want to scan UDP ports.  Note that a UDP port is only reported closed when the host answers with an ICMP port unreachable, as it did here; a port that simply stays silent is reported open|filtered, which is why UDP results need more scrutiny than TCP ones.

Since this is not a DNS server, the response shows port 53 is closed.  But in our initial scan, we were ignoring UDP ports altogether.

Moving on to what we learned from the two separate scans: in our first scan, we see:

80/tcp open  http

But in our second scan we see:

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 4.7.13
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: wordpress – Just another WordPress site

By calling those additional flags, we uncover more information and not only do we learn that port 80 is open, we also reveal the following:

Ubuntu Server
OS details: Linux 3.2 - 4.9
Apache server, version 2.4.29
WordPress, version 4.7.13
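As an added example that is not part of the original post, the Python below parses a normal-format (-oN) report like the output.txt saved above into a structured inventory of open ports, versions, MAC and OS guess, so that findings like the list above can be pulled out mechanically and compared between scans. The sample text is a constructed excerpt of the scan output shown earlier, and the function and regex names are mine.

```python
import re
# Constructed sample: an excerpt of the normal (-oN) output saved by the scan above.
SAMPLE_OUTPUT = """\
Nmap scan report for u18.lan (192.168.86.175)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 fc:1e:12:5a:76:6c:52:7e:ae:06:31:29:c5:cb:3f:08 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 4.7.13
MAC Address: 6E:5D:90:36:26:82 (Unknown)
OS details: Linux 3.2 - 4.9
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")  # NSE result line such as |_http-generator: ...

def parse_nmap_normal(text):
    """Parse -oN output into {ip: {hostname, mac, os, ports}}, one entry per 'Nmap scan report'."""
    hosts, host, port = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            ip = m.group(2) or m.group(1)  # the report line may lack a hostname
            host = hosts.setdefault(ip, {"hostname": m.group(1) if m.group(2) else None,
                                         "mac": None, "os": None, "ports": []})
            port = None
        elif host is None:
            continue  # banner lines before the first report
        elif m := PORT_RE.match(line):
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip(), "scripts": {}}
            host["ports"].append(port)
        elif (m := SCRIPT_RE.match(line)) and port is not None:
            port["scripts"][m.group(1)] = m.group(2)  # fingerprint continuation lines do not match
        elif line.startswith("MAC Address:"):
            host["mac"] = line.split()[2]
        elif line.startswith("OS details:"):
            host["os"] = line.split(":", 1)[1].strip()
    return hosts

def open_services(hosts):
    """Flatten to (ip, port/proto, service, version) rows for every open port: an exposure inventory."""
    return [(ip, f"{p['port']}/{p['proto']}", p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]

if __name__ == "__main__":
    for row in open_services(parse_nmap_normal(SAMPLE_OUTPUT)):
        print(*row)
```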

The next steps we take wouldn’t necessarily be driven by any of this information but I have some ideas in my head as to where I might be headed.  In other words, I’m staring at WordPress but I won’t let it distract me from completely enumerating the web port to gather all of the pieces to this puzzle.