3. Trigger of this presentation
I wrote an article about Nmap in the May 2016 issue of Software Design.
Today I will talk about the things I noticed while writing that article.
(In this presentation, where no version is given, v7.12 is meant.)
4. At first
I will introduce 8 hidden options of Nmap, and only one type of malware (a worm) that Nmap can detect. I will also talk about how to use Nmap well.
8 hidden options + 1 type of malware = 9 truths
5. Nmap
One of network scanners. Gordon
Lyon developed it in 1997.
- Portscan
- Searching Hosts
- Detect OS, Services
- Vulnerability Scan
6. 8 hidden options
Nmap has hidden options that are not listed in the Reference Guide or in the help output.
12. --noninteractive
While a scan is running we can turn on packet tracing by pressing 'p', and likewise turn on an option we forgot or turn off a designated one, interactively.
13. --noninteractive
Nmap's runtime interaction lets us confirm, when a scan is very slow, that Nmap is running properly by enabling some options temporarily.
--noninteractive disables it.
18. --nogcc
Nmap sends packets to the designated segment(s) all at once, so the scan time is short.
Average time of 10 scans (/24, SYN scan):
no option   : 9.62 sec
with --nogcc: 3.73 sec
20. --nogcc
Filtered hosts and hosts on which some service is running are not detected.
no option   : 9 hosts
with --nogcc: 7 hosts
※ Because of a slow ARP response, one host is not detected; the --send-ip option resolved the situation.
22. --nogcc
scan_engine.cc, lines 394-403:
    /* In case the user specifically asked for no
       group congestion control */
    if (o.nogcc) {
      if (when)
        *when = USI->now;
      return true;
    }
23. --nogcc
Three points of congestion control in
Nmap.
• congestion window
• exponential backoff
• slow start
24. --nogcc
• congestion window
  → if a drop is detected, reduce the amount of packets in flight
• exponential backoff
  → if a drop is detected, slow down dramatically
• slow start
  → speed the scan up gradually
25. --nogcc
With the --nogcc option Nmap sends its scan packets all at once, so the load can increase. And because no reaction to congestion is provided, precision drops, which can lead to false negatives.
The option for naughty people.
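A simplified simulation, added here as an example (it is not Nmap's own scan_engine.cc logic), of the three mechanisms named on slides 23-24 and of what --nogcc gives up. The path capacity of 64 probes per round, the retry limit of 3 and the 256-probe scan are constructed values.

```python
from collections import deque

def simulate_scan(num_probes, nogcc, capacity=64, max_tries=3):
    """Simplified model (not Nmap's code) of group congestion control versus --nogcc.
    A constructed path delivers at most `capacity` probes per round and drops the
    rest; a dropped probe is retried up to max_tries times and is then counted as
    missed, i.e. a false negative. Returns dict(time, peak_in_flight, drops, missed)."""
    queue = deque((i, 1) for i in range(num_probes))   # (probe id, attempt number)
    cwnd, ssthresh, timeout = 1, num_probes, 1.0      # slow start: window begins at 1
    time = peak = drops = missed = 0
    while queue:
        burst = len(queue) if nogcc else min(cwnd, len(queue))
        sent = [queue.popleft() for _ in range(burst)]
        peak = max(peak, burst)
        answered, dropped = sent[:capacity], sent[capacity:]
        drops += len(dropped)
        for probe_id, attempt in dropped:
            if attempt < max_tries:
                queue.append((probe_id, attempt + 1))  # retransmit in a later round
            else:
                missed += 1                            # gave up: false negative
        time += timeout
        if nogcc:
            continue                                   # no reaction to congestion at all
        if dropped:
            ssthresh = max(1, cwnd // 2)
            cwnd = ssthresh                            # congestion window: cut the load
            timeout *= 2                               # exponential backoff: slow down hard
        elif cwnd < ssthresh:
            cwnd += len(answered)                      # slow start: ramp up quickly
        else:
            cwnd += 1                                  # congestion avoidance: ramp up gently
    return {"time": time, "peak_in_flight": peak, "drops": drops, "missed": missed}

if __name__ == "__main__":
    for mode in (False, True):
        print("nogcc" if mode else "gcc  ", simulate_scan(256, nogcc=mode))
```

The --nogcc run finishes in a quarter of the time but fires four times the load at the path and loses 64 probes for good, which is the trade-off slides 18 and 20 measured.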
37. -oH
The option for output in HTML format. If escaping is incomplete, it can lead to XSS.
38. -oH
From 2.30BETA16 to 3.93:
    } else if (strcmp(long_options[option_index].name, "oH") == 0) {
      fatal("HTML output is not yet supported");
※ I did not check this in all versions.
39. -oH
From 3.94ALPHA1 to 7.12:
    } else if (strcmp(long_options[option_index].name, "oH") == 0) {
      fatal("HTML output is not directly supported, though Nmap includes an XSL "
            "for transforming XML output into HTML. See the man page.");
※ I did not check this in all versions.
43. --ff
The option for 16-byte fragmentation. The "-f" option in the reference is for 8-byte fragmentation.
44. --ff
With both "-f" and "--ff", the fragment byte amount is increased:
    } else if (strcmp(long_options[option_index].name, "ff") == 0) {
      o.fragscan += 16;
52. --deprecated-xml-osclass
Some option names contain symbols such as hyphens. Which of these can be given to specify the maximum delay time?
① --max-scan-delay
② --max_scan_delay
53. --deprecated-xml-osclass
Both work.
All Nmap options can be specified with either hyphens or underscores. But mixing the two is absolutely the wrong way.
54. --deprecated-xml-osclass
nmap.cc, lines 597-598: there are definitions for both the underscore and the hyphen spelling.
    {"max_scan_delay", required_argument, 0, 0},
    {"max-scan-delay", required_argument, 0, 0},
deprecated-xml-osclass has both definitions, too.
55. --deprecated-xml-osclass
I introduce the comment at osscan.cc line 1209, which fits my feeling on finding this bug.
59. --deprecated-xml-osclass
If you actually use this mixed option, you will see this:
nmap: unrecognized option '--max_scan-delay'
See the output of nmap -h for a summary of options.
60. --deprecated-xml-osclass
There is a mistake only in the Japanese reference guide!!
62. --deprecated-xml-osclass
There are 11 versions between v3.75 and v3.99 (2006/1/25). All 11 versions supported only the underscore; there was no mix.
This fact shows that it is merely a typo.
69. Service Scan
Service scan (the -sV option) has an intensity (--version-intensity). The default intensity is 7, but we can specify 0-9.
70. Service Scan
nmap-service-probes holds the port numbers and fingerprints. The rarity in this file corresponds to the intensity.
71. Service Scan
There are 126 patterns in nmap-service-probes.
[Bar chart: Num (0 to 60) by Rarity (None, 1 to 9); the bar values as extracted are 2, 6, 0, 3, 8, 9, 12, 5, 50 and 31 (total 126), and the chart is annotated "Not be executed without intensity."]
72. Service Scan
With only the -sV option, you take advantage of only about 30% of this feature. With intensity, we may be able to detect pcAnywhere or Java RMI better.
73. Service Scan
This is one of the rarity 9 probes.
    Probe TCP mydoom q|\x0d\x0d|
    rarity 9
    ports 706,3127-3198
    match mydoom m|\x04\x5b000000| p/MyDoom virus backdoor/ v/v012604/
77. Mydoom
Appeared in 2004. It used e-mail to spread the infection, and attacked www.sco.com etc. during a certain period of time. It listens on a specific port.
※ "Cho-kimochiii", which means "feels great!", said by Kosuke Kitajima, gold medalist at the Beijing Olympics, won first prize in the vogue word awards.
80. Without intensity
    # nmap -p- -sV IP address
    PORT     STATE SERVICE      VERSION
    21/tcp   open  ftp          Microsoft ftpd
    25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5949
    80/tcp   open  http         Microsoft IIS httpd 5.1
    135/tcp  open  msrpc        Microsoft Windows RPC
    139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
    443/tcp  open  https?
    445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
    1025/tcp open  msrpc        Microsoft Windows RPC
    5424/tcp open  unknown
81. With intensity
    # nmap -p- -sV --version-intensity 9 IP address
    PORT     STATE SERVICE      VERSION
    21/tcp   open  ftp          Microsoft ftpd
    25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5949
    80/tcp   open  http         Microsoft IIS httpd 5.1
    135/tcp  open  msrpc        Microsoft Windows RPC
    139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
    443/tcp  open  https?
    445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
    1025/tcp open  msrpc        Microsoft Windows RPC
    5424/tcp open  mydoom       MyDoom virus backdoor v012604
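An added example (my own code, not Nmap's version-detection engine) that parses the probe syntax quoted on slide 73 and applies the rarity/intensity rule from slides 69-72: a probe is sent when its rarity is at most the intensity, or when the target port is listed in its ports directive, which is why port 5424 is identified only at intensity 9. The probes excerpt, the GetRequest probe and the response bytes are constructed; the MyDoom entry is the slide's, with the backslashes dropped by extraction restored.

```python
import re
# Constructed excerpt in nmap-service-probes syntax: the MyDoom entry as the slides
# quote it (dropped backslashes restored) plus one made-up low-rarity probe.
PROBES_EXCERPT = r"""Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,443
match http m|^HTTP/1\.[01] \d\d\d| p/generic http server/
Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b000000| p/MyDoom virus backdoor/ v/v012604/
"""
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2 (.*)$")  # match <svc> m<d>pattern<d> info

def parse_ports(spec):
    ports = set()                                  # '706,3127-3198' -> set of ports
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_probes(text):
    probes = []
    for line in text.splitlines():
        if line.startswith("Probe "):  # rarity defaults to 1 here (assumption)
            probes.append({"name": line.split()[2], "rarity": 1, "ports": set(), "matches": []})
        elif line.startswith("rarity "):
            probes[-1]["rarity"] = int(line.split()[1])
        elif line.startswith("ports "):
            probes[-1]["ports"] = parse_ports(line.split()[1])
        elif line.startswith("match "):
            svc, _, pat, info = MATCH_RE.match(line).groups()
            fields = dict(re.findall(r"(p|v)/(.*?)/", info))  # p/product/ v/version/
            # compiled as a bytes pattern so \xHH escapes match raw response bytes
            probes[-1]["matches"].append((svc, re.compile(pat.encode("latin-1")), fields))
    return probes

def probes_to_send(probes, port, intensity):
    """A probe is sent when its rarity is within the intensity, or when the target
    port is listed in its ports directive (Nmap's rule as modelled here)."""
    return [p for p in probes if p["rarity"] <= intensity or port in p["ports"]]

def identify(probes, port, intensity, responses):
    """responses: constructed mapping probe name -> bytes the service answered with."""
    for p in probes_to_send(probes, port, intensity):
        data = responses.get(p["name"])
        if data is None:
            continue
        for svc, rx, fields in p["matches"]:
            if rx.search(data):
                return svc, fields.get("p"), fields.get("v")
    return None
```

With a constructed backdoor answering the mydoom probe with b"\x04\x5b000000", identify() on port 5424 returns None at intensity 7 and the MyDoom match at intensity 9, while port 3127 gets the probe even at the default because it is in the ports directive.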
87. Summary
All 9 truths are useless. It's natural that they are not in the Reference Guide or help.
88. Nmap
One of network scanners. Gordon Lyon
developed it in 1997.
- Portscan
- Searching Hosts
- Detect OS, Services
- Vulnerability Scan
- Support for naughty
- Arithmetic lesson
- Detect only one worm
New!!
89. At last
Say goodbye to all, looking at line 845 in service_scan.cc.