Host Enumeration With Nmap

09 Nov 2019

TL;DR

Find the IP of the VM with either netdiscover -r <CIDR> or nmap -sn <CIDR> (ARP vs ICMP respectively)
Perform a TCP connection scan on all ports with nmap -sS -p- -T4 -Pn --open <target>
Perform an intense Nmap scan on TCP services found listening with nmap -sS -sV -sC -O -p<ports> -T4 -Pn <target>
Repeat for UDP
Target VM is Stapler from VulnHub

Purpose of This Blog Post

The primary audience for this blog post is people who are new to capture the flag (CTF) challenges and are keen to learn but struggle with the question of “where do I get started?”.

This post will cover my personal enumeration process that I like to use when first starting a capture the flag (CTF) challenge that involves a deliberately vulnerable virtual machine (VM), such as those available on VulnHub and HackTheBox. Otherwise known as Boot2Root VMs.

Now I said before that this is my personal enumeration process but that doesn’t mean it’s all that special. There’s a million ways to perform network enumeration on a VM but they’ll generally all end up in the same place - a list of listening services as well as some information about them.

If you’re new to CTFs and Boot2Root VMs in general I encourage you to check out the WebPwnized YouTube channel as well as the excellent walkthroughs provided by Ippsec. I would also recommend checking out the different switches available to Nmap and learning what enumeration process best works for you. If nothing else it’s a great learning exercise.

Initial Reconnaissance

When you first fire up a Boot2Root VM and connect it to your virtual network (VirtualBox instructions here), you won’t even know the IP address that was assigned via DHCP. So lets do that first.

ARP Scans with Netdiscover

Address Resolution Protocol (ARP) is a network protocol used to map the physical (MAC) address of a device to an IP address. Using netdiscover we can send ARP requests to every IP address within a given network range (colloquially referred to as a CIDR - Classless inter-domain routing) and log the responses.

# netdiscover -P -L -i eth1 -r 10.1.1.0/24

_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.
 10.1.1.129      00:0c:29:9d:60:45      1      60  VMware, Inc.
 10.1.1.254      00:50:56:e2:11:be      1      60  VMware, Inc.

-- Active scan completed, 3 Hosts found. Continuing to listen passively.

First we’ll break down the command we ran and then the output.

Netdiscover Command

# netdiscover -P

-P: print results in a format suitable for parsing by another program and stop after active scan

Using -P allows me to pipe the output of netdiscover to a file rather than running it in interactive mode.

# netdiscover -P -L

-L: similar to -P but continue listening after the active scan is completed

Using -P means that if I was impatient and didn’t wait for the network interface of my target VM to come up then I don’t need to run netdiscover again as once the VM comes online it will send out ARP requests/responses to other devices on the network in order to discover its neighbours.

# netdiscover -P -L -i eth1

-i: device: your network device

My Kali VM is configured with two network interfaces - a NAT interface that allows my VM to route through my host to the internet; and a Host-Only interface that allows my Kali VM to communicate with the target VM. The target VM does not have internet access.

# netdiscover -P -L -i eth1 -r 10.1.1.0/24

-r: range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8

The network address I have configured within the VMware Hypervisor settings is 10.1.1.0 with a subnet mask of 255.255.255.0. Which can be represented as 10.1.1.0/24

Netdiscover Output

10.1.1.1 00:50:56:c0:00:01 1 60 VMware, Inc.

This is the first IP address within my predefined network range and is the default gateway for this network interface.

10.1.1.129 00:0c:29:9d:60:45 1 60 VMware, Inc.

This is my target VM. We know this because it’s the only other device on my Host-Only network, but we’ll confirm it’s our target VM later anyway.

10.1.1.254 00:50:56:e2:11:be 1 60 VMware, Inc.

This is the VMware DHCP server.

You may be wondering how netdiscover knows that these are VMware IP addresses, with the MAC Vendor field displaying VMware, Inc..

This is possible due to the fact that the first three bytes of a six byte MAC address are based on the vendor of particular network device. This is called an organizationally unique identifier (OUI). You can use the Wireshark OUI Lookup Tool to manually discover the vendor for a given network device.

Ping Sweeps with Nmap

Instead of ARP, it is also possible to use Nmap to send an Internet Control Message Protocol (ICMP) (echo request)[https://en.wikipedia.org/wiki/Ping_(networking_utility)] packet (also known as ping) to every IP address within a given network range.

$ nmap -sn -T4 10.1.1.0/24

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 11:44 AEDT
Nmap scan report for 10.1.1.1
Host is up (0.0017s latency).
Nmap scan report for 10.1.1.129
Host is up (0.0011s latency).
Nmap scan report for 10.1.1.255
Host is up (0.00032s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 14.64 seconds

First we’ll break down the command we ran and then the output.

Ping Sweep Command

$ nmap -sn

Ping Scan - disable port scan

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless –send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options, excluding -Pn) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP.

From the Nmap man page

So I didn’t actually realise that a -sP/-sn scan sends TCP packets as well as ICMP until I read the above as part of putting this post together. Who knew blogging could be educational!

Anyway the above is a pretty good explanation, Nmap does a ping of all of the hosts, and then for the ones that respond to the ping, it will perform additional TCP connection attempts to further validate that the host is online.

$ nmap -sn -T4

-T<0-5>: Set timing template (higher is faster)

-T4 is generally a good balance between reliability and speed when performing enumeration on locally hosted VMs. When scanning VMs hosted in other countries you may need to reduce it to -T3 due to the wonders of Australian internet.

$ nmap -sn -T4 10.1.1.0/24

The network address I have configured within the VMware Hypervisor settings is 10.1.1.0 with a subnet mask of 255.255.255.0. Which can be represented as 10.1.1.0/24

Ping Sweep Output

Nmap scan report for 10.1.1.129
Host is up (0.0011s latency).

The output from Nmap is pretty self explanatory - this snippet is saying that the host with the IP address 10.1.1.129 is online.

TCP Service Discovery With Nmap

Now that we know the IP address of our target VM, we need to figure out which services are running on network interfaces we can access. Services we’d expect to find listening on an external interface include web servers such as Apache and Nginx or SSH servers such as OpenSSH.

# nmap -sS -p- -T4 -Pn --open 10.1.1.129

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 12:47 AEDT
Nmap scan report for 10.1.1.129
Host is up (0.00025s latency).
Not shown: 65523 filtered ports, 4 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
666/tcp   open  doom
3306/tcp  open  mysql
12380/tcp open  unknown
MAC Address: 00:0C:29:9D:60:45 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 101.14 seconds

As before, we’ll first breakdown the command and then the output.

TCP Service Discovery Command

# nmap -sS

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

The -sS switch instructs Nmap to perform a TCP SYN scan. Rather than performing the complete TCP three-way handshake (SYN/SYN-ACK/ACK), Nmap will only send a TCP SYN request to the port.

# nmap -sS -p-

-p : Only scan specified ports The next switch, `-p-` instructs Nmap to scan *all* 65,535 possible TCP ports. It is synonymous with `-p1-65535`

# nmap -sS -p- -T4

-T<0-5>: Set timing template (higher is faster)

# nmap -sS -p- -T4 -Pn

Treat all hosts as online – skip host discovery

As we already established that the host we are scanning is online in the Initial Reconnaissance section, we can safely skip host discovery here and save a bit of time.

# nmap -sS -p- -T4 -Pn --open

Only show open (or possibly open) ports

We’re only interested in the open ports that Nmap discovers so we can instruct Nmap to exclude closed or filtered ports from the scan output.

# nmap -sS -p- -T4 -Pn 10.1.1.129

The final argument passed to Nmap is simply the IP address of our target VM.

TCP Service Discovery Output

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
666/tcp   open  doom
3306/tcp  open  mysql
12380/tcp open  unknown

The above output is relatively self explanatory and is simply a list of open ports found listening on the target VM as well as the default service that uses that port.

It is important to note however that at this point Nmap has not interrogated the service(s) listening on these ports, and there is no reason why a systems administrator can’t configure their SSH server to listen on port 80.

In the next stage we will instruct Nmap to interrogate each of the listening services and provide us with additional information that may be of use.

TCP Service Enumeration with Nmap

Now we have the IP address of our target VM, as well as a list of open TCP ports with something listening but no idea what that something could be.

This section will focus on performing more in-depth enumeration with Nmap so as to discover more information about these listening services.

# nmap -sS -sV -sC -O -p21,22,53,80,139,666,3306,12380 -T4 -Pn 10.1.1.129

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 12:55 AEDT
Nmap scan report for 10.1.1.129
Host is up (0.00032s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.1.1.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open  domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open  http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp   open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open  doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open  mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 9
|   Capabilities flags: 63487
|   Some Capabilities: IgnoreSigpipes, InteractiveClient, DontAllowDatabaseTableColumn, FoundRows, ODBCClient, SupportsTransactions, LongColumnFlag, Speaks41ProtocolOld, Speaks41ProtocolNew, Support41Auth, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongPassword, SupportsCompression, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: gJq:\x1F\x1C9et<\x12hId|#k(\x11~
|_  Auth Plugin Name: mysql_native_password
12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:[...snip...]
MAC Address: 00:0C:29:9D:60:45 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 10h00m00s, deviation: 0s, median: 9h59m59s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2019-11-09T11:55:55+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-11-09T11:56:15
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.94 seconds

TCP Service Enumeration Command

As before, first we’ll break down the command we executed and then the output.

# nmap -sS

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans The -sS switch instructs Nmap to perform a TCP SYN scan. Rather than performing the complete TCP three-way handshake (SYN/SYN-ACK/ACK), Nmap will only send a TCP SYN request to the port.

# nmap -sS -sV

-sV: Probe open ports to determine service/version info Nmap will actually interact with the service discovered and attempt to determine both what service is listening as well as which version.

# nmap -sS -sV -sC

-sC: equivalent to –script=default Performs a script scan using the default set of scripts. It is equivalent to –script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission. (From the Nmap man page)

Nmap contains a built in scripting engine (Nmap Scripting Engine or NSE) with hundreds of scripts bundled in the default install that allow for a huge range of information discovery features. Including vulnerability scanning, brute forcing, interaction with services such as FTP to determine if anonymous logins are allowed, and much, much more.

The -sC switch simply runs the default set of scripts against the services. Detailing the functionality of all of the available NSE scripts would take an eternity and is out of scope for this blog post.

# nmap -sS -sV -sC -O

-O: Enable OS detection The -O switch instructs Nmap to attempt to identify which Operating System the target VM is running. For example which version of the Linux Kernel or if it is Windows 7/8/10.

# nmap -sS -sV -sC -O -p21,22,53,80,139,666,3306,12380

-p : Only scan specified ports The next switch, `-p-` instructs Nmap to scan *just* the ports we found with the first (faster) scan.

# nmap -sS -sV -sC -O -p21,22,53,80,139,666,3306,12380 -T4

-T<0-5>: Set timing template (higher is faster)

# nmap -sS -sV -sC -O -p21,22,53,80,139,666,3306,12380 -T4 -Pn

Treat all hosts as online – skip host discovery

As we already established that the host we are scanning is online in the Initial Reconnaissance section, we can safely skip host discovery here and save a bit of time.

# nmap -sS -sV -sC -O -p21,22,53,80,139,666,3306,12380 -T4 -Pn 10.1.1.129

The final argument passed to Nmap is simply the IP address of our target VM.

TCP Service Enumeration Output

We’ll break up each section of the output of Nmap in to more manageable chunks and review each of them below.

Port 21/FTP

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.1.1.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

Reviewing the above output we now know the following information:

Port 21 is running vsFTPd 3.0.3
vsFTPd is configured to allow anonymous logins

Nmap is able to fingerprint the service as vsftpd 2.0.8 or later based on the network traffic, but due to the Nmap scripts that were executed thanks to the -sC parameter being passed, we can see from the banner information that it is in fact vsFTPd 3.0.3.

Port 22/SSH

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)