Now let’s say that zone transfers fail. There may still be a way to discover all of the hosts known within DNS. Similar to our harvesting technique of “guessing” potential names to get the DNS addresses, we can provide the IP ranges and see if DNS records exist. This can be done using nmap, without actually performing any scan activity.
[bash]# nmap -sL 192.168.1.1-254
Starting nmap 3.20 ( www.insecure.org/nmap/ )
Host target1.domain.com (192.168.1.1) not scanned
Host 192.168.1.2 not scanned
Host target3.domain.com (192.168.1.3) not scanned
Now that you have built a list of resolved IP addresses, these should be considered as targets. Keep in mind that filtering may prevent you from seeing them directly, but with enough tactical exercises you may be able to confirm their existence.
ICMP Scan
The simple ICMP or “ping” sweep against the network is the quickest way to identify live addresses. If your network does not employ any border filtering, then a picture of what exists can be quickly and easily discovered. By default a ping sweep is performed by using an ICMP echo request. If a host does not respond to echo requests it may still be alive, but the request may be filtered at a router or firewall. For this reason we also recommend utilizing an ICMP timestamp request, which may not be specifically filtered by the less-aware network engineers.
The following examples illustrate the result of both scans, with Nmap utilizing an ICMP echo request and Scanline (sl) utilizing both an echo and timestamp requests.
[bash]# nmap -sP -n 192.168.1.230
Starting nmap 3.20 ( www.insecure.org/nmap/ )
Host 192.168.1.230 appears to be up.
Nmap run completed -- 1 IP address (1 host up)
C:\>sl -nij 192.168.1.230
ScanLine (TM) 1.00
Copyright (c) Foundstone, Inc. 2002 http://www.foundstone.com
Scan of 1 IP started at Wed Apr 02 22:11:54 2003
192.168.1.230
Responded in 80 ms. 16 hops away
Scan finished at Wed Apr 02 09:47:02 2003
1 IP and 0 ports scanned in 0 hours 0 mins 0.13 secs
Nmap can perform a similar scan by using the -PP (echo request) or -PE (timestamp). For the remainder of this chapter the syntax for both commands will be provided where techniques can be performed using either tool, but for brevity, the output display will be limited to only one tool.
[bash]# nmap -PE 192.168.1.230
[bash]# nmap -PP 192.168.1.230
Responding hosts are then set aside in a live list to be used later. Of course, if both ICMP echo requests and timestamps are filtered, you may not have identified all of the hosts. Assessing only these hosts may very well leave exposures on hosts that you are unaware of on the network; therefore, other methods should be used.
TCP Scan
The next step is to perform limited TCP scanning against potential IP addresses. This scanning can be done by utilizing a TCP ACK packet, TCP ping style, or by selecting specific TCP ports against services typically available on a network. We will go through each of these areas.
TCP Ping
When a TCP ACK packet is sent to a host that is alive, an RST packet will be sent back. This method can be used to scan machines that block ICMP echo requests. Default use of nmap with no arguments uses ICMP and this technique on port 80; live hosts are then scanned using nmap services. If you already know ICMP is blocked, you can specify the -PT option followed by the port you want for the destination. With this option you are instructing nmap to perform only the TCP ping, and you can specify an optional port to decrease the time taken for scanning. However, at this point you still may not be ready to perform a full enumeration for services. For that reason combine the command with a -sP option, to prevent nmap from performing a service scan. For example:
[bash]# nmap -PT25 -sP 192.168.1.230-231
Starting nmap 3.20 ( www.insecure.org/nmap/ )
Host 192.168.1.230 appears to be up.
Nmap run completed -- 2 IP address (1 host up)
In cases where filtering may exist on specific ports it is helpful to specify a variety of different TCP port pings. The -PT option can be combined with a comma-separated list to do multiple TCP ping scans.
[bash]# nmap -PT80,22,443 -sP 192.168.1.230-231
Chapter 4: Reconnaissance
TCP Sweep
While TCP ping is effective, it doesn’t necessarily identify all the hosts, depending on the filtering in place. We recommend adding another TCP scan, using a small number of services, typically FTP (21), SSH (22), MAIL (25), DNS (53), and Web (80,443), and others as you see fit based on deployed technology, for example, high RPC services if you are a UNIX shop, or application ports such as PPTP, Exchange, Citrix, Lotus, Remote Services, or other ports you know are in use within the enterprise. Because these application ports are normally higher than 1024, there may be the slight chance that filtering is improperly being performed on the network, allowing connections to them from the Internet.
In this example you will utilize Scanline for its speed and efficiency. Use the following syntax to instruct Scanline to perform only a limited scan. It is important to use -p, disabling the ICMP requirement before it scans; otherwise only ICMP-discovered hosts will be scanned.
C:\>sl -pt 21,25,53,80,1433,3389 192.168.1.236
ScanLine (TM) 1.00
Copyright (c) Foundstone, Inc. 2002 http://www.foundstone.com
Scan of 1 IP started at Wed Apr 02 10:30:45 2003
192.168.1.236
Responds with ICMP unreachable: No
TCP ports: 1433
Scan finished at Wed Apr 02 10:30:50 2003
1 IP and 6 ports scanned in 0 hours 0 mins 4.14 sec
Or
[bash]# nmap -P0 -p 21,25,53,80,1433,3389 192.168.1.236
Now that you have completed the TCP scans, take all the responding hosts from the TCP ping and the TCP limited scans and add them to your live list for later use during the enumeration.
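The "live list" this chapter keeps returning to is easy to lose track of when it is assembled by hand from several tools. The script below is an added example (not the book's code) that parses the three output formats shown on the page, the nmap -sL listing, the nmap "appears to be up" lines and ScanLine's per-host blocks, and merges them into one table of hosts with the evidence that proved each one alive; the sample output strings are constructed, and the evidence labels ("icmp", "tcp-ping/25", "tcp/1433") are my own convention.

```python
"""Build the chapter's 'live list' from Nmap and ScanLine output. Added
example, not the book's code; the samples are constructed in the formats
printed on the page, and the evidence labels ("icmp", "tcp/1433") are mine."""
import re

NMAP_UP = re.compile(r"^Host (\d+\.\d+\.\d+\.\d+) appears to be up")
NMAP_LISTED = re.compile(r"^Host (\S+) \((\d+\.\d+\.\d+\.\d+)\) not scanned")
SL_ADDR = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
SL_PORTS = re.compile(r"^TCP ports: ([\d ]+)$")

# Constructed samples in the formats shown in the chapter.
NMAP_SL = ("Host target1.domain.com (192.168.1.1) not scanned\n"
           "Host 192.168.1.2 not scanned\n"
           "Host mail.domain.com (192.168.1.230) not scanned\n")
NMAP_PT = ("Host 192.168.1.230 appears to be up.\n"
           "Nmap run completed -- 2 IP address (1 host up)\n")
SL_OUT = ("192.168.1.230\nResponded in 80 ms. 16 hops away\n"
          "192.168.1.236\nResponds with ICMP unreachable: No\nTCP ports: 1433\n")


def dns_names(text):
    """From 'nmap -sL' output, return {ip: name} for addresses with a PTR record."""
    found = (NMAP_LISTED.match(ln.strip()) for ln in text.splitlines())
    return {m.group(2): m.group(1) for m in found if m}

def add_nmap(live, text, method):
    """Record each host nmap reports up, tagged with the probe that found it."""
    for m in filter(None, (NMAP_UP.match(ln.strip()) for ln in text.splitlines())):
        live.setdefault(m.group(1), set()).add(method)
    return live

def add_scanline(live, text):
    """ScanLine prints the address on one line and its verdict on the next."""
    host = None
    for line in map(str.strip, text.splitlines()):
        if SL_ADDR.match(line):
            host = line                             # start of a host block
        elif host and line.startswith("Responded in"):
            live.setdefault(host, set()).add("icmp")
        elif host and SL_PORTS.match(line):         # TCP-only discovery (-p)
            for port in SL_PORTS.match(line).group(1).split():
                live.setdefault(host, set()).add("tcp/" + port)
    return live

def build_live_list():
    """Merge the sources: {ip: (dns_name_or_None, [evidence, ...])}."""
    live = add_scanline(add_nmap({}, NMAP_PT, "tcp-ping/25"), SL_OUT)
    names = dns_names(NMAP_SL)
    return {ip: (names.get(ip), sorted(ev)) for ip, ev in sorted(live.items())}
```

Hosts that appear in the -sL listing but never answered any probe (192.168.1.1 here) stay out of the live list but remain worth noting as DNS-known targets, exactly as the DNS section advises.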
UDP Scan
As a last scan technique, UDP comes into play. While both Nmap and Scanline can accomplish these scans, both can deliver a degree of false positives. By default these scanners send out a 0 byte UDP packet. The port is considered closed if an “ICMP port unreachable” message is returned; if no return is received, the tool considers the port open. However, routers and firewalls filtering ICMP-unreachable packets will cause ports to appear open that are actually closed.
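The false-positive problem comes from the inference rule itself, so it is worth seeing the rule written out. This added example (not the book's code) models how a UDP scanner turns probe responses into port states and then shows what happens to a host with known port states once a filter drops the ICMP unreachables; the port states are constructed, and the state names follow current nmap wording rather than the 2003-era tools quoted on the page.

```python
"""Why the chapter warns about UDP false positives: the scanner only infers
port state from what comes back, so a filter that drops ICMP unreachables
makes closed ports indistinguishable from open ones. Added example, not the
book's code; the port states below are constructed."""


def udp_state(response):
    """Map one probe result to a port state. The labels follow current nmap
    wording; the tools on the page simply reported 'open' for silence."""
    if response == "udp-reply":
        return "open"             # the service answered the 0-byte probe
    if response == "icmp-port-unreachable":
        return "closed"           # ICMP type 3 code 3 came back from the host
    if response in ("icmp-host-unreachable", "icmp-admin-prohibited"):
        return "filtered"         # other type 3 codes point at a filter
    return "open|filtered"        # silence: open, or the unreachable was dropped


def simulate_sweep(real_states, unreachables_filtered):
    """What the scanner sees for a host whose true port states are known.
    Most UDP services ignore an empty probe, so open ports are silent too."""
    report = {}
    for port, real in real_states.items():
        if real == "closed" and not unreachables_filtered:
            resp = "icmp-port-unreachable"
        else:
            resp = None           # open port ignoring the probe, or a dropped unreachable
        report[port] = udp_state(resp)
    return report


def false_positives(real_states, unreachables_filtered):
    """Closed ports the scanner cannot tell apart from open ones: these are the
    ports the chapter says will 'appear open that are actually closed'."""
    seen = simulate_sweep(real_states, unreachables_filtered)
    return sorted(p for p, real in real_states.items()
                  if real == "closed" and seen[p] == "open|filtered")
```

The practical consequence is that a silent UDP port is only a candidate; confirming it means sending a protocol-specific payload (a DNS query to 53, an SNMP request to 161) and seeing whether the service answers.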