NMap 101: Scanning Networks For Open Ports To Access, HakTip 94
NMap can be used to obtain a much more aggressive scan than the ones we have seen so far. It's very simple to do this too, by simply adding the -A flag, like this: nmap -A 10.73.31.64
Aggressive scans simply bundle some of the most popularly used Nmap options into one command for you to type. It uses options such as -O, -sC, --traceroute and others. We'll go over these in more detail soon. For now, simply know that -O works for operating system detection, and -sC runs several scripts inside nmap at once such as speed and verbosity. When running this scan, which takes longer because of the extra scripts involved, you'll receive back a bunch of strange-looking fingerprint information. I tried running this on our printer, which doesn't give us much information. But running it against our NAS gives us some interesting facts, such as the name of our NAS (Synology DiskStation), the open ports with more information, and even the SSH host key with DSA and RSA encryption.
If I nmap our network with nmap 10.73.31.0/24, this is what I find: .64 is an HP printer with telnet open on port 23. So now I'll open netcat in another window and connect to it: nc 10.73.31.64 23. We've just telnetted into our HP printer. Now we can run ls to see what directories are available, change directories, etc.
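As an added example that is not part of the HakTip, the script below takes the kind of /24 sweep described above one step further from a defender's side: it parses nmap's grepable (-oG) output and flags hosts that expose cleartext login services such as telnet, so an open port 23 on a printer becomes a tracked finding rather than just something spotted while scrolling. The sample output is constructed to resemble the episode's network (a printer at .64 with telnet on 23, a NAS at .74 with SSH on 2222); the host list, versions, and the CLEARTEXT_LOGIN_PORTS policy are assumptions, not real scan results or Hak5 code. It goes slightly beyond the page by checking ftp and rlogin alongside telnet.

```python
"""Audit nmap grepable (-oG) output for hosts exposing cleartext login services.

Added example for this page; not code from the HakTip. SAMPLE_GREPABLE is a
constructed stand-in for `nmap -oG - 10.73.31.0/24`; hosts, ports and
versions are made up to resemble the episode's network.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output (not real scan results).
SAMPLE_GREPABLE = (
    "# Nmap 6.40 scan initiated (constructed sample) as: nmap -oG - 10.73.31.0/24\n"
    "Host: 10.73.31.1 ()\tStatus: Up\n"
    "Host: 10.73.31.1 ()\tPorts: 21/closed/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 6.2/, "
    "80/open/tcp//http///\tIgnored State: closed (997)\n"
    "Host: 10.73.31.64 ()\tStatus: Up\n"
    "Host: 10.73.31.64 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "9100/open/tcp//jetdirect///\tIgnored State: closed (997)\n"
    "Host: 10.73.31.74 ()\tStatus: Up\n"
    "Host: 10.73.31.74 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "2222/open/tcp//ssh//OpenSSH 5.8/\tIgnored State: closed (997)\n"
    "# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up) scanned\n"
)

# Ports whose usual service carries credentials in cleartext (assumed policy list).
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin"}


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_grepable(text: str) -> List[OpenPort]:
    """Return every open port listed in -oG output.

    Each 'Host:' line is tab-separated into 'Key: value' fields. The Ports
    field lists entries as port/state/proto/owner/service/rpcinfo/version/.
    Entries are split on ", "; a version string containing that sequence
    would be mis-split, which is acceptable for this illustration.
    """
    found: List[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        ports = fields.get("Ports")
        if not ports:
            continue  # a Status-only line carries no port data
        for entry in ports.split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip it instead of crashing
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version))
    return found


def flag_cleartext_logins(open_ports: List[OpenPort]) -> List[OpenPort]:
    """Open ports matching the cleartext-login policy list by port number or service name."""
    names = set(CLEARTEXT_LOGIN_PORTS.values())
    return [p for p in open_ports
            if p.port in CLEARTEXT_LOGIN_PORTS or p.service in names]


def summarize(open_ports: List[OpenPort]) -> Dict[str, List[str]]:
    """Map each host to human-readable 'port/proto service (version)' labels."""
    summary: Dict[str, List[str]] = {}
    for p in open_ports:
        label = f"{p.port}/{p.proto} {p.service}"
        if p.version:
            label += f" ({p.version})"
        summary.setdefault(p.host, []).append(label)
    return summary


if __name__ == "__main__":
    ports = parse_grepable(SAMPLE_GREPABLE)
    for host, labels in summarize(ports).items():
        print(f"{host}: {', '.join(labels)}")
    for p in flag_cleartext_logins(ports):
        print(f"FINDING: {p.host} exposes {p.service} on {p.port}/{p.proto}; "
              "disable it or replace it with an encrypted service")
```

To use it on a real sweep, save the scan with nmap -oG scan.gnmap 10.73.31.0/24 and feed the file contents to parse_grepable; the closed ftp port on .1 in the sample shows that only entries whose state is "open" are reported.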
What would you like to see next about NMAP? Send me a comment below or email us at tips@hak5.org. If you like NMap, perhaps you'll enjoy our new show, Metasploit Minute with Mubix, airing every Monday at hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.
Closed Caption:
This HakTip is brought to you by Hak5 and viewers like you. Support us directly at hakshop.com. Welcome back to the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas.

I'm Shannon Morse, and today we are performing aggressive scans and even more. Now, first off, nmap can be used to obtain a much more aggressive scan than the ones that we've seen so far in our previous HakTips. It's very, very simple to do this too: you simply add an extra little script and you're good to go. So let's go ahead and try this out on my computer. I'll go ahead and pull up one of my terminals. I have two running, and I'll show you why in just a few moments, but first off let's go ahead and do this aggressive scan. To do this you type in nmap -A, aggressive, and then whatever you're wanting to scan, so I'm going to scan 10.73.31.64 and I'm going to go ahead and run it.

So while this is running in the background, let me go ahead and tell you a little bit about what an aggressive scan is. These simply put together some of the most popularly used commands in nmap into one command for you to type, so it just makes it easier. It uses commands such as -O, -sC, --traceroute and some others. We'll go into all of these very soon on HakTip, but for now just simply know that -O works for operating system detection, which is pretty cool; -sC runs several scripts inside of nmap at once, such as speed and velocity; and then traceroute is just that, it is a traceroute.

Now, when running the scan, which will take a lot longer (and you can tell in the background) because of the extra scripts involved, you'll receive back a whole bunch of strange-looking fingerprint information. Let's go ahead and wait for this to finish. Once that's done it'll pull up a bunch of information about the thing that I'm trying to scan, and it does take about two to three minutes for it to finish. There we go.

OK, so if you're watching this you see that I ran two commands. The first one looked like this: it was nmap -A 10.73.31.64, and the second one I ran was .74. The reason for that is I wanted to show you the difference between the two. The first one I ran was a printer, which really doesn't give us a lot of information. If I scroll up and look at that command right here, OK, so we see a whole bunch of fingerprinting information, but otherwise we just get what we normally would with a regular nmap scan.

If I scroll back down to this one, .74, this one is running our NAS, and it gives us some really interesting facts, such as the name of our NAS, which is the Synology DiskStation. If I scroll down you can see that there is an HTML title, Synology DiskStation, and we can also see things such as the open ports with a little bit more information. So you can see right here we have OpenSSH version 5.8 running on this open port 2222, as well as the printer, the workgroup and whatnot. You can even see the really interesting part down a little bit further. Let's see if I can find it for you, it's kind of funny. Oh, there they are, right here, I've highlighted it for you: the SSH host key with DSA and RSA encryption. That's really funny.

I just enjoy being able to see all those interesting facts about different things on the network. It can really help if you're worried about somebody breaking in from externally into your network and trying to make sure that things are, you know, secure like they should be.

Now after the break I'm going to go ahead and jump over to netcat. Yeah, we're bringing back netcat, we're gonna have some fun with that. But first let's go ahead and thank our sponsor.

The HakShop is Hak5's premier store for all of your pen testing needs, including one of my favorites, the USB Rubber Ducky, which looks like a flash drive and types like a keyboard. It can type scripts into a computer crazy, crazy fast, like this week's pick from Water Pistol in the forums. This very, very simple script is used to change the wallpaper on an OS X Mavericks computer. It's very, very easy to use and it's short, so it's a really great one to start off on. Also, congrats to Water Pistol on your first script, excellently written. Now of course we couldn't do the show without your support, so we would like to thank you with something very special: you can use the coupon code snubs with any order in the HakShop for your very own HakTip sticker. Isn't that cute? And I even signed it for you. Thank you so much for supporting the show. We'll be right back.

We're back, and we promised to bring you some netcat action, so here goes. If I nmap our network, obviously we already know how to use this, so I'm going to go ahead and type it in. It's nmap 10.73.31.0/24, that's the CIDR notation. So I'm going to let this run in the background. Basically what it's going to find is .64, so 10.73.31.64, which just happens to be an HP printer with telnet open on port 23. Here we go.

Alright, so it's updated for us. I'm going to scroll up so I can look through here and see all sorts of fun things. So here it is, look at that, telnet is open on port 23. Hmm, what can I do now? So let's think: in netcat we learned how to log into a port. So if I open netcat on my computer, I'll just type nc 10.73.31.64 and the port, which is 23, and click enter. I am now in telnet debugging. We just telnetted into our HP computer, so fun. So now I can just type in all sorts of different things that I can do in telnet. So I could try pwd, and I see nothing. Alright, that's boring. Let's try ls. OK, so we have some folders. Let's see, what are these directories? cloud, ePrint, ipp. That's interesting.

Let's try ePrint, actually cd ePrint, and if I ls now I can see, let's see, OK, so we have debug settings, area codes, cloud config. I can show settings, so I'm going to type show settings so I can see the settings of the computer. If I cd .. to get back to home and ls again, let's see, I'll go into cloud/, ls, and here I get a whole bunch of fun things I can do. Let's see, I can set cloud cert validation, custom settings, I can set the serial number, that's fun, print, print and setup instruction page. OK, so if I had this printer installed on my computer, instruction page... see, this printer is not registered, but if you do have it registered you can pretty much print from the terminal, because why not?

This is so fun. I got so excited when I figured out that I could easily do this with two programs that I just recently learned and researched how to use. It's super exciting, and I love being able to integrate what I've learned into a HakTip like this. So yay, I learned something fun, and I want to see what you guys have been doing with nmap as well, because this is really cool. I love being able to take netcat and use my example within nmap and just, you know, have some enjoyment out of it. So you can always send me a comment below or you can email us over at tips@hak5.org. We check them all; we may not be able to reply, but you know, we're busy. So if you like nmap, perhaps you will also enjoy our new show with Mubix, which is called Metasploit Minute. It's over at youtube.com/hak5 and hak5.org. And be sure of course to check out our sister show, Hak5, for... having a lot of fun with antennas. Definitely check that out. I'll be reminding you over there to trust your technolust. See you next week.
Video Length: 08:51
Uploaded By: Hak5
View Count: 54,875