
MIT210 Information Systems Security and Assurance
Lab #2: Using Nmap for Network Inventory, Asset Management, Policy Compliance and Auditing

Student Name:
Date Due: June 25, 2011
Professor: Dr. Oliver C. Agustin

Objective: Learn how security tools such as Nmap can be used to perform compliance testing, inventory and asset management, security auditing and system administration.

Setup Lab Environment


This section guides you through setting up the BackTrack live DVD in VirtualBox so that you can capture screenshots, which are one of the deliverables of this lab exercise.

1. For this lab exercise you can reuse the setup from Lab #1, but you must first install Nmap from the DVD resources provided to you (see the How To Run Nmap section). Alternatively, you can use the BackTrack ISO together with VirtualBox. The latter method is encouraged.
2. The steps for using the BackTrack ISO are provided below:
   1. Launch your VirtualBox software. You should see a window similar to the one shown below.
   2. Click New in the toolbar to launch the New Virtual Machine Wizard.
   3. Enter the following information, then click Next:
      VM Name and OS Type: Backtrack
      OS: Linux
      Version: Ubuntu (64-bit) or Ubuntu
      Because BT5-KDE-64 is a 64-bit image, choose Ubuntu (64-bit); VirtualBox can only boot a 64-bit guest when hardware virtualization (VT-x/AMD-V) is enabled in your BIOS.
   4. When asked for the size of memory, select the default value. You may increase this value if you like. Click Next.
   5. You will be asked to specify a virtual hard disk; uncheck the selection as shown. Click Next.
   6. A dialog box will tell you that you did not attach any hard disk. Ignore this warning and click Continue.
   7. Clicking the Finish button concludes the initial setup, but there is one more thing to do.
   8. Highlight the newly created virtual machine called Backtrack and click Settings.
   9. The Backtrack Settings window will be displayed; select Storage in the left pane.
   10. Click the button pointed to by the red arrow and point it to the BackTrack ISO provided for you. The name of the ISO image is BT5-KDE-64.iso (not mit210.iso; BT5-KDE-64.iso is inside mit210.iso). Note: this ISO image is only available once you have burned the ISO image (mit210.iso) I provided for you. You may also access this file by mounting mit210.iso with a virtual CD/DVD manager such as Daemon Tools or PowerISO.
   11. You should now be able to boot your BackTrack OS by clicking the Start button on the toolbar. Note: for additional information on how to use the BackTrack DVD, you may Google for tutorials on the Internet.

Uses of Nmap
Compliance Testing

Testing for compliance can be one of the most important detective security controls you perform in an enterprise infrastructure. The purpose of compliance testing is to measure the critical components of the organization against the policies and controls that govern them. Normally this function falls to either an internal or an external audit team. The audit team is responsible for staying on top of the latest requirements and for ensuring that compliance testing is done in both an orderly and a timely fashion. Much like designing and maintaining the policies themselves, compliance testing requires persistent and ongoing attention. There are many different types of compliance testing where Nmap can be utilized as part of the solution. Some examples are:

- Testing for open ports on the interfaces of a firewall.
- Performing scans across workstation IP address ranges to determine whether any unauthorized networking applications are installed.
- Determining whether the correct version of a web service is installed in your De-Militarized Zone (DMZ).
- Locating systems with open file sharing ports.
- Locating unauthorized File Transfer Protocol (FTP) servers, printers or operating systems.
- Any number of needs specific to the controls written around your organization's policies.

Inventory and Asset Management

Commercial applications exist that are designed to track assets, manage inventory counts, relay information about installed services, and monitor system uptime. Luckily for those without a commercial application, this is another area where Nmap's ease of use pays off with excellent results. In a matter of minutes, an administrator can generate a scan request for a range of IP addresses or an entire subnet, or re-scan pre-identified systems. The options for identifying services and Operating System (OS) type come in handy when you are trying to identify existing desktops or servers in the infrastructure. Keep in mind that a scan only records what is reachable and listening at the moment it runs: hosts that are powered off, firewalled, or on another segment are missed, so scan results complement a maintained asset register rather than replace it.

Security Auditing

Security auditing can be defined as creating a set of controls specific to the technology or infrastructure being reviewed and then applying those controls, like a filter, to your environment. Any gaps in or outside that filter become audit points and could negatively impact the audit's overall assessment of your security framework. Nmap can assist with such audit needs as:

- Auditing firewalls by verifying that the firewall filters are operating properly.
- Searching for open ports on perimeter devices (perimeter being anything from the Internet edge to extranet or intranet boundary lines).
- Performing reconnaissance for certain versions of services.
- Utilizing the OS detection feature to pinpoint outdated or unauthorized systems on your networks.
- Discovering unauthorized applications and services.

System Administration

Although it is normally seen as a go-to application for security professionals, Nmap's wide range of port scanning, service and OS identification capabilities makes it perfect for the system administrator. If you decide to make Nmap available to administrators outside IT Security, keep in mind that this could increase unwanted scanning activity in your network: scans trip intrusion detection systems and can disrupt fragile devices such as printers and embedded systems, so agree on scan windows and an authorization process before handing the tool out.

How To Run Nmap


Prior to running Nmap, you should have completed the initial setup through VirtualBox. We assume that the target machine is your desktop. There are various methods by which you can run Nmap:

1. Running Nmap in the guest Windows XP OS via VirtualBox. You may use this method, but there is a prerequisite: you must install nmap-5.51-setup.exe, found in the DVD image (named mit210.iso) that was provided for you. You can find the Nmap setup file inside the folder named software.
2. Running Nmap from the BackTrack ISO image. If you want access to more advanced security tools, this is preferred, because it allows you to explore the other tools that are available in the package.
3. Running Nmap on a different machine connected to the same network.

Visit http://insecure.org/nmap/nmap_doc.html for more information on Nmap.

Exercises
The first step in any penetration test or attack is to locate targets, and there is no better tool for this than Nmap. We will use Nmap for three different scans: ping, port and version. The ping sweep locates computers that are alive, the port scan reports the open ports on a system, and the version scan tells us specifics about the services listening on those ports. The beauty of Nmap is the flexibility it gives you in choosing the range of IP addresses to look at. In the following tasks you are not limited in the number of IP addresses you scan; it could be a private network or a public network, but scan only networks you own or have explicit permission to test.

Opening Backtrack

1. Launch VirtualBox, select Backtrack and click Start.

2. You will be presented with the boot prompt shown below; simply press the Enter key.

3. After that, another set of boot options will be displayed. Select the third option, BackTrack Forensics, and press Enter.

4. Your BackTrack live DVD has now booted. You can use Nmap from the command line, or start X Windows and launch Zenmap, the GUI version of Nmap. Type startx to proceed.

5. Ignore any pop-up dialog box that might be displayed (audio, etc.). Note: before you proceed, make sure that you are able to ping your host. Click the Backtrack icon (Start menu) -> System -> Konsole and run ping 192.168.10.1, where 192.168.10.1 is the IP address of the computer on which VirtualBox is running. If the host is unreachable, make sure your host is connected to a network in which a DHCP server is available (for example, a wireless router or a Windows 2000/2003/2008 server) and change the virtual machine's network setting (Settings -> Network) from NAT to Bridged Adapter. Bridged mode is the recommended setting for this lab: in NAT mode the guest is not on your LAN but behind VirtualBox's user-space NAT, its traffic is rewritten by the host, ARP-based host discovery cannot see your LAN, and raw-packet scans such as -sS and -O give unreliable results. If your problem is not resolved, search the Internet for the solution.

6. Identify live hosts. Identify an IP address subnet or specific IP addresses, e.g. 10.146.150.1-10 for a range of IP addresses or 192.168.0.10 for a single IP. To perform a ping sweep on addresses in the range 192.168.43.1 to 192.168.43.254, run:

nmap -T4 -n -sn 192.168.43.1-254

The -n switch tells Nmap not to resolve host names, making the scan much faster. The -sn switch tells Nmap to perform host discovery only (a ping sweep) without a port scan. On the local Ethernet segment Nmap discovers hosts with ARP requests, which a host firewall cannot suppress; for remote networks it falls back to ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so hosts that drop all of those are reported as down. -T4 selects an aggressive timing template, which is fine on a LAN.

In BackTrack, Zenmap is reached from the Backtrack icon at the lower left -> Backtrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> Zenmap. In the example below, the range 192.168.43.1-254 was scanned.

7. Determine open ports and services. Once you have located systems that are alive, the next step is to see what services (and potential holes for exploitation) exist on them. To do this, perform a port scan. In this example we choose 192.168.43.135, which the screenshot above shows is alive:

nmap -n -sT 192.168.43.135

This performs a full TCP connect port scan of 192.168.43.135. The -sT switch tells Nmap to complete the three-way handshake (SYN, SYN-ACK, ACK) on each port and then close the connection; it uses the operating system's connect() call, which is why it works without root privileges. By default Nmap 5.51 scans the 1,000 most common ports of the protocol, ranked by the frequency data in its nmap-services file; use -p to choose others (for example -p 1-65535 for all of them). In some instances you may want to be a little stealthier and use the -sS SYN scan instead. This sends a SYN and, on receiving the SYN-ACK, answers with a RST instead of completing the handshake, so no full TCP connection is created and services that only log completed connections do not record it. It is not invisible, however: firewalls and intrusion detection systems see the SYN just the same. -sS needs raw socket privileges, so it must run as root, which is the default user on the BackTrack live DVD. Note that you can also port scan a range of targets using Nmap's IP range notation. For example, to scan the hosts 192.168.43.1 through 192.168.43.254 you would run:

nmap -n -sT 192.168.43.1-254

The following screenshot shows the open ports and running services on the target machine with IP 192.168.43.135.

8. Identify the versions of running services. In reality a port scan will only take you so far. It tells you that a host is listening on a specific port, but nothing beyond the default service assigned to that port. For example, port 80 is by default HTTP, but which server is providing that access (IIS, Apache, etc.)? To get these details we perform a version scan via the following command:

nmap -n -sV 192.168.43.135

In the previous step we identified open ports and the services assumed from their port numbers. This step sends protocol-specific probes to each open port and matches the responses against Nmap's service signature database, giving us the actual product and its version number.

In the second screenshot, take note of the Microsoft SQL Server 2008 entry: the version number reads 10.0.2531, which is SP1. If vulnerabilities exist for this version of SQL Server, it could be exploited to run malicious code on the target computer or, worse, to gain full access to the server itself. The exact build is what you look up against vendor advisories and vulnerability databases, and an outdated build found this way is exactly the kind of compliance gap described in the Uses of Nmap section.

9. A final scan performs OS fingerprinting via:

nmap -n -sV -O 192.168.43.135

The -O option sends a series of crafted TCP/IP probes, compares the target's responses against Nmap's OS fingerprint database and reports the best matches with an accuracy percentage. It requires root privileges, and it works best when Nmap finds at least one open and one closed TCP port on the target; without both, the guess can be wrong, so treat the reported accuracy as a confidence score rather than a fact. Now, with the information provided by Nmap, we can do the research needed to know how the target system could be exploited.

The screenshot below is an OS fingerprint of a jailbroken iPhone OS version 3.2.2.
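As an added example for this lab (not part of the original handout and not Nmap's own code), the Python script below turns the output of the scans in steps 6 to 9 into the inventory report that the deliverables ask for (IP address, hostname, operating system, running services) and then applies a simple compliance policy to it, in the spirit of the Uses of Nmap section. It reads Nmap's XML output, which you get by adding -oX scan.xml to any of the commands above (or -oX - to write the XML to standard output). The embedded XML is a constructed sample that mimics that format; the addresses, hostnames, products and the policy (forbidden ports, expected product on port 1433) are assumptions made for illustration.

```python
"""Build an inventory from Nmap XML (-oX) output and audit it against a policy.

Added example for this lab; not part of the original handout or of Nmap itself.
Run e.g. `nmap -n -sV -O -oX scan.xml 192.168.43.1-254` (as root, for -O) and
feed the file to parse_nmap_xml(), or call run_scan() to do it from here.
"""
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the shape of Nmap's -oX output. Only the XML structure is
# Nmap's; the hosts, names and versions are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -sV -O -oX - 192.168.43.1-254">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.43.135" addrtype="ipv4"/>
    <hostnames><hostname name="sqlbox" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2008" version="10.0.2531"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.43.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.2"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.43.21" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical policy for the lab LAN: these ports must never be open, and the
# product on port 1433 must be exactly this build (the compliance check).
FORBIDDEN_PORTS = {21: "unauthorized FTP server",
                   139: "open file sharing (NetBIOS)",
                   445: "open file sharing (SMB)"}
EXPECTED_SERVICES = {1433: ("Microsoft SQL Server 2008", "10.0.2531")}


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""


@dataclass
class Host:
    ip: str
    hostname: str
    os: str
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Return one Host per live host, keeping only its open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # the ping-sweep verdict: down hosts never enter the inventory
        ip = next((a.get("addr") for a in h.findall("address")
                   if a.get("addrtype") == "ipv4"), "")
        name = h.find("hostnames/hostname")
        best_os = h.find("os/osmatch")  # the first osmatch is Nmap's best guess
        host = Host(ip, name.get("name") if name is not None else "",
                    best_os.get("name") if best_os is not None else "unknown")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not running services
            attrs = p.find("service").attrib if p.find("service") is not None else {}
            host.services.append(Service(int(p.get("portid")), p.get("protocol"),
                                         attrs.get("name", ""), attrs.get("product", ""),
                                         attrs.get("version", "")))
        hosts.append(host)
    return hosts


def inventory_rows(hosts):
    """Rows for the lab report: IP address, hostname, operating system, running services."""
    rows = []
    for h in hosts:
        services = "; ".join(" ".join(x for x in (f"{s.port}/{s.proto}", s.name,
                                                 s.product, s.version) if x)
                             for s in h.services)
        rows.append((h.ip, h.hostname or "-", h.os, services))
    return rows


def audit(hosts, forbidden=FORBIDDEN_PORTS, expected=EXPECTED_SERVICES):
    """Compliance findings as (ip, port, reason); an empty list means the scan passed."""
    findings = []
    for h in hosts:
        for s in h.services:
            if s.port in forbidden:
                findings.append((h.ip, s.port, forbidden[s.port]))
            if s.port in expected:
                product, version = expected[s.port]
                if s.product != product or not s.version.startswith(version):
                    findings.append((h.ip, s.port, f"unexpected {s.product} {s.version}".strip()))
    return findings


def run_scan(targets, options=("-n", "-sV", "-O")):
    """Run Nmap and return its XML; needs nmap on PATH and root for -O or -sS."""
    cmd = ["nmap", *options, "-oX", "-", targets]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_XML with run_scan("192.168.43.1-254") to report on a live LAN.
    live = parse_nmap_xml(SAMPLE_XML)
    for row in inventory_rows(live):
        print("\t".join(row))
    for ip, port, reason in audit(live):
        print(f"FINDING {ip}:{port} {reason}")
```

The parser keeps only hosts whose status is up and only ports whose state is open, so closed and filtered ports never appear as "running services"; the policy is deliberately data-driven (two dictionaries) so that the same script can enforce whatever controls your own organization writes, and a version that drifts from the expected build is reported as a finding rather than silently accepted.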

Deliverables:
1. The processes in the exercises above must be performed using your own range of IP addresses. From the detected live hosts, identify a single target. Screenshots should be attached for this single target only. For each step mentioned in the previous section, take a screenshot. Feel free to experiment with additional syntax and options.
2. Answer the following questions:
   - If you are to perform auditing in your network, how are you going to apply the concepts and ideas mentioned in this lab?
   - For what specific purposes do you intend to use this acquired knowledge?
3. In your own LAN, make a report summarizing the following information: IP addresses, hostname, operating system, running services.

Send to me via email at agustin.oliver@auf.edu.ph Enjoy!
