Friday, February 22, 2013

Conducting an Nmap Scan and Exporting The Findings As An XML Report


Nmap is a multifaceted application used for network reconnaissance. Whether used by a white hat, grey hat or black hat, Nmap is considered an essential tool. Nmap.org's official website describes the application as "a free and open source utility for network discovery and security auditing." The website also explains that "Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics." If you are interested in more official information on Nmap, visit their website here.

This tutorial demonstrates how a user can conduct a moderately advanced Nmap scan. Once the scan is complete, the findings will be exported to an XML report for our review. Let's get started.
 

1.  Start Metasploitable as a virtual machine. Metasploitable will be the target host. If you are unfamiliar with Metasploitable, a basic configuration guide can be found here.


I first logged into Metasploitable and discovered its local IP address. I did this by running ifconfig. The IP address of Metasploitable is 10.0.0.21. I did this to spare myself a wild goose chase on my local area network.


2.  Start a Backtrack virtual machine and log in. Backtrack will be the host conducting the Nmap scan. Nmap scans can be conducted from many different operating systems, but this tutorial is heavily based on Backtrack (Linux).

3.  Click the small black square towards the top of the screen in Backtrack.  This will open a new terminal.

 
4.  When the console opens, type nmap and hit enter. Doing this shows Nmap's usage, options and arguments. The official guide explaining these options can be found here.


5.  Let's do a quick Nmap scan by typing: nmap 10.0.0.21 (Metasploitable). Hit enter. Without any arguments or options, Nmap conducts a default SYN scan of the target. Congratulations. If you are new, you've conducted your first network scan.


The default Nmap scan revealed that many ports and services are open. On a business server this would be detrimental, because every exposed service broadens the attack surface available to a malicious intruder. Whenever possible, disable any non-essential services.


6.  Now that we've observed a basic port scan, let's conduct something a little more customized.  Run the following command:

nmap -O -sS -p 1-65535 -T3 -oX /root/Desktop/scan_report.xml --stylesheet=nmap.xsl 10.0.0.21

Now that the command has been issued, let's break down what it did.

[nmap] The Nmap application itself.
[-O] OS detection. Nmap will make its best attempt to identify the OS in use.
[-sS] SYN scan. This is a half-open method of scanning.
[-p 1-65535] Manually specify to Nmap that we want to scan ports 1-65535.
[-T3] Slower than normal scan time. Important if you are pentesting a fragile network.
[-oX /root/Desktop/scan_report.xml] Exports an XML report of the findings to the specified file.
[--stylesheet=nmap.xsl] References the nmap.xsl stylesheet from the XML file so that a web browser can render it.
[10.0.0.21] Metasploitable / target host



7.  The nmap.xsl file must be in the same directory as the newly created scan_report.xml file that we placed on our desktop, because the browser resolves the stylesheet reference relative to the XML file. To copy it to the desktop run the following command: cp /usr/local/share/nmap/nmap.xsl /root/Desktop/nmap.xsl


8.  Now that the nmap.xsl file is on our desktop, we can simply double-click scan_report.xml. This should automatically open the report in your web browser. Below are screenshots of that report.
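Opening the report in a browser is fine for a single host, but the same XML is also easy to process programmatically. The script below is an added example, not code from the original post or from the Nmap project: it reads a report written with -oX, checks which stylesheet the file references (the reason step 7 copies nmap.xsl next to it), lists every open port per host, and flags the open services that are not on an approved list, which is the practical form of the "disable non-essential services" advice. SAMPLE_REPORT is a constructed, trimmed imitation of a Metasploitable scan (a real report carries more attributes and a <runstats> block), and APPROVED is an assumed allowlist for the host.

```python
"""Summarize an Nmap -oX report and flag unapproved open services.

Added example (not from the original post or the Nmap project).
Uses only the Python standard library.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout Nmap writes with -oX, trimmed to the
# elements used below. Port 8080 is closed on purpose so the parser has a
# non-open state to skip.
SAMPLE_REPORT = """<?xml version="1.0"?>
<?xml-stylesheet href="nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -O -sS -p 1-65535 -T3 -oX scan_report.xml 10.0.0.21">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
        <service name="http-proxy"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/>
    </os>
  </host>
</nmaprun>
"""

# Assumed allowlist: (port, protocol) pairs this host is meant to expose.
APPROVED = {(22, "tcp"), (80, "tcp")}


def stylesheet_href(xml_text):
    """Return the href of the xml-stylesheet processing instruction, or None.

    The browser resolves this path relative to the XML file, which is why
    nmap.xsl has to sit in the same directory as scan_report.xml.
    """
    match = re.search(r'<\?xml-stylesheet[^>]*href="([^"]+)"', xml_text)
    return match.group(1) if match else None


def parse_report(xml_text):
    """Return {ip: {"os": name-or-None, "open": [port dicts]}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        osmatch = host.find("os/osmatch")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed / filtered ports are not exposure
            svc = port.find("service")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[addr.get("addr")] = {
            "os": osmatch.get("name") if osmatch is not None else None,
            "open": sorted(open_ports, key=lambda p: (p["proto"], p["port"])),
        }
    return hosts


def unapproved_services(hosts, approved):
    """List (ip, port, proto, service) for open ports not in the allowlist."""
    findings = []
    for ip, info in hosts.items():
        for p in info["open"]:
            if (p["port"], p["proto"]) not in approved:
                findings.append((ip, p["port"], p["proto"], p["service"]))
    return findings


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("stylesheet:", stylesheet_href(SAMPLE_REPORT))
    for ip, info in report.items():
        print(ip, "OS guess:", info["os"])
        for p in info["open"]:
            print("  %5d/%s %-8s %s %s" % (p["port"], p["proto"], p["service"],
                                            p["product"] or "", p["version"] or ""))
    for ip, port, proto, svc in unapproved_services(report, APPROVED):
        print("REVIEW: %s exposes %d/%s (%s) which is not approved" % (ip, port, proto, svc))
```

To run it against a real file, replace SAMPLE_REPORT with the contents of /root/Desktop/scan_report.xml; the parser only looks at hosts whose status is "up" and only counts ports whose state is "open", so closed and filtered ports never show up as findings.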


Scan_report.xml continued...




Final Thoughts:


Nmap is a very important tool that is used by both security professionals and malicious attackers.
To defend an asset from Nmap scans, disable all non-essential services. Doing this limits the attack surface and "hardens" the target against malicious attackers. Another way of defending an asset from network reconnaissance is to implement a finely tuned firewall.

I'm done with this blog post...  It was more daunting than I previously thought.  If you have any questions, please feel free to ask in the comment section below.
