Intro to Scanning for the National Cyber League Games


Discovering Hidden Secrets with Nmap

Hello all! And welcome to my next installment to the Player Ambassador training series. This time our topic is nmap scanning: what it does and how to tailor your scans to your competition needs. For some who already have a solid understanding of this topic skip down to Commands for the juicy details. If you’re not using Kali or don’t have nmap installed yet, go to nmap’s official site for the official download and install guide.

Background

When trying to find vulnerabilities on a target server, port scanning the box would be your second step. Step one would be open-source intelligence gathering against your target of course. 😉 Applications or software running on a server will sometimes be listening for traffic from the open internet on different ports. For example: If you’re trying to connect to a web client, your computer will be listening for a connection on either port 80 (HTTP, insecure) or port 443 (HTTPS, secure). If you need to transfer files from a machine you have credentials for, you can connect to port 21 (File Transfer Protocol). Need to remotely execute commands or access files? Try port 22 for authorized SSH (Secure Shell). The above are standard with most computers, but even games you download or software you install might be listening for data at specific ports on your machine. For more info on standard ports, you can review this list.

Why is this important? If an application has any open ports that are unsecured, you might be able to remotely access data with default credentials, or even none at all. Certain business software can be hopelessly outdated as well, and vulnerable to a host of compromising attacks.

Summary

Flags Use Examples
-sS TCP port SYN scan nmap -sS scanme.nmap.org
-sT TCP Connect scan nmap -sT scanme.nmap.org
-sU UDP port scan nmap -sU scanme.nmap.org
-sV Version detection nmap -sV -sU scanme.nmap.org
-Pn Assume all hosts are up nmap -Pn -sS scanme.nmap.org
-T (0-5) Sets the speed of the ping scan nmap -sS -T4 scanme.nmap.org
-p Sets port #’s to scan nmap -p 1-65535 scanme.nmap.org

Pressing control + x while running a command will give you details on approximately how much time the scan has left to complete.

Commands

The general format for Nmap commands is:

nmap [scan type] [options] {target}

There are 3 main ways you can specify targets:

IPv4 45.33.32.156
IPv6 2600:3c01::f03c:91ff:fe18:bb2f
Host Name scanme.nmap.org

There are ways to specify a range of target hosts, but the NCL will generally have you focus on one target host at a time.

Using just the nmap command with an IP address or hostname will scan through the first 1,000 TCP ports on the target. Though this is a good starting point, the competition is looking for a little more than that. The -p flag allows you to specify a range of ports to scan. There are a couple different ways to format it, but your best friend will be -p- which does a scan of all available ports (1-65535).

There are two different types of port connections you will most likely be asked about: TCP and UDP. (If you want to learn about the difference between the two, look here). Nmap will scan for TCP ports by default, but there are two other ways to specify it. -sS will do a TCP SYN scan, which means that it will initiate TCP communication but it will never complete the connection.

TheBog:~ webwitch$ nmap -sS scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 13:58 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.059s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite  
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

The other way is the -sT flag, which runs a full connect TCP scan. Targets are more likely to log the connection, but it can be used when the TCP SYN scan isn’t an option. It will, however, give you essentially the same information.

TheBog:~ webwitch$ nmap -sT scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 13:58 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.054s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite  
Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds

We aren’t worried about our target logging the connection in the NCL CTF. If you were to go out into the hacking world on a red-team engagement, scans like these need to be done stealthily— that’s where these options come in handy.

UDP ports are less commonly used in the world, but it’s always possible that they’ll be asked about in competition. If they are, all you have to do is substitute in the -sU flag and you’ll be good to go. Just a note: they will take longer than TCP scans, so try finishing the TCP scan questions first or run TCP and UDP in the same scan to save time.

TheBog:~ webwitch$ nmap -sU scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 14:02 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.051s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 997 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
123/udp open          ntp
162/udp open|filtered snmptrap  
Nmap done: 1 IP address (1 host up) scanned in 30459.17 seconds

More often than not, there are questions that ask you to identify the program running on a certain port. Thankfully, the -sV flag makes it easy to fingerprint these services.

TheBog:~ webwitch$ nmap -sS -sV scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-07 23:31 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.063s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.78 seconds

These four flags will get you through a majority of the scanning challenges. If you want to find ways to spice up your scans, there’s always the SANS nmap cheat sheet  and this blog post I found myself returning to for reference time and time again. However, it’s good to remember that sometimes simpler is better and adding on features might just make your scan take longer for ultimately the same result.

Pro Tips

  • There are sometimes where you try and scan a target and your computer swears up and down that it isn’t active. Some ways to troubleshoot are:
    • Is your computer connecting to the internet properly? Try pinging google (ping 8.8.8.8). If you can’t connect, then you should probably troubleshoot your internet connection.
    • Connected to the internet? Try adding the -Pn flag to your scan. This will make nmap pretend like the host is up even if it is skeptical and send the packets anyway.
    • Is it still not giving you a response? Ask the NCL slack channel. Sometimes the boxes do go down because of how much traffic they are receiving at once. Maybe move on to a different question and come back to try that one later.
  • As always, read the question carefully. I can’t tell you how many times I entered the wrong answer because a question was looking for the software on the highest filtered port and I was answering with the highest open port. Slow and steady will get you to your destination with higher accuracy.

One thought on “Intro to Scanning for the National Cyber League Games

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.