Thursday, September 23, 2010

Interpreting Discovery Scan Results

Last time I discussed how to perform an nmap syn scan for host discovery. With the scan complete, interpreting the results is the next step. Let's start by discussing the results and how to interpret them, followed by a look at the three output files and what they can be used for.


The first line in the results shows what options the scan was run with. One thing to note is that the version appears to be only the major release, not the exact version used for the scan. Here is the first line of the filename.nmap file showing what scan options were used during the scan.

# Nmap 5.00 scan initiated Sun Sep 19 11:46:59 2010 as: nmap -PN -n -sS -T 1 -p 21-23,25,80,110,143,443,3389 -oA hostdiscovery 192.168.1.0/24

After the scan options, the next line shows the IP address of an online host. The following line is the header describing the columns of the output: the port, the state and the service. After the header line, the number of ports listed will vary based on the scan options. Here is the nmap output for two of the hosts on the target network:

Interesting ports on 192.168.1.150:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
25/tcp filtered smtp
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
443/tcp open https
3389/tcp closed ms-term-serv

Interesting ports on 192.168.1.151:
PORT STATE SERVICE
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
25/tcp filtered smtp
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
443/tcp open https
3389/tcp closed ms-term-serv

The port field lists the port number and protocol (tcp or udp, depending on which protocols were scanned) that nmap scanned.

The state field is the critical field when determining if a host is online. Nmap has 6 possible states. The three states seen in most scans, including a syn scan, are open, closed, and filtered. Be aware the three other states may be seen in different types of scans. Here is a brief description of each state, but please visit the nmap website for more detailed explanations.

Open – the port is actively listening and accepting connections.
Closed – the port is not actively listening (the host answered the probe, but nothing is listening on that port)
Filtered – the port is being filtered by a packet filtering device

For this example of port states, let's focus on ports tcp/22 (ssh), tcp/25 (smtp) and tcp/80 (http) on hosts 192.168.1.150 (TargetA) and 192.168.1.151 (TargetB).

Starting with tcp/22 on TargetA, the port state is filtered, so we know there is a packet filtering device between us and the target network. On TargetB the tcp/22 port state is open.

Next, looking at tcp/25 on TargetA, the port state is filtered. Again it appears there is some kind of packet filtering device between us and the target network. On TargetB the tcp/25 port state is closed.

Finally, looking at tcp/80 on TargetA and TargetB, the port state on each host is open.

It's important to note that the service listed in the scan results comes from the nmap-services database, which simply maps port numbers to their commonly assigned service names. During this scan no service detection was performed, so the results rely solely on the services database. Remember it's possible to have any service running on any port. For example, a web server could be listening on tcp port 21 (the ftp port). During the enumeration scan, version detection should be done to ensure the service actually running on a particular port is identified correctly.

The final line of the scan provides information about the total number of online hosts and how long the scan took to complete. Here is the last line of output from the scan results:

# Nmap done at Sun Sep 19 13:57:06 2010 -- 256 IP addresses (10 hosts up) scanned in 7807.86 seconds

Looking at the scan results, a couple of items of interest can be determined. Looking at tcp/22 on the two hosts (TargetA and TargetB), there is a good chance a packet filtering device is being used. Looking at the various port states, with some ports in a filtered state while others are in a closed state, it's probable the packet filtering device policy is default permit: the closed responses show that probes to those ports reached the host and were answered, so only specific ports are being blocked.

By performing a discovery scan first, there is a better understanding of which systems are online and how the firewall is configured. With the information gathered during the discovery scan, the enumeration phase can be more targeted, resulting in two benefits. The first benefit is time saved by focusing only on hosts that are online. The second benefit is a lower likelihood of detection, because later phases of the penetration test are more targeted.

With an understanding of how to interpret the results, the three different output files can be used to the tester's advantage. The three types of output files are the normal, grepable and XML files.

The normal output file (.nmap file extension) is great when looking at the entire scan result or for counting how many ports are open in a scan. If you want to search the results for how many hosts have a particular port, this simple search can be performed:

host# grep -i '80/tcp' hostdiscovery.nmap | wc -l
10

The results from the grep show that 10 hosts have tcp/80 open. (Note that the pattern only contains the port, so it matches the 80/tcp line whatever its state; include the state in the pattern when only open ports should be counted.) With this information, service detection scans could be run against tcp/80 or a full enumeration scan could be performed. The normal output is good for gathering information from an overall perspective (i.e. counting all open tcp/80 ports), but if the objective is to know which specific hosts have tcp/80 open, other formats should be used. The normal format output is one port per line, making more complex searches much more difficult.

Searching for specific information is best done using the grepable output file (.gnmap file extension). This format writes the scan results for one host on a single line, making it easier to search with command-line tools. For example, to search for all hosts with tcp/80 open using grep, this command would perform the search:

host# grep -i '80/open' hostdiscovery.gnmap
Host: 192.168.1.150 () Ports: 21/closed/tcp//ftp///, 22/filtered/tcp//ssh///, 23/closed/tcp//telnet///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 110/closed/tcp//pop3///, 143/closed/tcp//imap///, 443/closed/tcp//https///, 3389/closed/tcp//ms-term-serv///
Host: 192.168.1.151 () Ports: 21/closed/tcp//ftp///, 22/filtered/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 110/closed/tcp//pop3///, 143/closed/tcp//imap///, 443/open/tcp//https///, 3389/closed/tcp//ms-term-serv///
< -- output cut for brevity -- >

The results return every host with tcp/80 open, but they are difficult to read, especially when looking at large networks. Since the objective is to find hosts with tcp/80 open, grep can be combined with awk to print only the host addresses, as seen here:

host# grep -i '80/open' hostdiscovery.gnmap | awk '{print $2}'
192.168.1.150
192.168.1.151
192.168.1.152
192.168.1.200
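The grep/wc count on the normal file and the grep/awk search on the grepable file above answer questions about port states by pattern matching. As an added example (not code from the original post), here is a small parser for the .gnmap format that answers the same questions from structured data, including a per-state count that shows what a pattern such as '80/tcp' lumps together. The sample lines are constructed from the post's output; the third host is invented.

```python
"""Parse nmap grepable (.gnmap) output and answer the questions the post
puts to grep, wc and awk: which hosts have a port in a given state and how
many hosts show each state for a port. Added example, not from the post;
the sample below is constructed from the post's output (third host invented)."""
from collections import Counter

SAMPLE_GNMAP = """\
# Nmap 5.00 scan initiated Sun Sep 19 11:46:59 2010 as: nmap -PN -n -sS -p 21-23,25,80,443 -oA hostdiscovery 192.168.1.0/24
Host: 192.168.1.150 () Ports: 21/closed/tcp//ftp///, 22/filtered/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 192.168.1.151 () Ports: 21/closed/tcp//ftp///, 22/filtered/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.168.1.152 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/closed/tcp//http///, 443/filtered/tcp//https///
# Nmap done at Sun Sep 19 13:57:06 2010 -- 256 IP addresses (3 hosts up) scanned in 7807.86 seconds
"""

def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service)}} from the Host: lines.
    Each Ports: entry is port/state/protocol/owner/service/rpc info/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # skip '# Nmap ...' and Status-only lines
        ip = line.split()[1]
        # A tab-separated 'Ignored State:' note may follow the port list.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        hosts[ip] = {}
        for entry in ports_field.split(","):
            f = entry.strip().split("/")
            if len(f) < 5:
                continue                  # blank or malformed entry
            hosts[ip][(int(f[0]), f[2])] = (f[1], f[4])
    return hosts

def hosts_with_state(hosts, port, state, proto="tcp"):
    """The grep '80/open' | awk '{print $2}' step: hosts with port in state."""
    return sorted(ip for ip, ports in hosts.items()
                  if ports.get((port, proto), (None,))[0] == state)

def state_counts(hosts, port=None, proto="tcp"):
    """Per-state counts for one port, or for every port when port is None.
    grep '80/tcp' | wc -l on the .nmap file adds all of these together, while
    the overall filtered-vs-closed mix is the post's default-permit hint."""
    return Counter(state for ports in hosts.values()
                   for (p, pr), (state, _) in ports.items()
                   if pr == proto and (port is None or p == port))
```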

The final format, XML output (.xml file extension), can be read by many different applications including scanpbnj. Using scanpbnj, the results in the XML file can be imported and stored in a sqlite database. Then, using outputpbnj, the results can be queried using SQL statements. Remember many other applications can import XML formatted output as well.
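The XML-to-sqlite workflow described above, as an added example written for this page rather than PBNJ's own code: the nmaprun document is a constructed minimal one matching the post's results, and the query does the cross-port comparison the post makes by eye (tcp/80 open on a host whose tcp/22 is filtered), which a single grep on the .gnmap line cannot express.

```python
"""Load nmap XML output into SQLite and query it with SQL, the scanpbnj /
outputpbnj workflow the post describes. Added example, not PBNJ's code;
the nmaprun document below is constructed to match the post's results."""
import sqlite3
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -n -sS -p 22,80 192.168.1.0/24">
 <host><status state="up"/><address addr="192.168.1.150" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.1.151" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.168.1.160" addrtype="ipv4"/></host>
</nmaprun>"""

def load_nmap_xml(xml_text):
    """Return an in-memory SQLite connection holding one row per scanned port."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ports (ip TEXT, port INTEGER, proto TEXT, "
               "state TEXT, reason TEXT, service TEXT)")
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or host.find("status").get("state") != "up":
            continue                      # down hosts carry no ports element
        for port in host.iter("port"):
            st, svc = port.find("state"), port.find("service")
            db.execute("INSERT INTO ports VALUES (?, ?, ?, ?, ?, ?)",
                       (addr.get("addr"), int(port.get("portid")),
                        port.get("protocol"), st.get("state"), st.get("reason"),
                        svc.get("name") if svc is not None else None))
    return db

def open_behind_filter(db, open_port, filtered_port):
    """Hosts with open_port open and filtered_port filtered: the cross-port
    comparison the post does by eye, which one grep on a .gnmap line cannot do."""
    rows = db.execute(
        "SELECT a.ip FROM ports a JOIN ports b ON a.ip = b.ip "
        "WHERE a.port = ? AND a.state = 'open' AND b.port = ? AND b.state = 'filtered' "
        "ORDER BY a.ip", (open_port, filtered_port))
    return [r[0] for r in rows]
```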

Performing a discovery scan and properly interpreting the results increases the value of the penetration test for the client. Correctly identifying online targets allows the penetration tester more time to focus on known live hosts, and the customer receives a more accurate understanding of the risk to their organization.
