Nmap 9 truth "Nothing to say any more"

Posted on 16-Apr-2017


Nothing to say any more

Nmap 9 truth

Profile: 小河 哲之 (Twitter: abend)

ISOG-WG1 / Burp Suite Japan User Group / Prosit

Trigger of this presentation

I wrote an article about Nmap in the May 2016 issue of Software Design. Today I will talk about the things I noticed while writing that article. (In this presentation, where no version is given, v7.12 is meant.)

First, I will introduce 8 hidden options of Nmap, and the only type of malware (a worm) that Nmap can detect. I will also talk about how to make good use of Nmap.

8 hidden options + 1 type of malware = 9 truths

Nmap: one of the network scanners. Gordon Lyon developed it in 1997.

- Port scan
- Host discovery
- OS and service detection
- Vulnerability scan

8 hidden options: in Nmap there are hidden options that are not listed in the Reference Guide or in the help output.

--noninteractive


--noninteractive: Nmap is an interactive application.

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-30 23:38 JST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.10% done

--noninteractive: with this option, we CAN switch off the Enter-key interaction that is used for watching the scan progress.

--noninteractive: nmap_tty.cc, lines 336-342:

"Interactive keyboard commands:\n"
"? Display this information\n"
"v/V Increase/decrease verbosity\n"
"d/D Increase/decrease debugging\n"
"p/P Enable/disable packet tracing\n"
"anything else Print status\n"
"More help: https://nmap.org/book/man-runtime-interaction.html\n");

--noninteractive

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-30 23:39 JST
Packet Tracing enabled.
SENT (1.6510s) TCP 192.168.217.130:45411 > 192.168.217.131:8888 S ttl=41 id=54162 iplen=44 seq=1659576208 win=1024 <mss 1460>
RCVD (1.6509s) TCP 192.168.217.131:8888 > 192.168.217.130:45411 RA ttl=64 id=0 iplen=40 seq=0 win=0
Packet Tracing disabled.

(Press 'p' to enable packet tracing, 'P' to disable it.)

--noninteractive: we can turn on packet tracing with 'p', and in the same way turn on an option we forgot (verbosity, debugging) or turn a given option off, interactively, while the scan is running.

--noninteractive: Nmap's runtime interaction lets us confirm that Nmap is running properly by temporarily enabling some options during a very slow scan.

--noninteractive disables it.

--noninteractive: in the Japanese reference guide,

"This option is still not built into Nmap. This item needs content added, or should be deleted."

--noninteractive: this option was added to Nmap in v4.00 (2006/1/31), so I guess the Japanese reference guide was written before that version.

--noninteractive

Conclusion: Useless

--nogcc

--nogcc: Nmap sends the probes to the specified segment(s) all at once, so the scan finishes quickly.

Average time of 10 scans (/24, SYN scan):
no option: 9.62 sec
with --nogcc: 3.73 sec

--nogcc

[Chart: packets per second against elapsed time for one /24 SYN scan. With --nogcc the scan finished in 1.65 sec; with no option it took 11.06 sec.]

--nogcc: a filtered host and a host on which some services were running were not detected.

no option: 9 hosts
with --nogcc: 7 hosts
※ Because of a slow ARP response, one host was not detected; the --send-ip option resolved the situation.

--nogcc: Nmap normally controls congestion, but --nogcc turns that control off, so all packets are sent at once.

--nogcc: scan_engine.cc, lines 394-403:

/* In case the user specifically asked for no group congestion control */
if (o.nogcc) {
  if (when)
    *when = USI->now;
  return true;
}

--nogcc: three points of congestion control in Nmap.

• congestion window
• exponential backoff
• slow start

--nogcc
• congestion window → if a drop is detected, reduce the number of outstanding packets
• exponential backoff → if a drop is detected, slow down dramatically
• slow start → ramp the scanning speed up gradually

--nogcc: with --nogcc, Nmap sends the scan packets all at once, which can increase the load on the network and the target. And because the effects of congestion are no longer fed back into the scan, precision drops, which can lead to false negatives (a dropped probe looks like a filtered port).

The option for naughty people.
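To make that trade-off concrete, here is a small model, added here as an example and not Nmap's own code, of a scanner probing through a path that silently drops everything beyond a fixed number of probes per round. scan_nogcc fires every probe at once, as --nogcc does; scan_with_cc applies the three mechanisms listed above (congestion window, slow start, exponential backoff on drops). The capacity, port list and retry limit are constructed for the illustration and are not Nmap's real timing parameters.

```python
"""Why --nogcc trades accuracy for speed: a toy congestion model.

Added example, not Nmap code.  A Link delivers at most `capacity` probes per
round and drops the rest without any response, standing in for a congested
path or a rate-limiting firewall.  All constants are constructed.
"""


class Link:
    """Delivers at most `capacity` probes per round and silently drops the rest."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.rounds = 0
        self.sent = 0

    def send(self, probes):
        self.rounds += 1
        self.sent += len(probes)
        return probes[:self.capacity]        # probes beyond capacity vanish


def scan_nogcc(ports, capacity):
    """--nogcc behaviour: every probe in one round.  Whatever is dropped gets no
    answer, so those ports look filtered: a false negative, not a slow result."""
    link = Link(capacity)
    answered = set(link.send(list(ports)))
    return {"open": sorted(answered),
            "filtered": sorted(set(ports) - answered),
            "rounds": link.rounds, "sent": link.sent}


def scan_with_cc(ports, capacity, max_retries=3):
    """The three mechanisms from the slides, in a TCP-Reno-like form:

    * congestion window (cwnd): probes outstanding per round;
    * slow start: cwnd doubles per loss-free round until the threshold, then
      grows by one per round (congestion avoidance);
    * exponential backoff: a drop halves the threshold, resets cwnd to 1 and
      doubles the wait before the next round; dropped probes are retried.
    """
    link = Link(capacity)
    pending = list(ports)
    answered = set()
    retries = {p: 0 for p in ports}
    cwnd, ssthresh, delay = 1, float("inf"), 1
    while pending:
        batch, pending = pending[:cwnd], pending[cwnd:]
        got = set(link.send(batch))
        answered |= got
        dropped = [p for p in batch if p not in got]
        if dropped:
            ssthresh = max(1, cwnd // 2)
            cwnd, delay = 1, delay * 2
            for p in dropped:
                retries[p] += 1
                if retries[p] <= max_retries:
                    pending.append(p)           # retry later, after the backoff
        elif cwnd < ssthresh:
            cwnd *= 2                           # slow start
        else:
            cwnd += 1                           # congestion avoidance
    return {"open": sorted(answered),
            "filtered": sorted(set(ports) - answered),
            "rounds": link.rounds, "sent": link.sent, "final_delay": delay}


if __name__ == "__main__":
    ports = list(range(1, 33))                  # 32 open ports behind a 4-probe/round path
    print(scan_nogcc(ports, capacity=4))        # 4 found, 28 false negatives, 1 round
    print(scan_with_cc(ports, capacity=4))      # all 32 found, 12 rounds, 37 probes sent
```

The single-round scan is the fastest possible, and also the one that reports 28 open ports as filtered; the controlled scan costs twelve rounds and a few retransmissions but loses nothing. That is the precision the slides say --nogcc gives up.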

--nogcc

Conclusion: Useless, except for naughty people

--route-dst

--route-dst: an option to check the route (interface, source address and next hop) that would be used for a given destination IP.

# nmap -e eth0 --route-dst 8.8.8.8
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-20 12:41 JST
8.8.8.8 eth0 eth0 srcaddr 192.168.1.209 nexthop 192.168.1.254

--route-dst

Conclusion: Useless

-I (uppercase i)

-I (uppercase i): the ident scan seems to be no longer implemented.

case 'I':
  error("WARNING: identscan (-I) no longer supported. Ignoring -I");
  break;
  // o.identscan++; break;

-I

Conclusion: Useless

-thc

-thc

# nmap -thc
!!Greets to Van Hauser, Plasmoid, Skyper and the rest of THC!!

It is just an Easter egg: "Greets" is a greeting (a shout-out) to the THC group.

-thc

Conclusion: Useless

-oH

-oH: the option for output in HTML format. If the escaping had a hole, it could lead to XSS.

-oH: from 2.30BETA16 to 3.93,

} else if (strcmp(long_options[option_index].name, "oH") == 0) {
  fatal("HTML output is not yet supported");

※ I did not check every version.

-oH: from 3.94ALPHA1 to 7.12,

} else if (strcmp(long_options[option_index].name, "oH") == 0) {
  fatal("HTML output is not directly supported, though Nmap includes an XSL for transforming XML output into HTML. See the man page.");

※ I did not check every version.

-oH: this option has perhaps never been implemented. I wanted to see an XSS in Nmap.

-oH

Conclusion: Useless

--ff

--ff: the option for 16-byte fragmentation. The -f option in the reference guide is for 8-byte fragmentation (the TCP header is split across IP fragments carrying at most 8 bytes each after the IP header).

--ff: both -f and --ff add to the fragment size, so repeating them accumulates.

} else if (strcmp(long_options[option_index].name, "ff") == 0) {
  o.fragscan += 16;

--ff: what happens in this case?

nmap -f -f --ff --ff 192.168.1.1

--ff: -f twice = 8 × 2 bytes, plus --ff twice = 16 × 2 bytes, gives 48-byte fragments. The options stack, just like -v -vv.

--ff: you can practise "how many bytes per fragment?" at elementary-school level ;-p

nmap -f -f --ff 192.168.1.1
(8 × 2 + 16 = 32-byte fragments)

--ff: if you want to fragment more simply, you had better use the documented --mtu XX option (Nmap also accepts the single-dash spelling -mtu) rather than -f or --ff. The value must be a positive multiple of 8, because the IPv4 fragment offset is counted in 8-byte units; Nmap rejects any other value.

nmap -mtu 24 192.168.1.1
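The arithmetic above and the multiple-of-8 rule come from how IPv4 fragmentation works. The following is an added example, not Nmap's code: it reproduces the flag accumulation from the nmap.cc lines quoted above (-f adds 8, --ff adds 16, --mtu sets the size), then splits a constructed TCP SYN header into IPv4 fragments with correct More-Fragments flags, 8-byte-unit offsets and header checksums, and reassembles them the way the target's IP stack would. Addresses, ports and the identification value are made up.

```python
"""IPv4 fragmentation as Nmap's -f / --ff / --mtu options produce it.

Added example, not Nmap code.  The flag arithmetic follows the nmap.cc lines
quoted on the slides; the packet layout follows RFC 791.  Addresses, ports
and the IP identification value are constructed.
"""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
MF = 0x1                   # More Fragments flag (bit 13 of the flags/offset field)


def nmap_fragment_size(argv):
    """Accumulate -f (+8) and --ff (+16) like o.fragscan in nmap.cc; --mtu sets
    the size outright.  Anything that is not a positive multiple of 8 is
    rejected, because the fragment offset field counts 8-byte units."""
    size = 0
    args = iter(argv)
    for arg in args:
        if arg == "-f":
            size += 8
        elif arg == "--ff":
            size += 16
        elif arg in ("--mtu", "-mtu"):
            size = int(next(args))
    if size <= 0 or size % 8:
        raise ValueError("Data payload MTU must be >0 and multiple of 8")
    return size


def ipv4_checksum(header):
    """RFC 791 header checksum: ones'-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, flags, offset, ttl=64):
    """One IPv4 packet with a 20-byte header; `offset` is in bytes."""
    flags_off = (flags << 13) | (offset // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_off, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Header fields needed for reassembly; verifies the header checksum."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ihl = (ver_ihl & 0xF) * 4
    return {"key": (src, dst, ident, proto), "mf": bool(flags_off >> 13 & MF),
            "offset": (flags_off & 0x1FFF) * 8, "data": packet[ihl:total_len]}


def fragment(src, dst, proto, payload, frag_size, ident=0x1234):
    """Split `payload` (here a TCP header) into fragments of `frag_size` bytes.
    Only the first fragment carries the start of the TCP header, which is all
    a stateless filter that matches on ports gets to see."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    fragments = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + len(chunk) < len(payload)
        fragments.append(build_ipv4(src, dst, proto, chunk, ident, MF if more else 0, off))
    return fragments


def describe(fragments):
    """(offset, length, more_fragments) per fragment, for inspection."""
    return [(f["offset"], len(f["data"]), f["mf"]) for f in map(parse_ipv4, fragments)]


def reassemble(fragments):
    """Put one datagram back together in offset order, as the target's IP stack
    does before TCP ever sees the header."""
    pieces, key, total = {}, None, None
    for f in map(parse_ipv4, fragments):
        key = key or f["key"]
        if f["key"] != key:
            raise ValueError("fragments from different datagrams")
        pieces[f["offset"]] = f["data"]
        if not f["mf"]:
            total = f["offset"] + len(f["data"])
    data = b"".join(pieces[o] for o in sorted(pieces))
    if total is None or len(data) != total:
        raise ValueError("incomplete datagram")
    return data


# Constructed 20-byte TCP SYN header: 45411 -> 8888, seq 1659576208, window 1024.
TCP_SYN = struct.pack("!HHIIBBHHH", 45411, 8888, 1659576208, 0, 5 << 4, 0x02, 1024, 0, 0)

if __name__ == "__main__":
    size = nmap_fragment_size(["-f", "192.168.1.1"])          # plain -f: 8
    frags = fragment("192.168.1.2", "192.168.1.1", 6, TCP_SYN, size)
    print(describe(frags))                                     # [(0, 8, True), (8, 8, True), (16, 4, False)]
    print(reassemble(frags) == TCP_SYN)                        # True
```

With plain -f the 20-byte TCP header becomes three fragments of 8, 8 and 4 bytes, which matches the reference guide's description; -f -f --ff gives 32 and the whole header fits in one fragment, so nothing is actually split. A value such as --mtu 20 is rejected before any packet is built, because 20 cannot be expressed in the offset field.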

--ff

Conclusion: Useless, except for elementary school children

--deprecated-xml-osclass

--deprecated-xml-osclass

This option concerns how osclass elements are placed relative to osmatch in -oX output: it reverts to the older XML layout, in which osclass is not nested as a child of osmatch. An option whose purpose is unknown to most users.

Some options contain a symbol such as a hyphen. Which of these can be used to specify the maximum scan delay?
① --max-scan-delay
② --max_scan_delay

Both work.

Nmap options can be specified with either a hyphen or an underscore. But mixing the two within one option is definitely wrong.

nmap.cc, lines 597-598. Both the hyphen and the underscore forms are defined:

{"max_scan_delay", required_argument, 0, 0},
{"max-scan-delay", required_argument, 0, 0},

deprecated-xml-osclass has both definitions, too.

I present the comment at osscan.cc line 1209, which fits my feeling on finding this bug.

char *p, *q; /* OH YEAH!!!! */

Well, let's read the Japanese reference guide.

The mixed form: --max_scan-delay.

If you actually use this mixed option, you will see this:

nmap: unrecognized option '--max_scan-delay'
See the output of nmap -h for a summary of options.

There is a mistake, and only in the Japanese reference guide!!

The max_scan_delay option was ...

• Added in v3.75 (2004/10/18)
• Both the hyphen and the underscore forms have been usable since v3.99 (2006/1/25)

There are 11 versions between v3.75 and v3.99 (2006/1/25). All 11 supported only the underscore form; there was never a mixed form.

This shows that it is merely a typo.

The Japanese reference guide is not only old but also has a mistake. I present the comment at netutil.cc line 4478, which fits my feeling on finding this.

continue; /* D'oh! */
In Japanese: おいおい、なんてこった (roughly: "hey, hey, what on earth")

--deprecated-xml-osclass

Conclusion: Useless

~ Progress so far ~

All 8 options are useless.

The only malware that can be detected

One malware (worm): Nmap can find only one malware (and the infected host) by service scan.

Service Scan: the service scan (-sV option) has an intensity (--version-intensity). The default is 7, but we can specify 0-9.

Service Scan: the port numbers and fingerprints are in nmap-service-probes. The rarity value in this file corresponds to the intensity: a probe is sent only when its rarity is at most the intensity (or when the target port is listed in the probe's ports line).

Service Scan: there are 126 probes in nmap-service-probes.

[Chart: number of probes per rarity value (None, 1-9) in nmap-service-probes. Probes with a rarity above the default intensity are not executed unless the intensity is raised.]

Service Scan: with only the -sV option, you take advantage of only about 30% of this feature. With a higher intensity, we may be able to detect pcAnywhere or Java RMI better.

Service Scan: this is one of the rarity 9 probes.

Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/
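How intensity and rarity interact, as an added example that is not Nmap's code: a small parser for the nmap-service-probes directives used above (Probe, rarity, ports, match), the selection rule from Nmap's version-detection documentation (a probe is sent when its rarity is at most the intensity, or when the target port appears in the probe's ports line; the NULL probe has no rarity and is always sent), and matching of a response against the match lines. SAMPLE_PROBES is a constructed excerpt: the mydoom entry is the one on the slide, while the NULL and GetRequest entries are simplified stand-ins for the real ones, and the responses are constructed.

```python
"""Probe selection by --version-intensity, and matching, for nmap-service-probes.

Added example, not Nmap code.  The probe excerpt is constructed (the mydoom
entry is copied from the slide; the others are simplified stand-ins).
Python's re runs the Perl-style match regexes used here.
"""
import codecs
import re
from dataclasses import dataclass, field

SAMPLE_PROBES = r"""
Probe TCP NULL q||
match ftp m|^220 Microsoft FTP Service\r\n| p/Microsoft ftpd/

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,443,8080
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Microsoft-IIS/([\d.]+)|s p/Microsoft IIS httpd/ v/$1/

Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/
"""

MATCH_RE = re.compile(r"^(?:soft)?match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")          # p/product/ v/version/ ...


@dataclass
class Match:
    service: str
    regex: re.Pattern
    fields: dict


@dataclass
class Probe:
    name: str
    payload: bytes
    rarity: int = 0                  # 0: no rarity line (the NULL probe), always sent
    ports: set = field(default_factory=set)
    matches: list = field(default_factory=list)


def unescape(text):
    """Decode the C-style escapes (\\x0d, \\r\\n, \\0) used in q|...| strings."""
    return codecs.decode(text, "unicode_escape").encode("latin-1")


def parse_ports(spec):
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_probes(text):
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split(None, 3)
        if tok[0] == "Probe":                          # Probe <proto> <name> q|payload|
            q = tok[3]
            probes.append(Probe(tok[2], unescape(q[2:q.rfind(q[1])])))
        elif tok[0] == "rarity":
            probes[-1].rarity = int(tok[1])
        elif tok[0] == "ports":
            probes[-1].ports = parse_ports(tok[1])
        elif tok[0] in ("match", "softmatch"):
            m = MATCH_RE.match(line)
            flags = (re.I if "i" in m.group(4) else 0) | (re.S if "s" in m.group(4) else 0)
            regex = re.compile(m.group(3).encode("latin-1"), flags)
            probes[-1].matches.append(Match(m.group(1), regex, dict(FIELD_RE.findall(m.group(5)))))
    return probes


def probes_for(probes, port, intensity):
    """Names of the probes Nmap would send to `port` at this intensity: rarity
    within the intensity, or the port registered in the probe's ports line."""
    return [p.name for p in probes if p.rarity <= intensity or port in p.ports]


def identify(probe, response):
    """First match line whose regex hits; $1.. in the version fields are expanded."""
    for m in probe.matches:
        hit = m.regex.search(response)
        if hit:
            expand = lambda s: re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))).decode("latin-1"), s)
            return m.service, {k: expand(v) for k, v in m.fields.items()}
    return None


def version_scan(probes, port, responses, intensity):
    """Send the selected probes in file order.  `responses` maps a probe name to
    the bytes the (constructed) service answers with; None means the port would
    be printed as 'unknown'."""
    by_name = {p.name: p for p in probes}
    for name in probes_for(probes, port, intensity):
        if name in responses:
            result = identify(by_name[name], responses[name])
            if result:
                return result
    return None


# Constructed: the backdoor on port 5424 of the infected XP host answers only
# the mydoom probe, with the 0x04 0x5b 00... signature.
MYDOOM_HOST_5424 = {"mydoom": b"\x04\x5b" + b"\x00" * 14}

if __name__ == "__main__":
    probes = parse_probes(SAMPLE_PROBES)
    for intensity in (7, 9):
        print(intensity, probes_for(probes, 5424, intensity),
              version_scan(probes, 5424, MYDOOM_HOST_5424, intensity))
```

At the default intensity 7 the mydoom probe is never sent to port 5424, because its rarity is 9 and 5424 is outside 706,3127-3198, so the port stays "unknown"; at intensity 9 the probe is sent and the match line fires. On port 3127 the same probe is sent even at intensity 0, because the port is registered in the probe's ports line.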


_人人人人人人人人人_>    mydoom !?  < ̄ Y^Y^Y^Y^Y^Y^Y  ̄


Mydoom

https://www.ipa.go.jp/security/topics/newvirus/mydoom.html

Mydoom appeared in 2004. It spread by e-mail and, during a certain period, attacked www.sco.com and other sites. It listens on a specific port (a backdoor).

※ 2004 was the year "cho-kimochiii" ("feels so good!"), said by Kosuke Kitajima, gold medallist at the Athens Olympics, won first prize in the buzzword-of-the-year award.

I tried

Infection on Windows XP SP3.

WORM_MYDOOM.BR

Without intensity

# nmap -p- -sV <IP address>
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5949
80/tcp   open  http         Microsoft IIS httpd 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
5424/tcp open  unknown

With intensity

# nmap -p- -sV --version-intensity 9 <IP address>
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5949
80/tcp   open  http         Microsoft IIS httpd 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
5424/tcp open  mydoom       MyDoom virus backdoor v012604

Nmap covered Mydoom!! (Port 5424 is not in the probe's ports line 706,3127-3198, so the rarity-9 probe is only sent once the intensity is raised to 9.)

In Nmap 4.00 (released 31/1/2006), the new probe for Mydoom was added, over 2 years after the worm appeared!!

No need to fear Mydoom with this probe.

With only one option, we can find Mydoom!

Nothing to say any more

The only malware that can be detected

Conclusion: Useless, except for people in trouble with Mydoom

Summary

Summary: all 9 truths are useless. It is natural that they are not in the Reference Guide or the help.

Nmap: one of the network scanners. Gordon Lyon developed it in 1997.
- Port scan
- Host discovery
- OS and service detection
- Vulnerability scan
- Support for naughty people (New!!)
- Arithmetic lesson (New!!)
- Detect only one worm (New!!)

At last: say goodbye to everyone, looking at line 845 of service_scan.cc.

if (newstrlen < 3) return -1; // Have a nice day!