Nmap & Metasploit for Computer Network Security, Lecture notes of Computer Networks

These lecture notes cover the use of Nmap and Metasploit for computer network security. They explain how Nmap uses raw IP packets to determine available hosts, services, operating systems, and packet filters/firewalls, and cover typical Nmap scans such as Maimon scans, UDP scans, TCP Null scans, and FIN scans. They also give examples of how to scan a target with Nmap and detect remote service version numbers. The notes then introduce Metasploit and its related products, including Metasploit Framework, Metasploit Community, Metasploit Express, Metasploit Pro, and Armitage, and explain the Metasploit Framework architecture and terminology such as vulnerability, exploit, and payload.

Typology: Lecture notes

2021/2022
CSE468/598 Computer Network Security
Arizona State University

Nmap & Metasploit

Chun-Jen (James) Chung
Arizona State University


Nmap recap

• Nmap uses raw IP packets in novel ways to determine
  • what hosts are available on the network
  • what services (application name and version) those hosts are offering
  • what operating systems (and OS version) they are running
  • what type of packet filters/firewalls are in use
• It was designed to rapidly scan large networks, but works fine against single hosts.

Typical Nmap Scans (cont.)

• -sA : ACK scan
  • -sA tells Nmap to send an ACK packet to each port in Nmap's default port list.
  • If a RST packet is received, those ports are marked as unfiltered. This means there was no stateful firewall in front of your target.
  • If some other message is received, Nmap marks those ports as filtered.
• -sW : Window scan
  • -sW tells Nmap to send an ACK packet to Nmap's default port list, just like -sA.
  • This scan, however, looks at the TCP window field of the returned RST.
  • Open ports have a non-zero window size listed; closed ports have a window size of 0.

Typical Nmap Scans (cont.)

• -sM : Maimon scan
  • -sM tells Nmap to send a FIN/ACK packet to Nmap's default port list.
  • Most systems respond with a RST packet for both open and closed ports.
  • However, some BSD systems will drop the packet if the port is open.
• -sU : UDP scan
  • -sU tells Nmap to send an empty UDP packet to Nmap's default port list.
  • If an ICMP type 3, code 3 (port unreachable) message is returned, the port is marked as closed.
  • If an ICMP type 3 message with code 1, 2, 9, 10, or 13 is returned, the port is labeled as filtered.
  • If a service responds, the port is open.
  • If a service responds and then does not respond to a second UDP packet, the port is labeled as open|filtered.
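The flag combinations behind these scans (ACK only for -sA/-sW, FIN/ACK for -sM, no flags for -sN, FIN only for -sF) also give a defender a way to recognise them in firewall logs. The following Python is an added example, not part of the lecture notes: it parses constructed iptables-style LOG lines (the log format, the source addresses, and the five-port threshold are all assumptions made here) and reports any source that sent the same flag combination to many distinct ports.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Flag set as seen on the wire, mapped to the Nmap scan type that sends it.
# A single FIN/ACK or ACK on one flow is normal TCP; the same flag set sprayed
# across many ports from one source is what makes it look like a scan.
SCAN_SIGNATURES = {
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "ACK"}): "Maimon scan (-sM)",
    frozenset({"ACK"}): "ACK or Window scan (-sA / -sW)",
    frozenset({"SYN"}): "SYN scan (-sS) or connect scan",
}

_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (src, dport, flagset) for a TCP log line, or None for anything else.

    iptables LOG prints KEY=VALUE fields plus bare flag tokens such as 'ACK'.
    """
    fields = dict(_FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DPT" not in fields:
        return None
    flags = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return fields["SRC"], int(fields["DPT"]), flags


def detect_scans(log_text, min_ports=5):
    """Group probes by (source, flag set) and report combinations that touched
    at least min_ports distinct destination ports, labelled by scan type."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, dport, flags = parsed
            ports[(src, flags)].add(dport)
    findings = []
    for (src, flags), dports in sorted(ports.items(), key=lambda kv: kv[0][0]):
        if len(dports) >= min_ports:
            label = SCAN_SIGNATURES.get(
                flags, "unusual flag combination " + "/".join(sorted(flags)))
            findings.append((src, label, len(dports)))
    return findings


def _line(src, dport, flags):
    # Constructed iptables-style LOG line (not real traffic); only SRC, PROTO,
    # DPT and the bare flag tokens are consumed by parse_line().
    return (f"Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.20 "
            f"PROTO=TCP SPT=40001 DPT={dport} WINDOW=1024 RES=0x00 {flags} URGP=0"
            ).replace("  ", " ")


# Constructed sample log: three scanning sources, one normal HTTPS session,
# and one lone SYN to DNS that should not be reported.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", p, "ACK") for p in (21, 22, 25, 80, 443, 8080)]   # -sA style
    + [_line("10.0.0.6", p, "ACK FIN") for p in (21, 22, 25, 80, 443)]  # -sM style
    + [_line("10.0.0.7", p, "") for p in (21, 22, 25, 80, 443)]         # -sN style
    + [_line("10.0.0.8", 443, "ACK") for _ in range(20)]                # normal session
    + [_line("10.0.0.9", 53, "SYN")]                                   # single probe
)

if __name__ == "__main__":
    for src, label, count in detect_scans(SAMPLE_LOG):
        print(f"{src}: {label} across {count} ports")
```

The per-source distinct-port threshold is what separates a scan from ordinary traffic: 10.0.0.8 sends twenty ACKs but all to one port, which is just an established session, while 10.0.0.5 sends ACKs to six ports with no SYN first, which is the -sA pattern. The same logic works on any log source that records source address, destination port and TCP flags; only the field parsing changes.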

Scan target with Nmap

  • Scan target to get the open TCP ports and OS version info: nmap -sS -O -v <target IP/Range>
  • Find out if a host/network is protected by a firewall: nmap -sA <target IP/Range>
  • Scan a host when protected by the firewall: nmap -Pn <target IP/Range>
  • Detect remote services version numbers: nmap -sV <target IP/Range>
  • Scan a host using TCP ACK (PA) and TCP SYN (PS) ping: nmap -PS80,21,443 192.168.1.

Reference: http://nmap.org/nmap_doc.html http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
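Nmap can write the results of these scans as XML (-oX), and the open ports, service versions from -sV and OS guess from -O are what an administrator turns into an asset inventory or a patch list. The following Python is an added example, not part of the lecture notes: it parses a constructed nmap XML document (the host address, ports and versions are made up for the example) into per-host records and pulls out the services for which a product/version string was detected.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output for one host (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -sV -oX out.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" extrainfo="Ubuntu"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 5.4 - 5.10" accuracy="94"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per host: address, best OS guess, and every port whose
    state is not 'closed', each carrying the -sV service/version string."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        osmatch = host.find("os/osmatch")  # first osmatch is Nmap's best guess
        rec = {"addr": addr,
               "os": osmatch.get("name") if osmatch is not None else None,
               "ports": []}
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state == "closed":
                continue
            svc = port.find("service")
            banner = None
            if svc is not None:
                parts = [svc.get("product"), svc.get("version"), svc.get("extrainfo")]
                banner = " ".join(p for p in parts if p) or None
            rec["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state,
                "service": svc.get("name") if svc is not None else None,
                "version": banner,
            })
        hosts.append(rec)
    return hosts


def versioned_services(hosts):
    """Open ports for which -sV produced a product/version string: the entries
    a patch-tracking or inventory process would act on."""
    return [(h["addr"], p["port"], p["version"])
            for h in hosts for p in h["ports"]
            if p["state"] == "open" and p["version"]]


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(host["addr"], "OS guess:", host["os"])
        for p in host["ports"]:
            print(f"  {p['proto']}/{p['port']} {p['state']} {p['service']} {p['version'] or ''}")
```

Note that the state names in the XML are exactly the ones the scan descriptions above use: 'filtered' and 'open|filtered' are kept in the record because they tell the reader something about the firewall in front of the host, while 'closed' ports are dropped as noise. A real file from `nmap -oX` may contain many `<host>` elements and hosts with no `<os>` section at all, which is why the OS lookup tolerates a missing element.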

Nmap with Script Scan


Reference: http://nmap.org/nsedoc/categories/vuln.html

Metasploit Related Products from

  • Metasploit Framework
    • A free command-line tool, including third-party import, manual exploitation and manual brute forcing.
  • Metasploit Community
    • Free web-based user interface for Metasploit with a reduced set of features, including network discovery, module browsing and manual exploitation.
  • Metasploit Express
    • A baseline penetration test tool. It offers a GUI, nmap for discovery, and adds smart brute forcing as well as automated evidence collection.
  • Metasploit Pro
    • Advanced penetration test tool; includes all features of Metasploit Express and adds web application scanning and exploitation, social engineering campaigns and VPN pivoting.
  • Armitage
    • A free graphical cyber attack management tool for the Metasploit Project.

Metasploit Framework Architecture

Metasploit Installation

  • Download and run the installation file
    • wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
    • chmod +x metasploit-latest-linux-installer.run
    • sudo ./metasploit-latest-linux-installer.run
  • Follow the setup procedure in the wizard (takes several minutes).
  • Register as a Metasploit Community user and get an activation code from Rapid7
    • http://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp
  • Using Metasploit
    • From the web GUI or "sudo msfconsole"

Using Metasploit

• show – list available modules (exploits, payloads, etc.)
• use – select a specific exploit module
• set – set specific variables (case sensitive)
  • RHOST – remote host (who we're attacking)
  • PAYLOAD – the payload to carry
  • LHOST – local host (attacker or reverse shell)
• exploit – run the exploit

Gain root on a vulnerable VM

• Scan the host
  – nmap -sS -Pn -A 172.16.3.
• Search for vulnerabilities using Nessus
• Run the smb detector program
• Search available exploits