Nmap/Short Course/Lecture 10: Difference between revisions
From charlesreid1
Revision as of 01:24, 29 May 2025
Main page: Nmap/Short Course
Summary and Objective
This session will focus on how Blue Teams use Nmap to verify security controls and ensure adherence to policies.
Objective: To teach students how to utilize Nmap and the Nmap Scripting Engine (NSE) for security auditing tasks, including verifying compliance with security policies, identifying rogue devices, and testing the efficacy of firewall rules and network segmentation.
Recap & Introduction to Security Auditing with Nmap
Quick Recap of Lecture 9
In our last lecture, we initiated our exploration of Nmap for Blue Team operations by focusing on network inventory and asset management. We discussed how to perform comprehensive network discovery, establish asset baselines using Nmap's XML output, and leverage Ndiff to track network changes over time. This foundational knowledge of "what's on the network" is crucial for effective defense.
What is Security Auditing?
Security auditing is a systematic, measurable technical assessment of how an organization's security policy is being employed on its systems and networks. It's an active process of verifying that security controls are implemented correctly, are functioning as intended, and are adequate to meet security goals. Unlike passive policy reviews, a security audit often involves active testing and probing to confirm configurations.
What is Compliance?
Compliance refers to adhering to specific laws, regulations, standards, and internal organizational policies. Examples include PCI DSS (Payment Card Industry Data Security Standard) for organizations handling credit card data, HIPAA (Health Insurance Portability and Accountability Act) for healthcare information, or an organization's own internal security policies that dictate, for instance, which services are allowed to run or which cryptographic standards must be used. Non-compliance can lead to fines, legal action, reputational damage, and increased risk of breaches.
Nmap's Role in Auditing and Compliance
Nmap serves as a powerful tool for security auditors to actively test and verify network-level security configurations and policy adherence. It can help answer questions like:
- Are there any unauthorized services running on our servers?
- Are our systems using strong encryption protocols as required by policy?
- Are firewalls correctly blocking traffic between network segments?
- Are there any rogue devices connected to our network that violate policy?
Nmap provides the means to gather empirical evidence about the state of network security controls.
Auditing for Policy Violations with Nmap & NSE
Nmap can be used to actively check for common policy violations and weak configurations.
Identifying Prohibited Services or Ports
Many organizations have policies that restrict or prohibit the use of certain services deemed risky. For example, Telnet (unencrypted remote access), unencrypted FTP, or VNC might be banned. Nmap can be used to scan the network specifically for these forbidden ports.
# Scan a subnet for Telnet (port 23) and VNC (ports 5900-5903)
sudo nmap -sS -p T:23,T:5900-5903 --open 192.168.1.0/24 -oN prohibited_services.nmap
The --open option ensures Nmap only reports hosts where these ports are actually open. Any hits would indicate a policy violation that needs investigation. This can be expanded to include any port or service your organization's policy deems unauthorized.
Checking for Weak Configurations with NSE
NSE scripts are invaluable for auditing specific configurations against security best practices or policy requirements:
SSL/TLS Cipher Auditing: The ssl-enum-ciphers script can connect to SSL/TLS enabled services (like HTTPS, SMTPS, IMAPS) and enumerate the supported cipher suites, key exchange methods, and protocol versions. This helps identify services using weak or deprecated ciphers (e.g., SSLv3, RC4) that violate security policies.
sudo nmap -sV -p 443 --script ssl-enum-ciphers <target_IP_or_range>
[Instructor: Run 'sudo nmap -sV -p 443 --script ssl-enum-ciphers <your_lab_web_server_IP>' and show an example where some weak ciphers or SSLv3 might be enabled.]
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.x
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (weak)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (strong)
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (strong)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (strong)
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
This output would highlight the presence of TLS_RSA_WITH_RC4_128_SHA as a weak cipher. Two caveats when reading real output: the example labels 3DES as strong, but 3DES-CBC suites are themselves deprecated (Sweet32, CVE-2016-2183) and a current policy should flag them alongside RC4; and current Nmap releases print a letter grade (A best, F worst) next to each cipher instead of the words weak/strong, with the "least strength" line summarising the worst grade seen. The fact that TLSv1.0 is offered at all is also a finding under PCI DSS and most current policies, independent of which ciphers it carries.
Default Credentials: Some NSE scripts in the auth category (or specific service scripts) check for default or missing credentials on devices such as routers, printers, and applications. Password-guessing scripts belong to the brute category and are intrusive, so an auditor selects them deliberately and within an agreed scan window. Safe scripts such as ftp-anon (anonymous FTP login) or snmp-info (which queries the agent with the community string passed via snmpcommunity, 'public' by default) identify default-credential policy violations without guessing; snmp-brute with a list of common community strings can be added where policy permits.
# Check for anonymous FTP
sudo nmap -p 21 --script ftp-anon <target_IP>
# Query SNMP with the default 'public' community string
sudo nmap -sU -p 161 --script snmp-info --script-args snmpcommunity=public <target_IP>
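Running the scans above produces evidence; turning that evidence into a pass/fail list against a written policy is the auditing step. The following is an added example (not code from the page or from the Nmap project) that reads an Nmap XML report and checks it for the three violation types discussed in this section: prohibited listening ports, weak TLS versions or cipher suites reported by ssl-enum-ciphers, and anonymous FTP reported by ftp-anon. SAMPLE_XML is constructed to mimic the shape of nmap -sS -sV -oX - output, and POLICY, audit and the rule names are assumptions of this example rather than anything Nmap defines.

```python
"""Audit an Nmap XML report against a simple service/TLS/credential policy.

Added example for this lecture, not code from the page or from the Nmap
project. SAMPLE_XML is constructed to mimic the shape of `nmap -sS -sV -oX -`
output with the ssl-enum-ciphers and ftp-anon scripts; POLICY is an assumed
organisational standard.
"""
import xml.etree.ElementTree as ET

# Constructed report: one host running Telnet, anonymous FTP, and an HTTPS
# service that still offers TLSv1.0 with RC4 and 3DES cipher suites.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p 21,23,443 -oX - 192.168.1.10">
<host><status state="up"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/>
<script id="ssl-enum-ciphers" output="">
<table key="TLSv1.0"><table key="ciphers">
<table><elem key="name">TLS_RSA_WITH_RC4_128_SHA</elem><elem key="strength">C</elem></table>
<table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="strength">C</elem></table>
</table></table>
<table key="TLSv1.2"><table key="ciphers">
<table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="strength">A</elem></table>
</table></table>
<elem key="least strength">C</elem>
</script></port>
</ports></host>
</nmaprun>
"""

# Assumed policy: forbidden listening ports, the only acceptable TLS
# versions, cipher-name fragments that are banned outright, and the worst
# ssl-enum-ciphers letter grade (A best, F worst) still tolerated.
POLICY = {
    "prohibited_tcp_ports": {23, 5900, 5901, 5902, 5903},
    "allowed_tls": {"TLSv1.2", "TLSv1.3"},
    "banned_cipher_tokens": ("RC4", "3DES", "NULL", "EXPORT", "MD5"),
    "worst_acceptable_grade": "B",
}


def _tls_findings(script, ip, port, policy):
    """Yield (ip, port, rule, detail) for ssl-enum-ciphers violations."""
    for proto in script.findall("table"):
        name = proto.get("key", "")
        if not name.startswith(("SSL", "TLS")):
            continue
        if name not in policy["allowed_tls"]:
            yield (ip, port, "tls-protocol", name)
        for cipher in proto.findall("table[@key='ciphers']/table"):
            cname = cipher.findtext("elem[@key='name']", "")
            grade = cipher.findtext("elem[@key='strength']", "")
            if any(tok in cname for tok in policy["banned_cipher_tokens"]):
                yield (ip, port, "banned-cipher", cname)
            elif grade > policy["worst_acceptable_grade"]:  # letters sort A < B < ... < F
                yield (ip, port, "weak-cipher-grade", "%s (%s)" % (cname, grade))


def audit(xml_text, policy=POLICY):
    """Return a sorted list of (ip, port, rule, detail) violations found in the report."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            num = int(port.get("portid"))
            svc = port.find("service")
            if port.get("protocol") == "tcp" and num in policy["prohibited_tcp_ports"]:
                findings.append((ip, num, "prohibited-service",
                                 svc.get("name", "?") if svc is not None else "?"))
            for script in port.findall("script"):
                if script.get("id") == "ssl-enum-ciphers":
                    findings.extend(_tls_findings(script, ip, num, policy))
                elif script.get("id") == "ftp-anon" and "allowed" in script.get("output", ""):
                    findings.append((ip, num, "anonymous-ftp", script.get("output")))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML):
        print("%s:%d %-20s %s" % finding)
```

In practice you would add -oX report.xml to the scan commands above and pass the file contents to audit(). Keeping the policy as data rather than hard-coded conditions means the same script serves the prohibited-port check from the previous section and the NSE-based checks here, and a change in policy (for example dropping TLSv1.2 from the allowed set) is a one-line edit that is easy to review.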
Regularly running such checks helps ensure that systems are configured according to security policies and best practices.
Identifying Rogue Devices and Unauthorized Access Points
Unauthorized devices on the network pose a significant security risk as they are often unmanaged, unpatched, and can bypass security controls.
What are Rogue Devices?
A rogue device is any unauthorized piece of hardware connected to the corporate network. This could be an employee's personal laptop or phone, an unauthorized wireless access point, an IoT device brought from home, or even a malicious device planted by an attacker. These devices are outside the scope of IT management and can introduce vulnerabilities or become pivot points for attackers.
Nmap for Rogue Device Detection
Nmap helps detect rogue devices primarily through comprehensive network inventory and comparison:
- Maintain an Authorized Asset Inventory: This is a database or list of all legitimate, known devices on the network, including their IP and MAC addresses.
- Perform Regular Nmap Scans: As discussed in Lecture 9, conduct regular, thorough Nmap scans of all network segments (sudo nmap -sn -PR <subnet> for local segments, and port scans for active services). Nmap only learns MAC addresses from ARP replies, so it reports them only for hosts on the scanner's own Layer 2 segment; run the sweep from inside each segment, or from a sensor placed there, if MAC-level comparison is required.
- Compare Scan Results to Inventory: Use Ndiff or custom scripts to compare Nmap's findings (live IPs and MAC addresses) against the authorized asset inventory. Any device found by Nmap that is not in the authorized list is a potential rogue device and needs immediate investigation. Because a MAC address can be changed by software, treat a match as a baseline rather than proof of identity, and treat an authorized IP that suddenly answers from an unknown MAC with the same urgency as an unknown device.
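The comparison step above is where most of the value lies, so here it is as an added example (not code from the page or from the Nmap project). It parses the normal (-oN) output of a local nmap -sn -PR sweep and classifies each live host against an authorized inventory, distinguishing an unknown device from a known device that has moved, an authorized IP answered by an unknown MAC, and hosts for which no MAC was seen at all. SAMPLE_SCAN is a constructed listing, INVENTORY an assumed asset list, and parse_sweep, classify and audit_sweep are names chosen for this example.

```python
"""Compare a `nmap -sn -PR` sweep of a local segment against an authorized inventory.

Added example for this lecture, not code from the page or from the Nmap
project. SAMPLE_SCAN is a constructed normal-output (-oN) listing and
INVENTORY an assumed MAC-to-IP asset list; the function names are my own.
"""
import re

# Constructed output of: sudo nmap -sn -PR -oN sweep.nmap 192.168.1.0/24
SAMPLE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2025-05-29 01:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00050s latency).
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Nmap scan report for printer.corp.example (192.168.1.20)
Host is up (0.0012s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Hewlett Packard)
Nmap scan report for 192.168.1.30
Host is up (0.0020s latency).
MAC Address: AA:BB:CC:DD:EE:02 (Dell)
Nmap scan report for 192.168.1.77
Host is up (0.0030s latency).
MAC Address: DE:AD:BE:EF:00:01 (Unknown)
Nmap scan report for 192.168.1.50
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.10 seconds
"""

# Assumed authorized inventory, MAC -> expected IP (lower-case MACs). In
# practice this is exported from the CMDB, DHCP reservations or switch records.
INVENTORY = {
    "00:11:22:33:44:55": "192.168.1.1",   # core router
    "aa:bb:cc:dd:ee:01": "192.168.1.20",  # printer
    "aa:bb:cc:dd:ee:03": "192.168.1.30",  # file server
    "aa:bb:cc:dd:ee:04": "192.168.1.50",  # the scanning workstation itself
}

# Matches "Nmap scan report for 10.0.0.5" and "Nmap scan report for name (10.0.0.5)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")


def parse_sweep(text):
    """Return [(ip, mac_or_None, vendor_or_None)] for every host reported up."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts.append([m.group(1), None, None])  # MAC line, if any, follows
            continue
        m = MAC_RE.match(line)
        if m and hosts:
            hosts[-1][1] = m.group(1).lower()
            hosts[-1][2] = m.group(2)
    return [tuple(h) for h in hosts]


def classify(hosts, inventory):
    """Give each live host a verdict: ok, moved, replaced, rogue or unverified."""
    authorized_ips = set(inventory.values())
    verdicts = []
    for ip, mac, _vendor in hosts:
        if mac is None:
            # No ARP reply seen: the scanner itself, or a host not on this
            # L2 segment (MAC checks only work for directly attached hosts).
            verdict = "unverified"
        elif inventory.get(mac) == ip:
            verdict = "ok"
        elif mac in inventory:
            verdict = "moved"      # known device, but not at its recorded IP
        elif ip in authorized_ips:
            verdict = "replaced"   # an authorized IP now answered by an unknown MAC
        else:
            verdict = "rogue"      # unknown device on the segment
        verdicts.append((ip, mac, verdict))
    return verdicts


def audit_sweep(text, inventory):
    """Convenience wrapper: {ip: verdict} for the contents of a -oN sweep file."""
    return {ip: verdict for ip, _mac, verdict in classify(parse_sweep(text), inventory)}


if __name__ == "__main__":
    for ip, mac, verdict in classify(parse_sweep(SAMPLE_SCAN), INVENTORY):
        print("%-15s %-17s %s" % (ip, mac or "-", verdict))
```

A "moved" verdict is often just DHCP handing out a different lease and can be reconciled automatically against the DHCP log; "replaced" and "rogue" are the verdicts that warrant a ticket. For recurring scans, -oX plus Ndiff (Lecture 9) tells you what changed since the last run, while this comparison tells you whether the current state matches what is supposed to be there; the two checks complement each other.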
Notes
Lab
Flags