---
title: week2
tags: eh
---

<center>
<h1>CS 378: Nmap Packet Captures</h1>
<i>Pranav Arora (pa7658)</i>
</center>

## Home Network Footprint

### Discovery

Using `arp-scan` to discover hosts on the local network:

```
➜ ~ arp-scan --localnet
Interface: en0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.254.11   00:17:88:a5:77:44   Philips Lighting BV
192.168.254.10   14:5b:d1:6b:f2:3d   ARRIS Group, Inc.
192.168.254.12   90:6e:bb:73:69:e9   Hon Hai Precision Ind. Co.,Ltd.
192.168.254.16   18:b4:30:7b:82:a0   Nest Labs Inc.
192.168.254.14   00:71:47:e9:e4:13   (Unknown)
192.168.254.25   c4:9d:ed:45:47:5d   (Unknown)
192.168.254.30   00:90:a9:e9:7c:d0   WESTERN DIGITAL
192.168.254.29   44:65:0d:9c:e6:4d   Amazon Technologies Inc.
192.168.254.37   50:c7:bf:6a:64:9a   TP-LINK TECHNOLOGIES CO.,LTD.
192.168.254.39   00:05:cd:90:82:4d   D&M Holdings Inc.
192.168.254.52   c4:1c:ff:af:4d:76   Vizio, Inc
192.168.254.71   08:a6:bc:c3:ed:8f   (Unknown)
192.168.254.20   50:f5:da:c7:46:86   Amazon Technologies Inc.
192.168.254.23   d0:4f:7e:10:3b:d6   Apple, Inc.
192.168.254.254  10:56:11:e5:fd:c0   (Unknown)
192.168.254.73   e4:e7:49:dd:56:6a   (Unknown)

559 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.886 seconds (135.74 hosts/sec). 16 responded
```

We can see that the Arris router for this network has IP `192.168.254.10`.

### Footprint

Using `nmap` to do a portscan of these hosts with banner grabbing and OS guessing:

```
➜ ~ sudo nmap -sV -O 192.168.254.11,10,12,16,14,25,30,29,37,39,52,71,20,23,254,73
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-09 15:43 CDT
Nmap scan report for 192.168.254.10
Host is up (0.0064s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
8082/tcp open  soap    gSOAP 2.7
MAC Address: 14:5B:D1:6B:F2:3D (Arris Group)
Device type: media device
Running: Motorola embedded
OS CPE: cpe:/h:motorola:qip2708
OS details: Motorola QIP2708 set top box
Network Distance: 1 hop

Nmap scan report for 192.168.254.11
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     nginx
443/tcp  open  ssl/http nginx
8080/tcp open  http     Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
MAC Address: 00:17:88:A5:77:44 (Philips Lighting BV)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.254.12
Host is up (0.0058s latency).
Not shown: 999 filtered ports
PORT      STATE  SERVICE          VERSION
10000/tcp closed snet-sensor-mgmt
MAC Address: 90:6E:BB:73:69:E9 (Hon Hai Precision Ind.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.254.14
Host is up (0.015s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
8009/tcp open  http    Amazon Whisperplay DIAL REST service
MAC Address: 00:71:47:E9:E4:13 (Amazon Technologies)
Device type: phone
Running: Google Android 5.X|7.X, Linux 3.X
OS CPE: cpe:/o:google:android:5.1 cpe:/o:google:android:7.1.2 cpe:/o:linux:linux_kernel:3.4
OS details: Android 5.1, Android 7.1.2 (Linux 3.4)
Network Distance: 1 hop
Service Info: Device: media device

Nmap scan report for 192.168.254.16
Host is up (0.077s latency).
All 1000 scanned ports on 192.168.254.16 are filtered
MAC Address: 18:B4:30:7B:82:A0 (Nest Labs)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.254.20
Host is up (0.0073s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
8009/tcp open  ajp13?
MAC Address: 50:F5:DA:C7:46:86 (Amazon Technologies)
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 192.168.254.23
Host is up (0.012s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE    VERSION
3689/tcp  open  daap       Apple iTunes DAAP 11.1b37
5000/tcp  open  rtsp       AirTunes rtspd 220.68
7000/tcp  open  rtsp       AirTunes rtspd 220.68
7100/tcp  open  http       Apple AirPlay httpd
62078/tcp open  tcpwrapped
MAC Address: D0:4F:7E:10:3B:D6 (Apple)
OS details: Apple Mac OS X 10.7.0 (Lion) - 10.12 (Sierra) or iOS 4.1 - 9.3.3 (Darwin 10.0.0 - 16.4.0)
Network Distance: 1 hop
Service Info: OS: OS X; Device: media device

Nmap scan report for 192.168.254.25
Host is up (0.019s latency).
All 1000 scanned ports on 192.168.254.25 are filtered
MAC Address: C4:9D:ED:45:47:5D (Microsoft)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.254.29
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.254.29 are filtered (960) or closed (40)
MAC Address: 44:65:0D:9C:E6:4D (Amazon Technologies)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.254.30
Host is up (0.0047s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd (PHP 5.4.45)
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    Apache httpd (PHP 5.4.45)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp   open  afp         Netatalk 3.0.5 (name: WDMyCloud; protocol 3.3)
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
3306/tcp  open  mysql       MySQL (unauthorized)
3689/tcp  open  daap        mt-daapd DAAP svn-1696
8181/tcp  open  http        Plex Media Server (WD MyCloud)
9000/tcp  open  upnp        TwonkyMedia UPnP (UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1)
49153/tcp open  upnp        Portable SDK for UPnP devices 1.6.25 (Linux 3.10.39; UPnP 1.0)
MAC Address: 00:90:A9:E9:7C:D0 (Western Digital)
Device type: storage-misc|general purpose
Running: Western Digital embedded, Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.10
OS details: Western Digital My Cloud DL4100 NAS (Linux 3.10)
Network Distance: 1 hop
Service Info: Host: WDMYCLOUD; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel:2, cpe:/o:linux:linux_kernel:3.10.39

Nmap scan report for 192.168.254.37
Host is up (0.0088s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
9999/tcp open  abyss?
MAC Address: 50:C7:BF:6A:64:9A (Tp-link Technologies)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

Nmap scan report for 192.168.254.39
Host is up (0.0075s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE       VERSION
23/tcp   open  telnet?
80/tcp   open  http          GoAhead WebServer
443/tcp  open  ssl/https?
1024/tcp open  rtsp          Apple AirTunes rtspd 190.9 (Apple TV)
5000/tcp open  upnp?
5001/tcp open  commplex-link?
6666/tcp open  tcpwrapped
8080/tcp open  http          Pioneer VSX-921, Denon DNP-720AE, or Marantz AV7005 AV receiver http config
MAC Address: 00:05:CD:90:82:4D (D&M Holdings)
Device type: media device
Running: Denon embedded, Yamaha embedded
OS CPE: cpe:/h:denon:avr-1912 cpe:/h:denon:avr-2312 cpe:/h:yamaha:rx-S600
OS details: Yamaha RX-S600 or Denon AVR-1912 or AVR-2312 audio receiver
Network Distance: 1 hop
Service Info: OS: Mac OS X; Device: media device; CPE: cpe:/o:apple:mac_os_x

Nmap scan report for 192.168.254.52
Host is up (0.010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE         VERSION
7000/tcp open  rtsp            AirTunes rtspd 377.17.24.9
8008/tcp open  http?
8009/tcp open  ssl/ajp13?
8443/tcp open  ssl/https-alt?
9000/tcp open  ssl/cslistener?
MAC Address: C4:1C:FF:AF:4D:76 (Vizio)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

Nmap scan report for 192.168.254.71
Host is up (0.0086s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
8009/tcp open  http    Amazon Whisperplay DIAL REST service
MAC Address: 08:A6:BC:C3:ED:8F (Amazon Technologies)
Device type: phone
Running: Google Android 4.X|5.X|6.X, Linux 3.X
OS CPE: cpe:/o:google:android:4 cpe:/o:google:android:5 cpe:/o:google:android:6 cpe:/o:linux:linux_kernel:3
OS details: Android 4.1 - 6.0 (Linux 3.4 - 3.14)
Network Distance: 1 hop
Service Info: Device: media device

Nmap scan report for 192.168.254.73
Host is up (0.018s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       HP DeskJet 3630 series printer http config (Serial CN9438H38H06BQ)
443/tcp  open  ssl/http   HP DeskJet 3630 series printer http config (Serial CN9438H38H06BQ)
631/tcp  open  http       HP DeskJet 3630 series printer http config (Serial CN9438H38H06BQ)
8080/tcp open  http       HP DeskJet 3630 series printer http config (Serial CN9438H38H06BQ)
9100/tcp open  jetdirect?
9220/tcp open  hp-gsg     HP Generic Scan Gateway 1.0
MAC Address: E4:E7:49:DD:56:6A (Hewlett Packard)
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
Network Distance: 1 hop
Service Info: Device: printer; CPE: cpe:/h:hp:deskjet_3630_series

Nmap scan report for 192.168.254.254
Host is up (0.0041s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE   VERSION
53/tcp   open     domain    dnsmasq 2.79
80/tcp   open     http
111/tcp  filtered rpcbind
443/tcp  open     ssl/https
5000/tcp open     upnp      MiniUPnP
MAC Address: 10:56:11:E5:FD:C0 (Arris Group)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 16 IP addresses (16 hosts up) scanned in 373.40 seconds
```

## Portscan Captures

### Local Subnet Victim Portscan

Traffic from the command `nmap 192.168.254.52 -p 22,80,443` with capture filter `host 192.168.254.52`:

![](https://i.imgur.com/FlV567W.png)

### Remote Victim Portscan

The remote victim used has IP `216.58.194.110`, the result of `nslookup youtube.com`. Traffic from the command `nmap 216.58.194.110 -p 22,80,443` with capture filter `host 216.58.194.110`:

![](https://i.imgur.com/fGAzxqj.png)

### Analysis

Because the remote victim is not on the local subnet, the portscan begins with host discovery: an initial ping of the server and a three-way TCP handshake, before ports 22, 80, and 443 are scanned. A portscan of the victim on the local subnet does not require this step.
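The `-sV -O` output in the Footprint section only becomes useful to a defender once it is turned into an inventory. The following Python script is an added example, not part of the original write-up: it parses nmap's normal output format into one record per host and flags open services from a review list (`RISKY_PORTS`, a hypothetical list assumed here); the embedded sample is a trimmed excerpt of the scan above, so the script runs offline.

```python
import re

# Constructed excerpt of the `nmap -sV -O` output above (three hosts, trimmed).
SAMPLE = """\
Nmap scan report for 192.168.254.30
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd (PHP 5.4.45)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
MAC Address: 00:90:A9:E9:7C:D0 (Western Digital)

Nmap scan report for 192.168.254.39
PORT     STATE SERVICE       VERSION
23/tcp   open  telnet?
80/tcp   open  http          GoAhead WebServer
MAC Address: 00:05:CD:90:82:4D (D&M Holdings)

Nmap scan report for 192.168.254.254
PORT     STATE    SERVICE   VERSION
111/tcp  filtered rpcbind
MAC Address: 10:56:11:E5:FD:C0 (Arris Group)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")

# Hypothetical review list: cleartext-login or no-auth-by-default services.
RISKY_PORTS = {23: "telnet, cleartext login", 445: "smb, check share auth", 2049: "nfs, check exports"}

def parse_nmap(text):
    """Map each 'Nmap scan report' block to {"mac", "vendor", "ports": [...]}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            cur = hosts.setdefault(m.group(1), {"mac": None, "vendor": None, "ports": []})
        elif cur is None:          # preamble before the first host report
            continue
        elif (m := PORT_RE.match(line)):   # the "PORT STATE ..." header never matches
            port, proto, state, service, version = m.groups()
            cur["ports"].append({"port": int(port), "proto": proto, "state": state,
                                 "service": service, "version": version.strip()})
        elif (m := MAC_RE.match(line)):
            cur["mac"], cur["vendor"] = m.groups()
    return hosts

def risky_findings(hosts):
    """Return (ip, port, reason) for every *open* port on the review list."""
    return [(ip, p["port"], RISKY_PORTS[p["port"]]) for ip, h in hosts.items()
            for p in h["ports"] if p["state"] == "open" and p["port"] in RISKY_PORTS]
```

Feeding the full scan output to `parse_nmap` gives one record per host, and `risky_findings` ignores filtered and closed ports, so only services that actually answered are reported.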