This week on HakTip Shannon is using NMap to find open ports that can be accessed on the network.
NMap can be used to obtain a much more aggressive scan than the ones we have seen so far. It’s very simple to do this too, by simply adding the -A command, like this:
nmap -A 10.73.31.64
Aggressive scans simply put together some of the most popularly used commands in Nmap, into one command for you to type. It uses commands such as -O, -sC –traceroute and others. We’ll go over these in more detail soon. For now, simply know that -O works for operating system detection, and -sC runs several scripts inside nmap at once such as speed and verbosity. When running this scan, which will take longer because of the extra scripts involved, you’ll receive back a bunch of strange looking fingerprint information. I tried running this on our printer, which doesn’t give us much information. But running this against our NAS gives us some interesting facts, such as the name of our NAS (Synology Diskstation), the open ports with more information, even the SSH hostkey with DSA and RSA encryptions.
If I nmap our network… This is what I find.
nmap 10.73.31.0/24 —- we found .64 which is an HP printer with telnet open on port 23. So now I’ll open netcat in another window and connect to it.
nc 10.73.31.64 23
We’ve just telnetted into our HP printer. Now we can ls and see what directories are available, change directories, etc.
What would you like to see next about NMAP? Send me a comment below or email us at firstname.lastname@example.org. If you like NMap, perhaps you’ll enjoy our new show, Metasploit Minute with Mubix, airing every Monday at hak5.wpengine.com. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.