Full Report
We are excited to be presenting our Hands-on-Hacking Fundamentals (HHF) course at this year's BlackHat USA 2021 conference. In our HHF course we explore the fundamentals required to grow your hacking skills, and you can apply your newly learned skills with practical, real-world hacks in our custom lab environment. This blog aims to demonstrate the fundamentals of networking and scanning using the de facto network mapper, Nmap, which is one of the many tools used in our course.
# Analysis Summary
# Tool/Technique: Nmap (Network Mapper)
## Overview
Nmap (Network Mapper) is a foundational, de facto open-source tool used for network discovery and security auditing. It is utilized here to demonstrate fundamental networking and scanning concepts, particularly identifying live hosts, determining open ports, and gathering service information.
## Technical Details
- Type: Tool
- Platform: Cross-platform (implied to be used against various network services/hosts)
- Capabilities: Host discovery (ICMP, DNS), port scanning (TCP Connect, SYN scan), service version detection, script execution.
- First Seen: 1997 (The tool itself predates this article significantly, but the context is the 2021 BlackHat course).
## MITRE ATT&CK Mapping
The techniques described primarily fall under Reconnaissance and Discovery.
- **TA0043 - Reconnaissance**
  - **T1046 - Network Service Scanning** (implied via port scanning activities)
- **TA0007 - Discovery**
  - **T1018 - Remote System Discovery** (ICMP echo scan, list scan)
  - **T1049 - System Network Connections Discovery** (service version detection)
## Functionality
### Core Capabilities
- **Host Discovery:** Identifying live hosts on a network segment using ICMP echo scans (`-sn` flag), or using reverse-DNS lookups via a list scan (`-sL` flag) without sending any packets to the target hosts.
- **Port Scanning:**
  - **TCP Connect Scan (`-sT`):** Performs a full TCP three-way handshake, which is highly detectable because the connection is fully established and logged by the service.
  - **TCP SYN Scan (`-sS`):** The "half-open" or "stealthy" scan (the default when running as root). It identifies open ports by observing `SYN/ACK` responses and terminates the exchange with a `RST` packet instead of completing the handshake.
- **Port State Identification:** Differentiates between Open (the target answers with `SYN/ACK`), Closed (the target answers with `RST`), and Filtered (no response is received).
- **Protocol Handling:** Understanding the differences between connection-oriented (TCP) and datagram-oriented (UDP) protocols.
### Advanced Features
- **Service Version Detection (`-sV`):** Probes open services to fingerprint their specific application and version number by matching responses against a local database.
- **Scripting Engine (`-sC`):** Executes built-in Nmap Scripting Engine (NSE) scripts, tagged by category (e.g., information gathering, vulnerability scanning), to gather more in-depth intelligence or check for known weaknesses. These scripts carry risk scores based on intrusiveness.
## Indicators of Compromise
This tool is used for network reconnaissance and discovery; therefore, it does not typically generate malware-specific IoCs such as file hashes or registry keys.
- File Hashes: N/A (tool execution)
- File Names: Nmap.exe, nmap (executable)
- Registry Keys: N/A
- Network Indicators:
  - **Scanning traffic patterns:** A high volume of `SYN` packets from one source destined for many ports, or systematic probing behaviour indicative of Nmap TCP Connect or SYN scans.
- Behavioral Indicators:
  - Unexpected ICMP Echo Requests sent to many hosts in a subnet.
  - Repeated probes to specific ports followed by `RST` or `SYN/ACK` responses.
## Associated Threat Actors
Nmap is a general-purpose, widespread network utility heavily leveraged by almost all threat actors for initial reconnaissance and internal network mapping.
## Detection Methods
Detection focuses on identifying anomalous network scanning activity originating from an internal or external asset.
- **Signature-based detection:** Network IDS/IPS signatures detecting characteristic Nmap probe packets (e.g., specific timing or packet flags associated with SYN or Connect scans).
- **Behavioral detection:** Monitoring hosts that rapidly attempt connections to a large number of ports across multiple IP addresses within a short timeframe.
- **YARA rules:** Not typically used to detect the tool while it is running; they are more relevant to files associated with it (the binary, NSE scripts, or scan output) when integrated with other analysis platforms.
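As an added example (not part of the original post or of the Nmap project), the behavioural heuristic above applied to constructed, sensor-style log lines: a source that touches many distinct destination ports inside a short window is flagged, and the replies it received are tallied into the open/closed/filtered states described earlier. The log format, the 10-second window and the 8-port threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample lines (not real traffic): "<epoch> <src> <dst> <dport> <reply>"
# where <reply> is what the destination sent back: SA (SYN/ACK, port open),
# R (RST, port closed) or - (no reply seen, port filtered).
SAMPLE_LOG = """\
1700000000 192.0.2.10 10.0.0.5 21 R
1700000000 192.0.2.10 10.0.0.5 22 SA
1700000000 192.0.2.10 10.0.0.5 23 R
1700000001 192.0.2.10 10.0.0.5 25 -
1700000001 192.0.2.10 10.0.0.5 80 SA
1700000001 192.0.2.10 10.0.0.5 110 R
1700000002 192.0.2.10 10.0.0.5 443 -
1700000002 192.0.2.10 10.0.0.5 445 R
1700000003 192.0.2.10 10.0.0.5 3389 -
1700000003 192.0.2.10 10.0.0.5 8080 R
1700000000 198.51.100.7 10.0.0.5 443 SA
1700000900 198.51.100.7 10.0.0.5 443 SA
"""

# Map the observed reply to the port state Nmap would report.
STATE = {"SA": "open", "R": "closed", "-": "filtered"}

def parse(log):
    """Turn log lines into (ts, src, dst, dport, state) tuples; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, reply = line.split()
        events.append((int(ts), src, dst, int(dport), STATE.get(reply, "unknown")))
    return events

def detect_scans(log, window=10, min_ports=8):
    """Return {src: {state: count}} for sources that probed >= min_ports distinct
    dst:port pairs within any sliding window of `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, state in parse(log):
        per_src[src].append((ts, dst, dport, state))
    alerts = {}
    for src, evs in per_src.items():
        evs.sort()  # order by timestamp so the window can slide forward
        lo, best = 0, {}
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1  # drop events that fell out of the window
            targets = {(d, p): s for _, d, p, s in evs[lo:hi + 1]}
            if len(targets) >= min_ports and len(targets) > len(best):
                best = targets  # keep the widest qualifying window
        if best:
            counts = defaultdict(int)
            for state in best.values():
                counts[state] += 1
            alerts[src] = dict(counts)
    return alerts

if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

The single repeated 443 connection from 198.51.100.7 never reaches the threshold, so only the scanning source is reported.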
## Mitigation Strategies
Mitigation centers on limiting the information an external or internal attacker can glean via network scanning.
- **Prevention measures:** Implementing strict firewall rules to only allow necessary inbound and outbound traffic.
- **Hardening recommendations:**
  - Configure firewalls to silently drop unsolicited packets rather than responding with `RST`, so that probed ports appear "filtered" to a scanner instead of revealing their state.
  - Limit ICMP echo traffic to what is essential, as ICMP echo scans are a primary host discovery method for Nmap.
  - Restrict administrative privileges on hosts, since the stealthier Nmap scans (especially SYN scans) require raw-socket access that is normally available only to elevated users.
## Related Tools/Techniques
- **Scanners/Discovery Tools:** Masscan, ZMap, RustScan.
- **Techniques:** Port Sweep (T1046), Network Service Discovery.