Nmap/Short Course/Lecture 10 - Revision history

Unknown user at 02:17, 29 May 2025

2025-05-29T02:17:15Z

← Older revision		Revision as of 02:17, 29 May 2025
Line 8:		Line 8:

	Objective: To teach students how to utilize Nmap and the Nmap Scripting Engine (NSE) for security auditing tasks, including verifying compliance with security policies, identifying rogue devices, and testing the efficacy of firewall rules and network segmentation.		Objective: To teach students how to utilize Nmap and the Nmap Scripting Engine (NSE) for security auditing tasks, including verifying compliance with security policies, identifying rogue devices, and testing the efficacy of firewall rules and network segmentation.

			=Notes=

	==Recap & Introduction to Security Auditing with Nmap==		==Recap & Introduction to Security Auditing with Nmap==
Line 171:		Line 173:

	The lab for this lecture would involve setting up basic firewall rules in a virtual environment and having students use Nmap from different "zones" to verify if those rules are working as expected.		The lab for this lecture would involve setting up basic firewall rules in a virtual environment and having students use Nmap from different "zones" to verify if those rules are working as expected.

			In the Corporate Network (Scenario 1), students use Nmap and NSE to check for policy violations (e.g., services running on non-standard ports, weak ciphers on an internal web app). Attempt to identify a "rogue" device planted in the network.

	[[Nmap/Short Course/Lab 10]]		[[Nmap/Short Course/Lab 10]]

Unknown user: /* Notes */

2025-05-29T02:16:42Z

Notes

← Older revision		Revision as of 02:16, 29 May 2025
Line 167:		Line 167:

	Ideally, all probes should time out or be explicitly denied (ports filtered or closed). Any open ports or responsive hosts indicate a segmentation failure.		Ideally, all probes should time out or be explicitly denied (ports filtered or closed). Any open ports or responsive hosts indicate a segmentation failure.

	~~=Notes=~~

	=Lab=		=Lab=

Unknown user: /* Lab */

2025-05-29T01:28:22Z

Lab

← Older revision		Revision as of 01:28, 29 May 2025
Line 171:		Line 171:

	=Lab=		=Lab=

			The lab for this lecture would involve setting up basic firewall rules in a virtual environment and having students use Nmap from different "zones" to verify if those rules are working as expected.

	[[Nmap/Short Course/Lab 10]]		[[Nmap/Short Course/Lab 10]]

Unknown user: /* Using Nmap to Test Firewall Efficacy */

2025-05-29T01:28:09Z

Using Nmap to Test Firewall Efficacy

@@ Line 154: / Line 154: @@
 sudo nmap -sA -Pn <target_IP_in_VLAN_B>
 </pre>
 =Notes=

Unknown user: /* Nmap for Rogue Device Detection */

2025-05-29T01:27:12Z

Nmap for Rogue Device Detection

@@ Line 107: / Line 107: @@
 # Perform Regular Nmap Scans: As discussed in [[Nmap/Short Course/Lecture 9|Lecture 9]], conduct regular, thorough Nmap scans of all network segments (<code>sudo nmap -sn -PR <subnet></code> for local segments, and port scans for active services).
 # Compare Scan Results to Inventory: Use Ndiff or custom scripts to compare Nmap's findings (live IPs and MAC addresses) against the authorized asset inventory. Any device found by Nmap that is not in the authorized list is a potential rogue device and needs immediate investigation.
 =Notes=

Unknown user: /* Checking for Weak Configurations with NSE */

2025-05-29T01:24:56Z

Checking for Weak Configurations with NSE

← Older revision		Revision as of 01:24, 29 May 2025
Line 79:		Line 79:
	</pre>		</pre>

	This output would highlight the presence of TLS_RSA_WITH_RC4_128_SHA as a weak cipher.		This output would highlight the presence of <code>TLS_RSA_WITH_RC4_128_SHA</code> as a weak cipher.

	Default Credentials: Some NSE scripts in the auth category (or specific service scripts) can check for default credentials on devices like routers, printers, or applications. While these can be intrusive (brute category), carefully selected safe or discovery scripts like ftp-anon or those checking for common SNMP community strings (snmp-brute with a list of common strings, or snmp-info which often gets the community string if it's 'public') can identify policy violations regarding default credentials.		Default Credentials: Some NSE scripts in the auth category (or specific service scripts) can check for default credentials on devices like routers, printers, or applications. While these can be intrusive (brute category), carefully selected safe or discovery scripts like ftp-anon or those checking for common SNMP community strings (snmp-brute with a list of common strings, or snmp-info which often gets the community string if it's 'public') can identify policy violations regarding default credentials.

Unknown user: /* Summary and Objective */

2025-05-29T01:23:28Z

Summary and Objective

← Older revision		Revision as of 01:23, 29 May 2025
Line 4:		Line 4:

	=Summary and Objective=		=Summary and Objective=

			This session will focus on how Blue Teams use Nmap to verify security controls and ensure adherence to policies.

			Objective: To teach students how to utilize Nmap and the Nmap Scripting Engine (NSE) for security auditing tasks, including verifying compliance with security policies, identifying rogue devices, and testing the efficacy of firewall rules and network segmentation.

			==Recap & Introduction to Security Auditing with Nmap==

			===Quick Recap of Lecture 9===

			In our last lecture, we initiated our exploration of Nmap for Blue Team operations by focusing on network inventory and asset management. We discussed how to perform comprehensive network discovery, establish asset baselines using Nmap's XML output, and leverage Ndiff to track network changes over time. This foundational knowledge of "what's on the network" is crucial for effective defense.

			===What is Security Auditing?===

			Security auditing is a systematic, measurable technical assessment of how an organization's security policy is being employed on its systems and networks. It's an active process of verifying that security controls are implemented correctly, are functioning as intended, and are adequate to meet security goals. Unlike passive policy reviews, a security audit often involves active testing and probing to confirm configurations.

			===What is Compliance?===

			Compliance refers to adhering to specific laws, regulations, standards, and internal organizational policies. Examples include PCI DSS (Payment Card Industry Data Security Standard) for organizations handling credit card data, HIPAA (Health Insurance Portability and Accountability Act) for healthcare information, or an organization's own internal security policies that dictate, for instance, which services are allowed to run or which cryptographic standards must be used. Non-compliance can lead to fines, legal action, reputational damage, and increased risk of breaches.

			===Nmap's Role in Auditing and Compliance===

			Nmap serves as a powerful tool for security auditors to actively test and verify network-level security configurations and policy adherence. It can help answer questions like:

			* Are there any unauthorized services running on our servers?
			* Are our systems using strong encryption protocols as required by policy?
			* Are firewalls correctly blocking traffic between network segments?
			* Are there any rogue devices connected to our network that violate policy? Nmap provides the means to gather empirical evidence about the state of network security controls.

			==Auditing for Policy Violations with Nmap & NSE==

			Nmap can be used to actively check for common policy violations and weak configurations.

			===Identifying Prohibited Services or Ports===

			Many organizations have policies that restrict or prohibit the use of certain services deemed risky. For example, Telnet (unencrypted remote access), unencrypted FTP, or VNC might be banned. Nmap can be used to scan the network specifically for these forbidden ports.

			<pre>
			# Scan a subnet for Telnet (port 23) and VNC (ports 5900-5903)
			sudo nmap -sS -p T:23,T:5900-5903 --open 192.168.1.0/24 -oN prohibited_services.nmap
			</pre>

			The --open option ensures Nmap only reports hosts where these ports are actually open. Any hits would indicate a policy violation that needs investigation. This can be expanded to include any port or service your organization's policy deems unauthorized.

			===Checking for Weak Configurations with NSE===

			NSE scripts are invaluable for auditing specific configurations against security best practices or policy requirements:

			SSL/TLS Cipher Auditing: The ssl-enum-ciphers script can connect to SSL/TLS enabled services (like HTTPS, SMTPS, IMAPS) and enumerate the supported cipher suites, key exchange methods, and protocol versions. This helps identify services using weak or deprecated ciphers (e.g., SSLv3, RC4) that violate security policies.

			<pre>
			sudo nmap -sV -p 443 --script ssl-enum-ciphers <target_IP_or_range>
			</pre>

			<pre>
			[Instructor: Run 'sudo nmap -sV -p 443 --script ssl-enum-ciphers <your_lab_web_server_IP>' and show an example where some weak ciphers or SSLv3 might be enabled.]
			PORT STATE SERVICE VERSION
			443/tcp open ssl/http Apache httpd 2.4.x
			\| ssl-enum-ciphers:
			\| TLSv1.0:
			\| ciphers:
			\| TLS_RSA_WITH_RC4_128_SHA (weak)
			\| TLS_RSA_WITH_3DES_EDE_CBC_SHA (strong)
			\| compressors:
			\| NULL
			\| cipher preference: server
			\| TLSv1.2:
			\| ciphers:
			\| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (strong)
			\| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (strong)
			\| compressors:
			\| NULL
			\| cipher preference: server
			\|_ least strength: C
			</pre>

			This output would highlight the presence of TLS_RSA_WITH_RC4_128_SHA as a weak cipher.

			Default Credentials: Some NSE scripts in the auth category (or specific service scripts) can check for default credentials on devices like routers, printers, or applications. While these can be intrusive (brute category), carefully selected safe or discovery scripts like ftp-anon or those checking for common SNMP community strings (snmp-brute with a list of common strings, or snmp-info which often gets the community string if it's 'public') can identify policy violations regarding default credentials.

			<pre>
			# Check for anonymous FTP
			sudo nmap -p 21 --script ftp-anon <target_IP>
			# Attempt to get SNMP info with common community strings
			sudo nmap -sU -p 161 --script snmp-info --script-args snmpcommunity=public <target_IP>
			</pre>

			Regularly running such checks helps ensure that systems are configured according to security policies and best practices.

			==Identifying Rogue Devices and Unauthorized Access Points==

			Unauthorized devices on the network pose a significant security risk as they are often unmanaged, unpatched, and can bypass security controls.

			===What are Rogue Devices?===

			A rogue device is any unauthorized piece of hardware connected to the corporate network. This could be an employee's personal laptop or phone, an unauthorized wireless access point, an IoT device brought from home, or even a malicious device planted by an attacker. These devices are outside the scope of IT management and can introduce vulnerabilities or become pivot points for attackers.

			===Nmap for Rogue Device Detection===

			Nmap helps detect rogue devices primarily through comprehensive network inventory and comparison:

			# Maintain an Authorized Asset Inventory: This is a database or list of all legitimate, known devices on the network, including their IP and MAC addresses.
			# Perform Regular Nmap Scans: As discussed in [[Nmap/Short Course/Lecture 9\|Lecture 9]], conduct regular, thorough Nmap scans of all network segments (<code>sudo nmap -sn -PR <subnet></code> for local segments, and port scans for active services).
			# Compare Scan Results to Inventory: Use Ndiff or custom scripts to compare Nmap's findings (live IPs and MAC addresses) against the authorized asset inventory. Any device found by Nmap that is not in the authorized list is a potential rogue device and needs immediate investigation.

	=Notes=		=Notes=

Unknown user: Created page with "Main page: Nmap/Short Course Lab: Nmap/Short Course/Lab 10 =Summary and Objective= =Notes= =Lab= Nmap/Short Course/Lab 10 =Flags= {{NmapShortCourseFlag}}"

2025-05-29T00:48:59Z

Created page with "Main page: Nmap/Short Course Lab: Nmap/Short Course/Lab 10 =Summary and Objective= =Notes= =Lab= Nmap/Short Course/Lab 10 =Flags= {{NmapShortCourseFlag}}"

New page

Main page: [[Nmap/Short Course]]

Lab: [[Nmap/Short Course/Lab 10]]

=Summary and Objective=

=Notes=

=Lab=

[[Nmap/Short Course/Lab 10]]

=Flags=

{{NmapShortCourseFlag}}