Cybersec to Sysadmin, the series: NMAP

  • 2 October 2023

Let’s start today a new section called “Cybersec to Sysadmin”, in which we will analyze some tools used in cybersecurity and penetration testing to improve our knowledge as Sysadmins and Backup Administrators. Almost all of the tools we will see are Open Source, so you can build your own testing lab without any economic impact, while some are published under their own license on GitHub.

DISCLAIMER:
Everything we see will be solely and exclusively for study purposes and with ethical behavior. All tools can cause problems on real-world machines and should be used IF and ONLY IF you have permission to do so. Scanning one or more servers without authorization can create both technical and legal problems, with criminal consequences depending on the laws of your state. Additionally, all information in these topics is presented on an "as-is" basis. No warranty or guarantee is provided and the author shall not be held liable for any loss or damage.


The first tool we look at is NMAP.

NMAP, created by Gordon "Fyodor" Lyon and released to the community for free under the GNU license, is the standard when it comes to host scans, network audits and troubleshooting. The current version, 7.94, was released in May 2023 and can be downloaded from the official website (https://nmap.org/) for Windows, Linux and Mac OS X. We will not analyze the GUI version, only the terminal version in Windows/Linux environments. Remember that the flags are case sensitive and that some of them require administrator privileges.

One of the key features of NMAP is to scan ports on a host, identifying which ports are open, which are filtered and which are closed on a host on the network. This makes it possible to understand services and applications running on a system. For example, you can identify whether a web server, FTP server, or email server are active on a host.

The main command is

nmap [IP Address]

but to get help and a list of switches, we can type:

nmap -h

To scan a set of specific ports:

nmap -p80,443 [IP Address]

In addition to ports and services, you can also detect the operating system running on the host, service versions with known vulnerabilities, or network shares with guest/anonymous access. This is achieved with the Aggressive scan, which, as the name says, performs a deep analysis of the host. It is, however, invasive and generates a flood of log entries on prevention systems such as firewalls, which may flag it as a potential attack. Therefore, it is important to use the "-A" option only in situations where it is strictly necessary and with the consent of the owner of the system or network analyzed. Intensive scanning should always be carried out with the aim of improving security, not endangering it. See: Causing BSOD to legacy machines.

Aggressive scan:

nmap -A [IP Address]

And how can it help us manage Veeam hosts? Let’s take an example.

We know that at 192.168.30.201 there is a Windows Server 2012 R2 with Veeam Backup and Replication 11 installed. So, we just type "nmap 192.168.30.201" and hit enter.

We got nothing. But why? Windows firewall’s fault: it blocks ICMP packets.

Then we must skip the host discovery phase and go straight to analyzing open ports, with the command:

nmap -Pn [IP Address]

Definitely more interesting, but the information doesn’t seem complete. In fact, by default NMAP scans only the 1000 most commonly used ports, for speed. To get information about all ports on that host we need to use:

nmap -Pn -p- [IP Address]

Wow, that’s a lot. And as you can see, in the previous screen I used:

sudo nmap -Pn -sS -p- [IP Address]

That is known as a "SYN Stealth Scan" or "Half-Open Scan": NMAP sends a TCP SYN connection request to the destination host, but never completes the connection by sending the final TCP ACK packet. So how does it work? If the destination host responds with a TCP SYN/ACK packet, the port is open. If the host responds with a TCP reset (RST) packet, the port is closed. If there is no answer, the port could be filtered by a firewall, or the target system could be configured to ignore invalid requests. Another important thing: you must be Local Administrator (hence the sudo) to run the command, because it needs raw packet access.
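To make the half-open exchange concrete, here is an added example (not code from the original post or from the NMAP project): a small simulation of both sides of a SYN scan against a constructed target with a set of listening ports and a firewall that silently drops one port. It applies the same rule as the text (SYN/ACK = open, RST = closed, silence = filtered) and also records what a service on the target would see versus what a border firewall sees, which is why this scan shows up on prevention systems while leaving no application-level trace. A full-connect scan is included for contrast. The host, ports and firewall rules are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Target:
    """A constructed host: ports with a service bound, and ports the firewall drops."""
    listening: set
    firewall_drop: set
    app_log: list = field(default_factory=list)  # connections a service would actually see
    fw_log: list = field(default_factory=list)   # every segment a border firewall/IDS sees

    def receive(self, port, flags):
        """Reply of the target's TCP stack to one segment: 'SYN/ACK', 'RST' or None."""
        self.fw_log.append((port, flags))
        if port in self.firewall_drop:
            return None                       # silently dropped: the scanner sees no answer
        if flags == "SYN":
            return "SYN/ACK" if port in self.listening else "RST"
        if flags == "ACK" and port in self.listening:
            self.app_log.append(port)         # handshake complete: accept() returns, app may log
        return None                           # ACK and RST segments get no reply


def classify(reply):
    """The rule from the post: SYN/ACK = open, RST = closed, silence = filtered."""
    return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")


def syn_scan(target, ports):
    """-sS: send SYN, read the reply, never send the final ACK (tear down with RST)."""
    states = {}
    for port in ports:
        reply = target.receive(port, "SYN")
        states[port] = classify(reply)
        if reply == "SYN/ACK":
            target.receive(port, "RST")       # abort the half-open connection
    return states


def connect_scan(target, ports):
    """-sT for contrast: completes the handshake, so the service sees the connection."""
    states = {}
    for port in ports:
        reply = target.receive(port, "SYN")
        states[port] = classify(reply)
        if reply == "SYN/ACK":
            target.receive(port, "ACK")
    return states


if __name__ == "__main__":
    host = Target(listening={135, 445, 6185}, firewall_drop={3389})
    print(syn_scan(host, [135, 3389, 6185, 9999]))
    print("connections seen by services:", host.app_log)
    print("segments seen by the firewall:", len(host.fw_log))
```

The two log lists are the defender's takeaway: after the SYN scan `app_log` stays empty, so nothing in the service's own logs shows the probe, while `fw_log` contains every SYN (and the RST tear-downs), which is exactly where a firewall or IDS notices the scan.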

Now let’s take another IP address, 192.168.30.202, and see the difference. Oh, first let me say it’s a Windows Server 2022.

Can you spot the difference? I’m talking about port 6185. In a standard installation, that port corresponds to:

6185: Port on the SP backup server used for communication with the Veeam CDP Coordinator Service.

https://helpcenter.veeam.com/docs/backup/cloud/ports.html?ver=120

That port, checking on HelpCenter, isn’t in use by design on ver 10 or 11.

So the Veeam Backup and Replication installed on that VM is version 12, and we found this out without getting any kind of access to the machine.
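The same inference can be automated over NMAP’s XML output (`-oX`), which is handy when you have more than two backup servers to inventory. The following is an added example, not code from the original post or from Veeam; the XML below is a constructed sample in the shape of `nmap -Pn -p- -oX` output for the two hosts in the post, with illustrative port lists rather than a real capture. The only rule it applies is the one stated above: 6185/tcp open is the CDP Coordinator Service port, present on version 12 and not used on 10 or 11; treat it as an indicator, not as proof.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling "nmap -Pn -p- -oX scan.xml ..." output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p- -oX scan.xml 192.168.30.201 192.168.30.202">
  <host><status state="up" reason="user-set"/>
    <address addr="192.168.30.201" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host><status state="up" reason="user-set"/>
    <address addr="192.168.30.202" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="6185"><state state="open" reason="syn-ack"/></port>
    </ports>
  </host>
</nmaprun>
"""

VEEAM_CDP_COORDINATOR = 6185  # from the Veeam port list linked in the post


def parse_open_ports(xml_text):
    """Map each scanned IPv4 address to the sorted list of its open TCP ports."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port[@protocol='tcp']"):
            if port.find("state").get("state") == "open":
                open_ports.append(int(port.get("portid")))
        result[addr] = sorted(open_ports)
    return result


def veeam_version_hint(open_ports):
    """Apply the post's reasoning: 6185/tcp open points at B&R 12 (indicator, not proof)."""
    if VEEAM_CDP_COORDINATOR in open_ports:
        return "Veeam B&R 12 indicator: 6185/tcp (CDP Coordinator Service) open"
    return "no v12 indicator: 6185/tcp not open (consistent with v10/v11)"


def report(xml_text):
    """One line per host, ready for a backup inventory spreadsheet."""
    return {addr: veeam_version_hint(ports) for addr, ports in parse_open_ports(xml_text).items()}


if __name__ == "__main__":
    for addr, hint in report(SAMPLE_XML).items():
        print(addr, "->", hint)
```

Feed it a real file with `report(open("scan.xml").read())`. Because only the open/filtered state is read, the script works on the output of a plain `-Pn -p-` scan and does not need the noisier `-A` options.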

Now let’s try the Aggressive mode on the first IP of this example, and check the result.

As you can see, NMAP shows much more information about that host.

The command I used is:

nmap -Pn -p{ports we found previously} -sV -A -sC [IP Address]

The "-sV" and "-sC" options in NMAP are used to probe open ports for the services and applications running on them, and to run a series of automation scripts to detect potential vulnerabilities. Note the capital letters: NMAP flags are case sensitive.

-sV: Version Detection Scan

The "-sV" option in NMAP is used to detect and identify the versions of services and applications running on the open ports of the target host. This is useful for getting detailed information about specific services, including version numbers and applied patches. WARNING: the versions do not always correspond to the truth, because NMAP matches the responses against its internal signature database rather than relying only on the banner returned by the service.

In fact, there’s no Exchange 2010 server on that test machine. 
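To see why a version string can be wrong, here is an added example (not code from the original post and not NMAP’s own probe database) of the matching idea behind -sV: a banner is run against a table of signatures and the most specific one that fires decides the product name. The signatures and banners are constructed for this illustration; the table is in the spirit of nmap-service-probes, not copied from it. The point for a Sysadmin is the confidence value: a "medium" or "low" result came from a broad rule and should be confirmed on the host before it goes into an inventory or a vulnerability report.

```python
import re

# Constructed signature table: (regex over the banner, product template filled from
# capture groups, specificity 1-3). Broader rules get a lower specificity.
SIGNATURES = [
    (re.compile(r"^HTTP/1\.[01] \d{3} .*?\r\nServer: Microsoft-HTTPAPI/(\d+\.\d+)\r\n", re.S),
     "Microsoft HTTPAPI httpd {0}", 3),
    (re.compile(r"^HTTP/1\.[01] \d{3} .*?\r\nServer: ([A-Za-z-]+)/(\S+)\r\n", re.S),
     "{0} httpd {1}", 2),
    (re.compile(r"^HTTP/1\.[01] \d{3} ", re.S),
     "http (generic, no Server header matched)", 1),
]
CONFIDENCE = {1: "low", 2: "medium", 3: "high"}


def identify(banner):
    """Return (product string, confidence) from the most specific matching signature."""
    best = None
    for regex, template, specificity in SIGNATURES:
        match = regex.search(banner)
        if match and (best is None or specificity > best[1]):
            best = (template.format(*match.groups()), specificity)
    if best is None:
        return ("unknown", "none")
    return (best[0], CONFIDENCE[best[1]])


# Constructed banners, not captured from any real host.
BANNER_HTTPAPI = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
BANNER_OTHER = "HTTP/1.1 200 OK\r\nServer: SomeVendor-Agent/12.0\r\n\r\n"
BANNER_NOSERVER = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for banner in (BANNER_HTTPAPI, BANNER_OTHER, BANNER_NOSERVER):
        print(identify(banner))
```

The second banner shows the failure mode the warning above describes: the broad rule happily labels an unknown agent as an "httpd" with a version it merely copied from the banner, so a product name in -sV output is only as reliable as the rule that produced it.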

-sC: Script Scan

The "-sC" option enables the execution of the automation scripts integrated into NMAP, known as the "NMAP Scripting Engine" (NSE). These scripts are designed to perform a variety of tests, including security testing, vulnerability detection, and collecting additional information. With this option you can automate the detection of common services and vulnerabilities.

Before we finish, what about UDP ports? Scanning UDP ports is often relegated to second place, because it takes far longer than a TCP scan.

NMAP is useful for gathering information, but the important part is what we Sysadmins do with that information.

I hope it will be useful; in CyberSec I use this tool every day.
For any questions, ask! : )


5 comments

Userlevel 7
Badge +13

Just to add a +1 information, on Reddit I found a way to use NMAP to check Veeam vulnerability.

https://www.reddit.com/r/msp/comments/133s7kz/hackers_target_vulnerable_veeam_backup_servers/

https://www.reddit.com/r/msp/comments/133s7kz/comment/jifawgx/?context=3

I didn’t have time to try/check that code, so please be careful.

Userlevel 7
Badge +7

Very interesting to see these differences based on different options, thank you Marco!

Userlevel 7
Badge +20

Nice to see you back Marco and posting more security stuff.  😎

Userlevel 7
Badge +13

Nice to see you back Marco and posting more security stuff.  😎

Thanks Chris!! I had some stuff in life I had to solve, but now I’m definitely back!! :)

Userlevel 7
Badge +20

Nice to see you back Marco and posting more security stuff.  😎

Thanks Chris!! I had some stuff in life I had to solve, but now I’m definitely back!! :)

Yes, family and life come first.  IT and communities can always wait.  😁
