Nmap can be divided into the following scanning techniques:
Host discovery
Port scanning
Service enumeration/detection
OS detection
Scriptable interaction with a target service (Nmap Scripting Engine)

Scanning Options
-sn                   # disables port scanning (host discovery only)
-Pn                   # skips host discovery (no ICMP echo/ARP ping); every target is treated as up
-n                    # disables DNS resolution
-PE                   # ping scan using ICMP echo requests against the target
--packet-trace        # shows all packets sent/received
--reason              # displays the reason for a specific result
--disable-arp-ping    # disables ARP ping requests
--top-ports=<num>     # scans the specified number of top ports (those defined as most frequent)
-p-                   # scans all 65535 ports
-p22-110              # scans ports 22 through 110
-p22,25               # scans only the specified ports
-F                    # top 100 ports
-sS                   # TCP SYN scan
-sA                   # TCP ACK scan
-sU                   # UDP scan
-sV                   # version scan
-sC                   # script scan (default NSE scripts)
-O                    # OS detection
-A                    # OS/service detection, traceroute and default scripts
-D RND:5              # uses 5 random decoys to scan the target
-e <iface>            # network interface for the scan
-S 10.10.10.1         # source IP for the scan
-g <port>             # source port for the scan (same as --source-port)
--dns-server <ns>     # DNS resolution using the specified name server
Output Options
-oA <file>   # stores results in all available formats under the given basename (.nmap, .gnmap, .xml)
-oN <file>   # stores results in normal format
-oG <file>   # stores results in grepable format
-oX <file>   # stores results in XML format
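The grepable (-oG) file is the one most often post-processed. The following is an added example, not code from the original notes: a small parser for the .gnmap format (one "Host:" line per host, tab-separated "Key: value" fields, ports as "port/state/proto/owner/service/rpc/version/") that extracts live hosts and open ports, which is what the grep/cut one-liners further down do by hand on the normal output. The scan data embedded in it is constructed, not a real scan.

```python
"""Parse nmap grepable (-oG) output offline."""
from collections import defaultdict

# Constructed sample of a .gnmap file (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -oG tnet 10.129.2.0/24
Host: 10.129.2.4 ()\tStatus: Up
Host: 10.129.2.4 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//nginx 1.14.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.129.2.10 ()\tStatus: Up
Host: 10.129.2.10 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 53/open/udp//domain///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:30 2024 -- 256 IP addresses (2 hosts up) scanned in 29.83 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"status": str|None, "ports": [port dicts]}}."""
    hosts = defaultdict(lambda: {"status": None, "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):          # skip the "# Nmap ..." banner/footer
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]                  # "Host: <ip> (<hostname>)"
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["status"] = value.strip()
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")       # nmap escapes "/" inside fields as "|"
                    if len(parts) < 7:
                        continue
                    hosts[ip]["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return dict(hosts)


def live_hosts(text):
    """IPs reported 'Up': the same list the grep/cut pipelines produce."""
    return [ip for ip, h in parse_gnmap(text).items() if h["status"] == "Up"]


def open_ports(text, proto=None):
    """(ip, port, proto, service) tuples for ports in state 'open'."""
    out = []
    for ip, h in parse_gnmap(text).items():
        for p in h["ports"]:
            if p["state"] == "open" and (proto is None or p["proto"] == proto):
                out.append((ip, p["port"], p["proto"], p["service"]))
    return out


if __name__ == "__main__":
    for ip, port, proto, svc in open_ports(SAMPLE_GNMAP):
        print(f"{ip}:{port}/{proto} {svc}")
```

Feed it the .gnmap written by -oA (e.g. open("tnet.gnmap").read()) instead of SAMPLE_GNMAP; filtered ports are kept in the parsed structure so they can be revisited with --reason or a different source port later.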
Performance Options
--max-retries <num>           # caps the number of retransmissions for port probes
--stats-every=5s              # displays scan status every 5 seconds
-v or -vv                     # verbose output
--initial-rtt-timeout 50ms    # sets the specified time as the initial RTT timeout
--max-rtt-timeout 100ms       # sets the specified time as the maximum RTT timeout
--min-rate 300                # minimum number of packets sent per second
-T <0-5>                      # specifies a timing template
ICMP echo requests: the most effective host discovery method
Works only if the firewalls of the hosts allow it

Scan Network Range
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

10.129.2.4
10.129.2.10

-sn         # disables port scanning
-oA name    # stores results in all formats
grep for keeps only the "Nmap scan report for <ip>" lines; cut -d" " -f5 takes the fifth space-separated field, the IP
Scan IP List
It is not uncommon to have a list of IPs to test; Nmap can work with such lists.

cat hosts.lst

10.129.2.4
10.129.2.10

If we use the same scanning technique on the predefined list, the command will look like this:

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19

-iL   # performs the defined scans against the targets in hosts.lst

Scan multiple IPs

sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19

If the addresses are next to each other, we can define the range in the respective octet:

sudo nmap -sn -oA tnet 10.129.2.18-20 | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20
-sn Disable port scan
-PE Auto ping scan with ICMP Echo Requests
We usually expect an ICMP echo reply when pinging a live host
The previous scans didn't get one because nmap sent an ARP ping first, and the ARP reply already answered the question; --packet-trace confirms this
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace

SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up (0.023s latency).

-PE              # ping scan using ICMP echo requests
--packet-trace   # shows all packets sent/received
--reason         # another way to see why nmap considers the target 'alive'
Nmap does detect whether a host is alive through the ARP request/reply alone when the target sits on the local Ethernet segment; ARP takes precedence over -PE there. To force the ICMP echo request, add --disable-arp-ping (and note that -Pn skips host discovery entirely).
Host and Port Scanning
There are 6 different states a scanned port can be reported in:

open             # a connection to the port has been established (TCP, UDP or SCTP)
closed           # for TCP, the received packet carries the RST flag; since the host answered, this also shows the target is alive
filtered         # cannot determine whether the port is open or closed: no response, or an error code such as ICMP unreachable
unfiltered       # only occurs during a TCP ACK scan: the port is accessible (a RST came back), but it cannot be determined whether it is open or closed
open|filtered    # no response for the specific port: a firewall or packet filter may be protecting it (typical of UDP scans)
closed|filtered  # only in the IP ID idle scan: impossible to determine whether the port is closed or filtered by a firewall
Discovering Open TCP Ports
-sS   Default: Nmap scans the top 1000 TCP ports with a SYN scan
      Only the default when run as root: raw-socket privileges are required to craft the TCP packets
-sT   Otherwise a TCP connect scan is performed by default
If we don't define ports or scanning methods, the parameters are set automatically (top 1000 TCP ports, SYN scan as root). Ports can be defined in several ways:
One by one -p 22,25,80,139,445
Range -p 22-445
Top ports --top-ports=10
Scanning all ports -p-
By defining a fast port scan -F (top 100 ports)

Trace Packets
sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for 10.11.1.28
21/tcp closed ftp
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

--packet-trace   # shows all packets sent/received
-n               # disables DNS resolution
SENT: 10.10.14.2 sent a TCP packet with SYN to target 10.129.2.28
RCVD: Target responds with TCP packet containing RST/ACK flags (RA)
Used to acknowledge receipt of the TCP packet (ACK) and to end the TCP session (RST)

Connect Scan -sT
Uses TCP 3-way handshake to determine if a port is open/closed
Sends SYN packet to port/waits for response
Open if port responds with SYN-ACK
Closed if it responds with RST
Most accurate way to determine the state of a port, since the full handshake completes
Often described as stealthy because it leaves no half-open connections or unanswered packets on the target host, which some IDS/IPS rules key on
Caveat: the completed handshake is handed to the service, so the connection lands in application logs (sshd, web server access logs); at that layer a SYN scan, which never completes the handshake, is the quieter option
Useful to map a network without disturbing the services behind the ports
Useful when the host has a firewall that drops incoming packets but allows outgoing ones
In that situation a connect scan can get through the firewall and accurately determine the state of the target ports
Slower than other scan types
Requires scanner to wait for a response from target after each packet sent
sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
Nmap scan report for 10.129.2.28
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
Filtered Ports
Firewalls have certain rules set to handle specific connections
Packets can be dropped or rejected. Dropped: nmap receives no response from the target. Rejected: nmap receives an ICMP unreachable error (a TCP RST would instead be reported as closed); --reason shows which it was
--max-retries   nmap resends the request to determine whether the previous packet was simply mishandled; this option caps the number of retransmissions. The default cap is 10 (lowered by -T4/-T5 and adapted to the loss nmap observes), which is why a trace of a dropped probe shows only a few SENT lines before the port is reported as filtered
Nmap Scripting Engine (NSE)
Scripts are written in Lua and interact with specific services. There are 14 categories of scripts:

auth        # determines authentication credentials
broadcast   # host discovery by broadcasting, with discovered hosts automatically added to the remaining scans
brute       # brute-force attempts against service credentials
default     # scripts run by -sC
discovery   # evaluation of accessible services
dos         # checks for denial-of-service vulnerabilities (can harm the service)
exploit     # tries to exploit known vulnerabilities on the scanned port
external    # uses external third-party services for further processing
fuzzer      # identifies vulnerabilities and unexpected packet handling by sending different fields
intrusive   # could negatively affect the target
malware     # checks whether some malware infects the target
safe        # defensive scripts that don't perform intrusive or destructive access
version     # extends service detection
vuln        # identifies specific known vulnerabilities

Ways to define the desired scripts:

sudo nmap <target> -sC                                     # default scripts
sudo nmap <target> --script <category>                     # scripts of a specific category
sudo nmap <target> --script <script-name>,<script-name>    # defined scripts

Specifying scripts:

sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,

-A   # aggressive option: combines -sV, -O, --traceroute and the default NSE scripts (-sC)
Performance: Timeouts
RTT (round-trip time): when Nmap sends a packet, it takes some time to receive a response from the port
Nmap's defaults are --initial-rtt-timeout 1s, --min-rtt-timeout 100ms and --max-rtt-timeout 10s; the timeout adapts between min and max from the RTTs actually observed. Lowering them speeds up scans on a fast, low-loss network but discards late replies on a slow or lossy one

Default:
sudo nmap 10.129.2.0/24 -F
Nmap done: 256 IP addresses (10 hosts up) scanned in 39.44 seconds

Optimized RTT:
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds

-F                            # scans top 100 ports
--initial-rtt-timeout 50ms    # sets the initial RTT timeout
--max-rtt-timeout 100ms       # sets the maximum RTT timeout
Note the cost: the optimized run found 8 hosts instead of 10, because replies that took longer than 100ms were no longer counted
Max Retries
--max-retries <num>   Another way to increase speed is to cap the number of retransmissions of sent packets
Default: 10
With --max-retries 0, if nmap doesn't receive a response it won't send any more packets to the port and skips it; fastest, but ports on a lossy link may be missed
Rates
If we know the bandwidth, we can work with the rate of packets sent: this speeds up scans
--min-rate <num>   tells nmap to send at least the specified number of packets per second

Default:
sudo nmap 10.129.2.0/24 -F -oN tnet.default
Nmap done: 256 IP addresses (10 hosts up) scanned in 29.83 seconds

Optimized:
sudo nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300
Nmap done: 256 IP addresses (10 hosts up) scanned in 8.67 seconds

-F                     # top 100 ports
-oN tnet.minrate300    # saves results in normal format under the specified name
--min-rate 300         # sets the minimum number of packets sent per second
Timing
6 timing templates: -T <0-5> (0 paranoid, 1 sneaky, 2 polite, 3 normal, 4 aggressive, 5 insane); -T3 is the default
Values 0-5 determine the aggressiveness of the scan
Too aggressive a template can have negative effects: security systems may block the scans, and services on the target may be overloaded
Firewall and IDS/IPS Evasion: Decoys
-D RND:5 generates 5 random decoy IPs; the probes are sent interleaved from the decoys and our real address, so the target sees several sources at once
Spoofed packets are often filtered out by ISPs and routers, so decoys mainly work on the local network or with routable decoy addresses
We can also specify our own VPS servers' IPs and use them in combination with IP ID manipulation in the headers
Decoys can be used for SYN, ACK and ICMP scans and for OS detection, but not for connect scans (-sT) or version detection (-sV), which need real handshakes
Another scenario: only individual subnets are allowed to reach specific services on the server
In that case we can manually specify the source IP with -S to test whether we get better results
Testing the firewall rule:

sudo nmap 10.129.2.28 -n -Pn -p 445 -O

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Scan by using a different source IP:

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

-n        # disables DNS resolution
-Pn       # disables host discovery (no ICMP echo requests)
-O        # OS detection
-S        # scans the target using a different source IP
-e tun0   # sends all requests through the specified interface
Caveat: replies are addressed to the spoofed source, so -S only yields results when that traffic still reaches us (the spoofed address is on our own segment or interface)
DNS Proxying
Default: nmap performs reverse DNS resolution unless otherwise specified
DNS queries are allowed through in most cases, because the given web server is supposed to be found and visited
Made over UDP port 53
TCP port 53: Previously only used for Zone transfers between DNS servers/data xfer larger than 512 bytes
This is changing due to IPv6/DNSSEC
--dns-server <ns>,<ns>   # specifies our own DNS server(s) for name resolution
This can be fundamental when working from a DMZ (demilitarized zone): the company's DNS servers are usually more trusted than those on the Internet, so resolving through them is both allowed and more likely to know the internal names
Because DNS traffic is usually permitted, we can also send our probes from TCP source port 53 (--source-port 53, or -g 53). If the firewall admits packets based on the source port alone instead of tracking connection state, the SYN gets through and a port that looked filtered turns out to be open.

SYN scan of a filtered port:

sudo nmap 10.129.2.28 -p 50000 -sS -Pn -n --disable-arp-ping --packet-trace

SENT (0.0417s) TCP 10.10.14.2:33436 > 10.129.2.28:50000 S ttl=41 id=21939 iplen=44 seq=736533153 win=1024 <mss 1460>
SENT (1.0481s) TCP 10.10.14.2:33437 > 10.129.2.28:50000 S ttl=46 id=6446 iplen=44 seq=736598688 win=1024 <mss 1460>
PORT      STATE    SERVICE
50000/tcp filtered ibm-db2

SYN scan from the DNS port:

sudo nmap 10.129.2.28 -p 50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

SENT (0.0482s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=58 id=27470 iplen=44 seq=4003923435 win=1024 <mss 1460>
RCVD (0.0608s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=540635485 win=64240 <mss 1460>
PORT      STATE SERVICE
50000/tcp open  ibm-db2

--source-port 53   # performs the scan from the specified source port

Connecting to the filtered port with the same trick (the service behind 50000 turns out to be an FTP server, not DB2):

ncat -nv --source-port 53 10.129.2.28 50000

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.28:50000.
220 ProFTPd
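To see why the source-port trick works and what closes it, the following added example (not part of the original notes, and not the target's real configuration) models two hypothetical firewall policies for a host like the one above: a stateless one that admits any TCP segment with source port 53 (a common shortcut for "let DNS answers in"), and a stateful one that only admits replies to connections the host itself opened. The packets and addresses are constructed.

```python
"""Stateless vs. stateful filtering of a SYN arriving from source port 53."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as nmap prints them: "S", "SA", "A", "RA"


PUBLISHED = {22, 80}  # services the hypothetical host intends to expose


def stateless_verdict(pkt):
    """Assumed weak rule set: source port 53 is trusted unconditionally."""
    if pkt.sport == 53:
        return "ACCEPT"              # meant for DNS replies, but matches any packet
    if pkt.dport in PUBLISHED:
        return "ACCEPT"
    return "DROP"                    # silent drop: nmap reports the port as filtered


class StatefulFilter:
    """Assumed corrected rule set: replies are only accepted for tracked flows."""

    def __init__(self):
        self.flows = set()           # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        """Record a connection the protected host initiates (e.g. a DNS query over TCP)."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"          # ESTABLISHED: answer to something the host sent
        if pkt.dport in PUBLISHED and pkt.flags == "S":
            return "ACCEPT"          # NEW connections only to published services
        return "DROP"


HOST, SCANNER, RESOLVER = "10.129.2.28", "10.10.14.2", "10.129.2.53"   # constructed addresses


def compare():
    """Return {scenario: (stateless verdict, stateful verdict)} for the packets of interest."""
    fw = StatefulFilter()
    # The host resolves a name first, so a genuine DNS answer is expected back.
    fw.outbound(Pkt(HOST, 40123, RESOLVER, 53, "S"))
    scenarios = {
        "plain SYN to 50000":  Pkt(SCANNER, 33436, HOST, 50000, "S"),
        "SYN from sport 53":   Pkt(SCANNER, 53, HOST, 50000, "S"),
        "SYN to published 22": Pkt(SCANNER, 33437, HOST, 22, "S"),
        "real DNS reply":      Pkt(RESOLVER, 53, HOST, 40123, "SA"),
    }
    return {name: (stateless_verdict(p), fw.inbound(p)) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, (weak, fixed) in compare().items():
        print(f"{name:22} stateless={weak:7} stateful={fixed}")
```

The stateless policy lets the scanner's SYN from port 53 reach 50000 (the trace above), while the stateful one still accepts the real DNS reply but drops the scan probe; the defensive fix is therefore to match replies on connection state, not on source port.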