Nmap can be divided into the following scanning techniques:
Host discovery
Port scanning
Service enumeration/detection
OS detection
Scriptable interaction with a target service (Nmap Scripting Engine) Scanning Options
-sn # Disables port scanning
-Pn # Disables ICMP echo requests
-n # Disables DNS resolution
-PE # Ping scan by using ICMP echo requests against target
--packet-trace # shows all packets sent/received
--reason # reason for a specific result
--disable-arp-ping # disables ARP ping requests
--top-ports=<num> # scans specifed top ports that have been defined as most frequent
-p- # scan all ports
-p22-110 # scan ports between 22-110
-p22,25 #scans only specified ports
-F # top 100 ports
-sS # TCP SYN-scan
-sA # TCP ACK-scan
-sU # UDP scan
-sV # version scan
-sC # script scan
-O # OS detection
-A # OS/service detection, traceroute
-D RND:S # number of random decoys used to scan target
-e # network int for scan
-s 10.10.10.1 # source ip for scan
-g # source port for scan
--dns-server <ns> # dns resolution using a specified name server
Output Options
-oA file # stores results in all avail fmts with name
-oN file # stores results in normal fmt with name
-oG file # stores results in grepable fmt with name
-oX file # stores results in xml fmt with name of file
Performance Options
---max-retries <num> # set num of retries for scans on ports
--stats-every=5s # display scan status every 5s
-v or -vv # verbose output
--initial-rtt-timeout 50ms # sets specified time value as RTT timeout
--max-rtt-timeout 100ms # sets time value as max RTT timeout
--min-rate 300 # num of packets sent simultaneously
--T <0-5> # specifies specific timing template
Sends 1 packet with SYN flag: Never completes handshake: Results in no full TCP connection to scanned port
If target sends SYN-ACK packet back to scanned port: Detected as open
If packet receives RST: Port is closed
No packet received? Filtered
Depending on firewall config, certain packets may be dropped/ignored
sudo nmap -sS localhost
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5432/tcp open postgresql
5901/tcp open vnc-1
Host Discovery
ICMP echo requests Most effective host discovery method Scan Network Range
Works only if firewalls of hosts allow it
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
10.129.2.4
10.129.2.10
-sn # disables port scanning
-oA name # stores results in all fmts
Scan IP List: Not uncommon to have an IP list to test: Option of working with lists avail
cat hosts.lst
10.129.2.4
10.129.2.10
If we use the same scanning technique on the predefined list, the command will look like this:
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
-iL # performs defined scans against targets in hosts.lst list
#scan multiple IPs
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19| grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
If addresses are next to each other, we can define the range in the respective octet.
sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20
-sn Disable port scan
-PE Auto ping scan with ICMP Echo Requests
We usually expect ICMP reply if pinging host is live
Previous scans didn't do that because nmap would send an ARP ping resulting in ARP reply Can confirm with --packet-trace
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up (0.023s latency).
-PE # ping scan by using ICMP echo requests
--packet-trace # all packets sent/received
--reason # another way to determine our target is 'alive'
nmap does detect whether a host is alive/dead through arp request/reply alone
--disable-arp-ping we can disable arp pings
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
Host and Port Scanning 6 different states for a scanned port we can obtain:
open # Connection to port established: Can be TCP/UDP/SCTP
closed # TCP indicates packet received contains RST flag: Can determine if target live/not
filtered # Can't correctly ID if port is open/closed because no-response/error code
unfiltered # Only occurs during TCP-ACK scan: Port is accessible, but can't determine if open/closed
open\|filtered # No response for specific port: A firewall/packet filter may protect port
closed\|filtered # Only in IP ID idle scan: Impossible to determine if port closed/filtered by a firewall
Discovering Open TCP Ports
-sS Default: Nmap scans top 1000 TCP ports with SYN scan
Set only to default when run as root: Socket perms required to create raw TCP packets
-sT Otherwise TCP scan performed by default
If we don't define ports/scanning methods, params set automatically We can define ports:
One by one -p 22,25,80,139,445
Range -p 22-445
Top ports --top-ports=10
Scanning all ports -p-
By defining a fast port scan -F Trace Packets
sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for 10.11.1.28
21/tcp closed ftp
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
--packet-trace # shows all packets sent/received
-n # disables dns resolution
SENT: 10.10.14.2 sent a TCP packet with SYN to target 10.129.2.28
RCVD: Target responds with TCP packet containing RST/ACK flags (RA)
Used to acknowledge receipt of TCP packet (ACK) and to end TCP session (RST) Connect Scan -sT
Uses TCP 3-way handshake to determine if a port is open/closed
Sends SYN packet to port/waits for response
Open if port responds with SYN-ACK
Closed if it responds with RST
Most accurate way to determine the state of a port: Most stealthy
Doesn't leave unfinished connections/unsent packets on target host
Makes it less likely to be detected by IDS/IPS
Useful to map network/not disturb services behind
Useful when host has a firewall that drops packets but allows outgoing
A connect scan can bypass a firewall/accurately determine the state of target ports
Slower than other scan types
Requires scanner to wait for a response from target after each packet sent
sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT
CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
Nmap scan report for 10.129.2.28
PORT STATE SERVICE REASON
443/tcp open https syn-ack
Filtered Ports
Firewalls have certain rules set to handle specific connections
Packets can be dropped/rejected: nmap receives no response from target
--max-retries Default: Set to 1: nmap will resend request to determine if previous packet was mishandled
Example:
Firewall drops TCP packets sent
We scan port 139: Shown as filtered
To track how sent packets handled:
-Pn Deactivate ICMP echo requests
-n DNS resolution
--disable-arp-ping
sudo nmap 10.129.2.28 -p 139 --packet-trace -n --disable-arp-ping -Pn
SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 <mss 1460>
SENT (1.0411s) TCP 10.10.14.2:60278 > 10.129.2.28:139 S ttl=45 id=7372 iplen=44 seq=4175171232 win=1024 <mss 1460>
Nmap scan report for 10.129.2.28
PORT STATE SERVICE
139/tcp filtered netbios-ssn
Open UDP Ports -sU
UDP is stateless: Doesn't require 3-way handshake
No acknowledgment
Timeout much longer, making it slower than TCP scans -sS
sudo nmap 10.129.2.28 -F -sU
Host is up (0.059s latency).
Not shown: 95 closed ports
68/udp open|filtered dhcpc
137/udp open netbios-ns
5353/udp open zeroconf
-F # scan 100 top ports
-sU # udp scan
We often don't get a response back: nmap sends empty datagrams to scanned UDP ports
We don't receive a response: Can't determine if packet arrived or not
We only get a response if the app is configured to do so
sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -p 137 --reason
SENT (0.0367s) UDP 10.10.14.2:55478 > 10.129.2.28:137 ttl=57 id=9122 iplen=78
RCVD (0.0398s) UDP 10.129.2.28:137 > 10.10.14.2:55478 ttl=64 id=13222 iplen=257
PORT STATE SERVICE REASON
137/udp open netbios-ns udp-response ttl 64
--reason # displays why a port is in a particular state
-Pn # disables ICMP echo requests
-n # disables dns resolution
ICMP response with error code 3? Port closed
Saving Results 3 formats:
-oN Normal: .nmap
oG Greppable: .gnmap
-oX.xml-oA Specify option to save results in all formats
If no path given: Stores in dir scanning in
sudo nmap 10.129.2.28 -p- -oA target
Style sheets
With XML we can create HTML reports
To convert stored results from XML to HTML, we can use a tool xsltproc
xsltproc target.xml -o target.html
Banner Grabbing:
#tcpdump
sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# tcpdump - Intercepted traffic
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
# NC
nc -nv 10.129.2.28 25
Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)
Nmap Scripting Engine
Can create scripts in LUA for interaction with certain services 14 categories of scripts
auth # determine auth creds
broadcast # host discovery by broadcasting/automatically adding to remaining scans
brute
default
discovery # accessible services
dos
exploit
external
fuzzer # id vulns/unexpected packet handling by sending diff fields
intrusive # could negatively affect target
malware # checks if some malware infects target
safe # don't perform intrusive/destructive access
version
vuln
# ways to define desired scripts
sudo nmap <target> -sC # default scripts
sudo nmap <target> --script <category> # specific category script
sudo nmap <target> --script <script-name>,<script-name>,... # defined
#specifying scripts
sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands
PORT STATE SERVICE
25/tcp open smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
-A # Aggressive option: Scans with multiple options -sV, -O, --traceroute and default NSE scripts -sC
Performance Timeouts
RTT - ROUND-TRIP-TIME When Nmap sends a packet, it takes some time to receive a response from the port
--min-RTT-timeout Nmap starts with a high timeout of 100ms
# default
sudo nmap 10.129.2.0/24 -F
Nmap done: 256 IP addresses (10 hosts up) scanned in 39.44 seconds
# optimized RTT
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds
-F # scans top 100 ports
--intial-rtt-timeout 50ms # sets time value as RTT timeout
--max-rtt-timeout 100s # sets time value as max RTT timeout
Max Retries
--max--retries Another way to increase speed is to specify a retry rate of sent packets
Default retry rate: 10
If nmap doesn't receive a response: It won't send any more packets to the port/skips it
Rates If we know the bandwidth, we can work with the rate of packets sent: Speeds up scans
--min-rate <num> Tell nmap to simultaneously send a specified number of packets
#default
sudo nmap 10.129.2.0/24 -F -oN tnet.default
Nmap done: 256 IP addresses (10 hosts up) scanned in 29.83 seconds
#Optimized
sudo nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300
Nmap done: 256 IP addresses (10 hosts up) scanned in 8.67 seconds
-F # top 100 ports
-oN tnet.minrate300 # saves results in normal fmts starting specified name
--min-rate 300 # sets min number of packets sent per second
Timing 6 timing templates -T <0-5>
Values 0-5 determine the aggressiveness of scans
Can have negative effects if too aggressive and security systems may block
Firewall and IDS/IPS Evasion Determine Firewalls and Their Rules
We already know when a port is filtered, it can have several reasons
Firewalls have certain rules set to handle specific connections
Packets can be dropped/rejected: Dropped packets ignored/no response returned
Rejected packets: Returned RST flag: Contain diff types of ICMP error codes Such errors can be:
- Net Unreachable
- Net Prohibited
- Host Unreachable
- Host Prohibited
- Port Unreachable
- Proto Unreachable
-sA TCP ACK scan method is harder to filter for firewalls and IDS/IPS systems than regular SYN -sS/connect scans sT
They only send TCP packets with ACK flag
When a port is closed/open: Host must respond with RST
Packets with ACK are often passed by firewalls because they can't determine if the connection was external/internal Detect IDS/IPS
Unlike firewalls: IDS/IPS systems is more difficult because they are passive traffic monitoring
IDS: Examine all connections between hosts
IPS: Take measures config by admin to prevent potential attacks automatically
IPS serves as a complement to IDS Decoys
Cases where admins block specific subnets from diff regions
Prevents any access
-D Decoy scanning method
nmap generates various random IP's in the IP header to disguise the origin of the packet sent
We can generate random RND a specific number for example: 5 of IP's separated by a colon :
Our real IP is randomly placed between the generated ones
Decoys must be alive
# scan using decoys=
sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S ttl=42 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0378s) TCP 10.10.14.2:59289 > 10.129.2.28:80 S ttl=59 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.129.2.28:80 S ttl=37 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
PORT STATE SERVICE
80/tcp open http
Spoofed packets are often filtered out by ISPs/routers
We can also specify our VPS servers' IP's/use them in combination with IP ID manipulation in headers
Another scenario: Only individual subnets would not have access to server's specific services
Can manually specify source IP -S to test if we get better results
Decoys can be used for SYN, ACK, ICMP scans and OS detection
# Testing firewall rule
moo@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
# Scan by Using Different Source IP
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
-n # disable dns resolution
-Pn # disable icmp echo requests
-O # OS detection
-S # scans target using diff source IP
-e tun0 # sends all requests through specified int
DNS Proxying
Default: nmap performs reverse DNS resolution unless otherwise specified
DNS queries passed in most cases because the given web server is supposed to be found/visited
Made over UDP port 53
TCP port 53: Previously only used for Zone transfers between DNS servers/data xfer larger than 512 bytes
This is changing due to IPv6/DNSSEC
--dns-server <ns>,<ns>
Method of specifying our own DNS: Could be fundamental if in a DMZ: Demilitarized Zone
Company DNS servers are usually more trusted than those from the Internet
# SYN-scan of a filtered port
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace
SENT (0.0417s) TCP 10.10.14.2:33436 > 10.129.2.28:50000 S ttl=41 id=21939 iplen=44 seq=736533153 win=1024 <mss 1460>
SENT (1.0481s) TCP 10.10.14.2:33437 > 10.129.2.28:50000 S ttl=46 id=6446 iplen=44 seq=736598688 win=1024 <mss 1460>
PORT STATE SERVICE
50000/tcp filtered ibm-db2
# SYN-Scan From DNS Port
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
SENT (0.0482s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=58 id=27470 iplen=44 seq=4003923435 win=1024 <mss 1460>
RCVD (0.0608s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=540635485 win=64240 <mss 1460>
PORT STATE SERVICE
50000/tcp open ibm-db2
--source-port 53 # performs scans on specified source port
# Connect to filtered port
ncat -nv --source-port 53 10.129.2.28 50000
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.28:50000.
220 ProFTPd
