Nmap

active vs. passive scanning

• passive scanning:
  • “involves scanning a network without directly interacting with the target device”¹
  • “is usually carried out through packet capture and analysis tools like Wireshark”¹
• active scanning:
  • ” is a scanning method whereby you scan individual endpoints in an IT network to retrieve more detailed information”
  • “active scan involves sending packets or queries directly to specific asshow to scann

nmap scanning technics

• TCP Connect Scans (-sTi)
  • default setting when run without sudo permission
  • “performing the three-way handshake with each target port”²
  • Nmap tries to connect to each specified TCP port, and determines whether the service is open by the response it receives
• SYN Scans (-sS)
  • default setting when run with sudo permission
  • sometimes referred to as “Half-open” scans, or “Stealth” scans.
  • after getting the SYN/ACK Package from the Target the Client send a RST (Reset) Package
  • that resets the connection and for the target the connection is not fully established
  • significantly faster than a standard TCP Connect scan
  • disadvantage:
    • unstable services are sometimes brought down by SYN scans
    • need sudo permissions
• UDP Scans (-sU)
  • sends a UDP Packet to a Port

  • when there is no response the port will be considerd as “open

    filtered”

  • when there is a ICMP response with the message that the port is unreachable the port will be marked as closed
  • much slower than TCP Scans

scanning techniques

#-sC: Performs a script scan using the default set of scripts.
#-sV: Enables version detection, which will detect what versions are running on what port.
nmap -sC -sV xx.xx.xx.xx

## ping scan to find active hosts
### is to obtain a "map" of the network structure
nmap -sn 192.168.0.0/24

## OS Scan
nmap -O xx.xx.xx.xx

## Detecting Services
nmap -sV xx.xx.xx.xx

Paramter

# basic scan types
-sT     TCP Connect Scans
-sS     SYN "Half-open" Scans
-sU     UDP Scans 

-Pn     disable the ping scan host will always be treated as alive
-f      fragment the packets making it less likely that the packets will be detected by a firewall or IDS

-oG     grepable output

-sV     Version Detection
-O      OS detection

-oN     normal output to a file

-sC                     default scripts
--script=<categorie>    use scripts from categorie

-p-     scan all ports

Nmap Scripting Engine (NSE)

• is writen in lua an can do powerfull things
• some useful catefories:
  • safe:- Won’t affect the target
  • intrusive:- Not safe: likely to affect the target
  • vuln:- Scan for vulnerabilities
  • exploit:- Attempt to exploit a vulnerability
  • auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
  • brute:- Attempt to bruteforce credentials for running services
  • discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).
• list of all categories
• help for the scripts

# examples for scripts
--script=safe
--script=vuln
--script=smb-enum-users,smb-enum-shares

# using scripts with arguments
nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

# built in help
nmap --script-help <script-name>

finding scripts

• nmap website
• Filesystem

ls -l /usr/share/nmap/scripts/*ftp*
grep "safe" /usr/share/nmap/scripts/script.db

install/update scripts

sudo apt update && sudo apt install nmap

sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse
nmap --script-updatedb

references

• Kali.org: nmap Usage Example
• linux.die.net: nmap(1) - Linux man page
• namp manpage
• tryhackme: further nmap

1. https://tryhackme.com/room/adventofcyber4 ↩ ↩²

2. https://tryhackme.com/room/furthernmap ↩