Nmap

active vs. passive scanning

  • passive scanning:
    • “involves scanning a network without directly interacting with the target device” [1]
    • “is usually carried out through packet capture and analysis tools like Wireshark” [1]
  • active scanning:
    • “is a scanning method whereby you scan individual endpoints in an IT network to retrieve more detailed information”
    • “active scan involves sending packets or queries directly to specific assets” [1]

nmap scanning techniques

  • TCP Connect Scans (-sT)
    • default when run without sudo (root) privileges
    • “performing the three-way handshake with each target port” [2]
    • Nmap tries to connect to each specified TCP port and decides whether the service is open from the response it receives
  • SYN Scans (-sS)
    • default when run with sudo (root) privileges
    • sometimes referred to as “half-open” scans or “stealth” scans
    • after receiving the SYN/ACK packet from the target, the client sends a RST (reset) packet instead of completing the handshake
    • this tears the connection down, so from the target's point of view the connection was never fully established
    • significantly faster than a standard TCP Connect scan
    • disadvantages:
      • unstable services are sometimes brought down by SYN scans
      • needs sudo privileges (raw sockets)
  • UDP Scans (-sU)
    • sends a UDP packet to a port
    • when there is no response the port is reported as “open|filtered”
    • when an ICMP “port unreachable” message comes back the port is marked as closed
    • much slower than TCP scans
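The port-state rules listed above can be replayed offline. The following is an added example (not code from the original notes or from the Nmap project): it feeds hand-constructed probe replies through the decision rules for -sS/-sT and -sU, and shows the one packet that separates a half-open scan from a connect scan. The `Reply` type, the constructed `TCP_REPLIES`/`UDP_REPLIES` tables and the ICMP code sets are assumptions made for the example; nothing is sent on the wire.

```python
"""Toy model of Nmap's port-state decisions for -sS/-sT (TCP) and -sU (UDP).

Added example, not code from the original notes or from the Nmap project.
The replies below are plain Python objects built inline, not captured packets.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Reply:
    """One reply to a single probe. proto is 'tcp', 'udp' or 'icmp'."""
    proto: str
    tcp_flags: str = ""                 # TCP flag letters, e.g. "SA" (SYN/ACK) or "R" (RST)
    icmp_type: Optional[int] = None     # only meaningful for proto == "icmp"
    icmp_code: Optional[int] = None


# ICMP destination-unreachable (type 3) codes that a UDP scan reports as "filtered";
# code 3 (port unreachable) is handled separately because it means "closed".
UDP_FILTERED_CODES = {0, 1, 2, 9, 10, 13}


def tcp_syn_state(reply: Optional[Reply]) -> str:
    """Port state for a TCP SYN (or connect) probe; None means no reply at all."""
    if reply is None:
        return "filtered"                   # dropped by a firewall, or the host is silent
    if reply.proto == "tcp":
        if "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"                   # SYN/ACK: something is listening
        if "R" in reply.tcp_flags:
            return "closed"                 # RST: reachable, but nothing listening
    # ICMP unreachable errors and anything unexpected: treated as filtered
    return "filtered"


def udp_state(reply: Optional[Reply]) -> str:
    """Port state for a UDP probe; None (no reply) is the common UDP case."""
    if reply is None:
        return "open|filtered"              # silence is ambiguous for UDP
    if reply.proto == "udp":
        return "open"                       # the service answered the probe
    if reply.proto == "icmp" and reply.icmp_type == 3:
        if reply.icmp_code == 3:
            return "closed"                 # port unreachable: nothing listening
        if reply.icmp_code in UDP_FILTERED_CODES:
            return "filtered"               # an intermediate device rejected the probe
    return "open|filtered"


def half_open_followup(scan: str, reply: Optional[Reply]) -> Optional[str]:
    """What the scanner sends back after a SYN/ACK: -sT completes the handshake
    with an ACK, -sS tears it down with a RST, so the target never sees an
    established connection (the "half-open" behaviour described in the notes)."""
    if reply is None or reply.proto != "tcp":
        return None                         # nothing to answer without a SYN/ACK
    if "S" not in reply.tcp_flags or "A" not in reply.tcp_flags:
        return None
    return "ACK" if scan == "-sT" else "RST"


def classify_scan(scan: str, replies: Dict[int, Optional[Reply]]) -> Dict[int, str]:
    """Map {port: reply-or-None} to {port: state} for -sS, -sT or -sU."""
    classify = udp_state if scan == "-sU" else tcp_syn_state
    return {port: classify(replies[port]) for port in sorted(replies)}


# Constructed replies for one imaginary host (not captured traffic)
TCP_REPLIES: Dict[int, Optional[Reply]] = {
    22: Reply("tcp", tcp_flags="SA"),                   # sshd listening
    80: Reply("tcp", tcp_flags="R"),                    # nothing on 80
    443: None,                                          # silently dropped
    8080: Reply("icmp", icmp_type=3, icmp_code=13),     # administratively prohibited
}
UDP_REPLIES: Dict[int, Optional[Reply]] = {
    53: Reply("udp"),                                   # DNS answered the probe
    161: None,                                          # SNMP: no reply, ambiguous
    162: Reply("icmp", icmp_type=3, icmp_code=3),       # port unreachable
    500: Reply("icmp", icmp_type=3, icmp_code=10),      # host administratively prohibited
}

if __name__ == "__main__":
    print("-sS:", classify_scan("-sS", TCP_REPLIES))
    print("-sU:", classify_scan("-sU", UDP_REPLIES))
    print("after SYN/ACK on 22:", half_open_followup("-sS", TCP_REPLIES[22]),
          "for -sS vs", half_open_followup("-sT", TCP_REPLIES[22]), "for -sT")
```

The UDP table is the part worth studying: three of the four ports give a different verdict for the same "no service" situation depending on whether the host, a firewall, or nobody answers, which is why UDP results need follow-up probes (for example `-sV`) before they are trusted.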

scanning techniques

```bash
## DISCOVERY
# ARP scan to discover live hosts on a local network without conducting any port scanning
nmap -PR -sn TARGETS

# ICMP echo request
nmap -PE -sn TARGETS

# uses timestamp request (ICMP Type 13) and checks whether it gets a timestamp reply (ICMP Type 14)
nmap -PP -sn TARGETS

# uses address mask queries (ICMP Type 17) and checks whether it gets an address mask reply (ICMP Type 18)
nmap -PM -sn TARGETS

# TCP SYN ping scan
sudo nmap -PS22,80,443 -sn MACHINE_IP/30

# TCP ACK ping scan
sudo nmap -PA22,80,443 -sn MACHINE_IP/30

# UDP ping scan
sudo nmap -PU53,161,162 -sn MACHINE_IP/30

# -sC: performs a script scan using the default set of scripts
# -sV: enables version detection, which detects what versions are running on what port
nmap -sC -sV xx.xx.xx.xx

## ping scan to find active hosts
### goal is to obtain a "map" of the network structure
nmap -sn 192.168.0.0/24

## OS detection
nmap -O xx.xx.xx.xx

## detecting services
nmap -sV xx.xx.xx.xx
```

Parameters

```bash
# basic scan types
-sT     TCP Connect scans
-sS     SYN "half-open" scans
-sU     UDP scans

-Pn     disable the ping scan; the host will always be treated as alive
-f      fragment the packets, making it less likely that they will be detected by a firewall or IDS

-oG     grepable output

-sV     version detection
-O      OS detection

-oN     normal output to a file

-sC                     default scripts
--script=<category>     use scripts from a category

-p-     scan all ports
```
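The `-oG` (grepable) format mentioned above is the one most people end up post-processing, both for the `-sn` discovery runs in the block before this one and for `-sV` port scans. What follows is an added example, not code from the original notes or from the Nmap project: a small parser for that format. It assumes the documented `-oG` line layout (tab-separated `Key: value` fields per host, a `Ports:` field with comma-separated `port/state/proto/owner/service/rpcinfo/version/` entries). `SAMPLE_OG` is constructed by hand for the example, not captured from a real scan.

```python
"""Parser for Nmap grepable output (-oG): host status, ports, services, versions.

Added example, not code from the original notes or from the Nmap project.
SAMPLE_OG is a constructed sample: one -sn discovery run followed by one -sV scan.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.0.2.0/30
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.2 (web.example.test)\tStatus: Up
# Nmap done: 4 IP addresses (2 hosts up) scanned in 1.23 seconds
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.1-2
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.2 (web.example.test)\tStatus: Up
Host: 192.0.2.2 (web.example.test)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 53/open|filtered/udp//domain///\tIgnored State: closed (998)
# Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


@dataclass
class Port:
    number: int
    state: str          # open, closed, filtered, open|filtered, ...
    proto: str          # tcp or udp
    service: str        # service name Nmap guessed; may be empty
    version: str        # filled only when -sV was used


@dataclass
class Host:
    addr: str
    hostname: str = ""
    status: str = ""
    ports: List[Port] = field(default_factory=list)


HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, Host]:
    """Return {address: Host}; the '# Nmap ...' banner lines are skipped.
    Repeated Host lines for one address (Status line, then Ports line) are merged."""
    hosts: Dict[str, Host] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        addr, name = m.groups()
        host = hosts.setdefault(addr, Host(addr, name))
        # everything after the first tab is "Key: value" fields separated by tabs
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:])
        if "Status" in fields:
            host.status = fields["Status"]
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # Nmap writes "/" inside version strings as "|", so splitting on "/" is safe
            parts = entry.split("/")
            host.ports.append(Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def live_hosts(hosts: Dict[str, Host]) -> List[str]:
    """Addresses reported as Up (what a -sn run is for)."""
    return sorted(a for a, h in hosts.items() if h.status == "Up")


def open_ports(hosts: Dict[str, Host]) -> List[Tuple[str, int, str, str, str]]:
    """(addr, port, proto, service, version) for every port in state 'open'."""
    rows = [(h.addr, p.number, p.proto, p.service, p.version)
            for h in hosts.values() for p in h.ports if p.state == "open"]
    return sorted(rows)


def unverified_udp(hosts: Dict[str, Host]) -> List[Tuple[str, int]]:
    """UDP ports still 'open|filtered', i.e. the scan could not decide (see -sU notes)."""
    return sorted((h.addr, p.number) for h in hosts.values()
                  for p in h.ports if p.proto == "udp" and p.state == "open|filtered")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print("live:", live_hosts(parsed))
    for row in open_ports(parsed):
        print("open:", row)
    print("undecided UDP:", unverified_udp(parsed))
```

On a real run, feed the file written by `-oG scan.gnmap` (or the stdout of `-oG -`) to `parse_grepable`; the `Ignored State` field tells you how many ports were summarised away and is deliberately not turned into Port records.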

Nmap Scripting Engine (NSE)

  • scripts are written in Lua and can do powerful things
  • some useful categories:
    • safe: won't affect the target
    • intrusive: not safe, likely to affect the target
    • vuln: scan for vulnerabilities
    • exploit: attempt to exploit a vulnerability
    • auth: attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)
    • brute: attempt to brute-force credentials for running services
    • discovery: attempt to query running services for further information about the network (e.g. query an SNMP server)
  • a list of all categories is in the NSE documentation
  • help for the scripts is built into nmap (see `--script-help` below)
```bash
# examples for scripts
--script=safe
--script=vuln
--script=smb-enum-users,smb-enum-shares

# using scripts with arguments
nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php' TARGET

# built-in help
nmap --script-help <script-name>
```

finding scripts

```bash
ls -l /usr/share/nmap/scripts/*ftp*
grep "safe" /usr/share/nmap/scripts/script.db
```
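`grep "safe" script.db` matches the string anywhere on the line, including inside a file name, so it is a rough tool for answering "which scripts are safe to run". The following is an added example, not code from the original notes or from the Nmap project, that parses `script.db` properly and serves both the category list in the NSE section above and the "finding scripts" commands here. It assumes the `Entry { filename = "...", categories = { "...", } }` line format that Nmap ships in `script.db`; `SAMPLE_DB` is a constructed sample (the script names in it are chosen for the example and are not claimed to exist), and `RISKY` is an assumed choice of categories worth reviewing before a scan.

```python
"""Query Nmap's script.db by category, and review a --script selection.

Added example, not from the original notes or the Nmap project. SAMPLE_DB is
constructed for the example; on a real system read /usr/share/nmap/scripts/script.db.
"""
import re
from typing import Dict, List, Set

SAMPLE_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-vuln-example.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery", } }
Entry { filename = "failsafe-check.nse", categories = { "intrusive", } }
"""

ENTRY_RE = re.compile(r'Entry \{ filename = "([^"]+)", categories = \{ ([^}]*) \} \}')
CAT_RE = re.compile(r'"([^"]+)"')

# Categories whose scripts may affect the target (assumed list for this example)
RISKY = {"intrusive", "exploit", "brute", "dos"}


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Return {filename: set(categories)} for every Entry line in script.db text."""
    db: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            db[m.group(1)] = set(CAT_RE.findall(m.group(2)))
    return db


def scripts_in_category(db: Dict[str, Set[str]], category: str) -> List[str]:
    """Scripts that really carry the category (what grep "safe" is trying to find)."""
    return sorted(name for name, cats in db.items() if category in cats)


def scripts_matching(db: Dict[str, Set[str]], substring: str) -> List[str]:
    """Substring match on the file name, like `ls /usr/share/nmap/scripts/*ftp*`."""
    return sorted(name for name in db if substring in name)


def expand_selection(db: Dict[str, Set[str]], selection: List[str]) -> Set[str]:
    """Resolve a --script list: each item is a category name or a script name
    without the .nse suffix (same two forms as in the examples above)."""
    chosen: Set[str] = set()
    for item in selection:
        by_category = scripts_in_category(db, item)
        if by_category:
            chosen.update(by_category)
        elif item + ".nse" in db:
            chosen.add(item + ".nse")
        else:
            raise ValueError(f"unknown script or category: {item}")
    return chosen


def risky_scripts(db: Dict[str, Set[str]], selection: List[str]) -> Dict[str, Set[str]]:
    """Which scripts in a planned --script selection also carry a RISKY category.
    Useful before running e.g. --script=vuln against a fragile service."""
    return {name: db[name] & RISKY
            for name in expand_selection(db, selection) if db[name] & RISKY}


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    print("safe:", scripts_in_category(db, "safe"))
    print("*ftp*:", scripts_matching(db, "ftp"))
    print("intrusive within --script=vuln,ftp-anon:", risky_scripts(db, ["vuln", "ftp-anon"]))
```

The constructed `failsafe-check.nse` entry shows the difference between the two lookups: `grep "safe"` (and `scripts_matching`) returns it because of its name, while `scripts_in_category` does not, because its only category is `intrusive`.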

install/update scripts

```bash
sudo apt update && sudo apt install nmap

sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse
nmap --script-updatedb
```

references

  1. https://tryhackme.com/room/adventofcyber4
  2. https://tryhackme.com/room/furthernmap

This post is licensed under CC BY 4.0 by the author.