🛸Scanning
Nmap
Host and port scanning should gather the following information:
Open ports and their services
Service versions
Information exposed by the services themselves
Operating system
Scan Network Range
Use ICMP echo requests to discover live hosts in a network range.
nmap -T4 -sn <target ip>/24
sudo nmap <target ip>/24 -sn -oA <filename> | grep for | cut -d" " -f5
sudo nmap -sn -oA <output filename> -iL <target ip list> | grep for | cut -d" " -f5
With the port scan disabled (-sn), Nmap sends an ARP ping to targets on the local subnet instead of the ICMP echo request:
sudo nmap <target ip> -sn -oA <filename> -PE --packet-trace
Disable ARP requests and scan the target with the desired ICMP echo requests instead:
sudo nmap <target ip> -sn -oA <filename> -PE --packet-trace --disable-arp-ping
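The grep/cut pipeline above assumes the address is always the fifth space-separated field of the "Nmap scan report for" line. When reverse DNS resolves, Nmap prints the name first and the address in parentheses, so the one-liner returns a hostname for those hosts. The following Python function is an added example (not part of the original notes) that extracts the address in both forms; the sample output it parses is constructed, not a real scan.

```python
import re

# Constructed sample of "nmap -sn" normal output. The second host has a
# reverse-DNS name, so its address is the sixth field, not the fifth; the
# third host is reported down (Nmap prints "[host down]" in verbose mode).
SAMPLE_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-11 08:49 +08
Nmap scan report for 10.129.128.1
Host is up (0.17s latency).
Nmap scan report for gateway.example.internal (10.129.128.254)
Host is up (0.020s latency).
Nmap scan report for 10.129.128.77 [host down]
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)",
# optionally followed by " [host down]".
REPORT_LINE = re.compile(
    r"^Nmap scan report for (?P<name>\S+)"
    r"(?: \((?P<ip>[0-9A-Fa-f.:]+)\))?"
    r"(?P<down> \[host down\])?$"
)


def live_hosts(text):
    """Return the address of every host Nmap reported as up."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if not m or m.group("down"):
            continue
        # Address sits in parentheses when a reverse-DNS name was found,
        # otherwise the token after "for" is the address itself.
        hosts.append(m.group("ip") or m.group("name"))
    return hosts


def field5_hosts(text):
    """Reproduce what `grep for | cut -d" " -f5` returns, for comparison."""
    return [line.split(" ")[4] for line in text.splitlines() if " for " in line]


if __name__ == "__main__":
    print("parsed  :", live_hosts(SAMPLE_OUTPUT))
    print("cut -f5 :", field5_hosts(SAMPLE_OUTPUT))
```

Running it shows the difference: the parser yields the two addresses, while the field-5 approach yields the hostname for the resolved host and also includes the down host.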
Nmap Host Discovery Reference:
Port Scanning Techniques Reference:
Nmap Flags:
-sn: Ping Scan - disable port scan
-oA: Output in the three major formats at once
-iL : Input from list of hosts/networks
-PE: ICMP echo
--packet-trace: Show all packets sent and received
--reason: Display the reason a port is in a particular state
--disable-arp-ping: (No ARP or ND Ping)
-vvvv: Increase verbosity level (use -vv or more for greater effect); at -vv and above Nmap prints each open port as soon as it is detected
Nmap (TCP)
Initial Scan
Run service/version detection against the target's top 1000 ports, report only open ports, and save the results in three file formats: normal text output (.nmap), grepable output (.gnmap) and XML output (.xml).
nmap -sV --open <target ip> -oA <filename>
Full TCP port scan
Run a full TCP port scan to find services running on non-standard ports.
nmap -p- --open <target ip> -oA <filename>
A TCP SYN scan (-sS) is faster than a TCP Connect scan (-sT) because it never completes the three-way handshake; it requires root privileges.
sudo nmap -sS -p- <target ip> -oA <filename>
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -p- 10.129.128.0 -oA TCPsSall
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-11 08:49 +08
Nmap scan report for 10.129.128.0
Host is up (0.17s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 839.15 seconds
Nmap Flags
-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-vvvv: Increase verbosity level (use -vv or more for greater effect)
-oA: Output in the three major formats at once
Nmap (UDP)
UDP Scan
I was reminded not to miss out on UDP scanning to find any potential vulnerabilities
sudo nmap -sUV -T4 -F --version-intensity 0 <target ip> -oA <filename>
Nmap Flags
-sU: UDP Scan
-sV: Probe open ports to determine service/version info (-sUV combines -sU and -sV in one option)
-T<0-5>: Set timing template (higher is faster)
-F: Fast mode - Scan fewer ports than the default scan
--version-intensity <0-9>: Set from 0 (light) to 9 (try all probes)
-oA: Output in the three major formats at once
Saving Nmap Results
-oN: Normal output with the .nmap file extension
-oG: Grepable output with the .gnmap file extension
-oX: XML output with the .xml file extension
-oA: Save the output to all formats
Convert XML Format to HTML
xsltproc <filename>.xml -o <filename>.html
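Saved XML output is the format to keep when scans are repeated over time: it can be parsed reliably and compared against an earlier baseline to spot newly exposed services. The code below is an added example, not part of the original notes or of Nmap itself; the two XML documents are constructed by hand to resemble -oX output for the host scanned above (one port opened between the two runs).

```python
import xml.etree.ElementTree as ET

# Constructed baseline scan in Nmap XML form (not a real -oX file).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --open 10.129.128.0 -oA baseline" version="7.92">
<host><status state="up" reason="echo-reply"/>
<address addr="10.129.128.0" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Constructed follow-up scan: port 31337 is now open, 110 is filtered.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 10.129.128.0 -oA current" version="7.92">
<host><status state="up" reason="echo-reply"/>
<address addr="10.129.128.0" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="110"><state state="filtered" reason="no-response"/><service name="pop3"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each live host's IPv4 address to its open ports as (proto, port, service)."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            # Only ports Nmap confirmed open; filtered/closed are skipped.
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            ports.append((port.get("protocol"), int(port.get("portid")), name))
        inventory[addr.get("addr")] = sorted(ports)
    return inventory


def new_open_ports(baseline_xml, current_xml):
    """Return ports open in the current scan that were not open in the baseline."""
    old = open_ports(baseline_xml)
    delta = {}
    for ip, ports in open_ports(current_xml).items():
        added = [p for p in ports if p not in old.get(ip, [])]
        if added:
            delta[ip] = added
    return delta


if __name__ == "__main__":
    for ip, ports in new_open_ports(BASELINE_XML, CURRENT_XML).items():
        for proto, port, svc in ports:
            print(f"{ip}: new open port {port}/{proto} ({svc})")
```

Point `open_ports` at the text of a real .xml file produced with -oA or -oX; the same structure (host/status/address/ports/port/state/service) is what xsltproc renders into the HTML report.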
Reference:
Firewall and IDS/IPS Evasion
Nmap's TCP ACK scan (-sA) sends TCP packets with only the ACK flag set. Because no connection is ever initiated, this method is much harder for firewalls and IDS/IPS systems to filter than regular SYN (-sS) or Connect (-sT) scans.
sudo nmap <target ip> -p <port(s)> -sA -Pn -n --disable-arp-ping --packet-trace
The six states of a scanned port
open
A connection to the scanned port was established. This applies to TCP connections, UDP datagrams and SCTP associations.
closed
For TCP, the packet received back carries the RST flag. Because a closed port still answers, this also shows that the target is alive.
filtered
Nmap cannot determine whether the port is open or closed, because either no response came back from the target or the target returned an error code.
unfiltered
This state only occurs during a TCP ACK scan and means the port is reachable, but it cannot be determined whether it is open or closed.
open|filtered
Nmap sets this state when it receives no response for a specific port; it indicates that a firewall or packet filter may be protecting the port.
closed|filtered
This state only occurs in IP ID idle scans and indicates that it was impossible to determine whether the scanned port is closed or filtered by a firewall.
DNS Proxying
SYN-scan from DNS Port
sudo nmap <target ip> -p<port> -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
Identify the DNS server version number
sudo nmap -sSU -p 53 --script=dns-nsid <target ip>
┌──(kali㉿kali)-[~/idsips]
└─$ sudo nmap -sSU -p 53 --script=dns-nsid 10.129.125.167
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-13 12:27 +08
Nmap scan report for 10.129.125.167
Host is up (0.34s latency).
PORT STATE SERVICE
53/tcp filtered domain
53/udp open domain udp-response
| dns-nsid:
| NSID dns.example.com (646E732E6578616D706C652E636F6D)
| id.server: dns.example.com
|_ bind.version: 9.7.3-P3
Filtered Port Connection
nc -nv -p 53 <target ip> <port>
Exercise:
Identify the OS that the machine is running on before the IDS/IPS systems ban my IP address
sudo nmap -sA --top-ports=10 -Pn -n 10.129.125.141 --disable-arp-ping --packet-trace
┌──(kali㉿kali)-[~/idsips]
└─$ sudo nmap -sA --top-ports=10 -Pn -n 10.129.125.141 --disable-arp-ping --packet-trace
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-13 09:29 +08
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:3389 A ttl=56 id=51494 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:23 A ttl=39 id=45252 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:80 A ttl=57 id=21067 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:443 A ttl=43 id=13937 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:22 A ttl=55 id=25670 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:110 A ttl=55 id=35404 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:139 A ttl=45 id=17819 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:445 A ttl=50 id=6243 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:21 A ttl=38 id=60685 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:25 A ttl=50 id=57369 iplen=40 seq=0 win=1024
RCVD (0.2642s) TCP 10.129.125.141:3389 > 10.10.14.38:35762 R ttl=63 id=8028 iplen=40 seq=3954519533 win=0
RCVD (0.2647s) TCP 10.129.125.141:80 > 10.10.14.38:35762 R ttl=63 id=8030 iplen=40 seq=3954519533 win=0
RCVD (0.2647s) TCP 10.129.125.141:23 > 10.10.14.38:35762 R ttl=63 id=8029 iplen=40 seq=3954519533 win=0
RCVD (0.2648s) TCP 10.129.125.141:22 > 10.10.14.38:35762 R ttl=63 id=8031 iplen=40 seq=3954519533 win=0
RCVD (0.2648s) TCP 10.129.125.141:21 > 10.10.14.38:35762 R ttl=63 id=8032 iplen=40 seq=3954519533 win=0
SENT (1.4894s) TCP 10.10.14.38:35764 > 10.129.125.141:25 A ttl=59 id=40546 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:445 A ttl=41 id=19236 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:139 A ttl=48 id=47284 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:110 A ttl=53 id=48125 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:443 A ttl=37 id=18850 iplen=40 seq=0 win=1024
SENT (1.8829s) TCP 10.10.14.38:35767 > 10.129.125.141:3389 A ttl=38 id=45877 iplen=40 seq=0 win=1024
RCVD (2.0542s) TCP 10.129.125.141:3389 > 10.10.14.38:35767 R ttl=63 id=8325 iplen=40 seq=3954191848 win=0
Nmap scan report for 10.129.125.141
Host is up (0.17s latency).
PORT STATE SERVICE
21/tcp unfiltered ftp
22/tcp unfiltered ssh
23/tcp unfiltered telnet
25/tcp filtered smtp
80/tcp unfiltered http
110/tcp filtered pop3
139/tcp filtered netbios-ssn
443/tcp filtered https
445/tcp filtered microsoft-ds
3389/tcp unfiltered ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
The Nmap TCP ACK scan targeting the top 10 ports produced the results above. The scan was initially set to target all ports (-p-), which hit the cap of 100 alerts.
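The packet trace above is exactly what a network sensor sees, so it is worth reading it the way Nmap does: an ACK probe answered with RST means the port is unfiltered (a stateless filter let the packet through); a probe with no answer, retransmitted once, is reported filtered. The following parser is an added example (not part of the original notes) that derives the report from the trace lines copied above and counts how many probes each port cost, since every unanswered probe is retransmitted and each transmitted packet is a potential alert.

```python
import re
from collections import Counter

# TCP lines copied from the --packet-trace run above (ACK scan of the top 10 ports).
TRACE = """\
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:3389 A ttl=56 id=51494 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:23 A ttl=39 id=45252 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:80 A ttl=57 id=21067 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:443 A ttl=43 id=13937 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:22 A ttl=55 id=25670 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:110 A ttl=55 id=35404 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:139 A ttl=45 id=17819 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:445 A ttl=50 id=6243 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:21 A ttl=38 id=60685 iplen=40 seq=0 win=1024
SENT (0.0913s) TCP 10.10.14.38:35762 > 10.129.125.141:25 A ttl=50 id=57369 iplen=40 seq=0 win=1024
RCVD (0.2642s) TCP 10.129.125.141:3389 > 10.10.14.38:35762 R ttl=63 id=8028 iplen=40 seq=3954519533 win=0
RCVD (0.2647s) TCP 10.129.125.141:80 > 10.10.14.38:35762 R ttl=63 id=8030 iplen=40 seq=3954519533 win=0
RCVD (0.2647s) TCP 10.129.125.141:23 > 10.10.14.38:35762 R ttl=63 id=8029 iplen=40 seq=3954519533 win=0
RCVD (0.2648s) TCP 10.129.125.141:22 > 10.10.14.38:35762 R ttl=63 id=8031 iplen=40 seq=3954519533 win=0
RCVD (0.2648s) TCP 10.129.125.141:21 > 10.10.14.38:35762 R ttl=63 id=8032 iplen=40 seq=3954519533 win=0
SENT (1.4894s) TCP 10.10.14.38:35764 > 10.129.125.141:25 A ttl=59 id=40546 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:445 A ttl=41 id=19236 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:139 A ttl=48 id=47284 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:110 A ttl=53 id=48125 iplen=40 seq=0 win=1024
SENT (1.4895s) TCP 10.10.14.38:35764 > 10.129.125.141:443 A ttl=37 id=18850 iplen=40 seq=0 win=1024
SENT (1.8829s) TCP 10.10.14.38:35767 > 10.129.125.141:3389 A ttl=38 id=45877 iplen=40 seq=0 win=1024
RCVD (2.0542s) TCP 10.129.125.141:3389 > 10.10.14.38:35767 R ttl=63 id=8325 iplen=40 seq=3954191848 win=0
"""

# "SENT (0.0913s) TCP src:port > dst:port FLAGS ttl=..." ; FLAGS is e.g. A, R, SA.
TCP_LINE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[0-9.]+)s\) TCP "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) > (?P<dst>[0-9.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) "
)


def parse_trace(text):
    """Yield (direction, time, src, sport, dst, dport, flags) for each TCP trace line."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            d = m.groupdict()
            yield (d["dir"], float(d["t"]), d["src"], int(d["sport"]),
                   d["dst"], int(d["dport"]), d["flags"])


def ack_scan_states(text, target):
    """Reproduce Nmap's ACK-scan verdict: RST back => unfiltered, silence => filtered."""
    probed, rst_seen = set(), set()
    for direction, _, src, sport, dst, dport, flags in parse_trace(text):
        if direction == "SENT" and dst == target and "A" in flags:
            probed.add(dport)
        elif direction == "RCVD" and src == target and "R" in flags:
            rst_seen.add(sport)
    return {p: ("unfiltered" if p in rst_seen else "filtered") for p in sorted(probed)}


def probe_counts(text, target):
    """Number of ACK probes sent per port; unanswered ports are retransmitted."""
    counts = Counter()
    for direction, _, _, _, dst, dport, _ in parse_trace(text):
        if direction == "SENT" and dst == target:
            counts[dport] += 1
    return dict(counts)


if __name__ == "__main__":
    target = "10.129.125.141"
    for port, state in ack_scan_states(TRACE, target).items():
        print(f"{port}/tcp {state}")
    print("packets sent:", sum(probe_counts(TRACE, target).values()))
```

The result matches the Nmap report above (21, 22, 23, 80 and 3389 unfiltered; 25, 110, 139, 443 and 445 filtered), and the probe counts show why keeping the port list short matters on a monitored network: ten ports cost sixteen packets because every unanswered port was tried twice.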
Netcat (Banner Grabbing)
nc -nv 10.129.125.141 22
┌──(kali㉿kali)-[~/idsips]
└─$ nc -nv 10.129.125.141 22
(UNKNOWN) [10.129.125.141] 22 (ssh) open
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
The whole process only triggered 5 alerts.
Nmap (Banner Grabbing)
nmap -sV -p 22 10.129.125.141
┌──(kali㉿kali)-[~/idsips]
└─$ nmap -sV -p 22 10.129.125.141
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-13 09:59 +08
Nmap scan report for 10.129.125.141
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds
Masscan
Masscan (TCP / UDP)
Masscan scans much faster than Nmap; the --rate flag sets the transmission rate in packets per second (1000 here). It can scan TCP and UDP ports in the same run.
sudo masscan -p1-65535,U:1-65535 <target ip> --rate=1000
sudo masscan -p80 10.11.1.0/24 --rate=1000 -e tap0 --router-ip 10.11.0.1