🛸Scanning
Nmap
Information needed from host and port scanning includes:
Open ports and their services
Service versions
Information that the services provide
Operating system
Scan Network Range
Use a ping scan (-sn) to find live hosts in a network range. For targets outside the local subnet a privileged scan sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; for targets on the local Ethernet segment Nmap uses ARP requests instead. The grep/cut pipeline below keeps only the IP from each "Nmap scan report for <ip>" line.
nmap -T4 -sn <target ip>/24
sudo nmap <target ip>/24 -sn -oA <filename> | grep for | cut -d" " -f5
sudo nmap -sn -oA <output filename> -iL <target ip list> | grep for | cut -d" " -f5
With port scanning disabled, Nmap still sends an ARP ping to a target on the local subnet, even when -PE is given; --packet-trace shows the ARP request and reply.
sudo nmap <target ip> -sn -oA <filename> -PE --packet-trace
Disable the ARP ping so the target is probed with the ICMP echo request instead
sudo nmap <target ip> -sn -oA <filename> -PE --packet-trace --disable-arp-ping
Nmap Flags:
-sn: Ping Scan - disable port scan
-oA: Output in the three major formats at once
-iL : Input from list of hosts/networks
-PE: ICMP echo
--packet-trace: Show all packets sent and received
--reason: Display the reason a port is in a particular state
--disable-arp-ping: No ARP or ND ping
-vvvv: Increase verbosity level (use -vv or more for greater effect); open ports are printed as soon as Nmap detects them instead of only in the final summary
Nmap (TCP)
Initial Scan
Run service enumeration against the target's top 1000 TCP ports. --open reports only open ports, and -oA writes the result in three file formats at once: normal text output (.nmap), grepable output (.gnmap) and XML output (.xml).
nmap -sV --open <target ip> -oA <filename>
Full TCP port scan
Run a full TCP port scan to find services running on non-standard ports.
nmap -p- --open <target ip> -oA <filename>
A TCP SYN scan (-sS) is faster than a TCP connect scan (-sT) and never completes the three-way handshake, so the target application never sees a connection. It needs raw-socket privileges: run it with sudo (as root, -sS is Nmap's default; unprivileged, Nmap falls back to -sT).
sudo nmap -sS -p- <target ip> -oA <filename>
Nmap Flags
-p-: All ports
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
-O: Enable OS detection
-vvvv: Increase verbosity level (use -vv or more for greater effect)
-oA: Output in the three major formats at once
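The .gnmap file that -oA writes is the glue between the scans above: the host discovery sweep gives a list of live hosts, and the full port scan gives the open ports to feed into a targeted -sV scan. The script below is an added example (not from the original notes) that parses a constructed .gnmap file to list live hosts, extract each host's open TCP ports in the comma-separated form that -p expects, and print the follow-up service scan command. The scan output embedded in it is constructed, not real.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse Nmap grepable output
# (-oG, or the .gnmap file from -oA) for the two-stage workflow
# "full port scan -> targeted -sV scan". The .gnmap content is CONSTRUCTED.

# Write a constructed .gnmap file to $1 (fields are tab-separated, as Nmap writes them).
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -p- --open -oG scan.gnmap 10.10.10.0/24\n'
        printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
        printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)\n'
        printf 'Host: 10.10.10.7 ()\tStatus: Up\n'
        printf 'Host: 10.10.10.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (65533)\n'
        printf 'Host: 10.10.10.9 ()\tStatus: Down\n'
        printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
    } > "$1"
}

# Print the IP of every host reported as up in gnmap file $1, one per line.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Print the open TCP ports of host $2 from gnmap file $1 as a comma-separated
# list (the form -p expects). Filtered/closed entries and UDP entries are dropped.
open_tcp_ports() {
    awk -F '\t' -v host="$2" '
        $1 ~ /^Host:/ {
            split($1, h, " ")                    # "Host: <ip> (<name>)"
            if (h[2] != host) next
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entries, ", ")
                for (j = 1; j <= n; j++) {
                    # each entry: port/state/proto/owner/service/rpc/version/
                    split(entries[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp")
                        out = out (out == "" ? "" : ",") f[1]
                }
            }
        }
        END { print out }' "$1"
}

# Print the targeted service scan for host $2 (second stage). Nothing is
# executed here; the command is only printed so it can be reviewed first.
service_scan_cmd() {
    ports=$(open_tcp_ports "$1" "$2")
    [ -n "$ports" ] || return 1
    printf 'sudo nmap -sV -p %s %s -oA sv_%s\n' "$ports" "$2" "$2"
}

# Demo on the constructed file.
tmp=$(mktemp)
write_sample_gnmap "$tmp"
for h in $(live_hosts "$tmp"); do
    service_scan_cmd "$tmp" "$h" || echo "# $h is up but has no open TCP ports"
done
rm -f "$tmp"
```

Point the functions at the .gnmap produced by your own full port scan instead of the constructed one; the filtered 3389 entry in the sample is there to show that only ports in the open state make it into the -p list.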
Nmap (UDP)
UDP Scan
Do not skip UDP scanning: UDP-only services (SNMP, TFTP, DNS, NTP) are easy to miss and often expose vulnerabilities.
sudo nmap -sUV -T4 -F --version-intensity 0 <target ip> -oA <filename>
Nmap Flags
-sU: UDP scan
-sUV: UDP scan combined with version detection (-sV). Not to be confused with -V, which only prints Nmap's own version number
-T<0-5>: Set timing template (higher is faster)
-F: Fast mode - Scan fewer ports than the default scan
--version-intensity <0-9>: 0 (light, only the most likely probes) to 9 (try all probes); 0 keeps a UDP version scan fast
-oA: Output in the three major formats at once
Saving Nmap Results
-oN: Normal output with the .nmap file extension
-oG: Grepable output with the .gnmap file extension
-oX: XML output with the .xml file extension
-oA: Save the output to all formats
Convert XML Format to HTML
xsltproc <filename>.xml -o <filename>.html
Firewall and IDS/IPS Evasion
Nmap's TCP ACK scan (-sA) sends a TCP packet with only the ACK flag set. Because such a packet looks like part of an already established connection, stateless firewalls and IDS/IPS systems filter it far less often than the SYN packets of a SYN scan (-sS) or the full handshake of a connect scan (-sT). The trade-off is that an ACK scan cannot tell open from closed; it only reports ports as filtered or unfiltered.
sudo nmap <target ip> -p <port(s)> -sA -Pn -n --disable-arp-ping --packet-trace
The six states Nmap reports for a scanned port
open
An application accepts connections on the port. This applies to TCP connections, UDP datagrams and SCTP associations alike.
closed
The port is reachable but nothing is listening: for TCP, the target answered with a packet carrying the RST flag. A closed port still proves the host is alive, so this response is also useful for host discovery.
filtered
Nmap cannot determine whether the port is open or closed, either because no response came back or because an ICMP error (for example destination unreachable) was returned, typically by a firewall or packet filter.
unfiltered
This state only occurs in the TCP ACK scan and means the port is reachable, but the scan cannot determine whether it is open or closed.
open|filtered
Nmap received no response for the port. This happens in scans where an open port gives no reply (UDP, FIN, NULL and Xmas scans), so the port is either open or protected by a firewall or packet filter.
closed|filtered
This state only occurs in IP ID idle scans (-sI) and means it was impossible to determine whether the port is closed or filtered by a firewall.
DNS Proxying
SYN-scan from DNS Port
sudo nmap <target ip> -p<port> -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
Identify the DNS server version number
sudo nmap -sSU -p 53 --script=dns-nsid <target ip>
Connect to a filtered port with Netcat from source port 53
nc -nv -p 53 <target ip> <port>
Exercise:
Identify the OS that the machine is running on before the IDS/IPS systems ban my IP address
sudo nmap -sA --top-ports=10 -Pn -n 10.129.125.141 --disable-arp-ping --packet-trace
A Nmap TCP ACK scan targeting the top 10 ports produced the result above. The scan was initially set to target all ports (-p-) and hit the cap of 100 alerts.
Netcat (Banner Grabbing)
nc -nv 10.129.125.141 22

The whole process only triggered 5 alerts.
Nmap (Banner Grabbing)
nmap -sV -p 22 10.129.125.141
Masscan
Masscan (TCP / UDP)
Masscan scans much faster than Nmap; --rate sets the packets sent per second (the default is 100), and raising it speeds the scan at the cost of more noise and possibly dropped replies. TCP and UDP port ranges can be scanned in one run by prefixing the UDP range with U:
sudo masscan -p1-65535,U:1-65535 <target ip> --rate=1000