Nmap
Last updated
Last updated
It's always recommended to store every single scan during a penetration test. They can be used for comparison and documentation/reporting later down the line.
When conducting a pentest, should first get an overview of which systems are online the we can work with.
| Scanning Option | Description |
|---|---|
This only works against hosts who's firewall allows icmp requests
Open ports and its services
Service versions
Information that the services provided
Operating system
6 Different States for a Scanned Port:
By default nmap scans the top 1000 TCP ports with the SYN scan (-sS)
only when run as root, otherwise TCP scan (-sT)
Can define ports in different ways:
One by one (-p21,22,80,443)
By range (-p22-80)
By top ports (--top-ports=100)
Or all ports (-p-)
TCP Connect Scan (-sT)
Uses the TCP three-way handshake to determine if a specific port is open or clised
Scan sends SYN packet, if target port responds with SYN-ACK port is marked open and RST packet is sent
Most accurate way to determine the state of the port
Stealthiest scan option
Doesn't leave open connections and/or unsent packets making it less likely to be picked up my an IDS or IPS
Doesn't disrupt the services running on the port
Considered a "polite" scan
Can also bypass firewall rules that disallow inbound but allow outbound traffic
This type of scan is slow because it has to wait for a response
Most cases a firewall drops or rejects a packet
Sometimes firewalls won't filter UDP ports
UDP is a stateless protocol and does not require a handshake
UDP scan (-sU) takes much longer because no ack is received
Only receive a response if a service is configured to do so
When running scans, the results should always be saved for comparisons, documentation, and reports. Nmap is capable of saving results in 3 different formats:
Normal Output (-oN)
saves with the .nmap extension
Grepable Output (-oG)
saves with the .gnmap extension
XML Output (-oX)
saves with the .xml extension
You can also use -oA to save to all output types
The XML output can easily be turned into HTML reports that are easy to read and share. This is extrememly useful during the reporting process.
To Convert:
Getting exact version numbers allows for exploit research and development
You can perform a service version scan with the -sV option
Nmap will grab the service's banner and output it to screen
Will also attempt signature-based matching to find version numbers
Nmap allows us to run scripts against the target to gather more information. We can also write our own using Lua.
Nmap has 14 different categories for scripts:
auth: determination of authentication creds
broadcast: used for host discovery, discovered hosts can be automatically added to the scans
brute: attempts to log into services by brute-forcing credentials
default: default scripts executed by -sC
discovery: evaluates the accessible services
dos: check for denial of service vulnerabilities (not used often as it harms the service running)
exploit: attempts to exploit known vulnerabilities in the service
external: uses external services for further processing
fuzzer: identifies vulnerabilities and unexpected packet handling by sending different fields; can take a long time to run
intrusive: intrusive scripts that could negatively impact the system
malware: check if malware infects the target
safe: defensive scripts that do not perform any intrusive or destructive actions
version: extension for service detection
vuln: identification for specific vulnerabilities
On low bandwidth networks or when scanning a large range of hosts, speeding up your scan can be helpful. You can change:
how fast nmap scans (-T [0-5])
which frequency (--min-parallelism [number])
which timeouts (--max-rtt-timeout [time])
how many packets should be sent (--min-rate [number])
the number of retries for each port (--max-retries [number])
Nmap's TCP ACK scan (-sA) is much harder for firewalls to filter than a normal scan. This is because nmap only send an ACK to a given port, and the firewall struggles to determine whether or not that connection was made internally first.
Detecting an IDS/IPS can be much more difficult than detecting firewalls. This is because they are passive monitoring tools.
Using several virtual private servers (VPS) with different IP addresses is recommended to determine whether or not these systems exist. If one of the IPs gets blocked, we know an administrator has taken action and we can continue the scans from a different IP.
The decoy scan (-D) will generate various random IP addresses inserted into the IP header to disguise the origin of the packet. The decoys must be alive, otherwise the service on the target may be unreachable due to SYN-flooding security measures. You can also manually edit the source IP with -S.
By default, nmap performs a reverse DNS resolution to find more information on the target. We can manually specify which DNS servers to use with --dns-server [nameserver]. This could be useful when the company has their own DNS servers as they are usually more trusted than ones from the internet. We can also specify the source port (--source-port) to be 53, since its often not filtered by firewalls and IDS/IPS.
| State | Description |
|---|---|
10.129.2.0/24
Target network range
-sn
Disables port scanning
-oA tnet
Stores the results in all formats starting with the name 'tnet'
open
This indicates that the connection to the scanned port has been established These connections can be TCP connections, UDP datagrams, or SCTP associations
closed
The TCP protocol indicates that the packet we received back contains an RST flag. (Can also be used to determine if a target host is alive or not)
filtered
Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target
unfiltered
This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed
open|filtered
If we do not get a response for a specific port, nmap will set it to that state. This indicates that a firewall or packet filter may protect the port
closed|filtered
This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall