Nmap

It's always recommended to store every single scan during a penetration test. They can be used for comparison and documentation/reporting later down the line.


Host Discovery

When conducting a pentest, we should first get an overview of which systems are online that we can work with.

ICMP Echo Request:

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d " " -f 5

Example Output:

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

Scanning options used:

  • 10.129.2.0/24: Target network range

  • -sn: Disables port scanning

  • -oA tnet: Stores the results in all formats, starting with the name 'tnet'

This only works against hosts whose firewall allows ICMP echo requests.


Host & Port Scanning

  • Open ports and their services

  • Service versions

  • Information provided by the services

  • Operating system

6 Different States for a Scanned Port:

  • open: The connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams, or SCTP associations.

  • closed: The TCP protocol indicates that the packet received back contains an RST flag. (Can also be used to determine whether a target host is alive.)

  • filtered: Nmap cannot correctly identify whether the scanned port is open or closed, because either no response is returned from the target for the port or an error code is returned by the target.

  • unfiltered: This state only occurs during the TCP ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.

  • open|filtered: If no response is received for a specific port, nmap sets it to this state. This indicates that a firewall or packet filter may be protecting the port.

  • closed|filtered: This state only occurs in IP ID idle scans and indicates that it was impossible to determine whether the scanned port is closed or filtered by a firewall.


Discovering Open TCP Ports

  • By default nmap scans the top 1000 TCP ports with the SYN scan (-sS)

    • only when run as root, otherwise TCP scan (-sT)

  • Can define ports in different ways:

    • One by one (-p21,22,80,443)

    • By range (-p22-80)

    • By top ports (--top-ports=100)

    • Or all ports (-p-)

Connect Scan

  • TCP Connect Scan (-sT)

    • Uses the TCP three-way handshake to determine if a specific port is open or closed

    • The scan sends a SYN packet; if the target port responds with SYN-ACK, the port is marked open and an RST packet is sent to tear the connection down

  • Most accurate way to determine the state of the port

  • Stealthiest scan option

    • Doesn't leave open connections and/or unsent packets, making it less likely to be picked up by an IDS or IPS

  • Doesn't disrupt the services running on the port

    • Considered a "polite" scan

  • Can also bypass firewall rules that disallow inbound but allow outbound traffic

  • This type of scan is slow because it has to wait for a response

Filtered Ports

  • In most cases, a firewall either drops or rejects the packet


Discovering Open UDP Ports

  • Sometimes firewalls won't filter UDP ports

  • UDP is a stateless protocol and does not require a handshake

    • A UDP scan (-sU) takes much longer because no ACK is received

    • A response is only received if the service is configured to send one


Saving the Results

When running scans, the results should always be saved for comparisons, documentation, and reports. Nmap is capable of saving results in 3 different formats:

  • Normal Output (-oN)

    • saves with the .nmap extension

  • Grepable Output (-oG)

    • saves with the .gnmap extension

  • XML Output (-oX)

    • saves with the .xml extension

You can also use -oA to save to all three output types at once.

Styling XML to HTML

The XML output can easily be turned into HTML reports that are easy to read and share. This is extremely useful during the reporting process.

To Convert:

xsltproc target.xml -o target.html
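Beyond converting to HTML, the XML output is the format worth parsing when you want to compare scans, as the note at the top recommends. The script below is an added example, not part of the original notes or of Nmap itself: it reads two -oX files (here two constructed samples in Nmap's XML layout, embedded inline) and reports which open ports appeared, disappeared, or changed service version between them.

```python
# Added example (not from the original notes): diff two Nmap XML (-oX) results.
# Only the standard library is used. SCAN_OLD and SCAN_NEW are constructed
# samples that follow Nmap's XML layout; they are not real scan output.
import xml.etree.ElementTree as ET

SCAN_OLD = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.129.2.4" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>"""

SCAN_NEW = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.129.2.4" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Map (host, proto, port) -> 'name product version' for every port in state 'open'."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not tracked
            svc = port.find("service")
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            result[(addr, port.get("protocol"), int(port.get("portid")))] = " ".join(f for f in fields if f)
    return result


def diff_scans(old_xml, new_xml):
    """Return (appeared, disappeared, changed) lists of (host, proto, port) keys."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    appeared = sorted(k for k in new if k not in old)
    disappeared = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return appeared, disappeared, changed


if __name__ == "__main__":
    for title, keys in zip(("new", "gone", "changed"), diff_scans(SCAN_OLD, SCAN_NEW)):
        for host, proto, port in keys:
            print(f"{title:8} {host} {proto}/{port}")
```

With real files, replace the two strings with the contents of the .xml files written by -oX or -oA.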

Service Enumeration

  • Getting exact version numbers allows for exploit research and development

Service Version Detection

  • You can perform a service version scan with the -sV option

  • Nmap will grab the service's banner and print it to the screen

  • Will also attempt signature-based matching to find version numbers


Scripting Engine (NSE)

Nmap allows us to run scripts against the target to gather more information. We can also write our own using Lua.

Nmap has 14 different categories for scripts:

  • auth: determination of authentication credentials

  • broadcast: used for host discovery, discovered hosts can be automatically added to the scans

  • brute: attempts to log into services by brute-forcing credentials

  • default: default scripts executed by -sC

  • discovery: evaluates the accessible services

  • dos: check for denial of service vulnerabilities (not used often as it harms the service running)

  • exploit: attempts to exploit known vulnerabilities in the service

  • external: uses external services for further processing

  • fuzzer: identifies vulnerabilities and unexpected packet handling by sending different fields; can take a long time to run

  • intrusive: intrusive scripts that could negatively impact the system

  • malware: checks whether the target is infected with malware

  • safe: defensive scripts that do not perform any intrusive or destructive actions

  • version: extends service version detection

  • vuln: identification of specific vulnerabilities

Default Script

sudo nmap [target] -sC

Specific Script Categories

sudo nmap [target] --script [category]

Defined Scripts

sudo nmap [target] --script [script-name],[script-name],...

Performance

On low bandwidth networks or when scanning a large range of hosts, speeding up your scan can be helpful. You can change:

  • how fast nmap scans (-T [0-5])

  • which frequency (--min-parallelism [number])

  • which timeouts (--max-rtt-timeout [time])

  • how many packets should be sent (--min-rate [number])

  • the number of retries for each port (--max-retries [number])


Bypassing Firewalls and IPS/IDS

Nmap's TCP ACK scan (-sA) is much harder for firewalls to filter than a normal scan. This is because nmap only sends an ACK to a given port, and the firewall struggles to determine whether or not that connection was first established internally.

Detecting IDS/IPS

Detecting an IDS/IPS can be much more difficult than detecting firewalls. This is because they are passive monitoring tools.

Using several virtual private servers (VPS) with different IP addresses is recommended to determine whether or not these systems exist. If one of the IPs gets blocked, we know an administrator has taken action and we can continue the scans from a different IP.

Decoys

The decoy scan (-D) will generate various random IP addresses inserted into the IP header to disguise the origin of the packet. The decoys must be alive, otherwise the service on the target may be unreachable due to SYN-flooding security measures. You can also manually edit the source IP with -S.

DNS Proxying

By default, nmap performs a reverse DNS resolution to find more information on the target. We can manually specify which DNS servers to use with --dns-server [nameserver]. This can be useful when the company runs its own DNS servers, as they are usually more trusted than ones from the internet. We can also set the source port (--source-port) to 53, since it's often not filtered by firewalls and IDS/IPS.
