# **Basic Information**
# **Default Scans**
```bash
sudo nmap -sC -sV -oA nmap/full.tcp -p- <target_ip>
sudo nmap -sU -oA nmap/udp.initial <target_ip>
```
# **Host Discovery**
By default, `nmap` will send an ARP ping followed by an ICMP echo request to determine if a host is alive.
- `-sn` to disable port scanning
- `-oA` to store the results in all formats starting with the name specified
- `-iL` to use the provided list of hosts to scan
- `-PE` to perform ping scan with ICMP echo requests
- `--packet-trace` to show all packets sent and received
- `--reason` to display the reason for the results
- `--disable-arp-ping` to disable ARP ping
```bash
# scan a network range
sudo nmap -sn -oA <scan_results> <target_ip_range> | grep for | cut -d" " -f5
# scan a list of IPs
sudo nmap -sn -oA <scan_results> -iL <hosts.txt> | grep for | cut -d" " -f5
# scan multiple IPs
sudo nmap -sn -oA <scan_results> <target_ip> <target_ip> | grep for | cut -d" " -f5
# show traffic generated during host discovery
sudo nmap -sn -oA <scan_results> -PE --packet-trace <target_ip>
sudo nmap -sn -oA <scan_results> -PE --reason <target_ip>
# disable arp ping and only send an ICMP echo request
sudo nmap -sn -oA <scan_results> -PE --packet-trace --disable-arp-ping <target_ip>
```
# **Port Scanning**
## **Scan Results**
| **State** | **Description** |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `open` | This indicates that the connection to the scanned port has been established. These connections can be **TCP connections**, **UDP datagrams** as well as **SCTP associations**. |
| `closed` | When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an `RST` flag. This scanning method can also be used to determine if our target is alive or not. |
| `filtered` | Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target. |
| `unfiltered` | This state of a port only occurs during the **TCP-ACK** scan and means that the port is accessible, but it cannot be determined whether it is open or closed. |
| `open\|filtered` | If we do not get a response for a specific port, `Nmap` will set it to that state. This indicates that a firewall or packet filter may protect the port. |
| `closed\|filtered` | This state only occurs in the **IP ID idle** scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall. |
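The states in the table above are exactly what the grepable `.gnmap` file written by `-oA` records for each port. As an added example (not part of the original page), the following Python script parses a constructed `.gnmap` sample and summarises hosts by status, ports by state, and the open services with their detected versions, which is the triage step that usually follows a scan:

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (.gnmap, written by -oA);
# the addresses, services and versions are made up for this example.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -oA nmap/full.tcp -p- 10.10.10.0/30
Host: 10.10.10.1 ()\tStatus: Up
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)
Host: 10.10.10.2 ()\tStatus: Down
# Nmap done at Mon Jan  1 12:01:00 2024 -- 4 IP addresses (1 host up) scanned in 60.00 seconds
"""

# "Host: <ip> (<hostname>)<TAB><tab-separated fields>"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"status": str, "ports": [{port, state, proto, service, version}]}}."""
    hosts = defaultdict(lambda: {"status": "unknown", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." banner and summary lines carry no host data
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["status"] = value.lower()
            elif key == "Ports":
                hosts[ip]["status"] = "up"  # only live hosts get a Ports field
                for entry in value.split(", "):
                    # entry layout: port/state/proto/owner/service/rpc/version/
                    p = entry.split("/")
                    hosts[ip]["ports"].append({"port": int(p[0]), "state": p[1],
                                               "proto": p[2], "service": p[4],
                                               "version": p[6]})
    return dict(hosts)

def state_counts(hosts):
    """Count ports per nmap state (open, filtered, open|filtered, ...)."""
    counts = defaultdict(int)
    for h in hosts.values():
        for p in h["ports"]:
            counts[p["state"]] += 1
    return dict(counts)

def open_services(hosts):
    """Flat (ip, proto, port, service, version) rows for ports reported open."""
    return [(ip, p["proto"], p["port"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]

if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(state_counts(parsed))
    for row in open_services(parsed):
        print("%s %s/%d %s %s" % row)
```

Point `parse_gnmap` at the contents of a real `nmap/full.tcp.gnmap` to get the same summary for your own scans.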
## **TCP**
With filtered ports, take into consideration how long a scan takes to complete. The firewall can either drop or reject the packet. If the firewall drops the packet, the scan may complete in 2.0 seconds or more. This is due to the connection timing out. If the firewall rejects the packet, the scan may complete in 0.1 seconds or less. This is due to the firewall sending an ICMP reply with type 3 and error code 3 indicating the port is unreachable.
By default, `nmap` scans the top 1000 TCP ports with a SYN scan (`-sS`), also known as a half-open scan because the three-way handshake is never completed. A SYN scan is only performed when `nmap` is run as `root`; otherwise a TCP scan (`-sT`) is performed. A TCP scan is also known as a connect scan because the full three-way handshake is completed.
- `--top-ports` to scan the top specified ports
- `-Pn` to disable ICMP echo request
- `-n` to disable DNS resolution
- `-sC` to perform a script scan
- `-sV` to enable version detection
- `-oA` to save scan results in all three formats
- `--script` to run a specific script scan
- `--disable-arp-ping` to disable ARP ping
```bash
# scan the top TCP ports
sudo nmap <target_ip> --top-ports=10
# scan a specific port, disable ICMP echo request/DNS/ARP ping, show packets sent and received
sudo nmap -p <target_port> --packet-trace -Pn -n --disable-arp-ping <target_ip>
# scan all TCP ports
sudo nmap -p- <target_ip>
```
## **UDP**
By default, `nmap` scans the top 100 UDP ports.
- `-sU` to scan UDP ports
- `-oA` to save scan results in all three formats
- `-Pn` to disable ICMP echo request
- `-n` to disable DNS resolution
- `--disable-arp-ping` to disable ARP ping
- `--script` to run a specific script scan
- `-T4` to use the aggressive timing template
```bash
# scan the top UDP ports
sudo nmap -sU <target_ip>
# scan the top UDP ports using a faster timing template
sudo nmap -sU -T4 -F <target_ip>
# scan a specific port, disable ICMP echo request/DNS/ARP ping, show packets sent and received
sudo nmap -p <target_port> -sU --packet-trace -Pn -n --disable-arp-ping <target_ip>
```
# **Service Enumeration**
- `-sV` to perform service detection
- `--stats-every=5s` to show scan progress every 5 seconds
- `-v` to show verbose information
```bash
# scan all TCP ports and perform service detection
sudo nmap -p- -sV <target_ip>
sudo nmap -p- -sV -vv <target_ip>
sudo nmap -p- -sV --stats-every=5s <target_ip>
```
# **Nmap Scripting Engine (NSE)**
## **NSE Categories**
| **Category** | **Description** |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
| `auth` | Determination of authentication credentials. |
| `broadcast` | Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans. |
| `brute` | Executes scripts that try to log in to the respective service by brute-forcing with credentials. |
| `default` | Default scripts executed by using the `-sC` option. |
| `discovery` | Evaluation of accessible services. |
| `dos` | These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services. |
| `exploit` | This category of scripts tries to exploit known vulnerabilities for the scanned port. |
| `external` | Scripts that use external services for further processing. |
| `fuzzer` | This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time. |
| `intrusive` | Intrusive scripts that could negatively affect the target system. |
| `malware` | Checks if some malware infects the target system. |
| `safe` | Defensive scripts that do not perform intrusive and destructive access. |
| `version` | Extension for service detection. |
| `vuln` | Identification of specific vulnerabilities. |
- `-A` to perform service detection, OS detection and traceroute, and to run the default scripts against the target
```bash
# update NSE scripts
sudo nmap --script-updatedb
# scan with default scripts
sudo nmap -sC <target_ip>
# scan with specified script category
sudo nmap -sC -p <target_port> --script <category> <target_ip>
# scan aggressively
sudo nmap -A <target_ip>
# scan and identify potential vulnerabilities
sudo nmap -sC -p <target_port> --script vuln <target_ip>
# look for specific scripts
sudo updatedb
locate scripts/citrix
sudo nmap --script <script_name> -p <target_port> <target_ip>
```
# **Performance**
- `-F` to scan top 100 ports
- `--initial-rtt-timeout` to set the initial round-trip time timeout, default is 100ms. Setting it too low will impact scan results (missed targets)
- `--max-rtt-timeout` to set the maximum round-trip time timeout
- `--max-retries` to set the maximum number of retry attempts, default is 10. Setting it too low will impact scan results (missed ports)
- `--min-rate` to specify minimum number of packets to send per second
- `-T` to specify timing template (0-5), default is 3. Setting it too high can trigger security mechanisms.
```bash
# scan with reduced timeout (100ms to 50ms)
sudo nmap -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms <target_ip_range>
# scan with no retry attempts
sudo nmap -F --max-retries 0 <target_ip_range>
# scan with specified number of packets per second
sudo nmap -F --min-rate 300 <target_ip_range>
# scan with a faster timing template
sudo nmap -F -T5 <target_ip_range>
```
# **Firewall & IDS/IPS Evasion**
With a SYN scan (`-sS`), firewalls are able to quickly identify the scanning traffic and drop/reject packets. With an ACK scan (`-sA`), firewalls have a harder time identifying scanning traffic due to connection tracking. To bypass IDS/IPS, it may be required to use spoofed source IPs, since access to certain subnets may be restricted by source IP. The same concept applies to the source port, specifically TCP port 53: this port may be trusted because DNS requests are increasingly carried over TCP port 53.
- `-sA` to do ACK scan
- `-Pn` to disable ICMP echo request
- `-n` to disable DNS resolution
- `--disable-arp-ping` to disable ARP ping
- `--packet-trace` to show all packets sent and received
- `-D RND:5` to generate five random decoy IP addresses that appear as the source IPs the connections come from
- `-S` to specify source IP for spoofing
- `-e` to send all requests through the specified interface
- `--source-port` to specify source port
```bash
# scan by sending ACK packet instead of SYN
sudo nmap -p <target_port> -sA -Pn -n --disable-arp-ping --packet-trace <target_ip>
# scan using decoy IPs to hide traffic
sudo nmap -p <target_port> -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5 <target_ip>
sudo nmap -n -Pn -p 445 -O -S <spoofed_ip> -e <interface> <target_ip>
# scan with specified source port
sudo nmap -p <target_port> -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 <target_ip>
ncat -nv --source-port <redir_port> <target_ip> <target_port>
nc -nv -s <redir_ip> -p <redir_port> <target_ip> <target_port>
```
# **References**
# **Practical Application**
| Platform | Name | Notes |
| -------- | ---- | ----- |
| | | |