WDavid404 / Note_tryhackme


Nmap #4

Open WDavid404 opened 8 months ago

WDavid404 commented 8 months ago

Nmap Advanced Port Scans


TCP Null Scan, FIN Scan, and Xmas Scan

Null Scan: a lack of reply in a null scan indicates that either the port is open or a firewall is blocking the packet.


FIN Scan: no response will be sent if the TCP port is open.


Xmas Scan

An Xmas scan sets the FIN, PSH, and URG flags simultaneously. If an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered.

WDavid404 commented 8 months ago

TCP Maimon Scan


TCP ACK scan

An ACK scan will send a TCP packet with the ACK flag set. This scan won’t tell us whether the target port is open in a simple setup. This kind of scan would be helpful if there is a firewall in front of the target. Consequently, based on which ACK packets resulted in responses, you will learn which ports were not blocked by the firewall. In other words, this type of scan is more suitable to discover firewall rule sets and configuration.

Case: After setting up the target VM MACHINE_IP with a firewall, we repeated the ACK scan. This time, we received some interesting results. As seen in the console output below, we have three ports that aren't being blocked by the firewall. This result indicates that the firewall is blocking all other ports except for these three ports.

Window scan

The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open.

Custom Scan

If you want to experiment with a new TCP flag combination beyond the built-in TCP scan types, you can do so using --scanflags. For instance, if you want to set SYN, RST, and FIN simultaneously, you can do so using --scanflags RSTSYNFIN.
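The Null, FIN, Xmas, Maimon, ACK and custom --scanflags probes above differ only in the TCP flag byte, and RFC 793 fixes what a closed or open port must answer. The following is an added example, not code from these notes or from Nmap: a small classifier that maps a flag byte to the scan type it matches and to the expected replies, then runs over a few constructed probe records the way a detection rule would. The Maimon signature (FIN+ACK) is taken from Nmap's documentation, since that section of the notes is image-only; the sample records and their source address are constructed.

```python
"""Classify TCP probe packets by their flag combination (added example).

Maps the TCP flag byte of an unsolicited packet to the Nmap scan type it
matches (null, fin, xmas, maimon, syn, ack, or a custom --scanflags value)
and to the reply RFC 793 says a closed vs. open port gives. An unsolicited
FIN/PSH/URG packet, for instance, is something no normal client sends.
"""

# TCP flag bit values, low to high (RFC 793 plus the RFC 3168 ECN bits).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_scanflags(spec: str) -> int:
    """Turn an Nmap --scanflags string such as 'RSTSYNFIN' or 'PSHURGFIN'
    into a flag byte. Nmap also accepts a plain number, passed through here."""
    if spec.isdigit():
        return int(spec) & 0xFF
    bits, rest = 0, spec.upper()
    while rest:                       # every flag name is exactly three letters
        name, rest = rest[:3], rest[3:]
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        bits |= FLAGS[name]
    return bits


def flag_names(bits: int) -> str:
    return "".join(n for n, v in FLAGS.items() if bits & v) or "NONE"


# Probe signatures from the notes above plus the Maimon (FIN/ACK) probe.
SIGNATURES = {
    0: "null",
    FLAGS["FIN"]: "fin",
    FLAGS["FIN"] | FLAGS["PSH"] | FLAGS["URG"]: "xmas",
    FLAGS["FIN"] | FLAGS["ACK"]: "maimon",
    FLAGS["SYN"]: "syn",
    FLAGS["ACK"]: "ack",
}


def classify_probe(bits: int) -> dict:
    """Return the scan type an unsolicited packet with these flags matches and
    what RFC 793 says a closed port and an open (LISTEN) port reply."""
    kind = SIGNATURES.get(bits, "custom")
    if bits & FLAGS["RST"]:
        # A segment carrying RST is discarded in CLOSED and ignored in LISTEN,
        # so a custom combination like RSTSYNFIN gets no answer either way.
        closed, opened = "no response", "no response"
    elif bits & FLAGS["SYN"] and not bits & FLAGS["ACK"]:
        closed, opened = "RST", "SYN/ACK"
    elif bits & FLAGS["ACK"]:
        # ACK without a matching connection is answered with RST regardless of
        # port state, which is why ACK scans only map firewall rules.
        closed, opened = "RST", "RST"
    else:
        # Null/FIN/Xmas: RST from a closed port, silence from an open one
        # (Windows and some other stacks send RST in both cases).
        closed, opened = "RST", "no response"
    return {"flags": flag_names(bits), "scan": kind,
            "closed_port_reply": closed, "open_port_reply": opened}


# Constructed sample records: (source address, destination port, TCP flag byte).
SAMPLE_PROBES = [
    ("10.0.0.5", 22, 0x00),                         # no flags at all
    ("10.0.0.5", 22, 0x29),                         # FIN+PSH+URG
    ("10.0.0.5", 80, 0x02),                         # ordinary SYN
    ("10.0.0.5", 80, parse_scanflags("RSTSYNFIN")),  # custom combination
]


def unusual_probes(records):
    """Return the records whose flag combination no normal client sends
    (plain SYN and plain ACK are left out, since both occur in real traffic)."""
    out = []
    for src, port, bits in records:
        c = classify_probe(bits)
        if c["scan"] not in ("syn", "ack"):
            out.append((src, port, c["scan"], c["flags"]))
    return out


if __name__ == "__main__":
    for rec in unusual_probes(SAMPLE_PROBES):
        print(rec)
```

The classifier is deliberately keyed on the exact flag byte, so a --scanflags combination that is not one of the named scans shows up as "custom" rather than being silently folded into a neighbouring type.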

WDavid404 commented 8 months ago

Spoofing and Decoys

Spoofing: can only be used under limited conditions.

In brief, scanning with a spoofed IP address is three steps:

  1. Attacker sends a packet with a spoofed source IP address to the target machine.
  2. Target machine replies to the spoofed IP address as the destination.
  3. Attacker captures the replies to figure out open ports.

In general, you expect to specify the network interface using -e and to explicitly disable ping scan -Pn. Therefore, instead of nmap -S SPOOFED_IP MACHINE_IP, you will need to issue nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.

When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well. You can specify the source MAC address using --spoof-mac SPOOFED_MAC. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11).

Decoy


You can launch a decoy scan by specifying a specific or random IP address after -D. For example, nmap -D 10.10.0.1,10.10.0.2,ME MACHINE_IP will make the scan of MACHINE_IP appear as coming from the IP addresses 10.10.0.1, 10.10.0.2, and then ME to indicate that your IP address should appear in the third order. Another example command would be nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME MACHINE_IP, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources.

WDavid404 commented 8 months ago

Fragmented Packets

Purpose: to bypass firewalls and IDS. Nmap provides the option -f to fragment packets.

The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below.


Compare running sudo nmap -sS -p80 10.20.30.144 and sudo nmap -sS -p80 -f 10.20.30.144.

  1. sudo nmap -sS -p80 10.20.30.144. In the first two lines, we can see an ARP query and response. Nmap issued an ARP query because the target is on the same Ethernet. The second two lines show a TCP SYN ping and a reply. The fifth line is the beginning of the port scan; Nmap sends a TCP SYN packet to port 80. In this case, the IP header is 20 bytes, and the TCP header is 24 bytes. Note that the minimum size of the TCP header is 20 bytes.

  2. sudo nmap -sS -p80 -f 10.20.30.144. With fragmentation requested via -f, the 24 bytes of the TCP header will be divided into multiples of 8 bytes, with the last fragment containing 8 bytes or less of the TCP header. Since 24 is divisible by 8, we got 3 IP fragments; each has 20 bytes of IP header and 8 bytes of TCP header. We can see the three fragments between the fifth and the seventh lines.
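The arithmetic behind the three fragments (24 bytes of TCP header, 8-byte fragment payloads, a 20-byte IP header copied into each) and the reassembly an IDS has to perform to see the original probe, as an added example that is not from these notes or from Nmap. The fragment size of 8 for -f, 16 for -ff and "any multiple of 8" for --mtu follow Nmap's documentation; the 24-byte header contents, the IP ID value and the 28-byte variant are constructed sample data.

```python
"""IP fragmentation as used by Nmap -f, and the reassembly an IDS must do (added example).

fragment_layout() splits a transport header into fragments whose data part is
at most frag_size bytes; reassemble() rebuilds the original bytes from
fragments that may arrive in any order, using only the identification field,
the fragment offset (in 8-byte units) and the More Fragments (MF) flag, as an
IP stack or an IDS reassembler would.
"""
from __future__ import annotations
from dataclasses import dataclass

IP_HEADER_LEN = 20  # bytes, no IP options; every fragment carries its own copy


@dataclass(frozen=True)
class Fragment:
    ip_id: int    # identification field, shared by all fragments of one datagram
    offset: int   # fragment offset field, in units of 8 bytes
    more: bool    # MF flag: True on every fragment except the last
    data: bytes   # this fragment's share of the transport header / payload


def fragment_layout(payload: bytes, frag_size: int = 8, ip_id: int = 0x1234) -> list[Fragment]:
    """Split payload into fragments of at most frag_size data bytes. Every
    fragment except the last must be a multiple of 8 bytes long, because the
    offset field counts 8-byte units (the -f / -ff / --mtu rule)."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        more = start + len(chunk) < len(payload)
        frags.append(Fragment(ip_id, start // 8, more, chunk))
    return frags


def on_wire_sizes(frags: list[Fragment]) -> list[int]:
    """Bytes of each fragment as seen on the wire: IP header plus its data share."""
    return [IP_HEADER_LEN + len(f.data) for f in frags]


def reassemble(frags: list[Fragment]) -> bytes:
    """Rebuild the datagram from fragments in any order. Rejects gaps, overlaps
    and a missing final fragment: an IDS that does less than this sees a
    different packet from the one the target will reassemble."""
    if len({f.ip_id for f in frags}) != 1:
        raise ValueError("fragments do not all belong to one datagram")
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    for f in ordered:
        if f.offset * 8 != len(out):
            raise ValueError(f"gap or overlap at byte {len(out)}")
        out += f.data
    if ordered[-1].more:
        raise ValueError("last fragment (MF=0) missing")
    return bytes(out)


# Constructed 24-byte TCP header (20 fixed bytes + 4 bytes of option), the size
# of the SYN probe in the notes; the byte values are arbitrary sample data.
TCP_HEADER_24 = bytes(range(24))


if __name__ == "__main__":
    for f in fragment_layout(TCP_HEADER_24):
        print(f"id={f.ip_id:#06x} offset={f.offset} MF={int(f.more)} len={len(f.data)}")
    print("wire sizes:", on_wire_sizes(fragment_layout(TCP_HEADER_24)))
```

Running it on the 24-byte header gives three fragments at offsets 0, 1 and 2 (8-byte units), MF set on the first two, 28 bytes each on the wire; a 28-byte header, as produced by more TCP options, yields a fourth fragment carrying only the remaining 4 bytes, which is the "8 bytes or less" case in the notes.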

WDavid404 commented 8 months ago

Idle/Zombie Scan

Spoofing the source IP address can be a great approach to scanning stealthily. However, spoofing will only work in specific network setups. It requires you to be in a position where you can monitor the traffic. Considering these limitations, spoofing your IP address can have little use; however, we can give it an upgrade with the idle scan.

The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with. Practically, Nmap will make each probe appear as if coming from the idle (zombie) host, then it will check for indicators whether the idle (zombie) host received any response to the spoofed probe. This is accomplished by checking the IP identification (IP ID) value in the IP header. You can run an idle scan using nmap -sI ZOMBIE_IP MACHINE_IP, where ZOMBIE_IP is the IP address of the idle host (zombie).

The idle (zombie) scan requires the following three steps to discover whether a port is open:

  1. Trigger the idle host to respond so that you can record the current IP ID on the idle host.
  2. Send a SYN packet to a TCP port on the target. The packet should be spoofed to appear as if it was coming from the idle host (zombie) IP address.
  3. Trigger the idle machine again to respond so that you can compare the new IP ID with the one received earlier.

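The three steps above only work because the zombie's IP stack hands out IP ID values from one predictable, global counter, so the scanner can tell whether the zombie sent an extra packet (a RST answering a SYN/ACK it never asked for) between two of its own probes. The following simulation is an added example, not from these notes or from Nmap: two toy hosts in memory, no network, with the inference done from the IP ID delta exactly as described (delta 2: open; delta 1: closed or filtered), plus the preflight check that rules out a zombie with randomized IP IDs, which is the mitigation. The port table, starting IP ID and random seed are constructed.

```python
"""Idle (zombie) scan as an in-memory simulation of the IP ID side channel (added example)."""
from __future__ import annotations
import random


class Zombie:
    """Idle host. Every packet it sends consumes one IP ID from a global counter,
    the predictable behaviour the scan relies on. With randomized=True the stack
    draws IP IDs at random instead, as hardened stacks do."""

    def __init__(self, start_id: int = 1000, randomized: bool = False, seed: int = 1):
        self.next_id = start_id
        self.randomized = randomized
        self.rng = random.Random(seed)   # constructed seed, for reproducibility

    def _send(self) -> int:
        ip_id = self.rng.randrange(65536) if self.randomized else self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        return ip_id

    def probe_ip_id(self) -> int:
        """Steps 1 and 3: an unsolicited SYN/ACK makes the zombie answer with a RST,
        and the scanner records that RST's IP ID."""
        return self._send()

    def receive_from_target(self, reply: str) -> None:
        """What the zombie does with the target's answer to the spoofed SYN:
        a SYN/ACK it never asked for is answered with a RST (one IP ID used);
        a RST is silently ignored (no IP ID used)."""
        if reply == "SYN/ACK":
            self._send()


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def respond_to_syn(self, port: int) -> str | None:
        """Step 2: the target's reply to a SYN whose source is the zombie.
        A filtered port drops the probe, so None means no reply at all."""
        if port in self.filtered_ports:
            return None
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    """Run the three steps for one port and classify it from the IP ID delta."""
    before = zombie.probe_ip_id()            # step 1
    reply = target.respond_to_syn(port)      # step 2 (spoofed source = zombie)
    if reply is not None:
        zombie.receive_from_target(reply)
    after = zombie.probe_ip_id()             # step 3
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown (zombie IP ID not predictable)"


def idle_scan(zombie: Zombie, target: Target, ports) -> dict[int, str]:
    return {p: idle_scan_port(zombie, target, p) for p in ports}


def idle_scan_is_possible(zombie: Zombie, samples: int = 6) -> bool:
    """Preflight check: probe the zombie several times and require the IP ID
    to rise by exactly one per reply. A randomized counter fails this."""
    ids = [zombie.probe_ip_id() for _ in range(samples)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    # Constructed port table: 22 and 80 open, 25 filtered, everything else closed.
    target = Target(open_ports={22, 80}, filtered_ports={25})
    print("predictable zombie usable:", idle_scan_is_possible(Zombie()))
    print(idle_scan(Zombie(), target, [22, 25, 80, 443]))
    print("randomized zombie usable:", idle_scan_is_possible(Zombie(randomized=True)))
```

Note that a filtered port and a closed port both leave the zombie silent, which is why the scan cannot separate the two; and that any other traffic reaching the zombie during the scan (the "idle" in the name) would add IP IDs and corrupt the delta.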

WDavid404 commented 8 months ago

Service Detection

Adding -sV to your Nmap command will collect and determine service and version information for the open ports. You can control the intensity with --version-intensity LEVEL where the level ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.

It is important to note that using -sV will force Nmap to proceed with the TCP 3-way handshake and establish the connection. The connection establishment is necessary because Nmap cannot discover the version without establishing a connection fully and communicating with the listening service. In other words, stealth SYN scan -sS is not possible when -sV option is chosen.

pentester@TryHackMe$ sudo nmap -sV MACHINE_IP

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 05:03 BST
Nmap scan report for MACHINE_IP
Host is up (0.0040s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
25/tcp  open  smtp    Postfix smtpd
80/tcp  open  http    nginx 1.6.2
110/tcp open  pop3    Dovecot pop3d
111/tcp open  rpcbind 2-4 (RPC #100000)
MAC Address: 02:A0:E7:B5:B6:C5 (Unknown)
Service Info: Host:  debra2.thm.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds
WDavid404 commented 8 months ago

OS Detection

OS detection can be enabled using -O; this is an uppercase O as in OS. In this example, we ran nmap -sS -O MACHINE_IP on the AttackBox.

The OS detection is very convenient, but many factors might affect its accuracy. First and foremost, Nmap needs to find at least one open and one closed port on the target to make a reliable guess. Furthermore, the guest OS fingerprints might get distorted due to the rising use of virtualization and similar technologies. Therefore, always take the OS version with a grain of salt.

Traceroute

If you want Nmap to find the routers between you and the target, just add --traceroute. Note:

pentester@TryHackMe$ sudo nmap -sS --traceroute MACHINE_IP

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 05:05 BST
Nmap scan report for MACHINE_IP
Host is up (0.0015s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
MAC Address: 02:A0:E7:B5:B6:C5 (Unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   1.48 ms MACHINE_IP

Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds

We can see that there are no routers/hops between the two as they are connected directly.

WDavid404 commented 8 months ago

Nmap Scripting Engine (NSE)

| Script category | Description |
|---|---|
| auth | Authentication related scripts |
| broadcast | Discover hosts by sending broadcast messages |
| brute | Performs brute-force password auditing against logins |
| default | Default scripts, same as -sC |
| discovery | Retrieve accessible information, such as database tables and DNS names |
| dos | Detects servers vulnerable to Denial of Service (DoS) |
| exploit | Attempts to exploit various vulnerable services |
| external | Checks using a third-party service, such as Geoplugin and Virustotal |
| fuzzer | Launch fuzzing attacks |
| intrusive | Intrusive scripts such as brute-force attacks and exploitation |
| malware | Scans for backdoors |
| safe | Safe scripts that won’t crash the target |
| version | Retrieve service versions |
| vuln | Checks for vulnerabilities or exploit vulnerable services |
WDavid404 commented 8 months ago

Saving the Output

--oN FILENAME

WDavid404 commented 8 months ago

Basic scan

TCP 3-way handshake


TCP connection scan: -sT

Completes the TCP 3-way handshake. We are interested in learning whether the TCP port is open, not establishing a TCP connection. Hence the connection is torn down as soon as its state is confirmed by sending a RST/ACK.

TCP SYN Scan: -sS

SYN scan does not need to complete the TCP 3-way handshake; instead, it tears down the connection once it receives a response from the server.

UDP scan: -sU


Scan timing using -T<0-5>

-T0 is the slowest (paranoid), while -T5 is the fastest. According to Nmap manual page, there are six templates:

paranoid (0)
sneaky (1)
polite (2)
normal (3)
aggressive (4)
insane (5)

Control the packet rate using --min-rate and --max-rate.

For example, --max-rate 10 or --max-rate=10 ensures that your scanner is not sending more than ten packets per second.

Control probing parallelization using --min-parallelism and --max-parallelism.

For instance, --min-parallelism=512 pushes Nmap to maintain at least 512 probes in parallel.

WDavid404 commented 6 months ago

OSCP examples:

nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2
kali@kali:~$ nmap -p 80 192.168.50.1-253 -oG web-sweep.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 03:50 EST
Nmap scan report for 192.168.50.6
Host is up (0.11s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.50.8
Host is up (0.11s latency).

PORT   STATE  SERVICE
80/tcp closed http
...

kali@kali:~$ grep open web-sweep.txt | cut -d" " -f2
192.168.50.6
192.168.50.20
192.168.50.21
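The grep | cut one-liner above works because the IP address is the second space-separated field of every "Host:" line in greppable output, but it also matches any line that merely contains the word "open", such as a hostname or a version string. The following parser is an added example, not from these notes: it reads the tab-separated fields of the -oG format and answers "which hosts have port N open" from parsed data, with the naive pipeline reproduced alongside for comparison. The sample sweep text is constructed to mirror the web-sweep output above; the hostname "openvpn-gw.lab" is made up to show the false match.

```python
"""Parse Nmap greppable (-oG) output instead of grep | cut (added example)."""
from __future__ import annotations
import re

# Constructed sample of greppable output for `nmap -p 80 ... -oG web-sweep.txt`.
# Fields on a Host: line are tab-separated; each Ports: entry is
# port/state/protocol/owner/service/rpcinfo/version/ and entries are ", "-separated.
WEB_SWEEP = """\
# Nmap 7.92 scan initiated Thu Mar 10 03:50:00 2022 as: nmap -p 80 -oG web-sweep.txt 192.168.50.1-253
Host: 192.168.50.6 ()\tStatus: Up
Host: 192.168.50.6 ()\tPorts: 80/open/tcp//http///
Host: 192.168.50.8 (openvpn-gw.lab)\tStatus: Up
Host: 192.168.50.8 (openvpn-gw.lab)\tPorts: 80/closed/tcp//http///
Host: 192.168.50.20 ()\tStatus: Up
Host: 192.168.50.20 ()\tPorts: 80/open/tcp//http//nginx 1.6.2/, 443/filtered/tcp//https///
Host: 192.168.50.21 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (0)
# Nmap done at Thu Mar 10 03:52:00 2022 -- 253 IP addresses (4 hosts up) scanned in 120.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")


def parse_grepable(text: str) -> dict[str, dict]:
    """Return {ip: {"hostname", "status", "ports": {port: (state, proto, service, version)}}}.
    Comment lines (#) are skipped; Status: and Ports: lines for one IP are merged."""
    hosts: dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for spec in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = spec.split("/")[:7]
                    entry["ports"][int(port)] = (state, proto, service, version)
    return hosts


def hosts_with_open_port(text: str, port: int) -> list[str]:
    """The question the grep | cut pipeline answers, decided from parsed fields only."""
    return [ip for ip, h in parse_grepable(text).items()
            if h["ports"].get(port, ("",))[0] == "open"]


def naive_grep_cut(text: str) -> list[str]:
    """`grep open FILE | cut -d" " -f2` reproduced in Python, for comparison."""
    return [line.split(" ")[1] for line in text.splitlines() if "open" in line]


if __name__ == "__main__":
    print("parsed:", hosts_with_open_port(WEB_SWEEP, 80))
    print("grep|cut:", naive_grep_cut(WEB_SWEEP))
```

On the sample, the parsed answer is the three hosts with 80/open, while the grep | cut reproduction also reports 192.168.50.8 twice, once for its Status line and once for its closed-port line, purely because its hostname contains "open".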
WDavid404 commented 6 months ago

When there is no nmap on the Windows client

For instance, from the Windows 11 client, we can verify if the SMB port 445 is open on a domain controller as follows.

PS C:\Users\student> Test-NetConnection -Port 445 192.168.50.151

ComputerName     : 192.168.50.151
RemoteAddress    : 192.168.50.151
RemotePort       : 445
InterfaceAlias   : Ethernet0
SourceAddress    : 192.168.50.152
TcpTestSucceeded : True

Note: Port scanning SMB via PowerShell

PS C:\Users\student> 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
TCP port 88 is open
...

Note: Automating the PowerShell portscanning