Open WDavid404 opened 8 months ago
An ACK scan will send a TCP packet with the ACK flag set.
This scan won’t tell us whether the target port is open in a simple setup.
This kind of scan would be helpful if there is a firewall in front of the target. Consequently, based on which ACK packets resulted in responses, you will learn which ports were not blocked by the firewall. In other words, this type of scan is more suitable to discover firewall rule sets and configuration.
Case: After setting up the target VM MACHINE_IP with a firewall, we repeated the ACK scan. This time, we received some interesting results. As seen in the console output below, we have three ports that aren't being blocked by the firewall. This result indicates that the firewall is blocking all other ports except for these three ports.
The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open.
If you want to experiment with a new TCP flag combination beyond the built-in TCP scan types, you can do so using --scanflags. For instance, if you want to set SYN, RST, and FIN simultaneously, you can do so using --scanflags RSTSYNFIN.
In brief, scanning with a spoofed IP address is three steps:
In general, you expect to specify the network interface using -e and to explicitly disable ping scan -Pn. Therefore, instead of nmap -S SPOOFED_IP MACHINE_IP, you will need to issue nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.
When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well. You can specify the source MAC address using --spoof-mac SPOOFED_MAC. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11).
You can launch a decoy scan by specifying a specific or random IP address after -D. For example, nmap -D 10.10.0.1,10.10.0.2,ME MACHINE_IP will make the scan of MACHINE_IP appear as coming from the IP addresses 10.10.0.1, 10.10.0.2, and then ME to indicate that your IP address should appear in third position. Another example command would be nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME MACHINE_IP, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources.
Purpose: to bypass firewalls and IDS. Nmap provides the option -f to fragment packets.
The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below.
```sh
sudo nmap -sS -p80 10.20.30.144
```
In the first two lines, we can see an ARP query and response. Nmap issued an ARP query because the target is on the same Ethernet. The second two lines show a TCP SYN ping and a reply. The fifth line is the beginning of the port scan; Nmap sends a TCP SYN packet to port 80. In this case, the IP header is 20 bytes, and the TCP header is 24 bytes. Note that the minimum size of the TCP header is 20 bytes.
```sh
sudo nmap -sS -p80 -f 10.20.30.144
```
With fragmentation requested via -f, the 24 bytes of the TCP header will be divided into multiples of 8 bytes, with the last fragment containing 8 bytes or less of the TCP header. Since 24 is divisible by 8, we got 3 IP fragments; each has 20 bytes of IP header and 8 bytes of TCP header. We can see the three fragments between the fifth and the seventh lines.
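The fragment arithmetic above, as an added example that is not part of the original notes: it models how IP splits the 24-byte TCP header under -f (and under -ff or --mtu, which just change the per-fragment size), and shows which fragment ends up carrying the TCP flags byte.

```python
# Added example, not code from the original notes: model how IP fragments an Nmap
# probe. Sizes follow the capture described above: 20-byte IP header, 24-byte TCP
# header; -f allows 8 bytes of transport data per fragment (-ff gives 16, --mtu N gives N).
IP_HEADER_LEN = 20

def fragment_probe(payload_len, data_per_fragment=8, ip_id=0x1234):
    """Split `payload_len` bytes of transport data into IP fragments of at most
    `data_per_fragment` bytes. Fragment offsets are stored in 8-byte units, so
    the per-fragment size must be a multiple of 8 (the reason --mtu demands it)."""
    if data_per_fragment <= 0 or data_per_fragment % 8:
        raise ValueError("fragment data size must be a positive multiple of 8")
    fragments, offset = [], 0
    while offset < payload_len:
        length = min(data_per_fragment, payload_len - offset)
        fragments.append({
            "ip_id": ip_id,                       # same ID in every fragment, for reassembly
            "offset_units": offset // 8,          # 13-bit Fragment Offset field
            "data_len": length,
            "more_fragments": offset + length < payload_len,   # MF flag
            "total_len": IP_HEADER_LEN + length,  # IP Total Length of this fragment
        })
        offset += length
    return fragments

def fragment_carrying(fragments, byte_index):
    """Index of the fragment that holds transport-layer byte `byte_index`.
    In a TCP header the flags byte is at index 13, so a device that inspects only
    the first fragment never sees the SYN flag of a -f probe."""
    for i, frag in enumerate(fragments):
        start = frag["offset_units"] * 8
        if start <= byte_index < start + frag["data_len"]:
            return i
    raise IndexError(f"byte {byte_index} beyond the fragmented data")

if __name__ == "__main__":
    frags = fragment_probe(24)           # the 3 fragments seen in the -f capture
    for frag in frags:
        print(frag)
    print("TCP flags travel in fragment", fragment_carrying(frags, 13))
```

This is also why a firewall or IDS that does not reassemble fragments can miss the scan: the flags of a -f probe are in the second fragment.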
Spoofing the source IP address can be a great approach to scanning stealthily. However, spoofing will only work in specific network setups. It requires you to be in a position where you can monitor the traffic. Considering these limitations, spoofing your IP address can have little use; however, we can give it an upgrade with the idle scan.
The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with.
Practically, Nmap will make each probe appear as if it is coming from the idle (zombie) host, then it will check for indicators of whether the idle (zombie) host received any response to the spoofed probe.
This is accomplished by checking the IP identification (IP ID) value in the IP header.
You can run an idle scan using nmap -sI ZOMBIE_IP MACHINE_IP, where ZOMBIE_IP is the IP address of the idle host (zombie).
The idle (zombie) scan requires the following three steps to discover whether a port is open:
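The IP ID side channel described above, as an added simulation that is not part of the original notes: three constructed hosts (attacker, zombie, target) exchange modelled packets, the zombie keeps a global incremental IP ID, and the scan is decided purely from the difference between two zombie probes.

```python
# Added example, not code from the original notes: a model of the idle (zombie)
# scan's IP ID side channel. Hosts, addresses, ports and the counter are constructed.
class Host:
    def __init__(self, name, open_ports=(), ip_id=1000):
        self.name, self.open_ports = name, set(open_ports)
        self.ip_id = ip_id        # global incremental IP ID: the property a zombie must have
        self.inbox = []

    def send(self, dst, flags, port, src=None):
        self.ip_id += 1           # every packet this host emits consumes one IP ID value
        dst.receive({"src": src or self, "flags": flags, "port": port, "ip_id": self.ip_id})

    def receive(self, pkt):
        if pkt["flags"] == "SYN":            # open port -> SYN/ACK, closed port -> RST
            reply = "SYN/ACK" if pkt["port"] in self.open_ports else "RST"
            self.send(pkt["src"], reply, pkt["port"])
        elif pkt["flags"] == "SYN/ACK":      # unexpected SYN/ACK -> RST (RFC 793)
            self.send(pkt["src"], "RST", pkt["port"])
        else:                                # RST is accepted silently
            self.inbox.append(pkt)

def probe_ip_id(scanner, zombie):
    """Steps 1 and 3: SYN/ACK the zombie; its RST reply carries its current IP ID."""
    scanner.send(zombie, "SYN/ACK", 80)
    return scanner.inbox.pop()["ip_id"]

def idle_scan(scanner, zombie, target, port, background=None):
    before = probe_ip_id(scanner, zombie)
    # Step 2: SYN to the target with the zombie's address forged as source. The
    # scanner never sees the reply; only the zombie's IP ID counter records it.
    scanner.send(target, "SYN", port, src=zombie)
    if background:                # optional: other traffic reaching the zombie meanwhile
        background(zombie)
    delta = probe_ip_id(scanner, zombie) - before
    if delta == 2:
        return "open"             # target SYN/ACKed the zombie and the zombie RSTed back
    if delta == 1:
        return "closed|filtered"  # the zombie sent nothing between the two probes
    return "unreliable"           # the zombie was not idle, so its counter is not trustworthy

if __name__ == "__main__":
    attacker, zombie = Host("attacker"), Host("zombie")
    target = Host("target", open_ports={22, 80})
    for p in (22, 80, 443):
        print(p, idle_scan(attacker, zombie, target, p))
```

The `background` hook shows the failure mode the name "idle" refers to: any traffic that makes the zombie emit packets between the two probes shifts its counter and the result can no longer be trusted.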
Adding -sV to your Nmap command will collect and determine service and version information for the open ports. You can control the intensity with --version-intensity LEVEL where the level ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.
It is important to note that using -sV will force Nmap to proceed with the TCP 3-way handshake and establish the connection. The connection establishment is necessary because Nmap cannot discover the version without fully establishing a connection and communicating with the listening service. In other words, a stealth SYN scan -sS is not possible when the -sV option is chosen.
```
pentester@TryHackMe$ sudo nmap -sV MACHINE_IP
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 05:03 BST
Nmap scan report for MACHINE_IP
Host is up (0.0040s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
25/tcp  open  smtp    Postfix smtpd
80/tcp  open  http    nginx 1.6.2
110/tcp open  pop3    Dovecot pop3d
111/tcp open  rpcbind 2-4 (RPC #100000)
MAC Address: 02:A0:E7:B5:B6:C5 (Unknown)
Service Info: Host: debra2.thm.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds
```
OS detection can be enabled using -O; this is an uppercase O as in OS.
In this example, we ran nmap -sS -O MACHINE_IP on the AttackBox.
The OS detection is very convenient, but many factors might affect its accuracy. First and foremost, Nmap needs to find at least one open and one closed port on the target to make a reliable guess. Furthermore, the guest OS fingerprints might get distorted due to the rising use of virtualization and similar technologies. Therefore, always take the OS version with a grain of salt.
If you want Nmap to find the routers between you and the target, just add --traceroute. Note:
```
pentester@TryHackMe$ sudo nmap -sS --traceroute MACHINE_IP
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-10 05:05 BST
Nmap scan report for MACHINE_IP
Host is up (0.0015s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
MAC Address: 02:A0:E7:B5:B6:C5 (Unknown)
TRACEROUTE
HOP RTT     ADDRESS
1   1.48 ms MACHINE_IP
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
```
We can see that there are no routers/hops between the two as they are connected directly.
```sh
/usr/share/nmap/scripts# ls http*
```
Run the default scripts with --script=default, or simply by adding -sC.
| Script Category | Description |
|---|---|
| auth | Authentication related scripts |
| broadcast | Discover hosts by sending broadcast messages |
| brute | Performs brute-force password auditing against logins |
| default | Default scripts, same as -sC |
| discovery | Retrieve accessible information, such as database tables and DNS names |
| dos | Detects servers vulnerable to Denial of Service (DoS) |
| exploit | Attempts to exploit various vulnerable services |
| external | Checks using a third-party service, such as Geoplugin and Virustotal |
| fuzzer | Launch fuzzing attacks |
| intrusive | Intrusive scripts such as brute-force attacks and exploitation |
| malware | Scans for backdoors |
| safe | Safe scripts that won’t crash the target |
| version | Retrieve service versions |
| vuln | Checks for vulnerabilities or exploit vulnerable services |
- -oN FILENAME: normal output
- -oG FILENAME: grepable output
- -oX FILENAME: XML output
- -oA FILENAME: all of the above, i.e. it combines -oN, -oG, and -oX
- -oS FILENAME: script kiddie output, e.g. nmap -sS 127.0.0.1 -oS FILENAME
TCP connect scan (-sT) works by completing the TCP 3-way handshake.
We are interested in learning whether the TCP port is open, not in establishing a TCP connection. Hence the connection is torn down as soon as its state is confirmed, by sending an RST/ACK.
SYN scan (-sS) does not need to complete the TCP 3-way handshake; instead, it tears down the connection once it receives a response from the server.
-T0 is the slowest (paranoid), while -T5 is the fastest. According to the Nmap manual page, there are six templates:
- paranoid (-T0)
- sneaky (-T1)
- polite (-T2)
- normal (-T3)
- aggressive (-T4)
- insane (-T5)
For example, --max-rate 10 or --max-rate=10 ensures that your scanner is not sending more than ten packets per second.
For instance, --min-parallelism=512 pushes Nmap to maintain at least 512 probes in parallel.
```sh
nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2
```
```
kali@kali:~$ nmap -p 80 192.168.50.1-253 -oG web-sweep.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 03:50 EST
Nmap scan report for 192.168.50.6
Host is up (0.11s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap scan report for 192.168.50.8
Host is up (0.11s latency).
PORT   STATE  SERVICE
80/tcp closed http
...
kali@kali:~$ grep open web-sweep.txt | cut -d" " -f2
192.168.50.6
192.168.50.20
192.168.50.21
```
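The grep/cut one-liner above works for a single-port sweep but breaks once a -oG line lists several ports. As an added example that is not part of the original notes, here is a parser that reads the grepable format by its tab-separated fields; the sample output and the hostname dc01.example.test are constructed.

```python
# Added example, not code from the original notes: parse Nmap grepable (-oG) output
# by its tab-separated fields instead of `grep open | cut -d" " -f2`, which breaks as
# soon as a line lists several ports. The sample below is constructed in -oG format.
import ipaddress

SAMPLE_OG = (
    "# Nmap 7.92 scan initiated as: nmap -p 22,80,443 -oG web-sweep.txt 192.168.50.1-253\n"
    "Host: 192.168.50.6 ()\tStatus: Up\n"
    "Host: 192.168.50.6 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.168.50.8 (dc01.example.test)\tStatus: Up\n"
    "Host: 192.168.50.8 (dc01.example.test)\tPorts: 22/filtered/tcp//ssh///, 80/closed/tcp//http///"
    "\tIgnored State: closed (1)\n"
    "Host: 192.168.50.20 ()\tStatus: Up\n"
    "# Nmap done -- 3 IP addresses (3 hosts up) scanned\n"
)

def parse_grepable(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [(port, state, proto, service)]}}.
    A -oG port entry is port/state/protocol/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment lines start with '#'
        fields = line.split("\t")
        ip, hostname = fields[0][len("Host:"):].strip().split(" ", 1)
        entry = hosts.setdefault(ip, {"hostname": hostname.strip("()"), "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(":")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":                      # only up hosts get a Ports field
                entry["up"] = True
                for item in value.split(","):
                    parts = item.strip().split("/")
                    entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts

def hosts_with_open(hosts, port, proto="tcp"):
    """IPs that have `port`/`proto` open, numerically sorted."""
    return sorted((ip for ip, h in hosts.items()
                   if any(p == port and st == "open" and pr == proto for p, st, pr, _ in h["ports"])),
                  key=ipaddress.ip_address)

if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    print("web servers:", hosts_with_open(hosts, 80))
    print("hosts up:", [ip for ip, h in hosts.items() if h["up"]])
```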
For instance, from the Windows 11 client, we can verify if the SMB port 445 is open on a domain controller as follows.
```
PS C:\Users\student> Test-NetConnection -Port 445 192.168.50.151
ComputerName     : 192.168.50.151
RemoteAddress    : 192.168.50.151
RemotePort       : 445
InterfaceAlias   : Ethernet0
SourceAddress    : 192.168.50.152
TcpTestSucceeded : True
```
Note: port scanning SMB via PowerShell
```
PS C:\Users\student> 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
TCP port 88 is open
...
```
Note: automating the PowerShell port scanning
Nmap Advanced Port Scans
TCP Null Scan, FIN Scan, and Xmas Scan
Null Scan: a lack of reply in a null scan indicates that either the port is open or a firewall is blocking the packet.
FIN Scan: no response will be sent if the TCP port is open.
Xmas Scan
An Xmas scan sets the FIN, PSH, and URG flags simultaneously. If an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered.
![image](https://github.com/WDavid404/Note_tryhackme/assets/137129330/16e802d2-d1f5-4a23-81d9-66de1c72865c)