Nmap
Date: 14 January 2021
Author: Dhilip Sanjay S
This is a writeup of the TryHackMe Nmap room.
Nmap - Introduction
Nmap can be used to perform many different kinds of port scan.
65535 Ports available
System ports (0-1023)
User Ports (0-49151)
Dynamic and/or Private Ports (49152-65535)
Depending on how the port responds, it can be determined as being open, closed, or filtered (usually by a firewall)
Questions
What networking constructs are used to direct traffic to the right application on a server?
Answer: Ports
How many of these are available on any network-enabled computer?
Answer: 65536
How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task)
Answer: 1024
Nmap Switches
What is the first switch listed in the help menu for a 'Syn Scan'
Answer: -sS
Which switch would you use for a "UDP scan"?
Answer: -sU
If you wanted to detect which operating system the target is running on, which switch would you use?
Answer: -O
Nmap provides a switch to detect the version of the services running on the target. What is this switch?
Answer: -sV
The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Answer: -v
Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
Answer: -vv
What switch would you use to save the nmap results in three major formats?
Answer: -oA
What switch would you use to save the nmap results in a "normal" format?
Answer: -oN
A very useful output format: how would you save results in a "grepable" format?
Answer: -oG
Sometimes the results we're getting just aren't enough. If we don't care about how loud we are, we can enable "aggressive" mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning. How would you activate this setting?
Answer: -A
How would you set the timing template to level 5?
Answer: -T5
How would you tell nmap to scan port 80
Answer: -p 80
How would you tell nmap to scan ports 1000-1500?
Answer: -p 1000-1500
How would you tell nmap to scan all ports?
Answer: -p-
How would you activate a script from the nmap scripting library
Answer: --script
How would you activate all of the scripts in the "vuln" category?
Answer: --script=vuln
Basic Scan Types
When port scanning with Nmap, there are three basic scan types. These are:
TCP Connect Scans (-sT)
If Nmap sends a TCP request with the SYN flag set to a closed port, the target server will respond with a TCP packet with the RST (Reset) flag set. By this response, Nmap can establish that the port is closed.
If, however, the request is sent to an open port, the target will respond with a TCP packet with the SYN/ACK flags set. Nmap then marks this port as being open (and completes the handshake by sending back a TCP packet with ACK set).
If Nmap sends a TCP SYN request and receives nothing back, this indicates that the port is being protected by a firewall, and the port is considered to be filtered.
SYN "Half-open" Scans or "Stealth" Scans (-sS)
These scans require sudo permissions. If Nmap is not run with sudo, it defaults to a TCP connect scan. The scan is "half-open" because Nmap never completes the handshake: after the SYN/ACK comes back it tears the connection down with a RST instead of replying with an ACK.
If a port is closed then the server responds with a RST TCP packet. If the port is filtered by a firewall, the TCP SYN packet is either dropped or spoofed with a TCP reset.
UDP Scans (-sU)
UDP connections are stateless.
When a packet is sent to a UDP port and no response comes back, Nmap refers to the port as being open|filtered (the port may be open, or the packet may have been dropped by a firewall).
If it gets a UDP response, then the port is marked as open.
When a packet is sent to a closed UDP port, the target should respond with an ICMP (ping) packet containing a message that the port is unreachable.
Since UDP scans are slow, usually only the most common ports are scanned:
nmap -sU --top-ports 20 <target>
Questions
There are two other names for a SYN scan, what are they?
Answer: Half-Open, Stealth
Can Nmap use a SYN scan without sudo permissions?
Answer: N
If a UDP port doesn't respond to an Nmap scan, what will it be marked as?
Answer: open|filtered
When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?
Answer: ICMP
Less common scan types
Additionally there are several less common port scan types which are stealthier than a SYN scan. These are:
TCP Null Scans (-sN)
The TCP request is sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.
TCP FIN Scans (-sF)
A request is sent with the FIN flag (usually used to gracefully close an active connection). Once again, Nmap expects a RST if the port is closed.
TCP Xmas Scans (-sX)
Xmas scans (-sX) send a malformed TCP packet and expect a RST response for closed ports. It's referred to as an Xmas scan because the flags that it sets (PSH, URG and FIN) give it the appearance of a blinking Christmas tree when viewed as a packet capture in Wireshark.
The expected response for open ports with these scans is also identical, and is very similar to that of a UDP scan. These scans will only ever identify ports as being open|filtered, closed, or filtered.
Microsoft Windows (and a lot of Cisco network devices) are known to respond with a RST to any malformed TCP packet -- regardless of whether the port is actually open or not. This results in all ports showing up as being closed.
That said, the goal here is, of course, firewall evasion. Many firewalls are configured to drop incoming TCP packets to blocked ports which have the SYN flag set (thus blocking new connection initiation requests). By sending requests which do not contain the SYN flag, we effectively bypass this kind of firewall.
Questions
Which of the three shown scan types uses the URG flag?
Answer: Xmas
Why are NULL, FIN and Xmas scans generally used?
Answer: Firewall Evasion
Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Answer: Microsoft Windows
ICMP (or "ping") scanning
To see which IP addresses contain active hosts, and which do not, we use Nmap to perform a ping sweep:
nmap -sn 192.168.0.1-254
or
nmap -sn 192.168.0.0/24
The -sn switch tells Nmap not to scan any ports -- forcing it to rely purely on ICMP packets (or ARP requests on a local network) to identify targets.
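The grepable output format (-oG, from the Nmap Switches section) is the one you reach for when a ping sweep or port scan has to feed another tool. The block below is an added example, not code from the TryHackMe room or from the Nmap project: it parses grepable output into a host table, handling both the Status records a -sn sweep produces and the Ports records a port scan produces. The sample output and addresses are constructed for this example.

```python
"""Parser for Nmap's grepable (-oG) output.

Added example, not from the TryHackMe room or the Nmap project. SAMPLE_OG is
constructed: one ping-sweep record set (-sn) and one port-scan record, with
placeholder addresses. Real -oG files have the same tab-separated layout.
"""
import re

SAMPLE_OG = """\
# Nmap 7.91 scan initiated (constructed sample) as: nmap -sn -oG - 192.168.0.0/24
Host: 192.168.0.1 (router.example)\tStatus: Up
Host: 192.168.0.10 ()\tStatus: Up
# Nmap 7.91 scan initiated (constructed sample) as: nmap -sS -p 1-5000 -oG - 192.168.0.10
Host: 192.168.0.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (4996)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [(port, state, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # comment lines carry the command line and timestamps
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        # Remaining tab-separated fields: "Status: Up", "Ports: ...", "Ignored State: ..."
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                # Each port spec is port/state/proto/owner/service/rpcinfo/version/
                for spec in value.split(", "):
                    port, state, proto, _owner, service, *_rest = spec.split("/")
                    entry["ports"].append((int(port), state, proto, service))
                entry["up"] = True  # a port record implies the host answered
    return hosts


def live_hosts(hosts):
    """IPs that were reported as up (what a -sn sweep is used for)."""
    return sorted(ip for ip, e in hosts.items() if e["up"])


def open_ports(hosts, ip):
    """Port numbers in state open for one host."""
    return [p for p, state, _, _ in hosts[ip]["ports"] if state == "open"]


if __name__ == "__main__":
    table = parse_grepable(SAMPLE_OG)
    print("live:", live_hosts(table))
    for ip in live_hosts(table):
        print(ip, table[ip]["hostname"] or "-", "open:", open_ports(table, ip))
```

The parser only keys on the "Host:" prefix and the tab-separated "Key: value" fields, so it is unaffected by the comment lines Nmap writes at the top and bottom of the file.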
Questions
How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
Answer: nmap -sn 172.16.0.0/16
NSE Scripts
Nmap Scripting Engine (NSE) scripts are written in the Lua programming language. They are used for tasks such as scanning for vulnerabilities and automating exploits.
Categories of scripts:
safe - won't affect the target.
intrusive - Not safe (likely to affect the target).
vuln - scan for vulnerabilities.
exploit - attempt to exploit a vulnerability
auth - attempt to bypass authentication for running services.
brute - attempt to bruteforce credentials for running services.
discovery - attempt to query running services for further information about the network (e.g. querying an SNMP server).
Multiple scripts can be run at once by passing them to --script separated by commas.
Some scripts require arguments. They can be given with the --script-args Nmap switch. The arguments are separated by commas, and connected to the corresponding script with periods (i.e. <script-name>.<argument>).
Searching for scripts
Search using Nmap Website
Search local storage - /usr/share/nmap/scripts. Two ways:
grep "ftp" /usr/share/nmap/scripts/script.db
ls -l /usr/share/nmap/scripts/*ftp*
Installing Scripts
sudo apt update && sudo apt install nmap
sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse
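The two local search methods above both read the script index, script.db, which is a small Lua table with one Entry per script naming its categories. The block below is an added example, not code from the TryHackMe room or from Nmap: it parses that index so you can answer "which scripts mention ftp" and "which scripts are in the intrusive category" without grep, and it assembles the --script / --script-args part of a command line from structured input. The script.db entries are constructed for this example (the script names appear on this page; the categories shown are illustrative).

```python
"""Searching the local NSE script index and building --script-args.

Added example, not from the TryHackMe room or the Nmap project. script.db is
a Lua table of Entry { filename = "...", categories = { ... } } lines; the
SAMPLE_SCRIPT_DB below is constructed for this example.
"""
import re

SAMPLE_SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
"""

ENTRY_RE = re.compile(r'filename = "([^"]+)",\s*categories = \{([^}]*)\}')


def parse_script_db(text):
    """Return {script_name: set(categories)}; the .nse suffix is dropped."""
    index = {}
    for m in ENTRY_RE.finditer(text):
        filename = m.group(1)
        name = filename[:-4] if filename.endswith(".nse") else filename
        index[name] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return index


def scripts_matching(index, keyword):
    """Same question as: grep "ftp" script.db (match on the script name)."""
    return sorted(name for name in index if keyword in name)


def scripts_in_category(index, category):
    """Everything --script=<category> would select from this index."""
    return sorted(name for name, cats in index.items() if category in cats)


def build_script_args(args):
    """args: {(script, argument): value} -> "script.arg=value,script.arg=value"."""
    return ",".join(f"{script}.{arg}={value}" for (script, arg), value in args.items())


def build_command(target, scripts, args=None, sudo=False):
    """Assemble the argv for an NSE run (returned, not executed)."""
    cmd = ["sudo", "nmap"] if sudo else ["nmap"]
    cmd += ["--script", ",".join(scripts)]
    if args:
        cmd += ["--script-args", build_script_args(args)]
    cmd.append(target)
    return cmd


if __name__ == "__main__":
    idx = parse_script_db(SAMPLE_SCRIPT_DB)
    print("ftp scripts:", scripts_matching(idx, "ftp"))
    print("intrusive:", scripts_in_category(idx, "intrusive"))
    # Assumption: TARGET_IP is a placeholder, not a real host.
    print(" ".join(build_command("TARGET_IP", ["ftp-anon"], {("ftp-anon", "maxlist"): "5"})))
```

Checking a script's categories in the index before running it is the practical way to avoid the "intrusive" category on a production host, which the questions below ask about.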
Questions
What language are NSE scripts written in?
Answer: Lua
Which category of scripts would be a very bad idea to run in a production environment?
Answer: intrusive
What optional argument can the ftp-anon.nse script take?
Answer: maxlist
Steps to Reproduce:
Visit the URL.
What is the filename of the script which determines the underlying OS of the SMB server?
Answer: smb-os-discovery.nse
Steps to Reproduce:
Read through this script. What does it depend on?
Answer: smb-brute
Steps to Reproduce:
Firewall Evasion
A typical Windows host will, with its default firewall, block all ICMP packets. Nmap will register a host with this firewall configuration as dead and not bother scanning it at all.
The -Pn switch tells Nmap to not bother pinging the host before scanning it. Nmap will always treat the target host as being alive (effectively bypassing the ICMP block).
If you're already directly on the local network, Nmap can also use ARP requests to determine host activity.
Some useful switches:
-f - Used to fragment the packets into smaller pieces (less likely that the packets will be detected by a firewall or IDS).
--mtu <number> - Accepts a maximum transmission unit size to use for the packets sent (it must be a multiple of 8).
--scan-delay <time>ms - Used to add a delay between packets sent. Useful if the network is unstable, or to evade any time-based firewall/IDS triggers.
--badsum - Used to generate an invalid checksum for packets. Can be used to determine the presence of a firewall/IDS. Usually this packet would be dropped; however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet.
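Two of the switches above are easier to reason about once you see the packet arithmetic behind them. --badsum sends probes whose TCP/UDP checksum is wrong, so a real host discards them and only a device that skips checksum validation answers; --mtu must be a multiple of 8 because IPv4 fragment offsets are counted in 8-byte units. The block below is an added example, not code from the TryHackMe room or from Nmap: it implements the Internet checksum shared by IPv4, TCP and UDP, builds a constructed TCP SYN segment with a correct and then a deliberately broken checksum, and applies the --mtu rule. All header bytes are constructed for this example.

```python
"""What --badsum and --mtu mean at the packet level.

Added example, not from the TryHackMe room or the Nmap project. The IPv4 and
TCP header bytes below are constructed samples.
"""


def internet_checksum(data):
    """RFC 1071 checksum: one's complement of the one's complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Constructed 20-byte IPv4 header with its checksum field (0xb1e6) already filled in.
IPV4_HEADER = bytes.fromhex("4500003c1c4640004006b1e6ac100a63ac100a0c")


def ipv4_checksum_is_valid(header):
    """With a correct checksum in place, the checksum over the whole header is zero."""
    return internet_checksum(header) == 0


def _pseudo_header(src_ip, dst_ip, segment):
    # IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length
    return src_ip + dst_ip + b"\x00\x06" + len(segment).to_bytes(2, "big")


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum of a TCP header+payload, computed with its checksum field zeroed."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"  # TCP checksum field is bytes 16-17
    return internet_checksum(_pseudo_header(src_ip, dst_ip, segment) + bytes(seg))


def with_tcp_checksum(src_ip, dst_ip, segment):
    """Return the segment with a correct checksum written in (a normal probe)."""
    seg = bytearray(segment)
    seg[16:18] = tcp_checksum(src_ip, dst_ip, segment).to_bytes(2, "big")
    return bytes(seg)


def tcp_checksum_is_valid(src_ip, dst_ip, segment):
    """What a receiving host checks before handing the segment to TCP."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0


def badsum(segment):
    """Corrupt the checksum field: the kind of probe --badsum sends."""
    seg = bytearray(segment)
    seg[16] ^= 0xFF
    return bytes(seg)


def mtu_is_valid(mtu):
    """--mtu must be a positive multiple of 8 (fragment offsets count 8-byte units)."""
    return mtu > 0 and mtu % 8 == 0


# Constructed TCP SYN: port 40000 -> 80, seq 0, data offset 5, flags SYN, window 65535.
SRC_IP = bytes([172, 16, 10, 99])
DST_IP = bytes([172, 16, 10, 12])
SYN_SEGMENT = bytes.fromhex("9c400050" "00000000" "00000000" "5002ffff" "00000000")

if __name__ == "__main__":
    good = with_tcp_checksum(SRC_IP, DST_IP, SYN_SEGMENT)
    print("good probe valid:", tcp_checksum_is_valid(SRC_IP, DST_IP, good))
    print("badsum probe valid:", tcp_checksum_is_valid(SRC_IP, DST_IP, badsum(good)))
    print("--mtu 24 ok:", mtu_is_valid(24), " --mtu 30 ok:", mtu_is_valid(30))
```

The same validity test (checksum over the data plus its own checksum field is zero) is what an end host applies; a device that answers a badsum probe anyway is, by that fact, not doing the check.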
Questions
Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
Answer: ICMP
Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
Answer: --data-length
Note: In the Nmap help, --data-length <num>: Append random data to sent packets.
Practical
Does the target respond to ICMP ping requests?
Answer: N
Steps to Reproduce:
Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
Answer: 999
Steps to Reproduce:
There is a reason given for this -- what is it?
Answer: No response
Steps to Reproduce:
In the nmap output, there is a reason mentioned - All 1000 scanned ports on <MACHINE_IP> are open|filtered because of 1000 no-responses.
Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?
Answer: 5
Steps to Reproduce:
Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21?
Answer: Y
Steps to Reproduce:
Login using the ftp username anonymous and an empty password.