NMAP

What networking constructs are used to direct traffic to the right application on a server? ports

Common Port Numbers

  Port   Usage
  20     File Transfer Protocol (FTP) data transfer
  21     File Transfer Protocol (FTP) command control
  22     Secure Shell (SSH)
  23     Telnet - remote login service, unencrypted text messages
  25     Simple Mail Transfer Protocol (SMTP) e-mail routing
  53     Domain Name System (DNS) service
  80     Hypertext Transfer Protocol (HTTP), used in the World Wide Web
  110    Post Office Protocol (POP3), used by e-mail clients to retrieve e-mail from a server
  119    Network News Transfer Protocol (NNTP)
  123    Network Time Protocol (NTP)
  139    NetBIOS
  143    Internet Message Access Protocol (IMAP), management of digital mail
  161    Simple Network Management Protocol (SNMP)
  194    Internet Relay Chat (IRC)
  443    HTTP Secure (HTTPS), HTTP over TLS/SSL
  445    SMB

Nmap 7.91 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80

nmap -T4 -F 192.168.0.* | tee scanresults.txt

  • -T4 Selects timing template 4 ("aggressive"); as the help text above says, higher templates are faster. It is not a four-second wait.

  • -F Fast mode: scan fewer ports than the default scan. (Sending FIN packets is the separate -sF scan type.)

  • 192.168.0.* Is the subnet to scan, using * as a wildcard to state all hosts on the network.

  • | tee scanresults.txt Pipes nmap's output through tee, which displays the results and also writes them to the text file scanresults.txt

SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

How would you tell nmap to scan all ports? -p-

Scan types

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)

  • SYN "Half-open" Scans (-sS)

  • UDP Scans (-sU)

Additionally, there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:

  • TCP Null Scans (-sN)

  • TCP FIN Scans (-sF)

  • TCP Xmas Scans (-sX)

If a port is closed, which flag should the server send back to indicate this? RST

There are two other names for a SYN scan, what are they? half-open and stealth

If a UDP port doesn't respond to an Nmap scan, what will it be marked as? open|filtered

When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so? ICMP

ICMP network scanning

To perform a ping sweep, we use the -sn switch in conjunction with IP ranges, which can be specified with either a hyphen (-) or CIDR notation. For example, we could scan the 192.168.0.x network using:

  • nmap -sn 192.168.0.1-254

or

  • nmap -sn 192.168.0.0/24

The -sn switch tells Nmap not to scan any ports -- forcing it to rely primarily on ICMP echo packets (or ARP requests on a local network, if run with sudo or directly as the root user) to identify targets. In addition to the ICMP echo requests, the -sn switch will also cause nmap to send a TCP SYN packet to port 443 of the target, as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target.

NSE Scripting

The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality quite considerably. NSE scripts are written in the Lua programming language and can be used to do a variety of things: from scanning for vulnerabilities to automating exploits for them. The NSE is particularly useful for reconnaissance; however, it is well worth bearing in mind how extensive the script library is.

There are many categories available. Some useful categories include:

  • safe: Won't affect the target

  • intrusive: Not safe: likely to affect the target

  • vuln: Scan for vulnerabilities

  • exploit: Attempt to exploit a vulnerability

  • auth: Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously)

  • brute: Attempt to bruteforce credentials for running services

  • discovery: Attempt to query running services for further information about the network (e.g. query an SNMP server).

Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?

nmap -sS -p1-5000 -vv -Pn 10.10.42.12
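As an added example (not part of these notes), a small Python parser for Nmap's XML output (-oX) that answers the question above programmatically and ties it back to the Scan types section: it counts only ports Nmap marks open, keeps UDP's open|filtered separate, and tallies the --reason values (syn-ack, resets, no-response) that correspond to the SYN/ACK, RST and no-answer cases. SAMPLE_XML is constructed to mimic a run of the command above against a made-up host 10.0.0.5, plus one host that never answered.

```python
"""Summarise an Nmap XML report (-oX): which hosts are up, which ports are
open, and the --reason behind each state. Added example, not from the notes;
SAMPLE_XML is constructed to mimic `nmap -sS -p1-5000 -vv -Pn --reason -oX -`."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<nmaprun args="nmap -sS -p1-5000 -vv -Pn --reason -oX - 10.0.0.5">
<host><status state="up" reason="user-set"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<extraports state="closed" count="4996"><extrareasons reason="resets" count="4996"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_report(xml_text):
    """Return {addr: {"up": bool, "ports": [(proto, port, state, reason)],
    "extra": Counter("state/reason" -> count)}} for every host in the run."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entry = {"up": host.find("status").get("state") == "up",
                 "ports": [], "extra": Counter()}
        for port in host.iter("port"):          # ports Nmap lists individually
            st = port.find("state")
            entry["ports"].append((port.get("protocol"), int(port.get("portid")),
                                   st.get("state"), st.get("reason")))
        for ep in host.iter("extraports"):      # ports Nmap lumps together (e.g. 4996 closed by RST)
            for er in ep.iter("extrareasons"):
                entry["extra"][f"{ep.get('state')}/{er.get('reason')}"] += int(er.get("count"))
        report[addr] = entry
    return report

def live_hosts(report):
    return sorted(a for a, h in report.items() if h["up"])

def open_ports(report, addr):
    """Strictly 'open' ports; 'open|filtered' (UDP with no reply) is not counted."""
    return sorted((proto, p) for proto, p, state, _ in report[addr]["ports"] if state == "open")

def state_reasons(report, addr):
    """Counter of state/reason, merging listed ports with the extraports summary."""
    c = Counter(report[addr]["extra"])
    c.update(f"{state}/{reason}" for _, _, state, reason in report[addr]["ports"])
    return c
```

Run parse_report on the XML written by a real `-oX report.xml` scan and open_ports gives the count the question asks for; state_reasons shows why the rest were closed (RST) or filtered (no response).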
