
Scanning

Nmap

Scan types

Three basic scan types:

  • TCP Connect scan (-sT) --> full three-way handshake [SYN] [SYN/ACK] [ACK], then Nmap closes the connection. It goes through the OS connect() call, so it needs no raw-socket privileges, but the service sees a completed connection and will usually log it.

  • SYN "half-open" scan (-sS) --> [SYN] [SYN/ACK] [RST]: Nmap answers the SYN/ACK with a RST instead of an ACK, so the application never receives a connection. Needs root (raw sockets) and is Nmap's default scan type when run as root.

  • UDP scan (-sU) --> UDP has no handshake; for most ports the target simply does not answer, so Nmap has to wait for a timeout and retransmit. That makes a full UDP scan very slow, so start with the most common ports:

    • nmap -sU --top-ports 20 <target>

      • open|filtered = no response: the port is either open or silently dropped by a firewall, and Nmap cannot tell which

      • open = a UDP reply came back. Unusual, since it needs a service that answers the probe (Nmap sends protocol-specific payloads for ports such as 53, 123 and 161); adding -sV improves the odds

      • closed = the target answered with an ICMP port unreachable error (type 3, code 3). This is an ICMP error message, not a ping reply; other ICMP unreachable codes (1, 2, 9, 10, 13) mean filtered

Less common scan types (sometimes useful for firewall evasion):

  • TCP Null scan (-sN) --> TCP packet sent with no flags at all. RFC 793 says a closed port must answer with [RST] while an open port ignores the packet, so no response is reported as open|filtered.

  • TCP FIN scan (-sF) --> TCP packet with only the FIN flag (normally used to close an established connection). Same expectation: [RST] from closed ports, silence from open ones.

  • TCP Xmas scan (-sX) --> TCP packet with the FIN, PSH and URG flags set ("lit up like a Christmas tree"). Same logic: [RST] for closed ports, no response for open|filtered.

These three only work against RFC-compliant stacks. Windows, many Cisco devices and some other systems send [RST] whatever the port state, so every port shows up as closed. Their value is that a stateless packet filter matching only on the SYN flag may let them through.

Ping sweep (useful in a black box network pentest):

  • nmap -sn 192.168.0.0/24 --> -sn means host discovery only, no port scan. On the local Ethernet segment Nmap uses ARP requests, which a host firewall cannot block; on remote networks (as root) it sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request, so a host that drops ICMP can still be found. Unprivileged users get TCP connect() probes to 80 and 443 instead.
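
Putting the scan types and the ping sweep together, here is an added example (not from the original page) of the discovery-then-scan workflow in POSIX shell: sweep a range, feed the live hosts into a SYN scan and a UDP top-20 scan, and parse Nmap's grepable (-oG) output so that open|filtered UDP ports are kept alongside open ones and closed ports are dropped. The sample output it parses is constructed, not a real capture; scan_network runs real nmap (which needs root for -sS/-sU) only when the hypothetical NMAP_TARGET variable is set, so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page): discovery-then-scan workflow
# with the parsers for Nmap's grepable (-oG) output that feed one phase into
# the next. Only the parsers run here; the real nmap calls live in scan_network.

# Pull the addresses of live hosts out of "nmap -sn -oG -" output.
# Down hosts only appear in grepable output with -v, but are skipped anyway.
live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

# Pull open (and, for UDP, open|filtered) ports out of port-scan -oG output.
# Each entry of the tab-separated "Ports:" field has the layout
#   port/state/proto/owner/service/rpc/version/
open_ports() {
    awk -F'\t' '/Ports:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        ports = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            if (f[2] ~ /^open/) print host, f[1] "/" f[3], f[2], f[5]
        }
    }'
}

# Sweep a network, then SYN-scan and UDP-scan only the hosts that answered.
# -sS and -sU need root; -Pn keeps hosts that dropped the discovery probes.
scan_network() {
    net="$1"
    nmap -sn -oG - "$net" | live_hosts > live.txt
    nmap -sS -Pn --top-ports 1000 -oG - -iL live.txt | open_ports
    nmap -sU -Pn --top-ports 20 -oG - -iL live.txt | open_ports
}

# Constructed sample output (not a real capture) in Nmap's grepable format.
SWEEP_SAMPLE=$(printf 'Host: 192.168.0.1 (router.lan)\tStatus: Up\nHost: 192.168.0.7 ()\tStatus: Down\nHost: 192.168.0.23 ()\tStatus: Up\n')
PORT_SAMPLE=$(printf 'Host: 192.168.0.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\nHost: 192.168.0.23 ()\tPorts: 53/open|filtered/udp//domain///, 123/open/udp//ntp///\tIgnored State: closed (18)\n')

printf '%s\n' "$SWEEP_SAMPLE" | live_hosts     # 192.168.0.1 and 192.168.0.23
printf '%s\n' "$PORT_SAMPLE" | open_ports      # 22/tcp, 80/tcp, 53/udp, 123/udp

# Real run, only when a target is supplied (hypothetical variable for this example).
if [ -n "${NMAP_TARGET:-}" ]; then
    scan_network "$NMAP_TARGET"
fi
```

The parsers deliberately keep the UDP open|filtered state rather than discarding it: on a UDP top-20 scan those ports are exactly the ones worth a follow-up with -sV or a protocol-specific NSE script, while a port that shows closed (ICMP port unreachable) can be dropped with confidence.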

Scripting engine

NSE scripts are tagged with categories; --script accepts a category, a script name, a wildcard or a boolean expression over them (e.g. --script "ftp-* and safe" or --script "default or vuln"). The categories worth knowing:

  • default: run by -sC and -A when no --script is given; chosen for speed, usefulness and reliability, and most (not all) are also safe

  • safe: won't affect the target (no crashes, no heavy traffic, no exploitation)

  • intrusive: not safe, likely to affect the target (may crash services, use noticeable resources or be logged as an attack)

  • vuln: check for specific known vulnerabilities and only report when one is found

  • exploit: actively exploit a vulnerability

  • auth: deal with authentication on running services, including bypassing it (e.g. ftp-anon checks whether an FTP server allows anonymous login); credential guessing belongs to brute instead

  • brute: brute-force credentials for running services

  • discovery: query running services for more information about the host and the network (e.g. query an SNMP server)

Script arguments

https://nmap.org/nsedoc/ --> documentation for every script, including its arguments
nmap --script-help <script-name> --> built-in help (also accepts a category or a wildcard)
Arguments are named <script-name>.<argument> and passed as a comma-separated list to --script-args:
nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php' <target>
Here http-put uploads the local file http-put.file to the remote path http-put.url on a server that accepts the PUT method (typically a writable WebDAV directory).

Searching for scripts

grep "safe" /usr/share/nmap/scripts/script.db --> every entry tagged safe (script.db has one line per script with its filename and category list; note that a plain grep also matches any filename containing the string)
grep "ftp" /usr/share/nmap/scripts/script.db --> scripts with ftp in the filename or categories
ls -l /usr/share/nmap/scripts/*ftp*
If you drop your own scripts into that directory, run nmap --script-updatedb so they show up in script.db.
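
An added example (not from the original page) of doing the script.db lookups above with a little more care: the category is matched inside the categories list rather than anywhere on the line, so a filename such as http-auth-finder.nse is not mistaken for an auth script, and the matching names are joined into the comma-separated form --script takes. The script.db excerpt is a constructed subset in the real file's one-line Entry format; the default path /usr/share/nmap/scripts/script.db is an assumption (Debian/Kali layout).

```shell
#!/bin/sh
# Added example (not from the original page): pick NSE scripts from script.db
# by category and by name. Each script.db line looks like
#   Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
# so a category is matched inside the braces, not anywhere on the line.

SCRIPT_DB="${SCRIPT_DB:-/usr/share/nmap/scripts/script.db}"   # assumed default path

# List scripts whose categories list contains the given category.
# usage: nse_by_category <category> [script.db, or - for stdin]
nse_by_category() {
    grep -E "categories = [{][^}]*\"$1\"" "${2:-$SCRIPT_DB}" |
        sed 's/.*filename = "\([^"]*\)".*/\1/'
}

# List scripts whose filename starts with the given prefix (e.g. ftp).
# usage: nse_by_name <prefix> [script.db, or - for stdin]
nse_by_name() {
    grep -E "filename = \"$1[^\"]*\"" "${2:-$SCRIPT_DB}" |
        sed 's/.*filename = "\([^"]*\)".*/\1/'
}

# Join script names into the comma-separated list --script accepts.
script_list() {
    paste -s -d , -
}

# Constructed subset of script.db (categories as in the real scripts).
DB_SAMPLE='Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "http-auth-finder.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }'

echo "auth scripts:"; printf '%s\n' "$DB_SAMPLE" | nse_by_category auth -   # ftp-anon.nse only
echo "ftp scripts:";  printf '%s\n' "$DB_SAMPLE" | nse_by_name ftp -         # ftp-anon.nse ftp-brute.nse
# All safe scripts from the sample as a single --script argument:
echo "nmap --script $(printf '%s\n' "$DB_SAMPLE" | nse_by_category safe - | script_list) <target>"
```

Drop the trailing `-` to query the real script.db instead of the sample. For day-to-day use Nmap's own expression syntax does the same filtering server-side, e.g. --script "ftp-* and safe", but parsing script.db is what lets you see exactly which scripts an expression will pull in before running anything intrusive.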

Firewall evasion

The Windows Defender firewall drops inbound ICMP echo requests by default, so a Windows host looks "down" to Nmap's host discovery and is skipped entirely. -Pn tells Nmap to skip host discovery and port-scan every target as if it were up (slower against a whole range, since dead addresses get scanned too).

If you are directly on the local network, host discovery uses ARP requests instead, which a host firewall cannot block, so -Pn is rarely needed there.

The following switches are of particular note:

-f : fragment the probes so that only 8 bytes of the TCP/UDP header travel in each IP fragment (-f -f uses 16); a filter or IDS that only inspects the first fragment may not see the port number or flags. Firewalls that reassemble fragments are not fooled, and some networks drop fragments outright.
--mtu <number> : an alternative to -f with control over the fragment size; the value must be a multiple of 8.
--scan-delay <time> : wait the given time between probes (e.g. --scan-delay 500ms or --scan-delay 1s). Useful when the network is unstable, and for staying under rate-based firewall/IDS thresholds; the -T0 and -T1 timing templates are the coarse version of the same idea.
--badsum : send probes with an invalid TCP/UDP/SCTP checksum. A real TCP/IP stack silently drops them, so any reply must come from a firewall or IDS that answered without verifying the checksum. Use it to detect such a device, not to find open ports.
Last updated 4 years ago

Reference: Firewall/IDS Evasion and Spoofing, Nmap Network Scanning: https://nmap.org/book/man-bypass-firewalls-ids.html