Nmap

1. Basic commands

nmap --help (shows all the information about nmap)

We are going to use:

  • netdiscover -r <range>

  • arp command

arp -a

arp-scan -l

A TCP connection is established in 3 parts (the three-way handshake); a SYN scan replaces the final ACK with a RST so the connection is never completed:

  • SYN (SYNchronize), SYN ACK (SYNchronize-ACKnowledgement), ACK (ACKnowledge)

  • SYN (SYNchronize), SYN ACK (SYNchronize-ACKnowledgement), RST (Connection has closed)

nmap -T4 -p- -A

  • -T4: timing template; choose a speed between 1 and 5.

  • -p-: scan all ports; without -p- Nmap only scans the top 1000 (most common) ports.

  • We can also scan specific ports, e.g. -p 80,443,53

  • -A: aggressive scan; prints everything Nmap can tell us about the host.

2. Advanced

  • By default the scan uses the TCP protocol; if we don't find anything interesting there we can switch to UDP (-sU) or another protocol.

  • --open (show only open ports)

  • -sS (TCP SYN scan, stealthier because the handshake is never completed)

  • --min-rate "number of packets per second you want to send" (scan speed); 5000 is a good choice

  • -vvv (triple verbose, shows results as they are found instead of waiting for the scan to finish)

  • -n (no DNS resolution; this speeds up the scan because Nmap resolves names by default)

  • -Pn (don't ping; treat the host as up)

  • -oG "allPorts or the name we want" (write the results in grepable format to that file)

  • extractPorts.sh script:

# Used:
# nmap -p- --open -T5 -v -n ip -oG allPorts

# Extract nmap information from the grepable (-oG) file
# Run as:
# extractPorts allPorts
function extractPorts(){
	# grepable output lists ports as "80/open/tcp//http///"; keep the number before "/open"
	ports="$(grep -oP '\d{1,5}/open' "$1" | awk -F'/' '{print $1}' | xargs | tr ' ' ',')"
	# first IPv4 address that appears in the file
	ip_address="$(grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' "$1" | sort -u | head -n 1)"
	echo -e "\n[*] Extracting information...\n" > extractPorts.tmp
	echo -e "\t[*] IP Address: $ip_address"  >> extractPorts.tmp
	echo -e "\t[*] Open ports: $ports\n"  >> extractPorts.tmp
	# copy the comma-separated list to the clipboard (requires xclip)
	echo "$ports" | tr -d '\n' | xclip -sel clip
	echo -e "[*] Ports copied to clipboard\n"  >> extractPorts.tmp
	cat extractPorts.tmp; rm extractPorts.tmp
}

  • -sC (launch the default recognition scripts; `locate .nse` lists all available scripts)

  • -sV (service and version detection)

  • -sCV (combines -sC and -sV)

3. Scripts

  • To see categories of nmap scripts:

grep -r categories /usr/share/nmap/scripts/*.nse |grep -oP '".*?"'|sort -u

  • Examples:

nmap --script=http-enum.nse -p80,443,8080 ipHost -oN webScan

nmap -p21,445 --script="vuln and safe" ipHost -oN vulnSafeScan

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount {IP} (If these scripts discover shares, to mount one on our machine: first showmount -e {IP}, then mkdir {folder}, then sudo mount -t nfs {IP}:/{name of the share} {folder}/)

4. Methodology

First step: create a directory to gather all the scanning information, then ping -c 1 "Target IP Address" to see if the machine is up (send 1 packet and receive 1 packet).

Now, depending on the TTL fingerprint, we know what kind of system we are facing:

128 ---> Windows

64 ---> Linux

255 ---> Network

255 ---> Solaris

Then we run a first nmap command to extract the open ports:

sudo nmap -A -Pn 192.168.120.130-132

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn "Target IP Address" -oG allPorts

Then:

extractPorts allPorts

Now that we have extracted all the open ports we can do an exhaustive scan of them:

nmap -sCV -p"Here copy all the open ports, ex: 53,88,525,etc." "Target IP Address" -oN targeted

To do this with 2 commands:

sudo nmap -sS --min-rate 5000 -p- <IP> -Pn -v -oN nmap_inicial

ports=$(cat nmap_inicial | grep '^[0-9]' | cut -d '/' -f1 | xargs | tr ' ' ',')

nmap -p$ports -sC -sV <IP> -Pn -oN nmap_final
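The two parsing steps of this methodology, TTL to OS guess and nmap_inicial to port list, as shell functions that can be exercised on constructed input. This is an added example, not part of the original notes; the sample -oN output it embeds is constructed, not a real scan. It generalises the TTL table in one respect: every router hop decrements the TTL by one, so a host that starts at 64 is observed as 63, 62, ... from a few hops away, and the function picks the smallest initial value that is still >= the observed TTL. It also tightens the one-liner above, which with grep '^[0-9]' picks up ports listed as filtered or closed as well as open ones.

```shell
#!/usr/bin/env bash
# Added example for the methodology above; the sample data is constructed.

# Classify an observed TTL against the initial values 64 / 128 / 255.
# Assumption: the TTL seen in the ping reply is the initial value minus the
# number of hops, so we round up to the next initial value.
ttl_guess() {
    ttl=$1
    if [ "$ttl" -le 64 ]; then
        echo "Linux"
    elif [ "$ttl" -le 128 ]; then
        echo "Windows"
    else
        echo "Network device / Solaris"
    fi
}

# Pull the ttl= field out of a ping reply line read from stdin.
# e.g. "64 bytes from 10.10.10.5: icmp_seq=1 ttl=127 time=0.42 ms" -> 127
ttl_from_ping() {
    sed -n 's/.*ttl=\([0-9]*\).*/\1/p' | head -n 1
}

# Extract only the OPEN ports from nmap normal (-oN) output, given as a file
# argument or on stdin. Port lines look like "80/tcp   open  http"; the state
# column is checked explicitly so "filtered" and "closed" lines are dropped
# ("open|filtered", as reported by UDP scans, is kept).
open_ports_from_oN() {
    awk -F'/' '$0 ~ "^[0-9]+/(tcp|udp) " {
                   split($2, f, " ")          # f[1]=proto f[2]=state f[3]=service
                   if (f[2] ~ /^open/) print $1
               }' "$@" | sort -n | uniq | paste -sd, -
}

# Constructed sample of an -oN file (not a real scan result).
sample_oN() {
    cat <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -sS --min-rate 5000 -p- 10.10.10.5 -Pn -v -oN nmap_inicial
Nmap scan report for 10.10.10.5
Host is up (0.00042s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
EOF
}

# Stand-alone demo: in practice replace sample_oN with "open_ports_from_oN nmap_inicial".
ports=$(sample_oN | open_ports_from_oN)
echo "[*] Open ports: $ports"                                     # 22,80,445
echo "[*] TTL 127 looks like: $(ttl_guess 127)"                   # Windows
echo "[*] Next step: nmap -p$ports -sC -sV 10.10.10.5 -Pn -oN nmap_final"
```

The functions read from a file when given one and from stdin otherwise, so `open_ports_from_oN nmap_inicial` drops straight into the second command of the procedure above.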

To run a UDP scan:

nmap -sU -A --top-ports=20 --version-all {IP}

5. Firewall evasion

- Fragmentation

Splitting a single packet into smaller ones.

This can prevent some firewalls or IDS systems from applying their packet filtering rules or from processing all the fragments: they may inspect a single fragment but not the whole packet.

Modern IDSs can reassemble fragmented packets, so this may not always work.

-f = fragment packets:

nmap -sS -f 0.0.0.0

No extra packets displayed in Wireshark:

sudo nmap -f 0.0.0.0 -n -p 80 --disable-arp-ping -Pn

More bytes cause more fragments:

sudo nmap -f 0.0.0.0 -p 80 -Pn --data-length 100 --disable-arp-ping

Adding a second -f makes the fragments 16 bytes instead of 8:

sudo nmap -f -f -sS 0.0.0.0 -p 80 -Pn -n --disable-arp-ping

• We can also use --mtu to specify a custom offset size. It must be a multiple of eight.

• Use Wireshark to check the fragmentation.

- Decoys

Add noise to the IDS by sending scans from spoofed IP addresses. As a result, a bunch of forged IPs (decoys) appear in the IDS along with the attacker's real IP, confusing the analyst.

• A couple of considerations with this method:

◇ All decoys need to be up and running

◇ The real IP address should appear in random order to the IDS

◇ The ISPs traversed by the spoofed traffic must let it through

ME marks our position in the decoy list. Without ME, our position is randomized:

sudo nmap -sS -D 0.0.0.0,ME,0.0.0.0 [target 0.0.0.0]

Generate random decoys that don't exist on the network:

sudo nmap -D RND:10 0.0.0.0 -sS -p 80 -Pn --disable-arp-ping

- Timing (Adding Delays)

nmap -sS -T[0-5] 0.0.0.0

- Source Port

Simple method: change the source port. Poorly configured firewalls may allow traffic coming from certain ports.

• 53 (DNS replies) and 20 (active FTP) are very commonly accepted

nmap -sS --source-port 53 0.0.0.0

nmap -g 80 -sS 0.0.0.0/24

- Advanced Port Scanning

Append 10 extra bytes of data to each packet. This takes advantage of firewalls that rely on misconfigured checks of packet headers.

sudo nmap -sS --data-length 10 -p 21 0.0.0.0

Spoof the MAC address to one from a popular vendor:

sudo nmap --spoof-mac apple 0.0.0.0 -p 80 -Pn --disable-arp-ping -n

Choose a random MAC:

sudo nmap --spoof-mac 0 0.0.0.0 -p 80 -Pn --disable-arp-ping -n

Choose a specific MAC:

sudo nmap --spoof-mac 00:11:22:33:44:55 0.0.0.0 -p 80 -Pn --disable-arp-ping -n

With a list of hosts:

Randomize the host order during the scan:

sudo nmap -iL hosts.list -sS -p 80,443,135,5555,21,22 --randomize-hosts

Perform a slow scan and randomize the hosts:

sudo nmap -iL hosts.list -sS -p 80,443,135,5555,21,22 --randomize-hosts -T 2
