Summary

Nmap is a tool for enumerating network hosts by analyzing their responses to network probes. It can identify open ports and fingerprint the services behind them.

Host Enumeration

Host Discovery

  • Scan network range:
sudo nmap 10.129.2.0/24
  • Scan IP list:
sudo nmap -iL hosts.lst
  • Multiple targets can also be specified in the same command or as a range of IPs:
sudo nmap 10.129.2.18 10.129.2.19 10.129.2.20
sudo nmap 10.129.2.18-20
  • Flags like --reason and --packet-trace help in understanding why Nmap reports a given result and where you sit relative to the target (firewalls, filtering in between).

Host and Port Scanning

  • Scans report one of the following states for each port:
    State            Description
    open             The connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams or SCTP associations.
    closed           When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
    filtered         Nmap cannot correctly identify whether the scanned port is open or closed, because either no response is returned from the target for the port or we get an error code from the target.
    unfiltered       This state only occurs during the TCP ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
    open|filtered    If we do not get a response for a specific port, Nmap sets it to this state. This indicates that a firewall or packet filter may protect the port.
    closed|filtered  This state only occurs in IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.
  • Ports can be stated explicitly (-p 80,443), taken from the most frequent ports (--top-ports=10), or all ports can be scanned (-p-)
  • Connect scans (-sT) are the most accurate, but they complete a full connection, which will be visible in log files. However, the author still regards it as the most stealthy scan
  • UDP scans (-sU) take longer than TCP scans and are harder to interpret, since UDP services typically don't send a response even when the port is open. If we do get a response, we know the port is open.
  • The version scan -sV gives a lot of service information

Saving the Results

  • -oA for all output types
  • -oG for grep-able output
  • -oN for normal output
  • -oX for XML output
  • XML output can be converted into an HTML report via xsltproc:
xsltproc target.xml -o target.html

Service Enumeration

  • The version scan -sV will return banners of the different services
  • Sometimes Nmap does not return all gathered information, so it is always a good idea to manually check banners via Netcat or tcpdump:
nc -nv 10.129.2.28 25
sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
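
As an added example (not part of the original notes), a small Python parser for the -oX output described under Saving the Results: it lists each port's state together with the value --reason would print, and flags services whose name came only from Nmap's port-number table (service method="table") rather than an -sV probe, i.e. the ports whose banners are worth checking by hand with nc. The XML sample is constructed; the element and attribute names follow Nmap's real XML format.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample of Nmap -oX output (host, ports and versions are made up;
# the element and attribute names follow Nmap's real XML format).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sU -oX target.xml 10.129.2.28">
<host><address addr="10.129.2.28" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
  <service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/>
  <service name="http" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
  <service name="snmp" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

@dataclass
class PortResult:
    host: str
    proto: str
    port: int
    state: str      # open / closed / filtered / open|filtered / ...
    reason: str     # what --reason prints, e.g. syn-ack or no-response
    service: str
    version: str
    probed: bool    # True if -sV really probed the service, False for a port-table guess

def parse_nmap_xml(xml_text: str) -> List[PortResult]:
    # Flatten every <port> of every <host> into PortResult records.
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        host_ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            product = [] if svc is None else [svc.get("product"), svc.get("version")]
            results.append(PortResult(
                host=host_ip, proto=port.get("protocol"), port=int(port.get("portid")),
                state=state.get("state"), reason=state.get("reason"),
                service="" if svc is None else svc.get("name", ""),
                version=" ".join(p for p in product if p),
                probed=svc is not None and svc.get("method") == "probed"))
    return results

def unconfirmed_services(results: List[PortResult]) -> List[PortResult]:
    # Ports whose service name is only a port-number guess: verify the banner by hand.
    return [r for r in results if not r.probed]
```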

Nmap Scripting Engine

  • Scans can be enriched with scripts that are executed against the discovered ports
  • Either use default scripts:
sudo nmap <target> -sC
  • Or run specific scripts, or whole script categories, explicitly:
sudo nmap <target> --script <script-name>,<script-name>,...
sudo nmap <target> --script <category>
  • Scripts fall into 14 categories:
    Category     Description
    auth         Determination of authentication credentials.
    broadcast    Scripts used for host discovery by broadcasting; the discovered hosts can be added automatically to the remaining scans.
    brute        Scripts that try to log in to the respective service by brute-forcing credentials.
    default      Default scripts, executed by using the -sC option.
    discovery    Evaluation of accessible services.
    dos          Scripts that check services for denial-of-service vulnerabilities; used less often since they can harm the services.
    exploit      Scripts that try to exploit known vulnerabilities for the scanned port.
    external     Scripts that use external services for further processing.
    fuzzer       Scripts that identify vulnerabilities and unexpected packet handling by sending varied field values, which can take much time.
    intrusive    Intrusive scripts that could negatively affect the target system.
    malware      Checks whether the target system is infected with malware.
    safe         Defensive scripts that do not perform intrusive or destructive access.
    version      Extension for service detection.
    vuln         Identification of specific vulnerabilities.

Performance

  • For large or complex scans, tuning performance may be necessary
  • Presets for scan speed: -T <0-5>
  • Shorten request timeouts: --min-rtt-timeout
  • Maximum number of retries if a port does not send a response: --max-retries
  • Number of requests sent simultaneously: --min-rate

Firewall and IDS/IPS Evasion

  • The ACK scan (-sA) is the most difficult one for security measures to prevent
  • If we have virtual private servers at our disposal, we can be noisy at first and change strategy if any security system blocks us
  • Use decoys if our IP addresses are getting blocked: -D RND:<amount>; however, these decoys need to be alive in the network
  • Send requests from source port 53 so that they resemble DNS traffic: --source-port 53

Cheat Sheet

Scanning Options

  Nmap Option                 Description
  10.10.10.0/24               Target network range.
  -sn                         Disables port scanning.
  -Pn                         Disables ICMP Echo Requests.
  -n                          Disables DNS resolution.
  -PE                         Performs the ping scan by using ICMP Echo Requests against the target.
  --packet-trace              Shows all packets sent and received.
  --reason                    Displays the reason for a specific result.
  --disable-arp-ping          Disables ARP Ping Requests.
  --top-ports=<num>           Scans the specified number of top ports that have been defined as most frequent.
  -p-                         Scans all ports.
  -p22-110                    Scans all ports between 22 and 110.
  -p22,25                     Scans only the specified ports 22 and 25.
  -F                          Scans the top 100 ports.
  -sS                         Performs a TCP SYN scan.
  -sA                         Performs a TCP ACK scan.
  -sU                         Performs a UDP scan.
  -sV                         Scans the discovered services for their versions.
  -sC                         Performs a script scan with scripts that are categorized as "default".
  --script <script>           Performs a script scan by using the specified scripts.
  -O                          Performs an OS detection scan to determine the OS of the target.
  -A                          Performs OS detection, service detection, and traceroute scans.
  -D RND:5                    Sets the number of random decoys that will be used to scan the target.
  -e                          Specifies the network interface that is used for the scan.
  -S 10.10.10.200             Specifies the source IP address for the scan.
  -g                          Specifies the source port for the scan.
  --dns-server <ns>           DNS resolution is performed by using the specified name server.

Output Options

  Nmap Option                 Description
  -oA filename                Stores the results in all available formats, starting with the name "filename".
  -oN filename                Stores the results in normal format with the name "filename".
  -oG filename                Stores the results in "grepable" format with the name "filename".
  -oX filename                Stores the results in XML format with the name "filename".

Performance Options

  Nmap Option                 Description
  --max-retries <num>         Sets the number of retries for scans of specific ports.
  --stats-every=5s            Displays the scan's status every 5 seconds.
  -v/-vv                      Displays verbose output during the scan.
  --initial-rtt-timeout 50ms  Sets the specified time value as initial RTT timeout.
  --max-rtt-timeout 100ms     Sets the specified time value as maximum RTT timeout.
  --min-rate 300              Sets the number of packets that will be sent simultaneously.
  -T <0-5>                    Specifies the timing template.