Network Mapper - NMAP
Discover hidden ports and vulnerabilities with NMAP
NMAP is the most common port scanning tool. For Windows there is Advanced Port Scanner.
TCP Connect Scans
A TCP connect scan (`-sT`) performs the full three-way handshake with the target server.

| Port Type | Response Flag |
|---|---|
| Open | SYN/ACK |
| Closed | RST |
| Filtered | - |

A firewall can easily be configured to answer TCP requests with RST, so that a filtered port looks closed to the scanner:
`iptables -I INPUT -p tcp --dport <port> -j REJECT --reject-with tcp-reset`
SYN Scans - “Half-open”
SYN scans (`-sS`) scan ports in a similar way to TCP connect scans, but nmap sends back an RST packet after receiving the SYN/ACK from the server, so the handshake is never completed. SYN scans are the default nmap scan when run with sudo permission.
Advantages over TCP connect scan:
- Older intrusion detection systems may only look for a full three-way handshake.
- Connections are often only logged when completed.
- Significantly faster.
Disadvantages:
- root/sudo permission required.
- Unstable services could crash; keep this in mind in a production environment.
UDP Scans
Unlike TCP, UDP is stateless. UDP scans (`-sU`) are more difficult and slower. When a UDP packet is sent to an open UDP port, there is usually no response at all, so nmap can only report the port as `open|filtered`.

| Port Type | Response | Result |
|---|---|---|
| Open | - | open / filtered |
| Open | UDP response | open (rare) |
| Closed | ICMP packet | closed |
| Filtered | - | open / filtered |

UDP scans are very slow: scanning the top 100 ports typically takes around 20 minutes. Limit the number of ports with `--top-ports <number>`.
NULL, FIN and Xmas
NULL scans (`-sN`) are TCP requests with no flags set. The target should respond with RST if the port is closed.
FIN scans (`-sF`) are TCP requests that contain only the FIN flag.
Xmas scans (`-sX`) send a malformed TCP packet with the PSH, URG and FIN flags set.
In all three of these rarer scan types, no response is expected if the port is open.

| Port Type | Response | Result |
|---|---|---|
| Open | - | open / filtered |
| Closed | RST packet | closed |
| Filtered | ICMP packet | filtered |
| Filtered | - | open / filtered |
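From the defender's side, the flag combinations in the SYN and NULL/FIN/Xmas sections are easy to spot in firewall logs. The following Python is an added example (not part of these notes) that classifies iptables LOG lines by the flag set of each probe and flags sources that sweep many ports; it assumes the field layout of the kernel's LOG target, and the sample lines, hosts and threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (same field layout as the kernel's LOG target,
# including its "CWR ECE URG ACK PSH RST SYN FIN" flag order); the hosts are invented.
SAMPLE_LOG = """\
Jan 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.10 LEN=40 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.10 LEN=40 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.10 LEN=40 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.10 LEN=40 PROTO=TCP SPT=50002 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan 10 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.10 LEN=40 PROTO=TCP SPT=50002 DPT=110 WINDOW=1024 RES=0x00 URGP=0
Jan 10 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.0.20 DST=192.168.0.10 LEN=52 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Source address, destination port, and the flag words between RES=... and URGP=.
LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+) .*?RES=\S+ (.*?)URGP=")

# Probes from the NULL/FIN/Xmas table above: no legitimate client opens a
# connection with these flag sets, so one such packet is already a strong signal.
MALFORMED = {"null", "fin", "xmas"}


def probe_type(flags):
    """Name the nmap scan type whose first packet carries exactly these TCP flags."""
    f = frozenset(flags)
    if not f:
        return "null"                     # -sN: no flags at all
    if f == {"FIN"}:
        return "fin"                      # -sF
    if f == {"FIN", "PSH", "URG"}:
        return "xmas"                     # -sX
    if f == {"SYN"}:
        return "syn"                      # first packet of both -sS and -sT
    return "other"


def summarize(log_text, port_threshold=3):
    """Per source: distinct destination ports and probe types seen, and a verdict.
    A source is suspicious when it touches >= port_threshold ports (SYN sweep)
    or sends any malformed-flag probe."""
    ports, kinds = defaultdict(set), defaultdict(set)
    for m in LINE_RE.finditer(log_text):  # '.' never crosses a newline, so one hit per line
        src, dport, kind = m.group(1), int(m.group(2)), probe_type(m.group(3).split())
        ports[src].add(dport)
        kinds[src].add(kind)
    return {src: {"ports": sorted(ports[src]),
                  "probes": sorted(kinds[src]),
                  "suspicious": len(ports[src]) >= port_threshold or bool(kinds[src] & MALFORMED)}
            for src in ports}
```

Note that a single SYN packet cannot tell `-sS` from `-sT`; the difference only shows up in whether the handshake completes, which is exactly why SYN scans evade connection-based logging.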
ICMP Network Scanning
In a technique called ping sweeping, nmap sends ICMP packets (`-sn`) to each IP address in the network. IPs that respond are marked as alive. For example `nmap -sn 192.168.0.0/24` or `nmap -sn 192.168.0.0-255`.
Nmap Scripting Engine - NSE
A powerful addition that extends nmap with functionality such as vulnerability scanning and automated exploitation. Scripts are written in Lua. Particularly useful for reconnaissance.
Some useful categories:
- safe - won't affect the target
- intrusive - likely to affect the target
- vuln
- exploit - attempts exploitation
- auth - bypass authentication, e.g. anonymous login attempts
- brute
- discovery
- full list of categories
Using NSE
Run scripts with `--script=SCRIPT_NAME,OTHER_SCRIPT` and pass script arguments with `--script-args`. For example:
`nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'`
All scripts and their arguments can be found here.
Finding NSE scripts
Nmap stores scripts in `/usr/share/nmap/scripts`.
To search them, `/usr/share/nmap/scripts/script.db` can be used with grep:
`grep "ftp" /usr/share/nmap/scripts/script.db`
Installing scripts
Manually:
`sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse`
Automatically:
`sudo apt update && sudo apt install nmap`
Firewall Evasion
With the default configuration nmap pings hosts to see if they are up. The Windows firewall, for example, drops all ICMP packets. With the `-Pn` flag nmap skips the ping and treats all targets as alive. Unfortunately this may take a long time. On a local network nmap can use ARP requests instead.
- `-f` - fragments packets, making them less likely to be detected by a firewall.
- `--scan-delay <time>ms` - delay between packets sent. For unstable networks and time-based firewalls.
- `--badsum` - sends packets with an invalid checksum. A real TCP/IP stack drops these, but firewalls could respond automatically, so this can be used to determine the presence of a firewall.
Disclaimer
Please note that unauthorised port scanning is illegal, so confirm that you have permission to do so.