Every time you want to pentest / hack something, you normally start with an NMAP scan. Interestingly, targets have started taking measures to safeguard themselves, so it is worth knowing how to use NMAP effectively. In this guide we will see the basic details and meaning of the majority of the options available in NMAP.
Part 1 : https://ethicalhackx.com/nmap-tutorial-part-1/
NMAP Scan Types
TCP SYN Scan ( -sS )
In a TCP SYN scan the three-way handshake is never completed, so no session is created on the target system and the target keeps no logs of your NMAP activity. This means you can use it where hiding yourself is the first priority. root/administrator privileges are required for this scan.
We will also look at this in Wireshark to understand better what a TCP SYN scan (half-open scan) is.
root@ETHICALHACKX:~# nmap -sS -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:51 IST
Nmap scan report for 192.168.56.103
Host is up (0.00019s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

So we can see above in Wireshark that the TCP SYN scan does not complete the three-way handshake. The connect() method is not invoked, hence no connection is established, and hence no logs.
TCP Connect Scan ( -sT )
A TCP Connect scan, unlike the SYN scan, uses the operating system's connect() call, which creates a connection and thus completes the three-way handshake. This is the default scan when root/admin is not available. Keep in mind this is only for TCP and not UDP ports. We will also see in the Wireshark logs how this differs from the SYN scan.
root@ETHICALHACKX:~# nmap -sT -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:53 IST
Nmap scan report for 192.168.56.103
Host is up (0.00022s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@ETHICALHACKX:~#

Notice the difference in the SYN/ACK packets between the SYN and Connect() scans.
UDP Scan ( -sU)
A UDP scan looks for open UDP ports on the target machine. If the port sends an appropriate response it is reported open; otherwise it is reported closed, or open|filtered when no reply comes back at all (as seen in the output below).
root@ETHICALHACKX:~# nmap -sU 192.168.56.103 -F
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:54 IST
Nmap scan report for 192.168.56.103
Host is up (0.00030s latency).
Not shown: 93 closed ports
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
111/udp  open          rpcbind
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
2049/udp open          nfs
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 99.21 seconds
root@ETHICALHACKX:~#
So we see the result: all the open UDP ports on the target machine.
FIN Scan ( -sF )
Since cyber awareness is on the rise, firewalls are in place which tend to drop SYN packets. Here the FIN scan comes to our rescue, as only the FIN flag is set (FIN is the "finished" flag, usually sent by the sender). No TCP handshake takes place.
root@ETHICALHACKX:~# nmap -sF -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:56 IST
Nmap scan report for 192.168.56.103
Host is up (0.00039s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
Again we can see in the Wireshark logs that no handshake takes place, and hence no logs are created.

NULL Scan ( -sN )
None of the TCP flags are set, and most of the time the target host is not sure what to do in such a case; the result might be unreliable, as the packet is considered invalid. Windows servers are unlikely to give any useful information, but this is sometimes helpful where a non-Windows server sits behind a firewall.
root@ETHICALHACKX:~# nmap -sN -p 80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:54 IST
Nmap scan report for 192.168.56.103
Host is up (0.00035s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

Xmas Scan ( -sX )
Just like the NULL scan where no flag was set, here the flags are switched on. Again, due to the TCP stack implementation in Windows machines, they won't respond. The Xmas scan sets the FIN, URG and PSH flags in the TCP header.
root@ETHICALHACKX:~# nmap -sX -p80 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 01:05 IST
Nmap scan report for 192.168.56.103
Host is up (0.00026s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
Notice the flags set in Wireshark.
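As an added example (not code from the original post), here is what a packet-level sensor next to the target records for the SYN, Connect, FIN, NULL and Xmas probes described above: even though no connect() happens and the application logs nothing, the probes are still visible on the wire and can be classified from their flags and from the unfinished handshake. The packet records and the scanner address are constructed for this example.

```python
# Added example, not from the original post: classify the TCP probes discussed
# above the way a packet-level sensor beside the target would, and count
# half-open (SYN scan) sessions. The packet records are constructed by hand.
from collections import Counter, defaultdict

# Unsolicited probe flag sets for -sN, -sF and -sX (no handshake at all)
PROBE_SIGNATURES = {
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
}
def scan_report(packets):
    """packets: (src, dst, sport, dport, flags) in capture order -> {src: Counter}."""
    sessions = {}          # (client, server, sport, dport) -> handshake state
    report = defaultdict(Counter)
    for src, dst, sport, dport, flags in packets:
        f = frozenset(flags)
        key, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if f == {"SYN"}:                                           # step 1
            sessions[key] = "syn"
        elif f == {"SYN", "ACK"} and sessions.get(rev) == "syn":   # step 2
            sessions[rev] = "synack"
        elif f == {"ACK"} and sessions.get(key) == "synack":       # step 3
            sessions[key] = "established"       # connect() scan completes it
            report[src]["completed handshake (-sT)"] += 1
        elif "RST" in f and sessions.get(key) == "synack":
            # SYN scan tears the half-open session down instead of step 3
            report[src]["half-open SYN scan (-sS)"] += 1
            del sessions[key]
        elif f in PROBE_SIGNATURES:
            report[src][PROBE_SIGNATURES[f]] += 1
    return report

SCANNER, TARGET = "192.168.56.1", "192.168.56.103"
PACKETS = [  # constructed trace mirroring the captures described in the text
    (SCANNER, TARGET, 40001, 80, {"SYN"}),                # -sS on port 80
    (TARGET, SCANNER, 80, 40001, {"SYN", "ACK"}),
    (SCANNER, TARGET, 40001, 80, {"RST"}),
    (SCANNER, TARGET, 40002, 80, {"SYN"}),                # -sT on port 80
    (TARGET, SCANNER, 80, 40002, {"SYN", "ACK"}),
    (SCANNER, TARGET, 40002, 80, {"ACK"}),
    (SCANNER, TARGET, 40002, 80, {"RST", "ACK"}),         # normal close
    (SCANNER, TARGET, 40003, 80, {"FIN"}),                # -sF
    (SCANNER, TARGET, 40004, 80, set()),                  # -sN
    (SCANNER, TARGET, 40005, 80, {"FIN", "PSH", "URG"}),  # -sX
]
if __name__ == "__main__":
    for src, seen in scan_report(PACKETS).items():
        print(src, dict(seen))
```

The same session-tracking logic can be fed with records decoded from a real capture; only the half-open counter needs the SYN/ACK to be observed, so it must run where both directions of traffic are visible.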

RPC Scan
An RPC (Remote Procedure Call) scan probes the target for any ports which respond to RPC calls. Since RPC services can run on a number of ports, this scan tries to list the RPC programs along with their versions. RPC allows remote calls to execute on the target system under certain conditions, and you are lucky if you get one of these, so sometimes it is a good idea to scan for them.
Bounce Scan
The Bounce scan is named after an old loophole in the FTP protocol (mostly fixed now). When you scan through the FTP server it "bounces" the scan packets to the connected internal network, which is normally not accessible, and this may sometimes breach the firewall. So a valid FTP server must be present and attached to the network you are trying to "bounce scan".
Idle Scan
Idle scan is a very controversial method and a very stealthy one, as it can only be used for malicious purposes. It is one of the stealthiest scans. The packets need to bounce off a zombie host, which you do not need to control but which has to meet some conditions.
Ping Scan ( -sP & -sn )
A ping scan is used to check whether the host is alive. -sn (formerly -sP) means no port scan is done.
root@ETHICALHACKX:~# nmap -sn 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:58 IST
Nmap scan report for 192.168.56.103
Host is up (0.00032s latency).
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
Version Detection ( -sV )
A version detection scan tells you the version of the services running on the respective ports; this helps you determine the related exploits for those particular versions, which greatly helps in hacking / penetration testing. In the result below I have scanned only a few ports to keep the result short, as Metasploitable2 has many open ports.
root@ETHICALHACKX:~# nmap -sV -p1-50 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-01 23:32 IST
Nmap scan report for 192.168.56.103
Host is up (0.0016s latency).
Not shown: 46 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
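As an added example (not code from the original post), the port table that -sV prints can be parsed into records so the findings are usable in a script rather than read by eye; the sample below is the page's own -sV output plus one UDP line from the -sU scan, and the list of cleartext services is an assumption of this example.

```python
# Added example, not from the original post: parse the port table of Nmap's
# normal output into records and pick out open services that carry logins in
# clear text, which is what a defender reading this scan would fix first.
# The sample is the page's own -sV output plus one UDP line from the -sU scan.
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
# Services seen on this host that send credentials unencrypted (fixed list,
# an assumption of this example)
CLEARTEXT_SERVICES = {"ftp", "telnet", "exec", "login", "shell"}

def parse_port_table(text):
    """One dict per PORT line; header, banner and script lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        records.append({"port": int(port), "proto": proto, "state": state,
                        "service": service, "version": version or ""})
    return records

def open_cleartext(records):
    """Ports confirmed open (not open|filtered) running a cleartext service."""
    return sorted(r["port"] for r in records
                  if r["state"] == "open" and r["service"] in CLEARTEXT_SERVICES)

SAMPLE = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
68/udp open|filtered dhcpc
"""

if __name__ == "__main__":
    recs = parse_port_table(SAMPLE)
    print(len(recs), "ports parsed; cleartext logins on", open_cleartext(recs))
```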
OS Detection Scan ( -O )
An OS detection scan tries to guess the operating system on the target machine. The nmap-os-db database contains about 2600 operating systems; Nmap sends TCP and UDP packets and compares the responses against the database, resulting in an identification of the operating system on the target machine. If you go through the lines you can notice this is mostly based on the ports detected. The OS detection scan may also give unreliable results sometimes, and the result might match many entries in nmap-os-db.
root@ETHICALHACKX:~# nmap -O 192.168.56.102
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 00:04 IST
Nmap scan report for 192.168.56.102
Host is up (0.00040s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 08:00:27:6C:38:0C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
root@ETHICALHACKX:~# nmap -O 192.168.56.103
In case of unreliable OS scan results, you might use the --osscan-guess argument.
Aggressive Scan ( -A )
Scan aggressively to harvest as much information as possible. Be careful about the network before you run this.
root@ETHICALHACKX:~# nmap -A 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 00:21 IST
Nmap scan report for 192.168.56.103
Host is up (0.00047s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-11-02T00:22:02+00:00; +5h29m58s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  shell       Netkit rshd
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 10
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, ConnectWithDatabase, SupportsCompression, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, Support41Auth
|   Status: Autocommit
|_  Salt: R^`I-DN9t]Si8y{|{wci
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2019-11-02T00:22:02+00:00; +5h29m59s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h29m58s, deviation: 0s, median: 5h29m57s
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.08 seconds
root@ETHICALHACKX:~#
Timing Template and Performance
| Template | T0 | T1 | T2 | T3 | T4 | T5 |
|---|---|---|---|---|---|---|
| Name | Paranoid | Sneaky | Polite | Normal | Aggressive | Insane |
This can be used like any other argument by appending -T5, -T4, and so on.
IDS Evasion while Scanning
In the scan types discussed above, we talked about NMAP getting caught by a firewall or IPS/IDS. Let's scan with some evasion techniques.
Decoy Scan ( -D )
This specifies a zombie machine while scanning. I wonder what it does when you specify an IP which belongs to the same internal network as the scan initiator. Watch the Wireshark log for the Decoy scan. Keep in mind that router path tracing can reveal the actual IP of the machine doing the scan behind the zombie IP. And the zombie IP you are using had better be up.
root@ETHICALHACKX:~# nmap -p 22 -D 192.168.56.111 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 00:38 IST
Nmap scan report for 192.168.56.103
Host is up (0.00034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
root@ETHICALHACKX:~#

Fragmented Scan ( -f )
Fragmented packets mean the actual IP packet is divided into many tiny pieces so that packet capture / filters can be evaded. Be cautious that the fragmented packets sometimes might not be usable at the other end on the target machine, so it all depends on the scan type and the timing of the packets here.
Spoof Source Port Number ( --source-port ; -g )
What if a firewall is set up to allow/drop packets based on a port number? Or the network admin is monitoring your NMAP activity coming from a fixed port? Or you just want the traffic to appear to come from a fixed port number of your choice.
root@ETHICALHACKX:~# nmap -p 44 -g 22 -D 192.168.56.222 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 01:03 IST
Nmap scan report for 192.168.56.103
Host is up (0.00037s latency).

PORT   STATE  SERVICE
44/tcp closed mpm-flags
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
I have combined the Decoy scan and source port here.

Nmap Scripts
Default Script Scan ( -sC )
Banner Grabbing Scan ( --script banner )
root@ETHICALHACKX:~# nmap -script banner 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 01:01 IST
Nmap scan report for 192.168.56.103
Host is up (0.0013s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp   open  telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp   open  smtp
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
|_banner: \x01Where are you?
513/tcp  open  login
514/tcp  open  shell
|_banner: \x01getnameinfo: Temporary failure in name resolution
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
|_banner: root@metasploitable:/#
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
|_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.56.103]
3306/tcp open  mysql
| banner: >\x00\x00\x00\x0A5.0.51a-3ubuntu5\x00\x0D\x00\x00\x00@>TnO|E$\x
|_00,\xAA\x08\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\...
5432/tcp open  postgresql
5900/tcp open  vnc
|_banner: RFB 003.003
6000/tcp open  X11
6667/tcp open  irc
| banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostna
|_me...\x0D\x0A:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resol...
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:14:6D:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.67 seconds
root@ETHICALHACKX:~#
So these were the basics of NMAP. I hope this was informational and useful. In the next part we will see some useful NMAP scripts, like scanning a target for vulnerabilities with NMAP, and more.