Cheat Sheet : Nmap

Nmap

Nmap is the industry-standard tool for port scanning. It also has a scripting engine (NSE) that uses the Lua language to extend its capabilities into other kinds of port scans, service probes and even exploits. Being cross-platform, it is the usual starting point when you have little information about a machine beyond an IP address or subnet. Below is a basic cheat sheet with examples for some common uses.

Discovery Scans:
Option    Description
--------------------
-sP       Ping scan
-sL       List scan
-sO       IP protocol scan
-sV       Version scan

Common Switches:
Option     Description
--------------------------
-n         Skip DNS resolution
-sn        Disable port scan (host discovery only)
-Pn        Skip host discovery (treat every host as up)
-PO        IP protocol ping
-PE        ICMP echo ping
-PP        ICMP timestamp ping (useful if they only disable echo request)
-PM        ICMP netmask ping (useful if they only disable echo request)
-sO        IP protocol ID scan
-p         Ports
-sV        Version scan
-O         Operating system detection
-sC        Default script scan
--traceroute   Trace the path to the host
-A         Aggressive scan: version scan (-sV), OS detection (-O), default script scan (-sC) and traceroute (--traceroute) in one scan
-sU        UDP scan
-T [0-5]   Timing template, 5 is the fastest
-v         Verbose output
-sA        ACK scan (to see whether a port is filtered or unfiltered)
-oN/-oX/-oS/-oG   Output in normal, XML, script kiddie and grepable format, in that order. With these you add the file extension to the filename yourself. -oA writes all major formats at once. Example: nmap -oA rays-scan 10.0.0.115
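The XML that -oX or -oA writes is the format worth keeping, because it can be parsed and diffed against an earlier baseline instead of eyeballed. The script below is an added example, not code from the original post or from the Nmap project: it reads only the nmaprun/host/address/ports/port/state/service elements that real Nmap XML contains, and the two XML documents embedded in it are constructed samples, not real scan output. The function names open_ports and diff_scans are my own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]                    # (protocol, port number)
HostPorts = Dict[str, Dict[PortKey, str]]    # address -> {(proto, port): service name}

# Constructed sample, shaped like the output of `nmap -oX baseline.xml 10.0.0.115`.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX baseline.xml 10.0.0.115">
  <host><status state="up"/><address addr="10.0.0.115" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample for a later scan of the same host: 80 is gone, 3389 appeared.
TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX today.xml 10.0.0.115">
  <host><status state="up"/><address addr="10.0.0.115" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text: str) -> HostPorts:
    """Map every IPv4 host in an Nmap XML report to its open ports and service names."""
    result: HostPorts = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        ports: Dict[PortKey, str] = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not inventory
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr] = ports
    return result


def diff_scans(baseline: HostPorts, current: HostPorts) -> Dict[str, Dict[str, List[PortKey]]]:
    """Per host, which ports opened or closed between two parsed scans."""
    changes: Dict[str, Dict[str, List[PortKey]]] = {}
    for addr in sorted(set(baseline) | set(current)):
        old = set(baseline.get(addr, {}))
        new = set(current.get(addr, {}))
        opened, closed = sorted(new - old), sorted(old - new)
        if opened or closed:
            changes[addr] = {"opened": opened, "closed": closed}
    return changes


if __name__ == "__main__":
    for addr, change in diff_scans(open_ports(BASELINE_XML), open_ports(TODAY_XML)).items():
        print(addr, "opened:", change["opened"], "closed:", change["closed"])
```

Run this over two real -oX files and the "opened" list is the thing a blue team wants to review after every scheduled scan: a new listener is either a change someone approved or something to investigate.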

Here are some common scan switches and the expected result if the port is open or closed, for both Windows and Linux (SA = SYN/ACK, RA = RST/ACK, a single - means no response). Also note that for the scans after -sT and -sS the result is RA RA on Windows: Windows does not follow the normal network convention for those scan types and always answers RA, so those scans do not work against Windows.

Option    Description
------------------------------------------------------------------------------------------
-sT       Full connect scan (completes the full 3-way handshake)
-sS       Stealth scan / half-open (sends SYN, receives SYN/ACK, never completes the handshake)
-sN       Null scan (no flags set, trying to evade IDS)
-sX       Xmas scan (sets URG, PSH and FIN flags only)
-sF       FIN scan (sets only the FIN flag, trying to evade IDS)
------------------------------------------------------------------------------------------

Idle Scan: Let's say I have an attacker machine (A) with an IP of 10.0.0.100 and a target server (T) at 10.0.0.102. In the victim's network there is a computer (Z) at 10.0.0.104 that is idle, with no traffic coming or going. From A I craft this packet: hping3 -S 10.0.0.104. This sends SYN packets continuously to Z. In my command window I watch Z's IPID: if it increments by one each time, I know Z is idle, because every packet that leaves a host increments that host's IPID (this assumes the host uses one global, sequential IPID counter). If instead it increments by 5, 8, 10 etc. between my probes, Z is not idle and is sending packets other than its responses to my SYNs. Once that is determined, I open another terminal on A and craft this packet to T: hping3 -a 10.0.0.104 -S -p 80 10.0.0.102 -c 1. The -a means spoof the source address; here I am spoofing the address of Z. -S means send a SYN packet. -p 80 means send the SYN to port 80 of 10.0.0.102 (T). -c 1 means send a count of one packet. So I keep watching the original terminal, where the IPID is incrementing by one, and send this command. If port 80 is open on T, the IPID of Z will jump by 2 for that one packet. The reason: when T gets a SYN to an open port it responds with a SYN/ACK, but it sends it to Z, not A, because of the spoofed source address. When a host receives a SYN/ACK out of the blue, having never sent a SYN, it replies with an RST/ACK. Because a packet left Z, Z's IPID increments by one more. So the reason it jumps by 2 in A's terminal is that Z was already answering my probes (an increment of one), and for this probe it also sent T its RST/ACK, hence the jump of 2.
If port 80 had been closed, T would have sent Z an RST/ACK, to which Z has no response, so Z never sends an extra packet and the IPID keeps incrementing by one. To wrap up: if A sees the IPID jump by 2 for the spoofed packet I send, I know the port is open; if I send the spoofed packet and the IPID keeps incrementing by one, I know the port is closed.
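The IPID reasoning above, as an offline simulation. This is an added example, not code from the original post; it sends no packets. The Zombie class is a toy model of a host with one global, sequentially incrementing IP ID counter, which is the property the inference depends on, and the function names (simulate, infer_port_state, is_idle) are my own. It also covers the case the text mentions only in passing: a zombie that is not actually idle, where the baseline is rejected rather than misread.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Zombie:
    """Model of host Z: every packet it emits bumps a single global IPID counter."""
    ipid: int = 1000
    background_traffic: int = 0   # packets Z sends on its own between two of A's probes

    def send_packet(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF   # IPID is a 16-bit field, so it wraps
        return self.ipid

    def answer_probe(self) -> int:
        """Z answers one SYN from A with one packet; any background noise goes out first."""
        for _ in range(self.background_traffic):
            self.send_packet()
        return self.send_packet()              # the IPID that A sees in Z's reply


def ipid_deltas(observed: List[int]) -> List[int]:
    """Differences between consecutive observed IPIDs, modulo 2^16."""
    return [(b - a) & 0xFFFF for a, b in zip(observed, observed[1:])]


def is_idle(observed: List[int]) -> bool:
    """Z is usable as an idle host only if every probe advanced the IPID by exactly 1."""
    deltas = ipid_deltas(observed)
    return len(deltas) > 0 and all(d == 1 for d in deltas)


def target_reaction(port_open: bool, zombie: Zombie) -> None:
    """What T does with a SYN carrying Z's spoofed source address.
    Open port:   T sends SYN/ACK to Z, Z answers with RST/ACK -> one extra packet leaves Z.
    Closed port: T sends RST/ACK to Z, Z ignores it            -> nothing extra leaves Z."""
    if port_open:
        zombie.send_packet()


def infer_port_state(before: int, after: int) -> str:
    """Classify from the IPID jump across the spoofed probe, exactly as the text describes."""
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "inconclusive"                      # zombie emitted other traffic meanwhile


def simulate(port_open: bool, noise: int = 0) -> str:
    z = Zombie(background_traffic=noise)
    baseline = [z.answer_probe() for _ in range(5)]   # watching the hping3 -S output
    if not is_idle(baseline):
        return "zombie-not-idle"               # increments of 5, 8, 10...: do not proceed
    before = baseline[-1]
    target_reaction(port_open, z)              # the spoofed SYN reaches T
    after = z.answer_probe()                   # next reply to A's continuing probes
    return infer_port_state(before, after)


if __name__ == "__main__":
    print("open port    ->", simulate(True))
    print("closed port  ->", simulate(False))
    print("noisy zombie ->", simulate(True, noise=3))
```

The defensive takeaway is the precondition, not the inference: a host whose IPID advances globally by exactly one per packet is both a usable zombie and a traffic-volume leak. Modern operating systems randomize the IPID or use per-destination counters, and a quick run of the baseline check above against your own hosts shows which ones still do not.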

------------------------------------------------------------------------------------------
NMAP Scripting: https://nmap.org/nsedoc/ has a list of all the scripts included in Nmap. Scripts end in the .nse extension and use Lua as the scripting language. The categories are pretty self-explanatory, but the one to watch is safe versus not safe. If you are doing a pentest and the customer contract states there will be no disruption of the network during business hours, make sure you only run the scripts in the safe category. These have been tested to be passive in nature, unlike some of the brute-force and exploit scripts.

* NSE script categories
* auth: scripts related to user authentication. nmap --script auth 10.10.10.12
* broadcast: a very interesting category of scripts that use broadcast requests to gather information.
* brute: scripts that help conduct brute-force password auditing.
* default: scripts that run when a script scan is requested (-sC). nmap --script default 10.10.10.12
* discovery: scripts related to host and service discovery. Ideal when you need as much information as possible about a specific target. nmap --script discovery 10.10.10.12
* dos: scripts related to denial of service attacks.
* exploit: scripts that exploit security vulnerabilities.
* external: scripts that depend on a third-party service. For example, the whois script performs an automatic web whois lookup on the target and discovers additional information such as geographical location, organization name and net range. nmap --script external scanme.nmap.org
* fuzzer: NSE scripts focused on fuzzing.
* intrusive: scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong here.
* malware: scripts related to malware detection.
* safe: scripts that are considered safe in all situations. nmap --script safe 10.10.10.12
* version: scripts used for advanced version detection.
* vuln: scripts related to security vulnerabilities.

* You can run multiple scripts at once: $ nmap --script http-headers,http-title scanme.nmap.org

* Run all the scripts in the vuln category: $ nmap -sV --script vuln <target>

* Run the scripts in the categories version or discovery: $ nmap -sV --script "version,discovery" <target>

* Run all the scripts except the ones in the exploit category: $ nmap -sV --script "not exploit" <target>

* Run all HTTP scripts except http-brute and http-slowloris: $ nmap -sV --script "(http-*) and not (http-slowloris or http-brute)" <target>

* Help for a script or a wildcard group: nmap --script-help "ftp-*"

* nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p21 --script=banner,ftp-anon,ftp-bounce 10.0.0.115 . --scan-delay is the delay between each probe, -g spoofs the source port (source port 53 is usually let through a firewall), -Pn and -n skip host discovery (no ARP/ICMP ping) and DNS resolution.

* nmap --script-help "ssh-*" (also try "ssh*" without the hyphen to list more scripts). nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p22 --script=sshv1 <target>

* nmap --script-help "smtp-*" then nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p25 --script=smtp-brute,smtp-enum-users 10.0.0.115

* nmap --script-help "dns-*" then nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p53 --script=dns-cache-snoop,dns-service-discovery,dns-update,dns-zone-transfer,dns-recursion 10.0.0.115 . DNS cache snooping is something most people don't realize exists: DNS servers love to cache domains, and the dns-cache-snoop script ships with a list of about 100 domains (facebook, wikipedia, etc.), so the script's list can be modified with other domains of interest.

* GitHub is a great place to find NSE scripts that others have written. Here is an example of cloning a repo onto Kali and adding the script to Nmap: download a script such as https://github.com/SpiderLabs/Nmap-Tools/blob/master/NSE/http-screenshot.nse, copy it into Nmap's scripts directory (/usr/local/share/nmap/scripts/ for a source install, /usr/share/nmap/scripts/ for the Kali package) and then run nmap --script-updatedb. In a Kali terminal: git clone git://github.com/SpiderLabs/Nmap-Tools.git, then cd Nmap-Tools/NSE/, then cp http-screenshot.nse /usr/share/nmap/scripts, and finally nmap --script-updatedb. After that you can run nmap --script-help "http-screenshot" to confirm it is registered.
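The safe-only contract case described at the top of this section and the install procedure just above both come down to one question: what does the script's own categories line declare, and does it clear the policy before it is copied into the scripts directory? The auditor below is an added example, not code from the original post, from Nmap or from the GitHub repository mentioned above. It parses the `categories = {...}` assignment that every NSE script carries in its header; the two script headers embedded in it are constructed stand-ins, not real scripts, and the policy names (DISRUPTIVE, verdict, audit) are my own.

```python
import re
from typing import Dict, List, Set

# Categories the Nmap docs describe as able to crash things, make noise, brute
# force or exploit. A "safe scripts only" engagement runs none of these.
DISRUPTIVE: Set[str] = {"brute", "dos", "exploit", "fuzzer", "intrusive"}

# NSE headers declare categories as a Lua table literal, e.g. categories = {"default", "safe"}
CATEGORIES_RE = re.compile(r'^\s*categories\s*=\s*\{([^}]*)\}', re.MULTILINE)
QUOTED_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')

# Constructed stand-in for a third-party script header (not a real NSE script).
SAFE_SCRIPT = '''
description = [[
Reads the banner of an FTP service.
]]
author = "constructed example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
'''

# Constructed stand-in for a password-guessing script header (not a real NSE script).
BRUTE_SCRIPT = '''
description = [[
Performs password guessing against an FTP service.
]]
categories = {"brute", "intrusive"}
'''

# A file with no categories line at all: unknown behaviour, so it is not allowed either.
NO_CATEGORIES = 'description = "script without a categories line"\n'


def categories_of(nse_text: str) -> List[str]:
    """Extract the category names from an NSE script's header, in declaration order."""
    match = CATEGORIES_RE.search(nse_text)
    if not match:
        return []
    return [dq or sq for dq, sq in QUOTED_RE.findall(match.group(1))]


def verdict(categories: List[str]) -> str:
    """Apply the safe-only policy: reject disruptive scripts, flag unmarked ones, allow safe ones."""
    if not categories:
        return "reject: no categories declared"
    disruptive = sorted(set(categories) & DISRUPTIVE)
    if disruptive:
        return "reject: " + ", ".join(disruptive)
    if "safe" not in categories:
        return "review: not marked safe"
    return "allow"


def audit(scripts: Dict[str, str]) -> Dict[str, str]:
    """Map each script (filename -> file contents) to its policy verdict."""
    return {name: verdict(categories_of(text)) for name, text in scripts.items()}


if __name__ == "__main__":
    sample = {"ftp-banner.nse": SAFE_SCRIPT, "ftp-guess.nse": BRUTE_SCRIPT, "odd.nse": NO_CATEGORIES}
    for name, result in audit(sample).items():
        print(f"{name:18} {result}")
```

To use it on real files, read each .nse file from the clone before the cp step and only copy the ones that come back "allow"; anything that comes back "review" deserves a look at its source, because `--script safe` will not select a script that never declared itself safe, but an explicit `--script=name` will still run it.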

--------------------------------------------------------------------------------------------
Evasion Techniques:

* SYN scan (-sS) is still the stealthiest scan; always do one.

* Source port manipulation: DNS tcp/53, FTP-data tcp/20, Kerberos tcp or udp/88 and DHCP udp/67. The syntax is --source-port or -g. A common mistake administrators make when configuring firewalls is a rule that allows all incoming traffic that comes from a specific source port number. The --source-port option of Nmap can be used to exploit this misconfiguration; common ports for this type of scan are 20, 53 and 67. Example: nmap --source-port 53 scanme.nmap.org . This does not work with TCP connect scans, DNS requests, OS detection or script scanning.

* Fragmentation: -f (fragment packets) or --mtu (use the specified MTU). This splits the TCP header over several packets to make it harder for packet filters to see what is going on. Specify -f once to split packets into eight bytes or less after the IP header, or specify -f twice (-ff) to use 16 bytes per fragment. Generally not supported for connect scans, FTP bounce, version detection or the scripting engine. This technique was very effective in the old days; it can still work against a firewall that is not properly configured, since fragmenting can bypass its packet inspection. Example: nmap -f 10.0.0.100 . If you run Wireshark during this scan you will see packets marked "Fragmented IP protocol".

* Scan delay: --scan-delay or --max-scan-delay. Wait at least the given amount of time between each probe, to evade threshold-based IDS and IPS. Nmap tries to detect rate limiting and adjust the scan delay accordingly. A low --max-scan-delay can speed Nmap up; most pentesters go with 3 seconds. Example: --scan-delay 15.5s

* Decoy scanning: -D. Basically you are cloaking a scan with decoys: it makes it appear to the remote host that the hosts you specify as decoys are scanning the target network too, which makes the scan less obvious to various network monitoring systems. Hosts you use as decoys should be up, and use IP addresses instead of names. Can be defeated through router path tracing, response dropping and other active mechanisms. Decoys work with the initial ping scan (ICMP, SYN, ACK), the actual port scanning phase and remote OS detection; they do not work with version detection or TCP connect scans. Keep in mind that the decoy hosts must be online for this technique to work, and that using many decoys can cause network congestion, which you want to avoid especially when scanning a client's network. # nmap -n -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip # nmap -n -D 192.168.1.5,192.168.1.6,192.168.1.7,192.168.1.8 192.168.1.10 (no spaces inside the decoy list).

* Data length: --data-length (append random data to sent packets). One way an IDS recognizes that Nmap is in play is its default packet length signature: TCP probe packets are generally 40 bytes and ICMP echo requests just 28. --data-length appends the given number of random bytes to most of the packets Nmap sends and disables protocol-specific payloads, adding padding that makes the packet look less like a scan packet and more like legitimate traffic. Another way is to change the MTU: Nmap lets you set a specific MTU (Maximum Transmission Unit) for the packets, similar to the fragmentation technique above; during the scan Nmap creates packets sized according to the number you give, so with 24 it creates 24-byte fragments, confusing the firewall. Keep in mind that the MTU must be a multiple of 8 (8, 16, 24, 32, etc.). Syntax: --mtu <number> <target>. Example: nmap --mtu 24 10.10.10.12. For appending data, example: nmap --data-length 25 10.10.10.12 (adds 25 more bytes to each packet).

* Scan in random order: with this technique you scan a number of hosts in random rather than sequential order. The option is --randomize-hosts. Combined with slow timing options it can be very effective when you don't want to alert firewalls. Example: nmap --randomize-hosts 10.10.10.1-20 10.

* Sending bad checksums: checksums are used by TCP/IP to ensure data integrity, but sending packets with incorrect checksums can help you discover information from systems that are not properly configured, or when you are trying to avoid a firewall. Use nmap --badsum 10.0.0.115 to send packets with bad checksums to your targets. In the author's test no results came back, which means the system is properly configured.

* MAC address spoofing: another method for bypassing firewall restrictions during a port scan is spoofing your host's MAC address. This can be very effective if there is a MAC filtering rule that allows only traffic from certain MAC addresses, so you will need to discover which MAC address to set in order to get results. The --spoof-mac option lets you choose a MAC address from a specific vendor, choose a random MAC address, or set a specific MAC address of your choice. Another advantage is that the scan is stealthier, because your real MAC address will not appear in the firewall log files. a. Specify a MAC address from a vendor ---> --spoof-mac Dell/Apple/3Com b. Generate a random MAC address ---> --spoof-mac 0 c. Set a specific MAC address of your choice ---> --spoof-mac <MAC address>. Example: nmap -sT -Pn --spoof-mac Dell 10.10.10.12
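Seen from the firewall side, the source-port trick (-g / --source-port 53) and the timing advice in this section are what a log-based detector has to reason about. The script below is an added example, not code from the original post: it parses constructed iptables-style LOG lines (the lines are made up for this example, not captured traffic) and raises two alerts with rule names and thresholds of my own choosing: a new inbound TCP connection whose source port is a trusted service port but whose destination port is unrelated, and one source hitting many distinct ports inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches the fields this example needs from an iptables LOG line (syslog timestamp,
# SRC/DST, PROTO, optional SPT/DPT, then the rest of the line with TCP flag words).
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)'
    r' .*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$'
)

# Source ports attackers borrow because firewall rules often trust them (see -g above).
SERVICE_SRC_PORTS = {20: "ftp-data", 53: "dns", 67: "dhcp", 88: "kerberos"}
SCAN_PORT_THRESHOLD = 5      # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 10     # ... within this many seconds counts as a scan

# Constructed sample log: a scan from source port 53, one legitimate DNS reply,
# one normal SSH connection and the server's SYN/ACK back to it.
SAMPLE_LOG = [
    "Mar 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.100 DST=10.0.0.115 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=53 DPT=21 WINDOW=1024 SYN URGP=0",
    "Mar 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.100 DST=10.0.0.115 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 SYN URGP=0",
    "Mar 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.100 DST=10.0.0.115 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=53 DPT=25 WINDOW=1024 SYN URGP=0",
    "Mar 12 10:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.100 DST=10.0.0.115 LEN=44 TTL=48 ID=4 PROTO=TCP SPT=53 DPT=80 WINDOW=1024 SYN URGP=0",
    "Mar 12 10:00:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.100 DST=10.0.0.115 LEN=44 TTL=48 ID=5 PROTO=TCP SPT=53 DPT=443 WINDOW=1024 SYN URGP=0",
    "Mar 12 10:00:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.100 DST=10.0.0.115 LEN=44 TTL=48 ID=6 PROTO=TCP SPT=53 DPT=445 WINDOW=1024 SYN URGP=0",
    "Mar 12 10:00:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.53 DST=10.0.0.115 LEN=92 TTL=64 ID=7 PROTO=UDP SPT=53 DPT=41234 LEN=72",
    "Mar 12 10:00:08 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.115 LEN=60 TTL=64 ID=8 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 SYN URGP=0",
    "Mar 12 10:00:09 fw kernel: IN=eth0 OUT= SRC=10.0.0.115 DST=10.0.0.7 LEN=60 TTL=64 ID=9 PROTO=TCP SPT=22 DPT=51000 WINDOW=64240 ACK SYN URGP=0",
]


def parse_line(line: str) -> Optional[dict]:
    """Turn one LOG line into a flat event, or None if it is not a firewall log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year-less syslog stamp
    tokens = m.group("rest").split()
    return {
        "t": (stamp - datetime(1900, 1, 1)).total_seconds(),      # seconds, good for deltas
        "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
        "spt": int(m.group("spt")) if m.group("spt") else None,
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        "syn_only": "SYN" in tokens and "ACK" not in tokens,      # a fresh connection attempt
    }


def detect(lines: List[str]) -> List[dict]:
    """Run both rules over the log and return one alert per (rule, source) pair."""
    alerts: List[dict] = []
    seen: set = set()

    def alert(rule: str, src: str, detail: str) -> None:
        if (rule, src) not in seen:
            seen.add((rule, src))
            alerts.append({"rule": rule, "src": src, "detail": detail})

    events = [e for e in map(parse_line, lines) if e]
    syns = [e for e in events if e["proto"] == "TCP" and e["syn_only"] and e["dpt"] is not None]

    # Rule 1: a trusted service port used as the *source* of a new connection to an
    # unrelated port. Real DNS/FTP-data/Kerberos traffic does not open connections that way.
    for e in syns:
        if e["spt"] in SERVICE_SRC_PORTS and e["dpt"] != e["spt"]:
            alert("service-source-port", e["src"],
                  f"SYN from source port {e['spt']} ({SERVICE_SRC_PORTS[e['spt']]}) to port {e['dpt']}")

    # Rule 2: many distinct destination ports from one source inside a sliding window.
    by_src: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for e in syns:
        by_src[e["src"]].append((e["t"], e["dpt"]))
    for src, hits in by_src.items():
        hits.sort()
        for t_now, _ in hits:
            ports = {p for t, p in hits if t_now - SCAN_WINDOW_SECONDS <= t <= t_now}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                alert("port-scan", src, f"{len(ports)} ports in {SCAN_WINDOW_SECONDS}s, e.g. {sorted(ports)[:5]}")
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["rule"], a["src"], a["detail"])
```

Note how the two rules fail differently: a --scan-delay of 15.5s, as in the example above, defeats the window count outright, while the service-source-port rule is not rate-based at all and fires on the very first packet. That asymmetry is the argument for fixing the firewall rule that trusts a source port rather than relying on a threshold to catch its abuse.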
