โHackMD
Nmap 101
tags: cybersecurity nmap scanning
Why though?
Proper enumeration is the backbone of effective exploitation.
- When performing a security audit, it's important to get an outlook of the infrastructure.
- The same way if you're fighting a war you would want to know the lay of the land, it's terrain etc
- Understanding what services are running on the targets is crucial.
- To map this digital landscape, we perform port scanning
- Ports are networking constructs used to direct traffic to the right application on a server.
- They are necessary for making multiple network requests or having multiple services available.
- Network connections are made between two ports - an open port listening on the server ,and a randomly selected port on your own computer.
- Every computer has a total of 65535 ports with the first 1024 ports being regarded as well known ports
- We need to know which of these ports a server has open in order to successfully attack it :)
Enter Nmap
The goto tool for port scanning is nmap
Based on how ports respond to scanning they can be classified as either:
- open
- closed
- filtered (usually by a firewall)
Nmap is powerful, can scan for vulnerabilities through its scripting engine and in some cases can exploit those vulnerabilities
Switch it up
Nmap uses switches, syntax: nmap [switches] [ip]
You can read about them via its man page by man nmap
| Switch | Action |
|---|---|
| -sS | SYN 'half open' scan |
| -sT | TCP Connect scan |
| -sU | UDP scan |
| -sN | TCP null scan |
| -sF | TCP fin scan |
| -sX | TCP xmas scan |
| -sn | ping sweep when supplied with an ip range |
| -p | only scan specified ports |
| -p- | scan all ports |
| -Pn | assume alive - don't bother pinging host |
| -sV | service version detection |
| -sC | script scan = default |
| -v | versbose |
| -vv | very verbose |
| -oN | output in normal format |
| -oG | output in grep format |
| -oA | output in normal, xml and grep format |
| -A | enable OS detection, version detection, script scanning, and traceroute |
| โexclude | excludes a list of hosts from the scan |
| -T[i] | increase timing to [i] where 1<=i<=5 |
| โscript | activate scripts |
| โscript=vuln | activate scripts in the vuln category |
Syn Scans
Are used to scan tcp port range of targets
a.k.a half open or stealth scans
instead of performing a full three way handshake, syn scan sends back an RST packet after receiving a SYN/ACK from the server(preventing the server from repeatedly trying to make the request.)
The advatages of this are:
- it can be used to bypass older IDS that are looking for a full three way handshake. This does not apply to modern solutions , and is the reason syn scans are called stealth scans.
- syn scans are often not logged by applications listening on open ports because standard practice is to log a connection once it has been fully established.
- since they don't complete the three way handshake for evrey port they are significantly faster than a standard tcp connect scan.
However,
- they need sudo permissions since they need to create raw packets as opposed to the full tcp handshake
- unstable services are sometimes brought down by syn scans. So if it's a prod environment , well you might be better off going another route :)
syn scan is the default scan used by nmap if you run it with sudo, otherwise if you run it as a normal user nmap will run a tcp connect scan.
UDP Scans
These connections are stateless.
Rather than initiating a connection with a three way handshake, UDP connections rely on sending packets to the target port and hoping that they make it.
- open|filtered - packet is sent to a UDP port and there is no response.
- open - packet is sent to a UDP port and the port sends back a UDP response.
- usually there is no response, in which case the request is sent a second time as a double check.
- closed - packet is sent to a UDP port and the target responds with an ICMP packet containing a message that the port is unreachable.
UDP scans are really slow compared to TCP scans due to the difficulty in establishing whether ports are open or close.
Consequently it's a good idea to run it as
syntax: nmap -sU โtop-ports [target]
placing 20 as the target scans the top 20 most commonly used UDP ports.
Null, Fin, and Xmas Scans
- null: sends a packet with no flag values set, the target should respond with a RST if the port is closed.
- fin: sends a packet with the FIN flag set (used to gracefully close an active connection). Nmap expects RST if the port is closed
- xmas: sends a malformed packet with URG,PSH,and FIN giving it the appearance of a christmas tree when viewed in wireshark hence its name.
- if the port is open, there is no response to the malformed packet
- however, it can only ever identify ports as open/filtered, closed, filtered.
While RFC 793 demands that network hosts respond to malformed packets with a RST TCP packet for closed ports, and not to respond at all for open ports, this isn't the case in real life.
Ms Windows and a lot of cisco devices respond with a RST to malformed packets, identifying those ports as closed.
The main aim is firewall evasion
Many firewalls are configured to drop incoming TCP packets to blocked ports which have the SYN flag set to prevent initiation of new connections.
A bypass for this is to send a packet without the SYN flag set.
ICMP Network Scanning
Your fist objective during black box testing is to map out the network.
A good way to do this is via a ping sweep where you send an ICMP packet to each possible host in the specified network. When nmap receives a response, it marks that address as being alive.
While this might not always be accurate, it can provide a baseline.
syntax: nmap -sn [ip range] e.g nmap -sn 192.168.0.1-254 or nmap -sn 192.168.0.1/24
-sn instructs nmap:
- not to scan any ports
- forcing it to primarily rely on ICMP echo packets, or ARP requests on a local network if run with sudo permission, to identify targets
- to send a TCP SYN packet to port 443 of the target as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target
NSE Scripts
Overview
Nmap Scripting Engine scripts are written in Lua and can be used to scan for vulnerabilities as well as exploit them.
It is particularly useful for recon.
Some useful categories are:
- safe: won't affect the target
- intrusive: Not safe: likely to affect the target
- vuln: scan for vulnerabilities
- exploit: attempt to exploit a vulnerability
- auth: Attempt to bypass authentication e.g login to an FTP server anonymously
- brute: Attempt to bruteforce credentials for running services
- discovery: attempt to query running services for further information about the network. e.g Query an snmp server
Searching for scripts
All NSE script are stored in /usr/share/nmap/scripts/ by default.
There are two ways to search for scripts:
- use the /usr/share/nmap/scripts/script.db file which is a formatted text file containing filenames and categories for each available script
- syntax: head script.db
- Nmap uses this file to keep track of and utilise scripts for the scripting engine. But, we can also grep through to look for scripts
- The second way is to ls
- syntax: ls -l /usr/share/nmap/scripts/[asterisk]ftp[asterisk]
Firewall evasion
Using -Pn , nmap assumes the host is alive and skips sending ICMP packets, which bypasses the ICMP block most firewalls have.
If you are on the local network, nmap can use ARP requests to determine host activity.
For a comprehensive list of switches useful for fw evasion read this
Some switches worth noting are:
- -f : fragments the packets making them less likely to be detected by IDS / firewalls
- โmtu [number]: accetps a maximum transmission unit size for the packets sent. Has to be multiples of 8
- โscan-delay [time in milliseconds] : used to add delays between packets sent. Useful for unstable networks and / or bypassing time based IDS / FW triggers.
- โbadsum : generates an invalid checksum for packets. While the TCP/IP stack would drop this , firewalls may autorespond without bothering to check the checksum of the packet, letting us know where the firewall is located and we can adjust accordingly.
