Owner: 侯智晟 (meowhecker)
Email: meowheckerouo@gmail.com
[TOC]
# Mapping the Network & Discovering Alive Hosts
Before launching an attack on the target machine, it is crucial to gather essential information:
- Is the machine online?
- What services are running?
Nmap is an open-source tool (1997) that plays a pivotal role in mapping the target systems (This is very important!!)
- Identifying active/dead hosts
- Identifying running services on hosts
Workflow for the Nmap tool

## Subnetwork (Term Explanation)
### Network segment
A network segment refers to a physically connected portion of a network.
e.g. a switch or access point
### Subnetwork
A subnetwork represents a logical connection within a network
e.g. a router


### LAB subnetwork practice
Topology

Q1. ARP packet (segment-1)



Q2. ARP packet (segment-2)



solved!!
## Mapping the target network (Dead list)
Define the target scope we want to scan
- list
meowhecker1.com meowhecker2.com 192.168.1.2
- Range
10.10.10.1-10 -> scans 10.10.10.1 ~ 10.10.10.10
- subnet
machineip/30 -> ignore 2 bits -> scan 4 IP addresses
- file.txt
`nmap -iL list_of_hosts.txt`
Check a list of hosts without port scanning
```
nmap -sL MACHINE_SCOPE
```
sL -> list scan!!
This option will give you a **detailed list** of the hosts that Nmap would scan, without actually scanning them
>Reverse-DNS lookup (default): Nmap connects to a DNS server to do a reverse-DNS lookup (IP to hostname); this might reveal information to the pentester
### LAB - Mapping Network
Not scanning -> `dead list`
```
nmap -sL 10.10.12.13/29
```

```
nmap -sL 10.10.0-255.101-125
```
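The target specifications used above (a CIDR block, octet ranges, a hostname) expanded into the address list that `nmap -sL` would print, as an added example that is not part of the original notes; hostnames are passed through unresolved and the scope strings are constructed for illustration.

```python
import ipaddress
from itertools import product

def _octet_values(spec):
    """Expand one octet of an Nmap target spec: '5', '0-255' or '101-125'."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 255:
        raise ValueError("bad octet range: %s" % spec)
    return range(lo, hi + 1)

def expand_target(spec):
    """Return the addresses Nmap puts on its target list for one spec token."""
    if "/" in spec:
        # CIDR: a /30 leaves 2 host bits, so 4 addresses; -sL lists network and
        # broadcast too, and strict=False lets '10.10.12.13/29' mean 10.10.12.8/29
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) == 4 and all(p.replace("-", "", 1).isdigit() for p in parts):
        # Dotted octets, each possibly a range, e.g. 10.10.0-255.101-125
        return [".".join(map(str, combo))
                for combo in product(*(_octet_values(p) for p in parts))]
    # Anything else is a hostname; Nmap would resolve it, here it is left as-is.
    return [spec]

def expand_scope(scope):
    """Expand a whitespace-separated scope, keeping order and dropping duplicates."""
    seen, out = set(), []
    for token in scope.split():
        for addr in expand_target(token):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out

if __name__ == "__main__":
    # Constructed scope mixing the forms used in these notes
    for t in ["10.10.12.13/29", "10.10.10.1-10", "meowhecker1.com"]:
        hosts = expand_target(t)
        print("%-18s -> %d addresses, first %s" % (t, len(hosts), hosts[0]))
```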


Solved !!
## Discover live hosts via network protocols
We can use TCP/IP protocols to discover live hosts.
- Layer 2
  ARP protocol: send a frame to the broadcast address
- Layer 3
  ICMP protocol: Type 8 (echo request) | Type 0 (echo reply)
- Layer 4
  TCP protocol
  UDP protocol
### LAB-Discover the live host
Topology

Q1. PC-1 ping PC-2


Solved
Q2. PC2 pings PC5 (crossing the network segment)

2 ARP queries

Solved !
## ARP alive host discovery
When the attacker and target are in the same network segment, ARP (Address Resolution Protocol) requests can be employed to discover alive hosts.

Upon receiving the MAC address of the target machine, we can confirm that the target machine is alive.
```
nmap -PR -sn ATTACKERIP/NETWORK_SEGMENT
```
PR -> use ARP to discover alive machines
sn -> ping scan (no port scanning)


### arp-scan (Another tool)
Another ARP-based tool.
Usage:
The command sends ARP requests to all valid IPs
```
arp-scan --localnet
or
arp-scan AttackerIP/24
```

---
Specify the interface
```
sudo arp-scan -I eth0 --localnet
```
### LAB-ARP discover Alive host


Solved !
## ICMP Alive Host Discovery
### Echo Request (blocked by default on Windows machines)
ICMP type 8 -> echo request
ICMP type 0 -> echo reply (discovers alive machines)

Flags
PE -> use ICMP echo
sn -> ping scan - disable port scan
```
nmap -PE -sn TARGET
```


### ICMP timestamp request (bypass default firewall)
When default ICMP echo requests (type 8) are blocked by firewalls, ICMP timestamp requests (type 13) can be employed to discover alive machines.
ICMP timestamp request (type 13)
ICMP timestamp reply (type 14)

```
nmap -PP -sn 10.10.68.220/24
```

10.10.68.133 and 10.10.68.134 are new machines.

### ICMP Address Mask request
ICMP type 17 -> address mask request
ICMP type 18 -> address mask reply

flags
PM: ping with address mask
```
sudo nmap -PM -sn 10.10.68.220/24
```

According to the previous results, we know that at least four hosts are alive, but this scan returns 0 hosts up, so we can infer that the target network segment has firewall rules blocking our address mask requests.

### LAB ICMP discover alive host

Solved!!
## TCP/UDP alive host discovery
If you are not a privileged user, Nmap will attempt a three-way handshake for TCP-based host discovery.
### TCP - SYN ping
Sending only a SYN packet is a common method for TCP host discovery.

Attacker -> connects to the target's port 80


---
Specify the port scope
```
nmap -PS80,442,8080 -sn 10.10.68.220/24
```

```
nmap -PS20-25 -sn 10.10.68.220/24
```

### TCP - ACK ping (-sn)
Sending only an ACK packet triggers unexpected behavior and is useful for host discovery.

Flags
PA: send only ACK packets (ping ACK)
```
nmap -PA -sn 10.10.68.220/24
```


### UDP ping
UDP ping involves sending a UDP packet and inferring the target's aliveness from the reply message (ICMP).


According to the reply message -> we can infer that the target is alive.
```
nmap -PU -sn 10.10.68.220/24
```


### Masscan (Another tool)
Masscan is a more aggressive network scanning tool that can be used for quick scans.
```
apt install masscan
masscan MACHINE_IP/24 -p443
masscan MACHINE_IP/24 -p80,443
masscan MACHINE_IP/24 -p22-25
masscan MACHINE_IP/24 --top-ports 100
```
### LAB TCP/UDP Discover host

Solved !!
## Reverse-DNS lookup
Utilizing reverse DNS lookup can provide more information to an attacker
Even if the host is down, the -R option can be added to query the DNS server and obtain the hostname of the offline host
Additionally, a DNS server can be specified using the `--dns-servers DNS_SERVER` option.
### LAB - Reverse DNS lookup

Solved
### Summary

# Port Scanning
- TCP connect port scan
- TCP SYN port scan
- UDP port scan
When the target's firewall is up, the absence of a response (the packet is silently dropped) prevents us from receiving a banner from the target.
Nmap categorizes ports into six states (if the port is unreachable -> it won't be displayed in the result)
**Open**: a server is listening on the port and it is not blocked by firewall rules.

**Closed**: no server is listening on the port (but the port is reachable!!) and it is not blocked by firewall rules.

**Filtered**: the probe cannot reach the target port; we can't determine whether the port is open or closed

**Unfiltered**: Nmap cannot determine whether the port is open or closed, although the port is accessible. (This state occurs when we map the firewall rules via ACK scanning)

**Open | filtered**: open or filtered

**Closed | filtered**: closed or filtered
### LAB - UDP/TCP Port

Solved!!
## TCP flags
RFC 793 https://datatracker.ietf.org/doc/html/rfc793.html#section-3.1
TCP flags play a crucial role in the communication between devices over a TCP connection. Each flag in the TCP header serves a specific purpose.
TCP format and flags

URG -> the urgent pointer indicates the incoming data is urgent; it can be processed without waiting for the previous TCP segments.
ACK -> acknowledgement
PSH -> push buffered data to the application promptly
**RST -> a reset packet with the RST flag can be used to terminate a TCP connection abruptly. Situations where no server is listening, or the server doesn't know how to handle the request, may trigger this flag**
SYN -> synchronize sequence numbers
FIN -> finishing the connection!
### LAB - TCP flags

Solved!!
## TCP Connect Scan (sT)
If we are not privileged users, the TCP connect scan (sT) is the only option available.
Port is open


Port is closed (the port is accessible but no server is running)


Tearing down the TCP connection

Usage
sT: TCP connect scan
Default -> scans the 1000 most common ports
F: 1000 common ports -> 100 common ports
r: scan the ports in consecutive order -> 1,2,3,4,5,6,7,8,9
```
nmap -sT 10.10.120.184
or
nmap -sT -F 10.10.120.184
or
nmap -sT -r 10.10.120.184
```

### LAB-TCP connection Scan (sT)
Previous Scan result!


Solved !!
## TCP SYN Scan (sS)
SYN scan is the default scan mode and requires privileged permissions (root)

As the scan does not establish a full TCP connection, it tends to be more stealthy, reducing the chances of detection.
**Due to the lack of TCP connection establishment, the service info may not be reliable**

Port is closed

Usage
```
sudo nmap -sS 10.10.177.213
```

### LAB TCP SYN Scan (sS)
Previous Scan Result

Solved!!
## UDP Scan
UDP is a connectionless protocol, so we can't guarantee receiving a response from the UDP service
Open (reply), Open | filtered (blocked, no reply)

Port is closed

ICMP type 3 destination unreachable! (port unreachable)
```
nmap -sU -F -v 10.10.155.68
```

```
nmap -sU 10.10.155.68
```

### LAB - UDP Scanning
Previous Scan Result


Solved
## Port Scope/Scan Speed and Performance
### Port Scope
Port list
`-p80,443,8080`
Port Range
`-p20-23`
Scan All Port
`-p-`
### Scan common ports
F: scan the 100 most common ports
`--top-ports NUMBER_PORT`
### Scan Speed
**Set timing template**
`-T0~5`
- paranoid (0) (slowest)
- sneaky (1)
- polite (2)
- normal (3) (default)
- aggressive (4) (used in CTFs)
- insane (5) (fastest)
To avoid IDS detection, we can choose T0 or T1
T0 mode scans one port at a time and waits 5 minutes between probes
T1 -> T1 mode is suitable for real-world testing.
T5 -> T5 mode is the fastest but may result in packet loss (affecting the correctness of the result).
**Packet per second**
Use these options for control over packet speed.
```
--min-rate PACKET_PER_SECOND
--max-rate PACKET_PER_SECOND
```
### Multiple Probes
Multithreading
Use multiple threads for faster scanning.
```
--min-parallelism THREADS_PROBE
--max-parallelism THREADS_PROBE
```
### LAB - Port Scope/Scan Speed and Performance

Solved !!
## Summary (cheat sheet) Basics, Part 1

---
## Null, FIN, Xmas Scan (bypass stateless firewalls)
These types of scans are efficient for bypassing stateless firewalls.
By using a flag combination that does not match a SYN packet, it becomes possible to bypass the firewall and reach the system behind it.
>A stateless firewall only checks specific packet features and does not analyze packet behavior, e.g. packet src, dst, flags... (those features are defined by the developer)
### Null Scan (sN)
Null scan -> all TCP flags are set to zero
Since no flags are set, the server does not send a response
#### Port: Open | filtered
The null scan relies on the lack of a response to infer that the port is not closed

#### Port: Close

#### Usage
```
nmap -sN 10.10.233.164 -T4
```

### FIN Scan (sF)
#### Port : Open | filtered

#### Port : Close

```
nmap -sF 10.10.233.164 -T4
```

### Xmas (sX) FIN PSH URG
#### Port : Open |filtered

#### Port : Close

#### Usage

### LAB NULL, FIN, Xmas Scan

Solved
## Maimon Scan (sM) FIN/ACK

I think it can be used to discover the firewall rule settings
If we don't receive a RST/ACK -> we can infer that the target may have a firewall dropping the packet.
```
sudo nmap -sM 10.10.252.27 -T4
```
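The flag byte from RFC 793 section 3.1 decoded and matched against the probe shapes these notes describe (Null, FIN, Xmas, Maimon, plus bare SYN and ACK), which is how a sensor recognizes such scans on the receiving side; this is an added example, not part of the original notes, and `build_header` only constructs sample headers in memory with hypothetical port values.

```python
import struct

# TCP flag bits in the RFC 793 header (plus CWR/ECE from RFC 3168).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

# Flag combinations described in these notes, keyed to the Nmap scan that emits them.
# Seen from the defender's side, a segment with one of these shapes arriving at a
# port with no prior handshake is a scan probe, not normal application traffic.
SCAN_SIGNATURES = {
    frozenset(): "Null scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
    frozenset({"FIN", "ACK"}): "Maimon scan (-sM)",
    frozenset({"SYN"}): "SYN probe (-sS / -sT / -PS)",
    frozenset({"ACK"}): "ACK probe (-sA / -sW / -PA)",
}

def decode_tcp_header(raw):
    """Parse the 20-byte fixed TCP header (RFC 793 section 3.1) into its fields."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "header_len": (off_flags >> 12) * 4,             # data offset is in 32-bit words
        "flags": {n for bit, n in TCP_FLAGS.items() if off_flags & bit},
    }

def classify_probe(flags):
    """Name the scan type a bare segment with these flags corresponds to."""
    return SCAN_SIGNATURES.get(frozenset(flags), "ordinary traffic")

def build_header(sport, dport, flags, window=1024):
    """Constructed sample header (in memory only, hypothetical values) for testing the decoder."""
    bits = sum(bit for bit, n in TCP_FLAGS.items() if n in flags)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | bits, window, 0, 0)

if __name__ == "__main__":
    for flags in [set(), {"FIN"}, {"FIN", "PSH", "URG"}, {"FIN", "ACK"}, {"PSH", "ACK"}]:
        hdr = decode_tcp_header(build_header(40000, 80, flags))
        print(sorted(hdr["flags"]) or ["none"], "->", classify_probe(hdr["flags"]))
```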

### LAB Maimon Scan

## ACK, Window (Mapping the Firewall rules), Custom Scan
ACK and Window scans are typically used for mapping firewall rules, and do not necessarily discover whether a service is actively listening on a port
### ACK scan (sA) - Identify the firewall rule configuration
#### Firewall Down


---
#### Firewall UP


### Window Scan
The Window scan examines the TCP Window field of the returned RST packets. On specific systems, this can reveal whether the port is open.
The Window scan is similar to the ACK scan and is a good way to map the target's firewall rule configuration.
#### Case: No firewall

#### Case: Firewall UP

#### Usage
```
nmap -sW 10.10.233.164 -T4
```

### Custom Scan
Custom TCP flag settings
```
--scanflags RSTSYNFIN
```
RST = 1
SYN = 1
FIN = 1
### LAB - ACK, Window, Custom Scan
```
nmap -sA 10.10.89.2 -T4
```



Solved !!
## Spoofing (same network segment), Decoy Scan (useful)
### Spoofing Scan
Spoofing scans work in specific network environments where the attacker can monitor the traffic.

```
nmap -sS -S SPOOFED_IP TARGETMACHINE
```
In general use, we need to specify the interface on the same network segment as the target machine (-e) and disable the ping scan (-Pn).
```
nmap -sS -e NET_INTERFACE -Pn -S SPOOFED_IP TARGET_IP
```
### Decoy Scan (Stealth Techniques)
A decoy scan makes it harder for defenders to identify the attacker's machine.

Usage:
If the attacker IP is 10.66.45.69
```
nmap -sS -D 10.10.1.1,23.12.32.22,ME,RND,RND TARGET_MACHINE
```
Scan sequence -> 10.10.1.1 -> 23.12.32.22 -> 12.66.45.69 -> 71.23.12.23 -> 192.168.3.2
### LAB - Spoofing & Decoy Scan

Solved
## Fragment Packets (bypass IDS/firewall)
Firewalls (software/hardware) typically check the IP and TCP headers. More advanced firewalls may also check the carried data.
An IDS checks packet behavior and features. Once the traffic matches the features of malicious traffic, an alert is raised.
### Fragment packets
We can attempt to split a packet into multiple fragments to bypass IDS or firewalls.
Nmap provides the -f option to fragment packets
According to RFC 791, the TCP header is typically 20 bytes (24 bytes with options). By fragmenting the packet, we can bypass firewall rules or IDS.


```
nmap -sS -p80 10.20.30.144 -f
```
Port 80 analysis
Normal case (no fragmentation)

Fragmented case

Customize the packet size -> we can increase the packet size to make it look innocuous.
```
--data-length NUM
```
### LAB Fragment Packet

## Zombie (Idle) Scan (Stealth Techniques)
Zombie scan allows scanning stealthily without exposing our IP or identity.
It upgrades the spoofing scan by using a zombie machine for communication.
Nmap checks the IP ID (ip.id) value to determine whether the port is open, closed or filtered.

### Connect to Zombie Machine to Record ip.id Value

### Port: Open

### Port: Close

### Port: filtered
### Comparing the (ip.id) values to determine whether the port is open or closed

### Usage
```
nmap -sI ZOMBIE_IP MACHINE_IP
```
### LAB Zombie scan

## More information
### Reason (Recommended!!)
We can ask Nmap to provide the reason and inference behind its scan results.
```
sudo nmap -sS --reason 10.10.252.27
```

Adding the reason provides more clarity about the scan results.
### More Information
v -> verbose information
vv -> more verbose
d -> debug
dd -> debug max
### LAB- More information


## Summary, Part 2


# Post Port Scan
## Service Detection (sV)
Once we discover open ports, the next step is to investigate further and identify the running services and potential vulnerabilities.
```
nmap -sT -sV --version-intensity 0~9 TARGET_IP -T4
```
0 -> (lightest)
9 -> (most complete)
Service detection requires establishing a TCP connection to retrieve the service's banner.
Usage
```
nmap -sT -sV 10.10.139.233 -T4 --reason
```
### LAB Identify Service



Solved !!
## OS Detection & Traceroute
### OS Detection
Nmap can detect the OS type and version based on the reply packet.
The OS type is usually detected correctly, but the kernel version may not be reliable due to virtualization techniques.
Usage
```
nmap -sS -O 10.10.139.233
```

### Traceroute
```
nmap -sS --traceroute 10.10.139.233
```

### LAB - OS detection

Solved
## Nmap Script Engine (NSE - Lua language)
The Nmap Script Engine (NSE) uses Lua, an interpreted language. The default scripts are located in the directory:
```
/usr/share/nmap/scripts
```

Additional scripts can be downloaded from the internet.
If we don't know an .nse script's functionality, we can use less or a text editor to look it up

### Specify the script we want to use
```
nmap --script=default
```
### Script Categories

Notice!: some intrusive scripts may cause the service to crash.
```
nmap -sS -sC 10.10.58.136
```



### LAB- Nmap Script







Solved !
## Output The Result
Save the scan results to a file!
### Normal (-oN)
```
nmap -sT 10.10.50.162 -T4 -oN 10.10.50.162.nmap
```

### Grepable (suitable when the report covers multiple machines)
```
nmap -sT 10.10.50.162 -T4 -oG 10.10.50.162.gnmap
```
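A parser for the grepable (-oG) format above that answers the multi-machine question `grep` is usually used for (which hosts have a given port open); this is an added example, not part of the original notes, and the sample report is constructed, not from a real scan.

```python
from collections import defaultdict

# Constructed sample .gnmap report for two hosts (made up for this example, not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sT -T4 -oG scope.gnmap 10.10.50.0/24
Host: 10.10.50.162 ()\tStatus: Up
Host: 10.10.50.162 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 10.10.50.163 (web.example.internal)\tStatus: Up
Host: 10.10.50.163 (web.example.internal)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

def parse_gnmap(text):
    """Return {host: [{port, state, proto, service, version}, ...]} from grepable output.

    Each 'Host:' line holds tab-separated 'Key: value' fields; every entry in the
    'Ports:' field is port/state/protocol/owner/service/rpcinfo/version/ ."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # '#' comments and the 'Nmap done' footer
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]         # drop the "(hostname)" part
        results.setdefault(host, [])                   # keep hosts that only have a Status line
        for entry in filter(None, (e.strip() for e in fields.get("Ports", "").split(","))):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            results[host].append({"port": int(port), "state": state, "proto": proto,
                                  "service": service, "version": version})
    return dict(results)

def hosts_with_open_port(parsed, port, proto="tcp"):
    """The question `grep` over a .gnmap usually answers: which hosts have this port open."""
    return sorted(host for host, ports in parsed.items()
                  if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                         for p in ports))

if __name__ == "__main__":
    report = parse_gnmap(SAMPLE_GNMAP)
    for port in (22, 80, 443):
        print("%d/tcp open on: %s" % (port, ", ".join(hosts_with_open_port(report, port)) or "-"))
```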


### XML form

```
nmap -sS 127.0.0.1 -oX FILENAME
```
### LAB - Output Result
Scan report containing many machines -> gnmap + grep



Solved !!
## Summary
