Nmap

Network Scan & Map

https://github.com/nmap/nmap

Nmap, or Network Mapper, is the most widely used network scanner. It has been ported to most platforms and is the underlying scan engine in a number of commercial and open source vulnerability testing products. It can run scripts through the Nmap Scripting Engine (NSE), and its timing and performance options (the -T0 to -T5 templates and the finer-grained settings behind them) are what is used for intrusion detection system (IDS) evasion. You can use Nmap for:

  • Host discovery
  • Port/service discovery
  • Operating system and service fingerprinting
  • Enumeration
  • Hardware (MAC) address detection
  • Vulnerability/exploit detection

Nmap is command-line based, though there are GUI variants such as Zenmap. The basic syntax for Nmap is:

nmap [Scan Type(s)] [Option(s)] <target>

Ping Sweeping

fping pings a whole range and reports which hosts answer:

fping -a -g IPRANGE
  • -a shows only alive hosts
  • -g generates the target list from a range (a sweep) instead of pinging a single host
  • the range can be given in CIDR notation
fping -a -g 10.54.12.0/24
  • or as start and end addresses
fping -a -g 10.54.12.0 10.54.12.255
  • redirect stderr to suppress the ICMP Host Unreachable messages printed for offline hosts
fping -a -g 192.168.82.0 192.168.82.255 2>/dev/null

nmap Ping Scanning

nmap -sn 200.200.0.0/16
nmap -sn 200.200.0.1-12
nmap -sn 200.200.0.*
nmap -sn 200.200.12-13.*

-sn does host discovery only and skips the port scan. Note that -iL does not save anything: it reads the targets from a file, one host, range or CIDR block per line, so a previously saved host list is scanned with

nmap -sn -iL savedList.txt

To keep the live hosts for the next stage, write the scan in grepable format with -oG and keep the lines that end in "Status: Up".

Use this to check what host discovery methods are available

man nmap

Host Discovery:
-sL : List scan – simply list targets to scan
-sn : ping scan – disable port scan
-Pn : treat all hosts as online — skip host discovery
-PS/PA/PU/PY(portlist): TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM : ICMP echo, timestamp, and netmask request discovery probes
-PO(protocol list) : IP Protocol Ping

This gives a list of live hosts: the ones that answered a ping or one of the nmap probes above.
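As an added example that is not from the original page or from the Nmap project: two small shell functions that take grepable (-oG) output and produce the live-host list for -iL and, after the port scan, the list of open ports. The scan output embedded below is constructed sample data with made-up addresses and host names, not a real scan; the functions rely only on the documented -oG line layout (tab-separated Host, Status and Ports fields, each port entry written as port/state/proto/owner/service/rpcinfo/version/).

```shell
#!/bin/sh
# Added example: extract live hosts and open ports from nmap grepable (-oG) output.
# Grepable output is one line per host with tab-separated fields:
#   Host: <ip> (<hostname>)<TAB>Status: Up
#   Host: <ip> (<hostname>)<TAB>Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/closed/tcp//http///<TAB>Ignored State: ...
# Each port entry is port/state/proto/owner/service/rpcinfo/version/.

# Print one IP per line for every host nmap reported as Up (stdin: -oG output).
gnmap_live_hosts() {
    awk '/^Host: / && /Status: Up$/ { print $2 }'
}

# Print "<ip> <port>/<proto> <service>" for every port in the open state (stdin: -oG output).
gnmap_open_ports() {
    awk -F'\t' '/^Host: / && /Ports: / {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if (index($i, "Ports: ") != 1) continue
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")          # f[1]=port f[2]=state f[3]=proto f[5]=service
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }
    }'
}

# Constructed sample output (not a real scan); printf supplies the tabs nmap emits.
SAMPLE_SWEEP=$(
  printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sn -v -oG - 10.54.12.0/28'
  printf '%s\t%s\n' 'Host: 10.54.12.1 (gw.lab)' 'Status: Up' \
                    'Host: 10.54.12.2 ()' 'Status: Down' \
                    'Host: 10.54.12.7 ()' 'Status: Up' \
                    'Host: 10.54.12.9 (files.lab)' 'Status: Up'
  printf '%s\n' '# Nmap done: 16 IP addresses (3 hosts up) scanned'
)
SAMPLE_PORTS=$(
  printf '%s\t%s\n' 'Host: 10.54.12.1 (gw.lab)' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.54.12.1 (gw.lab)' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/closed/tcp//http///, 443/filtered/tcp//https///' \
    'Ignored State: closed (997)'
  printf '%s\t%s\n' 'Host: 10.54.12.9 (files.lab)' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.54.12.9 (files.lab)' \
    'Ports: 445/open/tcp//microsoft-ds//Samba smbd 4/, 3389/open/tcp//ms-wbt-server///' \
    'Ignored State: filtered (998)'
)

# The real pipeline (needs nmap; -sS needs root):
#   nmap -sn -n -oG - 10.54.12.0/24 | gnmap_live_hosts > live.txt
#   sudo nmap -sS -sV -n -iL live.txt -oG ports.gnmap
#   gnmap_open_ports < ports.gnmap

echo "Live hosts:"
printf '%s\n' "$SAMPLE_SWEEP" | gnmap_live_hosts
echo "Open ports:"
printf '%s\n' "$SAMPLE_PORTS" | gnmap_open_ports
```

Writing the grepable output to stdout with `-oG -` suppresses nmap's normal interactive output, which is what keeps the pipe into `gnmap_live_hosts` clean; the Down host in the sample only appears because the sweep was run with -v.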

OS Fingerprinting

Send network requests to the host and analyze the responses. Network stack implementations differ between operating systems in small ways (initial TTL, TCP window size, the order of TCP options, how closed ports and malformed packets are answered). Nmap sends a series of specially crafted probes to the target and examines every bit of the responses, building a signature of the host's behaviour. That signature is compared against a database of known operating system signatures (nmap-os-db). Because the match is heuristic, some guesswork is involved; results improve when the host has at least one open and one closed TCP port for Nmap to probe, and experience with the tool helps in reading near misses.

PERFORM RECONNAISSANCE ON EVERY NETWORK NODE

  • routers
  • firewalls
  • hosts
  • servers
  • printers, etc, etc, etc

Make a table with three columns:
| IP Address | Operating System (OS) | Confidence % |

OS fingerprinting can be done passively, on a recorded traffic capture, or actively, by sending probes with a tool.

Passive (offline) OS fingerprinting can be done with p0f:
http://lcamtuf.coredump.cx/p0f3/
The rest of this section concentrates on active fingerprinting with nmap.

Use the -O flag in nmap. Add the -Pn switch to skip host discovery when the target is already known to be alive:

nmap -Pn -O <target(s)>

Tune how hard nmap tries:
--osscan-limit : limit OS detection to promising targets (hosts with at least one open and one closed TCP port)
--osscan-guess : guess the OS more aggressively, printing near matches with their accuracy

If you need the OS of a machine that you know is alive but does not answer ping probes:

nmap -Pn -O <target>

Conversely, when scanning thousands of hosts, skip OS detection on hosts that cannot produce a good match and avoid the time sink:

nmap -O --osscan-limit <targets>
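An added example (not from the original page or the Nmap project) of producing the IP / OS / Confidence table straight from a scan: nmap's XML output carries an accuracy attribute for every OS match, whereas the normal text output only shows percentages for aggressive guesses. The XML below is a constructed sample with made-up addresses, not a real scan; the parser assumes nmap's usual one-XML-element-per-line layout and that the best match is listed first, which is how nmap writes it.

```shell
#!/bin/sh
# Added example: build the IP / OS / Confidence table from nmap XML output (-oX).
# Assumes nmap's one-element-per-line XML layout and that <osmatch> elements are
# ordered by decreasing accuracy (both are what nmap itself writes).
nmap_os_table() {
    awk '
    # Return the value of attribute name="..." from an element line ("" if absent).
    function attr(s, name,    re) {
        re = name "=\"[^\"]*\""
        if (match(s, re)) return substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
        return ""
    }
    BEGIN { print "| IP Address | Operating System (OS) | Confidence % |" }
    # New host: remember its IPv4 address and forget any previous match.
    /<address / && /addrtype="ipv4"/ { ip = attr($0, "addr"); printed = 0 }
    # First <osmatch> is the best guess; later ones are lower-accuracy alternatives.
    /<osmatch / && !printed { printf "| %s | %s | %s |\n", ip, attr($0, "name"), attr($0, "accuracy"); printed = 1 }
    # Hosts that produced no match still get a row so the table covers every node.
    /<\/host>/ { if (ip != "" && !printed) printf "| %s | %s | %s |\n", ip, "no match", "-"; ip = "" }
    '
}

# Constructed sample XML (not a real scan): one host with two matches, one with none.
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -Pn -O -oX - 10.54.12.1 10.54.12.7">
<host><status state="up" reason="user-set"/>
<address addr="10.54.12.1" addrtype="ipv4"/>
<address addr="52:54:00:12:34:56" addrtype="mac"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="81"><state state="closed" reason="reset"/></port></ports>
<os><portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="81"/>
<osmatch name="Linux 4.15 - 5.8" accuracy="96" line="67424">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="96"/>
</osmatch>
<osmatch name="Linux 5.0 - 5.5" accuracy="93" line="68001">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="93"/>
</osmatch>
</os>
</host>
<host><status state="up" reason="user-set"/>
<address addr="10.54.12.7" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/></port></ports>
</host>
</nmaprun>'

# Real run (needs nmap and root for -O):
#   sudo nmap -Pn -O --osscan-guess -oX os.xml 10.54.12.0/24
#   nmap_os_table < os.xml

printf '%s\n' "$SAMPLE_XML" | nmap_os_table
```

The second host shows the failure mode worth planning for: with only a filtered port and nothing open or closed, nmap has no fingerprint to match, so the row records "no match" rather than silently dropping the node from the inventory.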

After connecting to the VPN, run:

ifconfig

Look for the tap0 inet address and netmask (on a system without net-tools, ip addr show tap0 prints the address directly in CIDR form). Convert the mask to a prefix length for the scan target:
255.255.255.0 is /24
https://www.calculator.net/ip-subnet-calculator.html
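An added example, not from the original page, that replaces the online calculator: POSIX sh functions that convert the netmask to a prefix length and combine it with the interface address into the CIDR block to sweep. The tap0 values used are constructed, and the ifconfig field positions mentioned in the comment are an assumption about the Linux net-tools output format.

```shell
#!/bin/sh
# Added example: turn the tap0 inet address and netmask shown by ifconfig into the
# CIDR block to sweep, using only POSIX sh arithmetic.

# Dotted quad -> 32-bit integer, e.g. 10.0.0.1 -> 167772161
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length, e.g. 255.255.255.0 -> 24.
# Counts leading one bits and rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
    done
    if [ "$m" -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    echo "$n"
}

# Address + netmask -> network in CIDR form,
# e.g. 10.142.111.240 255.255.255.0 -> 10.142.111.0/24
network_cidr() {
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$(int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )))/$prefix"
}

# Assumption: Linux net-tools ifconfig prints the inet line as
#   inet 10.142.111.240  netmask 255.255.255.0  destination ...
# so the live values can be fed in with:
#   network_cidr $(ifconfig tap0 | awk '/inet /{print $2, $4}')
# Constructed values, not taken from a real interface:
network_cidr 10.142.111.240 255.255.255.0
```

The result is the argument for the fping and nmap sweeps that follow; the contiguity check matters because a typo such as 255.255.0.255 would otherwise yield a plausible-looking but wrong range.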

Discover neighbours on the local segment with ARP, passively (only listening to ARP traffic already on the wire) or actively (sending ARP requests yourself):

sudo netdiscover -p
sudo arp-scan -l

netdiscover -p sniffs and sends nothing; arp-scan -l (--localnet) sends an ARP request to every address on the interface's network.

Actively scan the network, sending each ARP request 20 times (useful on lossy links):

sudo netdiscover -c 20

Use the -s (--arpspa) flag of arp-scan to set the sender IP address inside the ARP requests, for example to pose as another host on the segment:

arp-scan -l -s 10.142.111.240

Then sweep the tap0 network with fping:

fping -a -g 10.142.111.0/24 2> /dev/null

Then run a ping scan followed by a service scan of the live hosts from inside Metasploit, so the results are saved to its PostgreSQL database:

db_nmap -sn -n 10.142.111.*
db_nmap -sT -n -A -v 10.142.111.1-254

(-A already turns on -sV and -O, so adding them separately is redundant.)

Scan for vulnerabilities in Metasploit too, so the findings land in the same database:

db_nmap --script rdp-vuln* -p- 10.142.111.240
db_nmap --script smb-vuln* -p 139,445 10.142.111.48
db_nmap -A 10.142.111.140

| Target Designation | Description |
|---|---|
| 192.168.1.50 | Scan only this IP. |
| scanme.host.tld | Scan only this host by name. |
| 192.168.1.0/24, company.tld/24, 192.168.1.* | Scan the entire subnet. |
| scanme.host.tld/24 | Scan the entire /24 that the host's address is in. |
| 192.168.1.20-50 | Scan only this range. |
| 192.168.1.20-25 192.168.7.44 | Scan the range 192.168.1.20 to 25 and also 192.168.7.44. Separate targets are space-separated; a comma list belongs inside a single octet, so 192.168.1,7.44 scans 192.168.1.44 and 192.168.7.44. |

| Scan Type | Example | Comment |
|---|---|---|
| -h | nmap -h | Help. |
| -V | nmap -V | Print your Nmap version. |
| -d | nmap -d 192.168.1.50 | Enable debugging output: lists every step Nmap is taking along with the normal output. |
| -sS (TCP SYN scan) | nmap -sS 192.168.1.50 | Send a TCP SYN and see whether the port answers with a SYN/ACK (open), a RST (closed), or nothing or an ICMP unreachable error (filtered). Also known as a half-open scan because Nmap never completes the three-way handshake; it answers the SYN/ACK with a RST. Needs raw sockets, so it is the default for root users. |
| -sT (TCP connect scan) | nmap -sT 192.168.1.50 | Complete the TCP three-way handshake: Nmap asks the operating system to connect() to each port. The default for regular (non-root) users. Slower and noisier than -sS, because the completed connection shows up in the service's own logs. |
| -sV | nmap -sV 192.168.1.50 | Probe open ports to determine the service and its version. |
| -sU (UDP scan) | nmap -sU 192.168.1.50 | UDP has no handshake, so a listening service may not answer at all. Ports that send a UDP response display as open; ports that send nothing display as open\|filtered; ports that send an ICMP port unreachable error (type 3, code 3) display as closed, and other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 or 13) display as filtered. Slow, because most operating systems rate-limit ICMP errors. Combine with -sV to send protocol-specific payloads to the open\|filtered ports and tell truly open ports from filtered ones. |
| -sL | nmap -sL 192.168.1.50 | List the targets that would be scanned (with reverse DNS lookups) without sending them any probes. |
| -sA (TCP ACK scan) | nmap -sA www.company.tld | Find out whether a host or network is protected by a firewall and which ports it filters. "Filtered" ports swallowed the ACK probe (or answered with an ICMP error); "unfiltered" ports answered with a RST and are reachable, but an ACK scan alone cannot tell whether they are open or closed (see the -p option for port states). To find out, follow up with a SYN or connect scan of the unfiltered ports (nmap -sS -p <ports> www.company.tld), or try -sW, the window scan, which can tell open from closed on some systems. |

| Option | Example | Comment |
|---|---|---|
| -p <port range> | nmap -p 80 192.168.1.50; nmap -p 80,443 www.company.tld; nmap -p1024-3000 192.168.1.0/24; nmap -p U:53,111,137,T:21-25,80,139,443 192.168.1.0/24; nmap -p- 192.168.1.50 | Only scan the specified port(s). A space after -p is optional. Prefix UDP ports with U: and TCP ports with T:; -p- scans all 65535 TCP ports. Port states: open (a service answered), closed (reachable, but the OS sent a TCP RST or an ICMP port unreachable, so nothing is listening), filtered (no response, usually a firewall dropping the probe), unfiltered (reachable, open or closed undetermined; ACK scan only), and the ambiguous open\|filtered and closed\|filtered. |
| -r | nmap -r 192.168.1.0/24 | Scan ports in consecutive order instead of the default random order. |
| --top-ports <number> | nmap --top-ports 200 192.168.1.50 | Scan the 200 most common ports (as ranked in nmap-services). |
| -6 | nmap -6 2001:f0d0:1003:51::4; nmap -6 scanme.company.tld; nmap -6 fe80::8d50:86ce:55ad:bc5c | Scan IPv6 addresses. |
| -iL <inputfilename> | nmap -iL /tmp/test.txt | Scan the hosts listed in a file (one host, range or CIDR block per line). |
| --exclude | nmap 192.168.1.0/24 --exclude 192.168.1.5 | Exclude certain hosts from a scan. |
| -n | nmap -n 192.168.1.0/24 | Never do reverse DNS resolution (saves time and generates no DNS traffic). |
| -R | nmap -R 192.168.1.0/24 | Always do reverse DNS resolution, even for hosts that appear to be down. |
| -F (fast mode) | nmap -F 192.168.1.50 | Scan the 100 most common ports instead of the default 1000. |
| -O | nmap -O 192.168.1.50 | Enable OS detection. Nmap guesses the OS from TCP/IP stack behaviour; the guess is not always accurate. |
| -A | nmap -A 192.168.1.50 | Enable OS detection, service version detection, default script scanning and traceroute (equivalent to -O -sV -sC --traceroute). |
| --version-intensity <level> | nmap -sV --version-intensity 9 192.168.1.50 | Use with -sV. Sets the level of interrogation from 0 (light, only the most likely probes) to 9 (try every probe). |
| --script=<scriptname> | nmap --script=banner.nse 192.168.1.50 | Run an NSE script (or a comma-separated list, a category, or a wildcard pattern). |
| -sC | nmap -sC 192.168.1.50 | Scan using all scripts in the default category. |
| -v | nmap -A -v 192.168.1.50 | Increase verbosity of output. |
| -vv | nmap -vv 192.168.1.50 | Very verbose output. |
| -oN/-oX/-oS/-oG/-oA <filename> | nmap 192.168.1.50 -oA results | Save output in normal, XML, script kiddie or grepable format, or all of them except script kiddie (-oA, which writes results.nmap, results.xml and results.gnmap). Relative file names are written to the current working directory. |

Bonus Tip: How to connect with freerdp command:

xfreerdp /f /u:USERNAME /p:PASSWORD /v:HOST:PORT

Happy hacking!
