Nmap, or network mapper, is the most widely used network scanner. It has been ported to most platforms, and is the underlying scan tool in a number of commercial and open source vulnerability testing products. It can incorporate scripts and has speed and performance settings for intrusion detection system (IDS) evasion. You can use Nmap for:
- Host discovery
- Port/service discovery
- Operating system and service fingerprinting
- Enumeration
- Hardware (MAC) address detection
- Vulnerability/exploit detection
Nmap is command-line based, though there are GUI variants such as Zenmap. The basic syntax for Nmap is:
nmap [Scan Type(s)] [Option(s)] <target>.
Ping Sweeping
fping -a -g IPRANGE
- -a shows only alive hosts
- -g generates the target list from a range (a ping sweep) instead of pinging a single host
- use CIDR notation:
fping -a -g 10.54.12.0/24
- or give start and end addresses:
fping -a -g 10.54.12.0 10.54.12.255
- suppress the ICMP Host Unreachable messages about offline hosts (they go to stderr):
fping -a -g 192.168.82.0 192.168.82.255 2>/dev/null
nmap Ping Scanning
nmap -sn 200.200.0.0/16
nmap -sn 200.200.0.1-12
nmap -sn 200.200.0.*
nmap -sn 200.200.12-13.*
Use the -iL switch to read the target list from a file (one host per line), for example a host list saved from an earlier scan:
nmap -sn -iL newSavedList.txt
Use this to check what host discovery methods are available
man nmap
Host Discovery:
-sL : List scan – simply list targets to scan
-sn : ping scan – disable port scan
-Pn : treat all hosts as online — skip host discovery
-PS/PA/PU/PY(portlist): TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM : ICMP echo, timestamp, and netmask request discovery probes
-PO(protocol list) : IP Protocol Ping
This gives a list of live hosts that responded to pings or to Nmap probes.
OS Fingerprinting
OS fingerprinting sends network requests to a host and then analyzes the responses. There are tiny differences in the network stack implementations of various operating systems. The tool sends a series of specially crafted requests to the target host and then examines every bit of the responses, building a signature of the host's behavior.
The signature is compared against a database of known operating system signatures. Because the process relies on differences in network stack implementation, some guesswork is involved, but with the right tools and experience it gets results.
PERFORM RECONNAISSANCE ON EVERY NETWORK NODE
- routers
- firewalls
- hosts
- servers
- printers, etc.
Make a table that has three columns:
| IP Address | Operating System (OS) | Confidence % |
OS fingerprinting can be performed on a recorded traffic capture (passive) or by probing the target with tools (active).
Offline (passive) OS fingerprinting can be done with p0f: http://lcamtuf.coredump.cx/p0f3/
Here we concentrate on active fingerprinting with nmap.
Use the -O flag in nmap.
Add the -Pn switch to skip the ping scan if you already know the target is alive:
nmap -Pn -O <target(s)>
Set the OS guess level:
--osscan-limit : limit OS detection to promising targets (hosts with at least one open and one closed TCP port)
--osscan-guess : guess the OS more aggressively
If you need to detect the OS of a machine that you know is alive but is not responding to ping probes, try this:
nmap -Pn -O <target(s)>
Conversely, when scanning thousands of hosts, limit OS detection to promising targets so the scan does not become a time sink:
nmap -O --osscan-limit <target(s)>
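To fill in the IP / OS / Confidence table called for above from a scan saved with Nmap's XML output (-oX), here is an added Python example that is not part of the original notes. It assumes Nmap's XML layout (`<host>`, `<address addrtype="ipv4">`, `<osmatch accuracy="...">`) and runs on a constructed sample; it keeps the best match per host, records "unknown" where Nmap produced none, and flags low-confidence guesses (the kind `--osscan-guess` produces more of) for manual verification.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -O -oX` output (not a real scan): two hosts with
# OS matches and one host that is up but yielded no fingerprint.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -oX - 10.54.12.0/24" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.54.12.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="95" line="60001"/>
<osmatch name="Linux 4.15 - 5.6" accuracy="93" line="60002"/></os></host>
<host><status state="up" reason="syn-ack"/>
<address addr="10.54.12.20" addrtype="ipv4"/>
<os><osmatch name="Microsoft Windows 10 1709 - 1909" accuracy="88" line="70001"/></os>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.54.12.200" addrtype="ipv4"/><os/></host>
</nmaprun>"""

def os_table(xml_text, min_confidence=90):
    """One row (ip, os_name, confidence, needs_review) per host, keeping the
    highest-accuracy <osmatch>. Hosts with no match get 'unknown' / 0, and a
    row is flagged for manual review when confidence is below min_confidence."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                   # e.g. an IPv6-only host; skip it
            continue
        best = max(host.iter("osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is None:
            rows.append((addr.get("addr"), "unknown", 0, True))
        else:
            acc = int(best.get("accuracy", "0"))
            rows.append((addr.get("addr"), best.get("name"), acc, acc < min_confidence))
    return rows

def render(rows):
    """Format rows as the three-column table the notes ask for."""
    lines = ["| IP Address | Operating System (OS) | Confidence % |",
             "|---|---|---|"]
    for ip, name, acc, needs_review in rows:
        lines.append(f"| {ip} | {name} | {acc}{' (verify)' if needs_review else ''} |")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(os_table(SAMPLE_XML)))
```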
After connecting to the VPN, run this:
ifconfig
Look for the tap0 inet address and netmask.
Check that mask:
255.255.255.0 is a /24
https://www.calculator.net/ip-subnet-calculator.html
Discover hosts on the local segment with ARP (netdiscover -p only listens, so it is passive; arp-scan -l actively sends ARP requests):
sudo arp-scan -l
sudo netdiscover -p
Actively scan a network, sending 20 ARP requests per IP address:
sudo netdiscover -c 20
Use the -s flag to set the source IP address of the ARP requests:
arp-scan -l -s 10.142.111.240
From that IP in tap0, run a fping
fping -a -g 10.142.111.0/24 2> /dev/null
Then run a ping scan and a service scan from Metasploit, saving the results to its PostgreSQL database with db_nmap:
db_nmap -sn -n 10.142.111.*
db_nmap -sT -sV -O -n 10.142.111.1-254 -A -v
Scan for vulnerabilities in Metasploit too!
db_nmap --script rdp-vuln* -p- 10.142.111.240
db_nmap --script smb-vuln* -p 137,139,445 10.142.111.48
db_nmap -sV -O -A 10.142.111.140
| Target Designation | Description |
|---|---|
| 192.168.1.50 | Scan only this IP. |
| scanme.host.tld | Scan only this host by name. |
| 192.168.1.0/24, company.tld/24, 192.168.1.* | Scan the entire subnet. |
| scanme.host.tld/24 | Scan the entire subnet that the host is in. |
| 192.168.1.20-50 | Scan only this range. |
| 192.168.1.20-25,7.44 | Scan the range 192.168.1.20 to 25, also scan 192.168.7.44. |
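The target designations in the table above, the nmap -sn range forms and the fping -g forms earlier on the page can all be checked offline with this added Python example (not from the original page). It expands an IPv4 spec into the host list nmap -sL would print, covering CIDR, per-octet ranges, * wildcards and comma lists, and also the fping "START END" form; a spec must have exactly four dotted fields or it is rejected, and hostnames are not resolved.

```python
import ipaddress
import itertools

def _octet_values(field):
    """Expand one dotted-quad field: '5', '*', '20-50', '-50', '20-' or a
    comma-separated list of those, e.g. '12-13' or '1,3,5'."""
    values = []
    for piece in field.split(","):
        if piece == "*":
            values.extend(range(256))
        elif "-" in piece:
            lo, hi = piece.split("-", 1)
            lo = int(lo) if lo else 0      # Nmap reads '-50' as 0-50
            hi = int(hi) if hi else 255    # and '20-' as 20-255
            values.extend(range(lo, hi + 1))
        else:
            values.append(int(piece))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in field {field!r}")
    return values

def expand_target(spec):
    """Return every IPv4 address an Nmap-style target spec covers, in the
    order nmap -sL would list them. Also accepts the fping -g 'START END' form."""
    if " " in spec:                        # fping -g START END
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in spec.split())
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
    if "/" in spec:                        # CIDR; strict=False allows 192.168.1.50/24
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:                   # Nmap requires exactly four octet fields
        raise ValueError(f"unsupported target spec {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_octet_values(f) for f in fields))]

def target_count(spec):
    """Number of hosts a spec expands to; useful for sizing a scan or an alert."""
    return len(expand_target(spec))

if __name__ == "__main__":
    for spec in ("192.168.1.50", "192.168.1.0/24", "192.168.1.20-50",
                 "200.200.12-13.*", "10.54.12.0 10.54.12.255"):
        hosts = expand_target(spec)
        print(f"{spec:28} {len(hosts):5} hosts  {hosts[0]} .. {hosts[-1]}")
```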
| Scan Type | Example | Comment |
|---|---|---|
| -h | nmap -h | Help. |
| -V | nmap -V | List your Nmap version. |
| -d | nmap -d 192.168.1.50 | Enable debugging output. Lists every step Nmap is taking, along with the output. |
| -sS (TCP SYN scan) | nmap -sS 192.168.1.50 | Send a TCP SYN to see if the target port responds with a SYN/ACK (port is open) or a RST (reset; the port is closed). Also known as a half-open scan, as it does not complete the TCP 3-way handshake. This is the default for root users. |
| -sT (TCP connect scan) | nmap -sT 192.168.1.50 | Complete the TCP 3-way handshake. Nmap asks the underlying operating system to establish a connection with the target on the specified port. The default for regular (non-root) users. |
| -sV | nmap -sV 192.168.1.50 | Probe open ports to determine service version. |
| -sU (UDP scan) | nmap -sU 192.168.1.50 | Conduct a UDP scan. Because UDP does not use a handshake, a service listening on a UDP port might not send any response. Ports that send a response display as open. Ports that send no response are displayed as open\|filtered (unknown). Ports that send an ICMP port unreachable error (type 3, code 3) display as closed. Can be used with -sV to help reveal additional open ports and to differentiate whether a port is truly open or filtered. |
| -sL | nmap -sL 192.168.1.50 | List the targets that will be scanned. |
| -sA | nmap -sA www.company.tld | Find out if a host/network is protected by a firewall. "Filtered" results indicate a firewall is on. "Unfiltered" results indicate the port is accessible, but it might be open or closed (see the -p option for more information about port states). Run with the -A option to determine if accessible ports are actually open or closed (nmap -sA -A www.comptia.org). |
| Option | Example | Comment |
|---|---|---|
| -p <port range> | | Scan only the specified port(s) or port range. |
| -r | nmap -r 192.168.1.0/24 | Scan ports consecutively; do not randomize. |
| --top-ports <number> | nmap --top-ports 200 | Scan the top 200 ports. |
| -6 | | Scan IPv6 addresses. |
| -iL <inputfilename> | nmap -iL /tmp/test.txt | Scan hosts listed in a file. |
| --exclude | nmap 192.168.1.0/24 --exclude 192.168.1.5 | Exclude certain hosts from a scan. |
| -n | nmap -n 192.168.1.0/24 | Do not resolve names (saves time). |
| -R | nmap -R 192.168.1.0/24 | Attempt to resolve all names with a reverse DNS lookup. |
| -F (fast mode) | nmap -F 192.168.1.50 | Scan fewer ports than the default. |
| -O | nmap -O 192.168.1.50 | Enable OS detection (see OS Fingerprinting above). |
| -A | nmap -A 192.168.1.50 | Enable OS detection, service version detection, script scanning, and traceroute. |
| --version-intensity <level> | nmap -sV --version-intensity 9 192.168.1.50 | Set how many version probes to try, from 0 (light) to 9 (try all probes); the default is 7. |
| --script=<scriptname> | nmap --script=banner.nse 192.168.1.50 | Use an NSE script. |
| -sC | nmap -sC 192.168.1.50 | Scan using all default scripts. |
| -v | nmap -A -v 192.168.1.50 | Increase verbosity of output. |
| -vv | nmap -vv 192.168.1.50 | Very verbose output. |
| -oN/-oX/-oS/-oG/-oA <filename> | nmap 192.168.1.50 -oA results.txt | Save output in normal (-oN), XML (-oX), script kiddie (-oS) or grepable (-oG) format; -oA writes the normal, XML and grepable files at once, using <filename> as the base name. |
Bonus Tip: How to connect with freerdp command:
xfreerdp /f /u:USERNAME /p:PASSWORD /v:HOST:PORT
Happy hacking!