NMAP Network Scanning

Types of Scans

-sL = List scan. Enumerates every IP address in the target range and does a reverse-DNS lookup on each, without sending any scan probes.
-sS = TCP SYN scan. Postfix a "U" (-sSU) to add a UDP scan in the same run.
-sV = Enables version detection.

-PS, -PA, -PU, -PE = The ping (host discovery) types:
-PS = Sends TCP SYN packets.
-PA = Sends TCP ACK packets.
-PU = Sends UDP packets.
-PE = Sends a normal ICMP echo request.
Fast Ping Sweep

nmap -n -sn -PE -T5 --max-retries 0 --min-parallelism 100 -iL subnets.txt -oA nmap-pingsweep

Modifiers

-p- = Scan all 65535 ports. By default only about 1000 ports are scanned.

-A = Turns on aggressive scanning, which is -sV, -sC, -O and --traceroute all enabled together.

-T4 = Selects a timing template; the templates run from -T0 to -T5 (see Timing below).

-oA testfile = Writes the results to files named testfile in the normal, XML and grepable formats.

-O = OS detection.
Phases of an NMAP Scan

Target Enumeration = Nmap works out the list of IP addresses to scan from the targets provided.

Host Discovery = Discovers which targets are online and deserve further investigation.

Reverse-DNS Resolution = Once live hosts are known, Nmap looks up the DNS names of all hosts found online by the ping scan. Some host names give away what the host does.

Port Scanning = Probes are sent and the responses are analysed to classify each port (open, closed, filtered).

Version Detection = Probes are sent to open ports to determine the application and version listening on them.

OS Detection = Differences in how hosts respond to the probes can reveal the OS in use.

Traceroute = Finds the network route to each host.

Script Scanning = Runs Nmap Scripting Engine scripts against the hosts; custom scripts can be written.

Output = Writes the results out to the screen or to the chosen output files.
Host Discovery / Ping Scanning

-iL <file> = Read the target list from a file.
-iR <num> = Choose targets at random.

You can check what Nmap would scan with nmap -sL -n <targets>; it prints the target list without actually scanning anyone.
DNS Resolution (looking for server names)

The core routing protocol of the Internet is Border Gateway Protocol (BGP).

Options for controlling DNS lookups:
-n = No DNS resolution. DNS resolution is slow.
-R = Do DNS resolution for all IPs, even the offline ones; by default it is only done for online ones.
--system-dns = Use the system DNS resolver.
--dns-servers <server1>,<server2> = Specify your own DNS servers.

-sP = Ping scan only.
-PN = Don't perform a ping scan.

Pings (ICMP echo requests) are usually blocked by firewalls nowadays. The command
nmap -sP -PE -R -v tells Nmap to do a ping scan and a reverse-DNS lookup on all hosts, even those that appear to be down (no ping response).

-PS = Sends an empty TCP packet with the SYN flag set.
The default port is 80, but you can specify more, e.g. nmap -PS-25,80,113,1050 (ports 1-25, 80, 113 and 1050).
If the port is closed, a RST (reset) packet is sent back.
If a SYN/ACK packet is sent back, the port is open and Nmap tears the connection down with a RST packet.
If nothing comes back at all, the target is treated as down.

-PA = Sends an empty TCP packet with the ACK flag set.
Works similarly to -PS.
When -PS is blocked by a firewall, this may get through.
If a stateful firewall is in use, this is unlikely to work.

-PU = Sends an empty UDP packet.
By default it is sent to an uncommon port.
When the packet reaches a closed port, an ICMP port unreachable message is sent back.
Gets past filters that only inspect TCP.

-PE = Sends an ICMP echo request.
-PP = ICMP timestamp query.
-PM = ICMP address mask query.

-PO = IP protocol ping.

-PR = ARP scan.
--send-ip = Send raw IP packets rather than Ethernet frames.
--spoof-mac = Lets you spoof your MAC address.
Port Scanning Overview

A connection is identified by 4 elements:
1. Source IP
2. Destination IP
3. Source port
4. Destination port

The nmap-services file contains a list of ports-to-applications as a reference.

Port 0 is a wildcard port: the computer will choose an available one for you.

The reserved port range is 0-1023.
The ephemeral port range is set by the OS, usually about 32k to 65k. On Linux systems it is in /proc/sys/net/ipv4/ip_local_port_range.

Common ports (number, service = description):
21 ftp = Insecure file transfer protocol.
22 ssh = Secure remote terminal administration.
23 telnet = Insecure remote terminal administration.
25 smtp = Mail servers.
53 dns = Domain name servers run off this port.
80 http = Web servers.
113 auth = Used to authenticate mail or IRC.
256 FW1-securemote = Checkpoint Firewall-1 devices often have this administration port open.
389 ldap = Lightweight Directory Access Protocol, used to store contact information.
443 https = HTTP over SSL.
554 rtsp = Real Time Streaming Protocol, used by media servers (QuickTime and RealServer).
636 ldapssl = LDAP over SSL.
1723 pptp = Point-to-point tunnelling protocol, used by VPNs.
3389 ms-term-server = Microsoft terminal services, allowing users to access application data on a remote computer.
Port states (state = description):
Open = The port is accepting TCP or UDP connections; these are what we are looking for.
Closed = The port exists and responds to Nmap, but there is no application listening on it.
Filtered = Nmap can't determine if the port is open or closed, often due to a firewall.
Unfiltered = The port is accessible but Nmap can't determine if it is open or closed. Only the TCP ACK scan returns this state.
Open | Filtered = No response was received from the port, so Nmap can't tell whether it is open or filtered.
Closed | Filtered = Nmap is unable to determine if the port is closed or filtered. Only happens with the IP ID idle scan.

Administrators should use Nmap regularly and disable any open but unused ports.
Ensure you're on the vendor's security notification list.
Firewall rules should be added for whatever must stay exposed.

To get a time estimate while a scan is running, press ENTER.

Flags

Port scan flags begin with -s followed by the uppercase letter of the scan type, such as -sS or -sO.
Scan Types (flag = meaning):
-sS = SYN stealth scan. The default scan. Half-open: the handshake is never completed.
-sT = TCP connect scan. Used when you don't have root.
-sU = UDP port scan.
-sF, -sX, -sN = TCP FIN, Xmas and Null scans. Good for getting around firewalls; don't work well on Windows.
-sA = TCP ACK scan. Good for working out whether a firewall is stateful or not. Cannot distinguish between open and closed ports.
-sW = TCP Window scan. Similar to the ACK scan but can distinguish whether ports are open or closed.
-sM = TCP Maimon scan. Similar to the FIN scan but works against fewer hosts; more effective on the ones where it gets past the firewall.
-sI <zombie host> = TCP idle scan. The most stealthy scan.
-sO = IP protocol scan. Reports which IP protocols are supported on the host.
-b <FTP bounce proxy> = TCP FTP bounce scan. Tricks FTP servers into performing port scans by proxy; deprecated now, mostly patched.
Port Selection (flag = meaning):
-F = Fast scan. Only the 100 most common ports.
-p 22 = Scan a specific port by number.
-p ssh = Scan a specific port by name.
-p 22,25,80 = Scan a list of ports separated by commas.
-p 80-85,8000-8080 = Scan port ranges, each written with a hyphen.
-p-100,60000- = Omit the first port in a range to imply port 1, or the last to imply port 65535.
-p- = Omit both ends to scan everything (1-65535).
-p T:20,23,110,U:53,111,137,161 = Separate TCP and UDP port lists with the T: and U: prefixes.
-p 1-1013,[1024-] = Enclosing a port range in brackets causes only the ports in that range registered in nmap-services to be scanned.
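As an added example (not from the original notes or from Nmap itself), here is a parser for the -p port-specification forms listed above, including the open-ended, bracketed and T:/U: forms; the SERVICE_NAMES table standing in for nmap-services is a constructed subset.

```python
"""Parse Nmap -p port specifications into concrete port sets.

Added example, not Nmap's own code. Supports the forms listed in the notes:
single ports, names, comma lists, A-B ranges, open-ended ranges (-100 and
60000-), the bare '-' for 1-65535, T:/U: protocol prefixes and [bracketed]
ranges restricted to ports registered in nmap-services. SERVICE_NAMES is a
constructed stand-in for the real nmap-services file (assumption).
"""
from typing import Dict, Set

SERVICE_NAMES: Dict[str, int] = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "dns": 53, "http": 80,
    "auth": 113, "ldap": 389, "https": 443, "rtsp": 554, "ldapssl": 636,
    "pptp": 1723, "ms-term-server": 3389,
}
REGISTERED_PORTS: Set[int] = set(SERVICE_NAMES.values())


def _expand_item(item: str) -> Set[int]:
    """Expand one comma-separated element: N, A-B, -B, A-, '-', [range] or a name."""
    if item.startswith("[") and item.endswith("]"):
        # Bracketed range: keep only ports that nmap-services knows about.
        return _expand_item(item[1:-1]) & REGISTERED_PORTS
    if item == "-":
        return set(range(1, 65536))          # '-p-' scans everything
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1        # '-100'   -> 1-100
        hi = int(hi_s) if hi_s else 65535    # '60000-' -> 60000-65535
    elif item.isdigit():
        lo = hi = int(item)
    elif item.lower() in SERVICE_NAMES:
        lo = hi = SERVICE_NAMES[item.lower()]
    else:
        raise ValueError(f"unknown port or service name: {item!r}")
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {'T': tcp ports, 'U': udp ports, 'any': unprefixed ports}.

    A T: or U: prefix applies to every following element until the next
    prefix, as in -pT:20,23,110,U:53,111,137,161. Elements given before any
    prefix are returned under 'any' (Nmap applies them to each protocol the
    scan actually runs).
    """
    result: Dict[str, Set[int]] = {"T": set(), "U": set(), "any": set()}
    proto = "any"
    for raw in spec.replace(" ", "").split(","):
        if ":" in raw:
            prefix, raw = raw.split(":", 1)
            proto = prefix.upper()
            if proto not in ("T", "U"):
                raise ValueError(f"unknown protocol prefix: {prefix!r}")
        if not raw:
            raise ValueError("empty port element")
        result[proto] |= _expand_item(raw)
    return result


def probe_count(spec: str) -> int:
    """Number of distinct (protocol, port) entries a spec produces."""
    return sum(len(ports) for ports in parse_port_spec(spec).values())


if __name__ == "__main__":
    for s in ("22", "ssh", "80-85,8000-8080", "-100,60000-", "-",
              "T:20,23,110,U:53,111,137,161", "1-1013,[1024-]"):
        print(f"{s:32} -> {probe_count(s)} ports")
```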
Time Selection (flag = meaning):
s, m, h = All times are in milliseconds unless you append a unit for seconds, minutes or hours.
-T0 through -T5 = From very slow (T0) to extremely aggressive (T5).
--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout = The minimum, maximum and initial amount of time Nmap will wait for a port scan probe to respond.
--host-timeout = Tells Nmap to give up on hosts that take more than the given amount of time to scan.
--min-rate, --max-rate = Set the floor and ceiling for the number of packets sent per second.
--max-retries = Maximum number of retransmissions per port.
--min-hostgroup, --max-hostgroup = Minimum and maximum number of hosts Nmap will port scan in parallel.
--min-parallelism, --max-parallelism = Limit the minimum or maximum number of port scan probes Nmap will have outstanding.
--scan-delay, --max-scan-delay = How long Nmap should wait between sending probes to an individual host.

Port Scanning Techniques and Algorithms

Output Options (flag = meaning):
-v = Verbose mode.
-d 0-9 = Debugging mode; the higher the number, the more information is shown.
--packet-trace = Nmap prints a summary of every packet sent and received.
-oN <filename> = Normal Nmap output written to the named file.
-oX <filename> = XML output.
-oG <filename> = Grepable output.
-oA <filename> = Output in all three formats.
--resume <filename> = Continue an aborted scan from its output file.
--append-output = Append to an existing output file rather than overwriting it.
--open = Only show open ports in the interesting ports table.
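The following is an added example, not part of the notes or of Nmap: it parses grepable (-oG) output and reports open ports that are not on a per-host allow-list, which is the check an administrator running regular scans would want to automate. The .gnmap excerpt and the allow-list are both constructed.

```python
"""Parse Nmap grepable (-oG / the .gnmap file from -oA) output and flag
open ports that a host is not supposed to expose.

Added example, not part of the notes or of Nmap itself. The .gnmap excerpt
and the per-host allow-list below are constructed; in practice the list is
whatever your change records say each host should be serving.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample in grepable format: tab-separated 'Key: value' fields,
# with each 'Ports:' entry as port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -sU -sV -oG out.gnmap 10.0.0.0/29
Host: 10.0.0.5 (web.example)\tStatus: Up
Host: 10.0.0.5 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.24/, 8080/open/tcp//http-proxy///, 23/closed/tcp//telnet///\tIgnored State: filtered (996)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 53/open|filtered/udp//domain///\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""


class PortRecord(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


_HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text: str) -> List[PortRecord]:
    """Return one PortRecord per entry found on 'Ports:' lines."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m is None:
            continue                          # comment / header / footer lines
        host = m.group(1)
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        ports_field = fields.get("Ports")
        if not ports_field:
            continue                          # 'Status: Up' lines carry no ports
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue                      # malformed entry: skip, don't guess
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            records.append(PortRecord(host, int(port), proto, state, service, version))
    return records


def unexpected_open(records: List[PortRecord],
                    allowed: Dict[str, Set[Tuple[str, int]]]) -> List[PortRecord]:
    """open and open|filtered ports not in the host's allow-list of (proto, port)."""
    return [r for r in records
            if r.state.startswith("open")
            and (r.proto, r.port) not in allowed.get(r.host, set())]


# Assumed policy: what each host is meant to expose (constructed).
ALLOWED: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.5": {("tcp", 22), ("tcp", 80)},
    "10.0.0.9": {("tcp", 3389)},
}

if __name__ == "__main__":
    for r in unexpected_open(parse_gnmap(SAMPLE_GNMAP), ALLOWED):
        print(f"{r.host}: {r.port}/{r.proto} {r.state} {r.service} {r.version}".rstrip())
```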
Miscellaneous Options (flag = meaning):
-6 = Tells Nmap to scan the target using IPv6.
-r = Causes Nmap to scan ports in numerical order; by default they are scanned in a random order.
-PN = Skip the ping test and scan every target.
--reason = Adds a column to the interesting ports table explaining why each port was given its state.

ICMP Type Codes (these are the codes carried by ICMP destination unreachable messages; code = meaning):
0 = Network unreachable.
1 = Host unreachable.
2 = Protocol unreachable.
3 = Port unreachable.
4 = Fragmentation needed but don't-fragment bit set.
5 = Source route failed.
6 = Destination network unknown.
7 = Destination host unknown.
8 = Source host isolated (obsolete).
9 = Destination network administratively prohibited.
10 = Destination host administratively prohibited.
11 = Network unreachable for type of service (TOS).
12 = Host unreachable for TOS.
13 = Communication administratively prohibited by filtering.
14 = Host precedence violation.
15 = Precedence cutoff in effect.

FIN / NULL / XMAS Scan

Any TCP packet not containing the SYN, RST or ACK bits will get a RST back if the port is closed and no response if the port is open.

As long as those three bits are clear, any combination of the other bits (FIN, PSH, URG) is fine.

-sN = Null scan. Does not set any bits; the TCP flags header is 0.
-sF = FIN scan. Sets only the TCP FIN bit.
-sX = Xmas scan. Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.

They are good at sneaking through non-stateful firewalls.

Most big OSes, Microsoft Windows included, deviate from the RFC standard and just return a RST packet on all ports, so these scans cannot tell open from closed there.

--scan-flags <flags> = You can build your own probe by concatenating flag names, e.g.:
--scan-flags URGACKPSHRSTSYNFIN

TCP ACK Scan (-sA)

Only the ACK flag is set by default.
On unfiltered systems both open and closed ports return a RST packet.
Such ports are reported as unfiltered: they are reachable by the ACK packet, but Nmap cannot tell whether they are open or closed.

Ports that don't respond, or that send back certain ICMP error messages, are reported as filtered.

Combine FIN and ACK scans to see if ports are open.

If one scan identifies a port as open|filtered (FIN scan) and another identifies it as unfiltered, i.e. open or closed (ACK scan), the intersection of the two results tells you which ports are open.
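Added example (not from the original notes): the rule above, no SYN/RST/ACK means no legitimate flow, makes FIN/NULL/Xmas and custom --scan-flags probes easy to pick out in packet logs. The detector below classifies tcpdump-style lines by TCP flags and reports sources that probe several distinct ports; the log lines are constructed.

```python
"""Spot FIN / NULL / Xmas style probes in tcpdump-format log lines.

Added example, not from the original notes. It applies the rule stated in the
notes: a TCP segment carrying none of SYN, RST or ACK belongs to no normal
handshake or established flow, so each one is a probe candidate, and a source
sending them to several distinct ports is almost certainly scanning. The log
lines below are constructed in tcpdump's default text format.
"""
import re
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed sample: 198.51.100.7 sends NULL, FIN and Xmas probes to 10.0.0.5,
# mixed with an ordinary handshake and close from 203.0.113.9.
SAMPLE_LOG = """\
12:00:01.000100 IP 198.51.100.7.40001 > 10.0.0.5.22: Flags [none], win 1024, length 0
12:00:01.000200 IP 198.51.100.7.40001 > 10.0.0.5.80: Flags [none], win 1024, length 0
12:00:01.000300 IP 198.51.100.7.40001 > 10.0.0.5.443: Flags [F], seq 0, win 1024, length 0
12:00:01.000400 IP 198.51.100.7.40001 > 10.0.0.5.8080: Flags [FPU], seq 0, win 1024, length 0
12:00:01.000500 IP 10.0.0.5.22 > 198.51.100.7.40001: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:02.000000 IP 203.0.113.9.51522 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000100 IP 10.0.0.5.443 > 203.0.113.9.51522: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000200 IP 203.0.113.9.51522 > 10.0.0.5.443: Flags [.], ack 3, win 502, length 0
12:00:02.500000 IP 203.0.113.9.51522 > 10.0.0.5.443: Flags [F.], seq 2, ack 3, win 502, length 0
"""

_LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")


def classify_flags(flags: str) -> str:
    """Map a tcpdump flag string to a probe label, or '' for normal traffic.

    tcpdump letters: S=SYN, F=FIN, P=PSH, R=RST, U=URG, '.'=ACK; 'none' = no bits set.
    """
    bits = set() if flags == "none" else set(flags)
    if bits & {"S", "R", "."}:
        return ""                                # part of a normal flow
    if not bits:
        return "NULL"
    if bits == {"F"}:
        return "FIN"
    if bits == {"F", "P", "U"}:
        return "XMAS"
    return "CUSTOM:" + "".join(sorted(bits))     # e.g. a --scan-flags combination


def find_stealth_scanners(log: str, min_ports: int = 3) -> Dict[str, Dict[str, set]]:
    """Sources that sent SYN/RST/ACK-less probes to at least min_ports distinct ports."""
    seen: Dict[str, Tuple[Set[int], Set[str]]] = defaultdict(lambda: (set(), set()))
    for line in log.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue                             # not a TCP line we understand
        label = classify_flags(m.group("flags"))
        if not label:
            continue
        ports, types = seen[m.group("src")]
        ports.add(int(m.group("dport")))
        types.add(label)
    return {src: {"ports": ports, "types": types}
            for src, (ports, types) in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, info in find_stealth_scanners(SAMPLE_LOG).items():
        print(f"{src}: {sorted(info['types'])} probes to ports {sorted(info['ports'])}")
```

The threshold on distinct ports is what keeps a single stray malformed segment from raising an alert; tune min_ports to the noise level of the link being watched.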
TCP Window Scan (-sW)

The same as an ACK scan, but it looks at the TCP window size in the RST replies to differentiate whether the port is actually open or closed. Not very effective.

TCP Maimon Scan (-sM)

A FIN/ACK packet is sent. The RFC says the target should send a RST in response, but some BSD-derived systems simply drop the packet.

TCP Idle Scan (-sI <zombie host>)

Performs the scan through a third-party "zombie" host.

Steps:
1. Probe the zombie's IP ID and record it.
2. Forge a SYN packet from the zombie and send it to the desired port on the target. The zombie's IP ID may or may not be incremented.
3. Probe the zombie's IP ID again.
   3a. An increase of 1 means the zombie has not sent out any packets except the reply to your probe: the port is closed.
   3b. An increase of 2 means the zombie sent out an extra packet: the port is open.

A very stealthy scan.

Nmap's decoy scan (-D) is similar in spirit to the idle scan but less stealthy.

If you can spoof internal web servers you may be able to exploit trust relationships.

Sometimes an IPS blocks this kind of spoofing.

A good zombie host needs the following properties:
1. It assigns IP IDs incrementally on a global basis (not per connection).
2. It should be idle.
3. Low latency.

Use -O OS identification on the network to find idle printers and other networked devices.

Use -PN to skip the ping probes, which would otherwise be sent from your own address and give away your location.

IP Protocol Scan (-sO)

Detects which IP protocols are supported by the host (TCP, ICMP, IGMP etc.).

TCP FTP Bounce Scan (-b)

FTP has a proxy feature where you connect with one connection and have files sent to a different host.

You send files from the FTP server to a host to see if its ports are open; a good way to bypass firewalls.

Format: -b <username>:<password>@<server>:<port>

Timing

Timing templates: -T0 -T1 -T2 -T3 -T4 -T5

Template         -T0        -T1      -T2      -T3      -T4         -T5
Name             Paranoid   Sneaky   Polite   Normal   Aggressive  Insane
min-rtt-timeout  100        100      100      100      100         50
max-rtt-timeout  300,000    15,000   10,000   10,000   1250        300
(all values in milliseconds)

NMAP Technique

How version detection proceeds for each port:
1. Check whether the port is on the exclude list.
2. If it is a TCP port, Nmap attempts to connect to it or does a stealth scan.
3. Nmap then listens for a service banner for 5 seconds; this is the NULL probe, as no data is sent.
   3a. If the service is identified, probing is done for this port.
4. UDP port probing begins now.
   4a. Combining version detection with UDP scans can be very rewarding.
5. UDP NULL probe.

Rarity

Each version-detection probe has a rarity value describing how likely it is to return useful information:

--version-intensity <0-9> = Zero sends only the NULL probe; 9 tries everything.
--version-light = Sets the intensity to 2.
--version-all = Sets the intensity to 9.

RPC (Sun Remote Procedure Call)

rpcinfo -p ultra

Directives of the nmap-service-probes file:

Exclude <port>

Exclude 53 = excludes a port from version detection.

Probe <protocol> <probe name> <probe send string>

Protocol = TCP or UDP only.
Probe name = Plain English, such as 'GetRequest' or 'DNSStatusRequest'.
Probe string = Starts with a q followed by a delimiter, such as q|GET / HTTP/1.0\r\n\r\n|

Match <service> <pattern> [<version info>]

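Added example, not Nmap's own code: a minimal reader for the Exclude, Probe and match directives above, applied to constructed banners. It assumes the nmap-service-probes syntax (lowercase match, q|...| probe strings, m|...| patterns with optional i/s flags, p/.../ v/.../ version fields with $N back-references); the probe excerpt is constructed.

```python
"""Minimal reader for nmap-service-probes style Exclude / Probe / match lines.

Added example, not Nmap's own implementation. Assumed syntax: lowercase
'match', probe strings in q|...| with C-style escapes, patterns in m|...| with
optional i/s flags, and version fields such as p/product/ v/$1/ where $N is a
capture group. The probe excerpt and the banners matched are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_PROBES = r"""
# constructed excerpt in nmap-service-probes syntax
Exclude T:9100-9107,U:9100
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/
"""


@dataclass
class Match:
    service: str
    pattern: "re.Pattern[str]"
    version_fields: Dict[str, str]          # e.g. {'p': 'nginx', 'v': '$1'}


@dataclass
class Probe:
    protocol: str
    name: str
    send: bytes                             # decoded probe string, b'' for NULL
    matches: List[Match] = field(default_factory=list)


_VERSION_FIELD_RE = re.compile(r"([pvihod])/([^/]*)/")


def _parse_ports(spec: str) -> Set[Tuple[str, int]]:
    """'T:9100-9107,U:9100' -> {('T', 9100), ..., ('U', 9100)}; no prefix = both."""
    out: Set[Tuple[str, int]] = set()
    protos: Tuple[str, ...] = ("T", "U")
    for item in spec.split(","):
        if ":" in item:
            prefix, item = item.split(":", 1)
            protos = (prefix.upper(),)
        lo, _, hi = item.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            out.update((p, port) for p in protos)
    return out


def _parse_match(line: str) -> Match:
    """match <service> m<delim>regex<delim>[flags] [version fields]"""
    _, service, rest = line.split(maxsplit=2)
    delim = rest[1]                          # rest looks like m|regex|...
    end = rest.index(delim, 2)
    regex, tail = rest[2:end], rest[end + 1:]
    flags = 0
    while tail and tail[0] in "is":
        flags |= re.I if tail[0] == "i" else re.S
        tail = tail[1:]
    return Match(service, re.compile(regex, flags), dict(_VERSION_FIELD_RE.findall(tail)))


def parse_service_probes(text: str) -> Tuple[List[Probe], Set[Tuple[str, int]]]:
    """Return (probes in file order, excluded (proto, port) pairs)."""
    probes: List[Probe] = []
    excluded: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Exclude "):
            excluded |= _parse_ports(line[len("Exclude "):])
        elif line.startswith("Probe "):
            _, proto, name, q = line.split(maxsplit=3)
            raw = q[2:q.index(q[1], 2)]      # q|...| with any delimiter char
            send = raw.encode("latin-1").decode("unicode_escape").encode("latin-1")
            probes.append(Probe(proto, name, send))
        elif line.startswith("match ") and probes:
            probes[-1].matches.append(_parse_match(line))
    return probes, excluded


def identify(banner: bytes, probe: Probe) -> Optional[Dict[str, str]]:
    """Apply a probe's match lines to a banner; the first hit wins, as in Nmap."""
    text = banner.decode("latin-1")
    for m in probe.matches:
        hit = m.pattern.search(text)
        if hit is None:
            continue
        info = {"service": m.service}
        for key, value in m.version_fields.items():
            info[key] = re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", value)
        return info
    return None


if __name__ == "__main__":
    probes, excluded = parse_service_probes(SAMPLE_PROBES)
    print(identify(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n", probes[0]))
    print(identify(b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n", probes[1]))
```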
OS Detection

Device type = High-level classification, e.g. printer, desktop, firewall, router.

Running = Operating system and version, if detected.

OS Details = More details about the OS.

Uptime guess = Looks at the host's TCP timestamp counter to estimate how long it has been online.

Network Distance = How many hops between you and the target host.

TCP Sequence Prediction = How easy the TCP initial sequence numbers are to guess (trivial joke / easy / medium / formidable / worthy challenge / good luck!).

TCP Sequence Generation = Information about how the sequence numbers are generated.

Nmap Scripting Engine

Activate it with -sC or --script.

Two types of scripts: service scripts and host scripts. Service scripts run against each matching port; host scripts run once per host.

Script categories:
auth = Attempts to determine authentication credentials through brute force.
default = General scripts, run by -sC.
discovery = Try to find more information about the target.
external = Send data to a third party (e.g. whois).
intrusive = Risk of crashing the target.
malware = Test whether the target is infected with malware.
safe = Less likely to crash the host.
version = Attempt to detect versions.
vuln = Check for known vulnerabilities.

-sC performs a script scan using the default scripts.

--script <script category> | <directory> | <filename> | all
is more specific.

Scripts use the .nse file extension.

--script-args provides arguments to the scripts.

--script-trace prints all network traffic generated by the scripts.

NSE Scripts

Example scripts (script, categories = description; parameter):
asn-query.nse (discovery, external) = Finds locations. Parameter: IP address.
pop3-brute.nse (intrusive, auth) = Attempts to log into POP3 accounts by guessing passwords. Parameter: IP address.
sniffer-detect.nse (discovery) = Detects whether the target's network card is in promiscuous mode. Parameter: IP address.
sql-injection.nse (intrusive, vuln) = Targets a web server to detect URLs that are vulnerable to SQL injection. Parameter: IP address.

Detecting and Subverting Firewalls and Intrusion Detection Systems (IDS)

Look at the "Not shown: xxx filtered ports" line in the results; it indicates a deny-by-default rule.

Intrusion detection systems can sometimes forge packets, but this speeds up a scan as Nmap doesn't have to wait for the connection timeout.

Mac Spoofing

The --spoof-mac option can be used to spoof the address.
The first 3 bytes of a MAC address are assigned to hardware vendors by the IEEE; the remaining bytes are assigned by the vendor. It's easy to change your MAC address.

MAC-based authentication is very weak.

Vendor names such as "Apple" can be given to --spoof-mac instead of a full address.

Intrusion Detection Evasion

Watch for unexplained TTL jumps; IDS devices often mess them up.

Watch out if the network scans you back after a scan: this could be an IDS.

Slowing scans down makes them less likely to be noticed.

Fragmenting packets can often help.

Use decoys: -D RND:<num of decoys> mixes your scan with spoofed ones. Decoys should be online.
You can use -S <IP> to spoof an innocent IP address as the source.
Page of12 12

Mais conteúdo relacionado

Mais procurados

Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
Utkarsh Verma
 

Mais procurados (20)

NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Nmap
NmapNmap
Nmap
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Nmap
NmapNmap
Nmap
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Nmap 9 truth "Nothing to say any more"
Nmap 9 truth "Nothing to say  any more"Nmap 9 truth "Nothing to say  any more"
Nmap 9 truth "Nothing to say any more"
 
Nmap Basics
Nmap BasicsNmap Basics
Nmap Basics
 
Zen map
Zen mapZen map
Zen map
 
The magic of ettercap
The magic of ettercapThe magic of ettercap
The magic of ettercap
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Netcat
NetcatNetcat
Netcat
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 

Destaque

Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...
Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...
Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...
Lightbend
 
Vip genial 3 ejercicios con nmap fantastico-231095402-nmap-1
Vip genial 3 ejercicios con nmap  fantastico-231095402-nmap-1Vip genial 3 ejercicios con nmap  fantastico-231095402-nmap-1
Vip genial 3 ejercicios con nmap fantastico-231095402-nmap-1
xavazquez
 

Destaque (19)

Nmap
NmapNmap
Nmap
 
Taller: Exploración de redes con Nmap
Taller: Exploración de redes con NmapTaller: Exploración de redes con Nmap
Taller: Exploración de redes con Nmap
 
Que es y como usar nmap
Que es y como usar nmapQue es y como usar nmap
Que es y como usar nmap
 
Glint with Apache Spark
Glint with Apache SparkGlint with Apache Spark
Glint with Apache Spark
 
Apache Spark: Coming up to speed
Apache Spark: Coming up to speedApache Spark: Coming up to speed
Apache Spark: Coming up to speed
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
 
Analizadores de Protocolos
Analizadores de ProtocolosAnalizadores de Protocolos
Analizadores de Protocolos
 
Hadoop and Big Data Overview
Hadoop and Big Data OverviewHadoop and Big Data Overview
Hadoop and Big Data Overview
 
Apache Spark and Oracle Stream Analytics
Apache Spark and Oracle Stream AnalyticsApache Spark and Oracle Stream Analytics
Apache Spark and Oracle Stream Analytics
 
A Deep Dive into Structured Streaming in Apache Spark
A Deep Dive into Structured Streaming in Apache Spark A Deep Dive into Structured Streaming in Apache Spark
A Deep Dive into Structured Streaming in Apache Spark
 
Apache Kafka lessons learned @PAYBACK
Apache Kafka lessons learned @PAYBACKApache Kafka lessons learned @PAYBACK
Apache Kafka lessons learned @PAYBACK
 
Dive into Spark Streaming
Dive into Spark StreamingDive into Spark Streaming
Dive into Spark Streaming
 
Exploring language classification with spark and the spark notebook
Exploring language classification with spark and the spark notebookExploring language classification with spark and the spark notebook
Exploring language classification with spark and the spark notebook
 
Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...
Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...
Building Streaming And Fast Data Applications With Spark, Mesos, Akka, Cassan...
 
Double Your Hadoop Hardware Performance with SmartSense
Double Your Hadoop Hardware Performance with SmartSenseDouble Your Hadoop Hardware Performance with SmartSense
Double Your Hadoop Hardware Performance with SmartSense
 
Apache ® Spark™ MLlib 2.x: How to Productionize your Machine Learning Models
Apache ® Spark™ MLlib 2.x: How to Productionize your Machine Learning ModelsApache ® Spark™ MLlib 2.x: How to Productionize your Machine Learning Models
Apache ® Spark™ MLlib 2.x: How to Productionize your Machine Learning Models
 
Vip genial 3 ejercicios con nmap fantastico-231095402-nmap-1
Vip genial 3 ejercicios con nmap  fantastico-231095402-nmap-1Vip genial 3 ejercicios con nmap  fantastico-231095402-nmap-1
Vip genial 3 ejercicios con nmap fantastico-231095402-nmap-1
 
Nmap
NmapNmap
Nmap
 

Semelhante a Nmap Hacking Guide

Nmap Discovery
Nmap DiscoveryNmap Discovery
Nmap Discovery
Tai Pan
 
3 scanning-ger paoctes-pub
3  scanning-ger paoctes-pub3  scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
Cassio Ramos
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
Ishraq Al Fataftah
 
Computer network (6)
Computer network (6)Computer network (6)
Computer network (6)
NYversity
 
Tcp Ip Overview
Tcp Ip OverviewTcp Ip Overview
Tcp Ip Overview
Amir Malik
 

Semelhante a Nmap Hacking Guide (20)

Using metasploit
Using metasploitUsing metasploit
Using metasploit
 
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Nmap5.cheatsheet.eng.v1
Nmap5.cheatsheet.eng.v1Nmap5.cheatsheet.eng.v1
Nmap5.cheatsheet.eng.v1
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information Gathering
 
Network for amin
Network for aminNetwork for amin
Network for amin
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Nmap Discovery
Nmap DiscoveryNmap Discovery
Nmap Discovery
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academy
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3
 
3 scanning-ger paoctes-pub
3  scanning-ger paoctes-pub3  scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
NMAP1.ppt
NMAP1.pptNMAP1.ppt
NMAP1.ppt
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019
 
Packet sniffingin switch lans
Packet sniffingin switch lansPacket sniffingin switch lans
Packet sniffingin switch lans
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Chapter 6 firewall
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewall
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Computer network (6)
Computer network (6)Computer network (6)
Computer network (6)
 
Tcp Ip Overview
Tcp Ip OverviewTcp Ip Overview
Tcp Ip Overview
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Nmap Hacking Guide

  • 1. NMAP Network Scanning! ! Types of Scans ! -sL = List scan, enumerates every IP address and does a reverse-DNS lookup. ! -sS = TCP SYN scan. Can postfix a “U” on the end to do a UDP scan. ! -sV = Enabled version detection. ! ! -PS, -PA, -PU, -PE = All ping types. ! -PS = Sends TCP SYN packets.! -PA = Sends TCP ACK packets. ! -PU = Sends UDP packets.! -PE = Send normal ICMP echo request. Fast Ping Sweep nmap -n -sn -PE -T5 --max-retries 0 --min-parallelism 100 -iL subnets.txt -oA nmap-pingsweep !Modifiers ! -p- = Scan all 65535 ports. The default is only to scan about 1000. ! ! -A = Turns on aggressive scanning which is -sV, -sC, -O and - -traceroute all flagged on. ! ! -T4 = Specifies timing from 1 - 5. ! ! -oA testfile = Outputs the rest results to a file called testfile with normal extension, XML extension and grepable extension. ! ! -O = OS detection.! ! Phases of an NMAP Scan ! Target Enumeration = NMAP researches the IP addresses provided. ! ! Host Discovery = Discover which targets are online and deserve further investigation. ! ! Reverse-DNS Resolution = Once hosts are determined it looks up the DNS names of all hosts found online via a ping scan. Some host names say what they do. ! ! Port Scanning = Probes are sent and responses (open, closed, filtered) are analysed. ! ! Version Detection = Probes are sent to ports to determine the application versions. ! ! OS Detection = Different configurations in the responses can reveal the OS in use.! ! Traceroute = It can find network routes. ! ! Script Scanning = Can build custom scripts. ! ! Output = Output the contents to external media. ! ! Page of1 12
Host Discovery Ping Scanning

-iL = You can provide a list of targets in a file.
-iR = Lets you scan random targets.

You can test which targets nmap would scan using nmap -sL -n <targets>; it shows the list without actually scanning anyone.

DNS Resolution (looking for server names)

The core routing protocol is Border Gateway Protocol (BGP).

Commands for controlling DNS lookups:
-n = No DNS resolution. DNS resolution is slow.
-R = Do DNS resolution for all IPs, even the offline ones; by default it is only done for online ones.
--system-dns = Use the system DNS resolver.
--dns-servers <server1>,<server2> = Specify your own DNS servers.

-sP = Ping scan only.
-PN = Don't perform a ping scan.

Pings (ICMP echo requests) are usually blocked by firewalls nowadays. The command
nmap -sP -PE -R -v tells NMAP to do a ping and reverse DNS lookup scan on all hosts, even if they appear to be down (no ping response).

-PS = Sends an empty TCP packet with the SYN flag set.
The default port is 80 but you can specify more using: nmap -PS-25,80,113,1050 etc.
If the port is closed a RST (reset) packet will be sent back.
If a SYN/ACK packet comes back the port is open and NMAP will tear down the connection with a RST packet.
If nothing happens (no packet is returned) the port is down.

-PA = Sends an empty TCP packet with the ACK flag set.
Works similarly to -PS.
When -PS is blocked by a firewall, this may get through.
If a stateful firewall is in use, this is unlikely to work.

-PU = Sends an empty UDP ping.
By default it is sent to an uncommon port.
When the packet hits a closed port an ICMP port unreachable packet is sent back.
Bypasses all TCP filters.

-PE = Sends an ICMP echo ping request.
-PP = ICMP timestamp query.
-PM = ICMP address mask query.

-PO = IP protocol ping.

-PR = ARP scan.
--send-ip = Send raw IP packets rather than ethernet ones.
--spoof-mac = Lets you spoof your MAC address.
Port Scanning Overview

A TCP or UDP connection is identified by 4 elements:
1. Source IP
2. Destination IP
3. Source port
4. Destination port

The nmap-services file contains a list of ports-to-applications as a reference.

Port 0 is a wildcard port and the computer will choose an available one for you.

The reserved port range is 0-1023.
The ephemeral port range is specified by the OS, usually ~32k - ~65k. On Linux systems it is located in /proc/sys/net/ipv4/ip_local_port_range.

Common Ports (Port Number, Service = Description)
21 ftp = Insecure file transfer protocol.
22 ssh = Secure remote terminal administration.
23 telnet = Insecure remote terminal administration.
25 smtp = Mail servers.
53 dns = Domain name servers run off this port.
80 http = Web servers.
113 auth = Used to authenticate mail or IRC.
256 FW1-securemote = Checkpoint Firewall-1 devices often have this administration port open.
389 ldap = Lightweight Directory Access Protocol is used to store contact information.
443 https = HTTP over SSL.
554 rtsp = Real Time Streaming Protocol used by media servers (QuickTime and RealServer).
636 ldapssl = LDAP over SSL.
1723 pptp = Point-to-point tunnelling protocol used by VPNs.
3389 ms-term-server = Microsoft terminal services allow users to access application data on a remote computer.

Port States (Port State = Description)
Open = Open ports accepting TCP or UDP connections are what we are looking for.
Closed = The port exists and responds to NMAP but there is no application listening on that port.
Filtered = NMAP can't determine if the port is open or closed, often due to a firewall.
Port States (continued from the previous page)
Unfiltered = The port is accessible but NMAP can't determine if it is open or closed. The TCP ACK scan is the only scan type that returns this state.
Open|Filtered = No response is given from the port, so NMAP can't figure out if it is open or filtered.
Closed|Filtered = NMAP is unable to determine if the port is closed or filtered. Only happens with the IP ID Idle scan.

Administrators should use NMAP often and disable any open and unused ports.
Ensure you're on the vendor's security notification list.
Firewall rules should be added.

To get a time estimate while a scan is running, press ENTER.

Flags

Port scans use flags beginning with -s followed by the uppercase first letter of the scan type, such as -sS or -sO.

Scan Types (Flag = Meaning)
-sS = SYN stealth scan. Default scan. Half-open connect.
-sT = TCP connect scan. Used when you don't have root.
-sU = UDP port scan.
-sF, -sX, -sN = TCP FIN, Xmas and Null scans. Good for getting around firewalls; don't work well on Windows.
-sA = TCP ACK scan. Good for distinguishing whether a firewall is stateful or not. Cannot distinguish between open and closed ports.
-sW = TCP Window scan. Similar to the ACK scan but can distinguish whether ports are open or closed.
-sM = TCP Maimon scan. Similar to the FIN scan but works against fewer hosts; more effective on the ones where it gets past the firewall.
-sI <zombie host> = TCP Idle scan. The most stealthy scan.
-sO = IP protocol scan. Reports back which protocols are supported on the host.
-b <FTP bounce proxy> = TCP FTP Bounce scan. Tricks FTP servers into performing port scans by proxy. Deprecated now, mostly patched.
Port Selection (Flag = Meaning)
-F = Fast scan. Only the first 100 ports.
-p 22 = Scan a specific port by number.
-p ssh = Scan a specific port by name.
-p 22,25,80 = Scan a list of ports separated by commas.
-p 80-85,8000-8080 = Scan port ranges, each written with a hyphen.
-p-100,60000- = You can omit the first port in a range to imply port 1, or the last port to imply port 65535.
-p- = Omit the whole range to scan everything.
-p T:20,23,110,U:53,111,137,161 = Separate TCP and UDP ports using the T: and U: prefixes.
-p 1-1013,[1024-] = Enclosing port ranges in brackets will cause only those registered in nmap-services to be scanned.

Time Selection (Flag = Meaning)
s, m, h = All times are in milliseconds unless you append s, m or h for seconds, minutes or hours.
-T0 through -T5 = From very slow (T0) to extremely aggressive (T5).
--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout = The min, max and initial amount of time NMAP will wait for a port scan probe to respond.
--host-timeout = Tell nmap to give up on hosts that take more than the given amount of time to scan.
--min-rate, --max-rate = Sets the floor and ceiling for the number of packets to be sent per second.
--max-retries = Maximum number of retransmissions per port.
--min-hostgroup, --max-hostgroup = Min and max number of hosts Nmap will port scan in parallel.
--min-parallelism, --max-parallelism = Limits the min or max number of port scan probes nmap will have outstanding.
--scan-delay, --max-scan-delay = How long nmap should wait between sending probes to individual hosts.
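As an added example (not from the guide), a parser for the -p syntax listed above, checked against a small constructed subset of nmap-services; the bracket form keeps only ports present in that table.

```python
import re

# Constructed subset of nmap-services: (service name, protocol) -> port.
NMAP_SERVICES = {
    ("ftp", "tcp"): 21, ("ssh", "tcp"): 22, ("telnet", "tcp"): 23,
    ("smtp", "tcp"): 25, ("domain", "tcp"): 53, ("domain", "udp"): 53,
    ("http", "tcp"): 80, ("https", "tcp"): 443, ("pptp", "tcp"): 1723,
    ("ms-wbt-server", "tcp"): 3389, ("rpcbind", "udp"): 111,
    ("snmp", "udp"): 161,
}


def _expand(token: str, proto: str, registered_only: bool) -> set[int]:
    """Expand one item: a port number, a service name, or a range whose
    ends may be omitted (missing start = 1, missing end = 65535)."""
    m = re.fullmatch(r"(\d*)-(\d*)", token)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else 65535
    elif token.isdigit():
        lo = hi = int(token)
    else:
        port = NMAP_SERVICES.get((token, proto))
        if port is None:
            raise ValueError(f"unknown {proto} service name {token!r}")
        lo = hi = port
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {token!r}")
    ports = set(range(lo, hi + 1))
    if registered_only:
        # [range] form: keep only ports that nmap-services lists for this protocol
        ports &= {p for (_, pr), p in NMAP_SERVICES.items() if pr == proto}
    return ports


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {'tcp': ports, 'udp': ports} for the argument given to -p."""
    result: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"  # ports are TCP until a T: or U: prefix switches the protocol
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if len(item) > 2 and item[1] == ":" and item[0] in "TU":
            proto = "tcp" if item[0] == "T" else "udp"
            item = item[2:]
        registered_only = item.startswith("[") and item.endswith("]")
        if registered_only:
            item = item[1:-1]
        result[proto] |= _expand(item, proto, registered_only)
    return result
```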
Port Scanning Techniques and Algorithms

Output Options (Flag = Meaning)
-v = Verbose mode.
-d 0-9 = Debugging mode; the higher the number, the more information is shown.
--packet-trace = Nmap prints a summary of every packet sent and received.
-oN <filename> = Prints output in the standard nmap format. Requires a filename.
-oX <filename> = XML output.
-oG <filename> = Grepable output.
-oA <filename> = Output to all formats.
--resume <filename> = Resume an aborted scan from its output file.
--append-output = Append to existing output files.
--open = Only show open ports in the nmap interesting ports table.

Miscellaneous Options (Flag = Meaning)
-6 = Tells nmap to scan the target using IPv6.
-r = Causes nmap to scan ports in numerical order; by default the ports are scanned in a random order.
-PN = Skip the ping test and scan every target.
--reason = Adds a column to the interesting ports table describing why a port is in the state reported.

ICMP Destination Unreachable (Type 3) Codes (Code = Meaning)
0 = Network unreachable.
1 = Host unreachable.
2 = Protocol unreachable.
3 = Port unreachable.
4 = Fragmentation needed but don't-fragment bit set.
5 = Source route failed.
6 = Destination network unknown.
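An added example, not part of the guide: a reader for the -oG grepable format that lists the ports per host and flags open ones missing from an allow-list, which is the "disable any open and unused ports" review recommended earlier. The sample output, hosts and banners are constructed.

```python
import re

# Constructed -oG output (hosts and banners invented). Fields are tab-separated; each
# Ports entry reads port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.22/, 443/open/tcp//https//nginx 1.22/, 3389/open/tcp//ms-wbt-server///, 25/filtered/tcp//smtp///\tIgnored State: closed (995)
Host: 192.0.2.11 (print.example.test)\tPorts: 23/open/tcp//telnet///, 9100/open/tcp//jetdirect///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
# Nmap done -- 16 IP addresses (2 hosts up) scanned
"""

PORT_RE = re.compile(r"(\d+)/([^/]+)/([a-z]+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> dict[str, list[dict]]:
    """Map each host IP to the port records found on its -oG 'Host:' lines."""
    hosts: dict[str, list[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split()[0]
        records = hosts.setdefault(ip, [])
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            records.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version})
    return hosts


def unexpected_open_ports(hosts, allowlist):
    """Return (ip, 'port/proto', service) for every port in state 'open' that is
    not in allowlist[ip]. Only 'open' counts: 'open|filtered' is unconfirmed."""
    findings = []
    for ip, records in hosts.items():
        allowed = allowlist.get(ip, set())
        for r in records:
            key = f"{r['port']}/{r['proto']}"
            if r["state"] == "open" and key not in allowed:
                findings.append((ip, key, r["service"]))
    return findings
```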
ICMP Destination Unreachable (Type 3) Codes (continued from the previous page)
7 = Destination host unknown.
8 = Source host isolated (obsolete).
9 = Destination network administratively prohibited.
10 = Destination host administratively prohibited.
11 = Network unreachable for type of service (TOS).
12 = Host unreachable for TOS.
13 = Communication administratively prohibited by filtering.
14 = Host precedence violation.
15 = Precedence cutoff in effect.

FIN / NULL / XMAS Scan

Any packet not containing the SYN, RST or ACK bits will get a RST in return if the port is closed and no response if the port is open.

As long as you don't include those three bits, any combination of the other bits (FIN, PSH, URG) is fine.

-sN = Null Scan, does not set any bits; the TCP flag header is 0.
-sF = FIN Scan, sets only the TCP FIN bit.
-sX = Xmas Scan, sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.

They are good at sneaking through non-stateful firewalls.

Many major operating systems, Microsoft Windows among them, deviate from the RFC standard and just return a RST packet on all ports, open or closed.

--scan-flags <flags> = You can custom build your own packets by mashing together flag names, e.g.:
--scan-flags URGACKPSHRSTSYNFIN

TCP ACK Scan (-sA)

Only the ACK flag is set by default.
On unfiltered systems both open and closed ports return a RST packet.
Unfiltered ports are reachable by the ACK packet, but nmap is unsure whether they are open or closed.

Ports that don't respond, or that send certain ICMP error messages, are filtered.

Combine FIN and ACK scans to see if ports are open.

If one scan identifies a port as open|filtered and the other identifies it as unfiltered (open or closed), the port must be open.
TCP Window Scan (-sW)

This is the same as an ACK scan but it looks at the TCP window size of the returned RST to differentiate whether the port is actually open or closed. Not very effective.

TCP Maimon Scan (-sM)

A FIN/ACK packet is sent. The RFC says the computer should send a RST in response to this, but some BSD systems simply drop the packet if the port is open.

TCP Idle Scan (-sI <zombie host>)

Uses a third-party "zombie" host.

Steps:
1. Probe the zombie's IP ID and record it.
2. Forge a SYN packet from the zombie and send it to the desired port on the target. The zombie's IP ID may or may not be incremented.
3. Probe the zombie's IP ID again.
   1. An increase of 1 means the zombie has not sent out any packets except for the one you spoofed. This means the port is closed.
   2. An increase of 2 means the zombie sent out a packet. This means the port is open.

Very stealthy scan.

NMAP's default decoy scan (-D) is like the idle scan but less stealthy.

If you can spoof internal web servers you may be able to exploit trust relationships.

Sometimes an IPS blocks this kind of spoofing.

To find a good zombie host you need the following properties:
1. It assigns IP IDs incrementally on a global basis (not per connection).
2. It should be idle.
3. Low latency.

Use -O OS identification on the network to find idle printers and networked devices.

Use -PN to disable ping scanning so as not to give away your location.

IP Protocol Scan (-sO)

Detects which protocols are supported by the host (TCP, ICMP, IGMP etc).
TCP FTP Bounce Scan (-b)

FTP has a proxy feature where you connect with one connection and have files sent to a different host.

You have the FTP server send files to a host and port to see if it is open; a way to bypass firewalls.

Format: -b <username>:<password>@<server>:<port>

Timing

                  -T0       -T1      -T2      -T3      -T4         -T5
Name              Paranoid  Sneaky   Polite   Normal   Aggressive  Insane
min-rtt-timeout   100       100      100      100      100         50
max-rtt-timeout   300,000   15,000   10,000   10,000   1250        300

NMAP Technique (version detection)

1. Check if the port is on the exclude list.
2. If it is a TCP port, nmap will attempt to connect or do a stealth scan.
3. Nmap then listens for service banners for 5 seconds, using a NULL probe as no data is sent.
   1. If the service is detected the probe is done for this port.
4. UDP port scan begins now.
   1. Combining version detection with UDP scans can be very rewarding.
5. UDP NULL probe.

Rarity

Each scan type has a rarity value of how likely it is to return some useful information:

--version-intensity <0-9> = Zero is only the NULL probe; 9 tries everything.
--version-light = Sets it to 2.
--version-all = Sets it to 9.

RPC (Sun Remote Procedure Call)
rpcinfo -p ultra
Exclude <port>
Exclude 53 = exclude a port.

Probe <protocol> <probe name> <probe send string>
Protocol = TCP or UDP only.
Probe name = Plain English such as 'GetRequest' or 'DNSStatusRequest'.
Probe string = Starts with a q and a delimiter, such as q|GET / HTTP/1.0\r\n\r\n|

Match <service> <pattern> [<version info>]

OS Detection

Device type = High level classification, e.g. printer, desktop, firewall, router.

Running = Operating system and version if detected.

OS Details = More details about the OS.

Uptime guess = Looks at a packet counter to see how long the host has been online.

Network Distance = How many hops between you and the router.

TCP Sequence Prediction = How easy the TCP sequence number is to guess (trivial joke / easy / medium / formidable / worthy challenge / good luck!).

TCP Sequence Generation = Information about sequence generation.

Nmap Scripting Engine

Activate it with -sC or --script.

Two types of scripts: service scripts and host scripts. Service scripts run against each port; host scripts run once per host.

Script categories:
auth = Attempts to determine authentication credentials through brute force.
default = General scripts.
discovery = Try to find information about the target.
external = Send data to a third party (e.g. whois).
intrusive = Risk of crashing the target.
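Added example (not the guide's or Nmap's own code): a minimal reader for the Exclude / Probe / match line formats described above, plus the banner-matching step of the version-detection technique from the previous page, run over constructed banners. The probe lines are written in the style of nmap-service-probes rather than copied from it; the real file spells the match keyword in lowercase, as here.

```python
import re

# Constructed lines in the style of nmap-service-probes (not copied from the real
# file, which spells the keyword "match" in lowercase as here).
PROBE_FILE = r"""
Exclude T:9100-9107
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)| p/OpenSSH/ v/$2/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d+ .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/
"""


def parse_probe_file(text: str):
    """Return (excluded port specs, probes); each probe carries its match rules."""
    excludes, probes = [], []
    for line in text.splitlines():
        if line.startswith("Exclude "):
            excludes.append(line.split(None, 1)[1])
        elif line.startswith("Probe "):
            _, proto, name, rest = line.split(None, 3)
            delim = rest[1]  # send string is q<delim>...<delim>, e.g. q|...|
            raw = rest[2:rest.index(delim, 2)]
            # the file writes escapes like \r\n literally; decode them into bytes
            payload = raw.encode().decode("unicode_escape").encode("latin-1")
            probes.append({"proto": proto, "name": name, "payload": payload, "matches": []})
        elif line.startswith("match ") and probes:
            _, service, rest = line.split(None, 2)
            delim = rest[1]  # pattern is m<delim>regex<delim> followed by flags
            end = rest.index(delim, 2)
            pattern, tail = rest[2:end], rest[end + 1:]
            flags = 0
            while tail and tail[0] in "is":  # i = ignore case, s = dot matches newline
                flags |= re.I if tail[0] == "i" else re.S
                tail = tail[1:]
            info = dict(re.findall(r"\b([pv])/([^/]*)/", tail))  # p/product/ v/version/
            probes[-1]["matches"].append({"service": service, "info": info,
                                          "regex": re.compile(pattern.encode(), flags)})
    return excludes, probes


def identify(probe: dict, banner: bytes):
    """Apply a probe's match rules to a response; return (service, product, version)
    with $n placeholders filled from the regex groups, or None when nothing matches."""
    for rule in probe["matches"]:
        m = rule["regex"].search(banner)
        if not m:
            continue
        fill = lambda t: re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode(), t)
        return rule["service"], fill(rule["info"].get("p", "")), fill(rule["info"].get("v", ""))
    return None
```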
malware = Test if the target is infected with malware.
safe = Less likely to crash the host.
version = Attempt to detect versions.
vuln = Check for known vulnerabilities.

-sC performs a script scan using the default scripts.

--script <script category> | <directory> | <filename> | all
is more specific.

Scripts use the .nse file extension.

--script-args provides arguments to the script.

--script-trace prints all network traffic from the script.

NSE Scripts (Script (Category) = Description. Parameters)
asn-query.nse (discovery, external) = Finds locations. Parameter: IP address.
pop3-brute.nse (intrusive, auth) = Attempts to log into POP3 accounts by guessing passwords. Parameter: IP address.
sniffer-detect.nse (discovery) = Detects if the target's network card is in promiscuous mode. Parameter: IP address.
sql-injection.nse (intrusive, vuln) = Targets a web server to detect URLs that are vulnerable to SQL injection. Parameter: IP address.

Detecting and Subverting Firewalls and Intrusion Detection Systems (IDS)

Look at the "Not shown: xxx filtered ports" line in the results; this shows a deny-by-default rule.

Intrusion detection systems can sometimes forge packets, but this speeds up a scan as it doesn't have to wait around for the connection timeout.

MAC Spoofing

The --spoof-mac option can be used to spoof the address.
The first 3 octets of a MAC address are given to hardware companies by the IEEE; the remaining octets are assigned by the company. It's easy to change your MAC address.

MAC-based authentication is very weak.

You can use company names such as "Apple" with the --spoof-mac option.

Intrusion Detection Evasion

Watch for unexplained TTL jumps; IDS often mess them up.

Watch out if the network scans you back after a scan; this could be an IDS.

Slow scans down and you're less likely to be noticed.

Fragmenting packets can often help.

Use decoys: -D RND:<num of decoys> to spoof scans. Decoys should be online.
You can use -S <IP> to spoof an innocent IP address.
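An added example from the defender's side (not part of the guide): a detector that counts distinct destination ports per source in a sliding time window over constructed firewall DROP log lines. A short window catches a fast scan; only a window of an hour or more catches the slowed-down scan the guide says is less likely to be noticed. Log format, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# iptables-style DROP lines; hosts, addresses and the format are constructed.
LOG_RE = re.compile(r"^(\S+ \S+) \S+ kernel: DROP .*SRC=(\S+) .*DPT=(\d+)")


def make_log() -> list[str]:
    """Build a sample log: a fast scan (20 ports in 2 s), a slow scan (12 ports,
    one every 5 minutes) and an ordinary client touching 3 service ports."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    lines = []

    def add(t: datetime, src: str, dpt: int) -> None:
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} fw kernel: DROP IN=eth0 SRC={src} "
                     f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt} FLAGS=SYN")

    for i in range(20):
        add(t0 + timedelta(milliseconds=100 * i), "198.51.100.7", 1 + i)
    for i in range(12):
        add(t0 + timedelta(minutes=5 * i), "198.51.100.9", 8000 + i)
    for i, p in enumerate((80, 443, 22)):
        add(t0 + timedelta(seconds=30 * i), "203.0.113.5", p)
    return sorted(lines)


def detect_scanners(lines, window: timedelta, threshold: int) -> dict[str, int]:
    """Return {source: most distinct destination ports seen inside any `window`}
    for sources that reach `threshold`. A small window is enough for a fast
    scan; a slowed-down scan only shows up when the window is long."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[m.group(2)].append((ts, int(m.group(3))))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits
```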