Nmap

This documentation has been made from my notes during CTF and pentests and also using the Network enumeration with NMAP module of HTB Academy It is really worth taking this course if you have some cubes in your HTB Academy accounts :)

Use Cases

Audit the security aspects of networks
Simulate penetration tests
Check firewall and IDS settings and configurations
Types of possible connections
Network mapping
Response analysis
Identify open ports
Vulnerability assessment as well.

Source Hackthebox Academy

General tips

Do not neglect UDP scan, you could find interesting services like SNMP

Recommended methodology

sudo nmap -Pn -sV -sC -p- IP-ADR scan tcp all ports (this command is an example use the one you like best)
sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -F --reason scan top 100 udp ports

Remove noise when using nmap through proxychains

Add quiet_mode to your proxychains conf file (you should just need to uncomment it usually around line 50 of the file)

Scan all ports for services and with default script

sudo nmap -T4 -sC -O -sV -p- --min-rate=1000 IP-ADR
sudo nmap -T4 -sC -O -sV -p- IP-ADR
sudo nmap -Pn -sV -sC -p- IP-ADR

Aggressive scan of all port

This scan will output OS as if you used -O, service versions as with -sV and script scanning -sC
nmap -T4 -A -p- 10.10.10.97 This mode sends a lot more probes, and it is more likely to be detected, but provides a lot of valuable host information

Put results in a file

-oA <filename> This includes XML output, greppable output, and text output --oN <filename> Normal output with the .nmap file extension
-oG <filename> Grepable output with the .gnmap file extension
-oX <filename> XML output with the .xml file extension
- xsltproc target.xml -o target.html convert it to html for nice output readable from a browser
Nmap Output official documentation

Host discovery on a network

sudo nmap -sn 10.10.110.0-254
sudo nmap 10.129.2.0/24 -sn | grep for | cut -d" " -f5

Scan multiple IPs

sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5
sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5 from a list

Other useful scans and tips

nmap -v -oG - See which port are scanned
nmap -sV --open <ip address> This will run a service enumeration (-sV) scan against the default top 1,000 ports and only return open ports (--open).
The ttl will give us info about the OS, for example ttl=128 is windows
sudo nmap -v -O TARGET-IP nmap OS Detection Scan
sudo nmap -v 192.168.86.39 --script banner.nse Banner Grab to Enumerate Ports

UDP Port Scan

sudo nmap 10.129.2.28 -F -sU -F will scan the top 100 ports
sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -F --reason -Pn Disables ICMP Echo requests, -n Disables DNS resolution.

Nmap Scripts

Do not neglect nmap scripts they can be very useful to push your enumeration to the next level. You can specify a script by using the option --script. Note that the -sC option will perform a scan using the default set of script so it is like doing --script=default

--script vuln will enumerate for known vulnerabilities on the found services in the target
It also accepts wildcard * so say you want all the scripts from a specific category you can do --script "smb-*"
--script=banner for banner grabbing
--script-trace trace the progress of NSE scripts. See what command nmap sends what ports are used and what response we receive

Category	Description
auth	Determination of authentication credentials.
broadcast	Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans.
brute	Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default	Default scripts executed by using the -sC option.
discovery	Evaluation of accessible services.
dos	These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.
exploit	This category of scripts tries to exploit known vulnerabilities for the scanned port.
external	Scripts that use external services for further processing.
fuzzer	This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.
intrusive	Intrusive scripts that could negatively affect the target system.
malware	Checks if some malware infects the target system.
safe	Defensive scripts that do not perform intrusive and destructive access.
version	Extension for service detection.
vuln	Identification of specific vulnerabilities.

Official documentation

Debug

If you get this error Warning: 10.10.64.180 giving up on port because retransmission cap hit (2)
Try using -T4 instead of -T5
Check this post here for more info on this error

General tips

Sometimes a port will be filtered it can happen if a firewall makes a filter and allow access only from specific addresses.
locate scripts/name-of-technology to find scripts related to a specific technology
--top-ports=10 Scans the specified top ports that have been defined as most frequent.
--packet-trace Shows all packets sent and received.
-n Disables DNS resolution.
--disable-arp-ping
-sT uses the TCP three-way handshake to determine if a specific port on a target host is open or closed. The scan sends an SYN packet to the target port and waits for a response. It is considered open if the target port responds with an SYN-ACK packet and closed if it responds with an RST packet. Most accurate way to determine state of a port.

States

State	Description
open	This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
closed	When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
filtered	Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
unfiltered	This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open\|filtered	If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.
closed\|filtered	This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

State

Description

open

This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.

closed

When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.

filtered

Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.

unfiltered

This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.

open|filtered

If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.

closed|filtered

This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

Source HTB Academy

Firewall and IDS/IPS Evasion

Nmap's TCP ACK scan (-sA) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (-sT) because they only send a TCP packet with only the ACK flag. When a port is closed or open, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.

Decoy

There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:). Our real IP address is then randomly placed between the generated IP addresses. In the next example, our real IP address is therefore placed in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms.

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5 example using decoy

The spoofed packets are often filtered out by ISPs and routers, even though they come from the same network range. Therefore, we can also specify our VPS servers' IP addresses and use them in combination with "IP ID" manipulation in the IP headers to scan the target.

Another scenario would be that only individual subnets would not have access to the server's specific services. So we can also manually specify the source IP address (-S) to test if we get better results with this one. Decoys can be used for SYN, ACK, ICMP scans, and OS detection scans. So let us look at such an example and determine which operating system it is most likely to be.

sudo nmap 10.129.2.28 -n -Pn -p445 -O test firewall rule
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0 Scan using different source IP

DNS Proxying

By default, Nmap performs a reverse DNS resolution unless otherwise specified to find more important information about our target. These DNS queries are also passed in most cases because the given web server is supposed to be found and visited. The DNS queries are made over the UDP port 53. The TCP port 53 was previously only used for the so-called "Zone transfers" between the DNS servers or data transfer larger than 512 bytes. More and more, this is changing due to IPv6 and DNSSEC expansions. These changes cause many DNS requests to be made via TCP port 53.

However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server <ns>,<ns>). This method could be fundamental to us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.

SYN-Scan of a Filtered Port

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

SYN-Scan From DNS Port

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 (-n disables DNS resolution)

Connect To The Filtered Port

ncat -nv --source-port 53 10.129.2.28 50000

Source HTB Academy

Resources

PreviousNetcat and alternatives NextNuclei

Last updated 1 year ago