nmap

Network Mapper is a free and open source utility for network discovery and security auditing.


select


host

# classic
$ nmap 192.168.1.0-255,192.168.1.0/24

# from file
$ nmap -iL targets.txt

# exclude hosts
$ nmap 10.0.0.1-255 --exclude 10.0.0.1,10.0.0.10

# scan 10 random targets on internet
$ nmap -iR 10

# find random NFS shares online
$ nmap -p2049 --open -iR 0 

# collect signature of web servers
$ nmap -p80,443 -Pn -T4 --open --script http-headers,http-title,ssl-cert --script-args http.useragent="A web crawler :)",http-headers.useget -oX random-webservers.xml -iR 0
# -Pn : without ping
# -T4 : aggressive timing template

port/interface

# select ports
$ nmap -p1-100,80,443 10.0.0.1

# ports by protocol (T:tcp, U:udp)
$ nmap -pT:25,U:53 10.0.0.1

# exclude ports
$ nmap -p1-100 --exclude-ports 22,53 10.0.0.1

# all ports
$ nmap -p- 10.0.0.1

# select interface
$ nmap -e eth1 scanme.nmap.org

port states


  • open: a service is listening for connections
  • closed: port is accessible (it receives and responds to nmap packets), but there is no application listening on it.
  • filtered: no signs that the packets were received and the state could not be established, packets are being dropped by some kind of filtering

unprivileged users : by default use TCP Connect Scan, uses the high-level connect() system call (slower)

privilaged user : by default launches a SYN Stealth Scan, use raw packets to send specially crafted TCP packets, technique known as half open.


service/OS fingerprinting


# service detection
$ nmap -sV scanme.nmap.org

# OS detection
$ nmap -O scanme.nmap.org

# -sV + -O + -sC (script scanning) + --traceroute
$ nmap -A scanme.nmap.org 

host discovery


# TCP SYN scan
$ nmap -sn -PS80,21 192.168.1.0/24
# -sn: ping scan - disable port scan
# send a TCP SYN
# receive an RST -> close
# receive an SYN/ACK -> open
# --packet-trace: show all data sent and received
# TCP ACK scan
$ nmap -sn -PA 192.168.1.0/24
# send a TCP ACK
# receive nothing -> close
# receive an TCP RST -> open
# UDP scan
$ nmap -sn -PU 192.168.1.0/24
# send an empty UDP packet to port 40125
# receive ICMP port unreachable -> online
# receive various ICMP error messages -> offline
# (important to choose closed ports)
# ICMP ping scan
$ nmap -sn -PE 192.168.1.0/24 # ICMP echo request
$ nmap -sn -PP 192.168.1.0/24 # ICMP timestamp reply
$ nmap -sn -PM 192.168.1.0/24 # ICMP address mark reply
# can bypass misconfigured firewalls
# IP protocol scan
$ nmap -sn -PO 192.168.1.0/24
# -PO: by default use different protocols IGMP, IP-in-IP and ICMP
$ nmap -sn -PO1,2,17 scanme.nmap.org # choose protocol with their numbers

# TCP: 6, UDP: 17, ICMP: 1, IGMP: 2, IP-in-IP: 4, SCTP: 132

# all packets send are empty, it is a good think to send data inside them
$ nmap -sn -PO --data-length 100 scanme.nmap.org
# ARP scan
$ nmap -sn -PR 192.168.1.0/24
# send ARP requests to all
# if ARP reply -> online
# else -> offline

# used by default by nmap in LAN, -PS to disable
$ nmap -sn -PS --packet-trace --send-ip 192.168.1.254

# MAC address spoofing
$ nmap -sn -PR --spoof-mac <mac address> scname.nmap.org
# with -PR we can use IPv6 and it will use ICMPv6 (replace ARP in v4)

scan techniques


# TCP SYN (not logged)
$ nmap -sS scanme.nmap.org

# full handshake with connect() (logged)
$ nmap -sT scanme.nmap.org

# TCP ACK
$ nmap -sA scanme.nmap.org

timing template


# aggressive timing
$ nmap -T4 192.168.4.20
# -T0: paranoid (5 min)
# -T1: sneaky
# -T2: polite
# -T3: default
# -T4: aggressive
# -T5: insane

scan report


$ nmap -oX scanme.xml scanme.nmap.org
# -oX: XML
# -oN: nmap output
# -oG: greppable text
# -oA: for all

NSE scripts


nmap can be used with Nmap Scripting Engine (NSE), it provides an interface for users to script additional tasks.

Are divided in categoies:

  • auth: scripts related to user authentication
  • broadcast: scripts that use broadcast petitions to gather information
  • brute: scripts that help conduct brute-force password auditing
  • default: scripts that are executed when a script scan is executed (-sC)
  • discovery: scripts related to host/service discovery.
  • dos: scripts related to denial of service attacks
  • exploit: scripts that exploit security vulnerabilities
  • external: scripts that depend on a third-party service
  • fuzzer: scripts that are focused on fuzzing
  • intrusive: scripts that might crash something or generate a lot of network noise
  • malware: scripts related to malware detection
  • safe: scripts that are considered safe in all situations
  • version: scripts that are used for advanced versioning
  • vuln: scripts related to security vulnerabilities
# execute all scripts
$ nmap -sC scname.nmap.org

# script arguments
$ nmap --script http-title --script-args http.useragent="Mozilla 999" scname.nmap.org

# script selection
$ nmap --script dns-brute scname.nmap.org
$ nmap --script http-headers,http-title scanme.nmap.org

# run all scripts in the vuln category
$ nmap -sV --script vuln scname.nmap.org

# run all http scripts except 2 of them
$ nmap -sV --script "(http-*) and not (http-slowloris or http-brute)" scname.nmap.org

Interesting scripts: secwiki.org/w/Nmap/External_Script_Library

broadcast ping scans

$ nmap --script broadcast-ping scname.nmap.org
# send ICMP echo request
# receive ICMP echo reply -> open
# else -> close

Scan IPv6 adresses

$ nmap -6 scanme.nmap.org

# Multicast Listener Discovery (MLD) request to LAN
$ nmap -6 --script targets-ipv6-multicast-mld --script-args interface=en0

# ICMPv6 RA with SLAAC
$ nmap -6 --script targets-ipv6-multicast-slaac --script-args interface=en0 -sn

# ICMPv6 echo request to all nodes link-local multicast address (ff02::1)
$ nmap -6 --script targets-ipv6-multicast-echo --script-args'newtargets,interface=eth0' -sL

# ICMPv6 requets with invalid extension header to (ff02::1)
$ nmap -6 --script=targets-ipv6-multicast-invalid-dst.nse --script-args'newtargets,interface=eth0' -sn

Gathering network information with broadcast scripts

NSE broadcast scripts perform tasks to detect Dropbox listeners, sniffing hosts, and discovering DHCP, MS SQL or NCP server.

There are 44 differents scripts : nmap.org/nsedoc/categories/broadcast.html

# use all script in broadcast categorie
$ nmap --script broadcast -e eth0

$ nmap --script "broadcast and not targets-*"

scanning through proxies

# TOR, mask origin address
$ nmap -sV -Pn -n --proxies socks4://127.0.0.1:9050 scanme.nmap.org

### Spoofing the origin IP of a scan
# find hosts with an incremental IP ID: zombie
# IP ID : used for fragmentation
$ nmap -p80 --script ipidseq <your ip>/24
$ nmap -p80 --script ipidseq -iR 1000
# -> |_ipidseq: Incremental!

# launch idle scan
$ nmap -Pn -sI <zombie host> scname.nmap.org

optimizing scans


phases of scan

  • 1 - Target enumeration: parses the target list.
  • 2 - Host discovery: establishes if the targets are online and in the network with ICMP echo request and some additional probes (-Pn to skip).
  • 3 - Reverse DNS resolution: (-n to skip).
  • 4 - Port scanning: determines the state of the ports with SYN/TCP Connect (depending on the user privileges)(-sn to skip).

skipping phases

$ nmap -T4 -n -Pn -p- 74.207.244.221
# scan with aggressive timing template
# without DNS resolution (-n)
# without ping (-Pn)

shodan


### Perform IP address geolocation
### Getting information from WHOIS records
### Traceroute geolocation information
### Querying Shodan to obtain target information
# use API ley
# https://developer.shodan.io/.

$ nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey=<ShodanAPI KEY> scname.nmap.org

# https://developer.shodan.io/pricing

# save in CSV files
$ nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey='<ShodanAPI KEY>',shodan-api.outfile=results.csv scname.nmap.org

# single target
$ nmap -sn -Pn -n --script shodan-api --script-args shodan-api.apikey='<ShodanAPI KEY>',shodan-api.target=<IP>
# -n: DNS resolution disable

ncrack


Discover systems with weak password, high-speed network authentication cracking tool. Supports popular network protocols (FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, and MySQL).

$ ncrack <service-name>://scname.nmap.org:<port-number>

# basic dictionary attack agoinst a SSH server
$ ncrack ssh://scname.nmap.org:<port>

# give username and password files
$ ncrack -U <user-list> -P <passwords-list> <service-name>://scname.nmap.org:<port-number>

# give username
$ ncrack --user <username> <service-name>://scname.nmap.org:<port-number>

# give password
$ ncrack --pass <service-name>://scname.nmap.org:<port-number>

# pausing
$ ncrack --resume cracking-session <[service-name]>://scname.nmap.org:<[port-number]>

$ ncrack --save cracking-session <[service-name]>://scname.nmap.org:<[port-number]>

nmap.org/ncrack/man.html