Nmap

An in-depth look at scanning with Nmap, a powerful network scanning tool...

Introduction

Nmap helps us establish which services are running on the targets that we are testing. We can perform a port scan to see which ports are open. Ports are what allow a host to make multiple network requests, or to offer multiple services, at the same time.

Every computer has a total of 65535 available ports, with a few of them being standard ports. For example, port 80 would run an HTTP server and port 443 would run an HTTPS server.

Nmap can be used to run many different types of port scans and can determine ports to be either open, closed, or filtered.


Nmap Switches

Nmap is run from the terminal. To see the arguments and options available, use the man nmap command or the syntax nmap -h.


TCP Connect Scans

We have covered the three-way handshake here. Nmap tries to connect to each specified TCP port and determines whether it is open or not from the response it receives:

  1. If nmap sends a TCP request with the SYN flag set to a closed port, the target responds with a packet with the RST flag set, and therefore nmap can establish that the port is closed.

  2. If, however, nmap sends the request to an open port, the target responds with a packet with the SYN/ACK flags set. This marks the port as open, and nmap completes the handshake by sending back a packet with the ACK flag set.

  3. If nothing is sent back after the request is sent, the port is protected by a firewall and is considered to be filtered.

However, it is quite easy to configure a firewall to respond with a RST packet instead, which makes a filtered port look closed. For example, the rule in iptables would look like:

iptables -I INPUT -p tcp --dport <port> -j REJECT --reject-with tcp-reset

The switch for a TCP connect scan is -sT.
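The three decision rules above can be reproduced with an ordinary operating-system connect() call, which is exactly what -sT does. The following Python script is an added example written for this page, not Nmap's own code: it maps the connect() outcome to open (handshake completed), closed (RST, reported as "connection refused") or filtered (nothing back before the timeout), and exercises the rules against a constructed loopback scenario with one listening port and one closed port. The helper names are hypothetical.

```python
import socket
from typing import Dict, Iterable


def classify_tcp_connect(host: str, port: int, timeout: float = 1.0) -> str:
    """Apply the -sT decision rules using a full OS-level connect().

    open     -> the handshake completed (target sent SYN/ACK, we sent ACK)
    closed   -> the target answered with RST (surfaces as "connection refused")
    filtered -> nothing came back before the timeout (e.g. a dropping firewall)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # Simplification: other errors (host/network unreachable) are
            # treated like "no usable answer" and reported as filtered.
            return "filtered"


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan each port in turn and return {port: state}."""
    return {port: classify_tcp_connect(host, port, timeout) for port in ports}


def _listen_on_free_port() -> socket.socket:
    """Hypothetical helper: bind a listener to an OS-chosen free loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo() -> Dict[str, str]:
    """Constructed scenario: one listening loopback port and one closed one."""
    listener = _listen_on_free_port()
    open_port = listener.getsockname()[1]
    placeholder = _listen_on_free_port()
    closed_port = placeholder.getsockname()[1]
    placeholder.close()  # nothing listens here any more, so connect() receives a RST
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
        return {"listening": states[open_port], "closed": states[closed_port]}
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:>10}: {state}")
```

Because connect() completes the whole handshake, the listening service sees a real connection and may log it; that is the behaviour the SYN scan below avoids.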


SYN Scans

SYN scans are used to scan the TCP port-range of a target. They are sometimes referred to as 'half-open' or 'stealth' scans.

When a TCP connect scan is run, a full handshake is completed with the target. When a SYN scan is run, nmap instead sends back a RST packet in place of the final ACK, so the handshake is never completed. This prevents the server from repeatedly retrying the request.

The advantages:

  • Can be used to bypass older intrusion detection systems. With modern solutions, however, this is no longer the case.

  • Not often logged by applications listening on open ports.

  • Scans are faster

The disadvantages:

  • Requires sudo permissions

  • Unstable services can be brought down with SYN scans.

To identify whether the ports are open or closed, the same rules as with a TCP connect scan apply.

The switch for a SYN scan is -sS.


UDP Scans

UDP connections are stateless. This means that a UDP scan relies on sending packets to a target port and hoping that they make it. This is why UDP is very good for connections which rely on speed, but the lack of acknowledgement makes UDP scans a lot slower. Because the scan is slow, it is recommended to run it only on the top ports rather than all of them.

When a packet is sent to an open UDP port, there should be no response. Nmap will then mark the port as open|filtered (i.e. open, but it could be firewalled). If it gets a UDP response, the port is marked as open. This is uncommon, however, and generally a second packet is sent to double-check a port reported as open|filtered.

When a packet is sent to a closed UDP port, the target should respond with an ICMP port unreachable packet. This clearly identifies the port as closed.

The switch for a UDP scan is -sU.


NULL, FIN & Xmas Scans

These 3 types of scans are generally used for the same purpose as SYN "stealth" scans: firewall evasion. All 3 are interlinked and are less commonly used than the previous ones.

NULL scans (-sN) send a TCP request with no flags set at all. According to the RFC, the target host should respond with a RST packet if the port is closed.

FIN scans (-sF) send a TCP request with just the FIN flag set (the flag usually used to close an active connection). In this case, nmap also expects a RST packet back if the port is closed.

Xmas scans (-sX) send a malformed TCP packet with the PSH, URG and FIN flags set. When viewed in a Wireshark capture, the flags give the appearance of a blinking Christmas tree, hence the name Xmas. Again, a RST packet is expected if the port is closed.

The expected response for open ports is identical across these three scans: there is no response to the malformed packet. Unfortunately, as with UDP ports, the expected behaviour for filtered ports is the same as for open ports, so nmap reports such ports as open|filtered. If a port is identified as filtered only, that is generally because the target host responded with an ICMP unreachable packet.


ICMP Network Scanning

This type of scan helps us obtain a "map" of the network that we are scanning (i.e. the network structure, which IP addresses contain active hosts, etc.). Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks that IP address as being alive.

To perform this scan, we would use the switch -sn with an IP range. An example command would be as follows:

# IP range specified with a hyphen
nmap -sn 192.168.0.1-254

# IP range specified with CIDR notation
nmap -sn 192.168.0.1/24

# Entire last octet specified with a wildcard (quoted so the shell does not expand the *)
nmap -sn '192.168.0.*'
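The results of a ping sweep, or of any of the port scans above, can be written out with the -oG "grepable" switch and processed by a script. The parser below is an added example written for this page, not part of Nmap: it reads the tab-separated Host lines of -oG output from a constructed sample (not a real scan), records each host's up/down status and each port's Nmap state (open, filtered, open|filtered), and offers a few queries a tester would typically run over the results. It assumes no literal "/" appears inside a port entry's fields, which holds for the sample.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in Nmap's -oG layout (not a real scan). Fields are tab-separated;
# each port entry reads port/state/protocol/owner/service/rpc/version/.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -sU -sV -oG - 192.168.0.0/24
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http///, 53/open|filtered/udp//domain///, 443/filtered/tcp//https///\tIgnored State: closed (1996)
Host: 192.168.0.7 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)$")


@dataclass
class HostResult:
    ip: str
    hostname: str = ""
    status: str = "unknown"
    ports: Dict[str, str] = field(default_factory=dict)     # "22/tcp" -> state
    services: Dict[str, str] = field(default_factory=dict)  # "22/tcp" -> "service version"


def parse_grepable(text: str) -> Dict[str, HostResult]:
    """Turn -oG text into per-host results keyed by IP address."""
    hosts: Dict[str, HostResult] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # banner and footer comment lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.groups()
        host = hosts.setdefault(ip, HostResult(ip=ip, hostname=hostname))
        for item in fields[1:]:
            key, _, value = item.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # Assumption: no literal "/" inside a field (true of the sample).
                    parts = entry.split("/")
                    port, state, proto, _owner, service = parts[:5]
                    version = parts[6] if len(parts) > 6 else ""
                    port_key = f"{port}/{proto}"
                    host.ports[port_key] = state
                    host.services[port_key] = f"{service} {version}".strip()
                if host.status == "unknown":
                    host.status = "Up"  # a host with port results was reachable
            # "Ignored State: closed (N)" and other fields are not needed here.
    return hosts


def up_hosts(hosts: Dict[str, HostResult]) -> List[str]:
    """The ping-sweep view: which addresses answered."""
    return sorted(ip for ip, h in hosts.items() if h.status == "Up")


def state_counts(hosts: Dict[str, HostResult]) -> Counter:
    """How many port results fell into each Nmap state (open, filtered, open|filtered, ...)."""
    return Counter(state for h in hosts.values() for state in h.ports.values())


def ports_in_state(hosts: Dict[str, HostResult], state: str) -> List[str]:
    """List 'ip:port/proto' entries in one state, e.g. every open|filtered UDP port."""
    return sorted(f"{ip}:{pk}" for ip, h in hosts.items()
                  for pk, s in h.ports.items() if s == state)


if __name__ == "__main__":
    results = parse_grepable(SAMPLE_OG)
    print("up:", up_hosts(results))
    print("states:", dict(state_counts(results)))
    print("open|filtered:", ports_in_state(results, "open|filtered"))
```

Running it on real output is a matter of replacing SAMPLE_OG with the contents of the file written by -oG; the open|filtered bucket is where the UDP and NULL/FIN/Xmas ambiguity described above shows up.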

NSE Scripts

The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality quite considerably. NSE Scripts are written in the Lua programming language, and can be used to do a variety of things: from scanning for vulnerabilities to automating exploits for them.

An exhaustive list of the many categories available can be found here.

To activate NSE scripts, we can use --script=vuln, for example. This activates all scripts in the vuln category. To run a specific script we would use --script=http-fileupload-exploiter, for example. Multiple scripts can be run at once by separating them with a comma.

Note: some scripts require arguments, which can be given with the --script-args switch.

An example command to run would be:

nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

Nmap scripts come with built-in help menus, which can be accessed using nmap --script-help <script-name>.

Searching For Scripts

  1. We could use the Nmap website which contains a list of all official scripts.

  2. We could search our local machine at /usr/share/nmap/scripts.

To search, we could grep through the /usr/share/nmap/scripts/script.db file to find what suits our use case, or we could use a command such as ls -l /usr/share/nmap/scripts/*ftp* to list scripts by name. Whichever method you choose, you will get the same results.
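Grepping script.db works because each line of that file is a small Lua table naming one script and its categories. The script below is an added example written for this page, not part of Nmap: it parses a constructed excerpt in the script.db layout (the category assignments shown are typical but should be checked against your own file) and answers the questions a tester usually asks of it, such as which scripts are in a category, which match a name fragment, and which avoid the intrusive category that should not be run against production systems.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt in the layout of /usr/share/nmap/scripts/script.db:
# one "Entry { ... }" Lua table per line.
SAMPLE_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "intrusive", "brute", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to the set of categories it belongs to."""
    db: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue  # blank or unrecognised line
        filename, categories = match.group(1), match.group(2)
        db[filename] = set(re.findall(r'"([^"]+)"', categories))
    return db


def by_category(db: Dict[str, Set[str]], category: str) -> List[str]:
    """Equivalent of --script=<category>: every script tagged with that category."""
    return sorted(name for name, cats in db.items() if category in cats)


def by_name(db: Dict[str, Set[str]], needle: str) -> List[str]:
    """Equivalent of ls /usr/share/nmap/scripts/*needle*: substring match on the filename."""
    return sorted(name for name in db if needle in name)


def production_safe(db: Dict[str, Set[str]]) -> List[str]:
    """Scripts that are not tagged intrusive, i.e. candidates for a cautious production scan."""
    return sorted(name for name, cats in db.items() if "intrusive" not in cats)


if __name__ == "__main__":
    scripts = parse_script_db(SAMPLE_DB)
    print("brute:", by_category(scripts, "brute"))
    print("ftp*:", by_name(scripts, "ftp"))
    print("non-intrusive:", production_safe(scripts))
```

To run it against the real database, read /usr/share/nmap/scripts/script.db into the text argument instead of SAMPLE_DB; the parser only relies on the Entry/filename/categories structure of each line.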

Installing New Scripts

  1. Run this command to ensure your files and folders are up to date: sudo apt update && sudo apt install nmap

  2. You can run this command to install a script manually from Nmap: sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse

  3. You must run this command to update the database file with the newly downloaded script: nmap --script-updatedb


Firewall Evasion

Stealth scans, along with NULL, FIN & Xmas scans, help to evade firewalls. However, a typical Windows host will still block ICMP packets. Nmap pings a target by default to determine whether a host is up or not. If ICMP replies are not received, Nmap will automatically mark the host as dead without bothering to scan it. Luckily, Nmap offers a switch to avoid this issue.

The switch -Pn tells Nmap not to bother pinging the host before scanning it. However, this kind of scan can take a long time, since every address in the range is scanned whether or not it is up. It's also worth noting that if you are already on the local network, Nmap can use ARP requests to determine host activity.

There are other switches which Nmap considers useful for firewall evasion which can be found here.


Answers

Task 2

What networking constructs are used to direct traffic to the right application on a server? Ports

How many of these are available on any network-enabled computer? 65535

How many of these are considered “well-known”? 1024

Task 3

What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)? -sS

Which switch would you use for a “UDP scan”? -sU

If you wanted to detect which operating system the target is running on, which switch would you use? -O

Nmap provides a switch to detect the version of the services running on the target. What is this switch? -sV

The default output provided by Nmap often does not provide enough information for a pentester. How would you increase the verbosity? -v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? -vv

What switch would you use to save the Nmap results in three major formats? -oA

What switch would you use to save the Nmap results in a “normal” format? -oN

A very useful output format: how would you save results in a “grepable” format? -oG

This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning. How would you activate this setting? -A

How would you set the timing template to level 5? -T5

How would you tell Nmap to only scan port 80? -p 80

How would you tell Nmap to scan ports 1000-1500? -p 1000-1500

How would you tell Nmap to scan all ports? -p-

How would you activate a script from the Nmap scripting library (lots more on this later!)? --script

How would you activate all of the scripts in the “vuln” category? --script=vuln

Task 5

Which RFC defines the appropriate behaviour for the TCP protocol? RFC9293

If a port is closed, which flag should the server send back to indicate this? RST

Task 6

There are two other names for a SYN scan, what are they? Half-Open, Stealth

Can Nmap use a SYN scan without Sudo permissions (Y/N)? N

Task 7

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as? open|filtered

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so? ICMP

Task 8

Which of the three shown scan types uses the URG flag? xmas

Why are NULL, FIN and Xmas scans generally used? Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port? Microsoft Windows

Task 9

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation) nmap -sn 172.16.0.0/16

Task 10

What language are NSE scripts written in? Lua

Which category of scripts would be a very bad idea to run in a production environment? Intrusive

Task 11

What optional argument can the ftp-anon.nse script take? maxlist

Task 12

What is the filename of the script which determines the underlying OS of the SMB server? smb-os-discovery.nse

Read through this script. What does it depend on? smb-brute

Task 13

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch? ICMP

Which Nmap switch allows you to append an arbitrary length of random data to the end of packets? --data-length

Task 14

Does the target IP respond to ICMP echo (ping) requests (Y/N)? N

Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered? 999

There is a reason given for this — what is it? No Response

Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open? 5

Can Nmap login successfully to the FTP server on port 21? (Y/N) Y
