NMAP (Network Mapper): Ping | SYN | TCP | UDP | Scripts | OS | Version
Nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing.
What can be done with NMAP
- Host Detection
- Port Scanning
- Service and Version Detection
- Operating System Detection
- Firewall Detection
- Vulnerability Assessment
- Brute Force Attacks
- Exploitation
Ping Scanning ( -sn )
Only prints the available hosts; no port scan is run after host discovery.
The default behavior for a privileged user is:
- ICMP echo request
- TCP SYN packet to port 443
- TCP ACK packet to port 80
- ICMP timestamp request
When executed by an unprivileged user, Nmap only sends packets using a connect call to ports 80 and 443 on the target.
# nmap -sn 192.168.1.221
# nmap -sn 192.168.1.221 -n | grep "Nmap scan" | cut -d" " -f5
Parameters:
- -sn - Ping scan
- -n - Skip host name lookup (no DNS resolution)
- grep "Nmap scan" - Keep only the lines showing an IP address
- cut -d" " -f5 - Cut out only the IP address, using space as the delimiter
- -p- - Scan all ports
- -Pn - Skip host discovery (ping); treat every host as up
- -p22,80 - Specify ports
- -sS -sU -pT:22,80,U:53,139-150 - Specify TCP and UDP ports separately
- --top-ports 50 - Scan the 50 most common ports
- -p1-65535 - Scan all ports
SYN Scan ( -sS )
It is relatively stealthy since it never completes TCP connections. This technique is often referred to as half-open scanning because you don't open a full TCP connection.
# nmap -sS 192.168.1.221 --top-ports 50
The first packet is a SYN sent by kali to start the three-way handshake. The second packet is a SYN-ACK sent by the destination system. The third packet is an RST sent by kali: because this is a SYN scan, the three-way handshake is never completed and is torn down with the RST.
Results:
- When we send a SYN packet and the destination system replies with a SYN-ACK, it is ready for a connection. We send an RST to abort the handshake, and Nmap interprets this result as an open port.
- If the destination system replies to our SYN with an RST packet, the port is reachable but closed.
- If the destination system does not respond to our packet at all, Nmap assumes the packet was dropped and reports the port as filtered. This is common firewall behavior.
- If the destination system replies to a SYN packet with an ICMP unreachable message, the port is also reported as filtered.
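The four SYN-scan outcomes above, plus the host list a ping scan produces, can be read back from Nmap's XML output (`-oX`). The parser below is an added example, not part of the original post: it runs on a constructed XML sample embedded in the code (no real scan, documentation-range addresses), so the reason strings (syn-ack, reset, no-response, admin-prohibited) are the ones nmap writes when run with --reason.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `nmap -sS --reason -oX -` output (no real scan was run);
# 192.0.2.0/24 is a documentation range, and only the elements read below are kept.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS --reason -oX - 192.0.2.10-11">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="admin-prohibited"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

# How nmap turns the reply to a SYN probe into a port state (the four cases above).
SYN_REPLY_MEANING = {
    "syn-ack": "SYN-ACK came back, port is open",
    "reset": "RST came back, port reachable but closed",
    "no-response": "nothing came back, probe probably dropped by a firewall",
    "admin-prohibited": "ICMP unreachable came back, counted as filtered",
}

def up_hosts(xml_text):
    """Hosts that answered discovery: what `nmap -sn ... | grep "Nmap scan"` lists."""
    root = ET.fromstring(xml_text)
    return [h.find("address").get("addr") for h in root.iter("host")
            if h.find("status").get("state") == "up"]

def parse_ports(xml_text):
    """Return (addr, proto, port, state, reason, service) for every scanned port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         state.get("state"), state.get("reason"),
                         svc.get("name") if svc is not None else ""))
    return rows

def summarize(rows):  # ports per state; everything 'filtered' usually means a firewall
    return dict(Counter(r[3] for r in rows))

def explain(rows):  # one line per port with the reply behind its state, like --reason
    return [f"{a}:{p}/{proto} {state} ({SYN_REPLY_MEANING.get(reason, reason)})"
            for a, proto, p, state, reason, _ in rows]
```

Feed it a real file with `parse_ports(open("scan.xml").read())`; a summary that is almost entirely "filtered" with reason no-response is the firewall signature the SYN-scan rules describe.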
TCP Scan ( -sT )
Completes the full TCP three-way handshake through the operating system's connect call (unlike -sS) and monitors the results.
# nmap -sT -Pn 192.168.1.221 --top-ports 10
The first packet is a SYN sent by kali to start the three-way handshake. The second packet is a SYN-ACK sent by the destination system. The third packet is an ACK sent by kali to complete the TCP three-way handshake. The fourth packet is an RST sent by kali to end the conversation.
UDP Scan ( -sU )
A UDP scan works by sending a UDP packet to every targeted port. UDP scanning is generally slower and more difficult than TCP scanning.
Run it with the version detection option for more accurate results.
# nmap -Pn -sU 192.168.1.221 --top-ports 10 -sV --reason
Parameters:
-sV - Version Detection
--reason - show the reason why the port is reported as open, closed, or filtered
Version and Operating System Detection
# nmap -sS -Pn 192.168.1.221 --top-ports 10 -sV -O
Parameters:
-sV Version Detection
-O Operating System Detection
Nmap Scripting Engine (NSE)
-sC - Run the default script set
--script - Specify custom scripts
/usr/share/nmap/scripts - Default location for Nmap scripts
Tasks can be performed with NSE:
- Network Discovery
- More Sophisticated version Detection
- Vulnerability Detection
- Backdoor Detection
- Vulnerability Exploitation
Categories:
To identify a script's category, go to the scripts under the /usr/share/nmap/scripts directory:
# less script_name
Search for the keyword "categories" with / and press the n key to jump to the next match. Alternatively, ask Nmap directly:
# nmap --script-help script_name
# nmap --script-help ssh-hostkey
- default: -sC
- auth: Authorization bypass
- brute: Brute force attack
- dos: Denial of service
- exploit: To exploit a known vulnerability
- safe: Safe to run
- intrusive: Scripts not in the safe category
- malware: Looks for malware on destination hosts
- version: Version detection scripts
- vuln: Vulnerability scanning scripts
Update Script Database:
# nmap --script-updatedb
Search Script:
# locate *.nse | grep telnet
Running Scripts:
# nmap -sS -p23 10.0.0.1 --script telnet-brute
# nmap -sU -p53 10.0.0.1 --script "dns-*"
# nmap -sS -Pn -p22,23 192.168.1.221 -sC
# nmap -sS -Pn -p22,23 192.168.1.221 -sC -vvv
# nmap --script-help smb-brute
# nmap 192.168.1.221 -p443 --script "ssh*" -sV
Some Handy Scripts
- *-brute.nse - Dictionary or brute force attack against the service
- *-info.nse - Information about the service
- dns-recursion - Tells if the DNS server allows recursion
- dns-zone-transfer - Tells if the DNS server allows zone transfers
- http-slowloris-check - Checks if the web server is vulnerable to Slowloris
- ms-sql-info - MSSQL instance version and configuration
- ms-sql-dump-hashes - Password hashes from the MSSQL service
- nbstat - NetBIOS name and MAC address
- smb-enum-users - Users of a Windows host
- smb-enum-shares - Shares of a Windows host
Some dictionary or brute force attack scripts:
- ftp-brute
- ftp-anon
- ms-sql-brute
- oracle-sid-brute
- snmp-brute
- telnet-brute
- vmauthd-brute
- vnc-brute