General notes
- By default, nmap uses only IPv4 for scanning. Try to perform scans twice, one without and one with the -6 parameter.
nmap -6 -sT -sC fc:00:...%eth0
- Run nmap as root, because some scans (e.g. those which require incomplete handshakes) are not possible in userspace.
- How does nmap detect if a host is up? It sends the following probes, and if at least one of them gets a response, the host is considered online.
- ARP request (if the target is in the same Ethernet subnet)
- ICMP echo request
- TCP SYN to port 443
- TCP ACK to port 80
- ICMP timestamp request
- You can use iptables counters to measure the traffic to / from the target (e.g. to see how much traffic a port scan generates before tuning it to be less noisy).
NC / Netcat
Try netcat first on interesting ports or narrow port ranges to be more silent.
Network scan
Choose a port which is probably open on systems on this network. E.g. 445 for Windows hosts or 22 for Linux hosts.
for i in $(seq 1 254); do nc -zv -w 1 10.10.10.$i 445; done
Port scan
For TCP:
nc -nvv -w 1 -z 10.11.1.220 3388-3390 2>&1 | grep open
For UDP: (This takes more time, because if a firewall is in the way, the ICMP port-unreachable messages may be filtered out, and nc then has to wait for the timeout before moving on to the next port.)
nc -nvv -u -w 1 -z 10.11.1.220 3388-3390 2>&1 | grep open
SNMP
If SNMP is available, a list of open ports can be retrieved as well. See the SNMP article.
Masscan
Scan very fast:
masscan -e tun0 -p 1-65535 --rate 2000 $victim
masscan -e tun0 -p U:1-65535 --rate 2000 $victim
Network sweeping
Scanning a whole subnet. The following scans from 192.168.5.0 until 192.168.5.255.
nmap 192.168.5.0/24
The following is more efficient, skipping special addresses.
nmap 192.168.5.1-254
This notation can also be used for other octets, like 192.168.1-10.1-254. IPv6 addresses can be given the same way, but currently not with a range.
To scan and write the output in a grep-friendly way, use -oG like here:
nmap -sn 10.10.10.0/24 -oG /tmp/t
grep Up /tmp/t | cut -d" " -f2
Show only open ports in a network
nmap 10.11.1.1-254 -p2233 --open
Host sweeping with PowerShell:
1..225 | % { echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | select-string ttl }
Single client scanning
Scan the most interesting 1000 ports (~ 71 KB of traffic)
nmap 10.10.10.10
Scan all ports (~ 4,5 MB of traffic)
nmap -p 1-65535 10.10.10.10
Netcat can be used as primitive port scanner which could be interesting on a target where it is installed already.
nc -nvv -w 1 -z $victim 1-1500
for port in $(seq 1 1500); do nc -nvv -w1 -z $victim $port 2>&1 | grep succeeded; done
Reading IPs from file
It's possible to load a file which contains the target IPs (separated by any whitespace).
nmap -iL retrieved_dhcp_host_ips.txt
Random scanning
Nmap can generate random IP ranges to scan for surveys.
nmap -iR 2 192.168.5.0/24
Detect hosts
Nmap has several methods to detect hosts.
Good go-to line:
nmap -PS21,22,23,25,53,80,110,111,135,137,139,143,443,445,502,993,995,1433,1432,1723,3306,3389,590,8080 -PE -iL hosts.txt
Create a host list via the host discovery packets which the hosts send by themselves; that means that this method is passive.
nmap -sL 192.168.5.1-254
Create a list of active hosts. This uses an additional ICMP echo request for each reported host.
nmap -sn 192.168.5.1-254
Create a list of hosts which are active on given ports. Nmap sends a TCP SYN packet to each port to initiate the three-way handshake. (If a server responds, nmap closes it with a RST packet so that no connection is created.)
For example, use -PS22,111 to detect Linux servers or -PS137-139,445,3389 to detect Windows systems. Or add a port from a service you're expecting in the network.
nmap -PS22-23,80,443 192.168.5.0/24
If a firewall blocks this, use the -PA option which sends a TCP ACK. Stateful firewalls often don't accept new SYN packets from the internet, but an incoming ACK packet looks like it belongs to an existing connection. The service will respond with a RST, but that doesn't matter because it proves that the service is alive.
nmap -PA80 192.168.5.1-254
Another alternative is using an UDP ping.
nmap -PU80 192.168.5.1-254
Another alternative is the SCTP INIT ping, which also shows the MAC addresses. (Root privileges are needed for this!)
nmap -PY80 192.168.5.1-254
Another alternative is the IP protocol ping (note that -PO takes IP protocol numbers, not TCP ports).
nmap -PO80 192.168.5.1-254
Another option for Ethernet networks is the ARP ping. Obviously, this only works on the local network segment, up to the next gateway.
nmap -PR 192.168.5.1-254
List IPs of a network, mark online ones
nmap -sL 10.10.64.0/27 | awk '/Nmap scan report/{print $NF}'
Detect hosts via a zombie
Nmap can use a zombie host which performs the scan from its perspective. The zombie has to be idle, because its IP ID field must not change for other reasons during the scan. Therefore, scan a potential zombie first with
nmap -v -O zombie.andreas-klingler.de
and note the IP ID Sequence Generation output to decide if this could be a zombie or not. After this, scan as follows.
nmap -Pn -p22,80,143 -sI <zombie_ip> $victim
Determine the OS and version numbers
Determine the OS
nmap -v -O $target
nmap -v --osscan-guess $target
Or try to get information about the version numbers of active services. This can be further extended via an additional -A switch.
nmap -sV [-A] $victim
Detect protocols
Determine which IP protocols the target supports.
nmap -sO $victim
FTP BOUNCE attack
FTP servers can talk directly to each other. This feature can be used to perform port scans via third-party FTP servers.
Check if a FTP server is prone to this attack by scanning it with nmap (parameter -sC). This returns "ftp-bounce: bounce working!" if the target is vulnerable. Then perform the scan from the first FTP server to the second as follows:
proxychains4 -q nmap -p23 -Pn -v -b anonymous:dsfsd@$victim 10.2.2.23
Detect open ports between two systems
- Create nc listener in a bash loop for a certain range.
Fast internal scanning
Small script to scan from an internal host to see which ports are open outbound.
#!/bin/bash
# Try a TCP connect to every port of $host via bash's /dev/tcp; a connect that
# does not succeed within 0.1 s is treated as closed or filtered.
host=10.5.5.11
for port in {1..65535}; do
  timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null &&
    echo "port $port is open"
done
echo "Done"
With PowerShell:
1..2048 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open" } 2>$null
Nmap options
- Ignore whether hosts seem to be inactive: With the -Pn option, nmap skips the initial check whether a host is alive before performing any further checks. This means that the entire range is probed, also IPs which seem not to be in use at the moment.
- Set the scan speed with -T X; nmap waits the following time between packets:
- 0 = 5 minutes
- 1 = 15 seconds
- 2 = 0,4 seconds
- 3 = automatic / default
- 4 = more aggressive
- 5 = extremely aggressive, can overload the network and miss packets.
- Add traceroute: With --traceroute, a traceroute is executed for every host which is alive.
- No DNS resolution: Speed up the scan with -n.
- Complete DNS resolution: Force reverse DNS resolution for all possible hosts within the given range with -R. This includes offline hosts as well, which can return interesting DNS entries for hosts that are currently offline.
- Use specified DNS servers: Use only the given DNS servers with --dns-servers srv1,srv2. In some networks, only certain local DNS servers can resolve all addresses, because they are not exposed to the public DNS system. In this case, try to figure out which DNS servers in the interesting network are online and add these to the real scan run.
- Scan UDP as well by adding -sU. Caution: Because UDP is connectionless, nmap has to wait for a timeout and retry to make sure the packet wasn't simply lost. So this switch should be used selectively and not in a wide scan.
- Caution: This scan can be unreliable; make sure to scan multiple times to make sure no port was omitted!
- Try exotic scan types like -sN, -sF, -sX, -sZ or -sM which can bypass filters. (See the manpage for more details.)
- Try to scan for proxy FTP servers. Very unusual today, but you can never know. See the manpage for details.
- Speed up the scan by scanning fewer ports with the -F option: it scans the 100 most common ports instead of the 1000 most common.
- Play the Romulans by adding some decoy attackers via -D <ip1>,<ip2>. Nmap will also produce packets from these IPs, so that an IDS would see a port scan from other systems as well.
- Use proxies (SOCKS or HTTP) with --proxies <proxy1>. This reduces the speed, and it can be necessary to adjust some other parameters like timeouts. See the manpage.
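The -T timing levels and the -D decoy option above are described from the scanner's side. The following is an added example (not part of these notes, and not taken from any IDS product) of the detector's side: simple threshold rules run over constructed iptables-LOG-style lines, counting distinct ports per source/destination pair (port scan) and distinct hosts per source/port (sweep) inside a sliding time window. The log lines, addresses, ports and thresholds are made up for the example; what it shows is that the same 12-port probe is caught with a 10-second window only when it is sent quickly, and that a much longer window is needed to see a -T1-style scan, which is the tuning trade-off a defender has to make.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables-LOG-style lines (not a real capture). Timestamps are plain
# seconds so the parser stays short; real syslog timestamps need a date parser.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)

def _line(ts, src, dst, dpt, proto="TCP"):
    """Build one constructed log line in the style of an iptables LOG entry."""
    return (f"{ts} fw kernel: FW-IN: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO={proto} SPT=51000 DPT={dpt} SYN")

LOG_LINES = (
    # fast scan: 12 ports on one host within 3 seconds (think -T4)
    [_line(1000 + i // 4, "10.10.10.99", "10.10.10.5", 20 + i) for i in range(12)]
    # slow scan: the same 12 ports, one every 20 seconds (think -T1)
    + [_line(2000 + 20 * i, "10.10.10.77", "10.10.10.5", 20 + i) for i in range(12)]
    # sweep: port 445 on 30 hosts within 4 seconds
    + [_line(3000 + i // 8, "10.10.10.88", f"10.10.10.{1 + i}", 445) for i in range(30)]
    # benign: one client reconnecting to the same HTTPS service
    + [_line(4000 + 5 * i, "10.10.10.50", "10.10.10.5", 443) for i in range(50)]
)

def parse_events(lines):
    """Return (ts, src, dst, proto, dport) tuples for every line the regex understands."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((int(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events

def max_distinct_in_window(events, group_by, distinct_by, window):
    """For each group, the largest number of distinct `distinct_by` values seen
    within any span of `window` seconds (sliding window over the sorted events)."""
    groups = defaultdict(list)
    for e in events:
        groups[group_by(e)].append((e[0], distinct_by(e)))
    result = {}
    for group, evs in groups.items():
        evs.sort(key=lambda e: e[0])
        live = Counter()      # values currently inside the window and how often they occur
        start = best = 0
        for ts, value in evs:
            live[value] += 1
            while evs[start][0] < ts - window:   # evict events that fell out of the window
                old = evs[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            best = max(best, len(live))
        result[group] = best
    return result

def port_scan_pairs(events, window=10, threshold=10):
    """(src, dst) pairs where src touched >= threshold distinct ports on dst within the window."""
    counts = max_distinct_in_window(events, lambda e: (e[1], e[2]), lambda e: (e[3], e[4]), window)
    return {pair: n for pair, n in counts.items() if n >= threshold}

def sweep_sources(events, window=10, threshold=10):
    """(src, proto, port) groups where src touched >= threshold distinct hosts on that port."""
    counts = max_distinct_in_window(events, lambda e: (e[1], e[3], e[4]), lambda e: e[2], window)
    return {group: n for group, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    ev = parse_events(LOG_LINES)
    print("port scans (10 s window):", port_scan_pairs(ev))
    print("port scans (600 s window):", port_scan_pairs(ev, window=600))
    print("sweeps:", sweep_sources(ev))
```

With the 10-second window only the fast scan and the sweep are reported; the slow source only shows up once the window is widened to 600 seconds, while the client that reconnects to a single service 50 times never exceeds one distinct target and stays quiet in both settings.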
Nmap output options
In addition to the regular output via STDOUT, nmap can also output the results in different ways.
The following writes the default output which would be generated to STDOUT into a text file.
nmap ... -oN <filename>
The following writes the results in a XML file.
nmap ... -oX <filename>
The following creates files in all formats (.txt, .xml and .grepable)
nmap ... -oA <basename>
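The -oG output used in the network sweeping section and the -oX output here are the two formats worth parsing when a scan feeds an inventory or a change check. The following is an added example (not nmap's own code and not part of these notes) of a parser for both formats using only the Python standard library, run over constructed sample output; the addresses, hostnames and service banners in the samples are made up. It also compares two results and lists the ports that newly appear, which is the check a defender runs between two scans of the same range.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

OpenPort = namedtuple("OpenPort", "host port proto service")

# Constructed samples (not real scan output): the first in the grepable (-oG) layout,
# the second in the XML (-oX) layout. Fields in -oG lines are separated by tabs.
GREPABLE_SAMPLE = (
    "# Nmap scan initiated as: nmap 10.10.10.0/24 -oG /tmp/t\n"
    "Host: 10.10.10.1 (gw.example.test)\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 10.10.10.7 ()\tStatus: Down\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

XML_SAMPLE = """<nmaprun scanner="nmap" args="nmap -oX - 10.10.10.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_grepable(text):
    """Parse -oG output: 'Host:' lines carry tab-separated 'Key: value' fields; the Ports
    field lists port/state/proto/owner/service/rpcinfo/version entries separated by ', '."""
    up_hosts, open_ports = [], []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines start with '#'
        fields = {}
        for part in line.split("\t"):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        host = fields["Host"].split()[0]               # drop the "(hostname)" suffix
        if (fields.get("Status") == "Up" or "Ports" in fields) and host not in up_hosts:
            up_hosts.append(host)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, *_rest = entry.split("/")
            if state == "open":
                open_ports.append(OpenPort(host, int(port), proto, service))
    return up_hosts, open_ports

def parse_xml(text):
    """Parse -oX output with the standard library; returns the same (up_hosts, open_ports)."""
    up_hosts, open_ports = [], []
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        if addr is None or status is None or status.get("state") != "up":
            continue
        ip = addr.get("addr")
        up_hosts.append(ip)
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.append(OpenPort(ip, int(port.get("portid")), port.get("protocol"),
                                           svc.get("name") if svc is not None else ""))
    return up_hosts, open_ports

def new_open_ports(baseline, current):
    """Open ports in `current` that were not open in `baseline` (keyed on host, port, proto)."""
    known = {(p.host, p.port, p.proto) for p in baseline}
    return [p for p in current if (p.host, p.port, p.proto) not in known]

if __name__ == "__main__":
    up, ports = parse_grepable(GREPABLE_SAMPLE)
    print("up:", up)
    print("open:", ports)
    print("new since baseline:", new_open_ports(parse_xml(XML_SAMPLE)[1], ports))
```

The grepable format is convenient for one-liners like the grep/cut pipeline above, but the XML output carries the same information with proper structure (state reasons, service details), so it is the better input for anything that runs regularly; the diff function treats the XML result as the baseline and reports port 80 as newly open.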
Nmap scripts
Tools
dnmap
- Distributed port scanning
- One server controls n clients which perform the actual scans.
- See https://tools.kali.org/information-gathering/dnmap for short usage.
zenmap
- UI for nmap which makes reading the output easier.
EyeWitness
Create automated screenshots from a list of webservers.
Windows
Test a single port in PowerShell:
PS> Test-NetConnection -Port 123 $target
Check multiple ports in PowerShell:
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null