Nmap

Nmap is a tool primarily for discovering devices on a network and detecting which ports on them are open.

Ping scans

Ping scanning (host discovery) is a technique for determining whether the specified computers are up and running. Nmap performs a ping scan by default before the port scan, to avoid wasting time on hosts that are not even connected. To instruct Nmap to perform only a ping scan:

nmap -sn <ip range or list>
#e.g.
nmap -sn 10.1.1.1/8

This will cause Nmap to ping every one of the specified addresses and then report the list of hosts that responded to the ping.

Nmap uses different kinds of ping packets when run with user or root privileges and when scanning the same or different subnets:

Run as           | External IP                         | Local IP
-----------------|-------------------------------------|----------------------------------
User privileges  | TCP SYN at ports 80 & 443           | TCP SYN at ports 80 & 443 and ARP
Root privileges  | TCP SYN at ports 80 & 443 and ICMP  | ARP

Ping scan types

Option | Ping scan type
-------|---------------------------------
-Pn    | Disable ping scan entirely
-PS    | TCP SYN (default at port 80)
-PA    | TCP ACK (default at port 80)
-PU    | UDP
-PY    | SCTP INIT
-PE    | ICMP Echo
-PP    | ICMP timestamp
-PM    | ICMP address mask
-PO    | Other IP protocol
-PR    | ARP scan

-Pn is useful when the machine is heavily firewalled: TCP ports 80 and 443 and ICMP requests are blocked, but the IP address might still have a machine listening on other, less common ports.

Port scan

There are 3 main states a port can be in:

  • open - there is a program listening and responding to requests on this port.
  • closed - the host answers requests to this port with an “error: no program is listening on this port” reply.
  • filtered - the host doesn’t reply at all. This can be due to restrictive firewall rules, which “drop” a packet without sending a reply.

In addition to these, there are 3 more states that Nmap can assign to a port. They are used when Nmap cannot reliably determine the state but has narrowed it down to two of the three possible states:

  • open|closed (unfiltered) - the port is either open or closed
  • closed|filtered - the port is either closed or filtered
  • open|filtered - the port is either open or filtered

Service Enumeration

Common Flags

  • -T{0-5} - Sets the timing - Higher is faster.
    • Normally, if you are on an internal network, -T4 is a good choice. It makes the scan faster and assumes a reliable connection.
  • -p<port-list> - Specifies port(s) to scan. By default, it will scan the most common 1000 ports.
    • -p- - This will scan ports 1-65535
    • -p0- - This will scan ports 0-65535. There is not normally anything on port 0, but if you are already doing a full TCP scan you might as well scan one more.
    • -p$(tr '\n' ',' < ./portList) - Will scan all ports listed in a newline-separated file called portList.
  • -sC - Run default scripts - equivalent to --script=default
  • -sV - Try to enumerate service versions - I think it does this by banner grabbing
  • -oA <filename> - Output in all formats.
    • -oN - Normal
    • -oX - XML
    • -oG - Greppable
  • -F - Fast, only scan the top 100 ports
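The host-discovery section above and the -p / -oG flags just listed are easiest to work with from a shell, so here is an added example (not from the original notes) of small helpers around Nmap's inputs and outputs: one builds a clean -p port list from a file (the tr one-liner above leaves a trailing comma and passes through blank or non-numeric lines), one lists the hosts that answered discovery, and one extracts ports in a chosen state from greppable (-oG) output. The function names sample_gnmap, gnmap_hosts_up, gnmap_ports and portlist_from_file are assumptions of this example; the scan data is constructed by hand in the -oG layout (tab-separated Host / Status / Ports fields, each port entry written as port/state/protocol/owner/service/rpcinfo/version/) so nothing here touches a network.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Helpers for preparing Nmap's
# -p argument and for parsing its greppable (-oG) output. The scan data is a
# constructed sample so the parsers can be exercised offline; nmap is not run.

# Emit a constructed -oG file: comment header, one "Status" line per live host,
# one "Ports" line per scanned host, closing comment. Fields are tab-separated.
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/28 (constructed sample)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.0.9 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n'
  printf '# Nmap done -- 16 IP addresses (2 hosts up) scanned (constructed sample)\n'
}

# Hosts that answered host discovery (the "Status: Up" lines, which is what a
# plain -sn ping scan produces). Reads -oG data on stdin, prints one IP per line.
gnmap_hosts_up() {
  awk -F'\t' '$1 ~ /^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Print "host port/proto service version" for every port in the requested state
# (default: open). Each entry in the Ports field is
# port/state/proto/owner/service/rpcinfo/version/, so after splitting on "/"
# the state is f[2], the protocol f[3], the service f[5] and the version f[7].
gnmap_ports() {
  awk -F'\t' -v want="${1:-open}" '
    $1 ~ /^Host: / {
      split($1, h, " "); host = h[2]          # "Host: 10.0.0.5 ()" -> 10.0.0.5
      for (i = 2; i <= NF; i++) {
        if (substr($i, 1, 7) != "Ports: ") continue
        n = split(substr($i, 8), p, /, /)
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")
          if (f[2] == want) print host, f[1] "/" f[3], f[5], f[7]
        }
      }
    }'
}

# Build a -p argument from a file with one port per line: blank lines and
# comments are skipped, duplicates dropped, values above 65535 rejected, and
# the result is comma-joined with no trailing comma.
portlist_from_file() {
  awk '/^[0-9]+$/ && $1 <= 65535 && !seen[$1]++ { printf "%s%s", (n++ ? "," : ""), $1 }
       END { print "" }' "$1"
}

# Stand-alone demonstration against the constructed data.
echo "Hosts up:";       sample_gnmap | gnmap_hosts_up
echo "Open ports:";     sample_gnmap | gnmap_ports open
echo "Filtered ports:"; sample_gnmap | gnmap_ports filtered
```

In practice you would feed the real file to the parsers (`gnmap_ports open < scan.gnmap`) and pass the list builder straight into the flag (`nmap -p"$(portlist_from_file ./portList)" ...`); keeping the per-state filter in one function also makes it easy to review the filtered ports separately from the open ones when checking firewall coverage.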

Useful scripts

smb-enum-users - Enumerates SMB users

Tags

  • Enumeration