NMAP (CEHV11)

Ahmet Göker
4 min readMar 26, 2022


Hey people,

Welcome back to my blog post. Today I will be covering Nmap in depth, with more examples, commands and parameters. Let's kick off.

NMAP

Nmap, also known as Network Mapper, is a free and open-source utility for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules and monitoring host or service uptime. Please visit the Nmap website for more information.

I want to cover the Nmap scan types:

Stealth scan:

Half-open scan or SYN scan: only SYN packets are sent, and the responses are the same as for a full connect scan. If you do not know what a SYN scan or a SYN packet is, please look up the TCP three-way handshake before continuing.

It is very useful for hiding your efforts and evading firewalls.

nmap -sS <target-ip>

Full connect:

TCP connect or full open scan. The first two steps (SYN and SYN/ACK) are exactly the same as with a SYN scan. Then, instead of aborting the half-open connection with a RST packet, Nmap completes the handshake with an ACK, so a full connection is established, and then tears it down with RST.

Easiest to detect but also the most reliable.

nmap -sT <target-ip>

TCP ACK scan / flag probe (multiple methods):

TTL version: if the TTL of the RST packet is less than 64, the port is open.

Window version: if the TCP window size on the RST packet is anything other than 0, the port is open.

It can also be used to check filtering: if an ACK is sent and there is no response, a stateful firewall is present.

nmap -sA <target-ip> (ACK scan)

nmap -sW <target-ip> (window scan)

NULL, FIN and Xmas scan:

These scans use the FIN, URG and PSH flags (the Xmas scan sets all three, the FIN scan sets only FIN and the NULL scan sets none).

Open ports give no response. Closed ports give RST/ACK.

nmap -sN <target-ip> (null scan)

nmap -sF <target-ip> (FIN scan)
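From the defender's side, the flag patterns above are exactly what an IDS keys on. The following is an added example, not code from the original post: it classifies captured TCP probes by flag pattern and flags sources whose probes of one type touch many distinct ports. The packet tuples and addresses are constructed sample data.

```python
"""Classify unsolicited TCP probes by the flag patterns the scan types above use,
and report sources that sweep many ports (added example, constructed sample data)."""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Map the flag bits of a probe to the Nmap scan type that sends them."""
    if flags == 0:
        return "NULL"          # -sN: no flags at all
    if flags == FIN:
        return "FIN"           # -sF: FIN only
    if flags == FIN | PSH | URG:
        return "XMAS"          # -sX: FIN, PSH and URG lit up
    if flags == SYN:
        return "SYN"           # -sS and -sT both open with a bare SYN
    if flags == ACK:
        return "ACK"           # -sA and -sW: bare ACK to map firewall rules
    return "OTHER"             # anything else is normal traffic for this check


def detect_scans(packets, min_ports=5):
    """packets: iterable of (src, dst, dport, flags). Returns
    {src: {scan_type: distinct_port_count}} for every source whose probes of one
    type hit at least min_ports distinct (dst, port) pairs; a single bare SYN
    from a normal client stays below the threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind != "OTHER":
            seen[src][kind].add((dst, dport))
    return {src: {k: len(v) for k, v in kinds.items() if len(v) >= min_ports}
            for src, kinds in seen.items()
            if any(len(v) >= min_ports for v in kinds.values())}


# Constructed sample capture: 192.0.2.10 sweeps ports 20-29 with Xmas probes and
# sends two bare SYNs; 192.0.2.77 makes one ordinary SYN to port 443.
SAMPLE_PACKETS = (
    [("192.0.2.10", "198.51.100.5", p, FIN | PSH | URG) for p in range(20, 30)]
    + [("192.0.2.10", "198.51.100.5", 80, SYN), ("192.0.2.10", "198.51.100.5", 443, SYN)]
    + [("192.0.2.77", "198.51.100.5", 443, SYN)]
)

if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_PACKETS).items():
        print(src, kinds)      # 192.0.2.10 {'XMAS': 10}
```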

SPOOFING:

Decoy:

nmap -D <decoy-ip> <target-ip>

Source address spoofing:

nmap -e <network-interface> -S <IP-source> <target>

MAC address spoofing:

nmap --spoof-mac <MAC|vendor> <target>

A decoy scan sends probes from the decoy IP address alongside your own IP address.

FIREWALL evasion:

Multiple decoy IP addresses:

This option scans with multiple decoy IP addresses: Nmap sends packets with different source IP addresses alongside the attacker's real IP address.

nmap -D RND:<number> <target>

For example:

nmap -D RND:30 10.10.10.10

1) paranoid:

paranoid (0) intrusion detection system evasion:

nmap <target-ip> -T0

2) Sneaky:

sneaky (1) intrusion detection system evasion:

nmap <target-ip> -T1

3) Polite:

polite (2) slows down the scan to use less bandwidth and fewer target machine resources

nmap <target-ip> -T2

4) Normal:

normal (3), which is the default speed

nmap <target-ip> -T3

5) Aggressive:

aggressive (4) speeds up the scan; assumes you are on a reasonably fast and reliable network

nmap <target-ip> -T4

6) Insane:

insane (5) speeds up the scan; assumes you are on an extraordinarily fast network

nmap <target-ip> -T5

UDP scan:

Most popular services run over TCP, but many common services also use UDP: DNS (53), DHCP (67), NTP (123), NetBIOS (137), etc.

  1. nmap -sU <target-ip>
  2. nmap -sU -p U:53,123 <target-ip>
  3. nmap -sU -sS -p U:53,123,T:80,443 <target-ip>

List of switches:

  • -sA (ACK scan)
  • -sF (FIN scan)
  • -sI (idle scan)
  • -sL (list scan, reverse-DNS lookups only)
  • -sN (NULL scan)
  • -sO (protocol scan)
  • -sP or -sn (ping scan)
  • -sR (RPC scan)
  • -sS (SYN scan)
  • -sT (TCP connect)
  • -sW (window scan)
  • -sX (Xmas scan)
  • -A (aggressive scan, includes OS detection)
  • -sV (determine service info)
  • -PI (ICMP ping)
  • -Pn (no ping)
  • -P0 (no ping, older form of -Pn)
  • -PS (SYN ping)
  • -PT (TCP ping)
  • -oN (normal output)
  • -oX (XML output)
  • -n (never do DNS resolution)
  • -f (fragment packets)
  • -D (IP address decoy)

NSE SCRIPT:

NSE stands for Nmap Scripting Engine. It is basically a library of Nmap scripts that extend the default Nmap features and report their results in the usual Nmap output.

Nmap also allows you to create your own NSE scripts, which can be added to its script library, and that is superb.

With that being said, let's look at these in a practical manner:

NSE SCRIPTS PRACTICALLY:

Scan with default NSE scripts. Considered useful for discovery and safe:

nmap 10.10.10.10 -sC

nmap 10.10.10.10 --script default

Scan with a single script, for example banner:

nmap 10.10.10.10 --script=banner

Scan with a wildcard, for example all HTTP scripts:

nmap 10.10.10.10 --script=http*

NSE script with an argument:

nmap --script snmp-sysdescr --script-args snmpcommunity=admin 10.10.10.10

Useful NSE script examples:

HTTP site map generator:

nmap -Pn --script=http-sitemap-generator scanme.nmap.org

Fast search for random web servers:

nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000

Brute-force DNS hostnames to guess subdomains:

nmap -Pn --script=dns-brute domain.com

Safe SMB scripts to run:

nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 10.10.10.10

Check for SQL injection:

nmap -p 80 --script http-sql-injection scanme.nmap.org
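Script results are easiest to work with from the XML output (the -oX switch listed above). The following is an added example, not code from the original post or from the Nmap project: a small parser that reads -oX output and keeps, per host, only the open ports with their service names and the NSE script results (banner, http-title) attached to them. The XML is a constructed, trimmed sample of what Nmap emits.

```python
"""Parse Nmap -oX XML output into open ports plus their NSE script results
(added example; SAMPLE_XML is a constructed, trimmed Nmap report)."""
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of what `nmap -sV --script banner,http-title -oX - <host>` emits
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script banner,http-title -oX - 10.10.10.10">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
        <script id="banner" output="SSH-2.0-OpenSSH_8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
        <script id="http-title" output="Welcome"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {addr: [{port, proto, service, scripts}]} for open ports only, dropping closed/filtered noise."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:          # skip hosts without an IPv4 address element
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "scripts": {s.get("id"): s.get("output") for s in port.iter("script")},
            })
        hosts[addr.get("addr")] = entries
    return hosts
```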

Summary

So far, I have tried to share almost every useful command, but I do recommend that you search for more of these awesome parameters and commands, because Nmap has been designed and written very well. As I mentioned above, check whether you are able to create your own NSE scripts; that can be very handy, especially for proofs of concept.

Many thanks for your support and for reading this blog.

Ahmet Göker | junior hacker | PoC/exploit researcher | CTF player | CE bachelor

You can follow me on social platforms:

Twitter: https://twitter.com/TurkishHoodie_

Medium: https://medium.com/@turkishhoodie010

Telegram: DarkGhost

LinkedIn: https://www.linkedin.com/in/ahmetgöker

YouTube: https://youtube.com/TurkishHoodie