Scanning using Nmap

  • Some of the Nmap example scans we’ll cover in this Module are run using sudo. This is because quite a few Nmap scanning options require access to raw sockets, which in turn require root privileges. Raw sockets allow for surgical manipulation of TCP and UDP packets. Without access to raw sockets, Nmap is limited, as it falls back to crafting packets using the standard Berkeley socket API.

  • By default, an Nmap TCP scan covers the 1000 most popular ports.

Testing how much traffic is sent by a default Nmap scan

Monitoring amount of traffic using iptables

sudo iptables -I INPUT 1 -s 192.168.1.5 -j ACCEPT

sudo iptables -I OUTPUT 1 -d 192.168.1.5 -j ACCEPT

sudo iptables -Z

Where

-I - insert a new rule at the given position in the chain (here position 1, so it is evaluated first)

INPUT - inbound traffic chain

OUTPUT - outbound traffic chain

-s - source IP address

-d - destination IP address

-j ACCEPT - jump to the ACCEPT target, i.e. accept the traffic (the rule exists only so its counters record the scan traffic)

-Z - zero the packet and byte counters in all chains

Scanning with nmap

nmap 192.168.1.5

Monitoring Traffic

sudo iptables -vn -L

-v - verbose (shows the packet and byte counters)

-n - numeric output (no DNS or service-name resolution)

-L - list the rules present in all chains

Resulting Output

Chain INPUT (policy ACCEPT 161 packets, 9880 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   344 ACCEPT     0    --  *      *       192.168.1.5          0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 173 packets, 10547 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2019  121K ACCEPT     0    --  *      *       0.0.0.0/0            192.168.1.5

Chain piavpn.100.blockAll (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain piavpn.100.protectLoopback (0 references)
 pkts bytes target     prot opt in     out     source               destination     

The default Nmap scan generated about 121K of outbound traffic to the target (the byte counter of the OUTPUT rule), against only 344 bytes received back.
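The measurement above, as an added example that is not part of the original notes: a shell script that parses the counter listing produced by iptables -vn -L (the constructed sample below mirrors the listing shown above) and a function that wraps the whole procedure for a live run. The target address and the scan arguments are assumptions for illustration. Two caveats the example encodes: without -x, iptables rounds large counters to K/M/G with a 1000 multiplier, so "121K" is approximate, and -Z zeroes the counters of every chain, not just the two rules added.

```shell
#!/bin/sh
# Added example (not part of the original notes): measure the traffic a scan
# exchanges with one target using iptables byte counters, and parse the counter
# listing. The target address and scan arguments are assumptions.

# Constructed sample: the counter listing as printed by `iptables -vn -L` after a
# scan, trimmed to the rules that matter. Without -x, iptables abbreviates large
# counters (121K), so the parsed value is only approximate.
SAMPLE_COUNTERS=$(mktemp)
trap 'rm -f "$SAMPLE_COUNTERS"' EXIT
cat > "$SAMPLE_COUNTERS" <<'EOF'
Chain INPUT (policy ACCEPT 161 packets, 9880 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   344 ACCEPT     0    --  *      *       192.168.1.5          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 173 packets, 10547 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2019  121K ACCEPT     0    --  *      *       0.0.0.0/0            192.168.1.5
EOF

# scan_bytes <target-ip> <counter-listing-file>
# Sums the byte counters of rules whose source (INPUT) or destination (OUTPUT)
# is the target and prints "in=<bytes> out=<bytes>".
scan_bytes() {
    awk -v t="$1" '
        # iptables rounds big counters to K/M/G with a 1000 multiplier when -x is absent
        function tobytes(v) {
            if (v ~ /K$/) return substr(v, 1, length(v) - 1) * 1000
            if (v ~ /M$/) return substr(v, 1, length(v) - 1) * 1000000
            if (v ~ /G$/) return substr(v, 1, length(v) - 1) * 1000000000
            return v + 0
        }
        # columns: pkts bytes target prot opt in out source destination
        $8 == t { in_b  += tobytes($2) }
        $9 == t { out_b += tobytes($2) }
        END { printf "in=%d out=%d\n", in_b, out_b }
    ' "$2"
}

# measure_scan <target-ip> [nmap options...]
# Live version of the procedure in the notes: insert accounting rules, zero the
# counters, scan, read exact counters (-x), then remove the rules again.
# Needs root and a reachable target, so it is defined here but not executed.
measure_scan() {
    target="$1"; shift
    sudo iptables -I INPUT 1 -s "$target" -j ACCEPT
    sudo iptables -I OUTPUT 1 -d "$target" -j ACCEPT
    sudo iptables -Z
    nmap "$@" "$target" > /dev/null
    counters=$(mktemp)
    sudo iptables -vnx -L > "$counters"
    scan_bytes "$target" "$counters"
    rm -f "$counters"
    sudo iptables -D INPUT -s "$target" -j ACCEPT
    sudo iptables -D OUTPUT -d "$target" -j ACCEPT
}

scan_bytes 192.168.1.5 "$SAMPLE_COUNTERS"   # prints: in=344 out=121000
```

Run `measure_scan 192.168.1.5 -sS` (as an example) on a lab host to compare scan types; because measure_scan reads the counters with -x, its output is exact rather than rounded.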

Other Tools

1. MASSCAN

2. RustScan

They are faster than Nmap but generate a substantial amount of concurrent traffic. Nmap imposes some traffic rate limiting, which results in less bandwidth congestion and more covert behavior.

  • SYN scanning is a TCP port scanning method that involves sending SYN packets to various ports on a target machine without completing a TCP handshake. If a TCP port is open, a SYN-ACK should be sent back from the target machine, informing us that the port is open. At this point, the port scanner does not bother to send the final ACK to complete the three-way handshake.

Nmap Stealth Scan (-sS)

sudo nmap -sS 192.168.1.5

  • Because the three-way handshake is never completed, the information is not passed to the application layer and, as a result, will not appear in any application logs.

  • Please note that the term “stealth” refers to the fact that, in the past, firewalls would fail to log incomplete TCP connections. This is no longer the case with modern firewalls, and although the stealth moniker has stuck around, it could be misleading.

Various Scanning Techniques using Nmap

nmap -sT $IP >> TCP Connect Scan

nmap -sU $IP >> UDP Scan

  • The UDP scan uses two different methods to determine if a port is open or closed.

  • Standard ICMP port unreachable method >>> for most ports (no ICMP reply means the port is open or filtered)

  • Send a protocol-specific packet >>> for common ports

    • e.g. for port 161, which is used by SNMP, send a protocol-specific SNMP packet

The UDP scan (-sU) can also be used in conjunction with a TCP SYN scan (-sS) to build a more complete picture of our target.

nmap -sS -sU $IP

Network Sweeping Technique

  • Attempts to probe a large volume of targets

  • Broad host discovery scan

nmap -sn $IP_Range

nmap -v -sn $IP_Range -oG pingsweep.txt
grep Up pingsweep.txt | cut -d " " -f 2

Sweep specific TCP or UDP port

nmap -p 80 $IP_Range -oG web-sweep.txt
grep open web-sweep.txt | cut -d " " -f 2
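The grep/cut pipelines above work on the grepable (-oG) format, but a plain `grep open` matches any host with any open port, which misfires as soon as more than one port is swept. The following shell functions, an added example not taken from the original notes, parse the Host: lines properly; the two sample files are constructed to mimic -oG output and are not real scan results.

```shell
#!/bin/sh
# Added example (not part of the original notes): pull results out of Nmap's
# grepable (-oG) output without the false matches a plain `grep open` can give.
# The sample files below are constructed to mimic -oG output, not real scans.

PING_SWEEP=$(mktemp)
PORT_SWEEP=$(mktemp)
trap 'rm -f "$PING_SWEEP" "$PORT_SWEEP"' EXIT

# Constructed -oG output of `nmap -v -sn` (with -v, Down hosts are listed too).
{
  printf '# Nmap scan initiated (constructed sample) as: nmap -v -sn -oG pingsweep.txt 192.168.1.0/29\n'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.6 ()\tStatus: Down\n'
  printf '# Nmap done (constructed sample) -- 8 IP addresses (2 hosts up)\n'
} > "$PING_SWEEP"

# Constructed -oG output of `nmap -p 80,443`. Host .5 has only 443 open, so a
# plain `grep open` would wrongly list it as a web server on port 80.
{
  printf '# Nmap scan initiated (constructed sample) as: nmap -p 80,443 -oG web-sweep.txt 192.168.1.0/29\n'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n'
  printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.5 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///\n'
} > "$PORT_SWEEP"

# hosts_up <grepable-file>: one IP per line for every host reported Up.
hosts_up() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1"
}

# hosts_with_open_port <port> <grepable-file>: IPs where exactly that port is open.
# The Ports: field is a comma-separated list of port/state/proto/owner/service/...
# entries, so each entry is split and checked individually.
hosts_with_open_port() {
    awk -v p="$1" '
        /^Host: / && /Ports: / {
            ip = $2
            sub(/.*Ports: /, "")            # keep only the port list
            sub(/\tIgnored State:.*/, "")   # drop the trailing summary, when present
            n = split($0, entries, /, /)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[1] == p && f[2] == "open") print ip
            }
        }' "$2"
}

hosts_up "$PING_SWEEP"                    # 192.168.1.1 and 192.168.1.5
hosts_with_open_port 80 "$PORT_SWEEP"     # 192.168.1.1 only
hosts_with_open_port 443 "$PORT_SWEEP"    # 192.168.1.5 only
```

Point the functions at your own pingsweep.txt / web-sweep.txt files to get clean host lists that can be fed straight into a follow-up scan.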

Top-port scanning with OS detection, version detection, script scanning and traceroute using the `-A` option

nmap -sT -A --top-ports=20 $IP_Range -oG top-port-sweep.txt

  • The top 20 ports are determined using the frequency data in /usr/share/nmap/nmap-services

OS detection scan, with aggressive OS guessing, to get a rough idea of the target system

sudo nmap -O $IP --osscan-guess

nmap -sT -A $IP
nmap -A -sV $IP

  • Banner grabbing significantly impacts the amount of traffic used as well as the speed of our scan

  • Banners can be modified by system administrators and intentionally set to fake service names to mislead potential attackers.

Nmap Scripting Engine (NSE)

  • NSE scripts are located in /usr/share/nmap/scripts

  • To view more information about a script we can use --script-help script_name

Eg. http-headers script

  • The http-headers script attempts to connect to the HTTP service on a target system and determine the headers it returns

nmap --script-help http-headers
nmap --script http-headers $IP
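Beyond running a single script by name, Nmap also indexes every script and its categories in script.db, which sits in the same /usr/share/nmap/scripts directory. The function below, an added example that is not part of the original notes, lists the scripts in a chosen category from that index so you know what a category selects before running it. The sample index is constructed; the real file has one "Entry { ... }" line per script in the same format.

```shell
#!/bin/sh
# Added example (not part of the original notes): list the NSE scripts that
# belong to a given category by parsing Nmap's script index, script.db, which
# lives next to the scripts in /usr/share/nmap/scripts. The sample index below
# is constructed; the real file has one "Entry { ... }" line per script.

SAMPLE_DB=$(mktemp)
trap 'rm -f "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_DB" <<'EOF'
Entry { filename = "http-headers.nse", categories = { "discovery", "safe" } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "http-brute.nse", categories = { "brute", "intrusive" } }
EOF

# nse_scripts_in_category <category> [script.db]
# Prints the filename of every script whose category list contains <category>.
# Matching is done on the quoted category list only, so a word that also occurs
# inside a filename (e.g. "http") does not produce false hits.
nse_scripts_in_category() {
    db="${2:-/usr/share/nmap/scripts/script.db}"
    awk -v want="$1" '
        match($0, /filename = "[^"]+"/) {
            name = substr($0, RSTART + 12, RLENGTH - 13)   # strip: filename = "..."
            cats = $0
            sub(/.*categories = /, "", cats)               # keep the category list only
            if (cats ~ ("\"" want "\"")) print name
        }' "$db"
}

nse_scripts_in_category safe "$SAMPLE_DB"        # http-headers.nse, http-title.nse
nse_scripts_in_category intrusive "$SAMPLE_DB"   # http-brute.nse
```

Call it without the second argument (for example `nse_scripts_in_category safe`) to query the installed index, then pass any listed name to --script-help for its description.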

Change Nmap xml output to html file for better readability

xsltproc <nmap_output.xml> -o <nmap_output.html>
