Day 075 #FromZeroToHacker – Nmap for beginners

Proper enumeration should be done before any exploitation attempts are made, as the more knowledge we have, the more attack vectors we may use. Nmap is the tool for it.

Let’s map our knowledge in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Nmap

Proper enumeration should be done before any exploitation attempts are made, as the more knowledge we have, the more attack vectors we may use.

When we have an IP address (or several), we need to create a “map” of the landscape we are attacking. Enumeration is the equivalent of exploring that landscape: we need to know which services are running on the targets, which versions they use, etc.

The first step of this exploration is port scanning. Ports are necessary for making network requests or exposing services. If you want a server to run more than one website and/or service (an HTTPS website, with an SSH connection, that also provides an FTP service), you need ports.

Nmap: How ports work in a server

Despite there being 65,535 available ports, many of them are standard ports. For example, HTTP services are usually found on port 80, HTTPS on 443, SMB on port 445, etc.

To find out which services are running and where, we use Nmap to perform different kinds of port scans. Depending on how the port responds, Nmap reports it as open, closed or filtered (by a firewall, for example).

What have I learnt today?

Nmap Switches

We can use Nmap switches (command-line arguments) to specify what Nmap should do: from scanning only one port with -p 80, to scanning all ports with -p-, to specifying the type of scan (-sV, -sS, etc.) or how the results are stored (-oG for grepable format, -oN for normal format, etc.).

You can use man nmap or nmap -h, but I found a Cheat Sheet of all the Nmap switches, which is more readable than the terminal.

Scan types: Overview

Using the cheat sheet we just saw, we can find that there are three basic scan types:

  • -sT to perform TCP connect scans.
  • -sU to perform UDP scans.
  • -sS to perform SYN scans.

Additionally, there are several less common port scans, such as:

  • -sN to perform TCP Null scans.
  • -sF to perform TCP FIN scans.
  • -sX to perform TCP Xmas scans.

Apart from a few details (UDP scans being the exception), all of these scans are used for similar purposes.

Scan types: TCP connect scans

TCP connect scans (-sT) use the TCP three-way handshake.

As a recap, the three-way handshake has three stages:

Three-way handshake
  • First, the attacking machine sends a SYN flag.
  • Then, the server acknowledges this with a TCP response containing the SYN and the ACK flag.
  • The attacking machine completes the handshake by sending a packet with the ACK flag set.

A TCP connect scan performs the three-way handshake with each target port in turn: it tries to connect to each TCP port and, if the handshake completes, the service is open.

If nothing is listening (the port is closed), an RST (ReSeT) flag is sent back.

Reset flag

If the port is open, the three-way handshake happens. If it is closed, an RST flag is sent. But there is a third possibility: the port is hidden behind a firewall, which drops incoming packets.

Nmap sends a SYN request and receives nothing back. This indicates that the port is behind a firewall, and Nmap marks the port as filtered (the third state after open and closed).
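To make the three states concrete, here is a small TCP connect scanner in Python. It is an added example, not code from the original post or from Nmap; it reproduces what -sT does with an ordinary connect() call and classifies each port the way Nmap reports it. The loopback listener and the released ephemeral port it scans are constructed targets for demonstration.

```python
import socket
from contextlib import closing

# State names follow Nmap's vocabulary for a TCP connect scan (-sT):
#   open     - the three-way handshake completed (SYN, SYN/ACK, ACK)
#   closed   - the target answered the SYN with RST, seen here as "connection refused"
#   filtered - nothing came back before the timeout, i.e. something dropped the SYN

def connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port by attempting a full connect() to it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))        # the kernel performs the whole handshake for us...
        return "open"                     # ...so the server's accept() sees us: this scan gets logged
    except ConnectionRefusedError:        # SYN -> RST
        return "closed"
    except OSError:                       # timeout (SYN dropped) or unroutable host
        return "filtered"
    finally:
        sock.close()                      # tear the connection down again

def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan each port in turn, like -sT does, and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}

def start_local_listener() -> socket.socket:
    """Constructed 'open' target: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def free_loopback_port() -> int:
    """Constructed 'closed' target: reserve an ephemeral port, then release it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    listener = start_local_listener()
    targets = [listener.getsockname()[1], free_loopback_port()]
    for port, state in scan_ports("127.0.0.1", targets).items():
        print(f"{port}/tcp\t{state}")
    listener.close()
```

The filtered result cannot be shown on loopback; it appears only when a packet filter silently drops the SYN and the timeout expires.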

Scan types: SYN Scans

SYN scans (-sS), like TCP connect scans, are used to scan the TCP port range. The difference is that SYN scans don’t complete the three-way handshake: after receiving the SYN/ACK, the scanner sends back an RST flag instead of the final ACK.

SYN scans

This prevents the server from retrying the request multiple times, which has advantages, such as:

  • It can be used to bypass older (much older) Intrusion Detection Systems. This is why SYN scans are referred to as stealth scans.
  • SYN scans are not logged, as connections are logged once they are fully established.
  • SYN scans are faster, as they don’t need to complete the three-way handshake.

There are disadvantages to SYN scans:

  • They require sudo permissions.
  • Unstable services are often brought down by SYN scans.

But the pros outweigh the cons, which is why SYN scans are Nmap’s default scan type, unless Nmap is run without sudo permissions; in that case, TCP connect scans are used.

And, as in TCP connect scans, the port can be open, closed or filtered.

Scan types: UDP scans

Unlike TCP, UDP connections are stateless (good when we need speed over reliability), so UDP ports are more difficult and slower to scan. The switch for UDP scans is -sU.

If we get a UDP response to a UDP request, the port is open, but this is unlikely. If we don’t get one, the port is open|filtered. When the packet is sent to a closed UDP port, the target should send back a message that the port is unreachable, marking the port as closed.

UDP scans are slower in comparison to TCP connect and SYN scans (20 minutes to scan the first 1,000 ports). It is good practice to run an Nmap UDP scan with --top-ports <NUMBER>, which scans only the top <NUMBER> ports, making it faster.

UDP scans send raw, empty packets.
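The three UDP outcomes described above can be reproduced with plain sockets. This is an added example, not code from the original post or from Nmap: it sends the same empty datagram that -sU does and relies on the kernel turning the “port unreachable” message into a connection-refused error. The loopback listeners (one that answers, one that stays silent) and the released port are constructed targets.

```python
import socket
import threading

def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Send one empty datagram and classify the port the way nmap -sU does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))     # a "connected" UDP socket receives ICMP errors for that peer
        sock.send(b"")                 # the raw, empty packet the scan sends
        sock.recv(1024)                # any UDP reply at all proves a listener
        return "open"
    except ConnectionRefusedError:     # the kernel reported an ICMP "port unreachable"
        return "closed"
    except socket.timeout:             # silence: a service that ignores us, or a firewall drop
        return "open|filtered"
    finally:
        sock.close()

def start_udp_service(reply: bool) -> tuple:
    """Constructed target: a loopback UDP listener that either answers or stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(1024)
            except OSError:            # the socket was closed by the caller
                return
            if reply:
                srv.sendto(b"hello", peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def free_udp_port() -> int:
    """Constructed 'closed' target: an ephemeral UDP port nobody is bound to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    talkative, p1 = start_udp_service(reply=True)
    silent, p2 = start_udp_service(reply=False)
    for p in (p1, p2, free_udp_port()):
        print(f"{p}/udp\t{udp_probe('127.0.0.1', p)}")
    talkative.close(); silent.close()
```

The closed result depends on the host delivering the ICMP port unreachable error to the connected UDP socket, which Linux does; the silent listener shows why a real service with no banner looks exactly like a firewall drop.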

Scan types: NULL, FIN, and Xmas

NULL, FIN and Xmas TCP scans are less commonly used. All three are stealthier than a SYN scan:

  • NULL scans (-sN) send no flags at all. The target host responds with an RST if the port is closed.
  • FIN scans (-sF) are like NULL scans, but send a FIN flag (the flag used to close an active connection). If the port is closed, an RST flag will be sent.
  • Xmas scans (-sX) send a malformed TCP packet, expecting an RST response for closed ports. The flags sent are PSH, URG and FIN.

The expected response is the same as for UDP scans: no response for open ports, but this is also the expected behaviour if the port is behind a firewall. So open|filtered, closed or filtered are the only possible answers.

The goal here is firewall evasion. Many firewalls drop incoming TCP packets to blocked ports with the SYN flag set. By sending requests that do not contain the SYN flag, we can bypass this type of firewall. But modern IDS solutions know these scan types, so it is not 100% effective.
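From the defender’s side, these probes are easy to recognise precisely because their flag combinations never occur in legitimate traffic. The following Python is an added example, not part of the original post or of any IDS product: it classifies TCP flag sets into the NULL, FIN, Xmas and SYN signatures discussed above and reports sources that swept several ports with one signature. The record format and the packet records are constructed for the example.

```python
from collections import defaultdict

# Flag combinations that distinguish the probe types this post describes.
# Real traffic always carries SYN, ACK or RST, so a segment with no flags (NULL),
# FIN alone, or FIN+PSH+URG (Xmas) is almost always a scanner.
SIGNATURES = {
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
    frozenset({"FIN", "PSH", "URG"}): "xmas",
    frozenset({"SYN"}): "syn",
}

def classify_flags(flags) -> str:
    """Map a TCP flag set to a scan signature, or 'normal' if it looks like real traffic."""
    return SIGNATURES.get(frozenset(flags), "normal")

def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value' packet record, e.g.
    'src=10.0.0.5 dst=10.0.0.9 dport=22 flags=FIN,PSH,URG' (empty flags = NULL probe)."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["dport"] = int(fields["dport"])
    fields["flags"] = {f for f in fields["flags"].split(",") if f}
    return fields

def find_scanners(lines, min_ports: int = 5) -> dict:
    """Return {(src, signature): sorted ports} for sources that probed at least
    min_ports distinct ports with one scan signature."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        sig = classify_flags(rec["flags"])
        if sig != "normal":
            seen[(rec["src"], sig)].add(rec["dport"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

# Constructed sample: one host doing an Xmas sweep, one doing a NULL sweep,
# plus an ordinary handshake and data exchange from a third host.
SAMPLE = (
    [f"src=10.0.0.5 dst=10.0.0.9 dport={p} flags=FIN,PSH,URG" for p in range(20, 26)]
    + [f"src=10.0.0.7 dst=10.0.0.9 dport={p} flags=" for p in (22, 80, 443, 445, 3389)]
    + ["src=10.0.0.8 dst=10.0.0.9 dport=443 flags=SYN",
       "src=10.0.0.8 dst=10.0.0.9 dport=443 flags=ACK",
       "src=10.0.0.8 dst=10.0.0.9 dport=443 flags=PSH,ACK"]
)

if __name__ == "__main__":
    for (src, sig), ports in find_scanners(SAMPLE).items():
        print(f"{src}: {sig} scan against ports {ports}")
```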

Scan types: ICMP network scanning

We can create a map of the network structure with a ping sweep, where Nmap sends an ICMP packet to each possible IP address for the specified network. If it gets a response, the IP address is marked as alive.

nmap -sn 192.168.0.1-254 or nmap -sn 192.168.0.0/24

The -sn switch tells Nmap not to scan any ports and to send only ICMP echo packets to identify targets.

NSE Scripts: Overview

The NSE (Nmap Scripting Engine) extends Nmap’s functionality considerably. Written in the Lua language, NSE scripts can be used for a variety of things: scanning for vulnerabilities, automating exploits, etc. Some categories of scripts are:

  • Safe: Won’t affect the target.
  • Intrusive: Likely to affect the target.
  • Vuln: Scan for vulnerabilities.
  • Exploit: Attempt to exploit a vulnerability.
  • Auth: Attempt to bypass authentication.
  • Brute: Attempt to brute force credentials.
  • Discovery: Attempt to query running services for additional information about the network.

More information is in the NSE Usage section of the Nmap website.

NSE Scripts: Working with the NSE

To run a specific script, we use: --script=<SCRIPT_NAME>.
Multiple scripts can be used: --script=<SCRIPT_NAME_1>,<SCRIPT_NAME_2>,<SCRIPT_NAME_3>.
Some scripts require arguments, which are provided with the --script-args switch:

nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

Arguments are separated by commas, and each one is tied to its script by prefixing the script name and a period.

We can check the help menu from one script with nmap --script-help <SCRIPT_NAME>.

NSE Scripts: Searching for scripts

There are hundreds (604) of NSE scripts. How can we find which one to use?

There are two options.

  • The first is the Nmap website, which contains a list of all official scripts.
  • The second is using /usr/share/nmap/scripts/script.db. Despite its extension, it is not a database but a text file listing the filename and categories of each script.
Nmap NSE Scripts list

Of course, we can use grep with this:

Nmap NSE Scripts grep
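Because script.db is just text, grep is not the only option. The following Python is an added example, not part of the original post or of Nmap: it parses the “Entry { filename = ..., categories = { ... } }” lines that script.db uses and searches them by name and category, which is what the grep in the screenshot does by hand. The five-line excerpt is constructed for the example.

```python
import re

# script.db is a Lua table, one "Entry { ... }" per line, e.g.
#   Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"(?P<filename>[^"]+)"\s*,'
    r'\s*categories\s*=\s*\{(?P<cats>[^}]*)\}'
)

def parse_script_db(text: str) -> dict:
    """Return {script name without .nse: set of categories} for every Entry line."""
    scripts = {}
    for m in ENTRY_RE.finditer(text):
        name = m.group("filename").removesuffix(".nse")
        scripts[name] = set(re.findall(r'"([^"]+)"', m.group("cats")))
    return scripts

def find_scripts(db: dict, keyword: str = "", category: str = "") -> list:
    """Like grepping script.db: match a substring of the name and/or one category."""
    return sorted(
        name for name, cats in db.items()
        if keyword in name and (not category or category in cats)
    )

# Constructed excerpt in the real file's format.
SAMPLE_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
"""

if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    print("http scripts:", find_scripts(db, keyword="http"))
    print("safe scripts:", find_scripts(db, category="safe"))
```

On a real system, replace SAMPLE_DB with the contents of /usr/share/nmap/scripts/script.db.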

Installing new NSE Scripts

The Nmap website lists all scripts, but what happens if one or more are missing from our installation? You can fix it with sudo apt update && sudo apt install nmap.

But we can also download a script manually with the (long) command:

sudo wget -O /usr/share/nmap/scripts/<SCRIPT_NAME>.nse https://svn.nmap.org/nmap/scripts/<SCRIPT_NAME>.nse

After installing new scripts, update your database with nmap --script-updatedb, which updates script.db.

Firewall evasion

We have tried to bypass firewalls with Stealth (SYN) scans, along with NULL, FIN, and Xmas scans. But there is another common firewall configuration that we should know how to bypass.

The Windows firewall blocks all ICMP packets by default. This makes Nmap register the host as dead and skip any further scans.

We can get around this with the -Pn switch, which tells Nmap not to bother pinging the host before scanning it. This treats all hosts as alive, bypassing the ICMP block. As you can guess, this makes our scans super slow, as Nmap will check and double-check every port.

Other options we have are:

  • -f: Fragments the packets, making them smaller and less likely to be detected by a firewall or IDS.
  • --mtu <NUMBER>: Similar to -f, but lets us set the size of the fragments (it must be a multiple of 8).
  • --scan-delay <TIME>ms: Adds a delay between the packets sent, making our scans less aggressive and making it easier to evade any time-based defence.
  • --badsum: Generates an invalid checksum for the packets. Firewalls/IDS may respond automatically without checking the checksum, which reveals their existence.

Here are more ways to evade Firewalls/IDS and spoofing.

Summary

Today we scanned:

  • An overview of what Nmap is and does.
  • TCP connect scans.
  • SYN scans.
  • UDP scans.
  • NULL, FIN and Xmas scans.
  • ICMP Network scanning.
  • How to add, list and use NSE scripts.
  • Firewall evasion.

Stats

From 57,820th to 54,784th.

Here is also the Skill Matrix:

Skills Matrix

Resources

Series: Pentesting tools

TryHackMe: Nmap

Other resources

Nmap switches Cheat Sheet
TCP connect scans
SYN scans
UDP scans
NULL scans
NSE Usage
List of all official NSE scripts
How to evade Firewalls/IDS and spoofing