NMAP – Intermediate/Advanced

The snippet pretty much says it all. Im gunna go over many nmap options and essentially say what they are good for. In the interest of keeping similar-in-purpose commands together, they will be divided by purpose. Although it will ultimately be up to the reader to string together final commands. And for the sake of my sanity the nmap scripts will NOT be covered o.o waaaay too many involving other concepts to delve into. And yes much of this can be gathered from the man pages, but if you are interested in this article in the first place, you probably don’t want to read the man pages for some reason. That and they are not very terse(terse man pages tend to be a Bad Thing).

So here’s Nmap straight from my grimoire:

Target and output:

-h : lists common options and cleanly states the target input and output options, not much else needs to be said.

Host Discover:

-n : no DNS resolutions. This dramatically speeds up scans and makes sure your IP isn’t logged in the DNS server(cause youre not touching it). Always use it whenever you do not need to know the domain name or anything of the target(cause you know it)

-R :Reverse resolution against all targets, good to make sure you are getting the domain name/hoster of the target.

–dns-servers server :Choose an alternate DNS server for server. This is great for controlling where your requests are going to and with the right DNS server you can get the needed info while leaving a trace that the target doesn’t have access to.

-sL : the list scan. This doesn’t even touch any of the targets but lists them. The best purpose with this is for preforming DNS resolution or reverse resolution, allowing you to uncover potentially useful domain listings against a network, regardless if it is up or not(or blocking scans).

-sP :the classic ping sweep, no port scan, sends ICMP echo and an Ack to port 80

-PS : ‘ping’ the target with a SYN to port 80, often more reliable then the typical ping sweep and you can specify a specific port(such as a common port used by a specific OS 🙂 ) as part of the option like -PS139 will ping port 139.

-PA :exactly the same as above but sends an Ack instead and thereby MAY not be blocked where the others are.

-PU :Once again like above but sends a UDP packet instead. Most reliable against a closed port so high random port numbers are more ideal. Only useful if TCP is the only thing being screened.

-PY: the SCTP ping. It is a new scan similar to the TCP SYN scan but uses the SCTP protocol instead of the TCP or UDP protocol. I havn’t heard much about it but I assume that many firewalls currently would not block it. Im not sure how common support for this protocol exists and if anyone knows I’d love to be informed since it could raise the value of this significantly 🙂

-PE :Sends an echo request, unreliable.

-PP :time-stamp request and sometimes neglected by firewalls

-PM : netmask request, also sometimes neglected.

-PR : The arp scan, used only on LANs and is faster and automatically used when applicable. Almost unblock-able but it’s generally a good idea to spoof your MAC first…

–reason : specifies why the host is determined to be up

Port Scanning:

-PN :don’t ping, just scan away. Great if only ping scans are being blocked and you know the target is up or for shaving off time running a scan against a target you know is up.

-p :selects specific ports to scan.

-F : scan only the most common of ports (for quicker scans against many targets)

-sS :the default SYN scan. It can be pretty fast but sends a RST packet to tear down connections, which can reveal your IP, hence why of the moment it is not a good idea to use with TOR or proxychains. If this has recently changed or a workaround has been found, let me know 🙂 otherwise use the next option…

-sT: full connect scan. Actually establishes a connection to the remote port. Incredibly slow but TOR and proxychain friendly.

-sU : the UDP scan. Its great because many people forget about UDP but it is excruciatingly slow and it’s a good idea to restrict scans to common UDP ports.

-sF :sends a FIN packet, works against some firewalls but cant tell between open and filtered states.

-sA :the ACK scan. works against some firewalls but can only tell the difference between filtered and unfiltered ports. Comparing this result with a FIN scan result can be rewarding.

-sN :null scan. Sends a pac
ket with no flags, not very effective.

-sX :Christmas tree scan, sets FIN,PSH, and URG flags on 
the packet, not very effective.

-sW : Windows scan, similar to the ACK scan but interprets results based on the window value of RST packets. Not very effective

-sM : Maimon scan. FIN/ACK flags, not very effective and only effects some BSD machines.

–scanflags flags : makes a custom port scan with specified flags. SYNFIN tends to be a good option cause it will go through some firewalls but give the same results of a SYN scan.

-sI zombieIP:the zombie/idle scan. Most stealthy but very slow. It detects ports by sending a SYN packet with a source address of the zombieIP and then polling the zombieIP’s IPID for specific changes. Simple devices(like yes a reachable printer or kiosk), those close to you or the target, and devices receiving little traffic are the best candidates, but the process of finding a good zombie can be slow. Use -O and -v on a potential zombie will show it’s IPID sequence. Incremental or broken little-endian incremental are ideal. Make sure you use -PN!!! Otherwise you will ping the target first and that pretty much is a dead giveaway that ruins the stealth of the scan.

-sO :the IP protocol scan. It detects not ports, but what protocols a target understands which pretty much any of them can be potentially exploitable. Uses -p to specify a protocol by it’s number or -F to scan all of them.

-b ftpIP : the FTP bounce scan. Not as useful anymore but occasionally it works. It proxies a SYN scan through specified ftpIP which can be specified as username:password@ftpIP:port 

-sY :The SCTP scan equivalent to the SYN scan. 

-sZ : sends an SCTP cookie echo. It pretty much acts like a FIN scan result wise.

-sV : Runs version checks against open ports. Blows away stealth.

-O : tries to identify the OS through many checks. Blows away stealth

Dealing with firewalls:

Ack and Fin scans have a reputation of beating weak firewalls. And UDP can be often overlooked. The zombie scan has the bonus of abusing IP trust relationships. Using -n or using certain DNS servers can be helpful.

-g port :sets the source port for the outgoing packets. Sometimes firewalls are configured to let certain source ports through to allow certain resources. Good ones tend to be 88,53,30 and for UDP 67 and 5353

-6 :use IPv6. last I checked only works with a connect scan but sometimes it can be trickier to block.

-f :fragment’s packets. more fs the more heavily fragmented. This can beat some IDSes

–scan-delay 1155: waits 15 seconds between scans to slow things down and not trigger some IDS alarms.

–randomize-hosts :scan targets in a random order.

–data-length X :fills the packets with random data X bytes. It can slow scan time down slightly but it is less obvious.

-D ip,ip,ip :Sends decoy scans from the given ip addresses. Not good with versioning.

–badsum : uses a bad checksum on packets. Hosts shouldn’t reply to them but sometimes routers will.


——————–

Notes: This is by no means complete. It is designed for the amateur port scanner cut down on stupid scans by giving a manageable summary of various important options and why they are used. Please correct me of any possible errors 🙂
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s