Scan Types

TCP Connect Scans -sT

  • based on TCP three way handshake
    1. Client –> SYN –> Server
    2. Client <– SYN/ACK <– Server
    3. Client –> ACK –> Server
  • determines if service is open based on response
    • closed: target responds with a RST (reset) flag
    • open: target responds with a SYN/ACK flag

SYN Scans -sS

  • also referred to as half open, or stealth scan
  • doesn't complete the tcp three way handshake; instead the client sends RST after the SYN/ACK from the server
    1. Client –> SYN –> Server
    2. Client <– SYN/ACK <– Server
    3. Client –> RST –> Server
  • advantages
    • can bypass older intrusion detection systems
    • often not logged by the listening application, since the most common practice is to only log after a successful connection
    • faster than completing handshake
  • disadvantages
    • requires sudo (root privileges)
    • unstable services can be taken down by this
  • default scan method in nmap if run as sudo

UDP Scans -sU

  • udp connections are stateless
  • relies on sending a packet to the target port and hoping for a response
  • most packets get no response, so nmap reports the port as open|filtered
    • meaning the port might be open, but a firewall could also be blocking the probe
    • if there is a response, the port is open
  • when a packet is sent to a closed port, the target should respond with an ICMP packet containing a port unreachable message
  • very slow, so use it in combination with --top-ports <number>

NULL -sN , FIN -sF and Xmas -sX

  • null scan
    • tcp request with no flags
    • target should respond with RST if port is closed
  • fin scan
    • tcp request with FIN flag
    • target should respond with RST if port is closed
  • xmas scan
    • malformed tcp request
    • target should respond with RST if port is closed
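
The response rules above for SYN, NULL/FIN/Xmas and UDP probes, worked through as an added example (not part of the original notes or of nmap). A toy target answers each probe the way the notes describe, a stateless firewall silently drops probes to some ports, and the scanner-side rule turns every answer (or silence) into the state nmap reports. The port numbers, listener sets and filtered ports are constructed for the demo; running it shows why a dropped SYN probe reads as "filtered" while a dropped NULL or UDP probe can only read as "open|filtered".

```python
"""Simulated port-state inference for the scan types in the notes.

Added example, not part of the original notes or of nmap: a toy target
that answers probes the way the notes describe, a firewall that silently
drops some probes, and the scanner-side rule that turns each answer into
the state nmap reports (open, closed, filtered, open|filtered). The port
numbers, listener sets and filtered ports are constructed for the demo.
"""
from typing import Dict, Iterable, Optional

# Constructed target configuration (assumptions for the demo).
OPEN_TCP = {22, 80}          # TCP listeners
OPEN_UDP = {53, 161}         # UDP listeners
UDP_ANSWERS = {161}          # UDP listeners that reply to an unsolicited probe
FILTERED = {443}             # firewall drops probes to these ports silently

SYN_SCANS = ("-sT", "-sS")
NOSYN_SCANS = ("-sN", "-sF", "-sX")


def target_reply(scan_type: str, port: int) -> Optional[str]:
    """Target/network side: the reply to one probe, or None for silence."""
    if port in FILTERED:
        return None                                  # dropped by the firewall
    if scan_type in SYN_SCANS:                       # probe carries SYN
        return "SYN/ACK" if port in OPEN_TCP else "RST"
    if scan_type in NOSYN_SCANS:                     # NULL, FIN, Xmas: closed ports RST,
        return None if port in OPEN_TCP else "RST"   # open ports ignore the probe
    if scan_type == "-sU":
        if port not in OPEN_UDP:
            return "ICMP port unreachable"           # the "ping packet" in the notes
        return "UDP payload" if port in UDP_ANSWERS else None
    raise ValueError(f"unknown scan type {scan_type}")


def infer_state(scan_type: str, reply: Optional[str]) -> str:
    """Scanner side: map a reply (or silence) to the state nmap would print."""
    if scan_type in SYN_SCANS:
        if reply == "SYN/ACK":
            return "open"
        if reply == "RST":
            return "closed"
        return "filtered"            # a SYN always provokes an answer, so silence means a filter
    if scan_type in NOSYN_SCANS or scan_type == "-sU":
        if reply in ("RST", "ICMP port unreachable"):
            return "closed"
        if reply is not None:
            return "open"            # an actual UDP reply proves a listener
        return "open|filtered"       # silence is ambiguous: open port or dropped probe
    raise ValueError(f"unknown scan type {scan_type}")


def run_scan(scan_type: str, ports: Iterable[int]) -> Dict[int, str]:
    """Run both halves against every port and collect the reported states."""
    return {p: infer_state(scan_type, target_reply(scan_type, p)) for p in ports}


if __name__ == "__main__":
    for st in ("-sS", "-sN", "-sU"):
        print(st, run_scan(st, [22, 53, 161, 443, 8080]))
```

The simulation deliberately models only the response logic: -sT and -sS differ in whether the client finishes the handshake, not in how the port state is read, so they share a rule here. Port 443 comes back "filtered" under -sS but "open|filtered" under -sN and -sU, which is exactly the ambiguity the notes describe.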

ICMP Network Scanning -sn

  • ping sweep
  • scans for hosts that are up in a range of ip addresses
  • nmap -sn <addr range in cidr>

NSE Scripts

Overview

  • nmap scripting engine
  • written in Lua
  • useful categories
    • safe: won't affect the target
    • intrusive: not safe, likely to affect target
    • vuln: scan for vulnerabilities
    • exploit: attempt to exploit vulnerability
    • auth: attempt to bypass authentication for services
    • brute: attempt to bruteforce credentials for service
    • discovery: attempts to query running services for further information about the network

Searching for Scripts

  • list of official scripts https://nmap.org/nsedoc/
  • grep the file /usr/share/nmap/scripts/script.db
  • or ls the path /usr/share/nmap/scripts
  • install new scripts by copying them to the scripts folder, then update the db using nmap --script-updatedb
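
The grep over script.db described above, done as an added example (not part of the original notes or of nmap): a small parser for the `Entry { filename = "...", categories = { "...", } }` lines that script.db contains, a category filter, and a check that a script is tagged safe and not intrusive. The four entries in SAMPLE_DB are constructed for the demo and are not real nmap script names; load_script_db reads the real file at the path from the notes.

```python
"""Filter nmap NSE scripts by category using script.db.

Added example, not part of the original notes or of nmap: a parser for
the Entry lines in /usr/share/nmap/scripts/script.db plus the category
checks the notes describe. The entries in SAMPLE_DB are constructed for
the demo; the script names are not real nmap scripts.
"""
import re
from pathlib import Path
from typing import Dict, List, Set

# One script.db entry per line: filename plus a Lua table of category strings.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}'
)

# Constructed sample (assumption for the demo; not real script names).
SAMPLE_DB = """\
Entry { filename = "demo-http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "demo-ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "demo-tls-check.nse", categories = { "vuln", "safe", } }
Entry { filename = "demo-exploit.nse", categories = { "exploit", "intrusive", "vuln", } }
"""


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to its set of categories."""
    scripts: Dict[str, Set[str]] = {}
    for match in ENTRY_RE.finditer(text):
        categories = set(re.findall(r'"([^"]+)"', match.group(2)))
        scripts[match.group(1)] = categories
    return scripts


def scripts_in_category(db: Dict[str, Set[str]], category: str) -> List[str]:
    """Equivalent of grepping script.db for one category, sorted by name."""
    return sorted(name for name, cats in db.items() if category in cats)


def safe_to_run(db: Dict[str, Set[str]], name: str) -> bool:
    """True only for scripts tagged safe and not intrusive (the notes' definitions)."""
    cats = db.get(name, set())
    return "safe" in cats and "intrusive" not in cats


def load_script_db(path: str = "/usr/share/nmap/scripts/script.db") -> Dict[str, Set[str]]:
    """Parse the real database; the default path is the one from the notes."""
    return parse_script_db(Path(path).read_text())


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    print("vuln scripts:", scripts_in_category(db, "vuln"))
    print("safe to run:", [n for n in db if safe_to_run(db, n)])
```

Checking the categories this way before running a script is the practical use of the safe/intrusive split: a script can be in vuln and still be safe, while anything tagged intrusive, brute or exploit is expected to affect the target.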

Firewall Evasion

  • get around blocking of icmp packets
    • -Pn: don't ping hosts before scanning
    • without it, hosts that don't answer the ping are treated as down and skipped
    • could use an ARP request to determine host activity
  • more switches https://nmap.org/book/man-bypass-firewalls-ids.html
    • -f to split packet into smaller pieces
    • --mtu <number> maximum transmission size for packets sent, must be multiple of 8
    • --scan-delay <time>ms delay between packets sent
    • --badsum generate invalid checksum for packet
Last modified 2023.11.09