Posts Tagged ‘Nmap’

nmap

Nmap is a powerful network scanner used to identify systems and services. nmap was originally developed with network security in mind, it is a tool that was designed to find vulnerabilities within a network. nmap is more than just a simple port scanner though, you can use nmap to find specific versions of services, certain OS types, or even find that pesky printer someone put on your network without telling you.

nmap can be used for good and for evil, today we will cover some common situations where nmap makes life easier for sysadmins which is generally good. Even if some Sysadmins are evil…

Discover IP’s in a subnet (no root)

 $ nmap -sP 192.168.0.0/24
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:12 GMT
 Nmap scan report for 192.168.0.1
 Host is up (0.0013s latency).
 Nmap scan report for 192.168.0.92
 Host is up (0.0032s latency).
 Nmap scan report for 192.168.0.113
 Host is up (0.0011s latency).

This is one of the simplest uses of nmap. This command is commonly refereed to as a “ping scan”, and tells nmap to send an icmp echo request, TCP SYN to port 443, TCP ACK to port 80 and icmp timestamp request to all hosts in the specified subnet. nmap will simply return a list of ip’s that responded. Unlike many nmap commands this particular one does not require root privileges, however when executed by root nmap will also by default send arp requests to the subnet.

Scan for open ports (no root)

 $ nmap 192.168.0.0/24
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:20 GMT
Nmap scan report for 192.168.0.1 Host is up (0.0043s latency). Not shown: 998 closed ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 

This scan is the default scan for nmap and can take some time to generate. With this scan nmap will attempt a TCP SYN connection to 1000 of the most common ports as well as an icmp echo request to determine if a host is up. nmap will also perform a DNS reverse lookup on the identified ip’s as this can sometimes be useful information.

Identify the Operating System of a host (requires root)

 # nmap -O 192.168.0.164
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:35 GMT
 Nmap scan report for 192.168.0.112
 Host is up (0.00032s latency).
 Not shown: 996 closed ports
 PORT STATE SERVICE
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp
 MAC Address: 00:00:00:00:00:00 (Unknown)
 Device type: general purpose
 Running: Apple Mac OS X 10.5.X
 OS details: Apple Mac OS X 10.5 - 10.6 (Leopard - Snow Leopard) (Darwin 9.0.0b5 - 10.0.0)
 Network Distance: 1 hop

With the -O option nmap will try to guess the targets operating system. This is accomplished by utilizing information that nmap is already getting through the TCP SYN port scan. This is usually a best guess but can actually be fairly accurate. The operating system scan however does require root privileges.

Identify Hostnames (no root)

 $ nmap -sL 192.168.0.0/24
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:35 GMT
 Nmap scan report for 192.168.0.0
 Nmap scan report for router.local (192.168.0.1)
 Nmap scan report for fake.local (192.168.0.2)
 Nmap scan report for another.fake.local (192.168.0.3)

This is one of the most subtle commands of nmap, the -sL flag tells nmap to do a simple DNS query for the specified ip. This allows you to find hostnames for all of the ip’s in a subnet without having send a packet to the individual hosts themselves.

Hostname information can tell you a lot more about a network than you would think, for instance if you labeled your Active Directory Servers with ads01.domain.com you shouldn’t be surprised if someone guesses its use.

TCP Syn and UDP Scan (requires root)

 # nmap -sS -sU -PN 192.168.0.164
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:12 GMT
 Nmap scan report for 192.168.0.112
 Host is up (0.00029s latency).
 Not shown: 1494 closed ports, 496 filtered ports
 PORT STATE SERVICE
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp
 88/udp open|filtered kerberos-sec
 123/udp open ntp
 137/udp open netbios-ns
 138/udp open|filtered netbios-dgm
 631/udp open|filtered ipp
 5353/udp open zeroconf

The TCP SYN and UDP scan will take a while to generate but is fairly unobtrusive and stealthy. This command will check about 2000 common tcp and udp ports to see if they are responding. When you use the -Pn flag this tells nmap to skip the ping scan and assume the host is up. This can be useful when there is a firewall that might be preventing icmp replies.

TCP SYN and UDP scan for all ports (requires root)

 # nmap -sS -sU -PN -p 1-65535 192.168.0.164
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:36 GMT
 Nmap scan report for 192.168.0.112
 Host is up (0.00021s latency).
 Not shown: 131051 closed ports
 PORT STATE SERVICE
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp
 17500/tcp open unknown
 88/udp open|filtered kerberos-sec
 123/udp open ntp
 137/udp open netbios-ns
 138/udp open|filtered netbios-dgm
 631/udp open|filtered ipp
 5353/udp open zeroconf
 17500/udp open|filtered unknown
 51657/udp open|filtered unknown
 54658/udp open|filtered unknown
 57798/udp open|filtered unknown
 58488/udp open|filtered unknown
 60027/udp open|filtered unknown

This command is the same as above however by specifying the full port range from 1 to 65535 nmap will scan to see if the host is listening on all available ports. You can use the port range specification on any scan that performs a port scan.

TCP Connect Scan (no root)

 $ nmap -sT 192.168.0.164
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:40 GMT
 Nmap scan report for 192.168.0.112
 Host is up (0.0015s latency).
 Not shown: 964 closed ports, 32 filtered ports
 PORT STATE SERVICE
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp

This command is similar to the TCP SYN scan however rather than sending a SYN packet and reviewing the headers it will ask the OS to establish a TCP connection to the 1000 common ports.

Aggressively Scan Hosts (no root)

 $ nmap -T4 -A 192.168.0.0/24
 Nmap scan report for 192.168.0.67
 Host is up (0.00060s latency).
 Not shown: 996 closed ports
 PORT STATE SERVICE VERSION
 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
 | ssh-hostkey: 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (DSA)
 |_2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (RSA)
 80/tcp open http nginx 1.1.19
 |_http-title: 403 Forbidden
 |_http-methods: No Allow or Public header in OPTIONS response (status code 405)
 111/tcp open rpcbind
 | rpcinfo:
 | program version port/proto service
 | 100000 2,3,4 111/tcp rpcbind
 | 100000 2,3,4 111/udp rpcbind
 | 100003 2,3,4 2049/tcp nfs
 | 100003 2,3,4 2049/udp nfs
 | 100005 1,2,3 46448/tcp mountd
 | 100005 1,2,3 52408/udp mountd
 | 100021 1,3,4 35394/udp nlockmgr
 | 100021 1,3,4 57150/tcp nlockmgr
 | 100024 1 49363/tcp status
 | 100024 1 51515/udp status
 | 100227 2,3 2049/tcp nfs_acl
 |_ 100227 2,3 2049/udp nfs_acl
 2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
 Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Unlike some of the earlier commands this command is very aggressive and very obtrusive. The -A simply tells nmap to perform OS checking and version checking. The -T4 is for the speed template, these templates are what tells nmap how quickly to perform the scan. The speed template ranges from 0 for slow and stealthy to 5 for fast and obvious.

Fast Scan (no root)

 $ nmap -T4 -F 192.168.0.138
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:48 GMT
 Nmap scan report for 192.168.0.112
 Host is up (0.00047s latency).
 Not shown: 96 closed ports
 PORT STATE SERVICE
 88/tcp open kerberos-sec
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 631/tcp open ipp

This scan limits the scan to the most common 100 ports, if you simply want to know some potential hosts with ports open that shouldn’t be this is a quick and dirty command to use.

Verbose

 $ nmap -T4 -A -v 192.168.0.164
 Starting Nmap 7.30 ( http://nmap.org ) at 2016-10-12 21:50 GMT
 NSE: Loaded 93 scripts for scanning.
 NSE: Script Pre-scanning.
 Initiating Ping Scan at 21:50
 Scanning 192.168.0.164 [2 ports]
 Completed Ping Scan at 21:50, 0.00s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 21:50
 Completed Parallel DNS resolution of 1 host. at 21:50, 0.01s elapsed
 Initiating Connect Scan at 21:50
 Scanning 192.168.0.187 [1000 ports]
 Discovered open port 139/tcp on 192.168.0.164
 Discovered open port 445/tcp on 192.168.0.164
 Discovered open port 88/tcp on 192.168.0.164
 Discovered open port 631/tcp on 192.168.0.164
 Completed Connect Scan at 21:50, 5.22s elapsed (1000 total ports)
 Initiating Service scan at 21:50
 Scanning 4 services on 192.168.0.164
 Completed Service scan at 21:51, 11.00s elapsed (4 services on 1 host)
 NSE: Script scanning 192.168.0.164.
 Initiating NSE at 21:51
 Completed NSE at 21:51, 12.11s elapsed
 Nmap scan report for 192.168.0.164
 Host is up (0.00026s latency).
 Not shown: 996 closed ports
 PORT STATE SERVICE VERSION
 88/tcp open kerberos-sec Mac OS X kerberos-sec
 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
 631/tcp open ipp CUPS 1.4
 | http-methods: GET HEAD OPTIONS POST PUT
 | Potentially risky methods: PUT
 |_See http://nmap.org/nsedoc/scripts/http-methods.html
 | http-robots.txt: 1 disallowed entry
 |_/
 Service Info: OS: Mac OS X; CPE: cpe:/o:apple:mac_os_x

By adding verbose to a majority of the commands above you get a better insight into what nmap is doing; for some scans verbosity will provide additional details that the report does not provide.
While these are 10 very useful nmap commands I am sure there are some more handy nmap examples out there. If you have one to add to this list feel free to drop it into a comment.

Performing a nMap Scan

tv - programer

When working on an app or a code, you may often need some reference material that’s where cheatsheets become very useful.

Here we present to you with an A-Z of cheatsheets that are relevant to programmers and developers. It doesn’t cover all languages or databases, but you’ll find most of what you need. If there’s anything missing, feel free to let us know so we can do better.

1. Asynchronous JavaScript And XML (AJAX): This is a group of interrelated web development techniques that are used to create asynchronous web applications on the client side.

2. Apache: If you’re using the Apache HTTP server then this cheat sheet is just what you would need in front of you.

3. Apache Ant: This java library and command line tool is used for automating software build processes.

4. Apache Cassandra: The open source distributed database management system is often the first pick when scalability is a concern.

5. American Standard Code for Information Interchange (ASCII): The most common character encoding scheme.

6. Berkeley DB: Oracle’s Berkeley DB is a fast and reliable option chosen by many developers.

7. Blueprint: This is a cheatsheet on the popular CSS framework/

8. C: In many ways it is the father of some of the most popular programming languages.

9. C#: A cheatsheet on C# never goes to waste. Most programmers learn the language and a cheatsheet always helps.

10. C++: One of the most useful programming languages ever. It is a must learn language for programmers.

11. Calculus and Analysis: Programmers and developers often need to have a good grasp on calculus and analysis in order to build certain types of apps.

12. Clojure: One of the most popular languages running on the Java Virtual Machine.

13. CSS: Cascading Style Sheets along with HTML is the language of the internet.

14. Debian: A cheatsheet on one of the most popular Linux-based distributions.

15. Django: Written in Python, this is an open source web application framework used by many.

16. DOM – Document Object Model: This is the convention used for interacting with objects in XHTML, XML and HTML.

17. Drupal: The open source content management system is highly popular amongst developers/

18. Eclipse: One of the most popular IDEs, used almost everywhere today.

19. Fedora: One of the big daddies from amongst the Linux-based distributions.

20. Firebug: The web development add-on for Mozilla’s Firefox has turned quite a few heads.

21. Git: It doesn’t matter whether you support open source or not, Git needs no introduction.

22. Groovy: This is another programming language that runs on the Java Virtual Machine.

23. Hadoop: Big Data is the future and hence, so is Hadoop.

24. Haskell: This is an open source functional programming language.

25. HTML: Use the Hypertext Markup Language to create your own website.

26. Java: The inescapable language for programmers and developers.

27. JavaScript: The scripting language for the web.

28. jQuery: A feature rich JavaScript library.

29. Linux: Command line tips that Linux users will find useful.

30. Mac OS X: This is a keyboard cheatsheets for Apple’s Mac OS X users.

31. Mathematica: The Wolfram Mathematica is considered to be a very powerful system.

32. MATLAB: This is a high-level technical computing language and interactive environment.

33. MySQL: Some have been losing fait over MySQL, but the database still goes strong.

34. NMAP: You hackers know what this is don’t you?

35. Node.js: This is the pick of the lot for building scalable web

36. Oracle: This is a reference cheat sheet for Oracle’s SQL.

37. Perl: The popular programming language is used in a variety of places.

38. PHP: Not much needs to be said about PHP.

39. PostgreSQL: This is often used as an alternative for MySQL.

40. Python: One of the most popular programming languages available today. It is used in everything from game programming to hacking.

41. Ruby: Another popular programming platform used by many across the globe.

42. Ruby on Rails: This is an open source framework that runs on Ruby.

43. Scala: This is an object-functional programming and scripting language running on the JVM.

44. Shell script

45. SQL – Structured Query Language: The programming language used to manage data stored in relational database systems.

46. SQLite: This is the relational database management system that is held in a C programming library.

47. Ubuntu: Linux for humans. It may be so, but a cheatsheet is still useful.

48. Unicode: This is the standard for encoding in the world of computers.

49. Unix: A cheatsheet for working on the Unix command line.

50. WordPress: The content management system has grown in popularity over time.

51. XHTML: This is an XML markup language. It stands for Extensible HTML.

52. XML: XML stands for Extensible Markup Language and is used by many.

53. .NET: This framework from Microsoft runs primarily on Windows and there is a debate about whether it is open source or not.

 

tv-300x2241

 

The de-facto standard in network scanning for many years has been Nmap. Nmap is universally supported by Linux and Windows alike and is free to download > Download Nmap

The only thing I have found is that there are so many commands it makes it difficult to remember what to enter, so here is a quick guide for fast scanning, Also I have created it in a PDF for easy reference > Caintech.co.uk Nmap Cheat

Basic Scanning Techniques

Scan a single target —> nmap [target]

Scan multiple targets —> nmap [target1,target2,etc]

Scan a list of targets —-> nmap -iL [list.txt]

Scan a range of hosts —-> nmap [range of IP addresses]

Scan an entire subnet —-> nmap [IP address/cdir]

Scan random hosts —-> nmap -iR [number]

Excluding targets from a scan —> nmap [targets] –exclude [targets]

Excluding targets using a list —> nmap [targets] –excludefile [list.txt]

Perform an aggressive scan —> nmap -A [target]

Scan an IPv6 target —> nmap -6 [target]

Discovery Options

Perform a ping scan only —> nmap -sP [target]

Don’t ping —> nmap -PN [target]

TCP SYN Ping —> nmap -PS [target]

TCP ACK ping —-> nmap -PA [target]

UDP ping —-> nmap -PU [target]

SCTP Init Ping —> nmap -PY [target]

ICMP echo ping —-> nmap -PE [target]

ICMP Timestamp ping —> nmap -PP [target]

ICMP address mask ping —> nmap -PM [target]

IP protocol ping —-> nmap -PO [target]

ARP ping —> nmap -PR [target]

Traceroute —> nmap –traceroute [target]

Force reverse DNS resolution —> nmap -R [target]

Disable reverse DNS resolution —> nmap -n [target]

Alternative DNS lookup —> nmap –system-dns [target]

Manually specify DNS servers —> nmap –dns-servers [servers] [target]

Create a host list —-> nmap -sL [targets]

Advanced Scanning Options

TCP SYN Scan —> nmap -sS [target]

TCP connect scan —-> nmap -sT [target]

UDP scan —-> nmap -sU [target]

TCP Null scan —-> nmap -sN [target]

TCP Fin scan —> nmap -sF [target]

Xmas scan —-> nmap -sX [target]

TCP ACK scan —> nmap -sA [target]

Custom TCP scan —-> nmap –scanflags [flags] [target]

IP protocol scan —-> nmap -sO [target]

Send Raw Ethernet packets —-> nmap –send-eth [target]

Send IP packets —-> nmap –send-ip [target]

Port Scanning Options

Perform a fast scan —> nmap -F [target]

Scan specific ports —-> nmap -p [ports] [target]

Scan ports by name —-> nmap -p [port name] [target]

Scan ports by protocol —-> nmap -sU -sT -p U:[ports],T:[ports] [target]

Scan all ports —-> nmap -p “*” [target]

Scan top ports —–> nmap –top-ports [number] [target]

Perform a sequential port scan —-> nmap -r [target]

Version Detection

Operating system detection —-> nmap -O [target]

Submit TCP/IP Fingerprints —-> http://www.nmap.org/submit/

Attempt to guess an unknown —-> nmap -O –osscan-guess [target]

Service version detection —-> nmap -sV [target]

Troubleshooting version scans —-> nmap -sV –version-trace [target]

Perform a RPC scan —-> nmap -sR [target]

Timing Options

Timing Templates —-> nmap -T [0-5] [target]

Set the packet TTL —-> nmap –ttl [time] [target]

Minimum of parallel connections —-> nmap –min-parallelism [number] [target]

Maximum of parallel connection —-> nmap –max-parallelism [number] [target]

Minimum host group size —–> nmap –min-hostgroup [number] [targets]

Maximum host group size —-> nmap –max-hostgroup [number] [targets]

Maximum RTT timeout —–> nmap –initial-rtt-timeout [time] [target]

Initial RTT timeout —-> nmap –max-rtt-timeout [TTL] [target]

Maximum retries —-> nmap –max-retries [number] [target]

Host timeout —-> nmap –host-timeout [time] [target]

Minimum Scan delay —-> nmap –scan-delay [time] [target]

Maximum scan delay —-> nmap –max-scan-delay [time] [target]

Minimum packet rate —-> nmap –min-rate [number] [target]

Maximum packet rate —-> nmap –max-rate [number] [target]

Defeat reset rate limits —-> nmap –defeat-rst-ratelimit [target]

Firewall Evasion Techniques

Fragment packets —-> nmap -f [target]

Specify a specific MTU —-> nmap –mtu [MTU] [target]

Use a decoy —-> nmap -D RND: [number] [target]

Idle zombie scan —> nmap -sI [zombie] [target]

Manually specify a source port —-> nmap –source-port [port] [target]

Append random data —-> nmap –data-length [size] [target]

Randomize target scan order —-> nmap –randomize-hosts [target]

Spoof MAC Address —-> nmap –spoof-mac [MAC|0|vendor] [target]

Send bad checksums —-> nmap –badsum [target]

Output Options

Save output to a text file —-> nmap -oN [scan.txt] [target]

Save output to a xml file —> nmap -oX [scan.xml] [target]

Grepable output —-> nmap -oG [scan.txt] [target]

Output all supported file types —-> nmap -oA [path/filename] [target]

Periodically display statistics —-> nmap –stats-every [time] [target]

133t output —-> nmap -oS [scan.txt] [target]

Troubleshooting and debugging

Help —> nmap -h

Display Nmap version —-> nmap -V

Verbose output —-> nmap -v [target]

Debugging —-> nmap -d [target]

Display port state reason —-> nmap –reason [target]

Only display open ports —-> nmap –open [target]

Trace packets —> nmap –packet-trace [target]

Display host networking —> nmap –iflist

Specify a network interface —> nmap -e [interface] [target]

Nmap Scripting Engine

Execute individual scripts —> nmap –script [script.nse] [target]

Execute multiple scripts —-> nmap –script [expression] [target]

Script categories —-> all, auth, default, discovery, external, intrusive, malware, safe, vuln

Execute scripts by category —-> nmap –script [category] [target]

Execute multiple scripts categories —-> nmap –script [category1,category2, etc]

Troubleshoot scripts —-> nmap –script [script] –script-trace [target]

Update the script database —-> nmap –script-updatedb

Ndiff

Comparison using Ndiff —-> ndiff [scan1.xml] [scan2.xml]

Ndiff verbose mode —-> ndiff -v [scan1.xml] [scan2.xml]

XML output mode —-> ndiff –xml [scan1.xm] [scan2.xml]

For more excellent FREE security training visit >

http://learnnetsec.com 

http://www.youtube.com/user/NetSecNow