Nmap will find you

Asphyxia

Apr 25, 2015
An awesome WordPress blog showcases scanning and enumeration for a red team engagement.

This post is strictly for educational use only and sources above are utilized - do not misuse information within; GET CONSENT BEFORE TOUCHING SOMEONE ELSE'S NETWORK INAPPROPRIATELY. Think of a network like an advanced messenger pigeon, do not get weird with the bird unless you are a veterinarian with permission or you are a network/systems security engineer with consent (signatures are smart) to perform your assessment.

Why does this matter?

Businesses are attacked through their networks and systems. Attackers, and even automated bots, scan for open ports and services and then attempt automatic exploitation to gain access, launch further attacks, and much more.

Well-known tools like Nmap and Nessus have automated the port scanning process. Nmap is an open-source tool used to discover hosts and services on a computer network, thus building a "map" of the network.

If you are looking to become a Certified Ethical Hacker, you will study scanning and enumeration. Port scanning simply determines open ports and services; Nmap and Zmap are the most popular free solutions.

Some techniques for port scanning:
  • Address Resolution Protocol (ARP) - In this technique, a series of ARP broadcasts is sent, and the value of the target IP address field is incremented in each broadcast packet to discover active devices on the local network segment. This scan helps us map out the entire local network.
  • Vanilla TCP connect - This is the basic scanning technique that uses the operating system's connect() system call to open a connection to every port that is available.
  • TCP SYN (Half Open) - SYN scanning is a technique that a malicious hacker uses to determine the state of a communications port without establishing a full connection. These scans are called half open because the attacking system doesn't close the open connections.
  • TCP FIN - This scan can remain undetected through most firewalls, packet filters, and other scan detection programs. It sends FIN packets to the targeted system and prepares a report from the responses it receives.
  • TCP Reverse Ident - This scan discovers the username of the owner of any TCP-connected process on the targeted system. It helps an attacker use the ident protocol to discover who owns the process by allowing connections to open ports.
  • TCP XMAS - It is used to identify listening ports on the targeted system. The scan manipulates the URG, PSH and FIN flags of the TCP header.
  • TCP ACK - It is used to identify active websites that may not respond to standard ICMP pings. The attacker uses this method to determine the port status from the acknowledgment received.
  • UDP ICMP Port - This scan is used to find high-numbered ports, especially on Solaris systems. The scan is slow and unreliable.
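The title of this post cuts both ways: the techniques above also have a recognisable shape in a firewall log, which is how a blue team notices the scan. The Python below is an added example, not code from the post or the sources it links. It reads constructed, simplified iptables-style log lines (the format, the addresses and the thresholds are all assumptions) and flags two things: a source touching many distinct ports on one host within a short window, which is what a SYN or connect sweep looks like, and TCP flag combinations no normal client sends, which is what FIN, XMAS and NULL probes look like.

```python
"""Spot port-scan behaviour in firewall logs (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample, not real traffic. Simplified iptables LOG shape:
# timestamp, SRC, DST, PROTO, DPT, then the names of the TCP flags that were set.
# A line ending right after DPT= means no flags were set (a NULL probe).
SAMPLE_LOG = """\
2024-03-01T10:00:00 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
2024-03-01T10:00:00 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2024-03-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2024-03-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2024-03-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=53 SYN
2024-03-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2024-03-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
2024-03-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143 SYN
2024-03-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
2024-03-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389 SYN
2024-03-01T10:00:04 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2024-03-01T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 ACK PSH
2024-03-01T10:00:09 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:01:00 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 FIN PSH URG
2024-03-01T10:01:00 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80 FIN
2024-03-01T10:01:01 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return one event dict, or None for lines that are not TCP log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = frozenset(tok for tok in m["rest"].split() if tok in TCP_FLAGS)
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"]), "flags": flags}


def classify_flags(flags):
    """Name flag combinations that a normal TCP client never sends."""
    if not flags:
        return "NULL scan probe"
    if flags == {"FIN"}:          # a real teardown carries FIN+ACK, never bare FIN
        return "FIN scan probe"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan probe"
    return None


def detect_scans(log_text, port_threshold=10, window_seconds=5):
    """Return {'sweeps': [(src, dst, distinct_ports)], 'odd_flags': [(src, dst, dpt, label)]}.

    A sweep is a source sending SYN-only probes to >= port_threshold distinct
    ports on one destination within window_seconds. Thresholds are assumptions;
    tune them to the network's normal behaviour.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = {"sweeps": [], "odd_flags": []}

    for e in events:
        label = classify_flags(e["flags"])
        if label:
            findings["odd_flags"].append((e["src"], e["dst"], e["dpt"], label))

    # Group SYN-only probes (SYN set, ACK clear) per source/destination pair.
    by_pair = defaultdict(list)
    for e in events:
        if "SYN" in e["flags"] and "ACK" not in e["flags"]:
            by_pair[(e["src"], e["dst"])].append((e["ts"], e["dpt"]))

    window = timedelta(seconds=window_seconds)
    for (src, dst), probes in by_pair.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):
            # Distinct ports seen in the window that starts at this probe.
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= port_threshold:
            findings["sweeps"].append((src, dst, best))
    return findings


if __name__ == "__main__":
    for kind, items in detect_scans(SAMPLE_LOG).items():
        print(kind, items)
```

In the sample, 203.0.113.5 is reported as a sweep (11 distinct ports in four seconds), 198.51.100.7 is ignored because two ports over several seconds is ordinary browsing, and 203.0.113.9 produces three flag findings. A slow scan spread over hours defeats the window check, which is why the flag check is kept separate: it needs no rate at all.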

In Nmap's manual you will see some port states, these include:
  • Open means that an application on the target machine is listening for connections/packets on that port.
  • Closed ports have no application listening on them, though they could open up at any time.
  • Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

Some simple scans (options) for Nmap:
nmap 172.16.54.144 -O will use various techniques at the operating system level to identify the operating system. The operating system type and version are very useful for vulnerability detection. Doing a quick search on the OS version will show known vulnerabilities and exploits for the operating system.
nmap 172.16.54.144 -sV will use various techniques to identify a specific service and its version running on a port. The service type and version are very useful for vulnerability detection. Doing a quick search on the service version will show known vulnerabilities and exploits for the network service.
nmap 172.16.54.0/24 -sP will send an ICMP echo request to every IP address in a given range. If the host is alive AND responding to ping requests, it will answer with an ICMP echo reply.

Hold My Beer Security said:
Typically, in a red team engagement the red team knows the IP scheme and network services of the team(s) they are attacking. As a competition organizer we want our red team to be successful but not obliterate our blue teams. We want our red teamers to get and gain persistence and give them enough guidance to do their job.

nmap --top-ports 100 -T5 172.16.X.0/24 starts with a network scan of all hosts and scans the top 100 ports on each.
nmap -p- -sV 172.16.X.0/24 is an intensive scan that will scan all hosts on a network, scan all ports on each machine, and perform service version identification for vulnerability detection.

You can easily set up Nmap on a virtual private server hosting provider: simply register and deploy a server with 2 CPUs, which should only be $0.03 (three cents) hourly. I prefer Debian and Ubuntu! SSH into your server using PuTTY and paste the below into your terminal session.
Code:
apt update
apt upgrade -y
apt install nmap -y
Now you are ready to go! Just paste in one of the Nmap options.

Assuming we have permission from the appropriate individuals at United States Naval Academy, how about we ping their website "ping usna.edu", which resolves to 136.160.88.139. If we check the ASN, we will find they use University of Maryland's IP addresses. The route is 136.160.0.0/16 so we also know their IPs to check for services (if we had permission). If someone is using Cloudflare or another gateway service to obscure their IP addresses, this is not impossible but becomes a greater challenge with appropriate configurations.

nmap -n -sn 127.0.0.1 -oG - | awk '/Up$/{print $2}' is great for getting a list of all IP addresses online - the equivalent of a ping sweep. Nmap's manual on host discovery is often a helpful resource. Unfortunately a ping sweep is not always reliable so Nmap will check port 80 if there is no ping reply. Since sometimes ping and port 80 may not be working, you may want to specify alternative ports.
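The awk one-liner above pulls only the IP addresses out of Nmap's grepable output, but the same -oG format also carries the open/closed/filtered states described earlier, one Ports: field per host. The Python below is an added example, not code from the post, that parses a constructed -oG sample (the hostnames, services and version strings are invented) into per-host port states, reproduces the awk result, and summarises the states across the whole scan. This is the shape of data a blue team feeds into an asset inventory or compares against the previous week's scan.

```python
"""Parse Nmap grepable (-oG) output (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample of `nmap -sV -oG -` output; not a real scan. Fields on a
# Host: line are tab-separated, and each Ports: entry has seven slash-separated
# parts: port/state/proto/owner/service/rpc/version.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG - 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.2 (files.example.test)\tStatus: Up
Host: 192.0.2.2 (files.example.test)\tPorts: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (998)
Host: 192.0.2.3 ()\tStatus: Down
# Nmap done: 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")
IGNORED_RE = re.compile(r"(\w+) \((\d+)\)")


def parse_grepable(text):
    """Return {ip: {"name", "status", "ports": {port: (state, proto, service, version)}, "ignored"}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' banner and footer lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts.setdefault(
            m["ip"], {"name": m["name"], "status": None, "ports": {}, "ignored": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) < 7:
                        continue          # malformed entry; skip rather than guess
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    entry["ports"][int(port)] = (state, proto, service, version)
            elif key == "Ignored State":
                im = IGNORED_RE.match(value)
                if im:
                    # Ports Nmap did not list individually, e.g. "closed (998)".
                    entry["ignored"] = (im.group(1), int(im.group(2)))
    return hosts


def hosts_up(text):
    """Same answer as the post's awk pipeline: IPs whose Status is Up."""
    return [ip for ip, h in parse_grepable(text).items() if h["status"] == "Up"]


def open_services(text):
    """(ip, port, service, version) for every open port: an inventory view."""
    return [(ip, port, svc, ver)
            for ip, h in parse_grepable(text).items()
            for port, (state, _proto, svc, ver) in sorted(h["ports"].items())
            if state == "open"]


def state_summary(text):
    """Count ports per state across all hosts, including the Ignored State totals."""
    counts = Counter()
    for h in parse_grepable(text).values():
        for state, *_ in h["ports"].values():
            counts[state] += 1
        if h["ignored"]:
            counts[h["ignored"][0]] += h["ignored"][1]
    return dict(counts)


if __name__ == "__main__":
    print(hosts_up(SAMPLE_OG))
    for row in open_services(SAMPLE_OG):
        print(row)
    print(state_summary(SAMPLE_OG))
```

Nmap only lists ports individually when their state is in the minority; the rest collapse into the Ignored State count, so a summary that ignores that field badly undercounts closed or filtered ports. Feeding the function real output from nmap -oG - and diffing open_services() against a stored baseline is a cheap way to notice a service that appeared since the last scan.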

For a large Nmap cheat sheet, Hacker Target has highlighted many useful options. Nmap is incredibly powerful, look at the cheat sheet and find "Digging deeper with NSE Scripts".

Have any other useful tips, questions, or stories? Just reply with them below!