[! My notes are gathered from academy.hackthebox.com and nmap.org]
Description
Nmap is a tool that every hacker needs in their toolkit, as it's the starting point for enumerating a system. In fact, I would consider it the first step when you're conducting a pentest.
Scan Types
-sS (TCP SYN scan)
- does not complete the three-way handshake as it only sends a SYN packet and waits to receive a SYN-ACK packet (signifying an open port) or RST packet (signifying a closed port)
- no response means nmap reports the port as filtered: you do not know whether it is open or closed and further testing is required (a firewall could be dropping the packets)
- quick scan, stealthy because it doesn't complete the three-way handshake
-sT (Connect scan)
- nmap asks the operating system to establish a full connection to each target port using the connect() call
- not the most stealthy
-sA (ACK scan)
- sends an ACK packet and waits to receive a RST (indicating that it's open or closed), no response (meaning the port is filtered), or an error (meaning the port is filtered)
- this scan is useful for mapping firewall rules because the firewall can't figure out if the connection is from the external or internal network
-sU (UDP scan)
- scans for UDP services
- slower
- sends UDP packet
- you only know a port is open if the application behind it is configured to send a response
Helpful Options
Option | Description |
---|---|
-sn | disables port scanning - sends ping scan with ICMP echo requests (-PE) |
-PE | scans with ICMP echo requests |
-iL | performs scan from provided list |
--disable-arp-ping | disable ARP pings and ping with ICMP echo requests instead |
--top-ports=? | specify the number of the most frequent nmap-defined ports you want to scan |
-p- | scan all ports |
-F | top 100 ports with fast scanning |
-n | disables DNS resolution |
--packet-trace | show all packets in the communication |
-sV | more information including versions, service names, etc. |
--reason | why a port is set to a specific state |
-Pn | disables ICMP echo requests |
-oN | save as .nmap file |
-oG | save as .gnmap file (grepable) |
-oX | save as .xml file |
-oA | save in all formats |
--script __ | run the given scripts or script categories from nmap's scripting engine (auth, broadcast, brute, discovery, intrusive, version, vuln, fuzzer, external, etc.) |
-sC | run nmap's scripting engine default scripts |
-T 0-5 | how fast you want to perform the scan |
--min-parallelism | what frequency to send out packets |
--min-rate | how many packets to send at the same time |
--max-rtt-timeout | timeouts for packets |
--max-retries | number of retries |
Nmap performs service enumeration by reading service banners or by matching responses against its signature database. You can also use tcpdump or nc to obtain more information about the services.
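Once a scan has been saved with -oG, the port states discussed above have to be read back out of the file. The following Python parser is an added example (not from HTB Academy or nmap.org): it parses a constructed .gnmap sample, counts ports per state, lists the services nmap confirmed open, and flags the filtered / open|filtered ports that the SYN and UDP notes say need further testing.

```python
import re
from collections import Counter
# Constructed sample of nmap -oG output (not a real scan); each "Ports:" entry
# is port/state/protocol/owner/service/rpc_info/version/ separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG scan.gnmap 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open|filtered/udp//domain///, 443/filtered/tcp//https///\tIgnored State: closed (1997)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 80/open/tcp//http//nginx 1.18/\tIgnored State: closed (1999)
# Nmap done -- 4 IP addresses (2 hosts up) scanned
"""

# Seven slash-separated fields; nmap writes "|" instead of "/" inside values.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp|sctp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
# States where nmap could not tell open from closed (see the SYN and UDP notes).
AMBIGUOUS = {"filtered", "open|filtered", "closed|filtered", "unfiltered"}

def parse_gnmap(text):
    """Return one dict per reported port from grepable (-oG) output."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer lines
        # Tab-separated "Key: value" fields: Host, Status or Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the trailing "(hostname)"
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            findings.append({"host": host, "port": int(port), "proto": proto,
                             "state": state, "service": service, "version": version})
    return findings

def state_counts(findings):
    """Ports per nmap state, e.g. {'open': 2, 'open|filtered': 1, 'filtered': 1}."""
    return Counter(f["state"] for f in findings)

def open_services(findings):
    """host -> ['22/tcp ssh OpenSSH 8.9', ...] for ports nmap confirmed open."""
    out = {}
    for f in findings:
        if f["state"] == "open":
            label = f"{f['port']}/{f['proto']} {f['service']} {f['version']}".rstrip()
            out.setdefault(f["host"], []).append(label)
    return out

def needs_followup(findings):
    """Ports whose state is ambiguous and deserve a second look (e.g. with --reason)."""
    return [(f["host"], f["port"], f["proto"], f["state"])
            for f in findings if f["state"] in AMBIGUOUS]
```

Point `parse_gnmap` at the contents of a real .gnmap file to get the same summaries for an actual scan.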
Evading Firewalls and IDS/IPS
- start by scanning with a single virtual private server (VPS) and use a different VPS if the host is blocked
- use decoys (-D) so that nmap sends probes that appear to come from random IP addresses in addition to our own, leaving the target unsure which source the scan really came from
- specify a source IP address (-S) from inside the target's own network range
- set --source-port to 53, the DNS port, since traffic from DNS servers is usually trusted more than other traffic coming from the Internet