Description
Used for host discovery, port scanning, enumerating services, detecting operating systems, etc.
Types of Scans
- -sS TCP SYN scan
  - sends a SYN packet
  - if SYN/ACK comes back the port is open, if RST the port is closed
  - nmap then sends back an RST packet rather than completing the handshake
- -sT TCP Connect scan
  - completes the three-way handshake, making it highly accurate but not the most stealthy
  - good for firewalls that only allow outgoing packets
- -sU UDP scan
  - UDP is stateless and does not require a three-way handshake, which makes the scan slower, and a response only comes back if the application is configured to send one
- -sA ACK scan
  - used to detect firewalls
Host Discovery
sudo nmap IP_Address -sn
where -sn disables port scanning
Other Helpful Options
- --packet-trace shows all packets that are sent and received
- -n disables DNS resolution
- --disable-arp-ping disables ARP ping
- --reason displays the reason a port is reported in a certain state
- saving results
  - -oN normal output
  - -oG grepable output
  - -oX XML output
- -p- scans all ports
- -v verbose output
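Added example, not part of the original notes: a small Python parser for the -oG grepable format mentioned above, so saved results can be turned into an inventory of open ports for review. The scan output below is constructed, not a real result.

```python
"""Parse nmap grepable (-oG) output into per-host port records."""
import re

# Constructed sample of nmap -oG output (not a real scan result).
SAMPLE_OG = """# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG - 192.168.1.0/30
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.2 (host2.example)\tStatus: Up
Host: 192.168.1.2 (host2.example)\tPorts: 53/open/udp//domain//dnsmasq 2.89/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: [{port, state, proto, service, version}, ...]}.

    Grepable lines are tab-separated fields; the Ports field holds
    comma-separated entries of the form
    port/state/protocol/owner/service/rpc info/version/
    """
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # header / footer comment lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group(1)
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry, skip rather than guess
                hosts[ip].append({
                    "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                    "service": parts[4], "version": parts[6],
                })
    return hosts


def open_ports(hosts):
    """Flatten to (ip, port, proto, service) tuples for ports reported open."""
    return [(ip, p["port"], p["proto"], p["service"])
            for ip, ports in hosts.items() for p in ports if p["state"] == "open"]
```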
Service Versions
- -sV probes open ports to determine service and version information
NSE
- 14 categories of scripts
- -sC runs the default scripts
- --script <category> runs the scripts of a specific category
Performance
- --min-parallelism <number> sets the minimum number of probes sent in parallel
- -T<0-5> timing template, from slowest (0) to fastest (5)
- --max-rtt-timeout <time>
- --min-rate <number>
- --max-retries <number>
Firewalls and IDS/IPS Evasion
Firewalls
- use the -sA (ACK) scan to detect firewall filtering
IDS/IPS
- decoys: -D places random IP addresses into the IP header so the IDS/IPS cannot tell where the packet originated
  - example: -D RND:5
- specify the source IP address with the -S option
- use --source-port 53 if you are in a demilitarized zone and the company's DNS servers are more trusted than the outside network