HTB’s 15 must-know Nmap commands in 2024

By default, Nmap scans the top 1,000 TCP ports with a SYN scan (-sS) when it runs with raw-socket privileges (root); without them it falls back to a TCP connect scan (-sT). In other words, if we do not specify ports or a scan type, Nmap picks these defaults for us.

In the output, Nmap displays the state of each port (open, closed, filtered, and so on) and a service name. Without -sV that name is simply looked up from the port number in the nmap-services file; it is not confirmed by talking to the service.

To see what is actually being sent and received behind those results, we can repeat the scan with --packet-trace:

The Nmap TCP connect scan (-sT) uses the full TCP three-way handshake to determine whether a port on the target host is open or closed.

The scan sends a SYN packet to the target port and waits for a response. A SYN-ACK reply means the port is open, an RST means it is closed. Because the connection is made through the operating system's socket API, the OS completes the handshake and Nmap then closes the connection.

Why use it? Because completing the handshake is the most accurate way of determining the true state of a port, and it is the only TCP scan available when we cannot send raw packets (no root, no raw-socket access, or a scan through a SOCKS proxy).

The connect scan leaves no half-open connections on the target, so it does not trip the SYN-scan signatures some IDS/IPS use. The flip side is that the connection is fully established, so the application behind the port sees it and can log it (a web server's access log, sshd's auth log). That makes a connect scan more visible to the target than a SYN scan, not less, so do not choose it for stealth.

Some system administrators forget to filter UDP ports in addition to the TCP ones.

UDP has no handshake: we send a datagram and only get something back if the service chooses to answer, or if the host returns an ICMP port unreachable for a closed port. Silence is ambiguous (the port may be open but quiet, or the probe may have been dropped), so Nmap reports it as open|filtered and each probe has to wait out a timeout. Linux targets also rate-limit ICMP errors to about one per second. Together this makes a UDP scan (-sU) far slower than a TCP scan (-sS); scanning a short list of likely ports (for example -sU --top-ports 100) is usually the pragmatic choice.

Let’s look at an example of what a UDP scan (-sU) can look like and what results it gives us:
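As an added illustration (not the article's own example), here is a minimal TCP connect scan and UDP probe that reproduce the logic described above: the connect scan classifies by handshake outcome, and the UDP probe shows why "no answer" has to be reported as open|filtered. Everything runs against listeners started on 127.0.0.1 inside the script, so it needs no target; the ports are assigned by the OS, and the UDP "closed" result depends on the kernel delivering the ICMP port unreachable to the socket, which Linux does.

```python
import socket
import threading

# Added example (not from the original article): a bare-bones TCP connect scan
# and UDP probe in the style of nmap -sT / -sU, run against listeners we start
# ourselves on 127.0.0.1 so it works offline. Port numbers are chosen by the OS.

def tcp_connect_scan(host, port, timeout=1.0):
    """Full three-way handshake via the socket API, exactly what -sT does.
    The OS completes the handshake, so the target application sees the
    connection (and may log it) before we close it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # SYN -> SYN/ACK -> ACK
            return "open"
        except ConnectionRefusedError:   # RST came back
            return "closed"
        except socket.timeout:           # nothing came back: dropped somewhere
            return "filtered"

def udp_probe(host, port, payload=b"\x00", timeout=1.0):
    """No handshake in UDP. A datagram reply means open; an ICMP port
    unreachable (surfaced as ECONNREFUSED on a connected UDP socket) means
    closed; silence is ambiguous, which nmap reports as open|filtered.
    Waiting out that silence is what makes -sU slow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def start_tcp_listener():
    """A listening socket is enough: the kernel completes handshakes for us."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def start_udp_echo():
    """A UDP service that answers, so the probe can classify it as open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except socket.timeout:
                continue
            except OSError:              # socket closed by demo(): stop
                return
            srv.sendto(data, peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def unused_port(kind):
    """Bind-then-close to find a port nothing is listening on."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    tcp_srv, tcp_port = start_tcp_listener()
    udp_srv, udp_port = start_udp_echo()
    try:
        return {
            "tcp_open": tcp_connect_scan("127.0.0.1", tcp_port),
            "tcp_closed": tcp_connect_scan("127.0.0.1", unused_port(socket.SOCK_STREAM)),
            "udp_open": udp_probe("127.0.0.1", udp_port),
            "udp_closed": udp_probe("127.0.0.1", unused_port(socket.SOCK_DGRAM)),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()

if __name__ == "__main__":
    for probe, state in demo().items():
        print(f"{probe}: {state}")
```

The TCP results come back in milliseconds because the target answers either way; the UDP probe against the closed port only comes back quickly if the ICMP error is delivered, otherwise it sits through the whole timeout, which is the cost Nmap pays on every silent UDP port.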

When conducting any enumeration, determining the application and its exact version is essential: that is what lets us look up known vulnerabilities for it and, for open-source software, read the matching source code.

Service version detection

A full-range version scan gives us an overview of the open ports and the software versions behind them. It takes a while; pressing the space bar while it runs prints the current progress:

sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:44 CEST
[Space Bar]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.64% done; ETC: 19:45 (0:00:53 remaining)

Nmap command   Description
10.129.2.28    Scans the specified target.
-p-            Scans all 65,535 TCP ports instead of the default top 1,000.
-sV            Performs service version detection on the ports found open.

Once the scan is complete, we see every TCP port that is open on the system along with the service and version Nmap identified (and the two ports it could not reach, marked filtered).

sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:00 CEST
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
Not shown: 65525 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp    open     smtp         Postfix smtpd
80/tcp    open     http         Apache httpd 2.4.29 ((Ubuntu))
110/tcp   open     pop3         Dovecot pop3d
139/tcp   filtered netbios-ssn
143/tcp   open     imap         Dovecot imapd (Ubuntu)
445/tcp   filtered microsoft-ds
993/tcp   open     ssl/imap     Dovecot imapd (Ubuntu)
995/tcp   open     ssl/pop3     Dovecot pop3d
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host:  inlane; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.73 seconds

Banner grabbing

For version detection, Nmap first listens for a banner on each open port and prints whatever it can match from it. If the banner alone does not reveal the version, it sends protocol-specific probes and matches the responses against its signature database (nmap-service-probes).

The catch is that the automatic scan only prints what its signatures extract. Details a banner carries that no signature covers are silently dropped, so the -sV line can be less informative than the raw banner.

So, what can we do about this?

We can manually connect to the SMTP server using nc, grab the banner, and intercept the network traffic using tcpdump. Then we can see what Nmap did not show us.

Tcpdump

sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Nc

nc -nv 10.129.2.28 25

Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)

Tcpdump – Intercepted Traffic

18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0

The first three lines show the three-way handshake: our SYN, the server's SYN-ACK, and our ACK.

After that, the SMTP server sends us a TCP segment with the PSH and ACK flags set and 35 bytes of payload, the banner. PSH tells the receiving stack to hand the data to the application immediately instead of buffering it; the ACK (ack 1) simply acknowledges everything we have sent so far, which at this point is only the SYN, since we have not transmitted any data yet.
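The nc and tcpdump steps above are easy to script, and doing so shows the difference Nmap's probes are built around: some services speak first (SMTP sends its 220 greeting as soon as the handshake completes), others say nothing until they get a request (HTTP). The following is an added example, not code from the article: a banner grabber that first listens, then sends a protocol probe if the service stays silent. It runs against two fake services started on 127.0.0.1 inside the script; their banners are constructed to mirror the article's output and their ports are assigned by the OS.

```python
import socket
import threading

# Added example (not from the original article): a banner grabber that does what
# nmap -sV does first, listen for the service to speak (the "NULL probe"), and
# then falls back to sending a protocol-specific probe when the service stays
# silent. It runs against two fake services started here on 127.0.0.1 so it
# works offline; their banners are constructed to mirror the article's output,
# and their ports are assigned by the OS.

SMTP_BANNER = b"220 inlane ESMTP Postfix (Ubuntu)\r\n"
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Apache/2.4.29 (Ubuntu)\r\n"
              b"Content-Length: 0\r\n\r\n")

def serve(srv, speaks_first):
    """Fake service: SMTP greets immediately; HTTP says nothing until asked."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            try:
                if speaks_first:
                    conn.sendall(SMTP_BANNER)
                    conn.recv(1024)              # wait for the client to go away
                elif conn.recv(1024):            # got a request line: answer it
                    conn.sendall(HTTP_REPLY)
            except OSError:
                pass                             # client hung up first

def start_fake(speaks_first):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=serve, args=(srv, speaks_first), daemon=True).start()
    return srv.getsockname()[1]

def grab_banner(host, port, probe=None, timeout=0.5):
    """Connect, wait up to `timeout` for an unsolicited banner, and if nothing
    arrives send `probe` and read the reply. Returns the raw text."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(4096)                  # NULL probe: just listen
        except socket.timeout:
            data = b""
        if not data and probe is not None:       # silent service: ask it
            s.sendall(probe)
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
        return data.decode("latin-1", "replace").strip()

def server_header(http_response):
    """Pull the Server: header out of an HTTP response, or None."""
    for line in http_response.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None

def demo():
    smtp_port = start_fake(speaks_first=True)
    http_port = start_fake(speaks_first=False)
    return {
        "smtp": grab_banner("127.0.0.1", smtp_port),
        "http_silent": grab_banner("127.0.0.1", http_port),
        "http_server": server_header(
            grab_banner("127.0.0.1", http_port, probe=b"HEAD / HTTP/1.0\r\n\r\n")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run against a real host, the raw banner string is what you keep in your notes: it often carries distribution and patch-level hints ("(Ubuntu)", "4ubuntu0.3") that the normalized -sV line may not show.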

Nmap Scripting Engine commands 

Another handy feature of Nmap is the Nmap Scripting Engine (NSE). It lets us run (and write) Lua scripts that interact with specific services, from parsing banners to brute-forcing logins and checking for known vulnerabilities.

Scripts are grouped into the following categories, and a script can belong to more than one:

Category     Description
auth         Scripts that deal with authentication: determining credentials or checking for authentication bypasses.
broadcast    Scripts that discover hosts by broadcasting on the local network; the discovered hosts can be fed into the remaining scans.
brute        Scripts that try to log in to the respective service by brute-forcing credentials.
default      The scripts that run with the -sC option (or -A); chosen to be fast, useful and mostly non-intrusive.
discovery    Scripts that gather more information about the target and the services it exposes.
dos          Scripts that test for denial-of-service vulnerabilities; rarely used, because they can take the service down.
exploit      Scripts that actively exploit known vulnerabilities in the scanned service.
external     Scripts that send data about the target to a third-party service (a whois database, vulners.com) for further processing.
fuzzer       Scripts that send unexpected or randomized field values to find bugs and crashes; these can take a long time.
intrusive    Scripts that could crash the target, use up resources, or be seen as malicious by an administrator.
malware      Scripts that check whether the target is infected with malware or hosts a backdoor.
safe         Scripts not designed to crash services, consume bandwidth, or exploit vulnerabilities (the opposite of intrusive).
version      Scripts that extend service version detection; they run as part of -sV.
vuln         Scripts that check for specific known vulnerabilities and report only when one is found.

Before running a category against a sensitive system, check what it contains: --script-help "vuln" lists the scripts and their categories, and note that vuln includes intrusive scripts and external ones that ship target details to third parties.

Using scripts for a vulnerability assessment

One key benefit of the NSE is the vuln category, which tries to identify known vulnerabilities. Below, the vulners script matches the Apache 2.4.29 version string against the Vulners database and lists CVE-2019-0211, CVE-2018-1312 and CVE-2017-15715, while http-enum and http-wordpress-users turn up a WordPress installation and an admin username. Note that the CVE hits are version-based matches, not verified findings: the script queries vulners.com over the network (it is in the external category as well), and a distribution that backports fixes keeps the old version string, so confirm each CVE before reporting it.

sudo nmap 10.129.2.28 -p 80 -sV --script vuln 

Nmap scan report for 10.129.2.28
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: WordPress version: 2
|   /: WordPress version: 5.3.4
|   /wp-includes/images/rss.png: WordPress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: WordPress version 2.5 found.
|   /wp-includes/images/blank.gif: WordPress version 2.6 found.
|   /wp-includes/js/comment-reply.js: WordPress version 2.7 found.
|   /wp-login.php: WordPress login page.
|   /wp-admin/upgrade.php: WordPress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
<SNIP>

Nmap command    Description
10.129.2.28     Scans the specified target.
-p 80           Scans only the specified port.
-sV             Performs service version detection on the specified port.
--script vuln   Runs all scripts in the vuln category against the open port.
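Both the version scan and the vuln scan above end in a wall of text. In practice the same data is written with -oX and consumed by tooling, so here is an added example (not part of the article) that parses Nmap's XML output into records a vulnerability workflow can use: port state, whether the service name was probed or just looked up from a table, the CPEs Nmap assigns, and the vulners findings with their CVSS scores. SAMPLE_XML is constructed here to mirror the article's results in -oX layout; the structure assumed for the vulners script's table (elem keys id, cvss, type) follows that script's structured output and is an assumption that may differ across versions.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the article: parse Nmap's XML output (-oX) so the
# version and NSE results can be fed into a vulnerability workflow instead of
# being read off the screen. SAMPLE_XML is constructed to mirror the article's
# scan results; the layout of the vulners script table is an assumption.

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV --script vuln 10.129.2.28" version="7.80">
<host><status state="up" reason="arp-response"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10">
<cpe>cpe:/a:openbsd:openssh:7.6p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" method="probed" conf="10">
<cpe>cpe:/a:apache:http_server:2.4.29</cpe></service>
<script id="http-server-header" output="Apache/2.4.29 (Ubuntu)"/>
<script id="vulners" output="see structured table">
<table key="cpe:/a:apache:http_server:2.4.29">
<table><elem key="id">CVE-2019-0211</elem><elem key="cvss">7.2</elem><elem key="type">cve</elem></table>
<table><elem key="id">CVE-2018-1312</elem><elem key="cvss">6.8</elem><elem key="type">cve</elem></table>
<table><elem key="id">CVE-2017-15715</elem><elem key="cvss">6.8</elem><elem key="type">cve</elem></table>
</table></script></port>
<port protocol="tcp" portid="139"><state state="filtered" reason="no-response"/>
<service name="netbios-ssn" method="table" conf="3"/></port>
</ports></host></nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return one record per scanned port: state, service fields, CPEs and any
    vulners findings as (id, cvss) pairs."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            rec = {
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table" means the name came from nmap-services, not a probe
                "probed": svc is not None and svc.get("method") == "probed",
                "cpes": [c.text for c in svc.iter("cpe")] if svc is not None else [],
                "vulns": [],
            }
            vul = port.find("script[@id='vulners']")
            if vul is not None:
                for entry in vul.iter("table"):
                    fields = {e.get("key"): e.text for e in entry.findall("elem")}
                    if "id" in fields:       # inner tables only; the outer one has no elems
                        rec["vulns"].append((fields["id"], float(fields.get("cvss", 0))))
            records.append(rec)
    return records

def findings_above(records, min_cvss):
    """Flatten to (host, port, cve, cvss) for everything at or above min_cvss,
    highest score first: the triage list, not a confirmed-vulnerable list."""
    out = []
    for r in records:
        for cve, score in r["vulns"]:
            if score >= min_cvss:
                out.append((r["host"], r["port"], cve, score))
    return sorted(out, key=lambda f: -f[3])

if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for r in recs:
        print(r["port"], r["state"], r["product"], r["version"], "probed" if r["probed"] else "table")
    print(findings_above(recs, 7.0))
```

The "probed" flag is worth keeping: a service name that came from the port table (like netbios-ssn on the filtered port 139) is a guess, and version-based CVE matching on it is meaningless.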

 

Commands to bypass security measures

Nmap commands for bypassing firewalls

 

Nmap gives us many different ways to bypass firewalls and IDS/IPS.

But first, let’s define what these security measures are: 

  • Firewall: a firewall decides, per packet or per connection, whether traffic is passed, dropped, or rejected. Its job is to keep unwanted and potentially dangerous connection attempts from external networks away from internal hosts.

  • IDS/IPS: an IDS monitors network traffic for signs of attacks, analyzes them, and alerts on what it detects. An IPS goes one step further and actively blocks traffic it classifies as an attack.

Understanding firewall rules

Firewalls can either drop or reject the packets an Nmap scan sends. Dropped packets are discarded silently; no response comes back, so the probe simply times out.

Rejected packets get an explicit answer. For TCP that is either an RST, which looks exactly like a closed port to Nmap, or an ICMP destination unreachable message carrying one of the following codes, which Nmap reports as filtered:

  • Net Unreachable (code 0).

  • Host Unreachable (code 1).

  • Proto Unreachable (code 2).

  • Port Unreachable (code 3).

  • Net Prohibited (code 9).

  • Host Prohibited (code 10).

  • Communication Administratively Prohibited (code 13).

Nmap's TCP ACK scan (-sA) is harder for a simple packet filter to block than a SYN (-sS) or connect (-sT) scan because it sends a TCP packet with only the ACK flag set.

A host that receives a stray ACK must answer with an RST whether the port is open or closed, so the ACK scan cannot tell open from closed. Nmap reports a port that answers as unfiltered and one that stays silent or is answered with an ICMP error as filtered; the scan maps firewall rules, not services.

Firewalls usually block inbound connection attempts (packets with only SYN set) from external networks while allowing connections that were opened from the inside.

A stateless packet filter therefore often lets ACK packets through: from a single packet it cannot tell whether the connection was originally established from the external network or the internal one, and blocking all ACKs would break every outbound connection. A stateful firewall keeps a connection table and drops an ACK that matches no known flow, so against modern firewalls the ACK scan mostly reports every port as filtered, which is itself useful to know.
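The reasoning above is easiest to see in code. The following is an added illustration, not part of the article: it models a stateless ACL and a connection-tracking firewall as small Python functions and feeds them the SYN and ACK probes from the article's addresses (10.10.14.2 scanning 10.129.2.28:80). It is a model of the filtering decision, not a real packet filter; the allowed inbound port 25 and the internal host's earlier outbound flow to 1.2.3.4:443 are made up for the demonstration.

```python
from dataclasses import dataclass

# Added example (not from the original article): a toy model of the two firewall
# styles the text contrasts, fed the probes an ACK scan and a SYN scan would send.
# Packets are constructed tuples; this models the decision, not a packet filter.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S" = SYN only, "A" = ACK only, "SA" = SYN/ACK

INSIDE = "10.129.2.28"  # the protected host, as in the article

def is_syn_only(pkt):
    return "S" in pkt.flags and "A" not in pkt.flags

def stateless_filter(pkt):
    """Classic ACL: block inbound connection attempts, pass everything else on
    the assumption that it belongs to a connection opened from inside."""
    inbound = pkt.dst == INSIDE
    if inbound and is_syn_only(pkt):
        return "drop"
    return "pass"

class StatefulFilter:
    """Connection tracking: an inbound packet passes only if it belongs to a
    flow the inside host opened, or is a NEW connection to an allowed port."""
    def __init__(self, allowed_ports=()):
        self.allowed = set(allowed_ports)
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        inbound = pkt.dst == INSIDE
        key = ((pkt.dst, pkt.dport, pkt.src, pkt.sport) if inbound
               else (pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if not inbound:
            if is_syn_only(pkt):
                self.flows.add(key)     # inside host opens a connection
            return "pass"
        if key in self.flows:
            return "pass"               # ESTABLISHED: reply to our own flow
        if is_syn_only(pkt) and pkt.dport in self.allowed:
            self.flows.add(key)
            return "pass"               # NEW to an exposed service
        return "drop"                   # INVALID: e.g. a bare ACK with no flow

def ack_scan_result(verdict):
    """What nmap -sA prints: a host that receives the bare ACK answers RST for
    open and closed ports alike, so a probe that got through is 'unfiltered'."""
    return "unfiltered" if verdict == "pass" else "filtered"

def demo():
    syn = Packet("10.10.14.2", INSIDE, 59289, 80, "S")   # -sS / -sT probe
    ack = Packet("10.10.14.2", INSIDE, 59289, 80, "A")   # -sA probe
    stateless = {"syn": stateless_filter(syn), "ack": stateless_filter(ack)}

    fw = StatefulFilter(allowed_ports={25})               # only SMTP exposed (assumed)
    fw.filter(Packet(INSIDE, "1.2.3.4", 40000, 443, "S"))  # inside host went out earlier
    stateful = {
        "syn": fw.filter(syn),
        "ack": fw.filter(ack),
        "reply_to_outbound": fw.filter(Packet("1.2.3.4", INSIDE, 443, 40000, "SA")),
        "syn_to_allowed": fw.filter(Packet("10.10.14.2", INSIDE, 59290, 25, "S")),
    }
    return {
        "stateless": stateless,
        "stateful": stateful,
        "ack_scan_sees": {"stateless": ack_scan_result(stateless["ack"]),
                          "stateful": ack_scan_result(stateful["ack"])},
    }

if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The stateless filter passes the bare ACK because it has no way to know the flow never existed, so port 80 shows up as unfiltered even though SYNs to it are dropped. The stateful filter drops the same ACK as INVALID while still passing the SYN/ACK that belongs to the inside host's own outbound connection, which is exactly the distinction the ACK scan relies on a firewall not making.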

Detecting IDS/IPS

Detecting an IDS/IPS with Nmap is much harder, because these systems monitor traffic passively and do not answer our probes.

An IDS inspects the traffic between hosts. When a packet matches a defined signature or behaviour, the administrator is alerted and, in the worst case for us, takes action such as blocking our address.

So, how can we detect whether these systems are in place during a penetration test?

One approach is to scan from several virtual private servers (VPS) with different IP addresses.

If one of them suddenly loses all access to the target network, we know that someone or something reacted to the scan, and we can continue the assessment from another VPS, ideally after slowing the scan rate and changing technique so we do not lose that one too.

Decoys

If we find that an IDS/IPS is in place, decoy scanning (-D) is one option.

With this method Nmap sends each probe several times: once from our real address and once from each decoy address, which it spoofs in the IP header. The target and its sensors see the scan arriving from several hosts at once and cannot tell at a glance which one is real. Two caveats from the Nmap documentation: decoys only work with raw-packet scans (not with -sT or -sV), and our real address is still on the wire, so this is obfuscation, not anonymity.

Here’s a decoy scan in action:

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:14 CEST
SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S ttl=42 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0378s) TCP 10.10.14.2:59289 > 10.129.2.28:80 S ttl=59 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.129.2.28:80 S ttl=37 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 191.6.64.171:59289 > 10.129.2.28:80 S ttl=38 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 184.178.194.209:59289 > 10.129.2.28:80 S ttl=39 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 43.21.121.33:59289 > 10.129.2.28:80 S ttl=55 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
RCVD (0.1370s) TCP 10.129.2.28:80 > 10.10.14.2:59289 SA ttl=64 id=0 iplen=44  seq=4056111701 win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.099s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Nmap command        Description
10.129.2.28         Scans the specified target.
-p 80               Scans only the specified port.
-sS                 Performs a SYN scan on the specified port.
-Pn                 Skips host discovery (no ICMP echo or other ping probes) and treats the host as up.
-n                  Disables DNS resolution.
--disable-arp-ping  Disables ARP ping.
--packet-trace      Shows all packets sent and received.
-D RND:5            Adds five randomly generated decoy source addresses; our real address is sent among them at a random position. Hand-picked decoys should be hosts that are actually up (otherwise the target may be SYN-flooded by the unanswered SYN/ACKs), and networks with egress filtering may drop the spoofed packets before they leave.
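Seen from the defender's side, the trace above also shows what gives a decoy scan away. The following added example (not code from the article) parses those --packet-trace lines, embedded here as sample input, and groups probes by the fields Nmap reuses across the real source and its decoys: IP id, TCP sequence number and source port. The time window used for grouping is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Added example (not from the original article): the defender's view of a decoy
# scan. Parse Nmap --packet-trace lines and group SYNs that share the header
# fields Nmap reuses across the real source and its decoys. TRACE is the
# article's own output, embedded as sample input; the 50 ms window is assumed.

TRACE = """\
SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S ttl=42 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0378s) TCP 10.10.14.2:59289 > 10.129.2.28:80 S ttl=59 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.129.2.28:80 S ttl=37 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 191.6.64.171:59289 > 10.129.2.28:80 S ttl=38 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 184.178.194.209:59289 > 10.129.2.28:80 S ttl=39 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 43.21.121.33:59289 > 10.129.2.28:80 S ttl=55 id=29822 iplen=44  seq=3687542010 win=1024 <mss 1460>
RCVD (0.1370s) TCP 10.129.2.28:80 > 10.10.14.2:59289 SA ttl=64 id=0 iplen=44  seq=4056111701 win=64240 <mss 1460>
"""

LINE = re.compile(
    r"^(SENT|RCVD) \(([\d.]+)s\) TCP (\S+):(\d+) > (\S+):(\d+) (\S+) "
    r"ttl=(\d+) id=(\d+) iplen=\d+\s+seq=(\d+)"
)

def parse_trace(text):
    """Turn --packet-trace lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d, t, src, sport, dst, dport, flags, ttl, ipid, seq = m.groups()
        rows.append({"dir": d, "t": float(t), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "flags": flags,
                     "ttl": int(ttl), "ipid": int(ipid), "seq": int(seq)})
    return rows

def find_decoy_groups(rows, window=0.05):
    """Group SYNs to the same target port that share IP id, TCP seq and source
    port within `window` seconds. Several source addresses in one group is the
    signature of a -D scan: independent scanners would not share those values."""
    groups = defaultdict(list)
    for r in rows:
        if r["dir"] == "SENT" and r["flags"] == "S":
            groups[(r["dst"], r["dport"], r["ipid"], r["seq"], r["sport"])].append(r)
    suspicious = []
    for (dst, dport, ipid, seq, sport), pkts in groups.items():
        srcs = sorted({p["src"] for p in pkts})
        span = max(p["t"] for p in pkts) - min(p["t"] for p in pkts)
        if len(srcs) > 1 and span <= window:
            suspicious.append({
                "target": f"{dst}:{dport}", "sources": srcs, "ipid": ipid,
                "seq": seq, "sport": sport,
                "ttls": sorted(p["ttl"] for p in pkts),
            })
    return suspicious

if __name__ == "__main__":
    for g in find_decoy_groups(parse_trace(TRACE)):
        print(f"{g['target']}: {len(g['sources'])} sources share id={g['ipid']} "
              f"seq={g['seq']} sport={g['sport']}; ttls={g['ttls']}")
```

All six SYNs share id=29822, seq=3687542010 and source port 59289 and arrive within a millisecond of each other; six unrelated scanners would not produce that. The TTL differs in every packet (37 to 59), so it does not single out the real sender either. A sensor behind the target still sees the target's SYN/ACKs go to all six addresses, so the decoys hide which source is real, but not that a decoy scan took place.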

Learn Nmap today

Nmap is an extremely powerful tool for all infosec professionals. Whether you use it to protect your own network or to perform penetration tests, the commands above are essential to have at hand.

However, remember it’s important to not only rely on tools to do your job. You need to also understand how and why these tools work and what the information you find actually means. 

Ready to dive in? 

Find out everything you need to know about Nmap with our Academy module:

 
