Network Enumeration with Nmap
eldeim@htb[/htb]$ nmap --help
<SNIP>
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
<SNIP>
Host Discovery
Scan Network Range
eldeim@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
Scanning Options        Description
10.129.2.0/24           Target network range.
-sn                     Disables port scanning.
-oA tnet                Stores the results in all formats starting with the name 'tnet'.
This scanning method works only if the firewalls of the hosts allow it. Otherwise, we can use other scanning techniques to find out if the hosts are active or not. We will take a closer look at these techniques in "Firewall and IDS Evasion".
Scan IP List
During an internal penetration test, it is not uncommon for us to be provided with an IP list with the hosts we need to test. Nmap also gives us the option of working with lists and reading the hosts from this list instead of manually defining or typing them in.
Such a list could look something like this:
If we use the same scanning technique on the predefined list, the command will look like this:
Scanning Options        Description
-sn                     Disables port scanning.
-oA tnet                Stores the results in all formats starting with the name 'tnet'.
-iL                     Performs the defined scans against the targets in the provided 'hosts.lst' list.
In this example, we see that only 3 of 7 hosts are active. Remember, this may mean that the other hosts ignore the default ICMP echo requests because of their firewall configurations. Since Nmap does not receive a response, it marks those hosts as inactive.
Scan Multiple IPs
It can also happen that we only need to scan a small part of a network. An alternative to the method we used last time is to specify multiple IP addresses.
If these IP addresses are next to each other, we can also define the range in the respective octet.
Scan Single IP
Before we scan a single host for open ports and its services, we first have to determine if it is alive or not. For this, we can use the same method as before.
Scanning Options        Description
10.129.2.18             Performs the defined scans against the target.
-sn                     Disables port scanning.
-oA host                Stores the results in all formats starting with the name 'host'.
If we disable the port scan (-sn), Nmap automatically performs a ping scan with ICMP echo requests (-PE). Once such a request is sent, we usually expect an ICMP reply if the pinged host is alive. The more interesting fact is that our previous scans did not do that: before Nmap could send an ICMP echo request, it sent an ARP ping and received an ARP reply. We can confirm this with the "--packet-trace" option. To ensure that ICMP echo requests are sent, we also define the option (-PE) explicitly.
Scanning Options        Description
10.129.2.18             Performs the defined scans against the target.
-sn                     Disables port scanning.
-oA host                Stores the results in all formats starting with the name 'host'.
-PE                     Performs the ping scan by using ICMP echo requests against the target.
--packet-trace          Shows all packets sent and received.
Another way to determine why Nmap has our target marked as "alive" is with the "--reason" option.
Scanning Options        Description
10.129.2.18             Performs the defined scans against the target.
-sn                     Disables port scanning.
-oA host                Stores the results in all formats starting with the name 'host'.
-PE                     Performs the ping scan by using ICMP echo requests against the target.
--reason                Displays the reason for a specific result.
We see here that Nmap does indeed detect whether the host is alive or not through the ARP request and ARP reply alone. To disable ARP requests and scan our target with the desired ICMP echo requests, we can disable ARP pings by setting the "--disable-arp-ping" option. Then we can scan our target again and look at the packets sent and received.
As already mentioned in the "Learning Process" and at the beginning of this module, it is essential to pay attention to details. An ICMP echo request can help us determine whether our target is alive and identify its system. More strategies about host discovery can be found at:
Host and Port Scanning
Open ports and their services
Service versions
Information that the services provided
Operating system
There are a total of 6 different states for a scanned port we can obtain:
State             Description
open              This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
closed            When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
filtered          Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
unfiltered        This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open|filtered     If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.
closed|filtered   This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.
Discovering Open TCP Ports
By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). The SYN scan is the default only when we run Nmap as root, because creating raw TCP packets requires elevated socket permissions; otherwise, the TCP connect scan (-sT) is performed by default. This means that if we do not define ports and scanning methods, these parameters are set automatically. We can define the ports one by one (-p 22,25,80,139,445), by range (-p 22-445), by top ports (--top-ports=10) from the Nmap database of most frequently seen ports, by scanning all ports (-p-), or with the fast port scan (-F), which covers the top 100 ports.
Scanning Top 10 TCP Ports
Scanning Options        Description
10.129.2.28             Scans the specified target.
--top-ports=10          Scans the specified top ports that have been defined as most frequent.
We see that we only scanned the top 10 TCP ports of our target, and Nmap displays their state accordingly. If we trace the packets Nmap sends, we will see the RST flag on TCP port 21 that our target sends back to us. To have a clear view of the SYN scan, we disable the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping).
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p 21                   Scans only the specified port.
--packet-trace          Shows all packets sent and received.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
We can see from the SENT line that we (10.10.14.2) sent a TCP packet with the SYN flag (S) to our target (10.129.2.28). In the next RCVD line, we can see that the target responds with a TCP packet containing the RST and ACK flags (RA). RST and ACK flags are used to acknowledge receipt of the TCP packet (ACK) and to end the TCP session (RST).
Request
Message                 Description
SENT (0.0429s)          Indicates the SENT operation of Nmap, which sends a packet to the target.
TCP                     Shows the protocol that is being used to interact with the target port.
10.10.14.2:63090 >      Represents our IPv4 address and the source port, which will be used by Nmap to send the packets.
10.129.2.28:21          Shows the target IPv4 address and the target port.
S                       SYN flag of the sent TCP packet.
ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 mss 1460  Additional TCP header parameters.
Response
Message                 Description
RCVD (0.0573s)          Indicates a received packet from the target.
TCP                     Shows the protocol that is being used.
10.129.2.28:21 >        Represents the target's IPv4 address and the source port, which will be used to reply.
10.10.14.2:63090        Shows our IPv4 address and the port that will be replied to.
RA                      RST and ACK flags of the received TCP packet.
ttl=64 id=0 iplen=40 seq=0 win=0  Additional TCP header parameters.
Connect Scan on TCP Port 443
Filtered Ports
A port can be shown as filtered for several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped or rejected. When a packet gets dropped, Nmap receives no response from our target, and by default the retry rate (--max-retries) is set to 10. This means Nmap will resend the request to the target port to determine whether the previous packet was accidentally mishandled.
Let us look at an example where the firewall drops the TCP packets we send for the port scan. For this, we scan TCP port 139, which was already shown as filtered. To be able to track how our sent packets are handled, we deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping) again.
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p 139                  Scans only the specified port.
--packet-trace          Shows all packets sent and received.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
-Pn                     Disables ICMP echo requests.
We see in the last scan that Nmap sent two TCP packets with the SYN flag. From the duration of the scan (2.06s), we can recognize that it took much longer than the previous ones (~0.05s). The case is different if the firewall rejects the packets. For this, we look at TCP port 445, which is handled by such a reject rule of the firewall.
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p 445                  Scans only the specified port.
--packet-trace          Shows all packets sent and received.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
-Pn                     Disables ICMP echo requests.
As a response, we receive an ICMP reply with type 3 and error code 3 (destination unreachable, port unreachable), which is the error code that leads Nmap to mark the port as filtered.
Discovering Open UDP Ports
Some system administrators forget to filter the UDP ports in addition to the TCP ones. Since UDP is a stateless protocol that does not require a three-way handshake like TCP, we do not receive any acknowledgment. Consequently, the timeout is much longer, making the whole UDP scan (-sU) much slower than the TCP scan (-sS).
Let's look at an example of what a UDP scan (-sU) can look like and what results it gives us.
UDP Port Scan
Scanning Options        Description
10.129.2.28             Scans the specified target.
-F                      Scans the top 100 ports.
-sU                     Performs a UDP scan.
Another disadvantage is that we often get no response at all, because Nmap sends empty datagrams to the scanned UDP ports, so we cannot determine whether the datagram arrived. If the UDP port is open, we only get a response if the application is configured to reply.
Scanning Options        Description
10.129.2.28             Scans the specified target.
-sU                     Performs a UDP scan.
-Pn                     Disables ICMP echo requests.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
--packet-trace          Shows all packets sent and received.
-p 137                  Scans only the specified port.
--reason                Displays the reason a port is in a particular state.
If we get an ICMP response with error code 3 (port unreachable), we know that the port is indeed closed.
Scanning Options        Description
10.129.2.28             Scans the specified target.
-sU                     Performs a UDP scan.
-Pn                     Disables ICMP echo requests.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
--packet-trace          Shows all packets sent and received.
-p 100                  Scans only the specified port.
--reason                Displays the reason a port is in a particular state.
For all other ICMP responses, the scanned ports are marked as (open|filtered).
Scanning Options        Description
10.129.2.28             Scans the specified target.
-sU                     Performs a UDP scan.
-Pn                     Disables ICMP echo requests.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
--packet-trace          Shows all packets sent and received.
-p 138                  Scans only the specified port.
--reason                Displays the reason a port is in a particular state.
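The port-state table, the SENT/RCVD packet-trace breakdown and the UDP cases above can be checked mechanically. As an added example (not part of the original page), this Python code reads --packet-trace lines in the format dissected earlier and derives the state and --reason value for each probed port: SYN/ACK means open, RST means closed, silence means filtered for a TCP SYN probe and open|filtered for UDP, and an ICMP port-unreachable closes a UDP port but only filters a TCP one. The trace lines are constructed to mirror this page's examples, and attributing an ICMP error to the most recent probe sent to that host is a simplification, because the trace does not print the probe embedded in the ICMP error.

```python
import re

# TCP/UDP trace lines: SENT/RCVD (time) PROTO src:sport > dst:dport [FLAGS] ttl=...
PKT_RE = re.compile(r"^(?P<dir>SENT|RCVD) \([\d.]+s\) (?P<proto>TCP|UDP) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
                    r"(?: (?P<flags>[A-Z]+))?")
# ICMP error lines: RCVD (time) ICMP [src > dst Port unreachable (type=3/code=3) ] IP [...]
ICMP_RE = re.compile(r"^RCVD \([\d.]+s\) ICMP \[(?P<src>[\d.]+) > [\d.]+ .*?"
                     r"type=(?P<type>\d+)/code=(?P<code>\d+)")
# Reason strings modelled on Nmap's --reason column for ICMP type 3 codes.
UNREACH = {"0": "net-unreach", "1": "host-unreach", "2": "proto-unreach", "3": "port-unreach",
           "9": "net-prohibited", "10": "host-prohibited", "13": "admin-prohibited"}

def classify(trace):
    """Return {(proto, host, port): (state, reason)} for every port probed in the trace."""
    result, last_probe = {}, {}  # last_probe: host -> most recent probe sent to it
    for line in trace:
        m = PKT_RE.match(line)
        if m and m["dir"] == "SENT":
            key = (m["proto"], m["dst"], int(m["dport"]))
            # No reply (yet): filtered for a TCP SYN probe, open|filtered for UDP.
            result.setdefault(key, ("filtered" if key[0] == "TCP" else "open|filtered",
                                    "no-response"))
            last_probe[m["dst"]] = key
        elif m:  # RCVD from the scanned port itself
            key, flags = (m["proto"], m["src"], int(m["sport"])), m["flags"] or ""
            if key[0] == "UDP":
                result[key] = ("open", "udp-response")  # any UDP payload came back
            elif "R" in flags:
                result[key] = ("closed", "reset")  # RST/ACK, as seen on TCP port 21
            elif "S" in flags and "A" in flags:
                result[key] = ("open", "syn-ack")
        else:
            m = ICMP_RE.match(line)
            if m and m["type"] == "3" and m["src"] in last_probe:
                # Trace omits the embedded probe: attribute the error to the host's latest probe.
                key = last_probe[m["src"]]
                # UDP port unreachable proves closed; TCP (port 445 above) and other codes: filtered.
                state = "closed" if key[0] == "UDP" and m["code"] == "3" else "filtered"
                result[key] = (state, UNREACH.get(m["code"], "icmp-3-" + m["code"]))
    return result

# Constructed trace modelled on the SENT/RCVD lines shown on this page (not captured data).
SAMPLE_TRACE = [
    "SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 mss 1460",
    "RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0",
    "SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 mss 1460",
    "SENT (0.0388s) TCP 10.10.14.2:52472 > 10.129.2.28:445 S ttl=49 id=21763 iplen=44 seq=1418633433 win=1024 mss 1460",
    "RCVD (0.0487s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=0 iplen=56 ]",
    "SENT (0.0367s) UDP 10.10.14.2:55478 > 10.129.2.28:137 ttl=57 id=9122 iplen=78",
    "RCVD (0.1288s) UDP 10.129.2.28:137 > 10.10.14.2:55478 ttl=64 id=13964 iplen=257",
    "SENT (0.0404s) UDP 10.10.14.2:63825 > 10.129.2.28:100 ttl=57 id=29925 iplen=28",
    "RCVD (0.0454s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=0 iplen=56 ]",
    "SENT (0.0775s) UDP 10.10.14.2:52341 > 10.129.2.28:138 ttl=50 id=29925 iplen=28",
]

if __name__ == "__main__":
    for (proto, host, port), (state, reason) in sorted(classify(SAMPLE_TRACE).items()):
        print(f"{port}/{proto.lower()} {state:<14} {reason}")
```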
Another handy method for scanning ports is the -sV option which is used to get additional available information from the open ports. This method can identify versions, service names, and details about our target.
Version Scan
Scanning Options        Description
10.129.2.28             Scans the specified target.
-Pn                     Disables ICMP echo requests.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
--packet-trace          Shows all packets sent and received.
-p 445                  Scans only the specified port.
--reason                Displays the reason a port is in a particular state.
-sV                     Performs a service scan.
Saving the Results
Different Formats
While we run various scans, we should always save the results. We can use these later to examine the differences between the different scanning methods we have used. Nmap can save the results in 3 different formats.
Normal output (-oN) with the .nmap file extension
Grepable output (-oG) with the .gnmap file extension
XML output (-oX) with the .xml file extension
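Of the three formats, the XML output (-oX) is the one to keep for the later comparison the paragraph above recommends, because it can be parsed reliably. As an added example (not from the original page), the following Python compares the open ports of two saved XML results and reports what appeared and what disappeared; the two documents are constructed to follow Nmap's XML layout, and their hosts, ports and states are made up for the illustration.

```python
import xml.etree.ElementTree as ET

def open_ports(xml_text):
    """Map each host Nmap reports as up to {(proto, port): service name} for its open ports."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts marked down carry no port data worth comparing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                name = service.get("name", "") if service is not None else ""
                ports[(port.get("protocol"), int(port.get("portid")))] = name
        found[addr.get("addr")] = ports
    return found

def diff_scans(old_xml, new_xml):
    """Return (newly_open, no_longer_open) as sets of (host, proto, port)."""
    def flatten(scan):
        return {(h, proto, port) for h, ports in scan.items() for proto, port in ports}
    old, new = flatten(open_ports(old_xml)), flatten(open_ports(new_xml))
    return new - old, old - new

# Constructed -oX documents in Nmap's XML layout; hosts, ports and states are made up.
SCAN_BASELINE = """<nmaprun scanner="nmap" args="nmap -sV -oX baseline 10.129.2.28">
 <host><status state="up" reason="arp-response"/>
  <address addr="10.129.2.28" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
   <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/></port>
   <port protocol="tcp" portid="139"><state state="filtered" reason="no-response"/></port>
  </ports>
 </host>
</nmaprun>"""

SCAN_TODAY = """<nmaprun scanner="nmap" args="nmap -sV -oX today 10.129.2.28">
 <host><status state="up" reason="arp-response"/>
  <address addr="10.129.2.28" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
   <port protocol="tcp" portid="25"><state state="closed" reason="reset"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
  </ports>
 </host>
</nmaprun>"""

if __name__ == "__main__":
    opened, closed = diff_scans(SCAN_BASELINE, SCAN_TODAY)
    print("newly open:", sorted(opened))      # [('10.129.2.28', 'tcp', 80)]
    print("no longer open:", sorted(closed))  # [('10.129.2.28', 'tcp', 25)]
```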
Service Enumeration
Service Version Detection
It is recommended to perform a quick port scan first, which gives us a small overview of the available ports. This causes significantly less traffic, which is advantageous for us because otherwise we can be discovered and blocked by security mechanisms. We can deal with these ports first and run a port scan in the background that shows all open ports (-p-). We can then use the version scan (-sV) to scan the specific ports for services and their versions.
A full port scan takes quite a long time. To view the scan status, we can press the [Space Bar] during the scan, which causes Nmap to show us the scan status.
Another option (--stats-every=5s) defines how often the status should be shown. Here we can specify the number of seconds (s) or minutes (m) after which we want to get the status.
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p-                     Scans all ports.
-sV                     Performs service version detection on the specified ports.
--stats-every=5s        Shows the progress of the scan every 5 seconds.
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p-                     Scans all ports.
-sV                     Performs service version detection on the specified ports.
-Pn                     Disables ICMP echo requests.
-n                      Disables DNS resolution.
--disable-arp-ping      Disables ARP ping.
--packet-trace          Shows all packets sent and received.
If we look at the results from Nmap, we can see the port's status, service name, and hostname. Nevertheless, let us look at this line here:
NSOCK INFO [0.4200s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.28:25] (35 bytes): 220 inlane ESMTP Postfix (Ubuntu)..
Tcpdump - Intercepted Traffic
The first three lines show us the three-way handshake.
1. [SYN]      18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], <SNIP>
2. [SYN-ACK]  18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], <SNIP>
3. [ACK]      18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], <SNIP>
After that, the target SMTP server sends us a TCP packet with the PSH and ACK flags, where PSH states that the target server is sending data to us, and ACK simultaneously informs us that all required data has been sent.
4. [PSH-ACK]  18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], <SNIP>
The last TCP packet that we sent confirms the receipt of the data with an ACK.
5. [ACK]      18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], <SNIP>
Nmap Scripting Engine
The Nmap Scripting Engine (NSE) is another handy feature of Nmap. It lets us write scripts in Lua that interact with certain services. There are a total of 14 categories into which these scripts can be divided:
Category      Description
auth          Determination of authentication credentials.
broadcast     Scripts used for host discovery by broadcasting; the discovered hosts can be added automatically to the remaining scans.
brute         Scripts that try to log in to the respective service by brute-forcing credentials.
default       Default scripts, executed by using the -sC option.
discovery     Evaluation of accessible services.
dos           Scripts that check services for denial-of-service vulnerabilities; they are used less often because they can harm the services.
exploit       Scripts that try to exploit known vulnerabilities for the scanned port.
external      Scripts that use external services for further processing.
fuzzer        Scripts that identify vulnerabilities and unexpected packet handling by sending varying fields; this can take a long time.
intrusive     Intrusive scripts that could negatively affect the target system.
malware       Checks whether the target system is infected by malware.
safe          Defensive scripts that do not perform intrusive or destructive access.
version       Extension for service detection.
vuln          Identification of specific vulnerabilities.
We have several ways to define the desired scripts in Nmap.
Default Scripts
Specific Scripts Category
Defined Scripts
For example, let us keep working with the target SMTP port and see the results we get with two defined scripts.
Nmap - Specifying Scripts
Scanning Options                Description
10.129.2.28                     Scans the specified target.
-p 25                           Scans only the specified port.
--script banner,smtp-commands   Uses the specified NSE scripts.
We see that we can recognize the Ubuntu distribution of Linux by using the 'banner' script. The 'smtp-commands' script shows us which commands we can use when interacting with the target SMTP server. In this example, such information may help us find out existing users on the target. Nmap also gives us the ability to scan our target with the aggressive option (-A). This scans the target with multiple options: service detection (-sV), OS detection (-O), traceroute (--traceroute), and the default NSE scripts (-sC).
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p 80                   Scans only the specified port.
-A                      Performs service detection, OS detection and traceroute, and uses the default scripts to scan the target.
With the help of the used scan option (-A), we found out what kind of web server (Apache 2.4.29) is running on the system, which web application (WordPress 5.3.4) is used, and the title (blog.inlanefreight.com) of the web page. Also, Nmap shows that it is likely to be Linux (96%) operating system.
Vulnerability Assessment
Now let us move on to HTTP port 80 and see what information and vulnerabilities we can find using the vuln category from NSE.
Nmap - Vuln Category
Scanning Options        Description
10.129.2.28             Scans the specified target.
-p 80                   Scans only the specified port.
-sV                     Performs service version detection on the specified ports.
--script vuln           Uses all related scripts from the specified category.
Performance
Optimized RTT
Scanning Options            Description
10.129.2.0/24               Scans the specified target network.
-F                          Scans the top 100 ports.
--initial-rtt-timeout 50ms  Sets the specified time value as the initial RTT timeout.
--max-rtt-timeout 100ms     Sets the specified time value as the maximum RTT timeout.
When comparing the two scans, we can see that we found two fewer hosts with the optimized scan, but the scan took only a quarter of the time. From this, we can conclude that setting the initial RTT timeout (--initial-rtt-timeout) to too short a time period may cause us to overlook hosts.
Max Retries
Another way to increase scan speed is by specifying the retry rate of sent packets (--max-retries). The default value is 10, but we can reduce it to 0. This means if Nmap does not receive a response for a port, it won't send any more packets to that port and will skip it.
Default Scan
Reduced Retries
Scanning Options        Description
10.129.2.0/24           Scans the specified target network.
-F                      Scans the top 100 ports.
--max-retries 0         Sets the number of retries that will be performed during the scan.
Again, we recognize that accelerating can also have a negative effect on our results, which means we can overlook important information.