Active Gathering
These all carry a higher chance of detection, because you are interacting with the organization's systems directly rather than with third-party sources.
Port Scanning
- Host Discovery Strategies: https://nmap.org/book/host-discovery-strategies.html
By default, nmap scans the top 1000 ports with a SYN scan, -sS. This is the default when run as root. Without root privileges, the -sT TCP connect scan is used instead.
Ports can be open, closed or filtered (unknown / firewall interference)
When identifying issues, --packet-trace can be used to trace packets and see the exact response. The host-discovery probes can be switched off individually: -Pn skips the ICMP/ping host discovery, -n disables DNS resolution, and --disable-arp-ping disables the ARP ping used on the local network.
TCP Connect Scan
The TCP connect scan, -sT, fully completes the TCP three-way handshake: it sends a SYN, waits for a SYN/ACK, then returns an ACK (or a RST if the port is closed). This method is highly accurate but less stealthy. Because the handshake completes, the connection can trigger alarms in firewall or IDS systems. However, this scan may be required to get past host firewall rules where inbound connections are blocked but outbound ones are allowed.
eric@hackbook:~$ nmap -sT
When to use
- accuracy is a priority
- stealth is not required
- full handshake is needed to prevent errors or instability on target device
- target may have a host firewall that drops inbound-only connections
TCP SYN Scan
The SYN scan, -sS, is known as a half-open or stealth scan: the scanner only sends a SYN packet and reads the reply, treating a SYN/ACK as open and a RST as closed. The three-way handshake is never completed, which can keep the probe out of application logs and past some IDS/IPS solutions.
When to use
- stealth is important
- speed is important, at the cost of some accuracy
TCP ACK Scan
The ACK scan, -sA, sends a packet with only the ACK flag set. Under TCP's rules the host must respond with a RST whether the port is open or closed, so this scan does not distinguish the two. ACK packets tend to pass stateless firewall rules because they look like part of an existing connection. These scans only report filtered or unfiltered, and --packet-trace may be needed to make further sense of the results.
When to use
- firewalls / IPS / IDS are filtering other TCP packets from reaching the destination
TCP FIN, NULL & Xmas Scans
-sN, -sF, and -sX exploit a loophole in TCP's RFC 793, which states that any packet lacking SYN, RST or ACK should be answered with a RST if the port is closed and with nothing if the port is open. These scans never return a true open status, only open|filtered, closed or filtered. Further investigation is required on any open|filtered ports to narrow down their state. Using version detection with -sV defeats the purpose of this scan and is not advised.
When to use
- need to sneak through non-stateful firewalls and/or packet filtering routers
- stealth is important
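The connect, SYN, ACK and FIN/NULL/Xmas sections above each describe a distinct pattern of client-sent TCP flags, which is exactly what a defender's sensor sees. The following is an added example, not part of the original notes, that turns those descriptions into a small classifier: it groups client packets per destination port, names the probe type from the flag sequence, and reports sources that touched many ports. The packet records, the `Pkt` structure and the `min_ports` threshold are this example's own constructions, not a real capture format.

```python
"""Classify nmap-style TCP probes from client-sent flags and flag scan-like
sources. Added example with constructed data; not code from the notes."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One client-originated TCP packet (constructed record, not a pcap format)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # flags the client sent: "S", "A", "R", "F", "FPU" (Xmas) or "" (NULL)


def classify(client_flags):
    """Map the flag sequence a client sent to one (dst, dport) onto the scan types above."""
    first = set(client_flags[0])
    if first == {"S"}:
        # -sT answers the SYN/ACK with an ACK; -sS tears down with RST or stays silent
        return "connect" if any(set(f) == {"A"} for f in client_flags[1:]) else "syn"
    if first == {"A"}:
        return "ack"  # -sA: bare ACK probe, only distinguishes filtered/unfiltered
    if not first & {"S", "R", "A"}:
        # RFC 793 loophole probes: neither SYN, RST nor ACK is set
        return {"": "null", "F": "fin", "FPU": "xmas"}.get(client_flags[0], "rfc793-other")
    return "other"


def find_scanners(packets, min_ports=10):
    """Group client packets per (src, dst, dport), classify each probe and
    report every source that touched at least min_ports distinct ports."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.dport)].append(p)
    per_src = defaultdict(lambda: {"ports": set(), "types": defaultdict(int), "sports": set()})
    for (src, dst, dport), pkts in flows.items():
        kind = classify([p.flags for p in pkts])
        s = per_src[src]
        s["ports"].add((dst, dport))
        s["types"][kind] += 1
        s["sports"].update(p.sport for p in pkts)
    report = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= min_ports:
            report[src] = {
                "ports": len(s["ports"]),
                "types": dict(s["types"]),
                # one source port reused across many probes is itself a signal
                "fixed_source_port": next(iter(s["sports"])) if len(s["sports"]) == 1 else None,
            }
    return report


def sample_packets():
    """Constructed traffic: a half-open SYN scan, an Xmas scan sent from a fixed
    source port, and one ordinary client that completes its handshake."""
    pkts = []
    for port in range(20, 32):  # 12 ports, SYN then RST, never an ACK
        pkts.append(Pkt("10.0.0.5", 40000 + port, "10.0.0.9", port, "S"))
        pkts.append(Pkt("10.0.0.5", 40000 + port, "10.0.0.9", port, "R"))
    for port in range(100, 110):  # 10 ports, FIN/PSH/URG probes from source port 53
        pkts.append(Pkt("10.0.0.6", 53, "10.0.0.9", port, "FPU"))
    pkts.append(Pkt("10.0.0.7", 51515, "10.0.0.9", 443, "S"))  # normal client
    pkts.append(Pkt("10.0.0.7", 51515, "10.0.0.9", 443, "A"))
    return pkts


if __name__ == "__main__":
    for src, info in find_scanners(sample_packets()).items():
        print(src, info)
```

Only the normal client is absent from the report: it sent a SYN followed by an ACK on a single port, which is what a completed connection looks like. The half-open source shows up as twelve "syn" probes with varying source ports, and the Xmas source as ten "xmas" probes all from port 53, the kind of fixed source port the Evasion notes describe.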
UDP Scan
The UDP scan, -sU, exclusively targets UDP ports. It can be combined with either the TCP connect or SYN scan to cover both TCP and UDP ports in the same run. UDP scanning is tricky, as UDP services are not required to respond and there is no handshake. Certain well-known ports like DNS/SNMP get a protocol-specific payload to coax a response; otherwise ports receive a packet with an empty payload. Most commonly, ports are reported as open|filtered, meaning nmap is unsure of the true status of the port. Adding version scanning with -sUV can help narrow down whether the port is open, but increases the scan time further. This scan can be extremely slow because hosts rate-limit ICMP port unreachable replies. A full 65k port scan on a single linux host can take over 18 hours.
When to use
- To specifically check for services on UDP ports
Scripts
Default scripts can be loaded with -sC or --script=default. These include safe scans such as robots.txt, ftp checks, clock skew, dns checks, smb checks. Other scripts can be searched using --script-help <keyword|category>. There are 14 total categories of scripts:
| Category | Description |
|---|---|
| auth | Determination of authentication credentials. |
| broadcast | Scripts used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans. |
| brute | Executes scripts that try to log in to the respective service by brute-forcing credentials. |
| default | Default scripts executed by using the -sC option. |
| discovery | Evaluation of accessible services. |
| dos | Scripts that check services for denial of service vulnerabilities; used less often because they harm the services. |
| exploit | Scripts that try to exploit known vulnerabilities for the scanned port. |
| external | Scripts that use external services for further processing. |
| fuzzer | Scripts that identify vulnerabilities and unexpected packet handling by sending varied field values; this can take much time. |
| intrusive | Intrusive scripts that could negatively affect the target system. |
| malware | Checks whether the target system is infected by malware. |
| safe | Defensive scripts that do not perform intrusive or destructive access. |
| version | Extension for service detection. |
| vuln | Identification of specific vulnerabilities. |
Performance
- --initial-rtt-timeout 50ms --max-rtt-timeout 100ms: set the round-trip-time min/max timeouts to speed up the scan. This can increase scan speed, but can also cause hosts or ports that respond slowly to be mislabeled as down.
- --max-retries: by default nmap tries 10 times. Can be lowered to increase scan speed, but again may miss slower-responding ports or hosts.
- --min-rate: setting the number of packets to be sent per second can increase scan speed. Be careful not to set it too high and overload the network.
- -T: sets the speed/aggressiveness of the scan, 0-5. This also sets some of the settings above automatically.
- T0 and T1 have 5m and 15s scan delays, respectively. In other words, each packet will have a sleep period in between packets. These are good for IDS evasion and remaining stealthy during scanning.
- T5 is the most aggressive; it also tightens max-retries and max-rtt-timeout, which can cause some accuracy loss, but is incredibly quick and noisy. IDS or firewalls may block or rate-limit this.
- Omitting version detection (no -sV) can also greatly increase performance. Using a basic port scan to find open ports in the first pass, then going back to run version scanning on specific ports, can help performance.
Evasion
- Firewall/IDS Evasion and Spoofing: https://nmap.org/book/man-bypass-firewalls-ids.html
* -sA can be used to carry out a TCP ACK scan to determine filtered state of a port
* -D can be used to spoof IPs and setup decoys to mask which IP is the legitimate source of the scan
* -D RND:5 creates 5 random IPs to spoof packets from
* Decoys do not work with version detection -sV or connect scans -sT
* Generally, it's better to specify which IPs as decoys and ensure these IPs are actually online. If the decoy IPs are all down, it becomes trivial to determine which IP was the real scanner, and it can inadvertently SYN flood the target.
* --source-port binds activity to a specific port which could evade firewall
* for example, binding it to 80/443 will make it look like HTTP traffic instead of a random high port performing port scanning
* the same logic applies to port 53: hosts may answer what looks like a DNS request when they would drop other traffic.
Cheatsheet
# simple full TCP port scan with version detection
nmap -sSV -p- -oA <output_file> <target>
# nmap with scripts, version detection and all ports saved to file
nmap -sC -sV -p- -oA <output_file> <target>
# aggressive scan that performs service detection, OS detection, traceroute
# and default scripts. better to use against specific ports
nmap -A -p<port> <target>
# nmap scan IP range and print just online IPs (ICMP / ARP scan)
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
# ICMP echo only, with packet trace (TTL can assist in identifying OS)
nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping
# TCP, UDP, with version detection (CAN BE VERY SLOW, NARROWING DOWN PORTS PREFERRED)
nmap -sSUV -p<ports> <target>
# search for specific scripts
nmap --script-help <keyword|category>
# alternate method of searching for scripts
find / -type f -name 'ftp*' 2>/dev/null | grep scripts
# run a certain category of scripts, like vuln
nmap <target> --script vuln
# run multiple specific scripts
nmap <target> --script banner,smtp-commands
# run specific scripts in a category
nmap <target> --script "discovery and http-*"
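Several cheatsheet commands save results with -oA, which writes .nmap, .gnmap and .xml files; the grep/cut pipeline above works for a host list but breaks down once ports, states and versions are needed. The following is an added example, not part of the original notes, that parses the XML output with the standard library and separates true open ports from the open|filtered results that UDP scans produce. The XML document is constructed sample data in nmap's XML layout, not a real scan.

```python
"""Parse nmap -oX/-oA XML output into live hosts and their open ports.
Added example with a constructed XML sample; not code from the notes."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout: one live host with TCP and UDP
# results, one host that never answered host discovery.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sSUV -p- -oA scan 10.129.2.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.129.2.18" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.129.2.19" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: [port dicts]} for every host nmap marked as up."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = next(a.get("addr") for a in host.findall("address")
                    if a.get("addrtype") == "ipv4")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),  # syn-ack, reset, no-response, ...
                "service": svc.get("name") if svc is not None else None,
                "product": " ".join(filter(None, [svc.get("product"), svc.get("version")]))
                if svc is not None else None,
            })
        results[addr] = ports
    return results


def open_ports(results, include_unsure=False):
    """Summarise open ports as "proto/port service"; open|filtered entries
    (the usual UDP outcome) are only included when include_unsure is set."""
    wanted = {"open"} | ({"open|filtered"} if include_unsure else set())
    return {addr: [f"{p['proto']}/{p['port']} {p['service'] or '?'}"
                   for p in ports if p["state"] in wanted]
            for addr, ports in results.items()}


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for host, ports in open_ports(scan, include_unsure=True).items():
        print(host, ports)
```

To use it on a real run, read the .xml file that -oA produced and pass its text to `parse_nmap_xml`. Keeping `reason` around is useful when triaging: a port reported open because of a syn-ack is solid, whereas no-response on UDP is exactly the ambiguity the UDP section describes and deserves a follow-up -sUV on that port only.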
Vuln Scanning
- Using more detailed scanners like Nessus or OpenVAS to probe for specific vulns on a target. High likelihood of detection; can be even noisier than a simple port scan.
Network Mapping
- Using traceroute or nmap to identify multiple hosts and gateways. Medium-high likelihood of detection depending on the speed of scanning.
Banner Grabbing
- Retrieving service info from banners with nc or curl. Low chance of detection, but connection attempts can appear in logs.
OS Fingerprinting
- nmap -O. Low likelihood of detection, similar to banner grabbing.
Service Enumeration
- nmap -sV. Low likelihood of detection, similar to banner grabbing.
Web Spidering
- Crawling a website to identify pages, directories and files, such as with Burp Suite Spider. Low-medium chance of detection depending on crawler configuration.