Nmap Port Scan

Version Enumeration with Nmap:

Always start with a full nmap scan to check it returns version information.

sudo nmap <ip> -p- -A -T4 -vv

We can also use the nmap script scans to look for vulnerable services:

sudo nmap <ip> -p <ports> --script=vuln -T4 -vv

Introduction

Also see [[(3) Study Notes/(1) Red Team/Pentest/(2) Network/(99) Testing Tools/(1) Enumeration Tools/Nmap|Nmap]].

Example Payload:

sudo nmap $ip -T4 -p- -A -vv

Trick for faster scanning:

First, do a full port scan without -A:

sudo nmap $ip -T4 -p-

Then, perform -A on all open ports.

sudo nmap $ip -T4 -A -vv -p [Open Ports]

SYN Scan

Example Syntax:

sudo nmap -sS 192.168.50.149

Benefits:

  • Faster (as less packets were sent)

  • May be stealthier (if the firewall does not log incomplete connections. The application may also not record the connection as it never reached the application)

UDP Scan

Example Syntax:

sudo nmap -sU 192.168.50.149

Both SYN and UDP scans can also be combined into one scan:

sudo nmap -sU -sS 192.168.50.149

Network Sweeping

Example Syntax:

nmap -sn 192.168.50.1-253

  • Use the -sn option to perform no port scan.

We can use grep for a larger network:

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt

Then:

grep Up ping-sweep.txt | cut -d " " -f 2

Web Sweep:

nmap -p 80 192.168.50.1-253 -oG web-sweep.txt

  • This sweep for port 80 across the whole 192.168.50.0/24 network. Then:

grep open web-sweep.txt | cut -d " " -f 2

General Sweep:

nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt

  • --top-ports for enumerating common services.

OS Detection

Example Syntax:

sudo nmap -O 192.168.50.14 --osscan-guess

  • Use --osscan-guess for aggressive OS guess.

Windows LOLBAS

Test-NetConnection in PowerShell

Example Syntax:

Test-NetConnection -Port 445 192.168.50.151

  • This basically equals to testing the port with Telnet.

Basic Port Scan in PowerShell:

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

  • This loops through 1 to 1024 and attempt to build TCP connections with each of the ports of 192.168.50.151.

Bonus: Monitoring Traffics

iptables

  • Use iptables to monitor traffics of scanning.

sudo iptables -I INPUT 1 -s 192.168.50.149 -j ACCEPT

  • -I for inserting a new rule (to inbound traffic with INPUT)

    • The number following INPUT indicates where to insert the rule (Rule Order), with 1 being at the top of all rules.

  • -s for the source of traffic

  • -j for specifying what this rule does. Here ACCEPT means to let the packet go through.

sudo iptables -I OUTPUT 1 -d 192.168.50.149 -j ACCEPT

  • -I for inserting a new rule (to outbound traffic with OUTPUT)

  • -d for the destination of traffic

sudo iptables -Z

  • -Z for zeroing the packet and the byte counter. This is to reset the counters in iptables to obtain a fresh set of data.

After Scanning, use this to show the traffic generated:

sudo iptables -vn -L

Nessus

Not much useful stuff.

Nmap

NSE Scripts:

sudo nmap --script "vuln" [ip]

How to use customized NSE Scripts:

1. Google the relevant NSE script:

  • Download the .nse file to out machine.

2. Copy the script into the nmap scripts folder:

sudo cp /home/kali/Downloads/[script].nse /usr/share/nmap/scripts/[script].nse

3. Update script.db:

sudo nmap --script-updatedb

4. Use the script:

sudo nmap --script "[script].nse" [ip]

Last updated