🎇Network Enumeration with nmap

Introduction

Features

• Host discovery

• Port scanning

• Service enumeration and detection

• OS detection

• Scriptable interaction with the target service (Nmap Scripting Engine)

Types of Results

• If our target sends an SYN-ACK flagged packet back to the scanned port, Nmap detects that the port is open.

• If the packet receives an RST flag, it is an indicator that the port is closed.

• If Nmap does not receive a packet back, it will display it as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall.

Host Discovery

• There are many options Nmap provides to determine whether our target is alive or not. The most effective host discovery method is to use ICMP echo requests, which we will look into.

• Network Range Scan:

  sudo nmap 10.129.2.0/24

• List of IP's in a file Scan:

  sudo nmap -iL hosts.lst

• Scan multiple IP's:

  sudo nmap 10.129.2.18 10.129.2.19 10.129.2.20

• To see what type of request is sending to the host/s we can specify the flag "--packet-trace".

• Another way to determine why Nmap has our target marked as "alive" is with the "--reason" option.

• To disable ARP requests and scan our target with the desired ICMP echo requests, we can disable ARP pings by setting the "--disable-arp-ping" option.

• How to identify which OS is running based in the TTL result from nmap or ping:

• TTL=64 = *nix - the hop count so if your getting 61 then there are 3 hops and its a *nix device. Most likely Linux.
  TTL=128 = Windows - again if the TTL is 127 then the hop is 1 and its a Windows box.
  TTL=254 = Solaris/AIX - again if the TTL is 250 then the hop count is 4 and its a Solaris box.

open	This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
closed	When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
filtered	Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
unfiltered	This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open|filtered	If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.
closed|filtered	This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

Analyzing a packet result

We can see from the SENT line that we (10.10.14.2) sent a TCP packet with the SYN flag (S) to our target (10.129.2.28). In the next RCVD line, we can see that the target responds with a TCP packet containing the RST and ACK flags (RA). RST and ACK flags are used to acknowledge receipt of the TCP packet (ACK) and to end the TCP session (RST).

Filtered Ports

When a port is shown as filtered, it can have several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped, or rejected. When a packet gets dropped, Nmap receives no response from our target, and by default, the retry rate (--max-retries) is set to 1. This means Nmap will resend the request to the target port to determine if the previous packet was not accidentally mishandled.

Let us look at an example where the firewall drops the TCP packets we send for the port scan. Therefore we scan the TCP port 139, which was already shown as filtered. To be able to track how our sent packets are handled, we deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping) again.

We see in the last scan that Nmap sent two TCP packets with the SYN flag. By the duration (2.06s) of the scan, we can recognize that it took much longer than the previous ones (~0.05s). The case is different if the firewall rejects the packets. For this, we look at TCP port 445, which is handled accordingly by such a rule of the firewall.

As a response, we receive an ICMP reply with type 3 and error code 3, which indicates that the desired host is unreachable. Nevertheless, if we know that the host is alive, we can strongly assume that the firewall on this port is rejecting the packets, and we will have to take a closer look at this port later.

Discovering Open UDP Ports

Some system administrators sometimes forget to filter the UDP ports in addition to the TCP ones. Since UDP is a stateless protocol and does not require a three-way handshake like TCP. We do not receive any acknowledgment. Consequently, the timeout is much longer, making the whole UDP scan (-sU) much slower than the TCP scan (-sS). Another disadvantage of this is that we often do not get a response back because Nmap sends empty datagrams to the scanned UDP ports, and we do not receive any response. So we cannot determine if the UDP packet has arrived at all or not.

• If the UDP port is open, we only get a response if the application is configured to do so.

• If we get an ICMP response with error code 3 (port unreachable), we know that the port is indeed closed.

• For all other ICMP responses, the scanned ports are marked as (open|filtered).

References

• https://nmap.org/book/man-port-scanning-techniques.html

Output Options

• Normal output (-oN) with the .nmap file extension

• Grepable output (-oG) with the .gnmap file extension

• XML output (-oX) with the .xml file extension

• option (-oA) to save the results in all formats

Service enumeration

• The option (-sV) give us the version of the service

• Another option (--stats-every=5s) that we can use is defining how periods of time the status should be shown. Here we can specify the number of seconds (s) or minutes (m), after which we want to get the status.

• Sometimes nmap cant figure it out what is the version of the service since some services do not provide the information in the tcp header. Some only give the banner information after the three-way handshake. If it happens we need to connect to the service via nc to try and grab the version for future exploit decisions.

• After the three-way handshake the banner information is sent through the PSH flag in the TCP header, at the network layer. Another Ack is sent for the acknowledge that we get the information.

• To see this happen:

  sudo tcpdump -i eth0 host <my_ip> and <target_ip>

Nmap Scripting Engine

Scripts categories:

Category	Description
auth	Determination of authentication credentials.
broadcast	Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans.
brute	Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default	Default scripts executed by using the -sC option.
discovery	Evaluation of accessible services.
dos	These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.
exploit	This category of scripts tries to exploit known vulnerabilities for the scanned port.
external	Scripts that use external services for further processing.
fuzzer	This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.
intrusive	Intrusive scripts that could negatively affect the target system.
malware	Checks if some malware infects the target system.
safe	Defensive scripts that do not perform intrusive and destructive access.
version	Extension for service detection.
vuln	Identification of specific vulnerabilities.

Performance

https://nmap.org/book/man-performance.html

• When Nmap sends a packet, it takes some time (Round-Trip-Time - RTT) to receive a response from the scanned port. Generally, Nmap starts with a high timeout (--min-RTT-timeout) of 100ms. We can change it with --min-RTT-timeout and --max-RTT-timeout

• We can change how many packets should be sent simultaneously (--min-rate <number>), and with the number of retries (--max-retries <number>) for the scanned ports the targets should be scanned.

Firewall and IDS/IPS

• Nmap's TCP ACK scan (-sA) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (sT) because they only send a TCP packet with only the ACK flag. When a port is closed or open, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.

Decoys

• There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent.

• With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:). Our real IP address is then randomly placed between the generated IP addresses. In the next example, our real IP address is therefore placed in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms.

• sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

• The spoofed packets are often filtered out by ISPs and routers, even though they come from the same network range. Therefore, we can also specify our VPS servers' IP addresses and use them in combination with "IP ID" manipulation in the IP headers to scan the target.

• Another scenario would be that only individual subnets would not have access to the server's specific services. So we can also manually specify the source IP address (-S) to test if we get better results with this one. Decoys can be used for SYN, ACK, ICMP scans, and OS detection scans. So let us look at such an example and determine which operating system it is most likely to be.

• sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying

• By default, Nmap performs a reverse DNS resolution unless otherwise specified to find more important information about our target. These DNS queries are also passed in most cases because the given web server is supposed to be found and visited. The DNS queries are made over the UDP port 53. The TCP port 53 was previously only used for the so-called "Zone transfers" between the DNS servers or data transfer larger than 512 bytes. More and more, this is changing due to IPv6 and DNSSEC expansions. These changes cause many DNS requests to be made via TCP port 53.

• However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server <ns>,<ns>). This method could be fundamental to us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.

• sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

Ping Sweep

Ping sweep is an expression given to the action of sending ICMP packets to every IP in a subnet to find if they are alive or not.

IDS/IPS Medium

sudo nmap -f -Pn -p 53 -sV -D 192.168.2.1,192.168.2.10,10.10.14.88  --source-port 53 10.129.2.48

IDS/IPS Hard

• https://security.stackexchange.com/questions/121900/how-can-the-nmap-tool-be-used-to-evade-a-firewall-ids

• https://nmap.org/book/man-bypass-firewalls-ids.html