Nmap

Every computer has a total of 65535 available ports

80: HTTP Webservice

443: HTTPS

139: NETBIOS

445: SMB

It is crucial that we begin any attack with a port scan. This can be accomplished using a tool called Nmap. Nmap can perform many different kinds of port scan; it connects to each port of the target in turn. Once we know which ports are open, we can then enumerate which services are running on each port, either manually or, more commonly, using Nmap.

Nmap Switches:

Nmap can be accessed by typing nmap into the terminal command line followed by switches

nmap -h: access help menu

man nmap: access manual page

-sS: Syn Scan

-sU: UDP Scan

-O: detect OS running on a target machine

-sV: detect the version of the services running on the target

-v: increase the verbosity

-vv: set the verbosity level to two

-oA: save the nmap results in three major formats

-oN: save the nmap results in a "normal" format

-oG: save results in a "grepable" format

-A: enable "aggressive" mode

-T5: increase the speed your scan runs at

-p 80: scan port 80

-p 1000-1500: scan ports 1000-1500

-p-: scan all ports

--script: activate a script from the nmap scripting library

--script=vuln: activate all of the scripts in the "vuln" category

Scan Types

When port scanning with Nmap, there are three basic scan types. These are:

-sT: TCP connect scans

-sS: SYN half open/ stealth scans

-sU: UDP scans

-sN: TCP Null scans

-sF: TCP FIN scans

-sX: Xmas scans

-sn: tells Nmap not to scan any ports

One of the first three scan types is likely to be your go-to in most situations

If a port is closed, the server sends back a packet with the RST flag set

If a UDP port doesn't respond to an Nmap scan, it will be marked as open|filtered

NULL, FIN and Xmas scans are generally used for firewall evasion

nmap -sn 192.168.0.1-254 OR nmap -sn 192.168.0.0/24: perform a ping sweep to determine which IP addresses are alive
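Once a scan has been saved with -oG, the grepable output can be parsed to turn the port states above into an inventory of exposed services per host. This is an added example in Python, not part of the original notes; it runs over a constructed sample of grepable output (the addresses and service banners are made up), and it keeps open|filtered UDP ports separate because, as noted above, an unanswered UDP probe does not prove the port is open.

```python
import re

# Constructed sample of `nmap -oG` ("grepable") output, not a real scan.
# Fields on a Host: line are tab-separated; the tabs are written as \t here.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV -oG scan.gnmap 192.168.0.0/24
Host: 192.168.0.10 ()\tStatus: Up
Host: 192.168.0.10 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.41/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//microsoft-ds///, 443/closed/tcp//https///\tIgnored State: closed (996)
Host: 192.168.0.23 ()\tStatus: Up
Host: 192.168.0.23 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# Each entry in the "Ports:" field has the shape port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Map each scanned host to the list of port entries nmap reported for it."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # "192.168.0.10 ()" -> "192.168.0.10"
        entries = hosts.setdefault(host, [])
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_RE.fullmatch(entry.strip())
            if not m:
                continue  # "Status: Up" lines carry no Ports: field
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version})
    return hosts


def exposed_services(hosts, include_unresolved_udp=False):
    """Return (host, port, proto, service) tuples for ports nmap reported as open.

    UDP ports that never answered come back as open|filtered; they are only
    included when the caller opts in, since they may be filtered rather than open.
    """
    wanted = {"open"} | ({"open|filtered"} if include_unresolved_udp else set())
    return [(h, e["port"], e["proto"], e["service"])
            for h, entries in hosts.items() for e in entries if e["state"] in wanted]


if __name__ == "__main__":
    for row in exposed_services(parse_gnmap(SAMPLE_GNMAP), include_unresolved_udp=True):
        print(row)
```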

NSE Scripts

The Nmap Scripting Engine (NSE) can be used to scan for vulnerabilities and to automate exploits for them. NSE is particularly useful for reconnaissance.

There are many categories available. Some useful categories include:

  • safe:- Won't affect the target

  • intrusive:- Not safe: likely to affect the target

  • vuln:- Scan for vulnerabilities

  • exploit:- Attempt to exploit a vulnerability

  • auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)

  • brute:- Attempt to bruteforce credentials for running services

  • discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).

  • see more examples here: https://nmap.org/book/nse-usage.html

Working with the NSE

--script=<script-name>: run a specific script, e.g. --script=http-fileupload-exploiter

nmap --script-help <script-name>: access built in help menus

--script : activate NSE script

--script=vuln : activate vulnerability scanning script

--script=smb-enum-users,smb-enum-shares: run multiple scripts

--script-args: set script arguments, e.g. for http-put: nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

A full list of scripts and their corresponding arguments (along with example use cases) can be found in the NSE documentation on the Nmap website.

Searching for Scripts

There are two ways to find these scripts. The first is the NSE documentation page on the Nmap website.

The second is the local storage on your attacking machine. Nmap stores its scripts on Linux at /usr/share/nmap/scripts. All of the NSE scripts are stored in this directory by default.

There are two ways to search for installed scripts. One is by using the /usr/share/nmap/scripts/script.db file, which can be grepped to look for scripts by name:

grep "ftp" /usr/share/nmap/scripts/script.db

The second way to search for scripts is quite simply to use the ls command.

ls -l /usr/share/nmap/scripts/*ftp*

The same techniques can also be used to search for categories of script. For example: grep "safe" /usr/share/nmap/scripts/script.db

Installing New Scripts

sudo apt update && sudo apt install nmap

To install a script manually, download it from the Nmap script repository and then update the local script database:

sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse

nmap --script-updatedb

Firewall Evasion

-Pn: tells Nmap to not bother pinging the host before scanning it
