
Getting started with Nmap - Part 8

In the last part, we learnt about the various options that Nmap provides for avoiding detection by firewall and IDS. So far, the output from Nmap that we've been looking at is all from the console. In this post, we'll look at the various output options that Nmap provides.

Disclaimer: Throughout this tutorial series I have used scanme.nmap.org as the target host, and sometimes my own local machine. scanme.nmap.org is set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks you do not own or have written permission to test is, in general, a crime and may lead to jail. Get permission before scanning anything else.

Create Text Output


The -oN <file> option writes "normal" output, the same format you see on the console, to a file. While the results are being written to the file, Nmap still prints to STDOUT (usually the console).

nikhilh@ubuntu:~$ nmap -d -oN scan-results.txt scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.txt 
# Nmap 7.70 scan initiated Fri Aug 24 15:10:21 2018 as: nmap -d -oN scan-results.txt scanme.nmap.org
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.083s latency).
Scanned at 2018-08-24 15:10:21 PDT for 23s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
9929/tcp open  nping-echo syn-ack

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
# Nmap done at Fri Aug 24 15:10:44 2018 -- 1 IP address (1 host up) scanned in 23.06 seconds

Note that not all of the -d debug output made it into the file: the timing report and the "Read from" line did, but the per-task progress messages that Nmap prints only to the console did not. By default -oN overwrites an existing file; use --append-output to add to it instead.

Create XML Output


XML is the output type to use whenever something other than a human will read the results: it is the most complete of the formats, and it is what Zenmap and Ndiff (which compares two scans) take as input. As with -oN, Nmap still prints to STDOUT while writing the XML file.

nikhilh@ubuntu:~$ nmap -d -oX scan-results.xml scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.70 scan initiated Fri Aug 24 15:20:07 2018 as: nmap -d -oX scan-results.xml scanme.nmap.org -->
<nmaprun scanner="nmap" args="nmap -d -oX scan-results.xml scanme.nmap.org" start="1535149207" startstr="Fri Aug 24 15:20:07 2018" version="7.70" xmloutputversion="1.04">
<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-993,995,999-1002,1007,1009-
...
...
848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="1"/>
<debugging level="1"/>
<taskbegin task="Ping Scan" time="1535149207"/>
<taskend task="Ping Scan" time="1535149207" extrainfo="1 total hosts"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1535149207"/>
<taskend task="Parallel DNS resolution of 1 host." time="1535149207"/>
<taskbegin task="Connect Scan" time="1535149207"/>
<taskend task="Connect Scan" time="1535149228" extrainfo="1000 total ports"/>
<host starttime="1535149207" endtime="1535149228"><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="45.33.32.156" addrtype="ipv4"/>
<hostnames>
<hostname name="scanme.nmap.org" type="user"/>
<hostname name="scanme.nmap.org" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="996">
<extrareasons reason="no-responses" count="996"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
..
...
<runstats><finished time="1535149228" timestr="Fri Aug 24 15:20:28 2018" elapsed="21.08" summary="Nmap done at Fri Aug 24 15:20:28 2018; 1 IP address (1 host up) scanned in 21.08 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

The xml-stylesheet line near the top points at nmap.xsl by a local filesystem path, so rendering the file as HTML in a browser only works on the machine that ran the scan (the scan data itself is usable anywhere). --webxml makes Nmap reference the stylesheet hosted at nmap.org instead, so the file renders on any connected machine; --stylesheet <path or URL> sets one of your own; and --no-stylesheet omits the directive entirely, which is what you want when the file will only ever be parsed by a program.
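As an added example (not code from the original post, and not Nmap's or Ndiff's own code), here is a small stdlib parser for the nmaprun document shown above, plus the comparison Ndiff performs at a high level: which ports changed state between two scans of the same host. The sample document is constructed from a template modelled on the structure above; the host, counters and the function names are mine.

```python
# Added example, not code from the original post: parse -oX output with the
# standard library and compare two scans the way Ndiff does at a high level.
import xml.etree.ElementTree as ET

# Constructed nmaprun document modelled on the structure shown in the post.
# The host and counters are illustrative; %d/%d/%s are filled in by sample_scan().
# (No xml-stylesheet line: this is what --no-stylesheet produces.)
SCAN_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -oX scan.xml scanme.nmap.org" start="1535149207" version="7.70" xmloutputversion="1.04">
<host starttime="1535149207" endtime="1535149228"><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="45.33.32.156" addrtype="ipv4"/>
<hostnames><hostname name="scanme.nmap.org" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="%d"><extrareasons reason="no-responses" count="%d"/></extraports>
%s</ports></host>
<runstats><finished time="1535149228" elapsed="21.08" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

def sample_scan(open_ports):
    """Render the template with the given [(port, service), ...] as open TCP ports."""
    port_xml = "".join(
        '<port protocol="tcp" portid="%d"><state state="open" reason="syn-ack" reason_ttl="0"/>'
        '<service name="%s" method="table" conf="3"/></port>\n' % (port, service)
        for port, service in open_ports)
    folded = 1000 - len(open_ports)        # ports Nmap folds into <extraports>
    return SCAN_TEMPLATE % (folded, folded, port_xml)

def parse_nmap_xml(xml_text):
    """Return {addr: {"up", "hostnames", "default_state", "ports": {(proto, port): (state, service)}}}.
    For files that come from an untrusted source, parse with defusedxml instead of ET."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        extra = host.find("ports/extraports")
        ports = {}
        for port in host.iter("port"):
            svc = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = (
                port.find("state").get("state"),
                svc.get("name") if svc is not None else None)
        hosts[addr.get("addr")] = {
            "up": host.find("status").get("state") == "up",
            "hostnames": [h.get("name") for h in host.iter("hostname")],
            "default_state": extra.get("state") if extra is not None else "unknown",
            "ports": ports,
        }
    return hosts

def open_ports(hosts, addr):
    return sorted(key for key, (state, _) in hosts[addr]["ports"].items() if state == "open")

def diff_scans(old_xml, new_xml):
    """Ndiff-style summary: (addr, (proto, port), old_state, new_state) for every port whose state
    changed. A port missing from a host's list takes that host's <extraports> state."""
    old, new = parse_nmap_xml(old_xml), parse_nmap_xml(new_xml)
    changes = []
    for addr in sorted(set(old) | set(new)):
        o, n = old.get(addr), new.get(addr)
        o_ports = o["ports"] if o else {}
        n_ports = n["ports"] if n else {}
        for key in sorted(set(o_ports) | set(n_ports)):
            before = o_ports[key][0] if key in o_ports else (o["default_state"] if o else "absent")
            after = n_ports[key][0] if key in n_ports else (n["default_state"] if n else "absent")
            if before != after:
                changes.append((addr, key, before, after))
    return changes

if __name__ == "__main__":
    old = sample_scan([(22, "ssh"), (80, "http"), (9929, "nping-echo")])
    new = sample_scan([(22, "ssh"), (80, "http"), (31337, "Elite")])
    for change in diff_scans(old, new):
        print("%s %s/%d: %s -> %s" % (change[0], change[1][0], change[1][1], change[2], change[3]))
```

The diff treats a port that is not listed as having the host's <extraports> state, which is exactly how Nmap folds the uninteresting ports; that is why 9929 shows up as open -> filtered in the second scan even though it never appears in its <port> list.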

Create Grepable Output


-oG <file> writes one line per host with that host's ports, states and services on it, so grep, awk and cut can answer questions like "which hosts have port 22 open" directly. Each port entry has the form port/state/protocol/owner/service/rpc-info/version-info, and the fields on a line are separated by tabs. Nmap's documentation considers this format deprecated in favour of XML (it omits, for example, NSE script output), but it remains convenient for quick one-liners. As before, Nmap also prints to STDOUT while writing the file.

nikhilh@ubuntu:~$ nmap -d -oG scan-results.txt scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.txt
# Nmap 7.70 scan initiated Fri Aug 24 15:27:16 2018 as: nmap -d -oG scan-results.txt scanme.nmap.org
# Ports scanned: TCP(1000;1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-
...
...
56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 45.33.32.156 (scanme.nmap.org) Status: Up
Host: 45.33.32.156 (scanme.nmap.org) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite/// Ignored State: filtered (996)
# Nmap done at Fri Aug 24 15:27:37 2018 -- 1 IP address (1 host up) scanned in 21.75 seconds
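The grep use case in code, as an added example (not from the original post): a parser for the one-line-per-host layout above and a query over it. The input is a constructed four-address scan with tab-separated fields (the post's copy shows them flattened to spaces, so the splitter accepts both); the addresses, names and function names are mine.

```python
# Added example, not code from the original post: parse -oG output and run the
# "which hosts have this port open" query the format was designed for.
import re

# Constructed sample in the -oG layout (tabs between fields, as Nmap writes them).
GNMAP = """# Nmap 7.70 scan initiated Fri Aug 24 15:27:16 2018 as: nmap -oG scan-results.txt 10.0.0.0/30
# Ports scanned: TCP(4;22,80,443,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (1)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (2)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done at Fri Aug 24 15:27:37 2018 -- 4 IP addresses (2 hosts up) scanned in 21.75 seconds
"""

# port/state/protocol/owner/service/rpc-info/version-info/ (seven fields, trailing slash)
PORT_RE = re.compile(r"^(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")
# Fields are tab-separated; also accept runs of spaces before a known field label.
FIELD_SPLIT = re.compile(r"\t|\s+(?=(?:Status|Ports|Ignored State|OS|Seq Index|IP ID Seq): )")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return {addr: {"hostname", "status", "ports": [...], "ignored"}}; the Status and Ports
    lines for one host are merged into one record."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                  # comment lines
        fields = FIELD_SPLIT.split(line)
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        addr, name = m.group(1), m.group(2) or None   # "()" means no reverse DNS name
        rec = hosts.setdefault(addr, {"hostname": name, "status": None, "ports": [], "ignored": None})
        for field in fields[1:]:
            label, _, value = field.partition(": ")
            if label == "Status":
                rec["status"] = value
            elif label == "Ports":
                for entry in value.split(", "):
                    pm = PORT_RE.match(entry.strip())
                    if pm:
                        port, state, proto, owner, service, rpc, version = pm.groups()
                        rec["ports"].append({"port": int(port), "state": state, "proto": proto,
                                             "service": service or None, "version": version or None})
            elif label == "Ignored State":
                rec["ignored"] = value
    return hosts

def hosts_with_open(hosts, port, proto="tcp"):
    """The grep one-liner, done properly: addresses with <port>/<proto> in state open."""
    return sorted(addr for addr, rec in hosts.items()
                  if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                         for p in rec["ports"]))

if __name__ == "__main__":
    scan = parse_gnmap(GNMAP)
    print("ssh exposed on:", hosts_with_open(scan, 22))
    print("rdp exposed on:", hosts_with_open(scan, 3389))
```

Note that a naive grep for "22/open" would also match "3322/open" or "22/open/udp"; parsing the entries once and filtering on the structured fields avoids that.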

Create all Output Types


If you want all three files at once, -oA <basename> writes <basename>.nmap (normal), <basename>.xml and <basename>.gnmap (grepable).

nikhilh@ubuntu:~$ nmap -d -oA scan-results scanme.nmap.org

nikhilh@ubuntu:~$ ls scan-results*
scan-results.gnmap  scan-results.nmap  scan-results.xml

That's it for my Nmap tutorial! Bear in mind that the options covered in this series are not an exhaustive list of what Nmap provides; they are the ones you need to know when you start working with Nmap. For the full list, see the reference guide at https://nmap.org/book/man.html.

If you have any questions, leave them in the comments below and I'll get back to you as soon as I can! Thanks for reading!

Getting started with Nmap - Part 7

In the last part, we looked at OS and service version detection along with a few timing options that help in speeding up or slowing down scans according to need. In this post, we'll look at Nmap options that will help you evade firewalls and Intrusion Detection Systems (IDS).

Disclaimer: Throughout this tutorial series I have used scanme.nmap.org as the target host, and sometimes my own local machine. scanme.nmap.org is set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks you do not own or have written permission to test is, in general, a crime and may lead to jail. Get permission before scanning anything else.

Fragmented Packets

  1. A SYN-scan probe carries no payload for an IDS to inspect; what a packet filter or IDS matches on is the TCP header: the source and destination ports and the flags.
  2. The -f option splits each probe into several small IP fragments so that the TCP header itself is spread across fragments. A device that inspects fragments individually, without reassembling them, cannot see the port numbers and the flags together and so cannot match a rule on them.
  3. The target's IP stack reassembles the fragments, so the probe arrives intact and is answered normally.
Fragmentation requires root, because it only applies to raw-packet scans such as the SYN scan (not to connect scan), which is why the command below uses sudo. -f produces fragments carrying 8 bytes of data after the IP header; -ff produces 16-byte fragments. Be aware that most modern firewalls and IDS reassemble fragments before inspecting them, and some drop fragmented packets outright, so this option can reduce your results rather than improve them.

nikhilh@ubuntu:~$ sudo nmap -d -f scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 07:52 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Final times for host: srtt: 48065 rttvar: 70016  to: 328129

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
           Raw packets sent: 2014 (88.540KB) | Rcvd: 736 (29.440KB)

Some source systems reassemble outgoing fragments in the kernel before they reach the wire (Linux with the iptables connection-tracking module is the usual example), so confirm with a sniffer such as Wireshark or tcpdump that the probes really left fragmented. On Windows, Microsoft removed raw socket support, so Nmap cannot fragment at the IP layer there; the --send-eth option makes Nmap build and send the frames at the raw Ethernet layer instead, which is what fragmentation needs on that platform.

Set Maximum Transmission Unit (MTU)


MTU is the largest packet (in bytes, after the link-layer header) that a network link will carry.
  1. Most Ethernet networks have an MTU of 1500 bytes.
  2. A packet larger than the MTU of a link on the path is either fragmented by the sender or by a router, or dropped if its Don't Fragment bit is set.
  3. Nmap's --mtu option does not change the interface MTU: it sets how many bytes of data each fragment Nmap builds may carry, and the value must be a multiple of 8 because the IP fragment offset field counts in 8-byte units. -f is equivalent to --mtu 8 and -ff to --mtu 16.
nikhilh@ubuntu:~$ sudo nmap -d --mtu 1504 scanme.nmap.org

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 08:32 PDT
...
...
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 128
80/tcp    open  http       syn-ack ttl 128
9929/tcp  open  nping-echo syn-ack ttl 128
31337/tcp open  Elite      syn-ack ttl 128
Final times for host: srtt: 52299 rttvar: 87551  to: 402503

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds
           Raw packets sent: 2011 (88.416KB) | Rcvd: 1579 (63.164KB)

In the snippet above I used an MTU of 1504, which is larger than 1500. So what happened? Nothing was fragmented: Nmap only splits a probe that is larger than the --mtu value, and a SYN probe is only a few dozen bytes, so every probe went out in a single packet (the NIC does not fragment it either; IP fragmentation is done by the IP stack or by routers on the path). To force fragmentation you need a small value such as --mtu 8, 16 or 24, and you should confirm the result in a sniffer.
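To make the fragmentation and MTU sections above concrete, here is an added example (mine, not code from the post or from Nmap) that builds a 24-byte TCP SYN header like the one Nmap sends, splits it the way -f, -ff and --mtu do, and shows which fragment ends up holding the destination port and which holds the SYN flag. The "naive filter" is a hypothetical device that only inspects the first fragment; the field offsets are the real TCP header layout.

```python
# Added example, not code from the original post: how -f / -ff / --mtu split a SYN probe,
# and why a filter that inspects fragments one at a time loses sight of the flags.
import struct

TCP_FLAG_SYN = 0x02
# Byte ranges [lo, hi) of the TCP header fields a filter rule would match on.
FIELDS = {"sport": (0, 2), "dport": (2, 4), "flags": (13, 14)}

def build_syn_header(sport, dport, seq=0x12345678, mss=1460):
    """20-byte TCP header plus a 4-byte MSS option (24 bytes in all), like an Nmap SYN probe.
    The checksum is left at zero: it is irrelevant to the fragmentation logic shown here."""
    data_offset = 6                      # header length in 32-bit words (24 / 4)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, TCP_FLAG_SYN, 1024, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)   # kind=2 (MSS), length=4, value

def fragment(ip_payload, frag_size):
    """Split the IP payload into fragments of frag_size data bytes (what --mtu sets; -f is 8, -ff is 16).
    Returns (fragment_offset_in_8_byte_units, more_fragments, chunk) tuples, the three things the
    IP header of each fragment carries."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8 (IP offsets count 8-byte units)")
    frags = []
    for start in range(0, len(ip_payload), frag_size):
        chunk = ip_payload[start:start + frag_size]
        frags.append((start // 8, start + frag_size < len(ip_payload), chunk))
    return frags

def reassemble(frags):
    """What the target's IP stack does: put the fragments back together in offset order."""
    return b"".join(chunk for _, _, chunk in sorted(frags, key=lambda f: f[0]))

def fragment_carrying(frags, field):
    """Index of the fragment that contains the whole of the named TCP field, or None if it straddles two."""
    lo, hi = FIELDS[field]
    for i, (off, _, chunk) in enumerate(frags):
        start = off * 8
        if start <= lo and hi <= start + len(chunk):
            return i
    return None

def naive_filter_blocks_syn(frags, blocked_port):
    """Hypothetical stateless filter: it looks only at the first fragment (offset 0) and needs to see
    both the destination port and the SYN flag before its rule can match."""
    first = next(chunk for off, _, chunk in frags if off == 0)
    if len(first) < 14:
        return False                     # the flags byte is not in this fragment, so the rule cannot match
    dport = struct.unpack("!H", first[2:4])[0]
    return dport == blocked_port and bool(first[13] & TCP_FLAG_SYN)

if __name__ == "__main__":
    probe = build_syn_header(40000, 80)
    for size in (8, 16, 1504):
        frags = fragment(probe, size)
        print("--mtu %4d: %d fragment(s), dport in #%s, flags in #%s, filter blocks: %s" % (
            size, len(frags), fragment_carrying(frags, "dport"),
            fragment_carrying(frags, "flags"), naive_filter_blocks_syn(frags, 80)))
```

With 8-byte fragments the ports are in the first fragment but the flags are in the second, so a first-fragment-only rule on "SYN to port 80" never fires; with 16-byte fragments (-ff) the flags are back in the first fragment, and with --mtu 1504 there is a single fragment, which is the "no fragmentation at all" case from the run above.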

Using a Decoy


With the -D option the scan appears to come from several systems at once: Nmap sends every probe from each decoy address as well as from its own, so the target's logs show all of them and the real IP is "lost in the crowd". Decoys apply only to raw-packet scans (host discovery, SYN and the other raw port scans, and OS detection); they do nothing for connect scan, version detection or NSE scripts, because those complete real connections from your own address. Note that the run below was started without sudo, so Nmap fell back to a connect scan and the decoys had no effect on the port scan; use sudo with -sS to get the intended behaviour. Use decoy hosts that are actually up, and do not use too many: each decoy multiplies the traffic sent, and the target may rate-limit or drop it.

nikhilh@ubuntu:~$ nmap -d -D RND:10 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:17 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

It is also possible to give a comma-separated list of decoy IP addresses, and the keyword ME marks where your own address falls in that list (for example -D 10.0.0.5,ME,10.0.0.9); if ME is omitted, Nmap puts the real address in a random position.

Set a source port


Some firewalls are configured to trust traffic by its source port, for instance allowing anything from port 53 (DNS), 20 (FTP data) or 88 (Kerberos) through so that those services keep working. If the firewall in front of a target has such a rule, setting the scan's source port to the trusted number lets the probes through. The option is --source-port, or -g for short.

Note that Nmap can only honour this for raw-packet scans: it has no effect on a TCP connect scan (-sT), on version detection or on NSE scripts, which use the operating system's TCP stack and its own choice of source port.

nikhilh@ubuntu:~$ sudo nmap -d -sS --source-port 3389 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:23 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:23
...
...
Discovered open port 22/tcp on 45.33.32.156
...
...
Final times for host: srtt: 28093 rttvar: 41588  to: 194445

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 23.81 seconds
           Raw packets sent: 2012 (88.456KB) | Rcvd: 478 (19.124KB)

Add payload data


By default Nmap's TCP probes carry no payload at all (UDP probes get protocol-specific payloads from the nmap-payloads file), which makes them easy to recognise. --data-length <n> appends n random bytes to most of the probes so that they look more like ordinary traffic and may occasionally draw a response from a host that ignores empty packets. Like the other raw-packet options it does nothing for a connect scan, which uses the operating system's TCP stack, so combine it with sudo and -sS rather than running it unprivileged as below. It also slows the scan slightly and increases the bandwidth used.

nikhilh@ubuntu:~$ nmap -d --data-length 16 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:31 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds

In the run above, 16 random bytes are appended to each probe Nmap sends, except OS detection probes, which must stay exactly as specified for fingerprinting to work.

Scan Multiple Hosts in Random Order


Scanning a subnet in address order produces an obvious pattern for an IDS to pick up. --randomize-hosts makes Nmap shuffle the targets (in groups of up to 16384 hosts) before scanning them, so the probes arrive in an unpredictable order; combined with slow timing this makes the scan less conspicuous. Port order is already randomised by default; -r restores sequential port order if you ever need it.

nikhilh@ubuntu:~$ nmap -d --randomize-hosts scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:43 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Not shown: 996 filtered ports
Reason: 993 no-responses and 3 host-unreaches
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
...
...
Nmap scan report for localhost (127.0.0.1)
Host is up, received conn-refused (0.00013s latency).
Scanned at 2018-08-24 13:43:48 PDT for 0s
Not shown: 999 closed ports
...
...
Nmap done: 2 IP addresses (2 hosts up) scanned in 69.02 seconds

Spoof MAC address


The MAC address identifies your machine on the local Ethernet segment. --spoof-mac makes Nmap send its raw frames with a different source MAC, which can get probes past a switch or access point that filters by MAC (provided you know a MAC that is allowed) and keeps your real hardware address out of the target's ARP tables and logs. Two caveats: the spoofed MAC is only visible on the local segment, because the first router replaces it with its own, so against an internet host like scanme.nmap.org it changes nothing the target can see; and, like the other raw-packet options, it requires root, so in the unprivileged run below Nmap announced the spoofed address but the connect scan it actually performed still used the real one.

nikhilh@ubuntu:~$ nmap -d --spoof-mac 0 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 14:03 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Spoofing MAC address F1:31:59:C6:60:C9 (No registered vendor)
...
...
31337/tcp open  Elite      syn-ack
Final times for host: srtt: 82422 rttvar: 15862  to: 145870

Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds

The argument can be 0 for a completely random address (as above), a vendor name such as vmware or cisco (Nmap picks a random address with one of that vendor's prefixes from its nmap-mac-prefixes file), a MAC prefix, or a full MAC address.

nikhilh@ubuntu:~$ nmap -d --spoof-mac vmware scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 14:46 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Spoofing MAC address 00:05:69:CA:56:27 (VMware)
...
...
Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 22.01 seconds

Idle Zombie Scan


Idle scan (-sI) combines packet forging with scanning and is the stealthiest scan Nmap offers: the target never sees a packet from your address. It relies on a third host, the "zombie", whose IP stack assigns IP identification numbers (the IP ID field, used for fragment reassembly) from a single global counter that goes up by one for every packet it sends. Nmap probes the zombie to read its current IP ID, sends the target a SYN with the zombie's address forged as the source, and probes the zombie again. If the port was open, the target answered the zombie with a SYN/ACK, the zombie replied to that with a RST, and its IP ID advanced by two; if the port was closed or filtered, the zombie sent nothing extra and the ID advanced by one. Closed and filtered therefore look the same from the scanner's side.

The zombie must be truly idle, otherwise its own traffic advances the counter and the results become noise; Nmap's ipidseq NSE script (nmap --script ipidseq <host>) reports whether a candidate's IP ID sequence is incremental. Most current operating systems use random or per-connection IP IDs, which rules them out as zombies. Use -Pn as well: otherwise Nmap's host-discovery probes go to the target from your real address before the idle scan starts, which defeats the purpose. Like the other raw-packet techniques, it needs root.

I cannot demonstrate this here because I don't have a suitable zombie host, but this is the command construction (the zombie may also be written as host:port to use a specific port on it):
nikhilh@ubuntu:~$ sudo nmap -d -Pn -sI <zombie-ip> scanme.nmap.org
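Since the scan cannot be run here, the IP ID bookkeeping it relies on is simulated below as an added example (mine, not code from the post or from Nmap). The Zombie, BusyZombie and Target classes are toy models; the three-step probe sequence and the delta-of-1 versus delta-of-2 rule are the real idle-scan logic, including the 16-bit wraparound of the IP ID field and the failure mode of a zombie that is not idle.

```python
# Added example, not code from the original post or from Nmap: the IP ID bookkeeping behind -sI,
# simulated in-process so the open, closed/filtered and busy-zombie cases can be seen side by side.

class Zombie:
    """A host whose IP stack draws IP IDs from one global counter that goes up by one per packet sent."""
    def __init__(self, start_id=1000):
        self.ip_id = start_id

    def _send(self):
        self.ip_id = (self.ip_id + 1) & 0xFFFF    # 16-bit field, wraps after 65535
        return self.ip_id

    def receive_synack(self):
        """An unsolicited SYN/ACK makes the stack answer with a RST, spending one IP ID; returns that ID."""
        return self._send()

    def receive_rst(self):
        """An unsolicited RST is dropped silently: no packet sent, no IP ID consumed."""
        return None

class BusyZombie(Zombie):
    """A zombie that is also talking to someone else: every time we look it has sent extra packets."""
    def receive_synack(self):
        self._send()                              # unrelated traffic of its own
        return self._send()

class Target:
    def __init__(self, open_ports=(), filtered_ports=()):
        self.open, self.filtered = set(open_ports), set(filtered_ports)

    def receive_syn(self, port, zombie):
        """A SYN whose source address was forged to be the zombie's: the reply goes to the zombie, not to us."""
        if port in self.filtered:
            return                                # a firewall drops it; the zombie sees nothing
        if port in self.open:
            zombie.receive_synack()               # SYN/ACK -> the zombie answers with a RST (+1 IP ID)
        else:
            zombie.receive_rst()                  # RST -> the zombie ignores it

def ipid_delta(before, after):
    return (after - before) & 0xFFFF              # correct across the 65535 -> 0 wrap

def idle_scan_port(zombie, target, port):
    before = zombie.receive_synack()              # step 1: probe the zombie, note the IP ID of its RST
    target.receive_syn(port, zombie)              # step 2: SYN to the target with the zombie as source
    after = zombie.receive_synack()               # step 3: probe the zombie again
    delta = ipid_delta(before, after)
    if delta == 1:
        return "closed|filtered"                  # only our own second probe advanced the counter
    if delta == 2:
        return "open"                             # the target's SYN/ACK made the zombie send one extra packet
    return "unknown"                              # the zombie was not idle (or does not count globally)

def is_incremental(ipids, max_step=2):
    """What to check before trusting a zombie (Nmap's ipidseq script does this for real):
    consecutive IDs must rise by a small, constant amount."""
    return all(0 < ipid_delta(a, b) <= max_step for a, b in zip(ipids, ipids[1:]))

if __name__ == "__main__":
    zombie = Zombie(start_id=65534)               # start near the wrap to show it is handled
    target = Target(open_ports={22, 80}, filtered_ports={25})
    for port in (22, 80, 25, 443):
        print("%5d/tcp %s" % (port, idle_scan_port(zombie, target, port)))
    print("same scan with a busy zombie:", idle_scan_port(BusyZombie(), target, 443))
```

The busy zombie is the case the "must be truly idle" warning is about: its own traffic turns a closed port into a false "open", and an open port into a delta Nmap cannot interpret. Real Nmap sends several probes per port and re-tests inconsistent results to cope with a little noise, but no amount of retrying fixes a zombie whose IP IDs are random.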

That's it for part 7! Evading firewalls and IDS matters when the goal of an authorised test is to find out how much of a scan the target's defences actually see, and every option in this post only hides the scan to the extent that those defences do not reassemble, correlate or log what reaches them. If there are any questions, leave them in the comments below and I'll get back to you as soon as I can!

In the next (and final) part, we'll look at some of the output file types that Nmap provides.

Getting started with Nmap - Part 6

In part 5, we learned of the various types of port-specific scanning techniques. In this post, we'll understand OS and version detection along with timing options that Nmap provides.

OS detection is also known as TCP/IP fingerprinting. Nmap sends a series of carefully constructed TCP, UDP and ICMP probes and compares the details of the responses (TCP options and their order, window sizes, initial TTL, IP ID behaviour, how closed ports and unusual flag combinations are answered, and so on) against nmap-os-db, its database of fingerprints collected for known operating systems.

Disclaimer: Throughout this tutorial series I have used scanme.nmap.org as the target host, and sometimes my own local machine. scanme.nmap.org is set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks you do not own or have written permission to test is, in general, a crime and may lead to jail. Get permission before scanning anything else.


Operating System Detection


The -O option makes Nmap attempt to detect the OS running on the target machine. The probes are raw packets, so it requires root.

nikhilh@ubuntu:~$ sudo nmap -O 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 16:52 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.14
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

For OS detection to work accurately, Nmap needs at least one open and one closed TCP port on the target. When scanning many systems, --osscan-limit skips OS detection on hosts that do not meet this criterion, which saves time.

nikhilh@ubuntu:~$ sudo nmap -d -O --osscan-limit 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 16:57 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Skipping OS Scan against localhost (127.0.0.1) due to absence of open (or perhaps closed) ports
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.0000020s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed because of 1000 resets
Final times for host: srtt: 2 rttvar: 0  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-os-db nmap-payloads nmap-services.
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2000 (84.000KB)

--max-os-tries <number> limits how many times Nmap retries OS detection against a host when the first attempt is inconclusive; the default is 5, and lowering it speeds up large scans.

Determine the Service Version


The -sV option makes Nmap probe each open port to identify the service and its version, rather than relying on the port-number lookup in nmap-services. By default it skips TCP ports 9100-9107: these are printer ports, and some printers print whatever probe data they receive, so Nmap leaves them alone unless asked.

nikhilh@ubuntu:~$ sudo nmap -d -sV 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 06:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 43 scripts for scanning.
mass_rdns: Using DNS server 127.0.1.1
Initiating SYN Stealth Scan at 06:53
...
...
Initiating Service scan at 06:53
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 06:53, 6.02s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:53
NSE: Starting hnap-info against 127.0.0.1:631.
NSE: Starting vmware-version against 127.0.0.1:631.
NSE: Starting http-server-header against 127.0.0.1:631.
NSE: Starting http-trane-info against 127.0.0.1:631.
NSE: [hnap-info 127.0.0.1:631] HTTP: Host returns proper 404 result.
NSE: [vmware-version 127.0.0.1:631] Couldn't download file: /sdk
NSE: Finished vmware-version against 127.0.0.1:631.
NSE: [http-trane-info 127.0.0.1:631] HTTP: Host returns proper 404 result.
NSE: Finished hnap-info against 127.0.0.1:631.
NSE: Finished http-server-header against 127.0.0.1:631.
NSE: Finished http-trane-info against 127.0.0.1:631.
Completed NSE at 06:53, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:53
Completed NSE at 06:53, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2001 (84.044KB)
  1. To make Nmap probe ports 9100-9107 as well, use --allports.
  2. To control how many probes Nmap tries against each port, use --version-intensity <intensity-number [0-9]>. The default is 7; --version-light is shorthand for 2 and --version-all for 9.
    1. A lower intensity is faster but may miss services that only answer the rarer probes; a higher one is slower but more thorough.

Guessing an OS


When no fingerprint matches exactly, Nmap normally reports that it could not determine the OS. --osscan-guess (also spelled --fuzzy) tells it to print its closest near-matches instead, labelled as guesses.

(In the run below the option did not actually come into play: Nmap found matching fingerprints and printed them, so there was nothing to guess. It is shown only to demonstrate the syntax. Note the warning that the results may be unreliable because no closed port was found, and that the printed fingerprint is what -d adds to the output.)

nikhilh@ubuntu:~$ sudo nmap -d -O --osscan-guess scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 06:38 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 06:38
...
...
Overall sending rates: 75.94 packets / s, 3339.26 bytes / s.
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or (tcp and (src host 45.33.32.156)))
Initiating OS detection (try #1) against scanme.nmap.org (45.33.32.156)
OS detection timingRatio() == (1535031531.632 - 1535031531.128) * 1000 / 500 == 1.006
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.060s latency).
...
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X|3.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/23%OT=22%CT=%CU=%PV=N%G=N%TM=5B7EB8ED%P=x86_64-unkno
OS:wn-linux-gnu)SEQ(SP=106%GCD=1%ISR=104%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O
OS:4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FA
OS:F0)ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)T1(R=Y%DF=N%TG=80%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=
OS:)T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80%W=7FF
OS:F%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=S)

TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Final times for host: srtt: 59841 rttvar: 45038  to: 239993

Read from /usr/local/bin/../share/nmap: nmap-os-db nmap-payloads nmap-services.
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds
           Raw packets sent: 2054 (92.594KB) | Rcvd: 1042 (42.470KB)

The TCP/IP fingerprint printed above can be submitted at https://nmap.org/submit/ to improve Nmap's OS database, but only when you know for certain what the target is running; a submission with the wrong OS name pollutes the database for everyone.
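The fingerprint is worth being able to read, so here is an added example (mine, not code from the post or from Nmap) that joins the wrapped OS: lines above and splits them into Nmap's test groups (SCAN, SEQ, OPS, WIN, ECN, T1..T7, U1, IE) and their attributes, then decodes a few of the fields that are easy to check against the rest of the run: the open port used (OT=22), the missing closed port (CT empty, which is what the warning was about), the TTL guess (TG=80 hex, matching the "ttl 128" seen in the reset) and the MSS carried in the TCP options (M5B4). The input is the page's own fingerprint; the function names are mine.

```python
# Added example, not code from the original post or from Nmap: parse the wrapped OS: lines
# of a fingerprint into {test: {attribute: value}} and decode a few of the values.
import re

# The fingerprint exactly as Nmap printed it in the run above (Nmap wraps it at a fixed width).
FINGERPRINT_LINES = """OS:SCAN(V=7.70%E=4%D=8/23%OT=22%CT=%CU=%PV=N%G=N%TM=5B7EB8ED%P=x86_64-unkno
OS:wn-linux-gnu)SEQ(SP=106%GCD=1%ISR=104%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O
OS:4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FA
OS:F0)ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)T1(R=Y%DF=N%TG=80%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=
OS:)T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80%W=7FF
OS:F%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=S)"""

TEST_RE = re.compile(r"([A-Z][A-Z0-9]*)\(([^)]*)\)")   # NAME(attr=val%attr=val...)

def parse_fingerprint(text):
    """Join the OS: lines (the wrapping is purely cosmetic) and split into {test: {attr: value}}."""
    joined = "".join(line[3:] for line in text.splitlines() if line.startswith("OS:"))
    tests = {}
    for name, body in TEST_RE.findall(joined):
        attrs = {}
        for pair in body.split("%"):
            if pair:
                key, _, value = pair.partition("=")
                attrs[key] = value                 # empty string means "no value", e.g. CT= above
        tests[name] = attrs
    return tests

def decode_tcp_options(opts):
    """Decode an O/O1..O6 value such as M5B4ST11NW7: M<hex>=MSS, W<hex>=window scale,
    T<2 bits>=timestamp, S=SACK permitted, N=NOP, L=end of options."""
    out, i = [], 0
    while i < len(opts):
        c = opts[i]
        if c in "MW":
            m = re.match(r"[0-9A-F]+", opts[i + 1:])
            out.append(("MSS" if c == "M" else "WScale", int(m.group(0), 16)))
            i += 1 + len(m.group(0))
        elif c == "T":
            out.append(("Timestamp", opts[i + 1:i + 3]))
            i += 3
        else:
            out.append(({"S": "SACKOK", "N": "NOP", "L": "EOL"}[c], None))
            i += 1
    return out

def summarize(fp):
    """Pull out the facts that can be cross-checked against the rest of the scan output."""
    scan, t1 = fp["SCAN"], fp.get("T1", {})
    return {
        "nmap_version": scan["V"],
        "open_port_used": int(scan["OT"]) if scan["OT"] else None,
        "closed_port_used": int(scan["CT"]) if scan["CT"] else None,   # None: no closed port found
        "ttl_guess": int(t1["TG"], 16) if "TG" in t1 else None,        # hex in the fingerprint
        "window": int(fp["WIN"]["W1"], 16),
        "mss": dict(decode_tcp_options(fp["OPS"]["O1"])).get("MSS"),
        "tests_unanswered": sorted(name for name, attrs in fp.items() if attrs.get("R") == "N"),
    }

if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT_LINES)
    for key, value in summarize(fp).items():
        print("%-18s %s" % (key, value))
```

R=N on T2 and U1 means those probes (the NULL-flag probe to the open port and the UDP probe to a closed port) got no reply at all, which is consistent with a filtered host that has no closed port to answer from; that, rather than any exotic OS, is why the match list above is so mixed.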

Now, we'll start looking at the timing options. With these options you can manipulate the time between probes on a host, time between hosts and more.

Using Timing Templates


The simplest way to adjust the timing options, albeit all at once, is a timing template: -T0 to -T5, with 0 the slowest and 5 the fastest.
  1. T0: Paranoid
  2. T1: Sneaky
  3. T2: Polite
  4. T3: Normal (default timing template)
  5. T4: Aggressive
  6. T5: Insane
The more aggressive the template, the more noticeable the scan is on the target and the likelier it is to miss ports on a slow or lossy link (-T5 in particular caps the RTT timeout at 300 ms and gives up after two retries, as the timing report below shows). In general, use the slow templates when trying to evade detection and -T4 on fast, reliable networks.

Below, I've used the fastest timing template:

nikhilh@ubuntu:~$ nmap -d -T5 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:15 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000, SCTP 5
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:15
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
...
...
Final times for host: srtt: 77087 rttvar: 15669  to: 139763

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

When using the default timing template, I expect the time taken to scan to be more than 6.7s

nikhilh@ubuntu:~$ nmap -d -T3 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:14 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:14
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 13:14, 0.08s elapsed (1 total hosts)
...
...
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
9929/tcp  open  nping-echo syn-ack
31337/tcp open  Elite      syn-ack
Final times for host: srtt: 80227 rttvar: 15726  to: 143131

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds

Set the Minimum/Maximum Number of Parallel Probes


These options set the minimum and maximum number of probes Nmap keeps outstanding at once against a host group. Normally Nmap works this out itself from the observed round-trip times and packet loss, so they are rarely needed.

Setting --max-parallelism too high can overload a slow target or network and cost accuracy; --max-parallelism 1 serialises the probes, which helps against hosts that rate-limit their responses. --min-parallelism pushes Nmap above what its congestion control would choose, at the risk of dropped probes.

nikhilh@ubuntu:~$ nmap -d --min-parallelism 5 --max-parallelism 10 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:19 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 5, max 10
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Set the Minimum/Maximum Hosts to Scan in Parallel


These options set how many hosts are scanned at the same time. Nmap scans a group of hosts in parallel and only reports on them when the whole group is finished, so very large groups delay the first results, while very small groups lose the efficiency of scanning hosts in parallel. Left alone, Nmap picks a group size itself and grows it as the scan progresses.

nikhilh@ubuntu:~$ nmap -d --min-hostgroup 2 --max-hostgroup 3 scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:26 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 2, max 3
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 2 IP addresses (2 hosts up) scanned in 21.75 seconds

Set the Minimum/Maximum Packet Rate

Nmap adjusts the packet rate based on network speed and stability. Using these options, the minimum and maximum packet rate can be set. It is important to note that having the minimum packet rate too high may lead to unreliable results.

nikhilh@ubuntu:~$ nmap -d --min-rate 700 --max-rate 1200 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:06 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 700, max-rate: 1200
---------------------------------------------
...
...
Final times for host: srtt: 76122 rttvar: 44945  to: 255902

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds

Set the Minimum/Maximum Scan Delay


Using these options, we set how long Nmap waits between probes to a host. --scan-delay fixes the delay; --max-scan-delay caps the delay that Nmap raises on its own when it detects that the target is rate-limiting responses (the default cap is 1 s for TCP, as the timing reports above show). Longer delays make the scan slower but far less conspicuous.

nikhilh@ubuntu:~$ nmap -d --scan-delay 10ms --max-scan-delay 100ms scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:12 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 100, UDP 100, SCTP 100
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 35.99 seconds

Set the Round Trip Timeout (RTT) - Minimum, Initial and Maximum


Nmap waits a certain time for each probe's response and retransmits the probe if that timeout expires. With the default template the initial timeout is 1000 ms (see the timing reports above), after which Nmap keeps re-estimating it from the round-trip times it measures. --initial-rtt-timeout sets the starting value, and --min-rtt-timeout and --max-rtt-timeout bound what the estimate may be adjusted to.

Setting the maximum too low slows the scan down rather than speeding it up: Nmap gives up on responses that are still in flight and retransmits probes that did not need it. Setting it below the real round-trip time can also cause open ports to be reported as filtered.

nikhilh@ubuntu:~$ nmap -d --initial-rtt-timeout 900ms --max-rtt-timeout 1500ms --min-rtt-timeout 800ms scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:46 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 900, min 800, max 1500
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 49.77 seconds
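The relationship between the rtt-timeouts line and the "Final times for host" line that -d prints in other runs of this post can be checked directly. The following Python script is an added example, not code from the post or from Nmap: it parses both lines, models the per-host timeout as srtt + 4*rttvar clamped to the min/max bounds (an assumption about Nmap's internals, though it reproduces every "to:" value printed in this post), and shows how the 800ms floor from the run above would raise that timeout.

```python
import re

# Constructed sample: the timing report and final-times lines from the
# default-timing `nmap -d` run shown earlier in this post.
SAMPLE_OUTPUT = """\
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Final times for host: srtt: 76122 rttvar: 44945  to: 255902
"""

RTT_LINE = re.compile(r"rtt-timeouts: init (\d+), min (\d+), max (\d+)")
FINAL_LINE = re.compile(r"Final times for host: srtt: (\d+) rttvar: (\d+)\s+to: (\d+)")

def parse_rtt_bounds(output):
    """Return (init, min, max) RTT timeouts in milliseconds from the timing report."""
    m = RTT_LINE.search(output)
    if m is None:
        raise ValueError("no rtt-timeouts line found")
    return tuple(int(x) for x in m.groups())

def parse_final_times(output):
    """Return (srtt, rttvar, to) in microseconds from the 'Final times for host' line."""
    m = FINAL_LINE.search(output)
    if m is None:
        raise ValueError("no 'Final times for host' line found")
    return tuple(int(x) for x in m.groups())

def rtt_timeout_us(srtt_us, rttvar_us, min_ms, max_ms):
    """Model of Nmap's adaptive probe timeout: srtt + 4*rttvar, clamped to
    [--min-rtt-timeout, --max-rtt-timeout] (assumed to mirror Nmap's logic)."""
    rto = srtt_us + 4 * rttvar_us
    return max(min_ms * 1000, min(max_ms * 1000, rto))

def check_output(output):
    """Return (printed_to_us, modelled_to_us) for one nmap -d output."""
    _, min_ms, max_ms = parse_rtt_bounds(output)
    srtt, rttvar, to = parse_final_times(output)
    return to, rtt_timeout_us(srtt, rttvar, min_ms, max_ms)

if __name__ == "__main__":
    printed, modelled = check_output(SAMPLE_OUTPUT)
    print(f"printed to: {printed} us, modelled: {modelled} us")
    # The same measurements under the --min-rtt-timeout 800ms run above
    print(rtt_timeout_us(76122, 44945, 800, 1500))  # -> 800000
```

Feed it the saved output of your own `nmap -d` run (see the -oN option later in this series) to confirm that the min and max bounds you set actually constrain the timeout Nmap ends up using.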

Setting the Maximum Number of Probe Retries


As I said before, Nmap re-transmits packets if it doesn't receive a response the first time. This option sets the maximum number of such retries.

nikhilh@ubuntu:~$ nmap -d --max-retries 3 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 3, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Final times for host: srtt: 80692 rttvar: 13467  to: 134560

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds

Set Host Timeout


When Nmap encounters slow hosts, it waits for a specific interval of time before timing out. Using this option, we can set the time interval that Nmap waits for. Setting the timeout too low will interrupt the scanning process and lead to early termination.

nikhilh@ubuntu:~$ nmap -d --host-timeout 50s scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:16 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 50000
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 20.69 seconds


Set the Packet Time-To-Live (TTL)


In situations where the target system is present on a slow network, packets sent to it may time out because their TTL value is too low. Using this option, we can manipulate that value.

nikhilh@ubuntu:~$ nmap -d --ttl 20s scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:21 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 30.38 seconds

Although we wrote the TTL value with a seconds suffix above, it is equivalent to a hop count, which decreases by 1 at every hop.

Defeat Reset Rate Limits


We know that rate limiting is applied to Type 3 ICMP Port Unreachable messages on UDP ports. If similar rate limiting is present on RST packets, this option can be used. It is important to note that this option works only with the TCP SYN scan that we studied in Part 4.

nikhilh@ubuntu:~$ sudo nmap -d --defeat-rst-ratelimit -sS scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:26 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 14:26
...
...
22/tcp    open   ssh        syn-ack ttl 128
80/tcp    open   http       syn-ack ttl 128
9929/tcp  open   nping-echo syn-ack ttl 128
10012/tcp closed unknown    reset ttl 128
31337/tcp open   Elite      syn-ack ttl 128
Final times for host: srtt: 113005 rttvar: 214217  to: 969873

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 24.05 seconds
           Raw packets sent: 2012 (88.456KB) | Rcvd: 1703 (68.124KB)

That's it for part 6! This post has a lot of information that you must remember, especially because these options will be helpful in evading and avoiding detection by IDS and firewalls. If you have any questions, leave them in the comments below and I'll get back to you as soon as I can!

In the next post, we'll take a look at the various firewall and IDS evasion techniques that are built into Nmap.
