nmap (or network mapper) is a port-scanning/OS-detection tool used, by the ethical, to find open ports that may be accessible to hackers. When you first download and open nmap (I will talk about the command-line version, not Zenmap), it may not seem like much: you type in the nmap command and you may not know which options to use to successfully scan, find, and log all of the open ports and/or any other information you want. Bluntly, there are a lot of options. As of now there are 13+ scan options. Below are the details of what these scan options are:
-sT :: -sT is one of the most basic scan types, and how it operates is very simple. In UNIX systems, a connection between two computers is started by one of them, the client, sending a connect() call to the server; if the connection to that port is successful, a connection is made, and if there is no response, either the server is down or the port is closed or blocked. The only flaw in this scan type is that it is logged server side, so every port scanned is logged; 1000 port scans logged from one IP address over the span of 5 minutes is a tell-tale sign that someone is port scanning the server.

-sS :: -sS is another basic scan option that stands for SYN scan or stealth scan. Before I go any farther, let me explain how a SYN scan works. When a typical TCP connection is established, the client computer sends a SYN (or synchronize) packet to the server, the server replies with a SYN packet and an ACK (or acknowledge) packet back to the client, and then the connection can be made. Once the client wants to end the connection, it sends a RST (or reset) packet back to the server and the connection is severed. In a SYN scan, the client sends a SYN packet, looks for a SYN/ACK packet back from the server, and if it finds one it sends a RST packet back before the connection is ever fully made between the client and the server, thus eliminating the logging of IP addresses on the server. Although this may seem like the perfect option to use all of the time, firewalls and intrusion detection systems can detect SYN scans, but there are other options, discussed later on, that can even get around those obstacles.

-sF :: -sF is based on another type of packet sent by the client or server to terminate a connection. First, the difference between the RST and the FIN packets is that where the RST packet is meant for immediately closing a connection, the FIN packet is an elaborate four-way "handshake" method of closing a connection. That is, both the client and the server send a pair of FIN/ACK packets back and forth to each other to end the connection. Going along with this four-way handshake idea, if the computer that is scanning a port sends that FIN/ACK packet, it should get a response with the same "contents", meaning the port is open; but since the port sees it as closing a connection, it doesn't need to log the IP address, as it thinks it did that when the connection was first made (the first packets have, in their contents, the IP address of the client computer). This is an efficient way to get around the firewall or IDS (intrusion detection system) catching your IP address (that is, instead of using the SYN scan, you use the FIN scan).

-sN :: -sN, or Null scan, is much more basic than the -sF scan type or any of the other scan types. Basically, the client sends a "null" packet, a packet of nothing except the port number. If the port is open it will send a RST packet back to end the connection immediately; if the port is closed, no response will be sent by the port, showing nmap that the port is indeed open. Again, since no initial packet with all of the client-side information was sent, no IP address or connection will be logged server side.

-sX :: -sX, or the Xmas Tree scan, is much more elaborate than the FIN and Null scans; it involves sending three specific packets, URG, PUSH, and FIN. First of all, the URG packet is basically a pointer to the last part of urgent data according to the RFC guidelines (which determine what the definition of urgent data is; see the bottom for a link), the PUSH packet (or PSH packet/PSH bit) is designed to be a reassuring packet that makes sure that the TCP connection and all underlying packets make it to the server/other user, and the FIN packet was defined above. So, now that the different "packets" or "bits" of the packet have been defined: when the scan/string of three packets is sent to the port, the response will be nothing, server side. This is because, if you look at each part of the three-string packet, the contents of that "master packet" are basically null, nothing, empty, showing nmap that the port is open. And so if the port is closed, the response will be RST. Just as a side note: they call this the Christmas (or Xmas) tree packet (or scan) because, when translated into binary, the URG/PSH/FIN packets are "00101001", and the alternating nature of each bit in the byte (much like on and off) is like that of flickering lights on a Christmas tree.

-sP :: -sP, or Ping scan, is meant to find all of the hosts on a designated server. The ping method is a little different from that of your ping command in the command prompt: instead of sending a TCP ping, it first tries an ICMP (Internet Control Message Protocol) ping. If there is no response from the server, it is possible that ICMP ping requests are blocked; if this is true it will try the traditional TCP ping request, and if there is still no response, the host is offline or the port (usually 80) is filtered. If you just want to try a TCP ping request method for finding hosts and not the ICMP method, type the option -P0.

-sU :: -sU, or the UDP scan, scans the target for open UDP (User Datagram Protocol) ports. UDP is meant for sending "messages" or data (datagrams) to another host on the Internet Protocol (IP) network. Thus, if open, it can easily be exploited through a tool such as Metasploit, although it should be noted that UDP scans don't provide much information in most attack planning as TCP is mainly used over UDP by most servers. nmap performs this scan by sending 0-byte UDP packets; if the response is "ICMP Port Unreachable" then the port is closed, and if there is no response, nmap assumes it's open. But there are issues with this scan type: if a firewall blocks "ICMP Port Unreachable" messages, the port will appear open, giving a false-positive response to nmap. Also, UDP scans can be slow, but if the host is a Microsoft machine it may be extremely fast, because their OSes don't limit the number of "ICMP Port Unreachable" messages outputted by the server, and so all 65535 UDP ports can be scanned very quickly.

-sO :: -sO, or IP Protocol scan, scans the target server to find out which IP protocols are supported (TCP, IGMP, ICMP, etc.). Although no ports are scanned, it can be useful to know if you can use another type of port scan for a specific protocol (ex.// ICMP).

-sI :: -sI, or Idle scanning, is an advanced stealth scan of the ports. Basically it works by using a "zombie host", which must be chosen by the client (and also a port number, which is optional). The scan works by exploiting the "predictable IP fragmentation ID" sequence generation on the zombie host to determine the open ports on the target server. In its most basic form, this attack basically assigns an arbitrary IP address, defined by the client, then does a port scan to a target. The logged IP address will be that of the zombie host; you can use this instead of a stealth scan. The attacker, once initiating an attack, will check the IPID on the zombie host, and if it has incremented by 2 (or changed by two steps in its sequence), this means that the target received the packets sent by the zombie host, which shows that the port is open. If the zombie host's IPID has incremented by one, then the port is closed, because the zombie host has received a RST from the server. Although this may seem like the best alternative to using the SYN scan or stealth scan, it is possible through the zombie host's log on the server to back-trace the IPID to the client/attacker, but it requires a deep look into a log file, and if the target is something like Google, who receive millions of IP addresses and log files every day, it is very unlikely the client/attacker will get caught. Also, it is possible to accidentally use a taken IP address and so get unreliable results back from the server, so try to use a site with low traffic if you are going to use the idle scan method.

-sV :: -sV, or version scan, collects information on a target port such as the device name/version number, etc. The option -A is used for port OS detection. This information is found through the use of a complex series of probes; check the bottom of this post if you are interested in a link on the subject.

-sA :: -sA, or ACK scan, is used to distinguish between stateful and stateless firewalls. It does this by sending an ACK packet to the server/port: if the server responds with a RST, it is unfiltered and open because the RST request was allowed through the firewall; if nothing comes back, the port is filtered. If the server is stateless, it just blocks incoming SYN packets. If it is stateful, it tracks connections and blocks unsolicited ACK packets. This type of scan should never be used just by itself; it should be used with other scan options, as it doesn't detect ports but probes the firewalls over those ports, and if you use it by itself you will either get an error or you will not receive an nmap report.

-sW :: -sW, or Window scan, is similar to the ACK scan but also reports open ports, as well as filtered/unfiltered ports. This is due to anomalies in TCP window size reporting by some operating systems. The TCP window size has to do with the amount of data a sender can send on a particular connection before it gets an acknowledgment back from the receiver that it has gotten some of the data.

-sR :: -sR, or RPC scan, can be used with other scan options to determine if an open UDP and/or TCP port is an RPC (Remote Procedure Call) service. RPC is a network protocol that allows a computer program running on one host to cause code to be executed on another host, or, ideally, lets a client run/execute code on a server. If this scan finds an RPC service, it will give information on the service.

-sL :: -sL, or List scan, just lists the hosts on a server without pinging or scanning the hosts.
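To make the scan types above concrete from the defender's side, here is an added example (my own code, not nmap's) that builds the TCP flags byte each probe carries (SYN, FIN, Null, Xmas, ACK), names the scan type from a captured flags byte, and runs the check the -sT section hints at: one source touching many distinct ports within a five-minute window. The packet records, IP addresses and timestamps are constructed sample data, and the 100-port threshold is an assumed tuning value.

```python
"""Added example (not nmap's code): the TCP flag bytes behind the SYN, FIN,
Null, Xmas and ACK probes described above, and the defender-side check the -sT
section alludes to: one source touching many distinct ports within a few
minutes. All packet records below are constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Bit values of the TCP flags field (RFC 793; ECE/CWR added by RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_byte(*names):
    """OR the named flags into the 8-bit flags field; ('URG','PSH','FIN') gives 0x29."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


def flag_names(value):
    """Decode a flags byte back into flag names, lowest bit first."""
    return [name for name, bit in sorted(TCP_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


# Flags bytes of the probe packets the scan types above send (a -sT connect()
# scan starts with the same SYN as -sS on the wire).
PROBE_SIGNATURES = {
    flags_byte("SYN"): "SYN probe (-sS / -sT)",
    flags_byte("FIN"): "FIN scan (-sF)",
    flags_byte(): "Null scan (-sN)",
    flags_byte("URG", "PSH", "FIN"): "Xmas scan (-sX)",
    flags_byte("ACK"): "ACK scan (-sA) or Window scan (-sW)",
}


def classify_probe(flags):
    """Name the scan type whose probe carries exactly these flags, else None."""
    return PROBE_SIGNATURES.get(flags)


def detect_port_sweeps(records, window=timedelta(minutes=5), threshold=100):
    """records: iterable of (timestamp, src_ip, dst_port, flags_byte), e.g. from
    a firewall log. Returns {src_ip: (peak_distinct_ports, [probe types])} for
    every source that touched >= threshold distinct ports inside some window."""
    by_src = defaultdict(list)
    for ts, src, port, flags in records:
        by_src[src].append((ts, port, flags))
    hits = {}
    for src, events in by_src.items():
        events.sort()                 # the sliding window needs time order
        in_window = Counter()         # dst_port -> hits currently inside the window
        probe_types = set()
        start = peak = 0
        for ts, port, flags in events:
            in_window[port] += 1
            kind = classify_probe(flags)
            if kind:
                probe_types.add(kind)
            # drop events older than `window` from the front of the list
            while ts - events[start][0] > window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = (peak, sorted(probe_types))
    return hits


BASE = datetime(2024, 1, 1, 12, 0, 0)   # constructed timestamps


def sample_records():
    """Constructed traffic: a fast Xmas sweep, a normal web client, and a slow
    one-port-every-two-minutes SYN sweep (what a -T0/-T1 scan looks like)."""
    recs = []
    for i in range(150):   # 150 ports in 150 seconds
        recs.append((BASE + timedelta(seconds=i), "198.51.100.7", 1 + i,
                     flags_byte("URG", "PSH", "FIN")))
    for i in range(40):    # ordinary client: only ports 80 and 443
        recs.append((BASE + timedelta(seconds=3 * i), "203.0.113.5",
                     443 if i % 2 else 80, flags_byte("SYN")))
    for i in range(150):   # 150 ports spread over 5 hours
        recs.append((BASE + timedelta(minutes=2 * i), "192.0.2.9", 1 + i,
                     flags_byte("SYN")))
    return recs


if __name__ == "__main__":
    print(f"Xmas flags byte: {flags_byte('URG', 'PSH', 'FIN'):08b}")
    for src, (ports, kinds) in detect_port_sweeps(sample_records()).items():
        print(f"{src}: {ports} distinct ports in 5 min, probes: {', '.join(kinds)}")
```

With the default five-minute window only the fast Xmas sweep is reported; the slow SYN sweep never has more than three ports inside any window, which is exactly the trade-off the -T timing option (covered further down) makes for the person scanning and the reason a detector also needs a longer-window or cumulative view.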
-T is used to set the timing on a scan; it ranges from 0-5 (Paranoid, Sneaky, Polite, Normal, Aggressive and Insane) (ex.// -T5), where the less time in between port scans, the higher the "T number", so the lower the number, the longer the scan will take. But the longer the time, the less chance the server will pick up that you just scanned 1000 ports systematically. So, instead of 1000 ports in 5 sec., it would be 1000 ports in 50 min.

-D is used for decoys. Decoys, although they do not hide your IP, make it look as though other IPs are scanning the server as well.

-PT switches on TCP pinging. -PS makes -PT send SYN packets to ping the server with instead of ACK packets. But they are all for the TCP pinging method, not ICMP pinging. -PU (with optional port numbers after the option) sends UDP packets as your ping, although it's still TCP pinging. You would use these to ping suspected closed ports, as UDP ports don't respond to pings sent with non-UDP packets, or to 0-length UDP requests.

-PE is a standard ICMP Echo Request (standard ICMP ping). -PP is an ICMP Timestamp Request. -PM is a Netmask Request. -PB uses both ICMP Echo Request and TCP ping with ACK packets instead of SYN packets.

-f is a fragmentation option which fragments your IP address, for use with the -sS, -sF, -sX or -sN options. Although most modern firewalls feature a defragmenter, which will make your IP address obvious to the server despite your fragmentation.

-O is for OS fingerprinting; used along with the -v verbosity option, it allows you to discover information about a remote operating system and about its TCP sequence number generation, which is useful for planning idle scans.

-oN, -oX or -oG are used for outputting nmap scan results to a file (ex.// -oN random.txt). -oN is human readable, -oX is an XML log, and -oG is a grepable log for Linux systems (used to sort and filter certain characters/words/etc. out of a txt file). -oA is for all three of the -oN, -oX and -oG options. The --append-output option adds the scan results to a .txt file instead of overwriting it.

-6 is for IPv6.

-v is for verbose mode; I highly recommend using this on all scans. Use it twice for more verbosity, and use -d (once or twice) for more verbose output.

--resume can be used if you have canceled the scan and you wish to resume where you left off.

-iL <inputfilename> is for reading hosts from an input file.

-F is for scanning only those ports in the nmap service file; this makes the scan fast as it does not need to discover the ports.

-ttl <value> sets the IPv4 packets' time-to-live. This is used for mapping paths through networks and for determining ACLs (Access Control Lists) on firewalls. By scanning the same port with different TTL values, you get a traceroute effect, great for mapping network ports/networks, although the traceroute function does this for you.

Hopefully you find this tutorial on nmap helpful; if you have any questions, just message me, reply to the post, or email me.

Helpful nmap links:
http://nmap.org/bennieston-tutorial/
http://www.insecure.org/nmap/idlescan.html
http://www.insecure.org/nmap/vscan/
http://www.insecure.org/nmap/nmap-finge ... ticle.html
http://nmap.org/book/man-port-scanning-techniques.html
RFC guidelines: http://tools.ietf.org/html/rfc1122#section-4.2.2.4
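The -oG "grepable" log mentioned above is meant to be sorted and filtered by other tools. As an added example (my own code, not part of nmap or of the tutorial), here is a small parser for that format: each Host: line is a set of tab-separated "Key: value" fields, and each port entry is written as port/state/protocol/owner/service/rpcinfo/version/. The scan output below is constructed sample data in that layout, with made-up hosts, banners and timestamps.

```python
"""Added example (not nmap's code): parse nmap's grepable (-oG) output so
results can be sorted and filtered programmatically. SAMPLE_GNMAP is
constructed sample data laid out like real -oG lines: tab-separated
'Key: value' fields, port entries as port/state/proto/owner/service/rpcinfo/version/."""
from collections import namedtuple

PortRecord = namedtuple("PortRecord", "host port state proto service version")

# Constructed sample; \t separates the fields on each Host: line.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: "
    "nmap -sS -sV -oG sample.gnmap 192.0.2.0/30\n"
    "Host: 192.0.2.1 (gw.example)\tStatus: Up\n"
    "Host: 192.0.2.1 (gw.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 53/open|filtered/udp//domain///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (998)\n"
    "# Nmap done at Mon Jan  1 12:00:09 2024 -- 4 IP addresses (2 hosts up) "
    "scanned in 9.31 seconds\n"
)


def parse_gnmap(text):
    """Return a PortRecord for every port entry found in -oG text."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # '# Nmap ...' header and trailer lines
        fields = {}
        for chunk in line.split("\t"):     # "Host: ...", "Ports: ...", "Ignored State: ..."
            key, _, value = chunk.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue                       # "Status: Up" lines carry no ports
        host = fields["Host"].split(" ", 1)[0]   # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            # nmap writes any '/' inside service/version text as '|', so
            # splitting on '/' is safe; the trailing '/' gives an empty tail.
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            records.append(PortRecord(host, int(port), state, proto, service, version))
    return records


def open_ports(records, proto=None):
    """Entries in state 'open' (optionally one protocol), sorted by host then port."""
    sel = [r for r in records
           if r.state == "open" and (proto is None or r.proto == proto)]
    return sorted(sel, key=lambda r: (r.host, r.port))


def hosts_by_service(records, service):
    """Hosts that expose the named service on an open port."""
    return sorted({r.host for r in records
                   if r.state == "open" and r.service == service})


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    for r in open_ports(recs, "tcp"):
        print(f"{r.host}:{r.port}/{r.proto} {r.service} {r.version}".rstrip())
    print("hosts with http open:", hosts_by_service(recs, "http"))
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; the "open|filtered" state that the -sU section's silent ports produce comes through as a literal state string, so it can be filtered separately from confirmed "open" entries.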