Useful options#

  • -v[v] - verbosity level
  • -6 <IPv6 address> - scan an IPv6 host/network. Sometimes admins forget to filter ports for the IPv6 protocol
  • --packet-trace - show all packets sent and received
  • -n - skip DNS name resolution

Host discovery#

sudo nmap 10.129.2.0/24 -sn -oA nmap.log

  • 10.129.2.1 - target a single host
  • 10.129.2.2-5 - target a range of hosts
  • 10.129.2.0/24 - target a network range
  • 10.129.2.2 10.129.2.3 - target multiple IPs
  • -iL <filename.lst> - scan the targets listed in <filename.lst>

Scanning options#

  • -sn - disable port scanning
    • This makes Nmap use -PE (ICMP Echo Requests, a.k.a. ping scan) to discover hosts
    • Usually we should expect an ICMP reply if the host is alive
  • --reason - show why Nmap treats the target as alive
  • --disable-arp-ping - do not use ARP requests for host discovery on the local network
sudo nmap 10.129.2.18 -sn -oA nmap.log -PE --reason
# ...
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Host is up, received arp-response (0.028s latency).


Host and Port Scanning#

sudo nmap 10.129.2.28 --top-ports=10

By default Nmap scans with the SYN scan (-sS) if we are running it as root, or with a TCP connect scan (-sT) otherwise.

  • -p 80,443 - scan 2 ports
  • -p 80-100 - scan ports within range
  • -p- - scan all ports, no fucks given
  • --top-ports=10 - scan 10 ports that Nmap considers most frequent
  • -F => --top-ports=100

States#

  • open - the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams and SCTP associations.
  • closed - the packet received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
  • filtered - Nmap cannot correctly identify whether the scanned port is open or closed, because either no response is returned from the target for the port or we get an ICMP error code from the target.
  • unfiltered - only occurs during the TCP ACK (-sA) scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
  • open|filtered - if we do not get a response for a specific port, Nmap will set it to this state. This indicates that a firewall or packet filter may protect the port.
  • closed|filtered - only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

Connect Scan (-sT)#

Uses TCP three-way handshake to determine if a port is open or closed.

It sends a SYN and considers the port open if it receives a SYN-ACK. Then it closes the connection with an RST.

This is the most accurate way to determine the state of a port.

It is also the most stealthy, as it doesn’t leave any unfinished connections/unsent packets on the target host, which makes it less likely to be detected by IDSs/IPSs.

It is also useful when the target host has a firewall dropping incoming packets, but allowing outgoing ones. The Connect Scan can bypass the firewall this way.

It is slower than the other types of scans, due to waiting for a response from the target after each packet.

sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
Host is up, received user-set (0.013s latency).

PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack

Filtered ports#

The filtered state means Nmap cannot correctly identify whether the scanned port is open or closed, because either no response is returned from the target for the port OR we get an ICMP error code from the target.

The filtered packets can be either dropped or rejected.

dropped#

When a packet gets dropped, Nmap doesn’t receive a response from the target and resends the request to the target (--max-retries=10 is set by default).

sudo nmap 10.129.2.28 -p 139 --packet-trace -n --disable-arp-ping -Pn

SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44  seq=4175236769 win=1024 <mss 1460>
SENT (1.0411s) TCP 10.10.14.2:60278 > 10.129.2.28:139 S ttl=45 id=7372 iplen=44  seq=4175171232 win=1024 <mss 1460>

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds

In this case the scan took ~2s, which is pretty long for a single host.

rejected#

When a packet gets rejected, we receive an ICMP type 3 / code 3 response indicating the port is unreachable. If the host is alive, we can assume the firewall on this port is rejecting the packets.

sudo nmap 10.129.2.28 -p 445 --packet-trace -n --disable-arp-ping -Pn

SENT (0.0388s) TCP 10.129.2.28:52472 > 10.129.2.28:445 S ttl=49 id=21763 iplen=44  seq=1418633433 win=1024 <mss 1460>
RCVD (0.0487s) ICMP [10.129.2.28 > 10.129.2.28 Port 445 unreachable (type=3/code=3) ] IP [ttl=64 id=20998 iplen=72 ]

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Different types of ICMP error codes:

  • Net Unreachable
  • Net Prohibited
  • Host Unreachable
  • Host Prohibited
  • Port Unreachable
  • Proto Unreachable

UDP scan (-sU)#

UDP is a stateless protocol, so we don’t get any ACK. Consequently, the timeout is much longer, making the UDP scan much slower.

sudo nmap 10.129.2.28 -F -sU

PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
631/udp  open|filtered ipp
5353/udp open          zeroconf

Nmap done: 1 IP address (1 host up) scanned in 98.07 seconds

System administrators sometimes forget to filter the UDP ports in addition to the TCP ones.

Furthermore, we often don’t get a response from the scanned UDP ports (Nmap sends empty datagrams in this scan type), so we cannot determine whether the UDP packet arrived at all. A UDP port shows up as open only when the application behind it is configured to answer such a datagram.

sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -p 137 --reason

SENT (0.0367s) UDP 10.10.14.2:55478 > 10.129.2.28:137 ttl=57 id=9122 iplen=78
RCVD (0.0398s) UDP 10.129.2.28:137 > 10.10.14.2:55478 ttl=64 id=13222 iplen=257
Nmap scan report for 10.129.2.28

PORT    STATE SERVICE    REASON
137/udp open  netbios-ns udp-response ttl 64

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

If we get an ICMP response with error code 3, we know that the port is indeed closed.

sudo nmap 10.129.2.28 -sU -Pn -n --disable-arp-ping --packet-trace -p 100 --reason

SENT (0.0445s) UDP 10.10.14.2:63825 > 10.129.2.28:100 ttl=57 id=29925 iplen=28
RCVD (0.1498s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=11903 iplen=56 ]

PORT    STATE  SERVICE REASON
100/udp closed unknown port-unreach ttl 64

Nmap done: 1 IP address (1 host up) scanned in  0.15 seconds

For all other ICMP responses, the scanned ports are marked as open|filtered. This indicates the firewall or packet filter may protect the port.
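To make the dropped/rejected distinction described above and the UDP states (udp-response, port-unreach, no reply) mechanical instead of read by eye, here is an added shell example; it is not from these notes and not part of Nmap. It classifies every probed port from a saved --packet-trace log: a TCP SYN with no reply is dropped, an ICMP type 3 / code 3 answering a TCP probe is rejected, SYN-ACK is open, RST is closed; for UDP, a datagram back is open, an ICMP port unreachable is closed and any other ICMP error (or silence) is open|filtered. The trace lines are constructed after the ones shown above; falling back to the most recently probed port when an ICMP line carries no port number is an assumption that holds for single-port traces like these.

```shell
#!/bin/sh
# Added example (not from the original notes): classify ports from a
# saved `nmap --packet-trace` log.  Usage:
#   sudo nmap 10.129.2.28 -p 22,139,443,445 --packet-trace -n -Pn > trace.log
#   classify_trace trace.log

# classify_trace: print "port/proto state" for every port that was probed.
classify_trace() {
    awk '
    # "10.129.2.28:445" -> "445"
    function port_of(addr,   a) { split(addr, a, ":"); return a[2] }

    # Probe sent: remember the protocol and assume the worst until a reply
    # arrives (TCP: dropped by a firewall, UDP: open|filtered).
    $1 == "SENT" && ($3 == "TCP" || $3 == "UDP") {
        p = port_of($6); proto[p] = $3; last = p
        if (!(p in state)) state[p] = ($3 == "TCP") ? "dropped" : "open|filtered"
        next
    }
    # TCP reply: SYN-ACK means open, anything carrying RST means closed.
    $1 == "RCVD" && $3 == "TCP" {
        p = port_of($4)
        if ($7 == "SA") state[p] = "open"
        else if ($7 ~ /^R/) state[p] = "closed"
        next
    }
    # UDP reply: only an application configured to answer sends one.
    $1 == "RCVD" && $3 == "UDP" { state[port_of($4)] = "open"; next }
    # ICMP destination unreachable (type 3).  "Port 445 unreachable" names
    # the port; "Port unreachable" does not, so fall back to the last probe
    # (assumption: one port per trace, as in the notes).
    $1 == "RCVD" && $3 == "ICMP" && /type=3\// {
        p = ($8 ~ /^[0-9]+$/) ? $8 : last
        code3 = ($0 ~ /type=3\/code=3/)
        if (proto[p] == "UDP") state[p] = code3 ? "closed" : "open|filtered"
        else                   state[p] = code3 ? "rejected" : "filtered"
        next
    }
    END { for (p in state) printf "%s/%s %s\n", p, tolower(proto[p]), state[p] }
    ' "$1" | sort -t/ -k1,1n
}

# Constructed trace (modelled on the notes, not a real capture).
write_sample_trace() {
    cat > "$1" <<'EOF'
SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44  seq=4175236769 win=1024 <mss 1460>
SENT (1.0411s) TCP 10.10.14.2:60278 > 10.129.2.28:139 S ttl=45 id=7372 iplen=44  seq=4175171232 win=1024 <mss 1460>
SENT (0.0388s) TCP 10.10.14.2:52472 > 10.129.2.28:445 S ttl=49 id=21763 iplen=44  seq=1418633433 win=1024 <mss 1460>
RCVD (0.0487s) ICMP [10.129.2.28 > 10.10.14.2 Port 445 unreachable (type=3/code=3) ] IP [ttl=64 id=20998 iplen=72 ]
SENT (0.0390s) TCP 10.10.14.2:52473 > 10.129.2.28:443 S ttl=49 id=21764 iplen=44  seq=1418633434 win=1024 <mss 1460>
RCVD (0.0401s) TCP 10.129.2.28:443 > 10.10.14.2:52473 SA ttl=64 id=0 iplen=44  seq=2891342412 win=64240 <mss 1460>
SENT (0.0392s) TCP 10.10.14.2:52474 > 10.129.2.28:22 S ttl=49 id=21765 iplen=44  seq=1418633435 win=1024 <mss 1460>
RCVD (0.0403s) TCP 10.129.2.28:22 > 10.10.14.2:52474 RA ttl=64 id=0 iplen=40  seq=0 win=0
SENT (0.0367s) UDP 10.10.14.2:55478 > 10.129.2.28:137 ttl=57 id=9122 iplen=78
RCVD (0.0398s) UDP 10.129.2.28:137 > 10.10.14.2:55478 ttl=64 id=13222 iplen=257
SENT (0.0445s) UDP 10.10.14.2:63825 > 10.129.2.28:100 ttl=57 id=29925 iplen=28
RCVD (0.1498s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=11903 iplen=56 ]
SENT (0.0450s) UDP 10.10.14.2:63826 > 10.129.2.28:68 ttl=57 id=29926 iplen=28
EOF
}

# Stand-alone run: `sh classify_trace.sh demo` prints the table for the sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_trace "$tmp"
    classify_trace "$tmp"
    rm -f "$tmp"
fi
```

On the sample this yields 139/tcp dropped (two SENTs, nothing back) and 445/tcp rejected (ICMP port unreachable), the two filtered cases from above, next to the plain open/closed results; the same log read by hand takes far longer once more than a handful of ports are involved.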

Version scan (-sV)#

The -sV option can identify (or guess) versions, service names and other details about the target.

The service versions are taken from the text banners and from the services themselves; however, the results might be deliberately malformed by the admins.

sudo nmap 10.129.2.28 -Pn -n --disable-arp-ping -p 445 --reason  -sV

PORT    STATE SERVICE     REASON         VERSION
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: Ubuntu

OS detection can also be triggered with -O.

Saving the output#

  • -o[X/N/G] <filename> - save the results as .xml/.nmap/.gnmap
  • -oA <filename> - save the results in all the supported formats at once
  • -oS - try it :-)

We can use xsltproc to convert the XML output into easier-to-read HTML:

xsltproc target.xml -o target.html
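The -sn sweep and the -iL target list from the host discovery section, and the grepable output (-oG, or the .gnmap file that -oA writes) from this one, fit together as a pipeline. The following shell example is added here and is not from these notes or from the Nmap project: it extracts the live hosts from a sweep into a target list, lists the open ports per host from a port scan, and compares two scans so that ports opened since the baseline stand out. The grepable lines are constructed after Nmap's format (tab-separated Host / Status or Ports / Ignored State fields); the file names in the workflow comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): post-process nmap grepable
# output with POSIX awk.  Assumed workflow:
#   sudo nmap 10.129.2.0/24 -sn -oG sweep.gnmap        # host discovery
#   alive_hosts sweep.gnmap > targets.lst
#   sudo nmap -iL targets.lst --top-ports=10 -oA scan   # scan, all formats
#   new_open_ports last_week.gnmap scan.gnmap           # what changed?

# alive_hosts: IPs of hosts a -sn sweep reported as "Status: Up".
alive_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

# open_ports: one "ip port/proto service" line per open port, sorted.
# The gnmap "Ports:" field holds comma-separated entries shaped like
#   port/state/proto/owner/service/rpcinfo/version/
open_ports() {
    awk -F'\t' '
    $1 ~ /^Host: / {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
            }
        }
    }' "$1" | sort
}

# new_open_ports: open ports present in the current scan but absent from
# the baseline, i.e. exposure that appeared since the last run.
new_open_ports() {
    base=$(mktemp); cur=$(mktemp)
    open_ports "$1" > "$base"
    open_ports "$2" > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# Constructed sample files (not real scan data); printf writes the real
# tabs that separate the fields in nmap's grepable format.
write_sample_sweep() {
    printf 'Host: 10.129.2.18 ()\tStatus: Up\n' > "$1"
    printf 'Host: 10.129.2.28 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.129.2.40 ()\tStatus: Down\n' >> "$1"
}
write_sample_baseline() {
    printf 'Host: 10.129.2.18 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n' > "$1"
    printf 'Host: 10.129.2.28 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 443/open/tcp//https///\tIgnored State: closed (998)\n' >> "$1"
}
write_sample_current() {
    printf 'Host: 10.129.2.18 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)\n' > "$1"
    printf 'Host: 10.129.2.28 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n' >> "$1"
}

# Stand-alone run: `sh gnmap_tools.sh demo` walks the pipeline on the samples.
if [ "${1:-}" = "demo" ]; then
    s=$(mktemp); b=$(mktemp); c=$(mktemp)
    write_sample_sweep "$s"; write_sample_baseline "$b"; write_sample_current "$c"
    echo "live hosts:";      alive_hosts "$s"
    echo "open now:";        open_ports "$c"
    echo "newly opened:";    new_open_ports "$b" "$c"
    rm -f "$s" "$b" "$c"
fi
```

Because comm needs sorted input, both lists come out of the same sort call, so the comparison is stable regardless of the order in which Nmap wrote the hosts. The filtered 139/tcp entry never appears in the diff: only state changes to open are reported.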

Performance#

Round-Trip-Time#

  • --initial-rtt-timeout 50ms - sets the specified time value as the initial RTT timeout
  • --max-rtt-timeout 100ms - sets the specified time value as the maximum RTT timeout
  • --min-rtt-timeout - sets the specified time value as the minimum RTT timeout

⚠️ Setting the initial RTT timeout (--initial-rtt-timeout) to too short a time period may cause us to overlook hosts.

Retries#

--max-retries 0 (10 by default)

Using fewer retries may cause us to overlook information.

Rates#

When setting the minimum rate (--min-rate <number>) for sending packets, we tell Nmap to send at least the specified number of packets per second. It will attempt to maintain that rate throughout the scan.

Timing/aggressiveness#

  • -T 0 / -T paranoid
  • -T 1 / -T sneaky
  • -T 2 / -T polite
  • -T 3 / -T normal (default)
  • -T 4 / -T aggressive
  • -T 5 / -T insane

This can have negative effects if the scan is too aggressive, and security systems may block us due to the produced network traffic.


Firewall & IDS/IPS Evasion#

Firewall rules detection#

We can use the TCP ACK scan (-sA). It is much harder to filter, as it only sends ACK packets, and an ACK could belong to an already established connection.

We may see the STATE of unfiltered as a result.

IDS/IPS detection#

IPS example: fail2ban

  • Using multiple VPSes with different IP addresses, aggressively scan a particular port on a particular host.
    • If we are detected, the administrator will probably block the IP address from which we are scanning. As a result, we will no longer be able to access the network using that IP address.
    • Once we lose access to the network from a particular VPS, we can safely assume the administrator has taken some security measures.
    • Consequently, we need to be quieter with our next scans and disguise all interaction with the target network as much as possible.

Decoys#

Random IP (-D RND:<number>)#

Nmap can generate various random IP addresses inserted into the IP header to disguise the origin of the packet sent. Our real IP address is put randomly between the generated IP addresses.

⚠️ Decoys must be alive, otherwise the service on the target may be unreachable due to SYN-flooding security prevention mechanisms.

Specifying source IP address (-S)#

We can manually specify the source IP address to test if we get better results with this one.

DNS Proxying#

Nmap allows us to specify DNS servers ourselves (--dns-server <ns>,<ns>).

This method could be fundamental to us if we are in a DMZ:

  • The company’s DNS servers are usually more trusted than those from the Internet
  • We could use them to interact with the hosts of the internal network
  • Alternatively, we can use TCP :53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through
  • If we have found out that the firewall accepts :53, it is very likely that IDS/IPS filters might also be configured much weaker than others
  • We can test this by trying to connect to this port using nc

Others#

# Find DNS Server bind.version
sudo nmap -sSU -p 53 10.129.203.57 --packet-trace --script dns-nsid

--script-trace#

sudo nmap -sV -p21 -sC -A 10.129.14.136 --script-trace

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 13:54 CEST
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #1 [10.129.14.136:21] (timeout: 7000ms) EID 42
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #2 [10.129.14.136:21] (timeout: 9000ms) EID 50
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #3 [10.129.14.136:21] (timeout: 7000ms) EID 58
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #4 [10.129.14.136:21] (timeout: 11000ms) EID 66
NSE: TCP 10.10.14.4:54226 > 10.129.14.136:21 | CONNECT
NSE: TCP 10.10.14.4:54228 > 10.129.14.136:21 | CONNECT
NSE: TCP 10.10.14.4:54230 > 10.129.14.136:21 | CONNECT
NSE: TCP 10.10.14.4:54232 > 10.129.14.136:21 | CONNECT
NSOCK INFO [11.4660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [10.129.14.136:21] (41 bytes): 220 Welcome to HTB-Academy FTP service...
NSOCK INFO [11.4660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [10.129.14.136:21] (41 bytes): 220 Welcome to HTB-Academy FTP service...
NSE: TCP 10.10.14.4:54228 < 10.129.14.136:21 | 220 Welcome to HTB-Academy FTP service.
