NMAP BIBLE #1

    ________________________________________________________________________
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|_ Learn NMAP and Audit Your Network With IT  *** NMAP BIBLE ***            _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.----------------------------------------------------------------------------.
|                                                                            |
|   Release date : 2021-10-20                                                |
|   Publ/Author  : Adonis Sawan                                              |
|   Language     : English                                                   |
|   Format       : ASCII                                                     |
|____________________________________________________________________________|
.----------------------------------------------------------------------------.
| INSTALLING NMAP                                                            |
| ===============                                                            |
| ► sudo apt install nmap zenmap                                             |
| ► nmap --version                                                           |
| For windows run the nmap exectuable https://nmap.org/dist/nmap-*-setup.exe |
|                                                                            |

 | Nmap Hosts discovery                                                       |
| ====================                                                       |
| Although Nmap is an advanced security tool but also easy to use.           |
| We could simply issue a command from the command line or we can use the    |
| GUI to do this. We simply enter Nmap followed by our targets network       |
| address However, Nmap is flexible in that we aren't limited to just a .    |
| single network address. We could also use a DNS name, a single target      |
| address, a specified number of hosts within a network range, or an external|
| list. We can also exclude hosts if we also choose.                         |
|                                                                            |
| To view all Nmap Option we do                                              |
| ► nmap | less                                                              |
|                                                                            |
| Simple host scan                                                           |
| ► nmap IPADDRESS                                                           |
|                                                                            |
| So let's go ahead and scan our entire network range We can do that by      |
| typing Nmap and the network range we're interested in.                     |
| In this case, it's 192 168.0.0/24 This will scan for all the hosts in the  |
| entire all the hosts in the entire Class C block.                          |
| ► nmap 192.168.0.0/24                                                      |
|                                                                            |
| Scanning hosts from a list. Using a list we could mix and match hosts,     |
| networks or DNS names similarly to how we would from the command line.     |
| The only difference here is that we need to create our list First and then |
| pass it to Nmap during the scanning.                                       |
| So let's create our list with the network and host and then pass it to     |
| nmap using the dash IL switch, so we'll just use Nano to create a file     |
| called hosts.                                                              |
| In this example, I will put one network range and one host inside the file.|
| hosts.txt will contain                                                     |
| 192.168.0.0/24                                                             |
| 192.168.0.100                                                              |
| Now we can use that in our Nmap Command.                                   |
| ► nmap -iL hosts.txt                                                       |
| Also understand that depending on the type of scan you choose such as      |
| scanning A /8 network, this could take a bit of time as their over         |
| 16,000,000 hosts. So just keep these points in mind when planning to use   |
| Nmap in an enterprise.                                                     |
|                                                                            |
| Now let's move past our basic usage and take a look at some host .         |
| discovery option.                                                          |
| What about when we don't really know much about our network? This is where |
| host discovery comes into play,and it's a pretty vital part of the network |
| mapping process.                                                           |
| Now when performing network mapping, there could be instances where        |
| information about the network isn't really known or it's missing.          |
| That's why host discovery is an important step when analyzing a network.   |
|                                                                            |
| Now to discover hosts and map uses several methods. The type is going to   |
| depend on whether you're scanning hosts residing on a local or remote      |
| network and also what options or lack thereof you happen to use at the     |
| command line. So it's important to note that when Nmap is run from the     |
| command line with no options, the default behavior is to first send an     |
| the default behavior is to first send an ICMP echo request to the host     |
| followed by a TCP SYN packet to Port 443. A TCP ACK packet to Port 80, and |
| finally an ICMP timestamp request.                                         |
| Once Nmap completes the ping sweeps and map will proceed to perform a full |
| port scan. However, this isn't exactly what we want. At the moment we're   |
| only interested in discovering hosts, so in this instance we want to use   |
| the dash SN option to perform a simple ping sweep and discover these alive |
| hosts well. let's run a default scan out of host here will target          |
| scanme.org. This is a host that the good people at Nmap have set up.       |
| ► nmap 192.168.1.1 (Scan a single IP)                                      |
| ► nmap 192.168.1.1 192.168.2.1 (Scan specific IPs)                         |
| ► nmap 192.168.1.1-254 (Scan a range)                                      |
| ► nmap scanme.org (Scan a domain)                                          |
| ► nmap 192.168.1.0/24 (Scan using CIDR notation)                           |
| ► nmap -iL targets.txt (Scan targets from a file)                          |
| ► nmap -iR 100 (Scan 100 random hosts)                                     |
| ► nmap --exclude 192.168.1.1 (Exclude listed hosts)                        |
| ► nmap 192.168.1.1-3 -sL (No Scan. List targets only)                      |
| ► nmap 192.168.1.1/24 -sn (No Scan. List targets Disable port scanning.)   |
| ► nmap 192.168.1.1-5 -Pn (Disable host discovery. Port scan only.)         |
| ► nmap 192.168.1.1-5 -PS22-80,110 (TCP SYN discovery on port x.)           |
| ► nmap 192.168.1.1-5 -PA22-80,110 (TCP ACK discovery on port x.)           |
| ► nmap 192.168.1.1-10 -PU53 (UDP discovery on port x.)                     |
| ► nmap 192.168.1.1-1/24 -PR (ARP discovery on local network)               |
| ► nmap 192.168.1.1 -n (No do DNS resolution)                               |
| ► nmap 192.168.1.1 -p 21 (Port scan for port x)                            |
| ► nmap 192.168.1.1 -p 21-110 (Port range)                                  |
| ► nmap 192.168.1.1 -p U:53,T:21-80,110 (scan multiple TCP and UDP ports)   |
| ► nmap 192.168.1.1 -p- (Port scan all ports)                               |
| ► nmap 192.168.1.1 -p http,https,ftp,ssh (Port scan from service name)     |
| ► nmap 192.168.1.1 --top-ports 2000 (Port scan the top x ports)            |
| ► nmap 192.168.1.1 -p-65535 (Scan start at port 1)                         |
| ► nmap 192.168.1.1 -p0- (go through to port 65535)                         |
|                                                                            |

| Nmap basic scanning                                                        |
| ===================                                                        |
| We will perform a default scan and will add the dash V option which will   |
| give us output in verbose mode, so nmap.                                   |
| ► nmap -v scanmean.org                                                     |
| Nmap default behavior is to ping the host 1st to see if it's alive.        |
| Once it completes this sweep, it will perform its port scanning and add    |
| that to the output Nmap does this by sending an ICMP packet to the host.   |
| When Nmap receives a response which is an echo reply Then Nmap reports the |
| host is alive. If we add the dash SN option and scan our target, Nmap will |
| initiate an ARP scan to detect if a host is alive.                         |
| Nmap response with only that the host is alive and doesn't perform a port  |
| scan.                                                                      |
|  ► nmap -v -sn 192.168.0.100                                               |
| This has a couple of advantages. For one, if we're scanning a large        |
| network, this could cut down on the amount of processing time, the second  |
| one is that going to cut down on what the target machine logs from an      |
| Intrusion perspective.                                                     |
|                                                                            |
| What happens if the network administrator blocks ICMP? We will use the dash|
| PS option to send a SYN packet to Port 443 but will also use the dash SN   |
| option which still disables the port scan which is more intrusive.         |
| ► nmap -v -sn -PS443 --disable-arp-ping 192.168.0.100 --packet-trace       |
| We diable arp ping and we add packet trace, this is going to allow us to   |
| see the network communication between the hosts.                           |
| Nmap will send a syn packet to Port 443 in return Nmap receives a packet   |
| with the ACK and reset flag set. This indicates the targets attempt to     |
| establish a connection, thereby confirming the host is up.                 |
|                                                                            |
| We can change the type of packet we use, for instance an ACK packet to     |
| Port 80. We can do this by using the dash PA option.                       |
| ► nmap -v -sn -PA80 --disable-arp-ping 192.168.0.100 --packet-trace        |
| In this case you can see that Nmap sends an ack packet. The remote host    |
| thinks that a connection exists to exchange data. So the remote host sends |
| sends Nmap a reset packet, thereby confirming the host is up.              |
| confirming the host is up.                                                 |
|                                                                            |
| Once you've identified a confirm hosts that exist within your network,     |
| you can then continue your analysis process to identify areas of risk by   |
| performing port scanning.                                                  |
|                                                                            |
| Port scanning is the process of testing numerous ports to determine what   |
| state these ports are in. Usually the most interesting state of a port is  |
| open. Support scanning is useful for a couple of reasons.Security,         |
| auditing, asset management and compliance testing.                         |
| For instance, maybe you're interested in finding unauthorized file sharing |
| servers or printers by scanning the open ports, we can reveal security     |
| weaknesses or provide an application inventory. Or, we could even validate |
| our software compliance by showing that we've adhered to approved policies.|
|                                                                            |
| Each computer has 65,535 ports and they are similar to an IP address in    |
| that it identifies where application specific network traffic is intended. |
| For example, by default a web browser connects to TCP port 80 by default.  |
| However, if you specify HTTPS, port 443 will be used.                      |
|                                                                            |
| Nmap classifies ports in six states open, closed, filtered, unfiltered,    |
| open | filtered and closed | filtered.                                     |
|                                                                            |
| Now open ports are such that they are accepting connections via TCP and UDP|
| Nmap determines this by sending a TCP syn packet to the open port.         |
| If the host sends a packet back with SYN and ACK flag set, the port is open|
|                                                                            |
| Close ports are such that there is a port accessible, but there's no       |
| application listening. Close ports are determined by sending a syn packet  |
| to the port, and Nmap receiving a reset packet in response.                |
|                                                                            |
| However, just because these ports are closed doesn't mean they aren't      |
| useful. Close ports can be useful during additional host discovery and OS  |
| discovery techniques.                                                      |
|                                                                            |
| The last four port states are typically where there's security             |
| appliances in the middle of the communication between Nmap and the port.   |
|                                                                            |
| Filtered ports are ones in which a syn packet is sent to a port, and       |
| there's no response at all. Usually this means that there's a firewall or  |
| some type of security appliance filtering the port.                        |
|                                                                            |
| Unfiltered ports are ports in which in map has determined the port is      |
| accessible, but can't determine whether the port is open or closed.        |
|                                                                            |
| In Open | filtered and close | filtered are stats Nmap cannot even         |
| determine whether the ports are open, closed or filtered                   |
|                                                                            |
| If you run nmap with no options, it's going to perform a TCP syn scan.     |
| But we can also enable this behavior by using the dash S Capital S switch. |
| So if I want to scan using a TCP syn packet, the switch would be dash s    |
| small for scan and capital S for syn. If I want to use a TCP connect scan, |
| I would use dash s small for scan and dash S Capital T for connect.        |
| Syn scan is the most frequently used port scan, this is because it could   |
| be performed quickly. It's also relatively stealthy because it doesn't     |
| complete a TCP connection and allows a clear distinction between open,     |
| closed and filtered ports.                                                 |
|                                                                            |
| So let's run a simple syn scan at scanme.org and see what type of ports are|
| open.                                                                      |
| ► nmap -v -sS scanme.org                                                   |
| You can specify which port to scan by using the dash P option.             |
| You can also use the application name SSH instead of port 22.              |
| ► nmap -v -sS -p22 scanme.org                                              |
| ► nmap -v -sS -p ssh scanme.org                                            |
| You can also scan multiple ports at one time just by separating the ports  |
| with a comma. So -p25,22,80 for instance.                                  |
| ► nmap -v -sS -p25,22,80 scanme.org                                        |
| You can also scan a range of ports by specifying the range, let's say      |
| 8000 through 8010.                                                         |
| ► nmap -v -sS -p8000-8010 scanme.org                                       |
|                                                                            |
| In addition to a TCP scan Nmap also supports UDP port scanning.            |
| To perform this type of scan, we simply use a capital U instead of a S.    |
| ► nmap -v -sU -p8000-8010 scanme.org                                       |
| ► nmap -v -sU -p53,67-68,161-162 scanme.org                                |
| Because UDP is a connectionless protocol, the port or service running on   |
| it isn't obliged to send a response. UDP scanning is often slow.           |
|                                                                            |
| The last basics scan is a protocol scan. This is performed with dash O.    |
| Protocol scan is similar to UDP in that it usually takes a time to perform.|
| ► nmap -v -sO -p25,22,80 scanme.org                                        |
| ► nmap -v -sO -p1,6,17,47,50,110 scanme.org                                |
| Although this doesn't technically qualify as a port scan, it's useful when |
| you want to determine the purpose of a host. For instance, firewalls may   |
| only offer ports like GRE or ESP, used for VPNs.                           |
|                                                                            |

| Scan Techniques                                                            |
| ===============                                                            |
| ► nmap 192.168.1.1 -sS (TCP SYN port scan (Default))                       |
| ► nmap 192.168.1.1 -sT (TCP connect port scan)                             |
| ► nmap 192.168.1.1 -sU (UDP port scan)                                     |
| ► nmap 192.168.1.1 -sA (TCP ACK port scan)                                 |
| ► nmap 192.168.1.1 -sW (TCP Window port scan)                              |
| ► nmap 192.168.1.1 -sM (TCP Maimon port scan)                              |
|                                                                            |
| Using Nmap for Service and Version Detection                               |
| ============================================                               |
| To perform service inversion detection, nmap uses its services database    |
| to detect about 2000 well known services. Usually Nmap reports the         |
| information correctly, however we want to know what versions of these      |
| services are running on these ports, because this information will help us |
| determine what exploits exist for that application.                        |
|                                                                            |
| To run a simple service detection scan, Nmap uses a simple switch dash s   |
| Capital V from the command line with the target host name or IP            |
| ► nmap -v -sV scanme.org                                                   |
| Also attempts to identify the DNS names for the target as well as the      |
| running operating systems and the version of the kernel.                   |
|                                                                            |
| By default Nmap doesn't probe all ports when running this scan. But you    |
| can specify Nmap to scan all ports using the allports option. In addition, |
| you could set the level of probes sent to a port with the version          |
| intensity option by default, Nmap uses a level 7, but you can set the      |
| intensity yourself by using a Number from zero to 9.                       |
| ► nmap -v -sV --allports scanme.org                                        |
| ► nmap -v -sV --allports --version-intensity 9 scanme.org                  |
| ► nmap -v -sV --allports --version-all scanme.org                          |
| --version-all specify intensity of level 9                                 |
| Probes are classified between one and nine, with one being very common and |
| highly useful, and 9 being rare in less useful.                            |
| Usually the higher the intensity scan these take longer since they use     |
| more of the rare probes, but you're more than likely to have services.     |
| --version-trace with the version trace option you can get detailed         |
| information during the detection process.                                  |
| ► nmap -v -sV --allports --version-all --version-trace scanme.org          |
| ► nmap 192.168.1.1 -sV                                                     |
|   Attempts to determine the version of the service running on port         |
| ► nmap 192.168.1.1 -sV --version-intensity 8                               |
|   Intensity level 0 to 9. Higher number increases correctness              |
| ► nmap 192.168.1.1 -sV --version-light                                     |
|   Enable light mode. Lower possibility of correctness. Faster              |
| ► nmap 192.168.1.1 -sV --version-all                                       |
|   Enable intensity level 9. Higher possibility of correctness. Slower      |
| ► nmap 192.168.1.1 -A                                                      |
|   Enables OS detection, version detection, script scanning, and traceroute |
|                                                                            |

| Using Nmap for OS Detection                                                |
| ===========================                                                |
| The operating system is one of the most valuable pieces of information you |
| can discover about your network hosts as internal testers and as attackers.|
| Operating system scans have certain benefits. The first, then maybe the    |
| most obvious is that by detecting the OS you can determine which services  |
| are running in which are good candidates to exploit due to their           |
| vulnerabilities, or if that vote liberally has been patched.               |
| As an internal tester, if you are a Windows 10 shop and a new              |
| vulnerabilities released, you can simply scan the whole network and find   |
| machines that need to be patched before the attackers do.                  |
|                                                                            |
| OS detection can also be helpful because if you do detective vulnerability |
| using this information you may be able to craft exploits for payloads to   |
| match a target OS architecture.                                            |
| OS detection is great for detecting unauthorized and potentially dangerous |
| devices such as rogue access points.                                       |
|                                                                            |
| To perform an Nmap OS detection scan, you simply use the dash capital O    |
| switch and then of course the name or IP address of your target.           |
| Also include the V option for a more verbose output.                       |
| ► nmap -v -O scanme.org (OS detection using TCP/IP stack fingerprinting)   |
| ► nmap -v -sV -O scanme.org                                                |
| ► nmap -v -A scanme.org    (aggressive scan)                               |
| ► nmap 192.168.1.1 -O --osscan-limit                                       |
|   TCP port are not found it will not try OS detection against host         |
| ► nmap 192.168.1.1 -O --osscan-guess                                       |
|   Makes Nmap guess more aggressively                                       |
| ► nmap 192.168.1.1 -O --max-os-tries 1                                     |
|   Set the maximum number x of OS detection tries against a target          |
|                                                                            |
| Nmap has some additional options for OS detection                          |
| The first is OS scan limit --osscan-limit                                  |
| Using this option, users can omit host that don't have at least one open   |
| one close port This can save you a lot of time.                            |
| ► nmap -v -Pn -O --osscan-limit scanme.org                                 |
|                                                                            |
| Next is the OS scan Guess --osscan-guess this option can be useful if you  |
| want Nmap to guess the OS more aggressively.                               |
| ► nmap -v -Pn -O --osscan-guess scanme.org                                 |
|                                                                            |
| Lastly, is Max OS tries. With this option you can specify the amount of    |
| times and nmap tries to fingerprint the OS. The default is trying five     |
| times under favorable OS conditions and two times when they aren't so good.|
|                                                                            |
| A technique that could be quite useful as well as speed up the time nmap   |
| takes to perform host discovery, is to use some DNS options.               |
| The first is the scan list option, which is specified by dash s capital L. |
| ► nmap -v -sL 192.168.1.100                                                |
| Using this option we can list the DNS name for a target host or hosts on a |
| network with this type of scan, though, it doesn't send packets, rather    |
| only resolves their names.                                                 |
| This could ensure that you've got correct names for your targets.          |
| However, we can completely remove DNS resolutions with the dash N option.  |
| This has a result of speeding up nmap considerably.                        |
| To illustrate, let's simply pick 10 hosts at random and see if they're up. |
| ► nmap -v -sn -iR 10                                                       |
| This is a simple ping sweep specifying 10 random hosts. Let's eliminate    |
| DNS resolution by specifying the dash -n option.                           |
| ► nmap -v -sn -n -iR 10                                                    |
|                                                                            |
| With DNS resolution you can also specify your own DNS servers to resolve   |
| names by using the dash DNS servers options.                               |
| This also has the added benefit of making your queries more stealthy.      |
| ► nmap -v --dns-servers 8.8.8.8,4.4.4.4 scanme.org                         |
|                                                                            |
| There's going to be instance when we need to probe a little bit further to |
| get information back, like if ICMP is blocked by a Firewall.               |
| Nmap can send different ICMP packets via the ping program. Usually these   |
| are blocked by Firewalls However, for internal testing that can be pretty .|
| practical and efficient.                                                   |
| Nmap supports 3 pink types. The Echo reply, ICMP Type 8 and Nmap uses this |
| by default,  but it can be specified using the dash PE option as well as   |
| the time stamp and address mask options dash -PP dash -PM                  |
| ICMP (-PE, -PM, -PP) These are going to be ICMP types 13 15 17. They can   |
| be used for host discovery when admin specifically block echo packets.     |
| If all ICMP probes are blocked you want to try the TCP protocol.           |
| This is going to be a good option because servers must respond to public   |
| services it provides with the TCP syn packet, and we do this by using the  |
| dash PS option and with the dash PA option this is TCP ack packets.        |
| They're pretty good for bypassing stateful firewalls. TCP (-PS, -PA)       |
|                                                                            |
| I recommend using a combination of the two while probing ports for common  |
| services such as HTTP and HTTPS.                                           |
|                                                                            |
| One option you can implement is adding a source port for scanning.         |
| This option is great for pink scanning when administrators make a rule set |
| exception to Port 53 and port 20.                                          |
| To illustrate, this type of scan, let's combine these ICMP probes and      |
| pointed at host which is running a firewall which is blocking ICMP         |
| First, let's confirm our firewall by attempting to ping the host           |
| ► ping -c 192.168.1.110                                                    |
| We will use the dash C option to send three                                |
| The host it's not responding.                                              |
| Let's try host discovery using only ICMP echo requests by specifying the   |
| dash PE option. In addition, we're going to have to specify the send IP    |
| option,  which is the same as disabling arp pings and will use dash reason |
| so that we can see what type of messages Nmap received in response and we  |
| will use the dash dash Packet trace option to look at the packets as their |
| traversing the network.                                                    |
| ► nmap -v -sn -n -PE IPADDRESS --send-ip --reason --packet-trace           |
| Since we are testing a Firewall, so let's add the dash-PM dash -PP options |
| to scan with other types of ICMP probes.                                   |
| ► nmap -v -sn -n -PE -PM -PP IPADDRESS --send-ip --reason --packet-trace   |
| Nmap reports that a timestamp reply has been received and the host is up.  |
|                                                                            |
| Let's perform a simple ping sweep with dash SN will disable DNS with dash  |
| -n and will add ICMP probes with dash -PE and dash -PP next will add syn   |
| scan by using the -PS option and here let's specify ports 80. 443 and 3389 |
| we'll add the dash -PA option on port 21 to attempt a stateful firewall    |
| bypass using ack packets and for optimal effectivness we can use a high    |
| random UDP port of 40025 using a dash -PU option as well as being sure the |
| probe is initiated from our source port 53 and will use dash reason so     |
| that we can see what type of messages Nmap received in response and we     |
| will use the dash dash Packet trace option to look at the packets as their |
| traversing the network.                                                    |
| ► nmap -v -sn -n -PE -PP -PS80,443,3389 -PA21 -PU40025 --source-port 53    |
|   IPADDRESS --send-ip --reason --packet-trace                              |
| ► nmap -v -sn -n -PE -PM -PP -PS80,443,3389 -PA21 -PU40025 --source-port 53|
|   IPADDRESS --send-ip --reason --packet-trace                              |
| Now this is great for scanning for one host, but how do we combine multiple|
| hosts. For example if I knew was going to look for firewalls on my network |
| that were misconfigured to accept ICMP Timestamp packets, I might combine  |
| the dash PE option with this type of scan to return misconfigured host.    |
| As well as combine the ack packet probes to properly respond to configured |
| hosts that are reported as up.                                             |
| We can do this by specifying a file that is hosts.txt with the dash IL     |
| Command and by adding the dash dash send IP option to disable ARP.         |
| ► nmap -v -sn -n -PE -PP -PS80,443,3389 -PA21 -PU40025 --source-port 53    |
|   -iL host.txt --send-ip --reason --packet-trace                           |
|                                                                            |

| Nmap Information Output                                                    |

| =======================                                                    |
| Nmap has a few different ways it can output it scan results to allow us to |
| read it properly.                                                          |
| Nmap offers several formats to present data to its users by default it is  |
| Interactive mode. Using this mode, we can also modify Nmaps behavior while |
| running scans. we can turn on package tracing messages by pressing P or    |
| enable verbose messages by pressing V. Disable packet tracing SHIFT+p or   |
| disable verbose SHIFT+v.                                                   |
|                                                                            |
| The second is normal output. We enable output mode is to append the dash.  |
| -o and capital N option followed by a file name as an argument.            |
| ► nmap -v IPADDRESS -oN scanout.txt                                        |
|                                                                            |
| Nmap also supports a greppable output specified by Dash -o Capital G       |
| ► nmap -v IPADDRESS -oG scanout.txt                                        |
| In addition to out putting information to a file, you also have the chance |
| to send greppable output to the screen using a the dash that is just       |
| replace filename with dash and the display will print the scan details.    |
| This is provided so that you can pipe the output two different tools.      |
| So let's say you're scanning your network for all hosts with port 80 open. |
| You want to gather this information quickly and you want to use it later   |
| in a script or you want to make a list of hosts to investigate further.    |
| Using grepable output we can simply craft our scan this would be probing   |
| for port 80 While piping our output to the Awk command with Awk you can    |
| search for any line that contains the word open of the output and prints   |
| the second field of the line which is the IP address along with our output |
|  string.                                                                   |
| ► nmap -v -Pn -p80 192.168.0.0/24 -oG - | awk '/open/{print                |
|   "Host: " $2 " is open on port 80"}'                                      |
| Dash -Pn to skip host discovery                                            |
| The output will be something like this:                                    |
| Host: 192.168.0.110 is open on port 80                                     |
| Host: 192.168.0.115 is open on port 80                                     |
| Host: 192.168.0.120 is open on port 80                                     |
|                                                                            |
| ► nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open                    |
| show which IPs are running web servers                                     |
|                                                                            |
| Next is XML output. XML output is specified using the dash -o capital X    |
| option and we can invoke it by using a file name as an argument.           |
| The XML formats pretty powerful, it's flexible, it's stable in It's a      |
| format that can easily be parsed by software such as Python.               |
| ► nmap -v -sV 192.168.0.110 -oX scanxmlout                                 |
| ► nmap -v -sV -p80 192.168.0.0/24 -oX scanxmlout                           |
| ► nmap -v -Pn -p80 192.168.0.0/24 -oX scanxmlout                           |
| XML output is one of the most important output types because it can be     |
| converted to HTML It could be parsed by the nmap GUI and it also can be    |
| imported into databases.                                                   |
|                                                                            |
| ► nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > uphosts.txt  |
| Generate a list of the IPs of live hosts                                   |

| One advantage of using XML is that it's pretty easy to read and understand.|
| However, there's a field or two in the output that I probably should       |
| explain a little. If you look at the port element you can see that there's |
| a method and a conf, field. These fields are telling us how Nmap retrieved |
| this port information. Was it probed, meaning it was gained through        |
| service detection or was it taken from a table which means it was taken    |
| from the Nmap Services file. The Conf field is the confidence that Nmap    |
| has the service correct The value is from one to 10 with 10 being the most |
| confident and map has some powerful options to either display information  |
| or save it to a file for later use.                                        |
|                                                                            |

| Advanced TCP Scans                                                         |
| ==================                                                         |
| So now let's take a look at some advance scans that go beyond what Nmap is |
| doing by default. The first type of scan is the TCP connect scan.          |
| Technically the TCP connect scan isn't in advance can. However I mention   |
| it here because we're going to be manipulating TCP packets just a little   |
| bit, and it's useful to know in which situations a TCP SYN scan and a TCP  |
| connect scan is best to use.                                               |
|                                                                            |
| So typically we use a TCP connect scan when a TCP syn scan is not a viable |
| option due to the lack of raw packet privileges with a TCP connect scan    |
| Nmap doesn't craft packets itself.                                         |
| Rather it uses the base OS to establish a connection with the target       |
| machine, typically a TCP syn scan is a better choice when available, but   |
| with TCP connect scans it's important to note that these scans complete    |
| with the entire 3 way handshake, Known as a full connection with full      |
| connections, the first 2 steps the syn in the syn ack happened first, but  |
| instead of Nmap aborting the half open connection by sending a reset flag, |
| as with syn scans, it responds with its own acknowledgement packet to      |
| complete the connection.                                                   |
| Why are we talking about this? Well, as we are doing some internal testing,|
| we may want to test and see what is logged to our firewall or syslog.      |
| A SYN scan is a bit more stealthy, so if as an administrator you see a lot |
| of connects scans in your logs, you may conclude that a connection scan    |
| was targeting your host or network.                                        |
|                                                                            |
| To perform a TCP connect scan will use the dash -s capital T target.       |
| ► nmap -v -sT 192.168.0.10                                                 |
| If we do SYN scan the time to finish the scan will be less than connect.   |
| ► nmap -v -sS 192.168.0.10                                                 |
|                                                                            |
| Nmap gives us away to manipulate a raw packet. So to solicit a response    |
| from a target, the FIN, NULL and Xmas scans. We do this by using nmap to   |
| change the flags in the TCP header and indicate to the target what it      |
| should do with a particular connection.                                    |
| Now the most commonly used flags are SYN, ACK, RST and FIN.                |
| The FIN flag is used to request a connection termination.                  |
| This is typically the last packet sent by sender in normal communication.  |
| However, SYN scan nmap is going to terminate its connection using the      |
| reset flag, which is the half open connection. This is similar to the FIN, |
| however the termination is more abrupt in the data used in the connection  |
| is discarded.                                                              |
| The last two flags we can manipulate is the push an urgent flag.           |
| This is part of the Xmas scan. These are used for packet processing.       |
|                                                                            |
| To implement a null, Fin, or Xmas scan. All we need to do is specify their |
| command line options. so we use dash -s capital N for null. We use the dash|
| capital F for a Fin flag, and we use dash -s Capital X.                    |
| Here is Xmas scan command                                                  |
| ► nmap -v -sX -p80,443,445 192.168.0.10 --reason --packet-trace            |
|                                                                            |

| Optimizing Timing                                                          |
| =================                                                          |
| I will cover controls that are available so that we can speed up Nmap and  |
| run scans that are effective for internal tests in larger networks.        |
| if you're scanning a network for the first time in the only thing you're   |
| trying to do is determine if hosts are up. You can simply use a ping       |
| sweep scan. This limits the number of packets sent to the host.            |
| Instead of performing a full port scan that scans the full 65 thousand or  |
| first 1000, which in nmap does by default you can limit yourself to the    |
| top 100 ports with the dash F option.                                      |
| This can make scans go up to 10 times faster.                              |
|                                                                            |
| Nmap offers 6 timing templates to allow how aggressive a scan should be,   |
| and allows nmap to pick exact timing values.                               |
| This templates we specify them at the command line by using the dash       |
| capital -T option Followed by the speeds zero through 5.                   |
| The first 2 are paranoid in sneaky, and these are typically used for IDs,  |
| evasion and avoiding IDs alerts, but they're slow so use them with caution.|
| Next, we have polite in normal mode Polite mode slows down scans to use    |
| less bandwidth and it's the default, so T3 does nothing.                   |
| Aggressive and insane mode These make the assumption that you're on an     |
| extremely fast network, which we typically are on these days. However,     |
| because of the speed and times of the probes, sometimes we sacrificed some |
| accuracy, but more so with the insane scan rather than aggressive.         |
|                                                                            |
| If you're conducting internal test, you would stick with using the         |
| aggressive or insane modes. With these modes we can achieve a very high    |
| level of performance and conduct your assessments quicker.                 |
| ► nmap -v -n -F -T5 192.168.0.0/24                                         |
| ► nmap -F -T4 192.168.0.0/24                                               |
| ► nmap -F -T5 192.168.0.0/24                                               |
| ► nmap -sS -F -T5 192.168.0.0/24                                           |
| ► nmap -sU -F -T5 192.168.0.0/24                                           |
|                                                                            |
| ► nmap -sn 192.168.0.0/24 -oX or -oG <outfilename>                         |
| ► nmap -F -iL targets.txt (contain a list of hosts to scan)                |
| ► nmap 192.168.1.1 --top-ports 2000 (Port scan the top x ports)            |
| ► nmap 192.168.1.1 -F (Fast port scan (100 ports))                         |
| ► nmap 192.168.1.1-1/24 -PR -sn -vv (Arp discovery local network, no scan) |
| ► nmap -iR 10 -PS22-25,80 -v -sn (Discovery only ports x, no port scan)    |
| ► nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1 (Query DNS for hosts)   |
|                                                                            |
| ► nmap 192.168.1.1 -T0 (Paranoid (0) Intrusion Detection System evasion)   |
| ► nmap 192.168.1.1 -T1 (Sneaky (1) Intrusion Detection System evasion)     |
| ► nmap 192.168.1.1 -T2 (Polite (2) use less bandwidth and resources)       |
| ► nmap 192.168.1.1 -T3 (Normal (3) which is default speed)                 |
| ► nmap 192.168.1.1 -T4 (Aggressive (4) speeds scans)                       |
| ► nmap 192.168.1.1 -T5 (Insane (5) speeds scan)                            |
|                                                                            |
| NSE nmap scripting engine                                                  |
| =========================                                                  |
| Nmap scripting engine allows users to write simple scripts to Automate     |
| a lot of different types of networking tasks. Tt can perform network       |
| discovery, enhanced version vulnerability and backdoor detection as well   |
| as vulnerability exploitation.                                             |
| Nmap scripts are written in the lua scripting language, which is similar   |
| to Python, but actually it's pretty easy to learn.                         |
|                                                                            |
| To invoke scripts, you can use the dash -sC option, or you can use the     |
| dash scripts target. The difference is that with SC there's a set of       |
| default or common scripts that are involved, and when you use the --       |
| script name, you can specify a certain script that's included with nmap    |
| or you can use a script of your own.                                       |
| ► -Sc or -script <script name>                                             |
| ► nmap -sC 192.168.1.110                                                   |
| ► nmap 192.168.1.1 -sC (Scan with default NSE scripts)                     |
| ► nmap 192.168.1.1 --script default (Scan with default NSE scripts)        |
| ► nmap 192.168.1.1 --script=banner (Scan with a single script. e.g. banner)|
| ► nmap 192.168.1.1 --script=http* (Scan with a wildcard. Example http)     |
| ► nmap 192.168.1.1 --script=http,banner (two scripts. e.g. http and banner)|
| ► nmap 192.168.1.1 --script "not intrusive"(default, not intrusive scripts)|
| ► nmap --script whois* domain.com (Whois query)                            |
| ► nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1|
|   (NSE script with arguments)                                              |
| ► nmap -Pn --script=http-sitemap-generator scanme.org                      |
|   (http site map generator)                                                |
| ► nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000    |
|   Fast search for random web servers                                       |
| ► nmap -Pn --script=dns-brute domain.com                                   |
|   Brute forces DNS hostnames guessing subdomains                           |
| ► nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,             |
|   smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1                 |
|   Safe SMB scripts to run                                                  |
| ► nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org           |
|   Detect cross site scripting vulnerabilities                              |
| ► nmap -p80 --script http-sql-injection scanme.nmap.org                    |
|   Check for SQL injections                                                 |
|                                                                            |
| Let me show you how this works by a script scan against 192.168.1.110      |
| We start by running a port scan, will do this because if we know what the  |
| open ports are and the services that run on those ports, then we can       |
| exploit them using our scripts.                                            |
| So we start with nmap dash -sS will do a syn scan and will do a version    |
| scan and we will make it really fast and will point to our box.            |
| ► nmap -sS -sV -T5 192.168.1.110                                           |
| I want to attack a specific service, let's say SSH. We want to exploit, we |
| need to see what scripts we have for SSH so we can do that using the       |
| locate command.                                                            |
| ► locate *.nse | grep "ssh"                                                |
| So here we have all of our SSH scripts that we can run.                    |
| I will use a SSH brute force attack against the SSH service.               |
| All we need to do is use the dash dash script target with the script name  |
| as an argument.                                                            |
| ► nmap --script ssh-brute 192.168.1.110 -vv                                |
| We are emulating a brute force attack against our SSH server and it will   |
| keep trying until we tell it to stop.                                      |
|                                                                            |

| Firewall Scanning                                                          |
| =================                                                          |
| We need to conduct an assessment on how attackers could possibly subvert   |
| our security appliances. We can do this using the TCP ack scan -sA, this   |
| creates and sends a packet to the target with only the active flag being   |
| set. In response, unfiltered systems are going to respond with a reset     |
| packet for both open in close ports and nmap labels them as unfiltered.    |
| This means that ports are reachable by the ack packet, but Nmap can't tell |
| if the ports are open or closed, so if the ack packet is dropped, or an    |
| ICMP messages received a response, this means the port is filtered and nmap|
| is unable to tell if the port is open or closed.                           |
|                                                                            |
| So the main purpose for the ACK scan is the scan Firewalls to determine    |
| their connection state in Rule sets, now how is this possible.?            |
| This is because of how firewalls are able to filter certain packets.       |
| Ack packets are harder to filter because it's difficult to determine which |
| side of the communication had initiated the conversation.                  |
| Firewalls must state fully watch established connections to determine      |
| whether a given act response is appropriate to determine whether a firewall|
| is stateful or stateless.                                                  |
|                                                                            |
| We could scan the host first with the SYN Scan. Now usually this is the    |
| first step towards appliance evasion. First we try to understand the host  |
| as much as possible so that we can bypass it.                              |
| So we will ahead and run a syn scan against our host and determine if      |
| there's any type of firewall, so Nmap Dash s Capital S Dash F and will     |
| make it really fast Dash T5 and will use the reason target..               |
| ► nmap -sS -F -T5 192.168.1.110 --reason                                   |
| ► nmap -sA -F -T5 192.168.1.110 --reason                                   |
| if by using -sA we get all ports are filtered, we can assume the target    |
| host is a windows box and it has a firewall. To confirm we run scan with   |
| service and version identification and put some ports.                     |
| ► nmap -sS -F -sV -O -p22,139,445 192.168.1.110 --reason                   |
|                                                                            |
|                                                                            |

 
.----------------------------------------------------------------------------.
|   NMAP Bible #1                                                            |
|   Main focus: Research attack and defense in information warfare.          |
|   In my free time I work with Leather and I shot slingshots.               |
|_                                                           Adonis Sawan   _|
   \________________________________________________________________________/
   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

THIS WILL CONTINUE ON NMAP BIBLE #2