Scanning

Networks
@mmar

1
Network Scanning refers to the set of procedures adopted for
identifying a network’s hosts, ports and services. It is one of the
key components of intelligence gathering that attackers use to
create a profile of the target organization
It has the following main objectives:
 Discover live hosts, IP addresses and open ports of all live hosts
 Discover OS and system architecture
 Discover services running on hosts
 Discover vulnerabilities on live hosts
 NMAP
 Network Mapper (Nmap) is an open-source network analysis and
security auditing tool written in C, C++, Python, and Lua. It is designed
to scan networks and identify which hosts are available on the
network using raw packets, and services and applications, including
the name and version, where possible. It can also identify the
operating systems and versions of these hosts. Besides other
features, Nmap also offers scanning capabilities that can determine if
packet filters, firewalls, or intrusion detection systems (IDS) are
configured as needed

3
Host Discovery
@mmar

4
Host Discovery is the always the first step in ethical hacking. It
involves the enumeration of IP addresses of the systems available
in the environment
 Netdiscover
 Netdiscover can be used to inspect your network ARP traffic or find
network addresses using auto scan mode, which will scan for
common local networks.

6
 Netdiscover
 Netdiscover is used to scan for the live hosts on the network

netdiscover -i (network interface name)

7 @mmar
There are various ways to discover online hosts. When no host
discovery options are provided, Nmap follows the following
approaches to discover live hosts:
 When a privileged user tries to scan targets on a local network (Ethernet), Nmap
uses ARP requests.
 When a privileged user tries to scan targets outside the local network, Nmap uses
ICMP echo requests
 When an unprivileged user tries to scan targets outside the local network, Nmap
resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
 Ping Scan
 Ping scan is used to scan for the live hosts on the network

>nmap –sn 192.168.18.1/24

9 @mmar
 Arp Scan
 Arp scan is another method to scan for the live hosts on the
network
nmap -sn -PR 192.168.18.0-255

10 @mmar
 Misc Nmap Scans
 Nmap has a vast variety of scans aval. Some of the most
useful scans for host discovery are listed below

nmap -sn -PU 192.168.18.110 //UDP ping scan

nmap -sn -PE 192.168.18.1-255 //ICMP Echo Ping scan
nmap -sn -PM 192.168.18.1-255 //Mask Ping scan (use if ICMP is blocked)
nmap -sn -PP 192.168.18.1-255 //ICMP timestamp scan (use if ICMP is blocked)
nmap -sn -PS 192.168.18.1-255 //TCP Syn ping scan
sudo nmap -PA - 192.168.18.1-255 //TCP Ack ping scan

11 @mmar
 Angry IP Scanner
 Angry IP Scanner is an open-source and cross-platform network
scanner designed to be fast and simple to use

12
 Angry IP Scanner
 You can download and install the tool on Windows from the
official website

https://angryip.org/

13 @mmar
 Angry IP Scanner
 Open the Preference and ensure that pinging method is set
to UDP+TCP

14 @mmar
 Angry IP Scanner

 In display tab, change to display only live hosts

15 @mmar
 Angry IP Scanner

 Now provide the IP range and scan for targets

16 @mmar
Port States

17
 Port States
• At the risk of oversimplification, we can classify ports in two states:
• Open port indicates that there is some service listening on that port.
• Closed port indicates that there is no service listening on that port.

• While many port scanners have traditionally labelled all ports into the open or
closed states, Nmap is much more granular.
• It divides ports into six states: open, closed, filtered, unfiltered, open|filtered, or
closed|filtered
• These states are not intrinsic properties of the port itself, but describe how Nmap sees
them
• For example, an Nmap scan from the same network as the target may show port 135/tcp as
open, while a scan at the same time with the same options from across the Internet might show
that port as filtered
 Port States
• open – indicates that an application is listening for connections on the port. The primary goal of port
scanning is to find these.
• closed – indicates that no service is listening on the specified port, although the port is accessible. By
accessible, we mean that it is reachable and is not blocked by a firewall or other security
appliances/programs.
• filtered – means that Nmap cannot determine if the port is open or closed because the port is not
accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets
may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s
host.
• unfiltered – means that Nmap cannot determine if the port is open or closed, although the port is
accessible. This state is encountered when using an ACK scan -sA.
• open/filteredIf we do not get a response for a specific port, Nmap will set it to that state. This indicates that
a firewall or packet filter may protect the port.
• closed/filtered – indicates that Nmap is unable to determine whether a port is closed or filtered.
TCP Header

20 @mmar
 TCP
Handshake

21 @mmar
Connection
termination

22 @mmar
SCAN TYPES

23
Nmap Scan
types

24 @mmar
 TCP Connect Scan
 TCP scan will scan for TCP ports and ensure for listening
port (open) through a 3-way handshake connection
between the source and destination port

>nmap –sT 192.168.18.1

25 @mmar
 TCP Connect
Scan/Full Open Scan
• The Scan does this take longer and require more packets to obtain the same
information, but target machines are more likely to log the connection
• If the port is open then source made request with SYN packet, a response
destination sent SYN, ACK packet and then source sent ACK packets, at last
source again sent RST, ACK packets
 TCP Syn Scan
 This scan is often referred to as half-open scanning because you don't
open a full TCP connection. You send an SYN packet, as if you are going
to open a real connection and then wait for a response

>nmap –sS 192.168.18.1

27 @mmar
 TCP SYN
Scan/Stealth Scan
• SYN scan is the default and most popular scan option for good reasons. It can be performed
quickly, scanning thousands of ports per second on a fast network not hampered by restrictive
firewalls
• A SYN/ACK indicates the port is listening (open), while RST (reset) is indicative of a non-listener. If
no response is received after several retransmissions, the port is marked as filtered
• The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is
received
 TCP SYN
Scan/Stealth Scan
Probe Response Assigned State
TCP SYN/ACK response open
TCP RST response closed
No response received (even after
filtered
retransmissions)
ICMP unreachable error (type 3, code 1, 2,
filtered
3, 9, 10, or 13)
 UDP Scan
 UDP scan works by sending a UDP packet to every targeted port. For
most ports, this packet will be empty (no payload), but for a few of the
more common ports a protocol-specific payload will be sent

>nmap –sU 192.168.18.110

30
 UDP Scan
• UDP is a connectionless protocol and there's no protocol-defined relationship between
packets in either direction
• However, most OS TCP/IP stacks will return an ICMP “Port Unreachable” packet if a UDP
packet is sent to a closed UDP port
• Thus, a port that doesn't return an ICMP packet can be assumed open
• Neither the probe-packet nor its potential ICMP packet are guaranteed to arrive

Probe Response Assigned State

Any UDP response from target port (unusual) open
No response received (even after retransmissions) open|filtered
ICMP port unreachable error (type 3, code 3) closed
Other ICMP unreachable errors (type 3, code 1, 2, 9,
filtered
10, or 13)
UDP Scan
 FIN Scan
 FIN SCAN is one of the port scanning methods in Nmap, which uses the
sheer stupidity of old and stateless firewalls. In fact, when it comes to
FIN Scan, our Port Scanner software sends a packet with a flag in the
form of FIN meaning the end of the session to the destination firewall
or host. If no response is received, it means that the port is open, and if
the return is RST//ACK, it means that the server port is closed

>nmap –sF 192.168.18.110

33 @mmar
 FIN Scan
• A FIN bit is used to terminate the TCP connection between the source and
destination port typically after the data transfer is complete
• Here, rat her than even pretending to initiate a standard TCP conn ection, nmap
sends a s ingle FIN (final) packet
• If the tar get's TCP/IP stack is RFC-793-compliant then open ports will drop the
packet an d closed ports will send an RST
 NULL and XMAS
Scans
• NULL and XMAS scan types are exactly the same in behavior except for the TCP flags set in
probe packets. If a RST packet is received, the port is considered closed, while no response
means it is open|filtered.
• The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is
received
• XMAS scans are designed to manipulate the PSH, URG and FIN flags of the TCP header, Sets
the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. When source sent
FIN, PUSH, and URG packet to a specific port and if the port is open then destination will
discard the packets and will not send any reply to the source
• A Null Scan is a series of TCP packets which hold a sequence number of “zeros”
(0000000). since there are none flags set, the destination will not know how to
reply the request. It will discard the packet and no reply will be sent, which
indicate that the port is open
 NULL, FIN and
XMAS Scans
Probe Response Assigned State
No response received (even after
open|filtered
retransmissions)
TCP RST packet closed
ICMP unreachable error (type 3, code 1, 2,
filtered
3, 9, 10, or 13)
NULL Scan
XMAS Scan
 Fine Tuning Scans
 You can specify the ports you want to scan instead of the default 1000
ports. Specifying the ports is intuitive by now. Let’s see some examples:
 port list: -p 22,80,443 will scan ports 22, 80 and 443
 port range: -p 1-1023 will scan all ports between 1 and 1023
inclusive, while –p 20-25 will scan ports between 20 and 25
inclusive
 You can control the scan timing using -T<0-5>. -T0 is the slowest
(paranoid), while -T5 is the fastest
 You might consider adding --reason if you want Nmap to provide more
details regarding its reasoning and conclusions.

39 @mmar
DETECTION SCANS

40
 Service Detection
 Once Nmap discovers open ports, you can probe the available port to
detect the running service. Further investigation of open ports is an
essential piece of information as the pentester can use it to learn if
there are any known vulnerabilities of the service
 Adding -sV to your Nmap command will collect and determine service
and version information for the open ports. You can control the
intensity with --version-intensity LEVEL where the level ranges between
0, the lightest, and 9, the most complete. -sV --version-light has an
intensity of 2, while -sV --version-all has an intensity of 9

41 @mmar
Service Detection

42 @mmar
 OS Detection
 Nmap can detect the Operating System (OS) based on its behavior and
any telltale signs in its responses. OS detection can be enabled using -O

43 @mmar
NMAP SCRIPTS

44
 Nmap Scripts
 Nmap provides support for scripts using the Lua language. A part of
Nmap, Nmap Scripting Engine (NSE) is a Lua interpreter that allows
Nmap to execute Nmap scripts written in Lua language. Nmap default
installation can easily contain close to 600 scripts

/usr/share/nmap/scripts

 There are hundreds of scripts conveniently named starting with the

protocol they target and arranged in categories like auth, broadcast,
brute, default, discovery, dos, exploit, external, fuzzer, intrusive,
malware, safe, version, and vuln

45 @mmar
 Nmap Scripts
 There are a total of 14 categories into which these scripts can be
divided:
Category Description
auth Determination of authentication credentials.
broadcast Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the
remaining scans.
brute Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default Default scripts executed by using the -sC option.
discovery Evaluation of accessible services.
dos These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.

exploit This category of scripts tries to exploit known vulnerabilities for the scanned port.
external Scripts that use external services for further processing.
fuzzer This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.

intrusive Intrusive scripts that could negatively affect the target system.
malware Checks if some malware infects the target system.
safe Defensive scripts that do not perform intrusive and destructive access.
version Extension for service detection.
vuln Identification of specific vulnerabilities. 46 @mmar
 Nmap Scripts
 You can specify to use any or a group of these installed scripts;
moreover, you can install other user’s scripts and use them for your
scans. You can choose to run the scripts in the default category using --
script=default or simply adding -sC

47 @mmar
 Nmap Scripts
 You can specify to use any or a group of these installed scripts;
moreover, you can install other user’s scripts and use them for your
scans. You can choose to run the scripts in the default category using --
script=default or simply adding -sC
ammarr@kali[/kali]$ sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST

Nmap scan report for 10.129.2.28
Host is up (0.050s latency).

PORT STATE SERVICE

25/tcp open smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS,
ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

48 @mmar
Saving the Output

49
 You can save your scan in normal format by using -oN FILENAME; N
stands for normal

50 @mmar
Evading Antivirus/ IDS

51
 Evasion
 Nmap gives us many different ways to bypass firewalls rules and
IDS/IPS. These methods include the fragmentation of packets, the use
of decoys etc

52 @mmar
 Evasion
Determine Firewalls and Their Rules

 We already know that when a port is shown as filtered, it can have several reasons. In
most cases, firewalls have certain rules set to handle specific connections. The packets can
either be dropped, or rejected. The dropped packets are ignored, and no response is
returned from the host.
 This is different for rejected packets that are returned with an RST flag. These packets
contain different types of ICMP error codes or contain nothing at all. Such errors can be:
 Net Unreachable
 Net Prohibited
 Host Unreachable
 Host Prohibited
 Port Unreachable
 Proto Unreachable
53 @mmar
 ACK SCAN
• TCP ACK Scan sends an ACK packet to the target port in order to determine
whether the port is filtered or unfiltered
• For unfiltered ports a RST reply packet will be sent for both open and closed ports.
• Filtered ports will result in either no response or an ICMP destination unreachable
reply packet.
• This approach is useful to get through stateless firewalls which block incoming
connections by blocking incoming SYN packets but allowing ACK packets to get
through to allow internal hosts to communicate with the rest of the internet.
• TCP ACK will not work with stateful firewalls
 ACK SCAN

Probe Response Assigned State

TCP RST response unfiltered
No response received (even after
filtered
retransmissions)
ICMP unreachable error (type 3, code 1, 2, 3, 9,
filtered
10, or 13)
 Fragmented Scan
 Nmap provides the option -f to fragment packets. Once chosen, the IP
data will be divided into 8 bytes or less. Adding another -f (-f -f or -ff)
will split the data into 16 byte-fragments instead of 8. You can change
the default value by using the --mtu; however, you should always
choose a multiple of 8. The scan can be used to bypass firewalls

sudo nmap -sS -p80 -f 10.20.30.144

56
 Decoys
 There are cases in which administrators block specific subnets from
different regions in principle. This prevents any access to the target
network. Another example is when IPS should block us. For this reason,
the Decoy scanning method (-D) is the right choice. With this method,
Nmap generates various random IP addresses inserted into the IP
header to disguise the origin of the packet sent. With this method, we
can generate random (RND) a specific number (for example: 5) of IP
addresses separated by a colon (:). Our real IP address is then randomly
placed between the generated IP addresses

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

57
 Decoys
ammar@kali[/kali]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:14 CEST

SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S ttl=42 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0378s) TCP 10.10.14.2:59289 > 10.129.2.28:80 S ttl=59 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.129.2.28:80 S ttl=37 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 191.6.64.171:59289 > 10.129.2.28:80 S ttl=38 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 184.178.194.209:59289 > 10.129.2.28:80 S ttl=39 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 43.21.121.33:59289 > 10.129.2.28:80 S ttl=55 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
RCVD (0.1370s) TCP 10.129.2.28:80 > 10.10.14.2:59289 SA ttl=64 id=0 iplen=44 seq=4056111701 win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.099s latency).

PORT STATE SERVICE

80/tcp open http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

58
 Changing Source
 we can also manually specify the source IP address (-S) to test if we get
better results with this one. Decoys can be used for SYN, ACK, ICMP
scans, and OS detection scans

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

ammartiger@hkali[/kali]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 01:16 CEST

Nmap scan report for 10.129.2.28
Host is up (0.010s latency).

PORT STATE SERVICE

445/tcp open microsoft-ds
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%),
Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-
5644 (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

59
 Changing Port
 By default, Nmap performs a reverse DNS resolution unless otherwise
specified to find more important information about our target. These DNS
queries are also passed in most cases because the given web server is
supposed to be found and visited. The DNS queries are made over the UDP
port 53. The TCP port 53 was previously only used for the so-called "Zone
transfers" between the DNS servers or data transfer larger than 512 bytes.
More and more, this is changing due to IPv6 and DNSSEC expansions.
These changes cause many DNS requests to be made via TCP port 53. we
can use TCP port 53 as a source port (--source-port) for our scans. If the
administrator uses the firewall to control this port and does not filter
IDS/IPS properly, our TCP packets will be trusted and passed through

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

60
 Changing Port
ammartiger@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --
source-port 53

SENT (0.0482s) TCP 10.10.14.2:53 > 10.129.2.28:50000 S ttl=58 id=27470 iplen=44

seq=4003923435 win=1024 <mss 1460>
RCVD (0.0608s) TCP 10.129.2.28:50000 > 10.10.14.2:53 SA ttl=64 id=0 iplen=44 seq=540635485
win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).

PORT STATE SERVICE

50000/tcp open ibm-db2
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

61
 Zombie/ IPID Scan
 One way to determine whether a TCP port is open is to send a SYN
(session establishment) packet to the port. The target machine will
respond with a SYN/ACK (session request acknowledgement) packet if
the port is open, and RST (reset) if the port is closed. This is the basis of
the previously discussed SYN scan
 A machine that receives an unsolicited SYN/ACK packet will respond
with a RST. An unsolicited RST will be ignored
 Every IP packet on the Internet has a fragment identification number (IP
ID). Since many operating systems simply increment this number for
each packet they send, probing for the IPID can tell an attacker how
many packets have been sent since the last probe

62 @mmar
Zombie/ IPID Scan

63 @mmar
 Zombie/ IPID Scan
Step-1

64 @mmar
 Zombie/ IPID Scan
Step-2.1 Open Port

65 @mmar
 Zombie/ IPID Scan
Step-2.2 Closed Port

66 @mmar
 Zombie/ IPID Scan
Step-3

67 @mmar
Zombie/ IPID Scan
Open Port

68 @mmar
Zombie/ IPID Scan
Closed Port

69 @mmar
 NMAP
CHEATSHEET
 NMAP
CHEATSHEET
THANKS

73