Scanning Networks
@mmar
Network scanning refers to the set of procedures used to identify a network's hosts, ports and services. It is one of the key components of intelligence gathering that attackers use to build a profile of the target organization.
It has the following main objectives:
Discover live hosts, their IP addresses and the open ports on each of them
Discover the OS and system architecture of each host
Discover the services (and, where possible, their versions) running on those hosts
Discover vulnerabilities on the live hosts
NMAP
Network Mapper (Nmap) is an open-source network discovery and security auditing tool written in C, C++, Python and Lua. It uses raw packets to determine which hosts are available on a network, which services (name and version, where possible) those hosts offer, and which operating systems and OS versions they run. Its port-scanning modes also let you check how packet filters, firewalls and intrusion detection systems (IDS) treat your traffic, and therefore whether they are configured as intended.
Host Discovery
Host discovery is normally the first step of a scan. It enumerates the IP addresses of the systems that are live in the environment, so that the slower port and service scans are only run against hosts that actually exist.
Netdiscover
Netdiscover is an ARP-based tool for finding the live hosts on a local network. It can passively inspect the ARP traffic on your segment (-p) or actively send ARP requests; in auto scan mode (no range given) it walks the common local network ranges.
There are various ways to discover online hosts. When no host discovery options are given, Nmap chooses its probes according to the user's privileges and where the target sits:
When a privileged user scans targets on the local Ethernet network, Nmap uses ARP requests: an ARP reply already proves the host is up, so there is no point in sending IP-level probes.
When a privileged user scans targets outside the local network, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; any answer marks the host as up.
When an unprivileged user scans (no raw sockets), Nmap falls back to connect() attempts, i.e. a full TCP 3-way handshake, to ports 80 and 443.
Ping Scan
A ping scan (-sn) runs host discovery only and skips the port scan; it is the quickest way to list the live hosts on a network. The name is historical: "ping" here means whatever discovery probes Nmap chooses for the situation, not necessarily ICMP echo.
ARP Scan
ARP scan is another method to find the live hosts on a local network. -PR forces Nmap to discover hosts with ARP requests, which is also what it does by default on a local Ethernet segment: ARP is faster and more reliable than IP-level probes, because a host cannot talk on the segment at all without answering ARP.
nmap -sn -PR 192.168.18.0-255
Misc Nmap Scans
Nmap has a vast variety of scans available. Some of the most useful scans for host discovery are listed below.
Angry IP Scanner
Angry IP Scanner is an open-source, cross-platform network scanner designed to be fast and simple to use.
You can download and install the tool on Windows from the official website:
https://angryip.org/
Open Preferences and make sure the pinging method is set to UDP+TCP, so that hosts which drop ICMP echo requests are still detected.
Port States
• At the risk of oversimplification, we can classify ports in two states:
• Open port indicates that there is some service listening on that port.
• Closed port indicates that there is no service listening on that port.
• While many port scanners have traditionally labelled every port as either open or closed, Nmap is much more granular.
• It divides ports into six states: open, closed, filtered, unfiltered, open|filtered and closed|filtered.
• These states are not intrinsic properties of the port itself; they describe how Nmap sees the port from where it is scanning.
• For example, an Nmap scan from the same network as the target may show port 135/tcp as open, while a scan at the same time with the same options from across the Internet might show that port as filtered.
Port States
• open – an application is listening for connections on the port. The primary goal of port scanning is to find these.
• closed – no service is listening on the port, although the port is accessible. By accessible, we mean that the probe reached the host and the host's answer (a RST, or an ICMP port unreachable for UDP) came back; nothing in between blocked it.
• filtered – Nmap cannot determine whether the port is open or closed because the port is not accessible. This is usually a firewall or packet filter that drops Nmap's probes, or drops the responses on the way back, so Nmap has to retransmit and eventually give up; filtered ports are therefore slow to scan.
• unfiltered – the port is accessible (a probe got an answer), but Nmap cannot tell whether it is open or closed. This state is produced by the ACK scan (-sA), whose probes are answered with RST by open and closed ports alike.
• open|filtered – Nmap cannot tell whether the port is open or filtered. It is assigned when a probe that open ports do not answer at all (UDP, FIN, NULL and XMAS scans) gets no response: either an application is silently listening, or a firewall dropped the probe.
• closed|filtered – Nmap cannot tell whether the port is closed or filtered. This state is only produced by the IP ID idle scan (-sI).
TCP Header
TCP Handshake
Connection termination
SCAN TYPES
Nmap Scan types
TCP Connect Scan
The TCP connect scan (-sT) finds listening (open) TCP ports by completing a full 3-way handshake with each target port. Instead of crafting raw packets it asks the operating system to connect(), which is why it is the scan Nmap falls back to when the user is not privileged.
TCP Connect Scan/Full Open Scan
• The scan takes longer and needs more packets than a SYN scan to obtain the same information, and because the connection is fully established the target service sees it, so it is far more likely to be logged.
• If the port is open, the source sends SYN, the target replies SYN/ACK, the source completes the handshake with ACK, and then the source immediately tears the connection down again with RST/ACK. If the port is closed, the target answers the SYN with RST and connect() fails.
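The connect scan in code, as an added example rather than anything from this deck or from Nmap: a minimal Python scanner run against a throwaway listener on 127.0.0.1, so it works offline. It shows what -sT costs you: the kernel completes the three-way handshake, and afterwards the listener can see (and a real service would log) every completed connection, while the closed port never shows up on the target side. The listener, the port choices and the half-second timeout are the example's own assumptions.

```python
import socket


def start_listener(host="127.0.0.1"):
    """Throwaway listener on an ephemeral port (example's own assumption):
    this is the one open port the scan will find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on, so a SYN to it is answered with RST (closed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan_port(host, port, timeout=0.5):
    """Classify one port the way a connect scan does.

    open     - connect() returned: SYN, SYN/ACK and ACK all went over the wire,
               and close() then tears the connection down again
    closed   - the target answered our SYN with RST (ECONNREFUSED)
    filtered - nothing came back before the timeout, or the kernel surfaced an
               ICMP unreachable error (EHOSTUNREACH and friends)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, timeout=0.5):
    """Scan a list of ports and return {port: state}."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}


def drain_connection_log(srv, timeout=0.5):
    """The target's view: every completed handshake is queued for accept(), even
    though the scanner has already hung up. A real service would log these."""
    srv.settimeout(timeout)
    peers = []
    while True:
        try:
            conn, addr = srv.accept()
        except socket.timeout:
            return peers
        peers.append(addr[0])
        conn.close()


if __name__ == "__main__":
    srv, open_port = start_listener()
    targets = [open_port, free_port()]
    print(connect_scan("127.0.0.1", targets))
    print("target logged connections from:", drain_connection_log(srv))
    srv.close()
```

Nothing here needs root, which is exactly the point of -sT; the price is that the open port's owner gets a complete connection to log. On a real network the filtered verdict comes from the timeout path, which is why a connect scan through a dropping firewall is slow.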
TCP SYN Scan
This scan is often referred to as half-open scanning because you never open a full TCP connection. You send a SYN packet, as if you were going to open a real connection, and then wait for the response. If a SYN/ACK comes back, the handshake is not completed: the scanner's kernel, which knows nothing about the raw SYN Nmap sent, answers the SYN/ACK with a RST.
TCP SYN Scan/Stealth Scan
• SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls, and because the handshake is never completed most services never see the probe, so it is less likely to be logged than a connect scan. It needs raw-packet privileges (root or Administrator); without them Nmap uses the connect scan instead.
• A SYN/ACK indicates the port is listening (open), while a RST (reset) indicates a non-listener (closed). If no response is received after several retransmissions, the port is marked as filtered.
• The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) is received.
TCP SYN Scan/Stealth Scan
Probe response | Assigned state
TCP SYN/ACK response | open
TCP RST response | closed
No response received (even after retransmissions) | filtered
ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) | filtered
UDP Scan
UDP scan (-sU) works by sending a UDP packet to every targeted port. For most ports this packet is empty (no payload), but for a few of the more common ports (DNS, SNMP, NTP and the like) a protocol-specific payload is sent, because a service is far more likely to answer a request it understands than an empty datagram.
UDP Scan
• UDP is a connectionless protocol, and there is no protocol-defined relationship between packets in either direction, so there is no equivalent of the SYN/ACK that proves a port is open.
• However, most OS TCP/IP stacks return an ICMP "port unreachable" (type 3, code 3) if a UDP packet is sent to a closed UDP port, so that is the one definite signal: port unreachable means closed. Other ICMP unreachable errors (type 3, code 0, 1, 2, 9, 10 or 13) mean filtered, and a UDP reply means open.
• A port that returns nothing at all cannot simply be assumed open: either the service is listening and ignored our datagram, or a firewall dropped it. Nmap therefore reports it as open|filtered. Adding -sV makes Nmap send real protocol probes to those ports and can often upgrade the verdict to open.
• Neither the probe packet nor its potential ICMP reply is guaranteed to arrive, so Nmap retransmits before accepting silence. Many stacks also rate-limit ICMP errors (Linux, for example, to about one per second), which is why a full UDP scan of a host can take a very long time.
FIN Scan
• The FIN bit is used to terminate a TCP connection between the source and destination ports, typically after the data transfer is complete.
• Here, rather than even pretending to initiate a standard TCP connection, Nmap (-sF) sends a single FIN packet to a port on which no connection exists.
• If the target's TCP/IP stack is RFC 793 compliant, open ports drop the packet and closed ports send a RST, so no answer means open|filtered and a RST means closed. Many stacks (Microsoft Windows among them) send a RST regardless of the port's state, and against those every port looks closed.
NULL and XMAS Scans
• NULL, FIN and XMAS scans behave exactly the same way except for the TCP flags set in the probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered.
• The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) is received.
• An XMAS scan (-sX) sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree. When the source sends a FIN/PSH/URG packet to a specific port and the port is open, an RFC 793 compliant destination discards the packet and sends nothing back; a closed port answers with RST.
• A NULL scan (-sN) sends TCP packets with no flags set at all (a flags field of all zeros). Since no flags are set, the destination does not know how to interpret the request: an open port discards it and sends no reply, which Nmap reports as open|filtered, while a closed port answers with RST.
• None of these three can distinguish an open port from a filtered one, and they only work against stacks that follow RFC 793. Their advantage is that they can slip past some stateless firewalls and packet-filtering routers that only look for SYN packets.
NULL, FIN and XMAS Scans
Probe response | Assigned state
No response received (even after retransmissions) | open|filtered
TCP RST packet | closed
ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) | filtered
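The state tables above written out as one decision function, as an added example that is not Nmap's code. It goes beyond the two tables on this page by also covering the UDP scan and the ACK scan described elsewhere in this deck, so the differences between probe types sit side by side: a RST means closed for a SYN or NULL/FIN/XMAS probe but only unfiltered for an ACK probe, silence means filtered for SYN and ACK but open|filtered for the probes that open ports never answer, and ICMP port unreachable is a verdict of closed only for UDP. The response vocabulary ("SA", "R", ("icmp", type, code), "none") is the example's own.

```python
# Added example (not Nmap code): Nmap's response-to-state rules for the
# SYN, NULL/FIN/XMAS, UDP and ACK scan types.

# ICMP destination-unreachable (type 3) codes Nmap treats as a filter speaking:
# net/host/proto/port unreachable and the administratively-prohibited codes.
FILTERING_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}


def port_state(scan, response):
    """Map one probe response to an Nmap port state, or None if the response
    is not a verdict for this scan type (Nmap keeps waiting/retransmitting).

    scan:     "syn", "null", "fin", "xmas", "udp" or "ack"
    response: ("tcp", "SA")        SYN/ACK came back
              ("tcp", "R")         RST (or "RA", RST/ACK) came back
              ("udp",)             a UDP datagram came back
              ("icmp", type, code) an ICMP error came back
              ("none",)            nothing, even after retransmissions
    (response encoding is this example's own convention)
    """
    kind = response[0]
    if kind == "icmp":
        _, icmp_type, code = response
        if icmp_type != 3 or code not in FILTERING_ICMP_CODES:
            return None                 # unrelated ICMP: not a verdict
        if scan == "udp" and code == 3:
            return "closed"             # port unreachable: UDP's only proof of "closed"
        return "filtered"

    is_rst = kind == "tcp" and "R" in response[1]
    is_synack = kind == "tcp" and response[1] == "SA"
    silent = kind == "none"

    if scan == "syn":
        if is_synack:
            return "open"
        if is_rst:
            return "closed"
        if silent:
            return "filtered"           # open and closed ports both answer a SYN
    elif scan in ("null", "fin", "xmas"):
        if is_rst:
            return "closed"
        if silent:
            return "open|filtered"      # open ports are silent by design, so are firewalls
    elif scan == "ack":
        if is_rst:
            return "unfiltered"         # reachable, but open vs closed is unknowable here
        if silent:
            return "filtered"
    elif scan == "udp":
        if kind == "udp":
            return "open"
        if silent:
            return "open|filtered"
    else:
        raise ValueError("unknown scan type: %r" % scan)
    return None                         # e.g. SYN/ACK to a FIN probe: no verdict


def verdict(scan, observed):
    """observed: the response to each (re)transmission of the probe, None where
    nothing came back. Nmap retransmits before believing silence, so one real
    answer beats any number of timeouts."""
    for resp in observed:
        if resp is None:
            continue
        state = port_state(scan, resp)
        if state is not None:
            return state
    return port_state(scan, ("none",))


def vantage_point_demo():
    """The 135/tcp example from the text, plus the NULL-scan caveat: the same
    port gives different states depending on where and how you probe it."""
    return {
        "syn_from_lan": verdict("syn", [("tcp", "SA")]),
        "syn_from_internet": verdict("syn", [None, None, None]),
        "null_vs_rfc793_stack": verdict("null", [None, None]),      # open port stays silent
        "null_vs_windows_stack": verdict("null", [("tcp", "RA")]),  # RST for everything
        "udp_closed": verdict("udp", [("icmp", 3, 3)]),
        "udp_no_answer": verdict("udp", [None, None]),
        "ack_through_stateless_fw": verdict("ack", [("tcp", "R")]),
    }


if __name__ == "__main__":
    for case, state in vantage_point_demo().items():
        print("%-26s %s" % (case, state))
```

verdict() is the part worth keeping in mind when reading --reason output: a single late RST after two timeouts is still "closed", while a port that stays silent is only "filtered" or "open|filtered" because Nmap ran out of retransmissions, not because it learned anything.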
Fine Tuning Scans
You can specify the ports you want to scan instead of the default 1000 most common ports. Specifying the ports is intuitive by now. Let's see some examples:
port list: -p 22,80,443 will scan ports 22, 80 and 443
port range: -p 1-1023 will scan all ports between 1 and 1023 inclusive, while -p 20-25 will scan ports between 20 and 25 inclusive
all ports: -p- will scan all 65535 ports
You can control the scan timing using -T<0-5>. -T0 is the slowest (paranoid) and -T5 the fastest (insane). Faster templates finish sooner, but on lossy links they drop probes and turn into wrong verdicts, and they are far more likely to trip an IDS; -T4 is the usual choice on a reliable network.
You might consider adding --reason if you want Nmap to show, for each port, which response (syn-ack, reset, no-response and so on) led it to the state it reports.
DETECTION SCANS
Service Detection
Once Nmap has found open ports, you can probe each of them to identify the running service. This is an essential piece of information for a pentester, because the service name and version are what you search for known vulnerabilities against.
Adding -sV to your Nmap command makes Nmap connect to the open ports and match their banners and probe responses against its service signature database to determine service and version information. You can control the intensity with --version-intensity LEVEL, where the level ranges from 0 (lightest) to 9 (most complete); -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9. Note that -sV completes real connections and talks to the services, so it is noisy: a SYN scan stops being stealthy the moment you add it.
OS Detection
Nmap can detect the Operating System (OS) based on its behaviour and any telltale signs in its responses (TCP/IP stack fingerprinting: initial TTL, window sizes, option ordering, IP ID behaviour and so on). OS detection is enabled with -O; it needs raw-packet privileges and works best when Nmap finds at least one open and one closed TCP port on the target. -A enables OS detection, version detection, the default scripts and traceroute in one go.
NMAP SCRIPTS
Nmap Scripts
Nmap provides support for scripts written in the Lua language. The Nmap Scripting Engine (NSE), part of Nmap, is a Lua interpreter that lets Nmap execute these scripts against a target. A default installation can easily contain close to 600 scripts, kept in
/usr/share/nmap/scripts
Nmap Scripts
There are a total of 14 categories into which these scripts can be divided:
Category | Description
auth | Scripts that deal with authentication credentials on the target service (or bypass them).
broadcast | Scripts used for host discovery by broadcasting on the local network; the discovered hosts can be added automatically to the remaining scans.
brute | Scripts that try to log in to the respective service by brute-forcing credentials.
default | Scripts run by default with the -sC option (or --script=default).
discovery | Scripts that actively gather more information about the network and the accessible services.
dos | Scripts that check services for denial-of-service vulnerabilities; rarely used, because they may actually bring the service down.
exploit | Scripts that try to exploit known vulnerabilities on the scanned port.
external | Scripts that send data to external, third-party services for further processing.
fuzzer | Scripts that send unexpected or randomized field values to find vulnerabilities and bugs in packet handling; these can take a long time.
intrusive | Scripts that could negatively affect the target system, use significant resources or be seen as an attack.
malware | Scripts that check whether the target is infected by malware or backdoors.
safe | Scripts that are not expected to crash services, use large amounts of bandwidth or exploit vulnerabilities.
version | Extensions to service/version detection; run as part of -sV.
vuln | Scripts that check for specific known vulnerabilities and generally only report if one is found.
Nmap Scripts
You can run any one of the installed scripts or a whole category; moreover, you can add other users' scripts and use them in your scans. You can run the scripts in the default category with --script=default or simply by adding -sC. Individual scripts are given by name, comma-separated, and --script-help <name> prints what a script does before you run it against anything.
ammarr@kali[/kali]$ sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands
Saving the Output
You can save your scan in normal format with -oN FILENAME (N stands for normal: the same text you see on screen). -oX FILENAME writes XML, which is the format to use when another tool is going to read the results, -oG FILENAME writes the greppable one-line-per-host format, and -oA BASENAME writes all three at once.
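Consuming a saved scan, as an added example that is not Nmap's code: a parser for Nmap's XML output and a diff between two saved runs, so that a baseline scan can be compared with today's to spot ports that have opened or closed since. The two XML documents below are constructed samples that follow the layout of real -oX output (host, status, address, hostnames, ports/port/state/service elements); the host, addresses and service versions in them are invented.

```python
# Added example (not Nmap code): read -oX output and diff two saved scans.
import xml.etree.ElementTree as ET

# Constructed sample modelled on real -oX output; host and services are invented.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 10.129.2.28" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<address addr="00:50:56:B9:1A:2C" addrtype="mac" vendor="VMware"/>
<hostnames><hostname name="web01.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

# Same host some weeks later: SSH gone, Apache upgraded, MySQL newly exposed.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 10.129.2.28" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.129.2.28" addrtype="ipv4"/>
<address addr="00:50:56:B9:1A:2C" addrtype="mac" vendor="VMware"/>
<hostnames><hostname name="web01.local" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="997"/>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.58"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.36"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""


def parse_nmap_xml(text):
    """Return a list of hosts: {addr, mac, hostname, up, ports:[{proto, port, state, reason, service, product}]}."""
    root = ET.fromstring(text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        addrs = h.findall("address")
        addr = next((a.get("addr") for a in addrs if a.get("addrtype") == "ipv4"), None)
        mac = next((a.get("addr") for a in addrs if a.get("addrtype") == "mac"), None)
        name = h.find("hostnames/hostname")
        ports = []
        for p in h.findall("ports/port"):          # <extraports> is skipped on purpose
            st = p.find("state")
            svc = p.find("service")
            product = ""
            if svc is not None:
                product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": st.get("state"),
                "reason": st.get("reason"),          # what --reason would have printed
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts.append({
            "addr": addr,
            "mac": mac,
            "hostname": name.get("name") if name is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": ports,
        })
    return hosts


def open_ports(hosts):
    """Set of (addr, proto, port) that Nmap reported as open."""
    return {(h["addr"], p["proto"], p["port"]) for h in hosts for p in h["ports"] if p["state"] == "open"}


def diff_scans(baseline_xml, current_xml):
    """Which open ports appeared or disappeared between two saved scans."""
    before = open_ports(parse_nmap_xml(baseline_xml))
    after = open_ports(parse_nmap_xml(current_xml))
    return {"new_open": sorted(after - before), "no_longer_open": sorted(before - after)}


if __name__ == "__main__":
    for h in parse_nmap_xml(CURRENT_XML):
        print(h["addr"], h["hostname"], "up" if h["up"] else "down")
        for p in h["ports"]:
            print("  %d/%s %-9s %-8s %s" % (p["port"], p["proto"], p["state"], p["reason"], p["product"]))
    print(diff_scans(BASELINE_XML, CURRENT_XML))
```

Run periodically against -oX files from the same target list, the diff is a cheap exposure-drift alarm: a newly open 3306/tcp on a web server is exactly the kind of change that should page someone, and it is invisible in -oN output without reading the whole file.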
Evading Firewalls / IDS
Evasion
Nmap gives us many different ways to get past firewall rules and IDS/IPS. These methods include fragmentation of packets, the use of decoys, spoofed source addresses and ports, and so on. None of them is magic: each exploits a specific weakness in how a filter was configured, so the first step is always to work out what the filter is doing.
Evasion
Determine Firewalls and Their Rules
We already know that a port shown as filtered can have several causes. In most cases, firewalls have rules that decide how a given connection is handled: the packet is either dropped or rejected. Dropped packets are silently ignored; no response is returned from the host, and Nmap only finds out by timing out.
Rejected packets are different: the firewall sends something back. For TCP that is usually a RST, but it can also be an ICMP error message (the same options an iptables REJECT rule offers with --reject-with), such as:
Net Unreachable
Net Prohibited
Host Unreachable
Host Prohibited
Port Unreachable
Proto Unreachable
Which one comes back hints at whether you are hearing from the host itself or from a filter in front of it, and --reason shows it per port.
ACK SCAN
• The TCP ACK scan (-sA) sends a packet with only the ACK flag set to each target port, in order to determine whether the port is filtered or unfiltered; it never tells open from closed.
• For unfiltered ports a RST reply is sent back, for open and closed ports alike, because an ACK that belongs to no connection is answered with RST either way.
• Filtered ports result in either no response or an ICMP destination unreachable reply.
• This is useful for mapping the rules of a stateless firewall that blocks incoming connections by dropping incoming SYN packets but lets ACK packets through, so that internal hosts can communicate with the rest of the Internet. Comparing an ACK scan with a SYN scan of the same ports shows which ports the filter is actually protecting.
• Against a stateful firewall the ACK scan gives nothing useful: the firewall has no connection entry for our ACK and drops it, so every port appears filtered.
ACK SCAN
Decoys
There are cases in which administrators block specific subnets from different regions on principle, which prevents any access to the target network, or in which an IPS is meant to block us. For these cases the decoy scanning method (-D) is an option. With it, Nmap sends every probe several times, each copy with a different spoofed source address, so the target and its IDS see the same scan arriving from all of the decoys and cannot tell which address is the real one. With RND:<number> (for example RND:5) Nmap generates that many random decoy addresses; alternatively a list of addresses can be given separated by commas, with ME marking where our real address should sit. With RND, our real IP address is placed randomly among the generated ones.
Decoys work with the SYN, ACK, UDP and other raw-packet scans, with host discovery and with OS detection, but not with the connect scan or version detection, which need real connections. The decoy addresses should belong to hosts that are up, otherwise the target may end up SYN flooded, and some ISPs filter spoofed packets, in which case the decoy copies never arrive and only our real probes do.
Decoys
ammar@kali[/kali]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Changing Source
We can also set the source IP address manually with -S, to test whether a particular address gets better results, for example when the firewall trusts a specific internal or partner range. Replies to a spoofed source go to that address rather than to us, so this only yields anything if we can see that traffic; Nmap will usually also need -e to choose the interface and -Pn, because it cannot work out routing for an address it does not own.
Changing Port
By default, Nmap performs a reverse DNS resolution of the targets unless told otherwise (-n), to find more information about them. DNS queries usually pass through firewalls, because the servers behind them are supposed to be found and visited. DNS queries are made over UDP port 53; TCP port 53 was traditionally used only for zone transfers between DNS servers and for responses larger than 512 bytes. More and more, this is changing because of IPv6 and DNSSEC, whose larger records push many DNS exchanges onto TCP port 53. We can therefore use 53 as the source port of our own probes (--source-port 53, or -g 53). If the administrator has a firewall rule that trusts traffic from this port and the IDS/IPS does not filter it properly, our TCP packets are passed through. The same trick works with any other port a careless rule trusts, such as 20 (FTP data) or 67 (DHCP).
Changing Port
ammartiger@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
Zombie/ IPID Scan
One way to determine whether a TCP port is open is to send a SYN (session establishment) packet to the port. The target machine responds with a SYN/ACK (session request acknowledgement) packet if the port is open, and with a RST (reset) if the port is closed. This is the basis of the SYN scan discussed earlier.
A machine that receives an unsolicited SYN/ACK packet responds with a RST. An unsolicited RST is ignored.
Every IP packet on the Internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IP ID tells an attacker how many packets a host has sent since the last probe.
The idle scan (-sI <zombie>) combines these three facts so that the target never sees a packet from the attacker's real address:
Step 1: Probe the zombie's IP ID: send it a SYN/ACK; it answers with a RST that carries its current IP ID.
Step 2.1 (open port): Send the target a SYN forged with the zombie's source address. The target replies SYN/ACK to the zombie, which answers with a RST and so increments its IP ID.
Step 2.2 (closed port): The target replies RST to the zombie instead; the zombie ignores it and its IP ID does not move.
Step 3: Probe the zombie's IP ID again.
Open port: the IP ID has increased by 2 (the zombie's RST to the target, plus its RST to our second probe).
Closed port: the IP ID has increased by 1 (only the RST to our probe). A filtered port looks exactly the same, which is why Nmap reports closed|filtered here.
The zombie has to be genuinely idle and use a predictable, global IP ID counter; printers and old embedded devices are the classic candidates, while modern operating systems randomize the IP ID or keep per-connection counters and make poor zombies. From the target's point of view the scan came from the zombie.
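The IP ID arithmetic of the idle scan, as an added simulation that is not part of this deck and not Nmap's code. Each Host follows only the rules quoted above (SYN/ACK for an open port, RST for a closed one, RST in reply to an unsolicited SYN/ACK, silence in reply to an unsolicited RST) and bumps a global IP ID counter for every packet it sends; the attacker then runs steps 1 to 3 and reads off the difference. The addresses, ports and starting counter value are invented, and the zombie_noise parameter stands in for a zombie that is not actually idle, to show why the scan then produces nonsense.

```python
# Added example (not Nmap code): idle/zombie scan simulated on toy TCP/IP stacks.


class Host:
    """A simplified TCP/IP stack: one global, incrementing IP ID counter and
    the three reply rules the idle scan relies on."""

    def __init__(self, ip, open_ports=(), ipid=1000):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.ipid = ipid                      # invented starting value

    def _send(self, to, flags):
        self.ipid += 1                        # every emitted packet consumes the next IP ID
        return {"src": self.ip, "sport": to["dport"], "dst": to["src"],
                "dport": to["sport"], "flags": flags, "ipid": self.ipid}

    def receive(self, pkt):
        """Return the reply packet, or None when the stack ignores the input."""
        if pkt["flags"] == "SYN":
            # SYN -> SYN/ACK if something listens, RST otherwise
            return self._send(pkt, "SYN/ACK" if pkt["dport"] in self.open_ports else "RST")
        if pkt["flags"] == "SYN/ACK":
            return self._send(pkt, "RST")     # unsolicited SYN/ACK is answered with RST
        return None                           # unsolicited RST (or anything else) is dropped


def probe_ipid(net, attacker_ip, zombie_ip):
    """Steps 1 and 3: a SYN/ACK from our real address makes the zombie send us
    a RST, and that RST carries the zombie's current IP ID."""
    probe = {"src": attacker_ip, "sport": 40000, "dst": zombie_ip, "dport": 80, "flags": "SYN/ACK"}
    return net[zombie_ip].receive(probe)["ipid"]


def idle_scan(net, attacker_ip, zombie_ip, target_ip, port, zombie_noise=0):
    """Scan one target port via the zombie; the target only ever hears from the zombie."""
    before = probe_ipid(net, attacker_ip, zombie_ip)

    # Step 2: SYN to the target with the zombie's address as source. Whatever
    # the target answers is routed to the zombie, never to us.
    spoofed = {"src": zombie_ip, "sport": 40001, "dst": target_ip, "dport": port, "flags": "SYN"}
    reply = net[target_ip].receive(spoofed)
    if reply is not None:
        net[reply["dst"]].receive(reply)      # zombie: RST back (IP ID +1) or silent drop

    # An "idle" zombie must not be talking to anyone else in the meantime;
    # zombie_noise simulates unrelated packets it sends to some other host.
    for _ in range(zombie_noise):
        net[zombie_ip]._send({"src": "192.0.2.99", "sport": 1, "dport": 1}, "ACK")

    after = probe_ipid(net, attacker_ip, zombie_ip)
    delta = after - before
    state = {1: "closed|filtered", 2: "open"}.get(delta, "unknown (zombie not idle)")
    return {"port": port, "ipid_delta": delta, "state": state}


def build_lab():
    """Invented lab: one zombie with a sequential IP ID and one target with 80/tcp open.
    The attacker needs no Host object, since nothing is ever sent to its address."""
    return {
        "10.0.0.20": Host("10.0.0.20", ipid=5000),               # zombie
        "10.0.0.30": Host("10.0.0.30", open_ports={80}),         # target
    }


if __name__ == "__main__":
    net = build_lab()
    for port, noise in ((80, 0), (22, 0), (80, 1)):
        print(idle_scan(net, "10.0.0.5", "10.0.0.20", "10.0.0.30", port, zombie_noise=noise))
```

The third run is the practical lesson: one stray packet from the zombie turns an unambiguous delta of 2 into 3, so real Nmap probes the zombie repeatedly, checks that its IP ID really is sequential, and rejects busy hosts before trusting any verdict.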
NMAP CHEATSHEET
THANKS