Author Topic: Learn more about Nmap  (Read 765 times)

0 Members and 1 Guest are viewing this topic.

Offline ba8y

  • /dev/null
  • *
  • Posts: 15
  • Cookies: -3
    • View Profile
Learn more about Nmap
« on: January 28, 2014, 09:35:17 am »

Dare to ignore or neglect
any of them and you could be missing out on the one piece of information that you need to
completely compromise your target.

http://nmap.org/
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
http://en.wikipedia.org/wiki/User_Datagram_Protocol
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers/
http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/

Nmap Cookbook The Fat-free Guide to Network Scanning.pdf
Nmap 6: Network Exploration and Security Auditing Cookbook  ---- [something timeout]
Nmap in the Enterprise. Your Guide to Network Scanning
Nmap Network Scanning: The Official Nmap Project Guide



Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.  Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.  Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.  It was designed to rapidly scan large networks, but works fine against single hosts.  Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.  In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

But I want to say that nmap is unreliable at sometimes, please read...

[Lab] Windows 7 + backtrack R3x86_gnome(vbox)

Code: [Select]


************************
Basic Scanning Overview
************************

- Firewalls, routers, proxy servers, and other security devices.
- Some scanning options require elevated privileges.
 
  1. Scan a Single Target
  2. Scan Multiple Targets
  3. Scan a Range of IP Address
  4. Scan an Entire Subnet
  5. Scan a List of Targets
  6. Scan Random Targets
  7. Exclude Targets from a Scan
  8. Exclude Targets Using a List
  9. Perform an Aggressive Scan
  10. Scan an IPv6 Target


1. Scan a Single Target
   //-- nmap 192.168.1.1 --//
   A default Nmap scan will check for the 1000 most commonly used TCP/IP ports.
   Port states:
   open / closed / filtered / unfiltered / open|filtered / closed|filtered
   

2. Scan Multiple Targets
   //-- nmap 192.168.1.1 192.168.1.2 192.168.1.3 --//
   //-  nmap 192.168.1.136,139,150 -//
   Nmap can be used to scan multiple hosts at the same time.
   

3. Scan a Range of IP Address
   //-- nmap 192.168.1.1-10 --//
   //-- nmap 192.168.1-100.* --//
   The asterisk is a wildcard character which represents all valid ranges from 0-255.
   
   
4. Scan an Entire Subnet
   //-- nmap 192.168.1.1/24 --//
   

5. Scan a List of Targets
   //-- nmap -iL hosts_list.txt --//
   --------hosts_list.txt--------
   192.168.1.1
   192.168.1.2
   192.168.1.3

   Each entry in [hosts_list.txt] must be separated by a space, tab, or newline.


6. Scan Random Targets
   //-- nmap -iR 3 --//
   Nmap will randomly generate the specified number of targets and attempt to scan them.
   

7. Exclude Targets from a Scan
   //-- nmap 192.168.1.1/24 --exclude 192.168.1.100,192.168.1.108 --//
   //-- nmap 192.168.1.1/24 --exclude 192.168.1.100-108 --//
   --exclude option acceptes single hosts, ranges, or entire network blocks(using CIDR notation)


8. Exclude Targets Using a List
   //-- nmap 192.168.1.1/24 --excludefile hosts_list.txt --//
   --------hosts_list.txt--------
   192.168.1.10
   192.168.1.20
   192.168.1.30


9. Perform an Aggressive Scan
   //-- nmap -A 192.168.1.1 --//


10. Scan an IPv6 Target
   //-- nmap -6 fe80:29aa:9db9:4164:d80e --//





******************
Discovery Options
******************

Before port scanning a target, Nmap will attempt to send ICMP echo requests to see if the host is "alive".
This can save time when scanning multiple hosts as Nmap will not waste time attemping to probe hosts that
are not online.

Beause ICMP requests are often blocked by firewalls, Nmap will also attempt to connect to port 80 and 443
since these common web server ports are often open (even if ICMP is not).

The default discovery options aren't useful when scanning secured systems and can hinder scanning progress.

  1. Don't ping                       ---- [-Pn]
  2. Perform a Ping Only Scan         ---- [-sn/-sP]
  3. TCP SYN Ping                     ---- [-PS]
  4. TCP ACK Ping                     ---- [-PA]
  5. UDP Ping                         ---- [-PU]
  6. SCTP Ping                        ---- [-PY]
  7. ICMP Echo Ping                   ---- [-PE]
  8. ICMP Timestamp Ping              ---- [-PP]
  9. ICMP Address Mask Ping           ---- [-PM]
  10. IP Protocol Ping                ---- [-PO]
  11. ARP Ping                        ---- [-PR]
  12. Traceroute                      ---- [--traceroute]
  13. Force Reverse DNS Resolution    ---- [-R]
  14. Disable Reverse DNS Resolution  ---- [-n]
  15. Alternative DNS Lookup          ---- [--system-dns]
  16. Manually Specify DNS Server(s)  ---- [--dns-servers]
  17. Create a Host List              ---- [-sL] 


1. Don't Ping
   //-- nmap -Pn 192.168.1.1 --//
   By default, Nmap will first ping the target to see if it is online.
   This feature helps save time when scanning as it causes targets that do not respond to be skiiped.
   By specifying the [-Pn] option, Nmap is able to produce a list of open ports on the unpingable system.

2. Ping Only Scan
   //- nmap -sn 192.168.1.1 -//
   //- nmap -sP 192.168.1.1 -//
   //- nmap -sn -PE -PP -PS443 -PA80 192.168.1.1 -//
   ICMP Ping + TCP[SYN--->443]+TCP[ACK---->80]
   
   [-sn] is much power than [-sP]. For Example:
   ------------ [-sP] -------------
   Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-21 08:21 EST
   Nmap scan report for localhost (192.168.1.1)
   Host is up (0.0062s latency).
   MAC Address: 78:A1:06:xx:xx:xx (Unknown)
   Nmap scan report for localhost (192.168.1.100)
   Host is up (0.00058s latency).
   MAC Address: 60:D8:19:xx:xx:xx (Hon Hai Precision Ind. Co.)
   Nmap scan report for localhost (192.168.1.107)
   Host is up.
   Nmap scan report for localhost (192.168.1.198)
   Host is up (0.0085s latency).
   MAC Address: EC:17:2F:xx:xx:xxF (Unknown)
   Nmap done: 256 IP addresses (4 hosts up) scanned in 2.90 seconds

   
   ------------ [-sn] -------------
   Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-21 08:21 EST
   Nmap scan report for localhost (192.168.1.1)
   Host is up (0.0083s latency).
   MAC Address: 78:A1:06:xx:xx:xx (Unknown)
   Nmap scan report for localhost (192.168.1.100)
   Host is up (0.00049s latency).
   MAC Address: 60:D8:19:xx:xx:xx (Hon Hai Precision Ind. Co.)
   Nmap scan report for localhost (192.168.1.102) -------------------- [Attention Here]
   Host is up (0.056s latency).
   MAC Address: E0:CA:94:xx:xx:xx (Askey Computer)
   Nmap scan report for localhost (192.168.1.107)
   Host is up.
   Nmap scan report for localhost (192.168.1.198)
   Host is up (0.028s latency).
   MAC Address: EC:17:2F:xx:xx:xx (Unknown)
   Nmap done: 256 IP addresses (5 hosts up) scanned in 6.04 seconds


3. TCP SYN Ping
   //- nmap -PS22,25,80,443 192.168.1.1 -//
   The TCP SYN ping sends a SYN packet to the target system and listens for a response.
   This alternative discovery method is useful for systems that are configured to block standard ICMP pings.
   The default port for [-PS] is 80. Twice for 80.
   

4. TCP ACK Ping
   //- nmap -PA 192.168.1.1 -//     -----> port scan
   //- nmap -sn -PA 192.168.1.1 -// -----> no port scan
   This method attempts to discover hosts by responding to TCP connections that are nonexistent in an attempt
   to solicit a response from the target. It is useful in situations where standard ICMP pings are blocked.
   The default port for [-PA] is 80.

5. UDP Ping
   //- nmap -sn -PU 192.168.1.1 -// ------> port: 40125
   //- nmap -PU22,25,80,443 192.168.1.1 -//
   //- nmap -sn -PU135,137,138,445 192.168.1.1 -//
   While most firewalled systems will block this type of connection,
   some poorly configured systems may allow it if they are only configured to filter TCP connections.
   The default port for [-PU] is 40125.


6. SCTP INIT Ping
   //- nmap -PY 192.168.1.1 -//
   This discovery method attempts to locate hosts using the Stream Control Transmission Protocol (SCTP).
   SCTP is typically used on systems for IP based telephony.
   The default port for [-PY] is 80.

7. ICMP Echo Ping
   //- nmap -PE 192.168.1.1 -//

   //- nmap -sn -PE www.baidu.com/24 -//              ----- XXXXXXX
   //- fping -c 1 -g 119.75.217.1 119.75.217.255 -//  ----- more avaliable hosts
   [-PE] option is automatically implied if no other ping options are specified.
   
8. ICMP Timestamp Ping
   //- nmap -sn 192.168.1.1 -//      ----- port scan
   //- nmap -sn -PP 192.168.1.1 -//  ----- no port scan
   When most firewalled systems are configured to block ICMP echo requests,
   some improperly configured systems may still reply to ICMP timestamp requests.
   
9. ICMP Address Mask Ping
   //- nmap -PM 192.168.1.1 -//      ----- port scan
   //- nmap -sn -PM 192.168.1.1 -//  ----- no port scan
   This type of ping can occasionally sneak past a firewall that is configured to block standard echo requests.

10. IP Protocol Ping
   //- nmap -PO1,2,4 192.168.1.1 -//
   An IP protocol ping sends packets with the specified protocol to the target.
   If no protocols are specified, the default protocols 1(ICMP), 2(IGMP), 4(IP-in-IP) are used.
   A complete list of Internet Protocol numbers ----
   http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

11. ARP Ping  ---- option removed
   //- nmap -PR 192.168.1.1 -//
   ARP scans cannot be performed on targets that are not on your local subnet.

12. Traceroute
   //- nmap --traceroute scanme.insecure.org --//
   The information displayed is similar to the traceroute or tracepath commands.

13. Force Reverse DNS Resolution
   //- nmap -R 173.194.127.56 -//
   +++++++++++++++++++++++++++++++++++++++++++++++++
   Nmap scan report for hkg03s10-in-f24.1e100.net (173.194.127.56)
   Host is up (0.012s latency).
   Not shown: 998 filtered ports
   PORT    STATE SERVICE
   80/tcp  open  http
   443/tcp open  https

   Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds
   +++++++++++++++++++++++++++++++++++++++++++++++++

   By default, Nmap will only do reverse DNS for hosts that appear to be online.
   The [-R] option is useful when performing reconnaissance on a block of IP address
   as Nmap will try to resolve DNS information of every IP address.
   The reverse DNS information can reveal interesting information about the target IP
   address (even if it is offline or blocking Nmap's probes).

14. Disable Reverse DNS Resolution
    //- nmap -n 173.194.127.56 -//
    ++++++++++++++++++++++++++++++++++++++++++++++
    Nmap scan report for 173.194.127.56
    Host is up (0.011s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
    ++++++++++++++++++++++++++++++++++++++++++++++
   
    Using the -n option greatly reduces scanning times -
    especially when scanning a large number of hosts.
   
15. Alternative DNS Lookup Method
    //- nmap --system-dns 173.194.127.56 -//
    Use the host system's DNS resolver instead of its own internal method.
    This option is rarely used as it is much slower than the default method.
    It can be useful when troubleshooting DNS problems with Nmap.

    The system resolver is always used for IPv6 scans
    as Nmap has not yet fully implemented its own internal IPv6 resolver.


16. Manually Specify DNS Server(s)
    //- nmap --dns-servers 8.8.8.8,8.8.8.4 173.194.127.56-//
    Nmap's default behavior will use the DNS servers configured on your local system for name resolution.
   
17. Create a Host List
    //- nmap -sL 173.194.127.1/24 -//
    This scan is useful for identifying the IP addresses and DNS names for the specified targets without
    sending any packets to them. Many DNS names can reveal interesting information about an IP address including
    what it used for or where it is located.
   
   
   
   
*************************
Advanced Scanning Options
*************************

Nmap supports a number of user selectable scan types. By default, Nmap will perform a basic TCP scan on each system.
In some situations, it may be necessary to perform more complex TCP (or even UDP) scans in an attempt to find
uncommon services or evade a firewall.

You must login with root/administrator privileges to execute many of the scans discussed in this section.

At Default, Nmap sends some signal characters. For Example:
nmap -sU -p 135 192.168.1.1        ------------ signal characters [Malformed Packet: BT-uTP]
nmap -sU -p 135 --data-length 40 192.168.1.1


  1. TCP SYN Scan        --------- [-sS]
  2. TCP Connect Scan    --------- [-sT]
  3. UDP Scan            --------- [-sU]
  4. TCP NULL Scan       --------- [-sN]
  5. TCP FIN Scan        --------- [-sF]
  6. Xmas Scan           --------- [-sX]
  7. TCP ACK Scan        --------- [-sA]
  8. Custom TCP Scan     --------- [--scanflags]
  9. IP Protocol Scan    --------- [-sO]
  10. Send Raw Ethernet Packets --------- [--send-eth]
  11. Send IP Packets           --------- [--send-ip]


1. TCP SYN Scan
   //- nmap -sS 192.168.1.1 -//
   The TCP SYN scan is default option for privileged users (root or administrators).
   The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending SYN packet
   to he target and listening for a response.
   This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to
   the remote host.
   This prevents many systems from logging a connection attempt from your scan.
   
2. TCP Connect Scan
   //- nmap -sT 192.168.1.1 -//
   The [-sT] scan is the default scan type for non-privileged users.


3. UDP Scan
   //- nmap -sU 192.168.1.1 -//
   While TCP is the most commonly used protocol, many network services (like DNS, DHCP, and SNMP) still utilize UDP.

4. TCP NULL Scan
   //- nmap -sN 192.168.1.1 -//
   A TCP NULL scan causes Nmap to send packets with no TCP flags enabled.
   This is done by setting the packet header to 0. Sending NULL packets to a target is a method of tricking a firewalled
   system to generate a respomse.

5. TCP FIN Scan
   //- nmap -sF 192.168.1.1 -//
   In a [-sF] scan, Nmap marks the TCP FIN bit active when sending packets in an attempt to solicit a TCP ACK from the target.
   This is another method of sending unexpected packets to a target in an attempt to produce results from a system protected
   by a firewall.
   
6. Xmas Scan
   //- nmap -sX 192.168.1.1 -//
   Nmap sends packets with URG, FIN, and flags activted. This has the effect of "lighting the packet up like a Christmas tree"
   and can occasionally solicit a response from a firewalled system.
   Not all systems will respond to probes to this type.

7. Custom TCP Scan
   //- nmap --scanflags SYNURG 192.168.1.1 -//
   +++++++++++++++++++++++++++++++++++++++++++
   [ Flag ]        [Usage]
     SYN           Synchronize
     ACK           Acknowledgment
     PSH           Push
     URG           Urgent
     RST           Reset
     FIN           Finished

8. TCP ACK Scan
   //- nmap -sA 192.168.1.1 -//
   When performing a TCP ACK scan, Nmap will probe a target and look for RST responses.
   If no responses is received the system is considered to be filtered.
   If the system does return an RST packet, then it is labeled as unfiltered.

9. IP Protocol Scan
   //- nmap -sO 192.168.1.1 -//
   The IP protocol scan displays the IP protocols that are supported on the target system.
   The most commonly found protocols on modern are ICMP, TCP, UDP.
   Using the [-sO] option is helpful for quickly identifying what types of scans you want
   to perform on the selected target system based on its supported protocols.

10. Send Raw Ethernet Packets
    //- nmap --send-eth 192.168.1.1 -//
    Enabling this option instructs Nmap to bypass the IP layer on your system and send raw
    ethernet packets on the data link layer. This can be used to overcome problems with
    your system's IP stack.

11. Send IP Packets
    //- nmap --send-ip 192.168.1.1 -//
    Enabling this option forces Nmap to scan using the local system's IP stack instead of
    generating raw ethernet packets.



*********************
Port Scanning Options
*********************

There are a total of 131,070 TCP/IP ports (65,535 TCP and 65,535 UDP).
Nmap, by default, only scans 1,000 of the most commonly used ports.
This is done to save time when scanning multiple targets as the majority of ports outside the top
1000 are rarely used. Sometimes, however, you may want to scan outside the default range of ports
to look for uncommon services or ports that have been forwarded to a different location.

  1. Perform a Fast Scan       ------  [-F]
  2. Scan Specific Ports       ------  [-p port]
  3. Scan Ports by Nmae        ------  [-p name]
  4. Scan Ports by Protocol    ------  [-p U:[UDP ports],T:[TCP ports]]
  5. Scan All Ports            ------  -p "*"
  6. Scan Top Ports            ------  --top-ports [number]
  7. Perform a Sequential Port Scan  ------ -r
  8. Scan ports more common than <ratio -- decimal number between 0 and 1>  ------  [--port-ratio]


1. Perform a Fast Scan
   //- nmap -F 192.168.1.1 -//
   Nmap scans the top 1000 commonly used ports by default.
   The [-F] option reduces that number to 100.

2. Scan Specific Ports
   //- nmap -p 80 192.168.1.1 -//
   //- nmap -p 25,53,80-200 192.168.1.1 -//
   //- nmap -p- 192.168.1.1 -//

3. Scan Ports by Name
   //- nmap -p ftp,smtp,http 192.168.1.1 -//
   //- nmap -p "http*" 192.168.1.1 -//
   The name(s) specified must match a service in the nmap-services file.
   [/usr/local/share/nmap] or [C:\Program Files\Nmap]
   
4. Scan Ports by Protocol
   //- nmap -sU -sT -p U:53,T:25 192.168.1.1 -//
   Specifying a [T:] or [U:] prefix with the -p option allows you to search for a specific port and protocol combination.
   Nmap, by default, will only scan TCP ports. In order to scan both TCP and UDP ports,
   you will need to enable additional scan types such as [-sU] and [-sT].

5. Scan All Ports
   //- nmap -p "*" 192.168.1.1 -//

6. Scan Top Ports
   //- nmap--top-ports 10 192.168.1.1 -//
   By default, Nmap will scan the 1000 most commonly used ports.
   
7. Perform a Sequential Port Scan
   //- nmap -r 192.168.1.1 -//
   Nmap's default scanning algorithm randomizes the port scan order.
   This is useful for evading firewalls and intrusion prevention systems.

8. Scan ports more common than <ratio -- decimal number between 0 and 1>
   //- nmap --port-ratio 0.5 192.168.1.1 -//

***************************************
Operating System and Service Detection
***************************************

The process of identifying a target's operating system and software version is known as TCP/IP fingerprinting.

  1. Operating System Detection       ------   [-O]
  2. Attempt to Guess an Unknown OS   ------   [--osscan-guess]
  3. Service Version Detection        ------   [-sV]
  4. Troubleshooting Version Scans    ------   [--version-trace]
  5. Perform an RPC Scan              ------   [-sR]
  6. Set from 0 (light) to 9 (try all probes)   ------  [--version-intensity]
  7. Limit to most likely probes (intensity 2)  ------  [--version-light]
  8. Try every single probe (intensity 9)       ------  [--version-all]



1. Operating System Detection
   //- nmap -O 192.168.1.1 -//
   In order for OS detection to work properly there must be at least one open and one closed port on the target
   system. When scanning multiple targets, the [--osscan-limit] option can be combined with [-O] to instruct Nmap
   not to OS scan hosts that do not meet this criteria.

   If Nmap is unable to determine the operating system on a target, it will provide a fingerprint which can be to
   Nmap's OS database at www.nmap.org/submit/
   
2. Attempt to Guess an Unknown Operating System
   //- nmap -O --osscan-guess 192.168.1.1 -//
   If Nmap is unable to identify the OS, you can force it to guess by using the option.

3. Service Version Detection
   //- nmap -sV 192.168.1.1 -//
   Nmap version detection purposely skips some problematic ports (specifically 9100-9107).
   
4. Troubleshooting Version Scans
   //- nmap -sV --version-trace 192.168.1.1 -//

5. Perform an RPC Scan
   WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.

6. Set from 0 (light) to 9 (try all probes)
   //- nmap -Pn -sS -sV --version-intensity 0 -p 135 192.168.1.1 -//

**************
Timing Options
**************

When scanning a large number of hosts on a fast network you may want to increase the number
of parallel operations to get faster results.

When scanning show networks (or across the internet) you may want to slow down a scan to get
more accurate results or to evade intrusion detection systems. This section discusses the option
available for these timing features.

  1. Timing Templates                  ------  -T[0-5]
  2. Set the Packet TTL                ------  --ttl
  3. Minimun # of Parallel Operations  ------  --min-parallelism
  4. Maximum # of Parallel Operations  ------  --max-parallelism
  5. Minimum Host Group Size           ------  --min-hostgroup
  6. Maximum Host Group Size           ------  --max-hostgroup
  7. Maximum RTT Timeout               ------  --max-rtt-timeout
  8. Initial RTT Timeout               ------  --initial-rtt-timeout
  9. Maximum Retries                   ------  --max-retries
  10. Host Timeout                     ------  --host-timeout
  11. Minimum Scan Delay               ------  -scan-delay
  12. Maximum Scan Delay               ------  --max-scan-delay
  13. Minimum Packet Rate              ------  --min-rate
  14. Maximum Packet Rate              ------  --max-rate
  15. Defeat Reset Rate Limits         ------  --defeat-rst-ratelimit


Timing Parameters

Nmap timing parameters are accepted as millseconds by default.
You can also specify parameters in seconds, minutes, or hours by appending a qualifier to the time argument.
(none)  ---- Milliseconds [500,  500 milliseconds]
    s   ---- Seconds      [300s, 300 seconds]
    m   ---- Minutes      [5m,  5 minutes]
    h   ---- hours        [1h,  1 hour]


1. Timing Templates
   //- nmap -T[0-5] 192.168.1.1 -//
   -T0  ---- paranoid ---- Extremely slow
   -T1  ---- sneaky   ---- Useful for avoiding intrusion detection systems
   -T2  ---- polite   ---- Unlikely to interfere with the target system
   -T3  ---- normal   ---- This is the default timing template
   -T4  ---- aggressive ---- Produces faster results on local networks
   -T5  ---- insane   ---- Very fast and aggressive scan

2. Set the Packet TTL
   //- nmap --ttl 500 scanme.insecure.org -//
   This option is useful when scanning targets on slow connections where normal packets may time out before receiving a response.

3. Minimum Number of Parallel Operations
   //- nmap -sn -PE --min-parallelism 100 192.168.1.1/24 -//
   The [--min-parallelism] option is used to specify the minimum number of parallel port scan operations
   Nmap should perform at any given time.
   Nmap automatically adjusts parallel scanning options based on network conditions.
   While manually setting the [--min-parallelism] option may increase scan performance,
   setting it too high may produce inaccurate results.

4. Maximum Number of Parallel Operations
   //- nmap -sn -PE --max-parallelism 10 192.168.1.1/24 -//
   
5. Minimum Host Group Size
   //- nmap --min-hostgroup 30 192.168.1.1/24 -//
   Nmap will perform scans in parallel to save time when scanning multiple targets such as a range or entire subnet.
   
6. Maximum Host Group Size
   //- nmap --max-hostgroup 10 192.168.1.1/24 -//
   In contrast to the --min-hostgroup option, the --max-hostgroup option controls the maximum number of hosts in a group.
   This option is helpful if you want to reduce the load on a network or to avoid triggering any red flags with various
   network security products.

7. Initial RTT Timeout
   //- nmap --initial-rtt-timeout 5000 scanme.insecure.org -//
   The default timming template (-T3) has an --initial-rtt-timeout value of 1000 milliseconds.
   Increasing the value will reduce the number of packet retransmissions due to timeouts.
   By decreasing the value you can speed up scans; but do so with caution.
   Setting the RTT timeout value too low can negate any potential performance gains and lead to
   inaccurate results.
   
8. Maximum RTT Timeout
   //- nmap --max-rtt-timeout 400 scanme.insecure.org -//
   Nmap dynamically adjusts RTT timeout options for best results by default.
   The default maximum RTT timeout is 10 seconds. Manually adjusting the maximum RTT timeout lower will allow for faster scan
   times (especially when scannning large blocks of addresses).
   Specifying a high maximum RTT timeout will prevent Nmap from give up too soon when scanning over slow/unreliable connections.
   
9. Maximum Retries
   //- nmap --max-retries 2 scanme.insecure.org -//
   By default, Nmap will automatically adjust the number of probe retransmissions based on network conditions.
   
10. Host Timeout
   //- nmap --host-timeout 1m 192.168.1.1 -//
   A host may take a long time to scan if it is located on a slow or unreliable network.
   Systems that are protected by rate limiting firewalls may also take a considerable amount of time to scan.

   In the above example, the scan takes longer than one minute to complete which causes Nmap to terminate the scan.

11. Minimum Scan Delay
   //- nmap --scan-delay 5s scanme.insecure.org -//
   
12. Maximum Scan Delay
   //- nmap --max-scan-delay 300 scanme.insecure.org -//

13. Minimum Packet Rate
   //- nmap --min-rate 30 scanme.insecure.org -//
   The [--min-rate] option is used to specify the minimum number of packets Nmap should send per second.
   
14. Maximum Packet Rate
   //- nmap --max-rate 30 scanme.insecure.org -//
   //- nmap --max-rate 0.1 scanme.insecure.org -//  ----- send one packet every ten seconds.
   The [--max-rate] option is used to specify the maximum number of packets Nmap should send per second.

15. Defeat Reset Rate Limits
   //- nmap --defeat-rst-ratelimit scanme.insecure.org -//
   The [--defeat-rst-ratelimit] is used to defeat targets that apply rate limiting to RST (reset) packets.
   



******************
Evading Firewalls
******************
Firewalls and Intrusion prevention systems are designed to prevent tools like Nmap from getting an accurate picture of the systems.

  1. Fragment Packets               ----    [-f]
  2. Specify a Specific MTU         ----    [--mtu]
  3. Use a Decoy                    ----    [-D]
  4. Idle Zombie Scan               ----    [-sl]
  5. Manually Specify a Source Port ----    [--source-port]
  6. Append Random Data             ----    [--data-length]
  7. Randomize Target Scan Order    ----    [--randomize-hosts]
  8. Spoof MAC Address              ----    [--spoof-mac]
  9. Send Bad Checksums             ----    [--badsum]


1. Fragment Packet
   //- nmap -f 192.168.1.1 -//
   The [-f] option instructs Nmap to send small 8-byte Packets thus fragmenting the probe into many very small packets.
   This option isn't particularly useful in everyday situations; it may be helpful when attempting to evade some older
   or improperly configured firewall.

   Some host operating systems may require the use of [--send-eth] combined with [-f] for fragmented packets to be properly transmitted.

2. Specify a Specific MTU
   //- nmap --mtu 16 192.168.1.1 -//
   The [--mtu] option is similar to the [-f] option except it allows you to specify your own MTU to be used during scanning.
   This creates fragemented packets that can potentially confuse some firewalls.
   The MTU must be a multiple of 8 (example 8,16,24,32, etc)
   
3. Use a Decoy
   //- nmap -D RND:10 192.168.1.1 -//
   When performing a decoy scan Nmap will spoof additional packets from the specified number of decoy addresses. This effectively makes it
   appear that the target is being scanned by nultiple systems simultaneously. Using decoys allows the actual source of the scan to "blend
   into the crowd" which makes it harder to trace where the scan is coming from.

   In the above example [nmap -D RND:10] instructs Nmap to generate 10 random decoys.
   Using too many decoys can cause network congestion and reduce the effectiveness of a scan.
   Additionally, some internet service providers may filter spoofed traffic which will reduce the effectiveness of using decoys to cloak scanning.
   
4. Idle Zombie Scan
   //- nmap -sI 192.168.1.100 192.168.1.1 -//
   
   The idle zombie scan is a unique scanning technique that allows you to exploit an idle system and use it to scan a target for you.
   In order for an idle scan to be successful, the zombie system must truly be idle at the time of scanning.

5. Manually Specify a Source Port Number
   This technique can be used to exploit weaknesses in firewalls that are improperly configured to blindly accept incoming traffic based
   on a specific port number.

6. Append Random Data
   //- nmap --data-length 25 192.168.1.1 -//
   Nmap transmits packets which are generally a specific size. Some firewall vendors know to look for this type of predictable packet size.
   
7. Randomize Target Scan Order
   //- nmap --randomize-hosts 192.168.1.1/24 -//
   The [--randomize-hosts] option helps prevent scans of multiple targets from being detected by firewalls and intrusion detection systems.
   This is done by scanning them in a random order instead of sequential.

8. Spoof MAC Address
   //- nmap --spoof-mac [vendor|MAC|0] 192.168.1.1 -//
   
   [0                    ]  --------  Generate a random MAC address
   [Specific MAC Address ]  --------  Uses the specified MAC address
   [Vendor Name          ]  --------  Generates a MAC address from the specified vendor (such as Apple, Dell, 3Com, etc)

9. Send Bad Checksums
   //- nmap --badsum 192.168.1.1 -//
   The TCP/IP protocol uses checksums to ensure data integrity. Crafting packets with bad checksums can, in some rare occasions, produce a
   response from a poorly configured system.
   Only a poorly configured system would respond to a packet with a bad checksum. Nevertheless, it is a good tool to use when auditing network
   security or attempting to evade firewalls.




***************
Output Options
***************

    Save Output to a Text File    -------- [-oN]
    Save Output to a XML File     -------- [-oX]
    Grepable Output               -------- [-oG]
    Output All Supported File Types -------- [-oA]
    133t Output                     -------- [-oS]

   
*****************************
Troubleshooting and Debugging
*****************************

    Getting Help             ----------  -h
    Display Nmap Version     ----------  -V
    Verbose Output           ----------  -v
    Debugging                ----------  -d
    Display Port State Reason----------  --reason
    Only Display Open Ports  ----------  --open
    Trace Packets            ----------  --packet-trace
    Display Host Networking  ----------  -iflist
    Specify a Network Interface ---------- -e



****************************
Nmap Scripting Engine (NSE)
****************************
Network discovery
More sophisticated Version detection
Vulnerability detection
Backdoor detection
Vulnerability exploitation




   1. Gathering Additional Host Information
   2. Auditing Web Servers
   3. Auditing Databases
   4. Auditing Mail Servers
   5. Scanning Large Networks
   6. Generating Scanning Reports
   7. Writing Your Own NSE Scripts


1. Gathering Additional Host Information
   1.1 Geolocating an IP address
   1.2 Getting information from WHOIS records
   1.3 Checking if a host is known for malicious activities
   1.4 Collecting valid e-mail accounts
   1.5 Discovering hostnames pointing to the same IP address
   1.6 Brute forcing DNS records
   1.7 Fingerprinting the Operating system of a host
   1.8 Discovering UDP services
   1.9 Listing protocols supported by a remote host
   1.10 Discovering stateful firewalls by using a TCP ACK scan
   1.11 Matching services with known security vulnerabilities
   1.12 Spoofing the origin IP of a port scan




1. Gathering Additional Host Information
 
1.1 Geolocating an IP address
   ip-geolocation-maxmind, ip-geolocation-ipinfodb, ip-geolocation-geobytes, ip-geolocation-geoplugin

   ip-geolocation-geobytes  ---- http://nmap.org/nsedoc/scripts/ip-geolocation-geobytes.html
   ip-geolocation-geoplugin ---- http://nmap.org/nsedoc/scripts/ip-geolocation-geoplugin.html
   ip-geolocation-ipinfodb  ---- http://nmap.org/nsedoc/scripts/ip-geolocation-ipinfodb.html
   ip-geolocation-maxmind   ---- http://nmap.org/nsedoc/scripts/ip-geolocation-maxmind.html

   //- nmap --script ip-geolocation-* <target> -//


1.2 Getting Information from WGOIS records
   whois  ----  http://nmap.org/nsedoc/scripts/whois.html

   //- nmap --script whois scanme.nmap.org -//
   //- nmap --script whois --script-args whois.whodb=arin+ripe+afrinic scanme.nmap.org -//
   //- nmap -sn --script whois -v -iL hosts.txt -//
   //- nmap -sn --script whois --script-args whois.whodb=nocache scanme.nmap.org -//


1.3 Checking if a host is known for malicious activities
   //- nmap -p80 --script http-email-harvest exploit-db.com -//
   //- nmap -p80 --script http-email-harvest --script-args httpspider.maxpagecount=50 exploit-db.com -//
   //- nmap -p80 --script http-email-harvest --script-args httpspider.url=/welcome.php <target> -//

   //- nmap -p80 --script http-google-email --script-args domain=insecure.org scanme.nmap.org -//
   //- nmap -p80 --script http-google-email --script-args pages=10 scanme.nmap.org -//
   

1.5 Discovering hostnames pointing to the same IP address



+++++++++++++++++++++++++++++++++++++++++++++++
nmap -Pn -p 135 -S 127.0.0.1 192.168.1.136    # [LAN] ip spoof, but real MAC address.


+++++++++++++++++++++++ [ Host Discovery --- examples ] ++++++++++++++++++++++++
//- nmap -sn -PE -T3 192.168.1.100-120 -//  -----> 2 hosts up
//- nmap -sn -PE -T2 192.168.1.100-120 -//  -----> 3 hosts up

root@AA:~/Desktop# nmap -sn -PE -T3 192.168.1.100-120

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:29 CST
Nmap scan report for 192.168.1.102
Host is up (0.00086s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0020s latency).
Nmap done: 21 IP addresses (2 hosts up) scanned in 1.77 seconds   ------ 2 hosts up

root@AA:~/Desktop# nmap -sn -PE -T2 192.168.1.100-120

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:30 CST
Nmap scan report for 192.168.1.101
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0018s latency).
Nmap done: 21 IP addresses (3 hosts up) scanned in 19.78 seconds  ------ 3 hosts up


----------------------------============================================
root@AA:~# fping -a -c 2 -g 119.75.218.1/24             ------------------------  5 hosts
119.75.218.11  : xmt/rcv/%loss = 2/1/50%, min/avg/max = 9.99/9.99/9.99
119.75.218.45  : xmt/rcv/%loss = 2/2/0%, min/avg/max = 13.0/16.6/20.2
119.75.218.70  : xmt/rcv/%loss = 2/2/0%, min/avg/max = 3.58/5.04/6.51
119.75.218.77  : xmt/rcv/%loss = 2/2/0%, min/avg/max = 7.49/7.87/8.26
119.75.218.143 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 11.8/12.3/12.8
root@AA:~# fping -a -c 4 -g 119.75.218.1/24             ------------------------  6 hosts
119.75.218.11  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 3.41/12.2/21.9
119.75.218.45  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 2.96/10.2/30.6
119.75.218.70  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 3.41/9.08/18.0
119.75.218.77  : xmt/rcv/%loss = 4/4/0%, min/avg/max = 3.54/5.31/9.04
119.75.218.143 : xmt/rcv/%loss = 4/4/0%, min/avg/max = 8.42/11.7/15.2
119.75.218.254 : xmt/rcv/%loss = 4/1/75%, min/avg/max = 19.8/19.8/19.8

root@AA:~# nmap -sn -PE -T2 192.168.1.100-120          ------------------------- 3 hosts

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-27 13:30 CST
Nmap scan report for 192.168.1.101
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
Nmap scan report for 192.168.1.112
Host is up (0.0018s latency).
Nmap done: 21 IP addresses (3 hosts up) scanned in 19.78 seconds


----------------------------============================================
root@AA:~# nmap -n -sn --data-length 56 --ttl 64 -PE 119.75.217.1/24  -------- 0 hosts up

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-28 15:35 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 52.15 seconds

root@AA:~# nmap -n -sn --data-length 56 --ttl 64 -PE 119.75.217.26    -------- 1 host up

Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-28 15:38 CST
Nmap scan report for 119.75.217.26
Host is up (0.0045s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
« Last Edit: January 28, 2014, 02:52:03 pm by Phage »