Nmap
Nmap Phases
The following describes the order in which Nmap operates. Nmap works in phases, and certain phases use information gathered by earlier ones. Many phases are optional and not performed by default, such as version and OS detection. Understanding the phases and the consequences of performing them helps you run better scans.
- Target Enumeration resolves the user's input into a list of IPv4 or IPv6 addresses.
- Host Discovery interacts with targets to determine whether they are up. This step is optional, and there are many methods to choose from (e.g. ICMP, ARP, TCP).
- Reverse DNS Resolution iterates over the list of targets to obtain DNS names from DNS servers. This step is optional, and it can be set to resolve unresponsive hosts as well.
- Port Scanning iterates over the targets and performs the scanning techniques the user requested.
- Version Detection uses techniques such as banner grabbing and fingerprinting to determine the versions of the software behind open ports.
- OS Detection compares responses against thousands of stored OS fingerprints to determine which OS the remote system is running.
- Traceroute traces the hops to your target and prints the routes in a readable layout.
- Script Scanning uses the Nmap Scripting Engine (NSE), allowing users to specify scripts to run against targets, even exploits.
- Output collects the information gathered and writes it to a file or stdout. Different output formats are available.
Port States
Nmap reports six granular port states. These states reflect how Nmap sees the ports, not necessarily their true state; different scanning techniques can be used to narrow down the actual state of a port when firewalls are in place.
- open: an application is actively accepting TCP connections or UDP packets on the port.
- closed: the port is accessible, but no application is listening on it. Closed ports are still useful for host discovery and OS detection, and are worth rechecking in case a service eventually comes up.
- filtered: Nmap cannot determine whether the port is open because filtering prevents its probes from reaching the port. The probes are usually dropped rather than rejected, so filtered ports slow scans down dramatically.
- unfiltered: only the ACK scan classifies ports in this state. The port is accessible, but it is undetermined whether it is open or closed; other scan types may provide more information.
- open|filtered: undetermined whether the port is open or filtered. Occurs with scan types in which an open port gives no response, i.e. the UDP, IP protocol, FIN, Null, and Xmas scans.
- closed|filtered: undetermined whether the port is closed or filtered. Occurs only with the IP ID idle scan.
Target Enumeration
Target enumeration is how Nmap handles address input. A target can be a hostname, a hostname followed by a subnet mask, an IP address or a range of IP addresses in CIDR notation, or a comma-separated list of these. The following flags relate to user-specified enumeration and their effects.
- -iL: pass a list of hosts to Nmap via a filename or stdin (give - as the filename when piping a list).
- -iR: choose targets at random; specify the number of targets, or 0 for a never-ending scan. Undesirable IPs are ignored by default.
- --exclude: exclude hosts or networks from the scan.
- --excludefile: file listing the hosts and/or networks to exclude.
Host Discovery
Discovery is the first stage in which Nmap interacts with targets. Here Nmap determines which hosts are up, and the user can choose from several methods for identifying responsive targets. For example, on a LAN the -PR flag is used by default, sending layer 2 ARP requests to resolve hosts.
- -sL: dry run listing the hosts that would be scanned; performs reverse DNS by default. Unobtrusive.
- -sn (formerly -sP): ping scan only, plus traceroute / NSE if added. Light reconnaissance, more intrusive than a list scan.
- -Pn (formerly -PN): disable host discovery (ping) and scan every host.
- -PS (TCP): sends an empty TCP packet with the SYN flag set; defaults to port 80, and you can provide a port or port list (e.g. -PS8000). Does not require root privileges.
- -PA (TCP): same as -PS but with the ACK flag (if unprivileged, a SYN is sent instead). Used to get past firewalls that block incoming SYN requests; stateful firewalls will typically block it because the ACK belongs to no legitimate connection.
- -PU (UDP): sends an empty UDP packet unless --data-length is specified; requires root. The default port is 40125 because it is likely to be closed, eliciting an ICMP port unreachable response.
- -PE (ICMP): sends an ICMP type 8 packet (echo request) and expects a type 0 (echo reply). Less reliable, as systems may not answer.
- -PP (ICMP): sends an ICMP type 13 packet (timestamp request) and expects a type 14. Can test whether only echo requests are blocked.
- -PM (ICMP): sends an ICMP type 17 packet (address mask request) and expects a type 18. Can test whether only echo requests are blocked.
- -PO (IP): sends packets for multiple IP protocols, defaulting to ICMP (1), IGMP (2), and IP-in-IP (4). If TCP (6) or UDP (17) is requested, the packets are sent with proper protocol headers by default.
- -PR (ARP): sends layer 2 who-has packets to resolve hosts; used by default when Nmap determines the host is on the same LAN.
- -T: timing level 0-5 for scanning speed; -T4 is recommended when the connection is fast and reliable. The slower levels can be used for stealth.
- --send-ip: send IP-level packets rather than raw Ethernet frames when on the same LAN.
- --send-eth: send raw Ethernet frames rather than IP-level packets; used by default when Nmap determines the host is on the same LAN.
- --spoof-mac: spoof your MAC address; must be given a MAC address, prefix, or vendor name.
- -S: spoof the source IP address; must be given the address to use. Useful if Nmap cannot determine your source address. Responses will be directed to the spoofed address.
- --source-port / -g: set a constant source port, for example port 53 (DNS).
- --data-length: append random bytes to packets (works with TCP, UDP, ICMP). Can avoid triggering an IDS set up to alert on 0-byte packets; 32 simulates a Windows echo request, 64 simulates a Linux ping.
- --ttl: requires sudo privileges; limits hops in case of loops and makes discovery look less invasive.
- --randomize-hosts: shuffling the host order makes the scan less conspicuous, but results in less organized output.
- --reason: reports how each host or port state was determined (e.g. ARP, ICMP reply, etc.).
- --packet-trace: shows every packet sent and received in the scan, including sequence numbers, TTL, and TCP flags.
- -D: add decoys to obscure your address; RND:5 generates 5 random IP addresses. Specify decoys by IP if on the LAN, otherwise your address is easy to pick out as the only one actually on the LAN.
- -6: use IPv6 rather than IPv4.
DNS Resolution
The DNS Resolution stage is where users can alter how Nmap handles DNS. Reverse lookups can be performed for all hosts, up or down, or the stage can be completely skipped. Multiple DNS servers can be used to balance requests across servers making your actions more difficult to detect.
- -n: never do reverse DNS resolution on hosts; reduces scan time.
- -R: always do reverse DNS resolution on hosts, unresponsive hosts included.
- --dns-servers: specify the DNS servers to use. Can be faster and increase stealth by spreading requests across a range of DNS servers. On private networks it can be combined with the -sL flag to determine which DNS server works.
- --system-dns: uses the system getnameinfo() call; very slow and rarely used.
Port Scanning
Nmap provides many options for how ports are scanned. Some are listed below; the SYN scan is used by default. Trying different scan types can reveal different results depending on how targets respond, and some scan types can get past firewalls configured in particular ways.
- -sS: TCP SYN (stealth) scan, the most popular scan. Fast, and targets the most popular protocol (TCP).
- -sA: TCP ACK scan, used to determine whether firewalls are stateful or stateless; cannot distinguish between open and closed ports.
- -sW: TCP Window scan, like the ACK scan but can tell open from closed ports on certain machines.
- -sT: TCP Connect scan, uses the connect system call; ideal when running without admin privileges.
- -sN: TCP Null scan, sets no TCP flags; can sneak past some firewalls.
- -sF: TCP FIN scan, sets the FIN flag; can sneak past some firewalls. Relies on target behavior that a service may not provide.
- -sX: TCP Xmas scan, sets the FIN, URG, and PSH flags; can sneak past some firewalls. Useful mainly against Unix systems.
- -sM: TCP Maimon scan, sets the FIN and ACK flags; can sneak past some firewalls but works on fewer systems than the FIN scan.
- -sI: TCP Idle scan, the stealthiest scan; requires a zombie host and is slow (see the Nmap reference guide for details).
- -b: TCP FTP bounce, tricks FTP servers into port scanning by proxy. Useful for getting past firewalls, but the FTP behavior it relies on has largely been fixed.
- -A: aggressive scan options; seek permission from the target owner before use. Performs OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). Requires admin privileges.
- -sU: UDP scan, can be combined with TCP scans. Can be slow if performed on all hosts in a network.
- -sY: SCTP INIT scan, mostly used for SS7/SIGTRAN services; relatively stealthy and performs like a SYN scan.
- -sZ: SCTP COOKIE ECHO scan, less obvious than the INIT scan (-sY) and can get past firewalls that block INIT scans, but cannot differentiate between open and filtered ports.
- -sO: IP protocol scan, not technically a port scan. Determines which IP protocols (TCP, ICMP, IGMP, etc.) are supported.
- --scanflags: specify the exact TCP flags to set; combine with a scan type (e.g. -sA) to specify how responses are interpreted.
- --badsum: sends packets with bad checksums. Useful for determining whether a firewall is sending responses without checking the packet checksum, since virtually all IP hosts drop such packets.
Version Detection
Nmap uses a database of expected probe responses for many services and their versions, which lets the version scan provide more information about the services running on ports. It will also attempt to gather further information about ports in states that give little information (i.e. open|filtered).
- -sV: probes discovered ports to determine the underlying service and version more accurately.
- -A: performs version detection along with several other scans, such as traceroute and OS detection.
- --version-intensity: sets the probe intensity between 0 and 9. The default is 7; higher intensity takes longer but is more likely to identify the service correctly.
- --version-trace: prints extensive debugging information about the version scan.
OS Detection
Nmap uses a database of expected probe responses for many operating systems. There are thousands of OS fingerprints in the database; if you encounter an OS that is not in it, Nmap will notify you and ask you to submit the fingerprint, assuming you know exactly which OS and version the target is running. Fingerprints include OS details, vendor name, OS version, and the device type (e.g. general purpose, router, switch, etc.).
- -O: OS detection; Nmap gathers responses from the target, performs tests on them, and compares the results against its database of over 2,600 known OS fingerprints.
- --osscan-limit: only attempt OS detection on hosts with at least one open and one closed port, saving significant time.
- --osscan-guess / --fuzzy: guess the OS aggressively, offering imperfect matches with a confidence level (percentage).
- --max-os-tries: number of retries; reduce for speed, increase for more attempts. The default is 5 tries when conditions are favorable and 2 when they are not.
Script Scanning
Nmap ships many scripts contributed by the community over the years. Some scripts are very intrusive and can even exploit vulnerabilities on targets, so use them with caution. Scripts are organized into categories, and the default category is applied when the user does not specify one; intrusive and exploit scripts do not fall under default.
- -sC: performs an NSE scan with the default script category.
- --script: specify the script(s) or script category(s) to run; can also be a directory path.
- --script-help: accepts input like the --script flag and provides helpful descriptions. For example, run it against the default category to get information about the scripts that would be run.
- --script-args: specify arguments for scripts to ingest.
- --script-trace: prints application-level tracing output.
- --script-updatedb: updates the script database after adding or removing scripts; run it on its own (i.e. nmap --script-updatedb).
Output
Users can specify how output is displayed and save it to several different file formats. XML output is useful when the results are ingested by other programs such as Metasploit.
- --verbose / -v: includes down hosts and additional info about up hosts in the output.
- --open: only show open ports.
- -d: debugging; provides more output depending on the level (1-9), useful for seeing what is going on and for detailed reporting.
- -oN: normal output, similar to the standard output you see when no output option is given.
- -oX: XML output, which scripts or programs can parse and display.
- -oG: grepable format, putting each host's info on a single line, good for quick searches.
- -oA: create files in all three formats; specify a base filename and the extensions are added automatically.
- --resume: point to an existing normal or grepable output file from an interrupted scan; add no other flags and the scan resumes where it left off.
- --append-output: append to a preexisting file rather than overwriting it.
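The XML output mentioned above is the form downstream tooling consumes. As an added example (not from this page or from the Nmap project), the following Python parser reads -oX output, builds a per-host inventory of open ports with any -sV product/version strings, and pulls out the open|filtered and closed|filtered ports from the Port States section, which a follow-up scan still needs to settle. The XML sample is constructed; the element and attribute names are those Nmap's XML output uses, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output (not a real scan), cut down to the elements
# this parser reads: one LAN host with TCP and UDP ports in mixed states.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.10.10.5">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.10.5" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="135"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="msrpc" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="snmp" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: addr, port, proto, state, reason, service, version."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        # A host may carry several <address> elements (IP plus MAC on a LAN); keep the IP one.
        addr = next(a.get("addr") for a in host.findall("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            # product/version attributes only appear when -sV actually probed the port
            parts = [] if svc is None else [svc.get("product"), svc.get("version")]
            rows.append({"addr": addr, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "state": state.get("state"),
                         "reason": state.get("reason"),  # the same value --reason prints
                         "service": None if svc is None else svc.get("name"),
                         "version": " ".join(p for p in parts if p)})
    return rows

def open_ports_by_host(rows):
    """Inventory view: {addr: ['22/tcp ssh OpenSSH 8.9p1', ...]} for ports Nmap saw as open."""
    inventory = {}
    for r in rows:
        if r["state"] == "open":
            label = f'{r["port"]}/{r["proto"]} {r["service"]} {r["version"]}'.rstrip()
            inventory.setdefault(r["addr"], []).append(label)
    return inventory

def ambiguous_ports(rows):
    """Ports left in open|filtered or closed|filtered, i.e. the ones a follow-up scan should settle."""
    return [r for r in rows if "|" in r["state"]]
```

Point parse_nmap_xml at the contents of a real -oX file (or the .xml produced by -oA) to run it over your own scans.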
Nmap Scripting Engine
- description is a brief description of what the script does (it can span multiple paragraphs, but the first paragraph should be a brief summary)
- author is the author of the script
- license can be the default Nmap license or the BSD license
- categories is a list of the categories the script falls under
- runlevel is used when certain scripts depend on other scripts having run first
Nmap Example Script
local comm = require "comm"
local shortport = require "shortport"
local oops = require "oops"

description = [[
Retrieves the day and time from the Daytime service.
]]

---
-- @output
-- PORT   STATE SERVICE
-- 13/tcp open  daytime
-- |_daytime: Wed Mar 31 14:48:58 MDT 2010

author = "Diman Todorov"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"discovery", "safe"}

-- Run on port 13 or any port whose service is identified as daytime, over TCP or UDP.
portrule = shortport.port_or_service(13, "daytime", {"tcp", "udp"})

action = function(host, port)
  -- Send a dummy payload and return the single line the service answers with.
  return oops.output(comm.exchange(host, port, "dummy", {lines=1}))
end
Speed Up your UDP Scans
- Version detection (-sV) helps determine whether open|filtered UDP ports are actually open or filtered; set --version-intensity 0, which has a dramatic impact on scan time.
- Limit scans to popular ports, and run the full port scan in the background because it will take a while.
- When scanning multiple hosts, set --min-hostgroup to a higher number to increase the scan rate. For example, when scanning 4096 IPs, set the host group to 512 (a number that divides evenly).
- Set the -v flag for verbosity to get estimated completion times.
Useful Commands
nmap --iflist
nmap -n -sn -PE -T4 --packet-trace 10.10.10.0/24
nmap --script whois-ip blog.michaelolson.io
nmap -sUV -p0- -T4 -v --version-intensity 0 --max-rtt-timeout 200 -oA ~/metasploitable_reports/%D-report <target>
nmap --script-help metasploit-info, default