Nmap Basics - Network Scanning

TryHackMeNetworking Fundamentals
Written By FightTheWest
 
nmap2.jpeg
 

The link for this lab is located here: https://tryhackme.com/room/furthernmap

This room covers the most important tool a hacker can learn - Nmap. You will learn different types of scans, scripts and firewall evasion

nmap.jpg

Task 2 - Introduction

The more knowledge you have about a target system, the more options you have available. This makes is imperative that proper enumeration and information gathering is carried out before exploitation.

The first stage in establishing a map of our target's landscape is something referred to as "port scanning".

When a compter runs a network service such as a website, it opens something called a port to receive that connection. Ports are necessary for making multiple network requests or having multiple services available. You don't want your web traffic heading for a mailing server as it won't process it correctly as an example.

Network connections made between two ports - open port listening on the server and randomly generated port on your own device. When you connect to a web page, your computer may open port 49534 to connect to the server's port 443.

nmap.png

Every computer in the world has a total of 65535 available ports. Many of these are registered as "standard ports".

An HTTP Webservice can nearly always be found on port 80 and HTTPS can be found on port 443. Windows NetBIOS can be found on port 139 and SMB can be found on port 445.

However, it is NOT uncommon for the standard ports to be altered, making it more imperative that we perform appropriate enumeration

Nmap can be used to perform many different kinds of port scan. The most basic theory is that Nmap will connect to each port of the target in turn and, depending on how the port responds, determine the port as three states - open, closed or filtered (usually by a firewall).

Questions

Q1: What networking constructs are used to direct traffic to the right application on a server? A: Ports

Q2: How many of these are available on any network-enabled computer? A: 65535

Q3: How many of these are considered well-known? A: Doing a quick Google search of well known ports reveals there are 1024

Task 3 - Nmap Switches

There are versions of Nmap available for both Windows and Linux; however, most people will use the Linux version and you should too.

Nmap can be accessed by simply typing nmap into the terminal followed by some of the switches - switches are command arguments which tell a program to do different things)

To answer all the questions, use the commands "nmap -h" or "man nmap".

help.png

Questions

Q1: What is the first switch listed in the help menu for a SYN Scan? A: -sS

Q2: Which switch would you use for a "UDP Scan"? A: -sU

Q3: If you wanted to detect which operating system the target is running on, which switch would you use? A: -O

Q4: Nmap provides a switch to detect the version of the services running on the target. What is the switch? A: -sV

Q5: The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity? A: -v

Q6: Verbosity level one is good, but verbosity level two is better. How would you set the verbosity level to two? A: -vv

Q7: What switch would you use to save the nmap results in three major formats? A: -oA

Q8: What switch would you use to save the nmap results in a "normal" format? A: -oN

Q9: What switch would you use to save results in a "grepable" format? A: -oG

Q10: There is a shorthand switch that activates service detection, OS detection, traceroute and common script scanning. What is it? A: -A

Q11: How would you set the timing template to level 5? A: -T5

Q12: How would you tell nmap to only scan port 80? A: -p 80

Q13: How would you tell nmap to scan ports 1000-1500? A: -p 1000-1500

Q14: How would you tell nmap to scan all ports? A: -p-

Q15: How would you activate a script from the nmap scripting library? A: --script

Q16: How would you activate all of the scripts in the "vuln" category? A: --script=vuln

Task 4 - Scan Types (Overview)

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)

  • SYN "Half-open" Scans (-sS)

  • UDP Scans (-sU)

Additionally, there are several less common port scan types. These are:

  • TCP Null Scans (-sN)

  • TCP FIN Scans (-sF)

  • TCP Xmas Scans (-sX)

Most of these (except UDP scans) are used for very similiar purposes but they all work differently.

One of the first three scans will likely be used 99% of the time, it is worth noting that other scan types exist.

Task 5 - TCP Connect Scans

To understand TCP Connect scans (-sT) it is important that you understand the TCP 3-way handshake (this is discussed in the Introductory Networking room)

A TCP Connect scan works by performing the three-way handshake with each target port in turn. Nmap tries to connect to each specified TCP port and determines whether the service is open by the response it receives.

If Nmap sends a TCP request with the SYN flag set to a closed port, the target server will respond with a TCP packet with the RST (Reset) flag set. By this response, Nmap can establish the port is closed

rst.png

If the request is sent to an open port, the target will respond with a TCP packet with the SYN/ACK flags set. Nmap then marks the port as being open and completes the handshake.

Many firewalls however are configured to simply drop incoming packets. Nmap sends a TCP SYN request and receives nothing back. This indicates that the port is being protected by a firewall and thus the port is considered to be "filtered"

However, it is very easy to configure a firewall to respond with a RST TCP packet. For example, in IPtables for Linux, a simple version of the command would be as follows:

iptables.png

This can make it extremely difficult to get an accurate reading of the targets

Questions

Q1: Which RFC defines the appropriate behaviour for the TCP protocol? A: RFC 793

Google search for RFC that defines TCP protocol

Q2: If a port is closed, which flag should the server send back to indicate this? A: RST

Task 6 - SYN Scans

SYN Scans (-sS) are used to scan the TCP port-range of a target or targets; however, the two scan types work slightly differently. SYN scans are sometimes referred to as "Half-open" or "Stealth"

SYN Scans send back a RST TCP packet after receiving a SYN/ACK from the server

rstack.png

This has a variety of advantages:

  • Can be used to bypass older IDS as they look for a full handshake (newer IDS will detect it however)

  • SYN scans are often not logged as a full connection is not made

  • SYN scans are significantly faster than a standard TCP Connect scan

SYN Scans are the default scans if Nmap is ran with sudo. If ran without sudo, it defaults to TCP Connect scan

In SYN Scans, if a port is closed then the server responds with a RST TCP packet. If the port is filtered by a firewall then the TCP SYN packet is either dropped, or spoofed with a TCP reset.

Questions

Q1: There are two other names for a SYN scan, what are they? A: Half-Open, Stealth

Q2: Can Nmap use a SYN scan without sudo permissions (Y/N)? A: Y but it will default to a TCP Connect Scan instead of a SYN Scan
ping.png

Task 7 - UDP Scans

Rather than initiating a connection with a handshake, UDP connections rely on sending packets to a target port and hoping they make it which makes UDP significantly more difficult to scan.

When a packet is sent to an open UDP port, there should be no response - if this happens, Nmap reports it as open|filtered meaning it suspects the port is open but it could be firewalled.

If it gets a UDP response (very rare) then the port is marked as open. More commonly there is no response in which case the request is sent a second time. If there is still no response, the port is marked open|filtered.

When a packet is sent to a closed UDP port, the target should respond with an ICMP containing a message that the port is unreachable.

UDP scans are incredibly slow due to this. It's good practice to run an Nmap scan with "--top-ports <number>" to scan the top 20 most commonly used ports as an example.

Nmap usually sends completely empty requests - however, for ports which are usually occupied by well-known services, it will instead send a protocol-specific payload.

Questions

Q1: If a UDP port does not respond to an Nmap scan, what will it be marked as? A: open|filtered

Q2: When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so? A: ICMP

Task 8 - NULL, FIN and XMAS Scans

NULL, FIN and XMAS TCP port scans are less commonly used. All three are interlinked and are used primarily as they tend to be even stealthier than a SYN scan

NULL scans (-sN) are when the TCP request is sent with no flags set at all. The target host should respond with a RST if the port is closed

null.png

FIN scans (-sF) work in an almost identical fashion but instead of an empty packet, it is sent with the FIN flag which is used to gracefully close an active connection. Nmap expects an RST if the port is closed.

fin.png

XMAS scans (-sX) send a malformed TCP packet and expects a RST response for closed ports. It's referred to as an XMAS scan as the flags that it sets (PSH, URG and FIN) give it the appearance of a blinking christmas tree when viewed in Wireshark

xmas.png

The expected response for open ports is also identical and very similiar to a UDP scan. If the port is open, there is no response to the malformed packet which is also the expected behaviour if the port is firewalled

NULL, FIN and XMAS scans will only ever identify ports as being open|filtered, closed or filtered. If a port is identified as filtered with one of these scans, it is usually because the target responded with an ICMP unreachable packet.

Worth noting that hosts will not always respond to malformed packets with an RST TCP packet for closed ports and no response for open ports. In particular, Windows (and Cisco network devices) are known to respond with an RST to any malformed TCP packet

Many firewalls are configured to drop incoming TCP packets to blocked ports which have the SYN flag set. By sending requests which do not contain the SYN flag, we effectively bypass this kind of firewall.

However, most modern IDS solutions are savvy to these scan types, so they are not a perfect solution to modern systems.

Questions

Q1: Which of the three shown scan types uses the URG flag? A: XMAS

Q2: Why are NULL, FIN and XMAS scans generally used? A: Firewall Evasion

Q3: Which common OS may respond to a NULL, FIN or XMAS scan with a RST for every port? A: Microsoft Windows

Task 9 - ICMP Network Scanning

Typically, the first object for a penetration test is to obtain a "map" of the network structure - in other words, to find which IP addresses contain active hosts and which do not.

One way is to do what is known as a "ping sweep". Nmap will send an ICMP paket to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive.

To perform a ping sweep, use the "-sn" switch with IP ranges which can be specified with either a hyphen (-) or CIDR notation:

  • nmap -sn 192.168.0.1-254

  • nmap -sn 192.168.0.0/24

These perform the same thing just different syntax - both will ping each host from 192.168.0.1 to 192.168.1.254

The "-sn" switch tells Nmap not to scan any ports and forces it to rely primarily on ICMP echo packets (or ARP requests on a local network) to identify targets

In addition, the "-sn" switch will also cause nmap to send a TCP SYN packet to port 443 of the target as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target.

Questions

Q1: How would you perform a ping sweep on the 172.16.x.x network (Netmask 255.255.0.0) using Nmap (CIDR notation)? A: nmap -sn 172.16.0.0/16

Task 10 - NSE Overview

The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality considerably.

NSE scripts are written in the Lua programming language and are used to do a variety of things:

  • scanning for vulnerabilities

  • automating exploits for them

  • and much more……

The NSE is particularly useful for reconnaissance. There are many categories available. Some useful categories include:

  • safe - won’t affect the target

  • intrusive - not safe and will likely affect the target

  • vuln - scan for vulnerabilities

  • exploit - attempt to exploit a vulnerability

  • auth - attempt to bypass authentication for running services

  • brute - attempt to brute force credentials for running services

  • discovery - attempt to query running services for further information

Questions

Q1: What language are NSE scripts written in? A: Lua

Q2: Which category of scripts would be a very bad idea to run in a production environment? A: Intrusive

Task 11 - Working with the NSE

In task 3, we looked briefly at the "--script" switch for activating NSE scripts from the vuln category using "--script=vuln". Other categories work the same way - if you wanted to run the safe scripts, you would type "--script=safe"

Note however that only scripts which target an active service will be activated.

To run a specific script, we would use “--script=<script-name>". As an example:

--script=http-fileupload-exploiter

Multiple scripts can be run simultaneously by seperating them by a command - as an example "--script=smb-enum-users,smb-enum-shares"

Some scripts require arguments such as credentials. These can be given with the "--script-args" Nmap switch. An example would be the "http-put" script which takes two arguments: the URL to upload the file to and the file's location on disk. For example:

nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

Note that the arguments are seperated by commas, and connected to the corresponding script with periods.

Nmap scripts come with built-in help menus, which can be accessed using "nmap --script-help <script-name>".

Questions

Q1: What optional argument can the "ftp-anon.nse" script take? A: Doing a quick Google search of the script reveals the official Nmap website where we can see the argument.

Google search of ftp-anon Nmap script

Task 12 - Searching for Scripts

We have two options to find scripts. The first is the page on the Nmap website which contains a list of all official scripts. The second is the local storage on your attacking machine.

Nmap stores its scripts on Linux at "/usr/share/nmap/scripts". All of the NSE scripts are stored in this directory by default.

There are two ways to search for installed scripts. One is by using "/usr/share/nmap/scripts/script.db" file. This file is a formatted text file containing filenames and categories for each available script.

script.png

Nmap uses the script.db file to keep track of and utilize scripts for the scripting engine. However, you can also grep through it to look for scripts that match a certain word or string. For example, we can search for the word "ftp" to see all scripts related to FTP.

grep.png

The second way to search for scripts is using the "ls" command. We can get the same results as the grep command by using the command - ls -l /usr/share/nmap/scripts/*ftp* which searches for all scripts that contain FTP anywhere in the file name.

ftp.png

The same technique can also be used to search for categories of script. For example - grep "safe" /usr/share/nmap/scripts/script.db

safe.png

A standard sudo apt update && sudo apt install nmap should fix most problems with missing scripts. However, it is possible to install the scripts manually by downloading the script from Nmap via the command:

sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse

This must be followed up with the nmap --script-updatedb command which updates the script.db file to contain the newly downloaded script.

Questions

Q1: Search for "smb" scripts in the /usr/share/nmap/scripts directory. What is the filename of the script which determines the underlying OS of the SMB server? A: We know we want to determine the OS so we can look for the "os" keyword to find the answer - smb-os-discovery.nse

SMB OS NSE Script

Q2: Read through the script in Q1. What does it depend on? A: Use the "less smb-os-discovery.nse" command to read the script. Scrolling down until you see "author" will reveal the dependencies - smb-brute

Dependencies of smb-os-discovery.nse script

Task 13 - Firewall Evasion

There is another very common firewall configuration which we need to know how to bypass not just by using NULL, FIN and XMAS scans.

A typical Windows host will block all ICMP packets. Nmap actually does this by default - it will send a ping to make sure the host is alive before it port scans. This means that Nmap will register a host with this firewall configuration as dead and not bother scanning it.

Fortunately, Nmap provides an option for this - "-Pn" - which tells Nmap to not bother pinging the host before scanning it. This means Nmap will always treat the target hosts as being alive effectively bypassing the ICMP block

However, it comes at the price of potentially taking a long time to complete the scan. Also worth noting that if you are directly on the local network, Nmap can also use ARP requests to determine host activity.

There are a variety of other switches Nmap has which are useful for firewall evasion which can be found here

The following switches are of particular note:

  • -f - used to fragment the packets making it less likely to be detected

  • --mtu <number> - accepts an MTU size to use for the packets, must be multiple of 8

  • --scan-delay <time>ms - used to add delay between packets sent

  • --badsum - generate invalid checksum for packets. Firewalls may potentially respond automatically without bothering to check the checksum

Questions

Q1: Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch? A: ICMP (ping)

Q2: Which Nmap switch allows you to append an arbitrary length of random data to the end of packets? A: Looking through the "--help" page for Nmap, we can see our answer - --data-length

--data-length argument

Task 14 - Practical

Now, we can get to using some of these commands on a live machine.

Questions

Q1: Does the target respond to ICMP (ping) requests (Y/N)? A: Doing a simple ping command to the machine reveals that it blocks ICMP requests - the ping will hang and no response will come back.

Pinging target machine

Q2: Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered? A: All 999 because there was no response from the target

XMAS Scan Ports Closed

Q3: Perform a TCP SYN scan on the first 5000 ports of the target - how many ports are shown to be open? A: 5 ports are open

TCP SYN first 5000 ports

Q5: Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N) A: Yes, login is successful. You can test it by typing the "ftp 10.10.100.25" command and logging in with user anonymous and password anonymous

Testing FTP-Anon script
celeb.png

Congratulations!

There are lots of great resources for learning more about Nmap on your own. Front and center are Nmaps own (highly extensive) docs. These are a superb resource - it would be highly advisable to use them as a point of reference, should you need it.

I look forward to seeing you in the next room in this path where we will learn about Network Services. I hope you join me.

FightTheWest
Previous

Network Services - Common Services
Next

Introductory Networking