Nmap (Network scanning & Enumeration)
Objectives: Understanding Network Scanning Using Nmap
nmap -O 10.10.10.*
Nmap scans the entire 10.10.10.* range and shows information for every host that answered: open ports, device type and OS details (-O enables OS detection).
In Zenmap, open the Ports/Hosts tab and choose a host's IP address to view all of its open ports.
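What a defender usually does with such a sweep is turn it into an inventory and diff it against what is supposed to be listening. The following script is an added example, not part of the original notes: it parses Nmap's grepable output (what `nmap -O -oG - 10.10.10.*` would emit) into a per-host record and lists open ports outside an allowlist. The sample output below is constructed; the host names, ports and OS strings are not from any real scan.

```python
"""Parse Nmap grepable (-oG) output into a per-host inventory.

Added example, not part of the original notes. The -oG layout is
tab-separated "Key: value" fields per host line, with each port entry as
port/state/proto/owner/service/rpcinfo/version/ .
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of what `nmap -O -oG - 10.10.10.*` might emit.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.10.5 (files.example.internal)\tStatus: Up
Host: 10.10.10.5 (files.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)\tOS: Linux 5.15
Host: 10.10.10.9 ()\tStatus: Up
Host: 10.10.10.9 ()\tPorts: 80/open/tcp//http//nginx 1.18/, 443/open/tcp//https///\tIgnored State: closed (998)\tOS: Linux 5.4 - 5.10
# Nmap done (constructed sample)
"""


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname", "status", "os", "ports": [...]}} from -oG text."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines start with '#'
        fields: Dict[str, str] = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        # The "Host" value looks like "10.10.10.5 (hostname)"; the name may be empty "()".
        ip, _, rest = fields["Host"].partition(" ")
        hostname = rest.strip("()")
        entry = hosts.setdefault(
            ip, {"hostname": hostname, "status": None, "os": None, "ports": []}
        )
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "OS" in fields:
            entry["os"] = fields["OS"]
        if "Ports" in fields:
            for port_spec in fields["Ports"].split(", "):
                parts = port_spec.split("/")
                # parts: port, state, proto, owner, service, rpcinfo, version, ''
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def unexpected_open_ports(hosts: Dict[str, dict], allowed_ports: Set[int]) -> List[Tuple[str, int, str]]:
    """List (ip, port, service) for every open port not in the allowlist.
    Filtered ports are skipped: they are not reachable, so not exposed."""
    findings = []
    for ip in sorted(hosts):
        for p in hosts[ip]["ports"]:
            if p["state"] == "open" and p["port"] not in allowed_ports:
                findings.append((ip, p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    for ip, info in inventory.items():
        print(ip, info["hostname"] or "-", info["os"], [p["port"] for p in info["ports"]])
    print("unexpected:", unexpected_open_ports(inventory, {22, 80, 443}))
```

Running the same parser over successive scans and diffing the results is a cheap way to catch a service that appeared without a change ticket; the allowlist here is just a set of port numbers, a real one would be keyed per host.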
nmap --packet-trace <target>
--packet-trace prints every packet Nmap sends to the target machine and every packet it receives in response.
Slow Comprehensive Scan (Zenmap profile)
The Slow Comprehensive Scan profile uses three different protocols, TCP, UDP and SCTP, and helps determine the OS, the services and their versions.
It is an intense scan that adds UDP scanning and some more options.
This scan is performed in an attempt to trace the machines on a network even when they are configured to block ping requests.
Various Network Scanning Techniques
TCP Connect Scan/Full open scan (-sT)
TCP connect scan is the most basic form of TCP scanning: it completes the full three-way handshake through the operating system's connect() call. If the port is listening, connect() succeeds; otherwise the port is not reachable. It needs no special privileges.
TCP connect scan is the default TCP scan type when SYN scan is not an option (for example, when the user cannot send raw packets).
Stealth scan/Half-open scan (-sS)
The client abruptly resets the TCP connection with an RST before the three-way handshake completes, so the application on the target never sees a full connection. This is used to bypass firewall rules as well as to hide under the appearance of regular network traffic.
UDP Scan (-sU)
This is used to find open UDP ports. Nmap sends a UDP packet to every port and waits for a response.
An ICMP "port unreachable" reply means the port is closed. Any UDP response means the port is open (no response at all is reported as open|filtered).
Xmas scan (-sX)
Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
Attackers send a TCP frame to the target with the FIN, URG and PSH flags set: a closed port answers with an RST, an open port sends nothing.
This does not work against any current version of Microsoft Windows, which answers every such probe with an RST regardless of port state.
ACK flag probe scan (-sA)
Send an ACK probe packet with a random sequence number. No response means the port is filtered (a stateful firewall is in the way); an RST response (unfiltered) means the port is closed.
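Each of the scan types above has a flag combination that ordinary traffic rarely uses, and a scan touches many ports from one source. As an added example (not from the original notes), the script below classifies packet metadata by TCP flags and reports sources that sent the same probe type to many distinct ports. The packet records are constructed: the addresses, ports and flag strings are invented for the demonstration, and the 5-port threshold is an assumption to tune per network.

```python
"""Spot the TCP probe types described above in packet metadata.

Added example, not part of the original notes. Records are constructed
(src, dst, dport, flags) tuples such as a sensor or flow export might give;
flags use tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Packet = Tuple[str, str, int, str]

# Flag combinations matching the scan types in the notes. Anything else
# (SA, PA, RA, ...) is treated as ordinary traffic.
SIGNATURES = {
    frozenset("S"): "syn (half-open) probe",
    frozenset("FPU"): "xmas probe",
    frozenset("A"): "ack probe",
    frozenset(): "null probe",
}


def classify(flags: str) -> str:
    """Map a tcpdump-style flag string such as 'FPU' to a probe name or 'normal'."""
    return SIGNATURES.get(frozenset(flags), "normal")


def detect_scanners(packets: List[Packet], threshold: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Return {(source, probe type): sorted ports} for sources that sent the same
    probe type to at least `threshold` distinct destination ports.
    The port count is what separates a scan from legitimate traffic: a lone
    ACK to one port is a handshake step, ACKs to dozens of ports are not."""
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for src, _dst, dport, flags in packets:
        kind = classify(flags)
        if kind != "normal":
            seen[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= threshold}


# Constructed traffic: one legitimate client completing two handshakes,
# one SYN scanner, one Xmas scanner, plus the server's replies.
PACKETS: List[Packet] = [
    ("10.10.10.200", "10.10.10.5", 22, "S"),
    ("10.10.10.5", "10.10.10.200", 22, "SA"),
    ("10.10.10.200", "10.10.10.5", 22, "A"),
    ("10.10.10.200", "10.10.10.5", 443, "S"),
    ("10.10.10.5", "10.10.10.200", 443, "SA"),
    ("10.10.10.200", "10.10.10.5", 443, "A"),
]
PACKETS += [("10.10.10.66", "10.10.10.5", p, "S") for p in (21, 22, 23, 25, 80, 110, 139, 443)]
PACKETS += [("10.10.10.5", "10.10.10.66", p, "RA") for p in (21, 23, 25, 110, 139)]  # closed ports answer RST
PACKETS += [("10.10.10.77", "10.10.10.5", p, "FPU") for p in (21, 22, 23, 25, 80, 443)]


if __name__ == "__main__":
    for (src, kind), ports in detect_scanners(PACKETS).items():
        print(f"{src}: {kind} against {len(ports)} ports {ports}")
```

The flag match alone is not a verdict: a bare ACK or a bare SYN is normal in isolation, which is why the detector keys on distinct ports per source and probe type rather than on single packets.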
Idle scan (-sI)
- Send a SYN+ACK packet to the zombie machine to probe its IPID number.
- The zombie does not expect a SYN+ACK and answers with an RST packet; from that RST we learn its current IPID.
- Send a SYN packet to the target machine (port 80) with the source address spoofed as the zombie's real IP address.
- If the port is open, the target sends a SYN+ACK to the zombie, and the zombie answers the target with an RST (consuming one more IPID).
- If the port is closed, the target sends an RST to the zombie, and the zombie sends nothing back.
- Probe the zombie's IPID again: it has increased by 2 if the port was open and by 1 if it was closed.
If the port is not open on the target machine, keep running the idle scan by probing other ports.
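The whole technique rests on the zombie exposing a global, incrementing IP ID, which is also why the standard mitigation (per-packet randomised IP IDs, now the default on most operating systems) removes it. The following simulation is an added example, not part of the original notes: nothing is sent on the wire, the zombie and the target are toy objects that follow the steps above, and all IP ID values are constructed. It shows the inference working against a predictable host, failing against a randomised one, and the two-probe check an administrator can apply in the model to decide whether a host's IP ID is predictable.

```python
"""Why the idle scan works and why IP ID randomisation defeats it.

Added example, not part of the original notes: no packets are sent, the
zombie and the target are toy objects following the steps in the notes.
"""
from typing import List, Optional


class Zombie:
    """A host that answers any unsolicited SYN+ACK with an RST carrying its next IP ID."""

    def __init__(self, sequential: bool, canned_ids: Optional[List[int]] = None):
        self.sequential = sequential
        self.counter = 1000                   # starting IP ID for the predictable case (constructed)
        self.canned = list(canned_ids or [])  # constructed non-sequential IDs for the randomised case

    def next_ipid(self) -> int:
        if self.sequential:
            self.counter += 1                 # one global counter: the property an idle scan needs
            return self.counter
        return self.canned.pop(0)             # per-packet random IP ID: no usable counter

    def receive(self, kind: str) -> Optional[int]:
        """Return the IP ID of the RST the zombie sends, or None if it stays silent."""
        if kind == "SYN+ACK":
            return self.next_ipid()           # an unexpected SYN+ACK draws an RST
        return None                           # an unexpected RST is silently dropped


def target_reply(port_open: bool) -> str:
    """What the target sends to the spoofed source (the zombie) after a SYN."""
    return "SYN+ACK" if port_open else "RST"


def ipid_is_predictable(zombie: Zombie) -> bool:
    """Defender's check: two back-to-back probes whose IP IDs differ by exactly 1
    mean the host exposes a global counter and could serve as a zombie."""
    first = zombie.receive("SYN+ACK")
    second = zombie.receive("SYN+ACK")
    return second - first == 1


def infer_port_state(zombie: Zombie, port_open: bool) -> str:
    """The inference from the notes: +2 means open, +1 means closed."""
    before = zombie.receive("SYN+ACK")           # probe the zombie's IP ID
    zombie.receive(target_reply(port_open))      # the target answers the zombie, not us
    after = zombie.receive("SYN+ACK")            # probe again
    delta = after - before
    if delta == 2:
        return "open"           # the zombie sent one RST to the target in between
    if delta == 1:
        return "closed"         # only our two probes consumed IP IDs
    return "indeterminate"      # no counter to read: the side channel is gone


if __name__ == "__main__":
    print("predictable zombie:", infer_port_state(Zombie(True), True),
          infer_port_state(Zombie(True), False))
    print("randomised zombie:", infer_port_state(Zombie(False, [40000, 12, 65000]), True),
          infer_port_state(Zombie(False, [40000, 12, 65000]), False))
```

On real hosts, Nmap's own OS detection reports the observed behaviour as "IP ID Sequence Generation" (Incremental versus Randomized), which is the practical way to audit which machines on a network could be abused as zombies.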
Ping sweep (-sP)
Nmap pings every address in the subnet and shows a list of the live systems (-sP is the older name; current releases call the same scan -sn).
Avoiding scan detection using multiple decoy IP addresses (-D RND:<number> <target>)
Scan with multiple decoy IP addresses. Nmap sends the same probes with several different source addresses, so the requests appear to come from various unknown IP addresses and the real scanner is hidden among them.
Fragment packets (-f)
Transmit several smaller packets instead of sending one complete packet at a time. With -f the TCP header is split across IP fragments with a Maximum Transmission Unit of 8 bytes.
-A: Enable OS detection, version detection, script scanning, and traceroute
nmap -A <target IP address>