Task 3: Explore Various Network Scanning Techniques using Nmap


Identify the operating system of the target running a web server
A web server is a computer that runs websites; by default it listens for HTTP on port 80.

ex. to find the OS of a web server, run nmap -A 10.10.10.* to scan the whole subnet, wait for the scan to finish, and when a host comes up (for example google.com) click it and open Host Details; it will state the OS, e.g. MS Windows Server 2012.

NMAP commands

nmap -A 10.10.10.*                              = aggressive scan of the whole subnet (OS detection, version scanning, script scanning, traceroute)
nmap -O 10.10.10.16                             = finds the operating system of the device
nmap --script smb-os-discovery.nse 10.10.10.16  = OS, computer name, domain, workgroup, and current time over SMB
nmap -sT -v 10.10.10.16                         = TCP connect/full open scan
nmap -sS -v 10.10.10.16                         = stealth (TCP half-open) scan; this technique can be used to bypass firewall rules and logging mechanisms and hide under normal network traffic
nmap -sX -v 10.10.10.16                         = Xmas scan; if the target has the port open you receive no response, if the port is closed the target replies with an RST
nmap -sM -v 10.10.10.16                         = Maimon scan (FIN/ACK probe); ports reported open|filtered on the target mean a firewall has been configured on it
nmap -sA -v 10.10.10.16                         = ACK flag probe scan; no response means the port is filtered (a stateful firewall is present), an RST response means the port is not filtered
nmap -sU -v 10.10.10.16                         = UDP scan (takes about 20 minutes in the lab); sends UDP packets to the target host, no response means the port is open, an ICMP port unreachable message means the port is closed
nmap -sN -T4 -A -v 10.10.10.9                   = null scan with the -T4 (aggressive) timing template and all aggressive options enabled
nmap -sI <zombie host> -v 10.10.10.9            = idle scan; probes carry a spoofed source address (the zombie host, a placeholder here) to discover available services
nmap -sY -v 10.10.10.9                          = SCTP INIT scan; an INIT+ACK chunk response means the port is open, an ABORT chunk means it is closed
nmap -sZ -v 10.10.10.9                          = SCTP COOKIE ECHO scan
nmap -sV 10.10.10.16                            = detects service versions; service version detection tells you which services are running and their versions, and an accurate version number lets you determine which exploits the target system is vulnerable to
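The response-to-state rules from the table above, written out as a small Python model so a scan result can be checked against them. This is an added example, not Nmap's own code; the response labels ("syn-ack", "rst", "none", "icmp-port-unreach", and so on) are shorthand invented here for what the scanner sees on the wire. Two points it makes explicit that the one-line descriptions gloss over: Nmap reports silence to an Xmas, Null, Maimon or UDP probe as open|filtered rather than open, because a dropped probe and an open port look identical to the scanner, and the ACK scan never distinguishes open from closed, only filtered from unfiltered.

```python
from typing import Dict, List, Tuple

# Probe each scan type sends (summary of the table above, descriptive only).
PROBE = {
    "sS": "TCP SYN",
    "sT": "full TCP connect (SYN, SYN+ACK, ACK, then RST)",
    "sX": "TCP FIN+URG+PSH (Xmas)",
    "sN": "TCP with no flags (Null)",
    "sM": "TCP FIN+ACK (Maimon)",
    "sA": "TCP ACK",
    "sU": "UDP datagram",
    "sY": "SCTP INIT chunk",
    "sZ": "SCTP COOKIE ECHO chunk",
}

# (scan type, observed response) -> port state, following Nmap's documented rules.
# Response labels are this example's own shorthand; "none" means nothing came back.
RULES: Dict[Tuple[str, str], str] = {
    ("sS", "syn-ack"): "open", ("sS", "rst"): "closed",
    ("sS", "none"): "filtered", ("sS", "icmp-unreach"): "filtered",
    ("sT", "syn-ack"): "open", ("sT", "rst"): "closed", ("sT", "none"): "filtered",
    # ACK scan only tells filtered from unfiltered, never open from closed.
    ("sA", "rst"): "unfiltered", ("sA", "none"): "filtered", ("sA", "icmp-unreach"): "filtered",
    # UDP: only an ICMP port-unreachable (type 3, code 3) proves the port closed.
    ("sU", "udp-reply"): "open", ("sU", "none"): "open|filtered",
    ("sU", "icmp-port-unreach"): "closed", ("sU", "icmp-unreach"): "filtered",
    ("sY", "init-ack"): "open", ("sY", "abort"): "closed", ("sY", "none"): "filtered",
    ("sZ", "none"): "open|filtered", ("sZ", "abort"): "closed",
}
# FIN, Null, Xmas and Maimon probes share one table: silence is ambiguous
# because a dropped probe and an open port are indistinguishable from outside.
for _t in ("sX", "sN", "sM"):
    RULES[(_t, "none")] = "open|filtered"
    RULES[(_t, "rst")] = "closed"
    RULES[(_t, "icmp-unreach")] = "filtered"


def infer_state(scan: str, response: str) -> str:
    """Return the port state Nmap prints for one probe/response pair."""
    if scan not in PROBE:
        raise ValueError(f"unknown scan type -{scan}")
    try:
        return RULES[(scan, response)]
    except KeyError:
        raise ValueError(f"no rule for -{scan} with response {response!r}") from None


def summarize(scan: str, responses: Dict[int, str]) -> Dict[str, List[int]]:
    """Group probed ports by the state Nmap would report for them."""
    summary: Dict[str, List[int]] = {}
    for port, response in sorted(responses.items()):
        summary.setdefault(infer_state(scan, response), []).append(port)
    return summary


def firewall_hint(syn_state: str, ack_state: str) -> str:
    """Read a SYN-scan state and an ACK-scan state for the same port together
    to characterise the packet filter in front of it (heuristic, added here)."""
    if ack_state == "unfiltered" and syn_state in ("open", "closed"):
        return "no filter: both SYN and ACK probes reach the host"
    if ack_state == "unfiltered" and syn_state == "filtered":
        return "stateless filter: drops new SYNs but passes bare ACKs"
    if ack_state == "filtered" and syn_state == "filtered":
        return "stateful or bidirectional filter: unsolicited ACK dropped"
    return "inconclusive: combination not covered by this heuristic"


if __name__ == "__main__":
    # Constructed responses for a handful of ports, not a real capture.
    print(summarize("sS", {22: "syn-ack", 23: "rst", 80: "syn-ack", 443: "none"}))
    print(summarize("sX", {22: "none", 23: "rst", 443: "none"}))
    print(summarize("sU", {53: "udp-reply", 123: "none", 161: "icmp-port-unreach"}))
    print(firewall_hint("filtered", "unfiltered"))
```

A further caveat the table omits: hosts that do not follow RFC 793 (Windows among them) answer every FIN, Null, Xmas and Maimon probe with an RST whatever the port's real state, so against such a target those four scans show every port closed unless a firewall in front of it is dropping the probes, which is why the lab turns the Windows Firewall on before running them.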


MySQL listens on port 3306.
Run nmap against that port only:
nmap -p 3306 192.168.1.0/24    or  nmap -p 3306 10.10.10.*


other NMAP commands
Scan a subnet                              nmap 20.0.20.0/24
Scan targets from a text file              nmap -iL list-of-ips.txt
Scan a single port                         nmap -p 22 20.0.20.1
Scan a range of ports                      nmap -p 1-100 20.0.20.1
Scan 100 most common ports (fast)          nmap -F 20.0.20.1
Scan all 65535 ports                       nmap -p- 20.0.20.1
Scan using TCP connect                     nmap -sT 20.0.20.1
Scan using TCP SYN scan (default)          nmap -sS 20.0.20.1
Scan UDP ports                             nmap -sU -p 123,161,162 20.0.20.1
Scan selected ports, skip host discovery   nmap -Pn -F 20.0.20.1
Detect OS and services                     nmap -A 20.0.20.1
Standard service detection                 nmap -sV 20.0.20.1
PS: Note that the IP address range above is not related to the exam. It is a random IP range used for explanation and clarity.
Other tags you may find useful:
nmap -O
nmap --packet-trace
nmap -sT -T3 -A
nmap -sA -v -T4
nmap -sP, nmap -D RND:<number>
nmap --mtu 8
nmap -v -sS -T5 <IP>
nmap -sV -Pn <IP>
nmap -sP
nmap -sA
nmap -sV -A -F
nmap -sS
nmap -p- <IP> --max-rtt-timeout 50ms, nmap -v -sS -f -T5 <IP>


Nmap comes with various inbuilt scripts that can be employed during a scanning process in an attempt to find the open ports and services running on the ports. It sends specially crafted packets to the target host, and then analyzes the responses to accomplish its goal. Nmap includes many port scanning mechanisms (TCP and UDP), OS detection, version detection, ping sweeps, etc.

Here, we will use Nmap to discover open ports and services running on the live hosts in the target network.

  1. In the Windows 10 machine, navigate to the Desktop and double-click Nmap - Zenmap GUI shortcut.

    Screenshot

  2. The Nmap - Zenmap GUI appears; in the Command field, type the command nmap -sT -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sT: performs the TCP connect/full open scan and -v: enables the verbose output (include all hosts and ports in the output).

  3. The scan results appear, displaying all the open TCP ports and services running on the target machine, as shown in the screenshot.

    TCP connect scan completes a three-way handshake with the target machine. In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with the SYN+ACK packet. In turn, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the client sends an RST packet to end the connection.

    Screenshot

  4. Click the Ports/Hosts tab to gather more information on the scan results. Nmap displays the Port, Protocol, State, Service, and Version of the scan.

    Screenshot

  5. Click the Topology tab to view the topology of the target network that contains the provided IP address and click the Fisheye option to view the topology clearly.

    Screenshot

  6. In the same way, click the Host Details tab to view the details of the TCP connect scan.

  7. Click the Scans tab to view the command used to perform TCP connect/full open scan.

  8. Click the Services tab located in the right pane of the window. This tab displays a list of services.

    You can use any of these services and their open ports to enter into the target network/host and establish a connection.

  9. In this lab, we shall be performing a stealth scan/TCP half-open scan, Xmas scan, TCP Maimon scan, and ACK flag probe scan on a firewall-enabled machine (i.e., Windows Server 2016) in order to observe the result. To do this, we need to enable Windows Firewall in the Windows Server 2016 machine.

  10. Click Windows Server 2016 to switch to the Windows Server 2016 machine.

  11. Click Ctrl+Alt+Delete to activate the machine. By default, Administration user profile is selected, click Pa$$w0rd to paste the password in the Password field and press Enter to login.

    Alternatively, you can also click Pa$$w0rd under the Windows Server 2016 machine thumbnail in the Resources pane, or click the Type Text | Type Password button under the Commands (thunder icon) menu.

    Screenshot

  12. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn Windows Firewall on or off, enable Windows Firewall and click OK, as shown in the screenshot.

    Screenshot

  13. Now, click Windows 10 to switch to the Windows 10 machine. In the Command field of Zenmap, type the command nmap -sS -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sS: performs the stealth scan/TCP half-open scan and -v: enables the verbose output (include all hosts and ports in the output).

  14. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.

    The stealth scan involves resetting the TCP connection between the client and server abruptly before completion of three-way handshake signals, and hence leaving the connection half-open. This scanning technique can be used to bypass firewall rules, logging mechanisms, and hide under network traffic.

    Screenshot

  15. As shown in the last task, you can gather detailed information from the scan result in the Ports/Hosts, Topology, Host Details, and Scans tabs.

  16. In the Command field of Zenmap, type the command nmap -sX -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sX: performs the Xmas scan and -v: enables the verbose output (include all hosts and ports in the output).

  17. The scan results appear, displaying that the ports are either open or filtered on the target machine, which means a firewall has been configured on the target machine.

    Xmas scan sends a TCP frame to a target system with FIN, URG, and PUSH flags set. If the target has opened the port, then you will receive no response from the target system. If the target has closed the port, then you will receive a target system reply with an RST.

    Screenshot

  18. In the Command field, type the command nmap -sM -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sM: performs the TCP Maimon scan and -v: enables the verbose output (include all hosts and ports in the output).

  19. The scan results appear, displaying that the ports are open|filtered on the target machine, which means a firewall has been configured on the target machine.

    In the TCP Maimon scan, a FIN/ACK probe is sent to the target; if there is no response, then the port is Open|Filtered, but if the RST packet is sent as a response, then the port is closed.

    Screenshot

  20. In the Command field, type the command nmap -sA -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sA: performs the ACK flag probe scan and -v: enables the verbose output (include all hosts and ports in the output).

  21. The scan results appear, displaying that the ports are unfiltered on the target machine, as shown in the screenshot.

    The ACK flag probe scan sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (stateful firewall is present), and an RST response means that the port is not filtered.

    Screenshot

  22. Now, click Windows Server 2016 to switch to the Windows Server 2016 machine.

  23. If you are logged out of the Windows Server 2016 machine, then click Ctrl+Alt+Delete to activate the machine. By default, Administration user profile is selected, click Pa$$w0rd to paste the password in the Password field and press Enter to login.

    Alternatively, you can also click Pa$$w0rd under the Windows Server 2016 machine thumbnail in the Resources pane, or click the Type Text | Type Password button under the Commands (thunder icon) menu.

  24. Turn off the Windows Firewall from Control Panel.

    Screenshot

  25. Now, click Windows 10 to return to the Windows 10 machine. In the Command field, type the command nmap -sU -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sU: performs the UDP scan and -v: enables the verbose output (include all hosts and ports in the output).

  26. The scan results appear, displaying all open UDP ports and services running on the target machine, as shown in the screenshot.

    This scan will take approximately 20 minutes to finish the scanning process and the results might differ in your lab environment.

    The UDP scan uses UDP protocol instead of the TCP. There is no three-way handshake for the UDP scan. It sends UDP packets to the target host; no response means that the port is open. If the port is closed, an ICMP port unreachable message is received.

    Screenshot

  27. Close the Zenmap window.

  28. You can create your scan profile, or you can also choose the default scan profiles available in Nmap to scan a network.

  29. Double-click the Nmap - Zenmap GUI shortcut from Desktop to launch Nmap.

  30. To choose the default scan profiles available in Nmap, click on the drop-down icon in the Profile field and select the scanning technique you want to use.

    Screenshot

  31. To create a scan profile; click Profile --> New Profile or Command.

    If a User Account Control pop-up appears, click Yes.

    Screenshot

  32. The Profile Editor window appears. In the Profile tab, under the Profile Information section, input a profile name (here, Null Scan) into the Profile name field.

    Screenshot

  33. Now, click the Scan tab and select the scan option (here, Null scan (-sN)) from the TCP scan drop-down list.

  34. Select None in the Non-TCP scans drop-down list and Aggressive (-T4) in the Timing template list. Ensure that the Enable all advanced/aggressive options (-A) checkbox is selected and click Save Changes, as shown in the screenshot.

    Using this configuration, you are setting Nmap to perform a null scan with the time template as -T4 and all aggressive options enabled.

  35. This will create a new profile, and will thus be added to the profile list.

    Screenshot

  36. In this task, we will be targeting the Ubuntu machine (10.10.10.9).

  37. In the main window of Zenmap, enter the target IP address (here, 10.10.10.9) in the Target field to scan. Select the Null Scan profile, which you created from the Profile drop-down list, and then click Scan.

    Screenshot

  38. Nmap scans the target and displays results in the Nmap Output tab, as shown in the screenshot.

    Screenshot

  39. Apart from the aforementioned port scanning and service discovery techniques, you can also use the following scanning techniques to perform a port and service discovery on a target network using Nmap.

    • IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available. The spoofed source is a third "zombie" host, which -sI takes as its argument (placeholder below).

      # nmap -sI [zombie host] -v [target IP address]

    • SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.

      # nmap -sY -v [target IP address]

    • SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.

      # nmap -sZ -v [target IP address]

  40. In the Command field, type the command nmap -sV [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    -sV: detects service versions.

  41. The scan results appear, displaying the open ports and the versions of the services running on them, as shown in the screenshot.

    Service version detection helps you to obtain information about the running services and their versions on a target system. Obtaining an accurate service version number allows you to determine which exploits the target system is vulnerable to.

    Screenshot

  42. In the Command field, type the command nmap -A [Target Subnet] (here, the target subnet is 10.10.10.*) and click Scan. By providing the "*" (asterisk) wildcard, you can scan a whole subnet or IP range.

    -A: enables aggressive scan. The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You should not use -A against target networks without permission.

  43. Nmap scans the entire network and displays information for all the hosts that were scanned, along with the open ports and services, device type, details of OS, etc. as shown in the screenshot.

    Screenshot

  44. Choose the IP address 10.10.10.16 from the list of hosts in the left pane and click the Host Details tab. This tab displays information such as Host Status, Addresses, Operating System, Ports used, OS Classes, etc. associated with the selected host.

    Screenshot

  45. This concludes the demonstration of discovering target open ports, services, services versions, device type, OS details, etc. of the active hosts in the target network using various scanning techniques of Nmap.

  46. Close all open windows and document all the acquired information.
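Once the -sV and -A results from steps 40 to 44 are in, step 46's "document all the acquired information" is easier from Nmap's grepable output (-oG) than from screenshots. The parser below is an added example, not part of the lab or of Nmap itself; it reads -oG "Host:" lines into per-host records, answers the "which hosts expose MySQL on 3306" question from the note earlier on this page, and lists open services that are not on a baseline allowlist, which is the check a defender runs after scanning their own network. The sample output, its service names and its version strings are constructed for this example and do not come from the lab machines; the allowlist is a hypothetical baseline supplied by the caller.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sV -oG -` output for the two lab addresses.
# Fields in a Host: line are tab-separated; each Ports entry is
# port/state/proto/owner/service/rpcinfo/version/ (Nmap's documented layout).
SAMPLE_GREPABLE = "\n".join([
    "# Nmap scan initiated (constructed sample) as: nmap -sV -oG - 10.10.10.9 10.10.10.16",
    "Host: 10.10.10.16 ()\tStatus: Up",
    "Host: 10.10.10.16 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 - 2012 microsoft-ds/, "
    "3306/open/tcp//mysql//MySQL 5.6.49/\tIgnored State: closed (996)",
    "Host: 10.10.10.9 ()\tStatus: Up",
    "Host: 10.10.10.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/\tIgnored State: closed (998)",
    "# Nmap done (constructed sample): 2 IP addresses (2 hosts up) scanned",
])


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class HostResult:
    addr: str
    status: str = "unknown"
    services: List[Service] = field(default_factory=list)


def parse_grepable(text: str) -> Dict[str, HostResult]:
    """Parse Nmap grepable (-oG) output into one HostResult per address."""
    hosts: Dict[str, HostResult] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header/footer lines carry no host data
        fields = line.split("\t")
        addr = fields[0].split()[1]  # "Host: 10.10.10.16 ()" -> "10.10.10.16"
        host = hosts.setdefault(addr, HostResult(addr))
        for raw in fields[1:]:
            key, _, value = raw.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    p = entry.split("/")
                    host.services.append(Service(int(p[0]), p[2], p[1], p[4], p[6]))
    return hosts


def hosts_with_port(hosts: Dict[str, HostResult], port: int, proto: str = "tcp") -> List[str]:
    """Addresses where the given port is open, e.g. every MySQL (3306) listener."""
    return sorted(
        addr for addr, h in hosts.items()
        if any(s.port == port and s.proto == proto and s.state == "open" for s in h.services)
    )


def unexpected_services(hosts: Dict[str, HostResult],
                        allowlist: Dict[str, Set[int]]) -> List[Tuple[str, int, str, str]]:
    """Open services not in the caller's per-host allowlist (hypothetical baseline)."""
    findings: List[Tuple[str, int, str, str]] = []
    for addr, host in sorted(hosts.items()):
        allowed = allowlist.get(addr, set())
        for s in host.services:
            if s.state == "open" and s.port not in allowed:
                findings.append((addr, s.port, s.name, s.version))
    return findings


if __name__ == "__main__":
    results = parse_grepable(SAMPLE_GREPABLE)
    for addr, host in results.items():
        print(addr, host.status)
        for s in host.services:
            print(f"  {s.port}/{s.proto} {s.state:6} {s.name:14} {s.version}")
    print("MySQL listeners:", hosts_with_port(results, 3306))
    baseline = {"10.10.10.16": {80, 135, 445}, "10.10.10.9": {22, 80}}  # constructed
    print("not in baseline:", unexpected_services(results, baseline))
```

Run the real scan with `-oG scan.gnmap` and feed the file's contents to parse_grepable in place of the constructed sample; the same functions then give a port inventory you can diff against the previous scan instead of re-reading Zenmap's Ports/Hosts tab by hand.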
