Downloaded 49 times
![Nmap – Common Scan Types
TCP Connect Scan ( -sT )
- Complete 3-way handshake
# nmap -sT <target>
TCP SYN Scan ( -sS ) [Default]
- Also known as Half-open scan
# nmap -sS <target>
UDP Scan ( -sU )
- Scan UDP ports, Runs Slow
# nmap -sU <target>](https://image.slidesharecdn.com/reconwithnmap-feb2019-190216172853/85/Recon-with-Nmap-20-320.jpg)
Uploaded byOWASP Delhi
Recon with Nmap
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
More Related Content
Recon with Nmap
- 1. Recon with Nmap -Network scanning for noobs & ninjas
- 2. Who we are? JayvardhanSingh @Silent_Screamr - Web and Mobile Security researcher - Bugbounty and Hall of Fame - Microsoft | Apple | Nokia | Barracuda | Blackberry | Olark | Heroku | Nikhil Raj @0xn1k5 - Web, Network and Wireless pentesting - RHCSA, RHCE & CEH - Dump my tools at github.com/0xn1k5
- 3.
- 4. Enterprise Network Firewall RouterSwitch Hosts Private IP Class A : 10.0.0.0 – 10.255.255.255 Class B : 172.16.0.0 – 172.31.255.255 Class C : 192.168.0.0 – 192.168.255.255 Public IP Internet NAT/PAT
- 5. Find your ownIP Public IP Just Google What is my ip address Or, visit http://whatismyip address.com Private IP Open the cmd/terminal and type: # ipconfig (windows) # ifconfig (Unix/Linux)
- 6.
- 7.
- 8. Who else ison the network? # ping <target ip>
- 9. What Services areavailable? - Each hosts needs to perform multiple networking operations as web, instant messenger, file transfer, video streaming and remote management using RDP or SSH - Can either be TCP or UDP based service associated with unique port number
- 10. Port Numbers ● Portno exists at Transport Layer ● Size: 16 bits unsigned integer ● Range: 0 – 65535 (Both TCP & UDP) – Well known port ( 0 – 1023 ) – Reserved port ( 1024 – 49151 ) – Dynamic or Private port ( 49152 – 65535 )
- 11. Common Services &Ports ● Web Services – tcp/80, tcp/8080, tcp/443 ● FTP – tcp/20 & 21 ● SSH – tcp/22 ● Mail – tcp/25 ● Database – Mysql (tcp/3306), Oracle (tcp/1521) ● DNS - udp/53 ● SNMP –udp/161
- 12. TCP vs UDP •Transmission Control Protocol • Reliable • Connection-oriented (3-way handshake) • Flow control, sequencing and acknowledgement • User Datagram Protocol • Unreliable • Connection less • No retransmission and acknowledgement
- 13. TCP 3 WayHandshake SYN SYN + ACK ACK Service is listening (Open ) DATA
- 14. TCP 3 WayHandshake SYN RST Service is listening (Closed)
- 15.
- 16. Demo with Netcat StartNetcat Listener (Server) # nc -l -p <port> Use Netcat as client # nc <ip> <port> & Inspect traffic in Wireshark
- 17. Nmap ● Open Source ●Fast and efficient ● Supports multiple platforms ● Active community support ● Popular...Featured in Movies as well :-) ● Can be extended by using its Nmap Scripting Engine
- 18. Specifying Input Targets #nmap scanme.nmap.org # nmap 192.168.0.1 # nmap 192.168.0.1-200 # nmap 192.168.0.1/24 # nmap –sn –iL <ip_list>
- 19. Specifying port range #nmap -p 80 192.168.0.1 # nmap –p 21,22,80 192.168.0.1/24 # nmap –p 1-65535 192.168.0.1/24 # nmap --top-ports 200 192.168.0.1/24 # nmap –top-ports 10 192.168.0.1 --reason PS: By default nmap scans only top 1000 most widely used ports which can be changed using –top-ports
- 20. Nmap – CommonScan Types TCP Connect Scan ( -sT ) - Complete 3-way handshake # nmap -sT <target> TCP SYN Scan ( -sS ) [Default] - Also known as Half-open scan # nmap -sS <target> UDP Scan ( -sU ) - Scan UDP ports, Runs Slow # nmap -sU <target>
- 21. Nmap Options - Ifhost is not responding to ping probes! # nmap -Pn <target> - Version Detection # nmap -sS -sV <ip> - OS Detection # nmap -sS -O <ip> - Use Timing template for faster scan (noisy) # nmap –sS –T4 <ip> - Aggressive Scan ( version, os and script scan ) # nmap –sS –A <ip>
- 22. Nmap – SavingOutput - Output Format supported: - Normal ( -oN ) - XML ( -oX ) - Grepable ( -oG ) - All Formats ( -oA ) # nmap -sS -sV -p- <ip> -oA <output_file>
- 23. Nmap scan I −TCP Services # nmap –sS –p- –sV –O –Pn <target> -oA <out_file> - UDP Services # nmap –sU –p U:1-65535 –sV –Pn <target> -oA <out_file> - Combining TCP and UDP Scan # nmap –sU –sS –p U:53,111,137,T:21- 25,80,139,8080 <target> -oA <out_file>
- 24. Nmap Scripting Engine -Script ends with .nse extension - Located at “/usr/share/nmap/scripts” in kali - Invoked using –sC (default) or –-script switch - Categorised as auth, broadcast, brute, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln - Can be used for enumeration, vulnerability detection, exploitation and more.
- 25. NSE Scans - ExecutingDefault script scan # nmap –p 21 –sC –sV <ip> - Executing script scan # nmap -p445 –-script=smb-enum-shares <ip> - Execute all smb scripts # nmap –p445 –-script=smb* <ip> - Execute scripts marked as safe and default # nmap –p445 –-script=safe,default <ip>
- 26. NSE Scans continued -Enumerating services # nmap -p445 –script=smb-enum-shares <ip> - Brute Force Attacks # nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt <ip> - Vulnerability Scan # nmap -Pn –script=vuln <ip> # nmap -p445 –script=smb-vuln-ms17-010 <ip>
- 27. NSE Scans -Demo
- 28. NSE Scans -Demo
- 29.
- 30. Nmap Scan TypesII - Not all systems are RFC compliant - Responds differently on receiving certain TCP flags - Mostly used in *nix based system - FIN Scan (-sF) - Sets the TCP FIN bit. - XMAS (-sX) - Sets the FIN, PSH, and URG flags - Null Scan (-sN) - Does not set any flags
- 31. Firewalls - Modify sourceport # nmap –g 80 <ip> - Fragment the packet # nmap –f <ip> -Send packet with bad checksum # nmap –-badsum <ip>
- 32.
Editor's Notes
- #4 In a typical home network, all the devices are either connecter by WiFi or Lan to a central router/access point. And a unique IP is assigned to each device.
- #5 While enterprise network is a bit complex, and can have many network devices sitting before your traffic leaves the company’s network. Inside the organization it uses Private IP addressing scheme and is converted into public IP at Gateway device (usually a firewall).
- #6 Ask the audience to find their own public ip?
- #7 Ask the audience to find their own public ip?
- #9 The easiest way to check who else is on the network is to ping the ip(s) sequentially, if they respond it is up else it may down or simply isn’t responding
- #10 When connected on the network, Users may browse the web, stream video, download/upload files with the help of different services. These services are can run on TCP (reliable) , UDP (unreliable) protocol or both on different port numbers.
- #13 TCP – a stable connection must be established before data transfer is initiated via a process known as three-way handshake. UDP is connection less protocol communications are sent without any expectation of a timely confirmation of receipt from the remote end Thus, one has to allow for a longer timeout before it can be assumed that a remote port is closed
- #19 On an network pentest engagement, you will receive a list of ip(s) or network subnet. You have to first identify the alive hosts and confirm the same with the client.
- #20 On an network pentest engagement, you will receive a list of ip(s) or network subnet. You have to first identify the alive hosts and confirm the same with the client.