CtrlK

Pentest Notes / Enumeration

Nmap

Host discovery

No port scanning : -sn

nmap -sn [IP_Range]
nmap -sn 192.168.0.1-254 or 192.168.0.1/24

Using ARP: -PR

default if host is in same subnet
-PR: only ARP scan, eg: nmap -sn -PR 192.168.0.1-254 or 192.168.0.1/24
another way: arp-scan [IP_Range]

Using ICMP ping: -PE, -PP, -PM

ICMP echo packet: usually blocked: nmap -sn -PE [IP_Range]
ICMP timestamp packet: nmap -sn -PP [IP_Range]
ICMP address mask query: nmap -sn -PM [IP_Range]

TCP Syn ping: sends syn, expects syn/ack : -PS
TCP Ack ping: sends ack, expects RST if host is up : -PA
UDP ping: expects ICMP port unreachable packet if host is up and closed port : -PU

-Pn: No pinging hosts, treat all as alive and perform host discovery

Port scans

FlagDesc
-sTTCP scan
-sUUDP, very slow, use top ports
-sSSyn (Stealth) half handshake, final ack not sent
-sNNull, no flag bits set, only closed ports
-sFFin, fin bit set, only closed ports
-sXXmas, fin psh urg bits set, only closed ports
-sWWindow, ack flag set, same as -sA, check down
-sMMainmon, fin ack bits set, sometimes dropped for open port
-sAACK, ack flag set, only filtered ports, rule detection
-OOS detection
-sVService detection on open ports
-sCRun default scripts on open ports
-v or -vvVerbosity
-oN or -oASave normal or all formats
-T4 or -T5run faster T3 by default
--min-parallelism [number]no of probes in parallel
--scanflags RSTSYNFINCustom scan, set SYN, RST, and FIN together

udp, null (no flags set), fin (finish flag set) and xmas (psh, urg and fin set: malformed packet) scans respond to only closed ports with RST packet.
Otherwise it is open|filtered
Window scan -sW : checks window field of rst packet, sometimes responds differently according to firewall so it may display as open ports.

NSE: Scripting Engine

Searching:
grep "category_name or protocol or anything specific" /usr/share/nmap/scripts/script.db

Categories of scripts:
• safe : Won't affect the target
• intrusive : Not safe: likely to affect the target
• vuln : Scan for vulnerabilities
• exploit : Attempt to exploit a vulnerability
• auth :-Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
• brute : Attempt to bruteforce credentials for running services
• discovery : Attempt to query running services for further information about the network (e.g. query an SNMP server).

Firewall Evasion:

https://nmap.org/book/man-bypass-firewalls-ids.html

-f : Fragment the packets ,less likely that the packets will be detected by a firewall or IDS.
--mtu : accepts maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
--scan-delay [time] ms : add a delay between packets sent. useful if the network is unstable and evading time-based firewall/IDS triggers.
--badsum : generates invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

-D [decoy1], [], [ME] : RND for random; makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. IDS won't know which IP was scanning them and which were innocent decoys. ME position of your IP address
--proxies [Comma-separated list of proxy URLs] (Relay TCP connections through a chain of proxies)
--randomize-hosts (Randomize target host order) : make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options. Tells Nmap to shuffle each group of up to 16384 hosts before it scans them.

-S [IP_Addres] (Spoof source address)
--spoof-mac [MAC address, prefix, or vendor name] (Spoof MAC address)
--source-port [portnumber] or -g [portnumber] (Spoof source port number) : argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.

-sI [ZOMBIE_IP] [your_IP] : Zombie scan