Pentest Notes / Enumeration
Nmap
Host discovery
No port scanning : -sn
nmap -sn [IP_Range]
nmap -sn 192.168.0.1-254 or 192.168.0.1/24
Using ARP: -PR
default if host is in same subnet
-PR: only ARP scan, eg: nmap -sn -PR 192.168.0.1-254 or 192.168.0.1/24
another way: arp-scan [IP_Range]
Using ICMP ping: -PE, -PP, -PM
ICMP echo packet: usually blocked: nmap -sn -PE [IP_Range]
ICMP timestamp packet: nmap -sn -PP [IP_Range]
ICMP address mask query: nmap -sn -PM [IP_Range]
TCP Syn ping: sends syn, expects syn/ack : -PS
TCP Ack ping: sends ack, expects RST if host is up : -PA
UDP ping: expects ICMP port unreachable packet if host is up and closed port : -PU
-Pn: No pinging hosts, treat all as alive and perform host discovery
Port scans
| Flag | Desc |
|---|---|
| -sT | TCP scan |
| -sU | UDP, very slow, use top ports |
| -sS | Syn (Stealth) half handshake, final ack not sent |
| -sN | Null, no flag bits set, only closed ports |
| -sF | Fin, fin bit set, only closed ports |
| -sX | Xmas, fin psh urg bits set, only closed ports |
| -sW | Window, ack flag set, same as -sA, check down |
| -sM | Mainmon, fin ack bits set, sometimes dropped for open port |
| -sA | ACK, ack flag set, only filtered ports, rule detection |
| -O | OS detection |
| -sV | Service detection on open ports |
| -sC | Run default scripts on open ports |
| -v or -vv | Verbosity |
| -oN or -oA | Save normal or all formats |
| -T4 or -T5 | run faster T3 by default |
| --min-parallelism [number] | no of probes in parallel |
| --scanflags RSTSYNFIN | Custom scan, set SYN, RST, and FIN together |
udp, null (no flags set), fin (finish flag set) and xmas (psh, urg and fin set: malformed packet) scans respond to only closed ports with RST packet.
Otherwise it is open|filtered
Window scan -sW : checks window field of rst packet, sometimes responds differently according to firewall so it may display as open ports.
NSE: Scripting Engine
Searching:
grep "category_name or protocol or anything specific" /usr/share/nmap/scripts/script.db
Categories of scripts:
• safe : Won't affect the target
• intrusive : Not safe: likely to affect the target
• vuln : Scan for vulnerabilities
• exploit : Attempt to exploit a vulnerability
• auth :-Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
• brute : Attempt to bruteforce credentials for running services
• discovery : Attempt to query running services for further information about the network (e.g. query an SNMP server).
Firewall Evasion:
https://nmap.org/book/man-bypass-firewalls-ids.html
-f : Fragment the packets ,less likely that the packets will be detected by a firewall or IDS.
--mtu
--scan-delay [time] ms : add a delay between packets sent. useful if the network is unstable and evading time-based firewall/IDS triggers.
--badsum : generates invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.
-D [decoy1], [
--proxies [Comma-separated list of proxy URLs] (Relay TCP connections through a chain of proxies)
--randomize-hosts (Randomize target host order) : make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options. Tells Nmap to shuffle each group of up to 16384 hosts before it scans them.
-S [IP_Addres] (Spoof source address)
--spoof-mac [MAC address, prefix, or vendor name] (Spoof MAC address)
--source-port [portnumber] or -g [portnumber] (Spoof source port number) : argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.
-sI [ZOMBIE_IP] [your_IP] : Zombie scan