
A Comprehensive Guide to Nmap with Screenshots


Target Specification:

Option -iL:

We created a file named test.txt and put three IP addresses from the LAN in it. Then we directed Nmap to scan the IP addresses listed in that file. -vv is used for verbose mode.

Screenshot

Option -iR:

Chooses random targets to scan for open ports.

nmap -vv -iR 0 (0 means an unlimited number of random hosts; change the number to limit how many hosts Nmap picks.)

Screenshot4

Option --exclude:

With this option you can exclude hostnames, netblocks, etc. from the scan.


Option --excludefile:

Exclude the hosts listed in a file. I created a test.txt with 3 hosts: google.com, yahoo.com, microsoft.com

Screenshot-2

Host Discovery:

Option -sL:

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names.

Screenshot-3
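The target-specification options above (-iL, --excludefile) and the list scan (-sL) work together: the list file is what -iL reads, the exclude file is what --excludefile reads, and -sL enumerates the resulting set without sending a packet. The script below is an added example, not part of the original guide or of Nmap itself. It builds both files from constructed RFC 1918 addresses, computes the effective target set client-side (what -sL would print), and only invokes nmap when it is actually installed on the machine.

```shell
#!/bin/sh
# Added example (not from the original guide): build the two files that -iL and
# --excludefile consume, preview the effective target set the way a list scan
# (-sL) would enumerate it, and only call nmap if it is actually installed.
# All addresses are constructed RFC 1918 samples.

# write_target_files DIR: writes DIR/targets.txt (one target per line, the
# format -iL reads) and DIR/exclude.txt (the format --excludefile reads).
write_target_files() {
    dir=$1
    : > "$dir/targets.txt"
    i=1
    while [ "$i" -le 6 ]; do            # six hosts of a constructed /29
        printf '192.168.1.%d\n' "$i" >> "$dir/targets.txt"
        i=$((i + 1))
    done
    # constructed exclusions, e.g. the gateway and a fragile printer
    printf '%s\n' 192.168.1.1 192.168.1.6 > "$dir/exclude.txt"
}

# effective_targets TARGETS EXCLUDE: prints the lines of TARGETS that are not
# listed in EXCLUDE, i.e. what Nmap will actually scan. -x matches whole lines,
# so excluding 192.168.1.1 does not also drop 192.168.1.10.
effective_targets() {
    grep -vxFf "$2" "$1" || true
}

# count_effective TARGETS EXCLUDE: number of hosts left after exclusions.
count_effective() {
    effective_targets "$1" "$2" | awk 'END { print NR }'
}

# list_scan TARGETS EXCLUDE: run the no-packet list scan from the guide
# (-sL, with -n so no reverse DNS either) when nmap exists; otherwise
# fall back to the client-side preview.
list_scan() {
    if command -v nmap >/dev/null 2>&1; then
        nmap -sL -n -iL "$1" --excludefile "$2"
    else
        effective_targets "$1" "$2"
    fi
}

workdir=$(mktemp -d)
write_target_files "$workdir"
echo "effective targets: $(count_effective "$workdir/targets.txt" "$workdir/exclude.txt")"
list_scan "$workdir/targets.txt" "$workdir/exclude.txt"
rm -rf "$workdir"
```

Previewing the effective set before a real scan is a cheap sanity check: an exclude entry that is mistyped (or not an exact whole-line match) silently leaves a host in scope, and the -sL output, or its offline stand-in here, shows that before any probe packets go out.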

Option -sP:

This option tells Nmap to only perform a ping scan (host discovery), then print out the available hosts that responded to the scan. No further testing (such as port scanning or OS detection) is performed. This is one step more intrusive than the list scan, and can often be used for the same purposes.

Screenshot-4

Option -P0 (spelled -Pn in current Nmap releases):

This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -P0 causes Nmap to attempt the requested scanning functions against every target IP address specified.

Screenshot-5

Option -PS:

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT in nmap.h), but an alternate port can be specified as a parameter. A comma separated list of ports can even be specified (e.g. -PS22,23,25,80,113,1050,35000), in which case probes will be attempted against each port in parallel.

Screenshot-6

Option -PA:

The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process.

Screenshot-7

Option -PU:

Another host discovery option is the UDP ping, which sends an empty (unless --data-length is specified) UDP packet to the given ports. The portlist takes the same format as with the previously discussed -PS and -PA options. If no ports are specified, the default is 31338. This default can be configured at compile-time by changing DEFAULT_UDP_PROBE_PORT in nmap.h. A highly uncommon port is used by default because sending to open ports is often undesirable for this particular scan type.

For this scan option you have to be root on Linux, hence sudo.

Screenshot-8

Option -PE; -PP; -PM (ICMP Ping Types):

In addition to the unusual TCP and UDP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (Echo Reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC 1122. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

While echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standard (RFC 792) also specifies timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery. A system that replies is up and available. Nmap does not currently implement information request packets, as they are not widely supported. RFC 1122 insists that “a host SHOULD NOT implement these messages”. Timestamp and address mask queries can be sent with the -PP and -PM options, respectively. A timestamp reply (ICMP code 14) or address mask reply (code 18) discloses that the host is available. These two queries can be valuable when admins specifically block echo request packets while forgetting that other ICMP queries can be used for the same purpose.

Option: -PR (ARP Ping)

One of the most common Nmap usage scenarios is to scan an ethernet LAN. On most LANs, especially those using RFC1918-blessed private address ranges, the vast majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (ARP) address corresponding to the target IP so that it can properly address the ethernet frame. This is often slow and problematic, since operating systems weren’t written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period.

ARP scan puts Nmap and its optimized algorithms in charge of ARP requests. And if it gets a response back, Nmap doesn’t even need to worry about the IP-based ping packets since it already knows the host is up. This makes ARP scan much faster and more reliable than IP-based scans. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network. Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. If you absolutely don’t want to do an ARP scan, specify --send-ip.

With an ARP ping scan we also get the MAC address of each host on the LAN.

Screenshot-9

Option -n:

Never do DNS resolution.

Screenshot-11

Option -R:

Always do DNS resolution.

Screenshot-12

Option --dns-servers:

Specify custom DNS servers.

Screenshot-13

Option --system-dns:

Use OS’s DNS resolver.

Screenshot-14

Scan Techniques:

Option -sS:

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s Fin/Null/Xmas, Maimon and Idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

It’s the default scan, so it behaves the same way the previous scan did. So you won’t see any differences in the screenshot.

Screenshot-15

Option -sT:

TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect() system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect() call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection.

Screenshot-16

Option -sU:

While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don’t ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

Screenshot-17
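The SYN, connect and UDP sections above all describe scans whose value lies in the per-port open/closed/filtered (and, for UDP, open|filtered) verdicts, and a combined run such as -sS -sU produces both protocols in one report. Nmap's grepable output (-oG) is the easiest form to turn into an inventory, and the script below is an added example (not from the original guide and not Nmap's own code) that parses it. The capture it reads is a constructed sample of a combined SYN + UDP scan of RFC 1918 addresses; the real -oG format is tab-separated fields, with each port entry written as port/state/protocol/owner/service/rpc/version/.

```shell
#!/bin/sh
# Added example (not from the original guide): parse Nmap grepable output (-oG)
# into "ip proto port service" rows. sample_og is a constructed -oG capture of
# a combined SYN + UDP scan (nmap -sS -sU -p 22,53,80,161 -oG - 192.168.1.0/29);
# fields are tab separated and each port entry is
# port/state/protocol/owner/service/rpc/version/.

sample_og() {
    printf '%s\n' '# Nmap scan initiated as: nmap -sS -sU -p 22,53,80,161 -oG - 192.168.1.0/29 (constructed sample)'
    printf '%s\t%s\n' 'Host: 192.168.1.1 (gw.lab.example)' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 192.168.1.1 (gw.lab.example)' \
        'Ports: 22/open/tcp//ssh///, 53/open/udp//domain///, 80/closed/tcp//http///, 161/open|filtered/udp//snmp///' \
        'Ignored State: filtered (0)'
    printf '%s\t%s\n' 'Host: 192.168.1.2 ()' 'Status: Up'
    printf '%s\t%s\n' 'Host: 192.168.1.2 ()' \
        'Ports: 22/filtered/tcp//ssh///, 53/closed/udp//domain///, 80/open/tcp//http///, 161/closed/udp//snmp///'
    printf '%s\t%s\n' 'Host: 192.168.1.3 ()' 'Status: Down'
    printf '%s\n' '# Nmap done -- 8 IP addresses (2 hosts up) scanned'
}

# og_hosts_up: count hosts that answered host discovery (stdin = -oG output).
og_hosts_up() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { n++ } END { print n + 0 }'
}

# og_ports STATE: print "ip proto port service" for every port whose state is
# STATE (open, closed, filtered, open|filtered, ...). Defaults to open.
og_ports() {
    awk -F'\t' -v want="${1:-open}" '
        /^Host:/ {
            split($1, h, " "); ip = h[2]          # "Host: 192.168.1.1 (name)" -> ip
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 7) != "Ports: ") continue
                n = split(substr($i, 8), entries, ", ")
                for (j = 1; j <= n; j++) {
                    # f[1]=port f[2]=state f[3]=proto f[5]=service
                    split(entries[j], f, "/")
                    if (f[2] == want) printf "%s %s %s %s\n", ip, f[3], f[1], f[5]
                }
            }
        }'
}

echo "hosts up: $(sample_og | og_hosts_up)"
sample_og | og_ports open
sample_og | og_ports 'open|filtered'
```

On a live run the same functions read straight from the scanner, for instance nmap -sS -sU -p 22,53,80,161 -oG - 192.168.1.0/29 | og_ports open. Querying open|filtered separately matters for UDP: a port that never answers is reported in that state, and treating it as open inflates an inventory while treating it as closed hides services that a firewall merely silences.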

Option -sN:

Does not set any bits (the TCP flag header is 0); this is the TCP Null scan.

Screenshot-18

Option -sF:

Sets just the TCP FIN bit.

Screenshot-19

Option -sX:

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Screenshot-20

Option --scanflags (Custom TCP scan):

Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!

The --scanflags argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of URG, ACK, PSH, RST, SYN, and FIN. For example, --scanflags URGACKPSHRSTSYNFIN sets everything, though it’s not very useful for scanning. The order these are specified in is irrelevant.

In addition to specifying the desired flags, you can specify a TCP scan type (such as -sA or -sF). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no-response to indicate a filtered port, while a FIN scan treats the same as open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don’t specify a base type, SYN scan is used.

In our example we used the URG, ACK, PSH, RST, FIN scanflags. We can do the same with values, i.e. 8.

Screenshot-21
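The -sN, -sF and -sX sections and the --scanflags section above are all the same mechanism: a TCP flags byte, which Nmap accepts either as mashed-together names or as a number. The bit values come from the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), which is why the guide's "9" means PSH and FIN. The script below is an added example, not from the original guide or from Nmap, that converts in both directions so a numeric --scanflags value in a command line or an IDS rule can be read back into flag names.

```shell
#!/bin/sh
# Added example (not from the original guide): encode and decode Nmap
# --scanflags values. Nmap accepts symbolic names mashed together
# (URGACKPSHRSTSYNFIN, any order) or the numeric value of the TCP flags byte.
# Bit values follow the TCP header: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.

# flag_value NAME: print the bit value of one TCP flag name, fail on unknown.
flag_value() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# scanflags_encode NAMES: e.g. PSHFIN -> 9. Names are three letters each, so
# the string is consumed three characters at a time; bits are OR'ed so a
# repeated name is not counted twice. An empty string is the Null scan (0).
scanflags_encode() {
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    total=0
    while [ -n "$s" ]; do
        name=$(printf '%s' "$s" | cut -c1-3)
        s=$(printf '%s' "$s" | cut -c4-)
        v=$(flag_value "$name") || return 1
        total=$(( total | v ))
    done
    echo "$total"
}

# scanflags_decode NUMBER: e.g. 41 -> FIN,PSH,URG (the -sX Xmas combination).
scanflags_decode() {
    n=$1
    out=""
    for name in FIN SYN RST PSH ACK URG; do
        v=$(flag_value "$name")
        if [ $(( n & v )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    echo "$out"
}

printf 'Null (-sN)  = %s\n' "$(scanflags_encode '')"
printf 'FIN  (-sF)  = %s\n' "$(scanflags_encode FIN)"
printf 'Xmas (-sX)  = %s\n' "$(scanflags_encode FINPSHURG)"
printf 'value 9     = %s\n' "$(scanflags_decode 9)"
```

The three canned scans from the guide fall out as the special cases 0, 1 and 41, and a detection rule written against one numeric combination is blind to every other value the encoder can produce, which is exactly the point the --scanflags section makes about signature-based IDS rules.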

Option -sI <zombie host[:probeport]> (Idlescan):

This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). This fascinating scan type is too complex to fully describe in this reference guide, so I wrote and posted an informal paper with full details at http://insecure.org/nmap/idlescan.html.

Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules).

You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IPID changes. Otherwise Nmap will use the port it uses by default for tcp pings (80).

Screenshot-22

Option -sO (IP protocol scan):

IP Protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn’t technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the -p option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.

Screenshot-23

Option -b <ftp relay host> (FTP bounce scan):

An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy ftp connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this feature allows is causing the FTP server to port scan other hosts. Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would. Nmap supports ftp bounce scan with the -b option. It takes an argument of the form username:password@server:port. Server is the name or IP address of a vulnerable FTP server. As with a normal URL, you may omit username:password, in which case anonymous login credentials (user: anonymous password:-wwwuser@) are used. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) on server is used.

This vulnerability was widespread in 1997 when Nmap was released, but has largely been fixed. Vulnerable servers are still around, so it is worth trying when all else fails.

I don’t know how good this scan option was. But theoretically it worked. But the open ports shown were wrong.

Screenshot-24
