Ports & services scanning

Send the scouts first.

Scan TypeNmap command

TCP Null Scan

nmap -sN MACHINE_IP

TCP FIN Scan

nmap -sF MACHINE_IP

TCP Xmas Scan

nmap -sX MACHINE_IP

TCP Maimon Scan

nmap -sM MACHINE_IP

TCP ACK Scan

nmap -sA MACHINE_IP

TCP Window Scan

nmap -sW MACHINE_IP

Custom TCP Scan

nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP

Spoofed Source IP

nmap -S SPOOFED_IP MACHINE_IP

Spoofed MAC Address

--spoof-mac SPOOFED_MAC

Decoy Scan

nmap -D DECOY_IP,ME MACHINE_IP

Idle (Zombie) Scan

nmap -sI ZOMBIE_IP MACHINE_IP

Fragment IP data into 8 bytes

-f

Fragment IP data into 16 bytes

-ff

Hosts Scanning

  • ARP from Link Layer

  • ICMP from Network Layer

  • TCP from Transport Layer

  • UDP from Transport Layer

ICMP Scan

Nmap, by default, uses a ping scan. ICMP has many types. ICMP ping uses Type 8 (Echo) and Type 0 (Echo Reply).

ICMP echo requests tend to be blocked, you might also consider ICMP Timestamp or ICMP Address Mask requests to tell if a system is online. Nmap uses timestamp request (ICMP Type 13) and checks whether it will get a Timestamp reply (ICMP Type 14). Adding the -PP option tells Nmap to use ICMP timestamp requests.

nmap -PP -sn machina_ip/24 #ICMP TIMESTAMP, no port scan
nmap -PM -sn machina_ip/24 #ICMP MASK, no port scan
nmap -PE -sn machina_ip/24 #ICMP ECHO, no port scan

ARP Scan

ARP scan is possible only if you are on the same subnet as the target systems. 

nmap -PR -sn machina_ip/24 #arp scan, no port scan

TCP & UDP Scan

SYN Scan

We can send a packet with the SYN (Synchronize) flag set to a TCP port and wait for a response. An open port should reply with a SYN/ACK (Acknowledge); a closed port would result in an RST (Reset)

nmap -PS -sn machina_ip/24 #TCP SYN scan, no port scan

Privileged users (r00t and sudoers) can send TCP SYN packets and don’t need to complete the TCP 3-way handshake even if the port is open which makes it stealthier. Servers usually logs completed connections only.

ACK Scan

You must be running Nmap as a privileged user to be able to accomplish this. If you try it as an unprivileged user, Nmap will attempt a 3-way handshake.

nmap -PA -sn machina_ip/24 #TCP ACK scan, no port scan

UDP Scan

Contrary to TCP SYN ping, sending a UDP packet to an open port is not expected to lead to any reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port unreachable packet; this indicates that the target system is up and available.

nmap -PU -sn machina_ip/24

NULL Scan

The null scan does not set any flag; all six flag bits are set to zero. A tcp packet with no flags set will not trigger any response when it reaches an open port.

However, we expect the target server to respond with an RST packet if the port is closed. Consequently, we can use the lack of RST response to figure out the ports that are not closed: open or filtered.

nmap -sN -sn victim_ip

FIN Scan

Similarly, no response will be sent if the TCP port is open. Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic related to this TCP port.

However, the target system should respond with an RST if the port is closed. Consequently, we will be able to know which ports are closed and use this knowledge to infer the ports that are open or filtered. It's worth noting some firewalls will 'silently' drop the traffic without sending an RST.

nmap -sF victim_ip

XMAS Scan

The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. And like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered.

nmap -sX victim_ip

On scenario where these three scan types can be efficient is when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match the SYN packet makes it possible to deceive the firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packets and render this kind of scan useless.

Window Scan

Another similar scan is the TCP window scan. The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open

Similarly, launching a TCP window scan against a Linux system with no firewall will not provide much information. The results of the window scan against a Linux server with no firewall usually do not give any extra information compared to the ACK scan described earlier.

nmap -sW machina_ip

Decoys & Spoofing

In some network setups, you will be able to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response. If you try to scan a target from some random network using a spoofed IP address, chances are you won’t have any response routed to you, and the scan results could be unreliable.

Spoofing only works in a minimal number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed.

nmap -S SPOOFED_IP MACHINE_IP #UNIQUE SPOOF
nmap -D <decoy-1-ip>,<decoy-2-ip>,RND,RND,ME <victim_ip> #2static decoys + 2 random decoys, then our real ip

Packet Fragmentation

To properly understand fragmentation, we need to look at the IP header in the figure below. It might look complicated at first, but we notice that we know most of its fields. In particular, notice the source address taking 32 bits (4 bytes) on the fourth row, while the destination address is taking another 4 bytes on the fifth row. The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below.

Zombie/Idle Scan

The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with. Practically, Nmap will make each probe appear as if coming from the idle (zombie) host, then it will check for indicators whether the idle (zombie) host received any response to the spoofed probe. This is accomplished by checking the IP identification (IP ID) value in the IP header.

We have the attacker system probing an idle machine, a printer. By sending a SYN/ACK, it responds with an RST packet containing its newly incremented IP ID.

The attacker will send a SYN packet to the TCP port they want to check on the target machine in the next step. However, this packet will use the idle host (zombie) IP address as the source. Three scenarios would arise. In the first scenario, shown in the figure below, the TCP port is closed; therefore, the target machine responds to the idle host with an RST packet. The idle host does not respond; hence its IP ID is not incremented.

In the second scenario, as shown below, the TCP port is open, so the target machine responds with a SYN/ACK to the idle host (zombie). The idle host responds to this unexpected packet with an RST packet, thus incrementing its IP ID.

In the third scenario, the target machine does not respond at all due to firewall rules. This lack of response will lead to the same result as with the closed port; the idle host won’t increase the IP ID.

For the final step, the attacker sends another SYN/ACK to the idle host. The idle host responds with an RST packet, incrementing the IP ID by one again. The attacker needs to compare the IP ID of the RST packet received in the first step with the IP ID of the RST packet received in this third step. If the difference is 1, it means the port on the target machine was closed or filtered. However, if the difference is 2, it means that the port on the target was open.

nmap -sI zombie_ip victim_ip

It is worth repeating that this scan is called an idle scan because choosing an idle host is indispensable for the accuracy of the scan. If the “idle host” is busy, all the returned IP IDs would be useless.

Port Knocking

Sometimes, a certain port will only open after "knocking" on some others. This script will knock on port 1111,2222,3333,4444 respectively.

for PORT in 1111 2222 3333 4444; do nc -vz TARGET_IP $PORT; done;

Service Scanning

You can skip the port scan and just run a full blow full port, full service, full script scan but it will take a while and it will make noises. I suggest you check manually for popular services and then run a full scan with a temporary device/proxy because you will get caught in some way or form(IDS,AV,FIREWALL,ETC)

nmap -A --script vuln -p- -Pn target_ip -oA netscan-sv-A -T5 #Full scan, full speed
nmap -p80 -Pn target_ip -oA netscan-80 -T0 #scan p80, russian submarine stealth

Try to stay low profile when scanning. By using nmap with the -A option, it becomes very obvious that a scan is happening (Even with -T0 enabled) because the requests are sus. E.g:

/nice%20ports%2C/Tri%6Eity.txt%2ebak Which test the server and its aptitude to escape characters.

https://www.dragos.com/blog/industry-news/threat-hunting-with-python-part-2-detecting-nmap-behavior-with-bro-http-logs/

HTTP - Web Application

Directory & File Enumeration

You can use the following tools to run different type of scans against your target(s)

  • dirbuster

  • gobuster

  • dirb

  • wfuzz

  • ffuf

#!/bin/python3
#fuzzer for fun
import requests 
import sys 

sub_list = open("subdomains.txt").read() 
subdoms = sub_list.splitlines()

for sub in subdoms:
    sub_domains = f"http://{sub}.{sys.argv[1]}" 

    try:
        requests.get(sub_domains)
    
    except requests.ConnectionError: 
        pass
    
    else:
        print("Valid domain: ",sub_domains)

Again, you want to keep a low profile while scanning/brute-forcing web apps. Or you will get blacklisted.

Subdomains Enumeration

Fuzz subdomain with wfuzz or ffuf

Virtual Hosts Enumeration

Fuzz the Host header. Use burp and intruder

PreviousExternal ReconNextWeb Recon

Last updated