Ports & services scanning
Send the scouts first.
| Scan | Command |
| --- | --- |
| TCP Null Scan | nmap -sN MACHINE_IP |
| TCP FIN Scan | nmap -sF MACHINE_IP |
| TCP Xmas Scan | nmap -sX MACHINE_IP |
| TCP Maimon Scan | nmap -sM MACHINE_IP |
| TCP ACK Scan | nmap -sA MACHINE_IP |
| TCP Window Scan | nmap -sW MACHINE_IP |
| Custom TCP Scan | nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP |
| Spoofed Source IP | nmap -S SPOOFED_IP MACHINE_IP |
| Spoofed MAC Address | --spoof-mac SPOOFED_MAC |
| Decoy Scan | nmap -D DECOY_IP,ME MACHINE_IP |
| Idle (Zombie) Scan | nmap -sI ZOMBIE_IP MACHINE_IP |
| Fragment IP data into 8 bytes | -f |
| Fragment IP data into 16 bytes | -ff |
ARP from Link Layer
ICMP from Network Layer
TCP from Transport Layer
UDP from Transport Layer
Nmap performs host discovery (a ping scan) by default. ICMP has many types; an ICMP ping uses Type 8 (Echo) and Type 0 (Echo Reply).
Because ICMP echo requests tend to be blocked, you might also consider ICMP Timestamp or ICMP Address Mask requests to tell whether a system is online. Nmap sends a timestamp request (ICMP Type 13) and checks whether it gets a Timestamp reply (ICMP Type 14). Adding the -PP option tells Nmap to use ICMP timestamp requests.
An ARP scan is possible only if you are on the same subnet as the target systems.
We can send a packet with the SYN (Synchronize) flag set to a TCP port and wait for a response. An open port should reply with a SYN/ACK (Acknowledge); a closed port would result in an RST (Reset).
Privileged users (r00t and sudoers) can send TCP SYN packets and don't need to complete the TCP 3-way handshake even if the port is open, which makes it stealthier: servers usually log completed connections only.
You must be running Nmap as a privileged user to accomplish this. If you try it as an unprivileged user, Nmap will attempt a full 3-way handshake instead.
Contrary to TCP SYN ping, sending a UDP packet to an open port is not expected to lead to any reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port unreachable packet; this indicates that the target system is up and available.
The null scan does not set any flag; all six flag bits are set to zero. A TCP packet with no flags set will not trigger any response when it reaches an open port.
However, we expect the target server to respond with an RST packet if the port is closed. Consequently, we can use the lack of an RST response to figure out the ports that are not closed: open or filtered.
Similarly, for the FIN scan (a packet with only the FIN flag set), no response will be sent if the TCP port is open. Again, Nmap cannot be sure whether the port is open or a firewall is blocking the traffic related to this TCP port.
However, the target system should respond with an RST if the port is closed. Consequently, we will be able to know which ports are closed and use this knowledge to infer the ports that are open or filtered. It's worth noting that some firewalls will silently drop the traffic without sending an RST.
The Xmas scan gets its name from Christmas tree lights: it sets the FIN, PSH, and URG flags simultaneously. As with the Null and FIN scans, if an RST packet is received, the port is closed; otherwise, it will be reported as open|filtered.
Another similar scan is the TCP window scan. The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open.
As with the ACK scan, launching a TCP window scan against a Linux system with no firewall will not provide much information: the results usually do not give any extra information compared to the ACK scan described earlier.
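To make the flag semantics above concrete, here is an added example (not code from the original page) that reads the flag byte of raw TCP headers, names the probe type each packet matches (null, FIN, Xmas, Maimon, SYN, ACK), parses an nmap-style --scanflags string, and encodes the inference rules from the text (RST means closed, silence means open|filtered). The packet builder, the sample traffic and the function names are assumptions constructed for this example; the flag bit values are the standard ones from byte 13 of the TCP header.

```python
import struct
from typing import Optional

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# Flag combinations of the probe types discussed above, keyed by the exact flag byte.
PROBE_SIGNATURES = {
    0: "null",
    FIN: "fin",
    FIN | PSH | URG: "xmas",
    FIN | ACK: "maimon",
    SYN: "syn",
    ACK: "ack",
}


def parse_scanflags(spec: str) -> int:
    """Turn an nmap-style --scanflags string (e.g. 'URGACKPSHRSTSYNFIN') into a flag byte."""
    spec = spec.upper()
    if len(spec) % 3:
        raise ValueError("scanflags string must be a run of 3-letter flag names")
    flags = 0
    for i in range(0, len(spec), 3):
        name = spec[i:i + 3]
        if name not in FLAG_BITS:
            raise ValueError(f"unknown flag {name!r}")
        flags |= FLAG_BITS[name]
    return flags


def build_tcp_header(sport: int, dport: int, flags: int, window: int = 1024) -> bytes:
    """Constructed 20-byte TCP header (no options, checksum zero) used as sample input."""
    data_offset = 5 << 4  # header length of 5 words sits in the top nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, window, 0, 0)


def flags_of(header: bytes) -> int:
    """Read the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def classify_probe(header: bytes) -> str:
    """Name the probe type a packet matches, or 'other' for ordinary traffic."""
    return PROBE_SIGNATURES.get(flags_of(header), "other")


def infer_port_state(probe: str, response: Optional[bytes] = None) -> str:
    """The inference rules from the text: what a scanner concludes from each reply (None = silence)."""
    got_rst = response is not None and bool(flags_of(response) & RST)
    if probe in ("null", "fin", "xmas", "maimon"):
        # RST means closed; silence means open, or a firewall dropped the probe.
        return "closed" if got_rst else "open|filtered"
    if probe == "syn":
        if response is None:
            return "filtered"
        f = flags_of(response)
        return "open" if (f & SYN) and (f & ACK) else "closed"
    if probe == "ack":
        # An ACK probe only tells us whether a stateful filter sits in the path.
        return "unfiltered" if got_rst else "filtered"
    raise ValueError(f"no inference rule for probe type {probe!r}")


def scan_signatures_in(headers) -> dict:
    """Count packets per probe type in a batch, the kind of tally an IDS rule would alert on."""
    counts = {}
    for h in headers:
        kind = classify_probe(h)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample traffic: four probes mixed with a normal SYN and a normal data segment.
SAMPLE_HEADERS = [
    build_tcp_header(40001, 22, 0),                # null probe
    build_tcp_header(40002, 22, FIN),              # fin probe
    build_tcp_header(40003, 22, FIN | PSH | URG),  # xmas probe
    build_tcp_header(40004, 22, FIN | ACK),        # maimon probe
    build_tcp_header(40005, 80, SYN),              # ordinary connection attempt (or SYN probe)
    build_tcp_header(40006, 80, PSH | ACK),        # ordinary data segment
]

if __name__ == "__main__":
    print(scan_signatures_in(SAMPLE_HEADERS))
    print(infer_port_state("xmas", None), infer_port_state("xmas", build_tcp_header(22, 40003, RST | ACK)))
```

Null, FIN and Xmas probes never occur in legitimate traffic, so a single match per source is already a strong detection signal; the inference function is the scanner's side of the same table and shows why a firewall that drops silently leaves the scanner with only open|filtered.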
In some network setups, you will be able to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response. If you try to scan a target from some random network using a spoofed IP address, chances are you won't have any response routed to you, and the scan results could be unreliable.
Spoofing only works in a small number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed.
To properly understand fragmentation, we need to look at the IP header in the figure below. It might look complicated at first, but we notice that we know most of its fields. In particular, notice the source address taking 32 bits (4 bytes) on the fourth row, while the destination address is taking another 4 bytes on the fifth row. The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below.
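As an added example (not from the original page), the following model builds IPv4 headers with the identification and fragment-offset fields just described, splits a 20-byte TCP header into 8-byte or 16-byte fragments as -f and -ff do, and reassembles them the way a receiving stack (or an inspecting firewall) must. It also shows what a filter that looks only at the first fragment can see: with 8-byte fragments the TCP flags byte (offset 13) is in the second fragment. Addresses, the identification value and all function names are constructed assumptions; checksums are left at zero because nothing is sent.

```python
import struct
from collections import defaultdict

MF = 0x2000           # "More Fragments" flag bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src, dst, ident, payload_len, offset_bytes, more_fragments, proto=6):
    """Minimal 20-byte IPv4 header; checksum is left zero since this is a model, not a sender."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF if more_fragments else 0) | (offset_bytes // 8)
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0, src, dst)


def parse_ipv4(packet):
    """Split a packet into the header fields reassembly needs, plus its payload."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "more": bool(flags_frag & MF), "offset": (flags_frag & OFFSET_MASK) * 8,
            "payload": packet[ihl:total_len]}


def fragment(src, dst, ident, payload, chunk=8):
    """Split a payload into fragments of `chunk` bytes (8 models -f, 16 models -ff)."""
    if chunk % 8:
        raise ValueError("chunk size must be a multiple of 8")
    packets = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        packets.append(ipv4_header(src, dst, ident, len(piece), off, more) + piece)
    return packets


def reassemble(packets):
    """Rebuild datagrams keyed by (src, dst, id, proto); a datagram is returned only when complete."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        groups[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    datagrams = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        data = b""
        for f in frags:
            if f["offset"] != len(data):
                break  # gap or overlap: refuse to guess
            data += f["payload"]
            if not f["more"]:
                datagrams[key] = data  # last fragment seen and everything before it contiguous
                break
    return datagrams


def tcp_flags_in_first_fragment(packet):
    """What a filter inspecting only the first fragment can see: the TCP flags byte, or None."""
    f = parse_ipv4(packet)
    if f["offset"] == 0 and len(f["payload"]) > 13:
        return f["payload"][13]
    return None


# Constructed sample: a 20-byte TCP SYN header (flags byte 0x02 at offset 13) from 10.0.0.1 to 10.0.0.2.
SRC, DST, IDENT = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x1234
SAMPLE_TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
FRAGMENTS_8 = fragment(SRC, DST, IDENT, SAMPLE_TCP_SYN, chunk=8)
FRAGMENTS_16 = fragment(SRC, DST, IDENT, SAMPLE_TCP_SYN, chunk=16)

if __name__ == "__main__":
    print(len(FRAGMENTS_8), "fragments of 8 bytes;", len(FRAGMENTS_16), "fragments of 16 bytes")
    print("flags visible in first 8-byte fragment:", tcp_flags_in_first_fragment(FRAGMENTS_8[0]))
    print("flags after reassembly:", reassemble(FRAGMENTS_8)[(SRC, DST, IDENT, 6)][13])
```

The reassembler accepts fragments in any order and keeps incomplete datagrams out of the result, which is the property an inspection device needs: decide on the reassembled header, not on whichever fragment happened to arrive first.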
The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with. Practically, Nmap will make each probe appear as if coming from the idle (zombie) host, then it will check for indicators whether the idle (zombie) host received any response to the spoofed probe. This is accomplished by checking the IP identification (IP ID) value in the IP header.
We have the attacker system probing an idle machine, a printer. The attacker sends it a SYN/ACK, and the printer responds with an RST packet containing its newly incremented IP ID.
The attacker will send a SYN packet to the TCP port they want to check on the target machine in the next step. However, this packet will use the idle host (zombie) IP address as the source. Three scenarios would arise. In the first scenario, shown in the figure below, the TCP port is closed; therefore, the target machine responds to the idle host with an RST packet. The idle host does not respond; hence its IP ID is not incremented.
In the second scenario, as shown below, the TCP port is open, so the target machine responds with a SYN/ACK to the idle host (zombie). The idle host responds to this unexpected packet with an RST packet, thus incrementing its IP ID.
In the third scenario, the target machine does not respond at all due to firewall rules. This lack of response will lead to the same result as with the closed port; the idle host won’t increase the IP ID.
For the final step, the attacker sends another SYN/ACK to the idle host. The idle host responds with an RST packet, incrementing the IP ID by one again. The attacker needs to compare the IP ID of the RST packet received in the first step with the IP ID of the RST packet received in this third step. If the difference is 1, it means the port on the target machine was closed or filtered. However, if the difference is 2, it means that the port on the target was open.
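The three steps above reduce to arithmetic on the zombie's IP ID counter. The following added example (not code from the original page) models that arithmetic with toy hosts whose only state is an IP ID counter, runs the three scenarios, and also shows why the technique breaks when the "idle" host is not actually idle: unrelated traffic between the two probes makes the difference something other than 1 or 2, which is also why per-destination or randomized IP IDs in modern stacks remove a host's usefulness as a zombie. The Host and Target classes, the noise parameter and the port sets are constructed assumptions.

```python
class Host:
    """Toy IP stack: the only state that matters is the global IP ID counter.
    `noise` models other packets the host sends between our probes (a host that is not idle)."""

    def __init__(self, name, ip_id=1000, noise=0):
        self.name = name
        self.ip_id = ip_id
        self.noise = noise

    def _next_ip_id(self):
        self.ip_id += 1 + self.noise  # our packet plus any unrelated traffic
        return self.ip_id

    def receive(self, pkt):
        """Return the packet this host sends in reply, or None when it stays silent."""
        if pkt["flags"] == "SYN/ACK":
            # Unsolicited SYN/ACK for a connection that does not exist: answer with RST.
            return {"src": self.name, "dst": pkt["src"], "flags": "RST", "ip_id": self._next_ip_id()}
        return None  # an RST addressed to us is simply dropped, nothing is sent


class Target(Host):
    """The scanned machine: answers SYNs according to its port state."""

    def __init__(self, name, open_ports=(), filtered_ports=()):
        super().__init__(name)
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt["flags"] == "SYN":
            if pkt["dport"] in self.filtered_ports:
                return None  # firewall drops the probe
            reply = "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
            return {"src": self.name, "dst": pkt["src"], "flags": reply, "ip_id": self._next_ip_id()}
        return super().receive(pkt)


def probe_zombie(zombie, attacker="attacker"):
    """Send the zombie a SYN/ACK and read the IP ID of the RST it answers with."""
    rst = zombie.receive({"src": attacker, "dst": zombie.name, "flags": "SYN/ACK"})
    return rst["ip_id"]


def idle_scan(zombie, target, port):
    """Run the three steps from the text and return (ip_id_difference, verdict)."""
    first = probe_zombie(zombie)  # step 1: learn the zombie's current IP ID
    # step 2: SYN to the target carrying the zombie's address as source (spoofed by construction here)
    reply = target.receive({"src": zombie.name, "dst": target.name, "flags": "SYN", "dport": port})
    if reply is not None:
        zombie.receive(reply)  # the zombie, not the attacker, gets whatever the target sends back
    third = probe_zombie(zombie)  # step 3: read the IP ID again
    diff = third - first
    if diff == 2:
        return diff, "open"
    if diff == 1:
        return diff, "closed|filtered"
    return diff, "unknown (zombie not idle or IP ID not a simple global counter)"


if __name__ == "__main__":
    target = Target("target", open_ports={80}, filtered_ports={23})
    for port in (80, 22, 23):
        print(port, idle_scan(Host("printer"), target, port))
    print("busy host:", idle_scan(Host("busy-server", noise=3), target, 80))
```

The busy-host run returns a difference of 8 (two RSTs plus six unrelated packets) and no verdict; a host that randomizes its IP ID behaves the same way from the scanner's point of view, which is the defender's lever here.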
Sometimes a certain port will only open after "knocking" on some others. This script knocks on ports 1111, 2222, 3333 and 4444, in that order.
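The server side of port knocking is a small state machine over dropped connection attempts. As an added example (not the page's script and not any knocking daemon's code), the following tracker replays a constructed firewall log and reports which source addresses sent the 1111, 2222, 3333, 4444 sequence in order within a time window; out-of-order knocks and knocks that arrive too slowly reset the sequence. The log format, the window length, the addresses and the function names are assumptions made for this example.

```python
import re
from datetime import datetime

KNOCK_SEQUENCE = (1111, 2222, 3333, 4444)  # the sequence from the text
KNOCK_WINDOW_SECONDS = 10.0                 # assumed: the whole sequence must arrive within this window

# Constructed firewall-log format (assumed, not any particular product's):
#   2024-05-01T10:00:00 DROP src=203.0.113.5 dpt=1111
LOG_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dpt=(?P<dpt>\d+)")
EPOCH = datetime(1970, 1, 1)


class KnockTracker:
    """Tracks, per source address, how far through the knock sequence it has progressed."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}  # src -> (index of next expected port, time of last accepted knock)

    def observe(self, src, port, ts):
        """Feed one dropped-connection event; return True when `src` has just completed the sequence."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.window:
            idx = 0  # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1  # a fresh start after a broken attempt
        else:
            idx = 0  # wrong port: a strict sequence resets
        if idx == len(self.sequence):
            self.progress[src] = (0, ts)
            return True
        self.progress[src] = (idx, ts)
        return False


def completed_knocks(log_lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW_SECONDS):
    """Return the source addresses, in completion order, that sent the full knock sequence."""
    tracker = KnockTracker(sequence, window)
    completed = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S") - EPOCH).total_seconds()
        if tracker.observe(m["src"], int(m["dpt"]), ts):
            completed.append(m["src"])
    return completed


# Constructed sample log: one correct sequence, one out of order, one too slow.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 DROP src=203.0.113.5 dpt=1111",
    "2024-05-01T10:00:01 DROP src=203.0.113.9 dpt=1111",
    "2024-05-01T10:00:01 DROP src=203.0.113.5 dpt=2222",
    "2024-05-01T10:00:02 DROP src=203.0.113.9 dpt=3333",
    "2024-05-01T10:00:02 DROP src=203.0.113.5 dpt=3333",
    "2024-05-01T10:00:03 DROP src=203.0.113.9 dpt=2222",
    "2024-05-01T10:00:03 DROP src=203.0.113.5 dpt=4444",
    "2024-05-01T10:00:04 DROP src=203.0.113.9 dpt=4444",
    "2024-05-01T10:00:05 DROP src=198.51.100.20 dpt=1111",
    "2024-05-01T10:00:06 DROP src=198.51.100.20 dpt=2222",
    "2024-05-01T10:00:30 DROP src=198.51.100.20 dpt=3333",
    "2024-05-01T10:00:31 DROP src=198.51.100.20 dpt=4444",
]

if __name__ == "__main__":
    print(completed_knocks(SAMPLE_LOG))
```

Keying progress by source address is what makes the order requirement meaningful; it also means a full port scan that happens to hit 1111 then 2222 in ascending order still fails, because it reaches 1112 before 3333.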
You can skip the port scan and just run a full-blown all-ports, all-services, all-scripts scan, but it will take a while and it will be noisy. I suggest you check manually for popular services and then run a full scan through a temporary device/proxy, because you will get caught one way or another (IDS, AV, firewall, etc.).
Try to stay low profile when scanning. Using nmap with the -A option makes it very obvious that a scan is happening (even with -T0 enabled) because the requests are suspicious, e.g.
/nice%20ports%2C/Tri%6Eity.txt%2ebak, which tests how the server handles escaped characters.
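That request is exactly what makes a service scan visible in web server logs. The following added example (not code from the original page) parses constructed Common Log Format lines, percent-decodes the request path so that differently encoded variants compare equal, and lists the client addresses that sent the probe path quoted above. The log lines, addresses and function names are constructed assumptions; the probe path itself is the one from the text.

```python
import re
from urllib.parse import unquote

# Decoded form of the request path quoted above; scanners send it percent-encoded.
NMAP_HTTP_PROBE_PATH = "/nice ports,/Trinity.txt.bak"

# Common Log Format, e.g.  203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Return the log record as a dict, or None for lines that are not CLF requests."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_nmap_probe(path):
    """Compare the decoded path case-insensitively so %2C, %2c and a literal comma all match."""
    return unquote(path).lower() == NMAP_HTTP_PROBE_PATH.lower()


def find_scanners(log_lines):
    """Return {client_ip: [raw request paths]} for every client that sent the probe."""
    hits = {}
    for line in log_lines:
        rec = parse_clf(line)
        if rec and is_nmap_probe(rec["path"]):
            hits.setdefault(rec["ip"], []).append(rec["path"])
    return hits


# Constructed sample access log: two scanners with different encodings, one normal client.
SAMPLE_ACCESS_LOG = [
    '198.51.100.4 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 196',
    '203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET / HTTP/1.0" 200 512',
    '203.0.113.9 - - [01/May/2024:10:00:07 +0000] "GET /nice%20ports,/Trinity.txt.bak HTTP/1.1" 404 196',
    '198.51.100.4 - - [01/May/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0',
    "garbage line that is not a request",
]

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_ACCESS_LOG).items():
        print(ip, paths)
```

Matching on the decoded path rather than the raw string is the important detail: a rule that looks for the literal %2C/%6E spelling misses the same probe sent with a different encoding.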
You can use the following tools to run different types of scans against your target(s):
dirbuster
gobuster
dirb
wfuzz
ffuf
Again, keep a low profile while scanning or brute-forcing web apps, or you will get blacklisted.
Fuzz subdomains with wfuzz or ffuf.
Fuzz the Host header using Burp Suite's Intruder.