# Ports & services scanning ### ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2Fg9Oq33jqqw1pdfjkLg1y%2Fimage.png?alt=media\&token=1085c0a3-3edf-460f-a0cf-a7af7a6bc3be) | Scan Type | Nmap command | | ------------------------------ | ------------------------------------------------ | | TCP Null Scan | `nmap -sN MACHINE_IP` | | TCP FIN Scan | `nmap -sF MACHINE_IP` | | TCP Xmas Scan | `nmap -sX MACHINE_IP` | | TCP Maimon Scan | `nmap -sM MACHINE_IP` | | TCP ACK Scan | `nmap -sA MACHINE_IP` | | TCP Window Scan | `nmap -sW MACHINE_IP` | | Custom TCP Scan | `nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP` | | Spoofed Source IP | `nmap -S SPOOFED_IP MACHINE_IP` | | Spoofed MAC Address | `--spoof-mac SPOOFED_MAC` | | Decoy Scan | `nmap -D DECOY_IP,ME MACHINE_IP` | | Idle (Zombie) Scan | `nmap -sI ZOMBIE_IP MACHINE_IP` | | Fragment IP data into 8 bytes | `-f` | | Fragment IP data into 16 bytes | `-ff` | ## Hosts Scanning * ARP from Link Layer * ICMP from Network Layer * TCP from Transport Layer * UDP from Transport Layer ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FJ3LZRdPrnyzjWeI4B8Kr%2Fimage.png?alt=media\&token=e6b3c0ea-5086-49e8-aa08-771e7a6dd50f) ### ICMP Scan Nmap, by **default**, uses a **ping scan.** ICMP has [many types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml). ICMP ping uses Type 8 (Echo) and Type 0 (Echo Reply). **ICMP** echo requests tend to be **blocked**, you might also **consider ICMP Timestamp** or **ICMP Address Mask** requests to tell if a system is online. Nmap uses timestamp request (ICMP Type 13) and checks whether it will get a Timestamp reply (ICMP Type 14). Adding the `-PP` option tells Nmap to use ICMP timestamp requests. ``` nmap -PP -sn machina_ip/24 #ICMP TIMESTAMP, no port scan nmap -PM -sn machina_ip/24 #ICMP MASK, no port scan nmap -PE -sn machina_ip/24 #ICMP ECHO, no port scan ``` ### ARP Scan ARP scan is possible only if you are on the **same subnet as the target systems**. ``` nmap -PR -sn machina_ip/24 #arp scan, no port scan ``` ### TCP & UDP Scan #### SYN Scan We can send a packet with the SYN (Synchronize) flag set to a TCP port and wait for a response. An open port should reply with a SYN/ACK (Acknowledge); a closed port would result in an RST (Reset) ``` nmap -PS -sn machina_ip/24 #TCP SYN scan, no port scan ``` ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FfjiSIy2Z7J22byirEkqj%2Fimage.png?alt=media\&token=aca4ddbb-da8c-4571-8bd3-34750a2fbe54) Privileged users (r00t and sudoers) can send TCP SYN packets and don’t need to complete the TCP 3-way handshake even if the port is open which makes it stealthier. Servers **usually** logs completed connections only. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2F2VYaINHsFo8bjuxDFMya%2Fimage.png?alt=media\&token=d8c6d34a-b0c4-4e06-9880-c0f8ccd91ffc) #### ACK Scan You must be running Nmap as a privileged user to be able to accomplish this. If you try it as an unprivileged user, Nmap will attempt a 3-way handshake. ``` nmap -PA -sn machina_ip/24 #TCP ACK scan, no port scan ``` ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FT1Yq4KQqB6vEoCKfjOGC%2Fimage.png?alt=media\&token=0260d871-9f07-4524-b520-2bcd7dd36508) #### UDP Scan Contrary to TCP SYN ping, sending a UDP packet to an open port is not expected to lead to any reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port unreachable packet; this indicates that the target system is up and available. ``` nmap -PU -sn machina_ip/24 ``` ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FGYyqLNCOAheuVTTgPbcp%2Fimage.png?alt=media\&token=76a88c87-655b-473e-ad36-aa0286f9006e) ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FIHYYTKZxdEejY5mcr1XA%2Fimage.png?alt=media\&token=9a1a7f93-a05b-41cc-a229-b733c8384d72) #### NULL Scan The null scan does not set any flag; all six flag bits are set to zero. A tcp packet with no flags set will not trigger any response when it reaches an open port. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2Fv7pPfbJejsD8qe7cvCsH%2Fimage.png?alt=media\&token=ff90ad21-ff02-41e6-af42-170c828b8143) However, we expect the target server to respond with an RST packet if the port is closed. Consequently, we can use the lack of RST response to figure out the ports that are not closed: open or filtered. ![a](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2F7FzBniwPdDtcusKl1GuL%2Fimage.png?alt=media\&token=9546885b-f04c-4ec9-8c82-d5f52262beb9) ```bash nmap -sN -sn victim_ip ``` #### FIN Scan Similarly, no response will be sent if the TCP port is open. Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic related to this TCP port. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2F5Dym6qRd7cxkBvuYsqWw%2Fimage.png?alt=media\&token=37b1933f-1463-4d4b-9a11-6769fb786594) However, the target system should respond with an RST if the port is closed. Consequently, we will be able to know which ports are closed and use this knowledge to infer the ports that are open or filtered. It's worth noting some firewalls will 'silently' drop the traffic without sending an RST. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FDiOND23UyIejGh4i28MH%2Fimage.png?alt=media\&token=e40547c9-afbe-4190-a484-fcb1cf56935f) ``` nmap -sF victim_ip ``` #### XMAS Scan The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. And like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FBObeueWlGw55R6udeOPF%2Fimage.png?alt=media\&token=2c13c46f-d5e1-4b58-b580-a83ee7345c88) ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FBnoa0pblmt8c9cRyKG8q%2Fimage.png?alt=media\&token=97512939-d974-48a2-a758-3fb59badb07e) ``` nmap -sX victim_ip ``` {% hint style="info" %} On scenario where these three scan types can be efficient is when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match the SYN packet makes it possible to deceive the firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packets and render this kind of scan useless. {% endhint %} #### Window Scan Another similar scan is the TCP window scan. The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open Similarly, launching a TCP window scan against a Linux system with no firewall will not provide much information. The results of the window scan against a Linux server with no firewall usually do not give any extra information compared to the ACK scan described earlier. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FUFfixzypgPJTXffZVkHN%2Fimage.png?alt=media\&token=5dc90da1-9dae-49e2-ab2f-3ec6c88cc88d) ``` nmap -sW machina_ip ``` ### Decoys & Spoofing In some network setups, you will be able to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response. If you try to scan a target from some random network using a spoofed IP address, chances are you won’t have any response routed to you, and the scan results could be unreliable. Spoofing only works in a minimal number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed. ![Spoofin](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FlOM3k8krAKKKtpOyqHkD%2Fimage.png?alt=media\&token=60f7083e-5851-4e31-bc62-813781512f72) ![Decoyin](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FDA3dEOynk6NktVIWoE08%2Fimage.png?alt=media\&token=2c50fcc8-656a-44aa-b60b-98fa72de0f27) ``` nmap -S SPOOFED_IP MACHINE_IP #UNIQUE SPOOF nmap -D ,,RND,RND,ME #2static decoys + 2 random decoys, then our real ip ``` ### Packet Fragmentation To properly understand fragmentation, we need to look at the IP header in the figure below. It might look complicated at first, but we notice that we know most of its fields. In particular, notice the source address taking 32 bits (4 bytes) on the fourth row, while the destination address is taking another 4 bytes on the fifth row. The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FTBWFBkTfhpvU8qg99vkv%2Fimage.png?alt=media\&token=98bb28f4-2abd-49df-bbf5-b11e013c0bcf) ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FczgLIhr7DaCOIgmn4W4D%2Fimage.png?alt=media\&token=8ce69a48-8365-4771-b5a6-a6085c7aedab) ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FV5k5rdpzgGcogCA8KY3I%2Fimage.png?alt=media\&token=7f23e1e1-55aa-43af-9e7f-8e18ec1ce0e0) ### Zombie/Idle Scan The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with. Practically, Nmap will make each probe appear as if coming from the idle (zombie) host, then it will check for indicators whether the idle (zombie) host received any response to the spoofed probe. This is accomplished by checking the IP identification (IP ID) value in the IP header. We have the attacker system probing an idle machine, a printer. By sending a SYN/ACK, it responds with an RST packet containing its **newly incremented IP ID**. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FejroPux8bKkMDaWedVPS%2Fimage.png?alt=media\&token=0479f85c-0942-4f36-b3a9-4ca9842695d5) The attacker will send a SYN packet to the TCP port they want to check on the target machine in the next step. However, this packet will use the idle host (zombie) IP address as the source. Three scenarios would arise. In the first scenario, shown in the figure below, the TCP port is closed; therefore, the target machine responds to the idle host with an RST packet. The idle host does not respond; hence its IP ID is not incremented. ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2FBPCMoxHR1FTB8OwjPVlQ%2Fimage.png?alt=media\&token=a64d8222-bebe-4340-bc09-bd4f43c58fe6) In the second scenario, as shown below, the TCP port is open, so the target machine responds with a SYN/ACK to the idle host (zombie). The idle host responds to this unexpected packet with an RST packet, **thus incrementing its IP ID.** ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mk3RnfEHBP3zuZMsnli%2Fuploads%2F4YSEFjYiowaMUH1hXHkP%2Fimage.png?alt=media\&token=305ff684-b461-410c-ad6d-30f739007243) In the third scenario, the target machine does not respond at all due to firewall rules. This lack of response will lead to the same result as with the closed port; the idle host won’t increase the IP ID. For the final step, the attacker sends another SYN/ACK to the idle host. The idle host responds with an RST packet, incrementing the IP ID by one again. The attacker needs to compare the IP ID of the RST packet received in the first step with the IP ID of the RST packet received in this third step. If the difference is 1, it means the port on the target machine was closed or filtered. However, if the difference is 2, it means that the port on the target was open. ``` nmap -sI zombie_ip victim_ip ``` {% hint style="info" %} It is worth repeating that this scan is called an idle scan because **choosing an idle host** is **indispensable** for the accuracy of the scan. If the “idle host” is busy, all the returned IP IDs would be useless. {% endhint %} ### Port Knocking Sometimes, a certain port will only open after "knocking" on some others. This script will knock on port 1111,2222,3333,4444 respectively. ```bash for PORT in 1111 2222 3333 4444; do nc -vz TARGET_IP $PORT; done; ``` ## Service Scanning You can skip the port scan and just run a full blow full port, full service, full script scan but it **will** take a while and it **will** make noises. I suggest you check manually for popular services and then run a full scan with a temporary device/proxy because you **will** get caught in some way or form(IDS,AV,FIREWALL,ETC) ```bash nmap -A --script vuln -p- -Pn target_ip -oA netscan-sv-A -T5 #Full scan, full speed nmap -p80 -Pn target_ip -oA netscan-80 -T0 #scan p80, russian submarine stealth ``` {% hint style="warning" %} Try to stay low profile when scanning. By using nmap with the *-A* option, it becomes very obvious that a scan is happening (Even with *-T0* enabled) because the requests are sus. E.g: **/nice%20ports%2C/Tri%6Eity.txt%2ebak**\ Which test the server and its aptitude to escape characters. {% endhint %} ![Spike in one specific user agent in a short amount of time](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Mk3RnfEHBP3zuZMsnli%2F-MkPEo30PG7GgUVzLqAo%2F-MkPFQNRXhr9zP_m_w1W%2Fimage.png?alt=media\&token=f95f58aa-643c-4105-ad26-bcb3e53dbd3f) ### HTTP - Web Application #### Directory & File Enumeration You can use the following tools to run different type of scans against your target(s) * dirbuster * gobuster * dirb * wfuzz * ffuf ``` #!/bin/python3 #fuzzer for fun import requests import sys sub_list = open("subdomains.txt").read() subdoms = sub_list.splitlines() for sub in subdoms: sub_domains = f"http://{sub}.{sys.argv[1]}" try: requests.get(sub_domains) except requests.ConnectionError: pass else: print("Valid domain: ",sub_domains) ``` {% hint style="warning" %} Again, you want to keep a low profile while scanning/brute-forcing web apps. Or you **will** get blacklisted. {% endhint %} ![](https://864121778-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Mk3RnfEHBP3zuZMsnli%2F-MkPEo30PG7GgUVzLqAo%2F-MkPFXtn65T6h0g6q1aY%2Fimage.png?alt=media\&token=2613a635-1055-4e17-b0ef-606783d1e9fb) #### Subdomains Enumeration Fuzz subdomain with **wfuzz** or **ffuf** #### Virtual Hosts Enumeration Fuzz the **Host** header. Use **burp** and **intruder**