Nmap Advanced Scan Usage

Source: Internet
Author: User

Nmap provides four basic functions (host discovery, port scanning, service and version detection, OS detection) and a rich scripting library. It can be used for simple network information gathering, but also in advanced, complex and specialised environments: scanning a large number of hosts on the Internet, probing firewalls/IDS/IPS, scanning web sites, scanning routers and so on.

A brief review of the basic Nmap scan types:

Full scan: nmap -T4 -A targetip

Host discovery: nmap -T4 -sn targetip

Port scan: nmap -T4 targetip

Service scan: nmap -T4 -sV targetip

OS scan: nmap -T4 -O targetip

The scan types above satisfy general information-gathering needs. To use Nmap in specific scenarios in more detail, the command-line options have to be designed carefully so that the scan behaviour is precisely controlled. The following is a list of practical advanced scenarios and techniques.
1 Nmap Advanced Options
1.1 Viewing local routes and interfaces

Nmap provides the --iflist option to list the local host's network interfaces and routing table. Check the output of nmap --iflist when a target host cannot be reached, or when you want to pick a particular network card on a multi-homed host to reach the target.

[Figure: Nmap view local routes and interfaces]

1.2 Specifying the network port and IP address

In Nmap you can choose which network interface the probe packets are sent through with the -e <interface> option. The interface names come from the --iflist output.


nmap -e eth0 targetip

Nmap can also set the source IP address explicitly. With the -S <spoofip> option, Nmap sends its probe packets with spoofip as the source address.

In addition, decoys can be used to mask the real scanning address: -D ip1,ip2,ip3,ip4,ME makes the probes appear to come from several addresses at the same time, where ME stands for the real address of the local machine, so that the firewall on the other side cannot easily tell which address is the scanner.

1.3 Custom Probe Package

Nmap provides the --scanflags option, which gives full control over the flag bits of the TCP probe packets that are sent. The TCP flags can be given as a number or by name: URG, ACK, PSH, RST, SYN and FIN.

For example

nmap -sX -T4 --scanflags URGACKPSHRSTSYNFIN targetip

This command sets all TCP flag bits to 1 and can be used for detection in certain special scenarios.

In addition, the options field of the IP header can be customised with --ip-options.

To summarise: -S sets a false source IP address, -D specifies a set of decoy IP addresses (ME stands for the real address), -e selects the network interface that sends the probe packets, -g (--source-port) sets the source port, -f sends the probe packets as IP fragments, --spoof-mac sets a spoofed MAC address, and --ttl sets the IP time to live.
2 Scan Firewall

Firewalls play an important role in today's network security, and if a firewall system can be probed in detail it becomes easier to bypass or penetrate it. Here is a typical way of using Nmap to obtain basic information about a firewall.

To obtain comprehensive information about a firewall, different scan types must be combined so that its state is probed as fully as possible. When designing the command-line options, the timing parameters can be tuned to the network environment to speed up the scan.

SYN scan

First, the open state of its ports can be detected with a basic SYN scan.

nmap -sS -T4 www.fakefirewall.com

Not shown: 997 filtered ports
80/tcp  open   http
113/tcp closed auth
507/tcp open   crs

The SYN scan shows 3 ports that respond (80 and 507 open, 113 closed), while 997 ports are filtered. By default Nmap scans only the 1000 ports most likely to be open; to scan all ports, use nmap -sS -T4 -p- www.fakefirewall.com

FIN scan

Next, a FIN scan can be used to probe the firewall state. The FIN scan identifies closed ports: an RST reply means the port is closed; otherwise the port is reported as open|filtered.

nmap -sF -T4 www.fakefirewall.com

The scan output is:

7/tcp  open|filtered echo
9/tcp  open|filtered discard
11/tcp open|filtered systat
13/tcp open|filtered daytime
23/tcp open|filtered telnet
25/tcp open|filtered smtp
37/tcp open|filtered time
79/tcp open|filtered finger
80/tcp open|filtered http
(more ports omitted here)

ACK Scan

The ACK scan is then used to determine whether a port is filtered. An unfiltered port (whether open or closed) answers an ACK probe with an RST packet.

nmap -sA -T4 www.fakefirewall.com

Not shown: 997 unfiltered ports
135/tcp   filtered msrpc
1434/tcp  filtered ms-sql-m
32777/tcp filtered sometimes-rpc17

The result shows 997 ports as unfiltered, while 3 (135, 1434 and 32777) are filtered. By combining the ACK results with the FIN results, many open ports can be found. For example, port 7 is open|filtered according to the FIN scan and unfiltered according to the ACK scan, so it can only be open.
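As an added illustration of the FIN/ACK reasoning above (not code from the original article), the following Python script parses greppable (-oG) output from a FIN scan and an ACK scan of the same host and combines the two per-port states. The sample lines are constructed and modelled on the outputs shown in this section.

```python
import re

# Port entries in nmap -oG output look like "80/open|filtered/tcp//http///".
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)//([^/,\t]*)/")
IGNORED_RE = re.compile(r"Ignored State: (\S+) \(\d+\)")


def parse_greppable(line):
    """Return (port -> state, default_state) for one -oG 'Host:' line.

    Ports in the 'Ignored State' are not listed individually, so that
    state is the default for any port absent from the Ports: field.
    """
    states = {int(p): s for p, s, _proto, _svc in PORT_RE.findall(line)}
    m = IGNORED_RE.search(line)
    return states, (m.group(1) if m else None)


def combine_fin_ack(fin_line, ack_line, ports):
    """Apply the article's reasoning: the FIN scan separates closed from
    open|filtered, the ACK scan separates filtered from unfiltered, and
    together they pin down which ports are actually open."""
    fin, fin_default = parse_greppable(fin_line)
    ack, ack_default = parse_greppable(ack_line)
    result = {}
    for port in ports:
        f = fin.get(port, fin_default)
        a = ack.get(port, ack_default)
        if f == "closed":
            result[port] = "closed"      # RST to FIN: reachable and closed
        elif a == "filtered":
            result[port] = "filtered"    # no RST to ACK: a filter drops it
        elif f == "open|filtered" and a == "unfiltered":
            result[port] = "open"        # reachable, yet the FIN drew no RST
        else:
            result[port] = "unknown"
    return result


# Constructed sample lines (not real scan output) modelled on the FIN and
# ACK scans above: 135 is filtered, 7 and 80 answer nothing to the FIN probe.
FIN_LINE = ("Host: 192.0.2.10 ()\tPorts: 7/open|filtered/tcp//echo///, "
            "80/open|filtered/tcp//http///, 135/open|filtered/tcp//msrpc///"
            "\tIgnored State: closed (997)")
ACK_LINE = ("Host: 192.0.2.10 ()\tPorts: 135/filtered/tcp//msrpc///, "
            "1434/filtered/tcp//ms-sql-m///\tIgnored State: unfiltered (998)")

if __name__ == "__main__":
    for port, state in sorted(combine_fin_ack(FIN_LINE, ACK_LINE, [7, 80, 113, 135]).items()):
        print(f"{port}/tcp {state}")
```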

Window scan

The window scan can also be used to derive some port information, supplementing the results of the previous scans. The window scan only works against certain TCP/IP stack implementations.

The window scan works like the ACK scan: it sends an ACK packet to the target port and parses the window size in the RST reply. In some TCP/IP stack implementations a closed port sets the window size in the RST to 0, while an open port sets it to a non-zero value.

nmap -sW -p- -T4 docsrv.caldera.com

Output Result:

7/tcp  open echo
9/tcp  open discard
11/tcp open systat
13/tcp open daytime
(more ports omitted here)

Once the firewall state has been obtained in these ways, service and version detection and OS detection can be carried out further; they are not repeated here.

3 Scan Router

Nmap maintains an internal database of operating systems and devices (nmap-os-db) that can identify thousands of different systems and devices, so it can also be used to scan the main router products.
3.1 Scanning Cisco routers


Cisco routers run common services on these ports. From the hosts listed above with these ports open, the probable IP addresses of router devices and their port status can be located.

3.2 Scanning Router tftp

nmap -sU -p 69 -n -vv target

Most routers support TFTP (Trivial File Transfer Protocol), which runs on UDP port 69 and is commonly used to back up and restore the router's configuration files. The command above checks whether TFTP is open on the router.
3.3 Scan Router Operating system

As with ordinary PC scanning, the -O option detects the router's operating system. -F performs a fast scan of the 100 ports most likely to be open, and the OS fingerprinting is then carried out on the basis of the port scan results.

[Figure: Nmap scan router operating system]

4 Scanning the Internet

Nmap's internal design is powerful and flexible: it can scan a single host, a small LAN, or thousands of hosts to find the ones the user is interested in. Scanning a large number of hosts requires careful tuning of parameters such as scan timing.
4.1 Discovering Web servers on the Internet

nmap -iR 100000 -sS -PS80 -p 80 -oG nmap.txt

This randomly generates 100,000 IP addresses and scans port 80 on each of them, writing the results to the file nmap.txt in greppable format (which can be processed with the grep command).

The details of interest can then be extracted from the output file with grep.
4.2 Statistics Internet host basic data

Fyodor, the founder of Nmap, gave a talk at the Black Hat conference in 2008 on using Nmap to scan the Internet ("Nmap: Scanning the Internet"); the material is at http://nmap.org/presentations/bhdc08/.

Fyodor's original motivation for scanning the Internet was to collect empirical network data and use it to optimise Nmap's performance. For example, knowing the probability that each port is open allows the common ports to be scanned first, saving the user's time.

Generating random IP addresses

Generate 1 million random IP addresses and save them to a file for the subsequent scans.

nmap -iR 1200000 -sL -n | grep "Not scanned" | awk '{print $2}' | sort -n | uniq >! tp; head -25000000 tp >! tcp-allports-1m-ips; rm tp

The command above randomly generates 1.2 million IP addresses (-iR 1200000) and performs a list scan (-sL, which only enumerates the addresses without actually scanning them) with no DNS resolution (-n). From the list-scan output, the rows marked "Not scanned" are selected (grep "Not scanned"), the second column of each row, the IP address, is extracted (awk '{print $2}'), the addresses are sorted numerically (sort -n) and duplicates are removed (uniq). The result is saved to the temporary file tp (the >! redirection is csh syntax; in bash use >), the first 1 million addresses are then taken into the file tcp-allports-1m-ips, and the temporary file is deleted.

In summary, 1 million random IP addresses are generated in the file tcp-allports-1m-ips.

Optimising host discovery

nmap -sP -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4 -iL tcp-allports-1m-ips

The command above performs host discovery on the generated address list (-iL tcp-allports-1m-ips). The source port of the probe packets is set to 53 (--source-port 53; this is the DNS port, and firewalls generally let packets from it through), timing template 4 is used (-T4, relatively fast), TCP SYN probes are sent to ports 21, 22, 23, 25, 80, 113 and 31339, TCP ACK probes to ports 80, 113, 443 and 10042, and ICMP echo (-PE) and ICMP timestamp (-PP) probes are sent as well. As soon as any of these probes gets a reply, the target host is considered online.

Full scan command

After preparing the necessary IP address files and optimizing the host discovery parameters, we get the final scan command:

nmap -S [srcip] -d --max-scan-delay 10 -oA logs/tcp-allports-%T-%D -iL tcp-allports-1m-ips --max-retries 1 --randomize-hosts -p- -PS21,22,23,25,53,80,443 -T4 --min-hostgroup 256 --min-rate 175 --max-rate 300

The command above scans all TCP ports of the 1 million Internet hosts for their open state.

It reads the file containing the 1 million IP addresses (-iL tcp-allports-1m-ips) and sets the source IP address to srcip (this address must route back to the scanning machine's network, otherwise the reply packets from the targets cannot be received). Host discovery uses TCP SYN probes to ports 21, 22, 23, 25, 53, 80 and 443. The host order is randomised (--randomize-hosts; the addresses in the file are sorted, so shuffling them avoids sequential patterns that a firewall would flag). The port scan covers all TCP ports (-p-, ports 1 through 65535), uses timing template 4 (-T4, faster), and writes the results in XML, greppable and normal formats (-oA logs/tcp-allports-%T-%D, where %T stands for the scan time and %D for the scan date).

-d prints debug information.

--max-scan-delay 10 caps the delay between probes at 10 seconds, preventing excessive waiting in special scenarios.

--max-retries 1 means a port scan probe is retransmitted at most once, preventing Nmap from repeatedly retransmitting probes that get no reply; of course, this also reduces the accuracy of the scan.

--min-hostgroup 256 sets the minimum number of hosts scanned in parallel during port scanning and version detection to 256, which speeds up the scan.

--min-rate 175 and --max-rate 300 keep the packet rate between 175 and 300 packets per second, ensuring that the scan is not too slow while the high rate does not alert the target.

Scan results

Fyodor's scan drew many important conclusions, including a count of the 10 TCP ports most likely to be open on the Internet:

* (HTTP)
* (telnet)
* (SSH)
* 443 (HTTPS)
* 3389 (Ms-term-serv)
* (FTP)
* 135 (MSRPC)
* (SMTP)

The 10 UDP ports most likely to be open:

* 137 (Netbios-ns)
* 161 (SNMP)
* 1434 (MS-SQL-M)
* 123 (NTP)
* 135 (MSRPC)
* (Domain)

5 Scan Web site

The web is the most widespread application on the Internet, and more and more services are provided in web form, so web security assessment is becoming more and more important. There are many specialised web scanners in the security field (such as AppScan, WebInspect and w3af) offering port scanning, vulnerability scanning, exploitation, report analysis and so on. As an open-source port scanner, Nmap's support for web scanning is becoming increasingly powerful: it can complete the basic information probing of a web server (server version, supported methods, and whether it contains typical vulnerabilities), and its functionality already goes well beyond other open-source tools in the same field, such as httprint and httsquash.

Currently, web support in Nmap is implemented mainly through Lua scripts, with more than 50 HTTP-related scripts in the NSE script library.

Scan instance:

nmap -sV -p 80 -T4 --script "http*,default" scanme.nmap.org

[Figure: Nmap scans the web site]

The above scans the web application at scanme.nmap.org to show Nmap's web scanning capabilities; the scan results provide noticeably richer information.

First comes the application and version: Apache httpd 2.2.14 ((Ubuntu)).

Then the site's affiliate ID (http-affiliate-id): such IDs can be used to recognise different pages belonging to the same owner.

Then the HTTP headers (http-headers) are output, from which the basic configuration of the server can be read.

From http-title the page title can be seen. Some page titles may leak important information, so they are worth checking here too.
