Penetration testing tools Nmap from beginner to advanced

Source: Internet
Author: User

Nmap is a very useful tool for network scanning and host discovery. It is not limited to information gathering and enumeration: through its scripting engine it can also act as a vulnerability detector or security scanner. It runs on Windows, Linux and macOS. Nmap is a very powerful utility that can be used for:

Detecting live hosts on the network (host discovery)
Detecting open ports on a host (port scanning or enumeration)
Identifying the software and version behind each open port (service and version detection)
Detecting the operating system, hardware (MAC) address and software version
Vulnerability detection (Nmap scripts, the NSE)
Nmap is a very widely used tool and comes with both a command-line interface and a graphical user interface (Zenmap). This article covers the following:

About Nmap

Important parameters in the scan

Operating system detection

Nmap usage tutorial

Nmap uses a number of different scanning techniques, including the TCP connect() scan, the TCP reverse ident scan, the FTP bounce scan and so on. Each scan type has its own pros and cons, which we discuss below.

How Nmap is used depends on the target host: a simple (basic) scan of an unprotected host is one thing, scanning a host behind protection is another. Against firewalls and intrusion detection/prevention systems we need some advanced techniques to get accurate results. First, some basic commands and examples of their usage:

Scan a single host with the following command:

# nmap nxadmin.com

# nmap 192.168.1.2

Scan an entire subnet with the following command:

# nmap 192.168.1.1/24

To scan multiple targets, list them on the command line:

# nmap 192.168.1.2 192.168.1.5

Scan a range of targets, as follows:

# nmap 192.168.1.1-100 (scans every host from 192.168.1.1 to 192.168.1.100)

If you have a list of IP addresses, save it as a text file (targets separated by whitespace or newlines) and point Nmap at it with -iL; every host in the file is scanned:

# nmap -iL target.txt

To list the hosts a scan would cover (with reverse DNS lookups) without sending a single probe, use the list scan:

# nmap -sL 192.168.1.1/24

Scan all hosts in a subnet except one IP:

# nmap 192.168.1.1/24 --exclude 192.168.1.1

Scan all hosts in a subnet except those listed in a file:

# nmap 192.168.1.1/24 --excludefile xxx.txt (the hosts listed in xxx.txt are excluded from the scan)

Scan only ports 80, 21 and 23 on a specific host:

# nmap -p 80,21,23 192.168.1.1
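To see exactly which hosts these target specifications cover before a scan is launched, here is an added example (not from the original article and not Nmap's own code) that re-implements the target expansion rules in Python: CIDR blocks, octet ranges such as 192.168.1.1-100, the whitespace-separated list format read by -iL and --excludefile, and --exclude. The file contents in the demo are constructed; target.txt and xxx.txt are the article's placeholder names.

```python
"""Expand Nmap-style target specifications the way the commands above use them.

Added example: not part of the original article and not Nmap code. It
re-implements the target-selection rules (single host, CIDR block, octet
range, -iL target file, --exclude / --excludefile) in plain Python so the host
list a scan would cover can be checked before any packet is sent. The file
contents in the demo are constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, List, Set

# One octet component of a range spec: "1", "1-100" or "*"
_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$|^(\*)$")


def _expand_octet(part: str) -> range:
    """'1' -> 1..1, '1-100' -> 1..100, '*' -> 0..255."""
    m = _OCTET.match(part)
    if m is None:
        raise ValueError(f"bad octet component: {part!r}")
    if m.group(3):
        return range(0, 256)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet out of range: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into dotted-quad strings.

    '192.168.1.2'      -> that host
    '192.168.1.0/24'   -> all 256 addresses (Nmap scans .0 and .255 as well)
    '192.168.1.1-100'  -> .1 through .100
    anything else      -> returned unchanged (a hostname Nmap would resolve)
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)  # 192.168.1.1/24 -> 192.168.1.0/24
        return [str(addr) for addr in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        r = [_expand_octet(p) for p in parts]
        return [f"{a}.{b}.{c}.{d}" for a in r[0] for b in r[1] for c in r[2] for d in r[3]]
    return [spec]


def parse_target_list(text: str) -> List[str]:
    """Parse the contents of an -iL or --excludefile list: specs separated by
    whitespace or newlines; '#' starts a comment."""
    specs: List[str] = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_list(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Equivalent of 'nmap <specs> --exclude <exclude>': expand every spec, drop
    every address any exclude spec expands to, and remove duplicates while
    keeping first-seen order."""
    excluded: Set[str] = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    seen: Set[str] = set()
    targets: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                targets.append(addr)
    return targets


if __name__ == "__main__":
    # Constructed stand-ins for the article's target.txt and xxx.txt
    target_txt = "192.168.1.2 192.168.1.5\n# gateway range\n192.168.1.250-254\n"
    exclude_txt = "192.168.1.1\n192.168.1.254\n"
    hosts = build_target_list(parse_target_list(target_txt) + ["192.168.1.0/30"],
                              exclude=parse_target_list(exclude_txt))
    print(len(hosts), "hosts:", hosts)
```

Two details worth knowing: a /24 expands to all 256 addresses, network and broadcast included, which is what Nmap scans too; and an address in an exclude file is removed wherever it appears, so a production gateway listed there once stays out of every scan that reuses the file.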

That covers the basics of Nmap; below we go deeper into its scanning techniques.

TCP SYN Scan (-sS)

This is the basic scanning method, also called half-open scanning, because Nmap learns the port state without completing the TCP handshake. Nmap sends a SYN packet to the target port: a SYN/ACK reply means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable error) means it is filtered. Nmap then tears the half-open connection down with a RST instead of completing it, so no TCP session is ever established and the application listening on the port never sees a connection. That is the advantage of the SYN scan: it is fast, and the application itself has nothing to log. It is not invisible, though: a firewall, an IDS or kernel-level connection logging on the target sees the SYN packets perfectly well.

If no scan type is given, TCP SYN is the default, but it requires root/administrator privileges because it builds raw packets.

# nmap -sS 192.168.1.1

TCP connect() Scan (-sT)

If a SYN scan is not possible (typically because you are not root), the TCP connect() scan is the default. Unlike the SYN scan it completes the full three-way handshake by calling the operating system's connect() function, just as any client program would, so it needs no special privileges. The price is that the target application accepts a real connection and can log it, and the scan is slower. The connect() scan applies to TCP ports only.

# nmap -sT 192.168.1.1

UDP Scan (-sU)

As the name implies, this technique looks for UDP ports open on the target host. No SYN packets are involved because UDP has no handshake. The scan sends a UDP packet to each port and waits for a response: an ICMP port unreachable error (type 3, code 3) means the port is closed; other ICMP unreachable errors mean it is filtered; a UDP reply means it is open; and no response at all is reported as open|filtered, because an open service that ignores the probe is indistinguishable from a firewall dropping it. Since most operating systems rate-limit ICMP error messages, UDP scans are slow.

# nmap -sU 192.168.1.1
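The difference between a connect() scan and a UDP scan is easiest to see in code. The following is an added example, not code from the article or from Nmap: it implements the port-state rules of -sT and -sU with ordinary sockets against listeners it starts itself on 127.0.0.1, so it runs offline and without root. The listener ports are picked by the operating system at run time, and the closed-port behaviour assumes Linux, where a connected UDP socket reports an ICMP port unreachable as ECONNREFUSED.

```python
"""What a connect() scan (-sT) and a UDP scan (-sU) actually do, in plain Python.

Added example; not code from the article or from Nmap. It reproduces the port-state
rules of the two scan types against listeners it starts itself on 127.0.0.1, so it
runs offline and without root: a connect() scan needs no raw sockets, which is why
Nmap falls back to it for unprivileged users. Ports are picked by the OS at run time.
Assumption: Linux semantics, where a connected UDP socket surfaces an ICMP port
unreachable as ECONNREFUSED on the next recv().
"""
import socket
import threading
from typing import Dict, Iterable

TIMEOUT = 0.5        # seconds; Nmap adapts its timeouts, a fixed value is enough locally
_LISTENERS: list = []  # keeps the demo's listening sockets alive (otherwise GC closes them)


def tcp_connect_scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """-sT: full three-way handshake via connect(). open: handshake completed (a real
    connection the target can log); closed: RST came back; filtered: silence."""
    states: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(TIMEOUT)
        try:
            s.connect((host, port))
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except OSError:  # socket.timeout is an OSError: the SYN was dropped
            states[port] = "filtered"
        finally:
            s.close()
    return states


def udp_scan(host: str, ports: Iterable[int], payload: bytes = b"") -> Dict[int, str]:
    """-sU: one datagram per port, then wait. open: UDP reply; closed: ICMP port
    unreachable (type 3 code 3); filtered: other ICMP unreachable; open|filtered:
    silence, since an open service ignoring the probe looks like a firewall drop."""
    states: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(TIMEOUT)
        try:
            s.connect((host, port))  # connected: the kernel reports ICMP errors to this socket
            s.send(payload)
            s.recv(1024)
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except socket.timeout:
            states[port] = "open|filtered"
        except OSError:
            states[port] = "filtered"
        finally:
            s.close()
    return states


def _udp_echo(srv: socket.socket) -> None:
    """Tiny UDP service for the demo: answers every datagram so its port reads as open."""
    while True:
        try:
            data, peer = srv.recvfrom(1024)
            srv.sendto(b"echo:" + data, peer)
        except OSError:
            break


def start_listener(kind: int) -> int:
    """Open a throwaway listener on 127.0.0.1 and return its port. For TCP the kernel
    completes handshakes on a listening socket by itself, so no accept() loop is needed."""
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))
    _LISTENERS.append(srv)
    if kind == socket.SOCK_STREAM:
        srv.listen(8)
    else:
        threading.Thread(target=_udp_echo, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def free_port(kind: int) -> int:
    """Bind and release a port so that, with high probability, nothing listens on it."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> Dict[str, str]:
    """Scan one open and one closed port of each kind; returns the states by label."""
    tcp_open, tcp_closed = start_listener(socket.SOCK_STREAM), free_port(socket.SOCK_STREAM)
    udp_open, udp_closed = start_listener(socket.SOCK_DGRAM), free_port(socket.SOCK_DGRAM)
    tcp = tcp_connect_scan("127.0.0.1", [tcp_open, tcp_closed])
    udp = udp_scan("127.0.0.1", [udp_open, udp_closed], payload=b"probe")
    return {"tcp_open": tcp[tcp_open], "tcp_closed": tcp[tcp_closed],
            "udp_open": udp[udp_open], "udp_closed": udp[udp_closed]}


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:10s} {state}")
```

Run it and the TCP ports come back open and closed, as do the UDP ones. Point udp_scan at a real service that ignores an empty datagram and you get open|filtered instead, which is the everyday result of -sU and the reason Nmap sends protocol-specific payloads to well-known UDP ports.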

FIN Scan (-sF)

Sometimes a TCP SYN scan is not the best choice because of a firewall. The target may be protected by IDS and IPS systems, and the firewall may drop SYN packets to filtered ports. A packet with only the FIN flag set does not start a TCP handshake, so a simple stateless filter that only blocks SYN packets lets it through. Per RFC 793 a closed port answers such a packet with a RST, while an open port ignores it; because a firewall dropping the packet also produces silence, open ports are reported as open|filtered.

# nmap -sF 192.168.1.8
Starting Nmap 5.51 at 2012-07-08 19:21 PKT
Nmap scan report for 192.168.1.8
Host is up (0.000026s latency).
Not shown: 999 closed ports
PORT    STATE         SERVICE
111/tcp open|filtered rpcbind

Like the SYN scan, a FIN scan never establishes a connection, so the application on the target has nothing to log (an IDS can still flag the packets). The three stealth scans differ only in the flags they set: the FIN scan (-sF) sends packets with only the FIN flag, the NULL scan (-sN) sends packets with no flags set at all, and the Xmas scan (-sX) sets FIN, PSH and URG. All three rely on RFC 793 behaviour, so they do not work against systems such as Microsoft Windows that send a RST regardless of port state; there every port appears closed.

Ping Scan (-sP)

The ping scan differs from the other scan types in that it only finds out whether hosts are present on the network; it does not look at ports. In newer Nmap versions -sP has been renamed -sn (the old name still works). With root privileges Nmap uses ARP requests on the local network and, for remote hosts, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; without root it falls back to connect() calls to ports 80 and 443.

# nmap -sP 192.168.1.1

Version Detection (-sV)

Version detection identifies the software and version running behind each port on the target host. Unlike the other techniques it does not itself find open ports: it connects to the ports a port scan has found open, reads banners and sends probes to determine the software and its version. So a port scan runs first (the SYN scan by default) and version detection is then applied to the open ports.

# nmap -sV 192.168.1.1

Idle Scan (-sI)

The idle scan is an advanced technique that never sends a packet to the target from your real IP address; instead it bounces the scan off another host (the zombie) on the target network, and the target only ever sees the zombie's address. The option is -sI (the -sL seen earlier is the list scan, which is unrelated).

# nmap -sI 192.168.1.6 192.168.1.1

Idle scan is as close to anonymous as scanning gets: here it uses 192.168.1.6 on the target network as the zombie to probe 192.168.1.1 and learns 192.168.1.1's open ports from the changes in the zombie's IP ID counter. It requires a zombie that is genuinely idle and uses a predictable, incrementing IP ID.
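The IP ID arithmetic behind the idle scan is short enough to simulate. The following is an added example, a pure-Python model rather than Nmap code: it plays all three roles (attacker, zombie and target) in memory without sending any packets, using made-up addresses and a made-up starting IP ID, and shows why a port reads as open when the zombie's counter advances by 2, closed|filtered when it advances by 1, and why a busy zombie gives unreliable results.

```python
"""How an idle (zombie) scan infers a port's state from a third host's IP ID counter.

Added example: a pure-Python simulation, not Nmap code, and it sends no packets.
Addresses, port numbers and the starting IP ID are made up. What it shows is the
arithmetic behind nmap -sI: the zombie's IP ID counter goes up by one for every
packet it sends, so the attacker can count the packets the zombie emitted while
unknowingly answering the target on the attacker's behalf.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "SYN", "SYN/ACK" or "RST"
    ipid: int = 0


@dataclass
class Zombie:
    """An idle host whose IP ID is one global counter (the classic requirement).
    'noise' models other traffic the zombie sends per received packet; a non-zero
    value is what makes a busy host useless as a zombie."""
    addr: str
    ipid: int = 1000
    noise: int = 0

    def receive(self, pkt: Packet) -> Optional[Packet]:
        self.ipid += self.noise
        if pkt.flags == "SYN/ACK":          # unexpected SYN/ACK: answer RST, consuming one ID
            self.ipid += 1
            return Packet(self.addr, pkt.src, 0, "RST", self.ipid)
        return None                         # an unsolicited RST is dropped silently


@dataclass
class Target:
    addr: str
    open_ports: Set[int] = field(default_factory=set)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.flags != "SYN":
            return None
        flags = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
        return Packet(self.addr, pkt.src, 0, flags)   # reply goes to the (spoofed) source


def probe_zombie_ipid(zombie: Zombie, attacker: str) -> int:
    """Send the zombie a SYN/ACK it never asked for; its RST carries its current IP ID."""
    reply = zombie.receive(Packet(attacker, zombie.addr, 0, "SYN/ACK"))
    return reply.ipid


def idle_scan_port(attacker: str, zombie: Zombie, target: Target, port: int) -> str:
    """One port of 'nmap -sI <zombie> <target>'. The target only ever sees the zombie."""
    before = probe_zombie_ipid(zombie, attacker)
    target_reply = target.receive(Packet(zombie.addr, target.addr, port, "SYN"))  # forged source
    if target_reply is not None:
        zombie.receive(target_reply)   # SYN/ACK -> zombie sends RST (+1); RST -> ignored (+0)
    after = probe_zombie_ipid(zombie, attacker)
    delta = after - before
    if delta == 2:
        return "open"              # one RST to the target plus one RST to us
    if delta == 1:
        return "closed|filtered"   # only our own probe moved the counter
    return "unreliable"            # zombie is not idle; Nmap would look for another one


def simulate(open_ports: Iterable[int], ports: Iterable[int], noise: int = 0) -> Dict[int, str]:
    """Scan 'ports' on a target with the given open ports through a fresh zombie."""
    zombie = Zombie("192.168.1.6", noise=noise)
    target = Target("192.168.1.1", set(open_ports))
    return {p: idle_scan_port("10.0.0.99", zombie, target, p) for p in ports}


if __name__ == "__main__":
    print(simulate({22, 80}, [22, 80, 443]))   # 22 and 80 open, 443 closed|filtered
    print(simulate({22}, [22], noise=3))       # busy zombie: unreliable
```

Note that a filtered port and a closed port look identical to the attacker (the zombie's counter moves by 1 either way), which is why Nmap reports closed|filtered for an idle scan rather than distinguishing the two.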

Other scanning techniques exist as well, such as the FTP bounce scan, the fragmentation scan and the IP protocol scan; the ones discussed above are the most important.

Nmap OS Detection (-O)

One of Nmap's most important features is remote detection of the operating system and software. In a penetration test, knowing the remote host's operating system and software lets you look up its known vulnerabilities. Nmap ships a database called nmap-os-db which, at the time this article was written, contained more than 2600 operating system fingerprints. Nmap sends a series of TCP, UDP and ICMP probes to the target and compares the responses against the fingerprints in the database.

Initiating SYN Stealth Scan at 10:21
Scanning localhost (www.nxadmin.com) [Ports]
Discovered open port 111/tcp on www.nxadmin.com
Completed SYN Stealth Scan at 10:21, 0.08s elapsed (all ports)
Initiating OS Detection (try #1) against localhost (www.nxadmin.com)
Retrying OS Detection (try #2) against localhost (www.nxadmin.com)

The example above clearly shows that Nmap first discovers an open port and then sends its probes to identify the remote operating system. The operating system detection option is -O (capital O).

Nmap's operating system fingerprinting reports:

Device type (router, general purpose, etc.)
Running (the operating system family)
OS details (name and version of the operating system)
Network distance (the number of hops between the attacker and the target)

If the remote host sits behind a firewall, IDS or IPS, use the -Pn option (written -P0 in older versions) to skip host discovery, because firewalls frequently block ping requests. -Pn tells Nmap not to ping the remote host and to treat it as up.

# nmap -O -Pn 192.168.1.1/24

The command above tells Nmap to assume every host in the range is alive, so no ping (host discovery) probes are sent. -Pn only skips the discovery step; the port scan and the OS detection run as usual.

Nmap's OS detection relies on having both an open and a closed port to probe. If it cannot find at least one of each, it prints the following warning:

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

That is, the OS scan results are unreliable because no open port, or no closed port, could be found.

This usually means the remote host is well protected (firewalled) against OS detection. When scanning many hosts, --osscan-limit tells Nmap to skip OS detection on any host that does not meet the one-open-and-one-closed-port condition, which saves a lot of time.

When Nmap cannot find an exact fingerprint match, it can be asked to guess: --osscan-guess (or its alias --fuzzy) makes Nmap print the closest matches for the target's operating system.

# nmap -O --osscan-guess 192.168.1.1

Summary

Nmap is a very powerful tool that covers the first phase of a penetration test, information gathering and enumeration. This article has explained the use of the Nmap scanner from beginner to advanced. I hope it helps you.
