Introduction to Nmap and Portscanning

This post reviews usage of Nmap and demonstrates various use cases using Nmap command line options. This post uses practical scenarios covered in two TryHackMe rooms.

Room one

Room two

Get OSCP Certificate Notes

When it comes to hacking, knowledge is power. The more knowledge you have about a target system or network, the more options you have available. This makes it imperative that proper enumeration is carried out before any exploitation attempts are made.

Say we have been given an IP (or multiple IP addresses) to perform a security audit on. Before we do anything else, we need to get an idea of the “landscape” we are attacking. What this means is that we need to establish which services are running on the targets. For example, perhaps one of them is running a webserver, and another is acting as a Windows Active Directory Domain Controller. The first stage in establishing this “map” of the landscape is something called port scanning. When a computer runs a network service, it opens a networking construct called a “port” to receive the connection.  Ports are necessary for making multiple network requests or having multiple services available. For example, when you load several webpages at once in a web browser, the program must have some way of determining which tab is loading which web page. This is done by establishing connections to the remote webservers using different ports on your local machine. Equally, if you want a server to be able to run more than one service (for example, perhaps you want your webserver to run both HTTP and HTTPS versions of the site), then you need some way to direct the traffic to the appropriate service. Once again, ports are the solution to this. Network connections are made between two ports – an open port listening on the server and a randomly selected port on your own computer. For example, when you connect to a web page, your computer may open port 49534 to connect to the server’s port 443.

Every computer has a total of 65535 available ports; however, many of these are registered as standard ports. For example, a HTTP Webservice can nearly always be found on port 80 of the server. A HTTPS Webservice can be found on port 443. Windows NETBIOS can be found on port 139 and SMB can be found on port 445. It is important to note; however, that especially in a CTF setting, it is not unheard of for even these standard ports to be altered, making it even more imperative that we perform appropriate enumeration on the target.

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)
  • SYN “Half-open” Scans (-sS)
  • UDP Scans (-sU)

Additionally there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:

  • TCP Null Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP Xmas Scans (-sX)

Most of these (with the exception of UDP scans) are used for very similar purposes, however, the way that they work differs between each scan. This means that, whilst one of the first three scans are likely to be your go-to in most situations, it’s worth bearing in mind that other scan types exist.

The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality quite considerably. NSE Scripts are written in the Lua programming language, and can be used to do a variety of things: from scanning for vulnerabilities, to automating exploits for them. The NSE is particularly useful for reconnaisance, however, it is well worth bearing in mind how extensive the script library is.

There are many categories available. Some useful categories include:

  • safe:- Won’t affect the target
  • intrusive:- Not safe: likely to affect the target
  • vuln:- Scan for vulnerabilities
  • exploit:- Attempt to exploit a vulnerability
  • auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
  • brute:- Attempt to bruteforce credentials for running services
  • discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).

A more exhaustive list can be found here.

Firewall Evasion with Nmap

There are a variety of other switches which Nmap considers useful for firewall evasion. We will not go through these in detail, however, they can be found here.

The following switches are of particular note:

  • -f:- Used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS.
  • An alternative to -f, but providing more control over the size of the packets: --mtu <number>, accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
  • --scan-delay <time>ms:- used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
  • --badsum:- this is used to generate in invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

Answers to questions from room one

What networking constructs are used to direct traffic to the right application on a server?

How many of these are available on any network-enabled computer?

[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

First, how do you access the help menu?

Often referred to as a stealth scan, what is the first switch listed for a ‘Syn Scan’?

Not quite as useful but how about a ‘UDP Scan’?

What about operating system detection?

How about service version detection?

Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag?

What about ‘very verbose’? (A personal favorite)

Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format?

Aggressive scans can be nice when other scans just aren’t getting the output that you want and you really don’t care how ‘loud’ you are, what is the switch for enabling this?

How do I set the timing to the max level, sometimes called ‘Insane’?

What about if I want to scan a specific port?

How about if I want to scan every port?

What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run.

What if I want to run all scripts out of the vulnerability category?

What switch should I include if I don’t want to ping the host?

Let’s go ahead and start with the basics and perform a syn scan on the box provided. What will this command be without the host IP address?

After scanning this, how many ports do we find open under 1000?

What communication protocol is given for these ports following the port number?

Perform a service version detection scan, what is the version of the software running on port 22?

Perform an aggressive scan, what flag isn’t set under the results for port 80?

Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it’s good to still run this scan and get used to using it as it can be invaluable.

Answers to room two

Which RFC defines the appropriate behaviour for the TCP protocol?

If a port is closed, which flag should the server send back to indicate this?

There are two other names for a SYN scan, what are they?

Can Nmap use a SYN scan without Sudo permissions (Y/N)?

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?

Which of the three shown scan types uses the URG flag?

Why are NULL, FIN and Xmas scans generally used?

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
What language are NSE scripts written in?

Which category of scripts would be a very bad idea to run in a production environment?

What optional argument can the ftp-anon.nse script take?

Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?

Read through this script. What does it depend on?

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?

[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?

Does the target (MACHINE_IP)respond to ICMP (ping) requests (Y/N)?

Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?

There is a reason given for this — what is it?

Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!

Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?

Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.

Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Full Video Walk-Through