TRY_HACK_ME : NMAP
Last updated
Ports are like designated gateways on a computer or network device that allow different applications and services to communicate with each other. Think of a port as a specific door through which data travels in and out of a device. Computers use ports to organize and manage the flow of information between various programs and services.
Each port is assigned a unique number, ranging from 1 to 65535, to help ensure that data reaches the correct destination. Ports are categorized into three main types: well-known ports (0-1023), registered ports (1024-49151), and dynamic or private ports (49152-65535). Well-known ports are typically associated with widely used services, such as port 80 for HTTP (web browsing) and port 22 for SSH (secure shell).
When data is sent over the internet, it's divided into packets, and each packet is labeled with a port number. The receiving device uses this port number to determine which application or service should handle the incoming data. Understanding and managing ports is crucial for maintaining secure and efficient communication between different devices and services on a network.
Nmap, short for Network Mapper, is an open-source, command-line tool widely used for network exploration and security auditing. It allows users to discover devices connected to a network, identify the services they offer, and gather information about their operating systems. This information is crucial for various purposes, including:
Network administrators: They can use Nmap to gain a complete picture of their network infrastructure, identify potential security vulnerabilities, and ensure smooth operation.
Security professionals: Nmap empowers them to conduct vulnerability assessments, penetration testing, and security audits, helping to identify and mitigate potential threats.
Ethical hackers: With permission, ethical hackers leverage Nmap to test the security of systems and discover weaknesses that can be addressed before attackers exploit them.
Key functionalities of Nmap:
Host discovery: It can scan networks to identify active devices, including computers, servers, routers, and other network appliances.
Service identification: Nmap can determine the services running on each device, such as web servers, email servers, and file sharing services.
Operating system detection: It can often identify the operating system running on a device, providing valuable insights into its potential vulnerabilities.
Port scanning: Nmap can scan specific ports on devices to determine their status (open, closed, filtered) and identify the protocols used.
Vulnerability scanning: While not its primary function, certain Nmap scripts can perform basic vulnerability scanning, highlighting potential weaknesses.
nmap
nmap -h : shows what the command does and how to use it
man nmap : the manual page for nmap
1. Basic Host Discovery:
nmap <target> : Scans a single host or IP address for basic information like active ports and device name.
nmap -sP <target> : Performs a ping sweep to identify live hosts on a network range.
nmap -sn <target> : Similar to the above, but excludes service detection for faster scans.
2. Port Scanning and Service Identification:
nmap -T4 <target> : Performs a fast TCP scan identifying open ports and associated services.
nmap -sS <target> : Conducts a slower and more thorough TCP SYN scan for detailed service information.
nmap -sU <target> : Focuses on UDP port scanning, often used for services like DNS and DHCP.
3. Operating System Detection (OS Detection):
nmap -O <target> : Attempts to identify the operating system running on a device based on various analysis techniques.
nmap -A <target> : Runs an aggressive scan encompassing OS detection, version detection, script scanning for vulnerabilities, and more.
4. Advanced Customization:
nmap -p <port range> <target> : Scans specific port ranges for open ports and services.
nmap --exclude <IP address> : Excludes specific hosts or IP addresses from the scan.
nmap -oN <filename> <target> : Saves scan results in a specified format (e.g., normal text) for future reference.
Three basic scans:
TCP Connect Scans (-sT)
SYN "Half-open" Scans (-sS)
UDP Scans (-sU)
TCP connections are set up with a three-way handshake:
Initiating connection: the attacking machine sends a TCP packet with the SYN flag to the target server.
Acknowledgment by server: the target server responds with a TCP packet containing the SYN and ACK flags.
Completing handshake: the attacking machine finalizes the connection by sending a TCP packet with the ACK flag.
We can simply make our firewall decline the incoming request by using the command:
SYN scans are very similar to TCP Connect scans. SYN scans are often referred to as "half-open" or "stealth" scans. The difference is that SYN scans do not perform a full three-way handshake: in the third step they send back a RST TCP packet instead of an ACK. This prevents the server from repeatedly retrying the request.
This can have different advantages:
Avoids detection. Some older intrusion detection systems are only looking for a full three-way handshake.
Avoids logging. Standard practice is to log a connection once it has been fully established.
Quicker. Because we do not bother to establish a full connection, we increase port scan speed.
There are also two disadvantages:
They require sudo permissions.
They can bring down unstable services.
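Added example (not from the TryHackMe room or the nmap project) showing the "avoids logging" point from the server's side: a toy model of one listening port's state machine, driven once by a connect-style probe (SYN, SYN/ACK, ACK) and once by a SYN-style probe (SYN, SYN/ACK, RST). Only the completed handshake reaches the application, so only it appears in the service's own log. The last function is a network-level detection that a defender can run over firewall or capture records instead: it counts, per source, handshakes that were started and then aborted with RST. The packet tuples, addresses and threshold are constructed for the example.

```python
from collections import Counter


class ListeningPort:
    """Server side of one TCP port: LISTEN -> SYN_RECEIVED -> ESTABLISHED, or back to LISTEN on RST."""

    def __init__(self, listening=True):
        self.state = "LISTEN" if listening else "CLOSED"
        self.app_log = []   # what the service's own log (sshd, httpd, ...) would record

    def receive(self, flags):
        flags = frozenset(flags)
        if self.state == "CLOSED":
            return frozenset({"RST", "ACK"})      # closed port: the kernel answers a SYN with RST
        if self.state == "LISTEN" and flags == {"SYN"}:
            self.state = "SYN_RECEIVED"           # half-open entry in the kernel's SYN backlog
            return frozenset({"SYN", "ACK"})
        if self.state == "SYN_RECEIVED":
            if flags == {"ACK"}:
                self.state = "ESTABLISHED"        # accept() returns; the application sees and logs it
                self.app_log.append("connection accepted")
            elif "RST" in flags:
                self.state = "LISTEN"             # backlog entry discarded; the application never knows
        return None


def tcp_connect_probe(port):
    """-sT style: the OS completes the handshake (SYN, SYN/ACK, ACK) before the scanner closes."""
    reply = port.receive({"SYN"})
    if reply == {"SYN", "ACK"}:
        port.receive({"ACK"})
        return "open"
    return "closed"


def syn_probe(port):
    """-sS style: raw SYN; decide from the reply and tear a SYN/ACK down with RST."""
    reply = port.receive({"SYN"})
    if reply == {"SYN", "ACK"}:
        port.receive({"RST"})
        return "open"
    return "closed"


# Constructed packet records as a firewall log or capture would show them: (source, dest port, flags).
SAMPLE_PACKETS = [
    ("203.0.113.5", 443, ("SYN",)),      # a normal client...
    ("203.0.113.5", 443, ("ACK",)),      # ...completes its handshake
    ("198.51.100.7", 21, ("SYN",)),      # a half-open scanner hits six ports
    ("198.51.100.7", 22, ("SYN",)),
    ("198.51.100.7", 25, ("SYN",)),
    ("198.51.100.7", 80, ("SYN",)),
    ("198.51.100.7", 443, ("SYN",)),
    ("198.51.100.7", 3306, ("SYN",)),
    ("198.51.100.7", 22, ("RST",)),      # and resets the five that answered SYN/ACK
    ("198.51.100.7", 25, ("RST",)),
    ("198.51.100.7", 80, ("RST",)),
    ("198.51.100.7", 443, ("RST",)),
    ("198.51.100.7", 3306, ("RST",)),
]


def half_open_scan_sources(packets, threshold=5):
    """Sources that opened at least `threshold` handshakes to distinct ports and aborted them with RST."""
    flow = {}                                    # (src, dport) -> "syn" | "established" | "half_open"
    for src, dport, flags in packets:
        f, key = frozenset(flags), (src, dport)
        if f == {"SYN"}:
            flow.setdefault(key, "syn")
        elif flow.get(key) == "syn":
            if f == {"ACK"}:
                flow[key] = "established"
            elif "RST" in f:
                flow[key] = "half_open"
    per_source = Counter(src for (src, _), s in flow.items() if s == "half_open")
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    a, b = ListeningPort(), ListeningPort()
    print(tcp_connect_probe(a), a.app_log)    # open ['connection accepted']
    print(syn_probe(b), b.app_log)            # open []
    print(half_open_scan_sources(SAMPLE_PACKETS))
```

The takeaway for detection is that application logs are the wrong place to look for half-open scans; the evidence lives in kernel or firewall connection tracking, which is what the last function models.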
UDP scans, in contrast to TCP, operate without establishing a formal state through a three-way handshake. The stateless nature of UDP connections allows for quick transmission but introduces challenges in verification due to the absence of guarantees in packet delivery.
Executing UDP Scans with Nmap:
Nmap facilitates UDP scans using the -sU switch. Given the inherent slowness of UDP scans, optimization is achieved by employing --top-ports, as demonstrated in the command nmap -sU --top-ports 20 <target>. This approach focuses on scanning the 20 most common ports, enhancing speed and efficiency.
Analyzing UDP Responses:
In UDP scans, open ports typically yield no response, leading Nmap to infer that the port is either open or filtered, possibly indicating the presence of a firewall. Conversely, closed ports trigger a response in the form of an ICMP (ping) packet, signaling port unreachability. However, responses from closed UDP ports are infrequent, underscoring the complexities associated with UDP scanning.
NULL, FIN and Xmas TCP port scans are not used as commonly as the previously discussed port scan types. What these three scan types have in common are that they are even stealthier than a SYN scan.
As the name suggests, NULL scans (-sN) are when the TCP request is sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.
FIN scans (-sF) work in an almost identical fashion; however, instead of sending a completely empty packet, a request is sent with the FIN flag set. Once again, Nmap expects a RST if the port is closed.
As with the other two scans in this class, Xmas scans (-sX) send a malformed TCP packet and expect a RST response for closed ports.
The expected response for open ports with these scans is also identical, and is very similar to that of a UDP scan. If the port is open then there is no response to the malformed packet. Unfortunately (as with open UDP ports), that is also an expected behavior if the port is protected by a firewall, so NULL, FIN and Xmas scans will only ever identify ports as being open|filtered, closed, or filtered. If a port is identified as filtered with one of these scans then it is usually because the target has responded with an ICMP unreachable packet.
That said, the goal here is, of course, firewall evasion. Many firewalls are configured to drop incoming TCP packets to blocked ports which have the SYN flag set (thus blocking new connection initiation requests). By sending requests which do not contain the SYN flag, we effectively bypass this kind of firewall. However, most modern IDS solutions can deal with these scan types.
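Added example (not from the TryHackMe room or the nmap project) that pulls together the response rules from the UDP and NULL/FIN/Xmas sections above: one function maps the reply to a single probe onto the state Nmap would report (open, closed, filtered, open|filtered) for SYN/connect, UDP and NULL/FIN/Xmas scans, and two small firewall functions contrast the "drop SYN to blocked ports" rule described in the last paragraph with a stateful rule that only lets a bare SYN to a permitted port open a flow. The tuple encoding of replies, the set of ICMP unreachable codes treated as filtered, and the BLOCKED_PORTS policy are assumptions of this example.

```python
# ICMP (type, code) pairs read as "a filter dropped the probe": destination unreachable with
# host (1), protocol (2), port (3), network-admin-prohibited (9), host-admin-prohibited (10)
# and communication-admin-prohibited (13). Assumed set for this example.
UNREACHABLE_FILTERED = {(3, 1), (3, 2), (3, 3), (3, 9), (3, 10), (3, 13)}


def infer_port_state(scan, reply):
    """Map one probe's reply to the port state reported.

    scan  : 'sS', 'sT', 'sU', 'sN', 'sF' or 'sX' (the nmap switch without the dash)
    reply : None (nothing came back before the timeout),
            ('tcp', frozenset_of_flags), ('udp', None) for a UDP payload,
            or ('icmp', type, code)
    """
    kind = None if reply is None else reply[0]
    icmp = (reply[1], reply[2]) if kind == "icmp" else None
    if scan in ("sS", "sT"):
        if kind == "tcp" and {"SYN", "ACK"} <= reply[1]:
            return "open"
        if kind == "tcp" and "RST" in reply[1]:
            return "closed"
        return "filtered"          # silence or ICMP unreachable: something in the path dropped it
    if scan == "sU":
        if kind == "udp":
            return "open"
        if icmp == (3, 3):
            return "closed"        # port unreachable is the only positive "closed" signal for UDP
        if icmp in UNREACHABLE_FILTERED:
            return "filtered"
        return "open|filtered"     # silence: an open service that ignored us, or a firewall
    if scan in ("sN", "sF", "sX"):
        if kind == "tcp" and "RST" in reply[1]:
            return "closed"
        if icmp in UNREACHABLE_FILTERED:
            return "filtered"
        return "open|filtered"     # same ambiguity as UDP: no reply from open ports either
    raise ValueError(f"unsupported scan type {scan!r}")


BLOCKED_PORTS = {23, 3389}         # constructed policy: ports that must not accept new connections


def stateless_firewall(dport, flags):
    """The rule from the text: drop SYN packets to blocked ports, pass everything else."""
    return "drop" if dport in BLOCKED_PORTS and "SYN" in flags else "pass"


def stateful_firewall(dport, flags, established_ports):
    """Mitigation: a packet must belong to a tracked connection, or be a bare SYN to a permitted port."""
    if dport in established_ports:
        return "pass"
    if frozenset(flags) == {"SYN"} and dport not in BLOCKED_PORTS:
        return "pass"
    return "drop"                  # NULL/FIN/Xmas probes and SYNs to blocked ports never reach the host


if __name__ == "__main__":
    print(infer_port_state("sU", None))                       # open|filtered
    print(infer_port_state("sX", ("tcp", frozenset({"RST", "ACK"}))))   # closed
    null_probe = frozenset()                                  # NULL scan packet: no flags at all
    print(stateless_firewall(3389, null_probe), stateful_firewall(3389, null_probe, set()))  # pass drop
```

The firewall pair is the whole point of the "most modern IDS solutions can deal with these scan types" sentence: once a filter tracks connection state, a packet with no SYN that belongs to no flow is simply invalid, regardless of which flags it carries.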
When initiating a connection to a system, the primary goal is to acquire a network map that outlines the structure of the network. Essentially, we aim to identify which IP addresses host active hosts and which ones do not. Nmap efficiently accomplishes this task by executing a "ping sweep." In this process, Nmap dispatches ICMP packets to each conceivable IP address within the specified network range. Upon receiving a response, the corresponding address is recognized as active or "alive."
To execute a ping sweep with Nmap, the -sn switch is employed in conjunction with specified IP ranges. This method provides a quick and effective means of mapping the live hosts on the network by leveraging ICMP packets to ascertain their responsiveness.
NSE (Nmap Scripting Engine) in Nmap is a powerful feature that allows users to automate tasks during network scanning. Written in Lua, these scripts cover various categories such as discovery, exploitation, and vulnerability scanning. Users can customize scans, integrating specific scripts to gather detailed information about services, versions, and potential vulnerabilities on a network. NSE scripts enhance Nmap's flexibility and functionality, providing a dynamic way to extend its capabilities and adapt scans to specific objectives. The collaborative nature of the Nmap community ensures a continually growing repository of scripts, making it a valuable tool for network exploration and security assessments.
To run a specific script, we would use --script=<script-name>
For example: --script=smb-enum-users,smb-enum-shares
Nmap stores its scripts on Linux at /usr/share/nmap/scripts