THM – NMAP Documentation and Commands – Part 13

Byaghanim

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing.

NMAP Live Host Discovery

Scan TypeExample Command
ARP Scansudo nmap -PR -sn MACHINE_IP/24
ICMP Echo Scansudo nmap -PE -sn MACHINE_IP/24
ICMP Timestamp Scansudo nmap -PP -sn MACHINE_IP/24
ICMP Address Mask Scansudo nmap -PM -sn MACHINE_IP/24
TCP SYN Ping Scansudo nmap -PS22,80,443 -sn MACHINE_IP/30
TCP ACK Ping Scansudo nmap -PA22,80,443 -sn MACHINE_IP/30
UDP Ping Scansudo nmap -PU53,161,162 -sn MACHINE_IP/30

Remember to add -sn if you are only interested in host discovery without port-scanning. Omitting -sn will let Nmap default to port-scanning the live hosts.

OptionPurpose
-nno DNS lookup
-Rreverse-DNS lookup for all hosts
-snhost discovery only

NMAP Basic Port Scans

  1. Open: indicates that a service is listening on the specified port.
  2. Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
  3. Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
  4. Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.
  5. Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
  6. Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.

TCP Flags

  1. URG: Urgent flag indicates that the urgent pointer filed is significant. The urgent pointer indicates that the incoming data is urgent, and that a TCP segment with the URG flag set is processed immediately without consideration of having to wait on previously sent TCP segments.
  2. ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
  3. PSH: Push flag asking TCP to pass the data to the application promptly.
  4. RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
  5. SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
  6. FIN: The sender has no more data to send.

Timings

TimingsDescription
T0paranoid (0)
T1sneaky (1)
T2polite (2)
T3normal (3)
T4aggressive (4)
T5insane (5)

Summary

Port Scan TypeExample Command
TCP Connect Scannmap -sT MACHINE_IP
TCP SYN Scansudo nmap -sS MACHINE_IP
UDP Scansudo nmap -sU MACHINE_IP

These scan types should get you started discovering running TCP and UDP services on a target host.

OptionPurpose
-p-all ports
-p1-1023scan ports 1 to 1023
-F100 most common ports
-rscan ports in consecutive order
-T<0-5>-T0 being the slowest and T5 the fastest
–max-rate 50rate <= 50 packets/sec
–min-rate 15rate >= 15 packets/sec
–min-parallelism 100at least 100 probes in parallel

NMAP Advanced Port Scans

Port Scan TypeExample Command
TCP Null Scansudo nmap -sN MACHINE_IP
TCP FIN Scansudo nmap -sF MACHINE_IP
TCP Xmas Scansudo nmap -sX MACHINE_IP
TCP Maimon Scansudo nmap -sM MACHINE_IP
TCP ACK Scansudo nmap -sA MACHINE_IP
TCP Window Scansudo nmap -sW MACHINE_IP
Custom TCP Scansudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP
Spoofed Source IPsudo nmap -S SPOOFED_IP MACHINE_IP
Spoofed MAC Address--spoof-mac SPOOFED_MAC
Decoy Scannmap -D DECOY_IP,ME MACHINE_IP
Idle (Zombie) Scansudo nmap -sI ZOMBIE_IP MACHINE_IP
Fragment IP data into 8 bytes-f
Fragment IP data into 16 bytes-ff
OptionPurpose
--source-port PORT_NUMspecify source port number
--data-length NUMappend random data to reach given length

These scan types rely on setting TCP flags in unexpected ways to prompt ports for a reply. Null, FIN, and Xmas scan provoke a response from closed ports, while Maimon, ACK, and Window scans provoke a response from open and closed ports.

OptionPurpose
–reasonexplains how Nmap made its conclusion
-vverbose
-vvvery verbose
-ddebugging
-ddmore details for debugging

NMAP Post Port Scans

OptionMeaning
-sVdetermine service/version info on open ports
-sV –version-lighttry the most likely probes (2)
-sV –version-alltry all available probes (9)
-Odetect OS
–tracerouterun traceroute to target
–script=SCRIPTSNmap scripts to run
-sC or –script=defaultrun default scripts
-Aequivalent to -sV -O -sC --traceroute
-oNsave output in normal format
-oGsave output in grepable format
-oXsave output in XML format
-oAsave output in normal, XML and Grepable formats

Similar Posts

  • THM – Active Directory Basics – Part 18

    Byaghanim

    This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsIntroductionPhysical Active DirectoryThe ForestUsers + GroupsTrusts + PoliciesActive Directory Domain Services + Authentication Introduction Active Directory is the directory service for…

  • THM – File Inclusion – Part 8

    Byaghanim

    This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsIntroductionWhat is File inclusion?Why do File inclusion vulnerabilities happen?What is the risk of File inclusion?Path TraversalPath traversalWhat function causes path traversal vulnerabilities in PHP?Local File Inclusion – LFILocal…

  • THM – Windows Privilege Escalation – Part 16

    Byaghanim

    This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsIntroductionInformation GatheringPermissionsUser enumerationCollection System InformationSearching filesCommand breakdown:Path LevelNetwork ConnectionsScheduled TasksDriversAntivirusTools of the tradeWinPEASPowerUpWindows Exploit SuggesterMetasploitVulnerable SoftwareDLL HijackingIntroduction to DLL FilesFinding DLL Hijacking VulnerabilitiesCreating a malicious DLL fileUnquoted Service…

  • THM – How Websites Work – Part 9

    Byaghanim

    Table Of ContentsHow websites work HTML JavaScript Sensitive Data Exposure HTML Injection  How websites work  When you visit a website, your browser makes a request to a web server asking for information about the page you’re visiting and will respond with data that your browser uses to show you the page; a web server is just a dedicated computer that handles your requests.  …

  • THM – Command Injection – Part 11

    Byaghanim

    This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsWhat is Command Injection?Discovering Command InjectionExploiting Command InjectionDetecting Blind Command InjectionLinux WindowsRemediating Command InjectionVulnerable FunctionsInput sanitisationBypassing FiltersPractical: Command InjectionWhat user is this application running as?What are the contents of…

  • THM – Upload Vulnerabilities – Part 13

    Byaghanim

    This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsIntroductionMethodology – EnumerationOverwriting Existing FilesRemote Code ExecutionFilteringClient-side filteringServer-side filteringExtension ValidationFile Type FilteringFile Length FilteringFile Name FilteringFile Content FilteringBypassing Client-side FilteringBypassing Server-Side…