HTB CPTS: Study Session (NMAP - output, scripts, performance, timeouts)

What is Enumeration?
It is one of the most important parts of the penetration testing process.
It is the phase in which we identify all of the ways we could attack a target, so we must do our best work here.
Long story short: enumeration is collecting as much information as possible.
NMAP
Nmap is a tool for scanning, mapping, detecting and analyzing networks. On the technical side, this is how, for example, a TCP-SYN scan (-sS) works:
- If our target sends a SYN-ACK flagged packet back to us, Nmap detects that the port is open.
- If the target responds with an RST flagged packet, it is an indicator that the port is closed.
- If Nmap does not receive a packet back, it will display the port as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall.
The most effective host discovery method is to use ICMP echo requests.
A scan may not work because of a firewall. Later on we'll check how to evade firewalls and IDS/IPS.
The Connect scan (Full TCP Connect scan) is one of the least stealthy techniques, as it fully establishes a connection, which creates logs on most systems and is easily detected by modern IDS/IPS solutions.
There are 6 states that we can obtain from an NMAP scan:
| State | Description |
| --- | --- |
| open | This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations. |
| closed | When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not. |
| filtered | Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target. |
| unfiltered | This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed. |
| open \| filtered | Nmap cannot determine whether the port is open or filtered; this happens in scan types where an open port gives no response (for example UDP scans). |
| closed \| filtered | Nmap cannot determine whether the port is closed or filtered; this state only appears in the IP ID idle scan. |
Output formats
We can save nmap outputs in many different formats:
- Normal output (-oN) with the .nmap file extension
- Grepable output (-oG) with the .gnmap file extension
- XML output (-oX) with the .xml file extension
- Save the results in all formats: -oA
With the XML output, we can easily create HTML reports that are easy to read, even for non-technical people. This is later very useful for documentation, as it presents our results in a detailed and clear way.
To convert the stored results from XML format to HTML, we can use the tool xsltproc.
Service enumeration
It is really important to determine the application and its version as accurately as possible. We can use this information to scan for known vulnerabilities and analyze the source code for that version if we find it.
This information can help us to search for a more precise exploit that fits the service and the operating system of our target.
A quick port scan is a good way to do it, because if we run more sophisticated scans, an IDS can spot us and block our IP.
sudo nmap IP_ADDRESS_TO_SCAN -p- -sV
-p- - scans all 65535 TCP ports
-sV - gives us the versions of the detected services
I bet you like to see progress happening. To do this, we can use the --stats-every option.
| Scanning Options | Description |
| --- | --- |
| --stats-every=5s | Shows the progress of the scan every 5 seconds. |
Scripting in NMAP
Nmap also supports scripting. There are a total of 14 categories into which these scripts can be divided:
| Category | Description |
| --- | --- |
| auth | Determination of authentication credentials. |
| broadcast | Scripts which are used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans. |
| brute | Executes scripts that try to log in to the respective service by brute-forcing with credentials. |
| default | Default scripts executed by using the -sC option. |
| discovery | Evaluation of accessible services. |
| dos | These scripts are used to check services for denial of service vulnerabilities and are used less because they harm the services. |
| exploit | This category of scripts tries to exploit known vulnerabilities for the scanned port. |
| external | Scripts that use external services for further processing. |
| fuzzer | This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time. |
| intrusive | Intrusive scripts that could negatively affect the target system. |
| malware | Checks if some malware infects the target system. |
| safe | Defensive scripts that do not perform intrusive and destructive access. |
| version | Extension for service detection. |
| vuln | Identification of specific vulnerabilities. |
So these are the categories; the scripts themselves are listed within them. For example, a really useful script is http-enum, which enumerates directories used by popular web applications and servers.
Performance of scanning
Sometimes the network is big, very big, so we need to collect useful information as fast as possible. There are a few options which help to complete the scan faster.
We can control:
- how fast (-T <0-5>),
- with which frequency (--min-parallelism <number>),
- which timeouts (--max-rtt-timeout <time>) the test packets should have,
- how many packets should be sent simultaneously (--min-rate <number>),
- the number of retries (--max-retries <number>) for the scanned ports.
Timeouts
The time a packet takes to reach the target and for the response to come back is the Round-Trip Time (RTT).
Generally, Nmap starts with a high timeout (--min-RTT-timeout) of 100ms.
We can make a scan with adjusted RTT options:
sudo nmap 10.X.X.X/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
| Scanning Options | Description |
| --- | --- |
| 10.X.X.X/24 | Scans the specified target network. |
| -F | Scans top 100 ports. |
| --initial-rtt-timeout 50ms | Sets the specified time value as initial RTT timeout. |
| --max-rtt-timeout 100ms | Sets the specified time value as maximum RTT timeout. |
Of course, be careful: if we set the initial RTT timeout too short, we can overlook useful information.
Max Retries
Another way to increase scan speed is by specifying the retry rate of sent packets (--max-retries). The default value is 10, which is quite high. We can set it to 2 or even 0, so that after not receiving a response from a port, nmap moves on to the next port.
An example would look like this:
sudo nmap 10.X.X.X/24 -F --max-retries 0
Again, as with the timeouts, keep in mind that by lowering the retries we risk overlooking valuable information about our target.
Rates
When setting the minimum rate (--min-rate <number>) for sending packets, we tell Nmap to simultaneously send the specified number of packets. It will attempt to maintain the rate accordingly.
This method can also save time when scanning with nmap.
Timing
The default timing template, used when we have defined nothing else, is normal (-T 3).
We have 6 different timing templates in NMAP:
- -T 0 / -T paranoid
- -T 1 / -T sneaky
- -T 2 / -T polite
- -T 3 / -T normal
- -T 4 / -T aggressive
- -T 5 / -T insane
We can find more detailed information about the templates in the nmap documentation.
Thoughts after the module
Nmap is indeed a very powerful tool. I was thinking about Nmap as a simple scanning tool; I was using it for basic scanning of the targets, to find open ports through which I can invite myself inside.
After this module I see that scripts take nmap to a whole new level. We can find lots of information using scripts.
I have a vision to dive deep into the TCP/IP and I see that the knowledge I’ll gain will be priceless when using tools such as nmap.
After practical rooms I’ve learned that curl is also useful for getting info from certain files on the web.
I'm also surprised how easy it is to adapt the nmap performance to your needs. You can easily cut the scanning time in half using some of the performance and timing options.
OUTRO
In the next blog post we'll see how to avoid IPS/IDS and firewalls with nmap.
Nmap generates network traffic which, if not controlled, firewalls can capture and use to block us.
See ya later!