# HTB CPTS: Study Sessin (NMAP - output,  scripts, performance, timeouts)

## What is Enumeration?

It is one of the most important parts of Penetration Testing process.

It is identifying all of the ways we could attack a target. We must do our best in this phase.

Long story short - **enumeration is collecting as much information as possible.**

### NMAP

Nmap is for scanning, mapping, detecting and analyzing networks. Talking about technical sides, this is how for example TCP-SYN(-sS) scan works:

* If our target sends a `SYN-ACK` flagged packet back to us, Nmap detects that the port is `open`.
    
* If the target responds with an `RST` flagged packet, it is an indicator that the port is `closed`.
    
* If Nmap does not receive a packet back, it will display it as `filtered`. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall.
    
* The most effective host discovery method is to use **ICMP echo requests**
    
* Scan may not work because of the firewall. Later on we’ll check how to evade firewall and IDS/IPS.
    
* The Connect scan (Full TCP Connect scan) is one of the least stealthy techniques, as it fully establishes a connection, which creates logs on most systems and is easily detected by modern IDS/IPS solutions.
    

There are 6 states that we can obtain from a NMAP scan:

| **State** | **Description** |
| --- | --- |
| `open` | This indicates that the connection to the scanned port has been established. These connections can be **TCP connections**, **UDP datagrams** as well as **SCTP associations**. |
| `closed` | When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an `RST` flag. This scanning method can also be used to determine if our target is alive or not. |
| `filtered` | Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target. |
| `unfiltered` | This state of a port only occurs during the **TCP-ACK** scan and means that the port is accessible, but it cannot be determined whether it is open or closed. |
| \`open | filtered\` |
| \`closed | filtered\` |

### Output formats

We can save `nmap` outputs in many different formats:

* Normal output (`-oN`) with the `.nmap` file extension
    
* Grepable output (`-oG`) with the `.gnmap` file extension
    
* XML output (`-oX`) with the `.xml` file extension
    
* Save the results in all formats `-oA`
    

With the XML output, we can easily create HTML reports that are easy to read, even for non-technical people. This is later very useful for documentation, as it presents our results in a detailed and clear way.

To convert the stored results from XML format to HTML, we can use the tool `xsltproc`.

### Service enumeration

It is really important to determine the application and its version as accurately as possible. We can use this information to scan for known vulnerabilities and analyze the source code for that version if we find it.

This information can help us to search for a more precise exploit that fits the service and the operating system of our target.

Quick port scan is a good way to do it, because if we do more sophisticated scans, IDS can spot us and block out our IP.

```bash
sudo nmap IP_ADDRESS_TO_SCAN -p- -sV
```

\-p- - scans all of the ports

\-sV - gives us the versions of services

I bet you like to see progress happening. To do this, we can write use —stats-every option.

<table><tbody><tr><td colspan="1" rowspan="1"><p><code>--stats-every=5s</code></p></td><td colspan="1" rowspan="1"><p>Shows the progress of the scan every 5 seconds.</p></td></tr></tbody></table>

### Scripting in NMAP

There’s a possibility to use scripting in nmap. There are a total of 14 categories into which these scripts can be divided:

| **Category** | **Description** |
| --- | --- |
| `auth` | Determination of authentication credentials. |
| `broadcast` | Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans. |
| `brute` | Executes scripts that try to log in to the respective service by brute-forcing with credentials. |
| `default` | Default scripts executed by using the `-sC` option. |
| `discovery` | Evaluation of accessible services. |
| `dos` | These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services. |
| `exploit` | This category of scripts tries to exploit known vulnerabilities for the scanned port. |
| `external` | Scripts that use external services for further processing. |
| `fuzzer` | This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time. |
| `intrusive` | Intrusive scripts that could negatively affect the target system. |
| `malware` | Checks if some malware infects the target system. |
| `safe` | Defensive scripts that do not perform intrusive and destructive access. |
| `version` | Extension for service detection. |
| `vuln` | Identification of specific vulnerabilities. |

So these are the categories of the scripts. There are scripts by themselves. For example a really useful script is [***http-enum***](https://nmap.org/nsedoc/scripts/http-enum.html). It enumerates directories used by popular web applications and servers.

### Performance of scanning

Sometimes network is big, very big. So we need to scan for useful information as fast as possible. There are few options which helps to complete the scan faster.

We can use various options:

* how fast (`-T <0-5>`),
    
* with which frequency (`--min-parallelism <number>`),
    
* which timeouts (`--max-rtt-timeout <time>`) the test packets should have
    
* how many packets should be sent simultaneously (`--min-rate <number>`)
    
* the number of retries (`--max-retries <number>`) for the scanned ports the targets should be scanned.
    

### Timeouts

For a packet to travel, it takes time. `Round-Trip-Time` - `RTT`.

Generally, `Nmap` starts with a high timeout (`--min-RTT-timeout`) of 100ms.

We can make a scan with adjusted RTT options:

```bash
sudo nmap 10.X.X.X/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
```

| **Scanning Options** | **Description** |
| --- | --- |
| `10.X.X.X/24` | Scans the specified target network. |
| `-F` | Scans top 100 ports. |
| `--initial-rtt-timeout 50ms` | Sets the specified time value as initial RTT timeout. |
| `--max-rtt-timeout 100ms` | Sets the specified time value as maximum RTT timeout. |

Of course be careful. If we set the initial `RTT` timeout too short, we can overlook some useful info.

### Max Retries

Another way to increase scan speed is by specifying the retry rate of sent packets (`--max-retries`). The default value is `10`, which is pretty much. We can set it to `2` or even `0` so after not receiving a response from a port, nmap will go to another port.

Example would look like this:  
`sudo nmap 10.X.X.X/24 -F --max-retries 0`

Again, like with the timeouts, keep in mind that by making the retries lower, we risk to overlook valuable information about our target.

#### Rates

When setting the minimum rate (`--min-rate <number>`) for sending packets, we tell `Nmap` to simultaneously send the specified number of packets. It will attempt to maintain the rate accordingly.

This method also can save you time when scanning with `nmap`.

### Timing

The default timing template used when we have defined nothing else is the normal (`-T 3`).

We have 6 different timing templates in NMAP:

* `-T 0` / `-T paranoid`
    
* `-T 1` / `-T sneaky`
    
* `-T 2` / `-T polite`
    
* `-T 3` / `-T normal`
    
* `-T 4` / `-T aggressive`
    
* `-T 5` / `-T insane`
    

We can find more detailed information about templates in [nmap documentation.](https://nmap.org/book/performance-timing-templates.html)

### Thoughts after the module

Nmap is indeed a very powerful tool. I was thinking about Nmap as a simple scanning tool, I was using it for basic scanning of the targets, to find open ports which I can invite myself inside.

After this module I see that scripts gets nmap to the whole new level. We can find lots of information using scripts.

I have a vision to dive deep into the TCP/IP and I see that the knowledge I’ll gain will be priceless when using tools such as nmap.

After practical rooms I’ve learned that curl is also useful for getting info from certain files on the web.

I’m also surprised how easy it is to adapt the nmap performance by your needs. You can cut the scanning time by half easily using some of the performance and timing options.

### OUTRO

On the next blog post we’ll see how to avoid IPS/IDS and Firewalls with nmap.

Nmap makes some network traffic which, if not controlled, Firewalls can capture and block us.

See ya later!
