CodeNinja.

Aakash Choudhary

Be a Nmap Ninja Pentester - Part 1

1 comment

Hello friends. I am CodeNinja a.k.a. Aakash Choudhary.

Now we will learn all about nmap, which is a pentester's friend. In my upcoming posts I will post CTF solutions, and there we will learn the practical usage of nmap.

So let's start :->

<====================NMAP Tutorial =======================>



Nmap is a network scanning and host detection tool that is very useful during several steps of penetration testing. Nmap is not limited to merely gathering information and enumeration; it is also a powerful utility that can be used as a vulnerability detector or a security scanner.


NMAP can be used for :->

1. host discovery
2. port discovery
3. service discovery
4. OS and software version discovery
5. detecting vulnerabilities and security holes, etc.


Techniques used by nmap :->
1. TCP Connect Scanning
2. TCP Reverse ident Scanning
3. FTP Bounce Scanning, etc.


Sometimes during testing of a website we don't find any vulnerability, but it might still be vulnerable: an important port might be open and vulnerable, which can lead to serious problems.

So nmap is the best tool and friend of the PENTESTER, which helps to find open ports, among other uses.



<========= Practical USAGE of NMAP ========>

NOTE :-> To start, use a virtual machine's IP. In my case I use the OWASP Broken Web App VM.

1. Simple scan :->  nmap 192.168.56.101

2. If you want to scan an entire subnet or range [0-255]

nmap 192.168.1.*  

or

nmap 192.168.1.0-255

NOTE :-> We can also use netdiscover :->
netdiscover -i vboxnet0 -P -r 192.168.56.0/24

Where
-i interface, like eth0, wlan0, vboxnet0
-P send no packets out on the network
-r range to scan

Why use it?
When I was solving the vulnos2 CTF VM I could not see its IP address, so I used netdiscover to find the IP address of the vulnerable machine vulnos2.

3. nmap 192.168.56.0/cidr ===>  nmap 192.168.56.0/24
Here /24 is the CIDR prefix.

CIDR ? => Classless Inter-Domain Routing => https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

4. Multiple Target Scan =>
nmap 192.168.56.100 192.168.56.101  etc

or

nmap 192.168.56.100-101


5. Suppose you have a list of IPs for testing; save them in a txt file and then use this command :->

nmap -iL targetip.txt

or

nmap -iL /home/ninja/AAKASH/nmap/targetip.txt

This will scan the entire list of IPs you saved in that text file.


SCENARIO :->

Suppose I have a site for testing. I use the knockknock python script to scan the subdomains of this site. I got some subdomains and their IP addresses. I saved those IPs in a file and then scanned them using the above command " -iL ".

6. Listing all hosts in a range (list scan) =>  -sL

nmap -sL 192.168.56.101/24


7. Suppose while scanning an entire subnet you do not want to scan a specific IP address; then use this command

nmap 192.168.56.101/24  --exclude 192.168.56.102


To exclude all the hosts listed in a file :-> --excludefile target.txt
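The target notations from steps 2 to 7 (CIDR, `*` wildcard, octet range, `-iL` file, `--exclude`, `--excludefile`) all boil down to one list of addresses. The following Python is an added example, not code from the post or from the Nmap project: it expands those notations the same way a list scan would enumerate them, with the file contents constructed inline instead of read from disk. Only IPv4 dotted specs are handled; hostnames are out of scope here.

```python
import itertools
import ipaddress


def expand_target(spec):
    """Expand one nmap-style target spec into a list of IPv4 address strings.

    Handles a single host, CIDR (192.168.56.0/24; a host bit such as
    .101/24 is masked to the network, as nmap does), a '*' wildcard
    octet (192.168.1.*) and an octet range (192.168.1.0-255).
    """
    if "/" in spec:
        # strict=False lets 192.168.56.101/24 mean the whole 192.168.56.0/24
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("unsupported target spec: %s" % spec)
    choices = []
    for octet in octets:
        if octet == "*":
            low, high = 0, 255
        elif "-" in octet:
            low, high = (int(x) for x in octet.split("-", 1))
        else:
            low = high = int(octet)
        if not 0 <= low <= high <= 255:
            raise ValueError("bad octet in %s" % spec)
        choices.append(range(low, high + 1))
    return [".".join(str(o) for o in combo) for combo in itertools.product(*choices)]


def read_spec_file(text):
    """Parse -iL / --excludefile style text: whitespace-separated specs, '#' comments."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_list(specs, input_file_text="", exclude=(), exclude_file_text=""):
    """Combine positional specs and -iL entries, then drop --exclude / --excludefile hosts.

    Duplicates are removed (my choice, to get a clean list); first-seen order is kept.
    """
    excluded = set()
    for spec in list(exclude) + read_spec_file(exclude_file_text):
        excluded.update(expand_target(spec))
    targets, seen = [], set()
    for spec in list(specs) + read_spec_file(input_file_text):
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                targets.append(ip)
    return targets


# Constructed sample standing in for targetip.txt from the scenario above
SAMPLE_TARGET_FILE = "192.168.56.100-101\n192.168.56.103  # shop subdomain\n"
```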


8. Scanning some well-known PORTS like HTTP, FTP, TELNET

nmap -p80,21,23 192.168.56.101






NMAP SCANNING TECHNIQUES
======================================

1. -sS [SYN Scan] => also called half-open scanning

It gets information from the remote host without completing the TCP handshake: Nmap sends SYN packets to the destination, but it does not create any sessions.

nmap -sS 192.168.56.101


2. -sT [Connect Scan]

It completes the normal TCP three-way handshake process.
It finds TCP ports, not UDP ports.

nmap -sT 192.168.56.101


3. -sU [ UDP Scan ]

It is used to find open UDP ports on the target machine.

A UDP scan sends UDP packets to the target machine and waits for a response: if an ICMP port unreachable error message arrives, the port is closed; if an appropriate response arrives, the port is open.



nmap -sU -sS 192.168.56.101

I use -sS along with -sU to make it more effective.


4. -sF [ FIN Scan ]

Sometimes a normal TCP SYN scan is not the best solution because of a firewall. An IDS and IPS might be deployed on the target machine, and a firewall will usually block the SYN packets. A FIN scan sends a packet with only the FIN flag set, so it does not need to complete the TCP handshake.

nmap -sF 192.168.56.101



We can also perform an Xmas scan (-sX) and a Null scan (-sN).


Differences between FIN Scan & XMAS Scan & Null Scan

The FIN scan sends packets containing only the FIN flag.

The Xmas scan sends the FIN, PSH, and URG flags.

The Null scan does not set any flag bit in the packet.


What are the FIN, PSH and URG flags?

It is better to learn some networking concepts to understand them properly.

http://stackoverflow.com/questions/9153566/difference-between-push-and-urgent-flags-in-tcp


I can't give as detailed an answer as the link above does :P
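Seen from the target side, the FIN, Xmas and Null scans above are just TCP segments with unusual flag combinations, which makes them easy to spot. The following Python is an added defender-side example, not code from the post or from Nmap: it reads the flag byte of raw TCP headers, maps it to the Null/FIN/Xmas probe shapes described above and tallies them per source with the distinct destination ports touched. The packets are constructed inside the script, and the header builder exists only to produce that sample data.

```python
import struct
from collections import Counter

# TCP flag bits in the 14th header byte (offset 13); ECE/CWR included for completeness
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Flag sets that match the stealth scans discussed above; a lone SYN is normal traffic
PROBE_SIGNATURES = {
    frozenset(): "null",                       # -sN: no flags at all
    frozenset({"FIN"}): "fin",                 # -sF: FIN only
    frozenset({"FIN", "PSH", "URG"}): "xmas",  # -sX: FIN + PSH + URG
}


def tcp_flags(header):
    """Return the set of flag names set in a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    bits = header[13]
    return {name for name, bit in FLAG_BITS.items() if bits & bit}


def classify_probe(header):
    """Map a TCP header to the scan type its flags match, or None for ordinary traffic."""
    return PROBE_SIGNATURES.get(frozenset(tcp_flags(header)))


def make_tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (sample data only; checksum left at 0)."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urg ptr
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits, 1024, 0, 0)


def count_probes(packets):
    """Tally probes per source from (src_ip, tcp_header) pairs.

    Returns {src: (Counter of probe kinds, set of distinct destination ports)};
    one source hitting many ports with such probes is the signature worth alerting on.
    """
    tally = {}
    for src, hdr in packets:
        kind = classify_probe(hdr)
        if kind is None:
            continue  # SYN, ACK, PSH+ACK and friends are normal traffic
        kinds, ports = tally.setdefault(src, (Counter(), set()))
        kinds[kind] += 1
        ports.add(struct.unpack("!H", hdr[2:4])[0])  # destination port field
    return tally


# Constructed sample: a Null/FIN/Xmas sweep from .1 mixed with a normal connection from .50
SAMPLE_PACKETS = [
    ("192.168.56.1", make_tcp_header(40000, 22, [])),
    ("192.168.56.1", make_tcp_header(40001, 80, ["FIN"])),
    ("192.168.56.1", make_tcp_header(40002, 443, ["FIN", "PSH", "URG"])),
    ("192.168.56.1", make_tcp_header(40003, 21, ["FIN", "PSH", "URG"])),
    ("192.168.56.50", make_tcp_header(50000, 80, ["SYN"])),
    ("192.168.56.50", make_tcp_header(50000, 80, ["PSH", "ACK"])),
]
```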



5. -sP [Ping Scan]

Just like we ping google.com, we can do a Ping Scan using nmap.

It is only used to find out whether the host is alive or not.

nmap -sP 192.168.56.101



6. -sV [ Version Detection]

It is used to find out what software version is running on the target computer and on the respective ports.

nmap -sV 192.168.56.101


7. -sI [Idle Scan]

An advanced scan which provides complete anonymity.

In an idle scan, Nmap doesn't send the packets from your real IP address: instead of generating the packets from the attacker machine, Nmap uses another host on the target network (the zombie) to send the packets.



nmap -sI zombieHost targetHost

nmap -sI 192.168.56.1 192.168.56.101

zombie host :-> 192.168.56.1
target host :-> 192.168.56.101



8. -O [OS Detection]

Used to find out the OS.

nmap -O 192.168.56.101


Nmap OS fingerprinting technique discovers the:

Device type (router, work station, and so on)
Running (the running operating system)
OS details (the name and the version of OS)
Network distance (the distance in hops between the target and attacker)



If the target system uses an IDS/IPS then use -PN

nmap -O -PN 192.168.56.101/24


We can also make nmap guess the operating system using :-> --osscan-guess



9. To scan faster use the -T option, like

nmap -T5 192.168.56.101/24


and for more detailed (verbose) output :-> -v

nmap -v 192.168.56.101



=======================================================================


            <=== NSE [ Nmap Script Engine ] ===>
================================================


NSE is the most powerful feature of the Nmap scanner.

The Nmap Scripting Engine allows us to write scripts that we can use with Nmap to automate any task.

The Nmap man page contains the following regarding the Nmap Scripting Engine commands:

           SCRIPT SCAN:

             -sC: equivalent to --script=default

             --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories

             --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

             --script-trace: Show all data sent and received

             --script-updatedb: Update the script database.

The --script-trace command is used for debugging purposes to show all sent and received data.



SCRIPT CATEGORIES :->

1. auth : scripts that work with authentication credentials

2. broadcast : scripts that discover active hosts by broadcasting on a local network and adding them to a target list

3. brute : scripts that brute-force the credentials of the remote hosts

4. default : scripts that automatically run with the -sC or -A options

5. discovery : scripts that try to get more information about the target network

6. dos : scripts that may crash the target application and therefore cause a denial of service on the target

7. exploit : scripts that may be able to exploit the target application

8. external : scripts that send data to a third-party server over the network (whois)

9. fuzzer : scripts that send invalid random data to the target to find undiscovered bugs

10. intrusive : scripts that can cause the target to fail

11. malware : scripts that test whether the target is infected by malware or backdoors

12. safe : scripts that can be run safely, so they will not crash a server

13. version : scripts that can determine the version of the application running on a target (they are run only when the -sV option is specified)

14. vuln : scripts that can check whether the target is vulnerable to specific attacks


======================================================================




1 comment:

  1. Dear, the tutorial is awesome, but if it had pics with it, it would be much easier to understand, so please add pics to it :)