How To Use Nmap for Advanced Penetration Testing
Network Mapper, commonly known as Nmap, is one of the best tools for gathering network information about a single target or a whole subnet. It is an information-gathering tool that can collect nearly every externally observable fact about a host, and it is used above all to find open ports and identify the services listening on them. It is a CLI tool that comes pre-installed on most penetration-testing Linux distributions such as Kali Linux and Parrot OS, and it is packaged for Ubuntu as well. Nmap itself is written in C/C++; its scripting engine (NSE) runs scripts written in Lua, which is easy to learn and read. Nmap ships with hundreds of such scripts that gather detailed information about the configuration of a particular protocol on the target.
1. It has a GUI front end called Zenmap with a beginner-friendly interface.
2. Its commands and syntax are easy to use.
3. It can present the results in the format we want (normal, XML or grepable output).
4. It has a verbose option that lets us monitor the progress of a scan.
5. Its large fingerprint database lets it identify not only Windows, Linux and macOS hosts but also many IoT devices.
6. We can write our own NSE scripts and customise the existing ones to work the way we want.
7. The large script library lets us enumerate a target in depth around one particular service.
8. Besides the network layer, it can gather information about HTTP (web) applications.
9. Its vulnerability scripts can check whether targets are affected by EternalBlue (smb-vuln-ms17-010), Heartbleed (ssl-heartbleed) and many other CVEs.
10. Its timing options let us speed the enumeration up or slow it down according to the age and capacity of the target server and the sensitivity of anything watching the traffic.
nmap <options> <IP/subnet>
Note: The flags listed below go in the <options> position of this command; most of them can be combined in a single scan.
Basic usage of Nmap
1. To gather information about open ports
1.1 -p = Scan only the ports we specify (e.g. -p 22,80,443 or -p 1-1024)
1.2 -p 22 = Scan only port 22
1.3 -p- = Scan all 65535 ports
1.4 -p-23 = Scan ports 1 to 23
1.5 -F = Fast mode: scan only the 100 most common ports instead of the default 1000
1.6 -sS = SYN scan (half-open: the handshake is never completed; needs root)
1.7 -sT = TCP connect scan (full handshake; the default when not running as root, and the only TCP scan that works without raw sockets)
1.8 -sU = UDP scan (slow because closed ports only answer with ICMP; combine with -sS to cover both protocols)
1.9 -O = Try to detect the operating system of the target
1.10 -Pn = Skip host discovery and treat every target as up (needed when ICMP is blocked, which the Windows firewall does by default; otherwise Nmap may report the host as down and scan nothing)
1.11 -A = Aggressive scan: enables -O, -sV, the default NSE scripts (-sC) and traceroute in one go
1.12 -sV = Try to detect the service and version behind each open port
2. Getting desired information
2.1 -oA result = Write the scan in all three formats at once: result.nmap (normal), result.xml (XML) and result.gnmap (grepable)
2.2 -oX result.xml = Write only the XML file (-oN for normal and -oG for grepable output work the same way)
2.3 -v = Verbose output
2.4 -vv = More verbose output
2.5 -vvv = Even more verbose output (the same effect can be had by pressing v while a scan runs)
3. Firewall detection and bypassing
3.1 -sA = ACK scan: sends only ACK packets. A port that answers with RST is reported as unfiltered, one that answers nothing as filtered, which tells us whether a stateful firewall sits in front of the port, but not whether the port is open.
3.2 -D 12.32.23.43 = Decoy scan: send the probes from the given address as well as our own, so the target's logs show several apparent sources. Our real address is still among them (Nmap places it at a random position unless ME is given in the list), so this obscures rather than hides the scanner.
3.3 -D RND:4 = Use 4 random decoy addresses.
3.4 -f = Split each probe into tiny IP fragments (8 bytes of TCP header per fragment) so that a packet filter that inspects only whole TCP headers cannot match them. The technique is called fragmentation.
3.5 --mtu 24 = Same idea with a fragment size of our choice; the value must be a multiple of 8.
# If Nmap warns that fragmentation is not supported with the current send method, add the --send-eth flag so that it builds raw Ethernet frames itself.
For example: nmap -sS -f -D 12.33.22.64 --send-eth (target IP/subnet)
# These techniques rarely work against a modern firewall or IDS, which reassembles fragments before inspecting them and correlates probes across source addresses.
4. Timing and performance
4.1 -T0 = Paranoid
4.2 -T1 = Sneaky
4.3 -T2 = Polite
4.4 -T3 = Normal (the default)
4.5 -T4 = Aggressive
4.6 -T5 = Insane
# The templates are listed in increasing order of speed. -T0 and -T1 send one probe at a time with long pauses and exist mainly to slip under IDS thresholds; -T2 is the one to use for old machines, embedded devices and fragile servers that may crash or drop packets when they receive many probes in a short time.
# -T4 is the usual choice on a modern network, since current servers handle a high packet rate without trouble and we get our results faster. -T5 trades accuracy for speed (it gives up on slow responders), so check its results with a slower scan before relying on them.
## These were the basic options you can use to scan your target and shape the output.
Now we will move on to some advanced Nmap options and the NSE.
Nmap Scripting Engine (NSE)
The NSE ships with hundreds of scripts that can be used to enumerate a target.
There are scripts for SSH, FTP, HTTP, SQL databases, SMB, DNS and many other services, as well as checks for specific CVEs and other vulnerabilities.
The Nmap scripts are stored in the
/usr/share/nmap/scripts/ directory (the default on Kali, Debian and Ubuntu), with an index of names and categories in script.db in the same directory.
Syntax: --script=<script name, category or boolean expression>, for example --script=ftp-anon, --script=vuln or --script="ftp-* and not brute". -sC runs the "default" category.
Some of the most commonly used scripts are:
1. ftp-anon.nse = Check whether anonymous FTP login is allowed
2. ssh-brute.nse = Brute-force SSH logins
3. ftp-brute.nse = Brute-force FTP logins
4. smb-enum-shares.nse and smb-enum-users.nse = Enumerate SMB shares and users
5. mysql-enum.nse = Enumerate valid MySQL user names
There are many more, and it is impossible to remember the names of all of them, so use nmap --script-help "<pattern>" or the categories in script.db to find the right one : )
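Because nobody remembers every script name, it helps to select by category. The script below is an added example for this page, not part of the original post or of Nmap itself: it reads script.db, the index Nmap keeps next to its scripts, lists the scripts that carry every category we ask for, and runs nmap with exactly that list. SCRIPT_DB is the default path on Kali and Debian; the sample index entries are constructed for the offline check (their categories match the real scripts), and the target and wordlist file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: pick NSE scripts by category from
# script.db, then run only those. SCRIPT_DB is Nmap's default path on
# Debian/Kali; sample entries below are constructed; target and wordlist
# paths are hypothetical.

SCRIPT_DB=${SCRIPT_DB:-/usr/share/nmap/scripts/script.db}

# Scripts (from script.db on stdin) that carry every category named in the
# arguments. Each index line has the form
#   Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
nse_scripts_in_categories() {
  awk -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    /^Entry/ {
      if (!match($0, /filename = "[^"]+"/)) next
      name = substr($0, RSTART + 12, RLENGTH - 13)   # drop the 12-char prefix and closing quote
      ok = 1
      for (i = 1; i <= n; i++)
        if (index($0, "\"" w[i] "\"") == 0) ok = 0   # category must appear quoted
      if (ok) print name
    }'
}

# Same list as a --script argument: names without .nse, comma separated.
nse_script_arg() {
  nse_scripts_in_categories "$@" | sed 's/\.nse$//' | tr '\n' ',' | sed 's/,$//'
}

# Run the matching scripts. Nmap itself also accepts categories and boolean
# expressions (--script "ftp-* and not brute"); resolving the list here lets
# us see and vet it before anything intrusive runs.
run_nse() {   # usage: run_nse <target> <category>...
  target=$1; shift
  scripts=$(nse_script_arg "$@" < "$SCRIPT_DB")
  [ -n "$scripts" ] || { echo "no scripts match categories: $*" >&2; return 1; }
  echo "running: $scripts" >&2
  # userdb/passdb are only read by the brute scripts; harmless for the rest.
  nmap -sV --script "$scripts" \
       --script-args userdb=users.txt,passdb=passwords.txt "$target"
}

sample_script_db() {   # constructed index lines for the offline check
  cat <<'EOF'
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
EOF
}

if [ "${1:-}" = "run" ] && [ $# -ge 3 ]; then
  target=$2; shift 2
  run_nse "$target" "$@"   # e.g. sh nse-pick.sh run 192.0.2.10 vuln safe
fi
```

Against the sample index, `nse_script_arg safe` resolves to `ftp-anon,ssl-heartbleed` and `nse_script_arg brute intrusive` to `ftp-brute,ssh-brute`. Asking for "safe" first and reviewing the list before running "intrusive" or "brute" is the habit worth keeping: the brute scripts lock accounts and fill logs, which matters on a client's production network.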
Advanced Options:
1. --min-parallelism 20 = Keep at least 20 probes outstanding at a time
2. --max-parallelism 20 = Keep at most 20 probes outstanding at a time
3. --min-hostgroup 34 = Scan at least 34 hosts in parallel when scanning a subnet
4. --max-hostgroup 34 = Scan at most 34 hosts in parallel when scanning a subnet
5. --scan-delay 10s = Wait at least 10 seconds between probes sent to a host (rate limiting against a fragile target or a simple IDS; -T0 to -T2 set this implicitly)
6. --host-timeout 20s = Give up on a host that has not finished scanning within 20 seconds; useful on a subnet so one silent host cannot stall the job (plain numbers are seconds; ms, m and h suffixes are accepted)
7. --min-rate 20 = Send at least 20 packets per second
8. --max-rate 20 = Send at most 20 packets per second
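The timing templates of section 4 and the options above come together when sweeping a whole subnet. The script below is an added example for this page, not code from the original post: a first pass does host discovery only (-sn), the live addresses are pulled out of the .gnmap file, and a second pass scans only those hosts with a timing profile chosen for the kind of network, so an old appliance is not flooded and a single silent host cannot stall the job. The subnet, the profile values and the sample sweep output are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: two-pass subnet sweep using the
# timing and parallelism options from section 4 and "Advanced Options".
# Requires nmap; -sS needs root. Subnet, profile values and the constructed
# sample output are hypothetical.

# Live hosts from a ping sweep's .gnmap on stdin, one address per line.
gnmap_live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Option bundles for the three situations the post describes. The -T template
# sets the baseline; the explicit options pin the limits that matter most.
# Plain numbers for --host-timeout are seconds; m and h suffixes are accepted.
timing_profile() {   # usage: timing_profile legacy|default|modern
  case "$1" in
    # old servers and embedded gear: few probes in flight, hard packet cap, but patience per host
    legacy)  echo "-T2 --max-rate 50 --max-parallelism 4 --host-timeout 10m" ;;
    default) echo "-T3 --host-timeout 5m" ;;
    # modern network: many hosts at once, a floor on the packet rate, short patience
    modern)  echo "-T4 --min-rate 1000 --min-hostgroup 64 --min-parallelism 16 --host-timeout 2m" ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

sweep() {   # usage: sweep <subnet> <profile> [output-prefix]
  subnet=$1; profile=$2; prefix=${3:-sweep}
  opts=$(timing_profile "$profile") || return 1
  # Pass 1: host discovery only, no port scan. Hosts that drop ICMP and the
  # TCP/ACK probes are missed here; add them by hand with -Pn if you know them.
  nmap -sn -oA "${prefix}_hosts" "$subnet"
  gnmap_live_hosts < "${prefix}_hosts.gnmap" > "${prefix}_live.txt"
  [ -s "${prefix}_live.txt" ] || { echo "no live hosts in $subnet" >&2; return 1; }
  # Pass 2: SYN scan of the 1000 most common ports on the live hosts only.
  # $opts is unquoted on purpose so it expands into separate arguments;
  # --stats-every prints progress without turning on full verbosity.
  nmap -sS -Pn --top-ports 1000 $opts --stats-every 30s \
       -iL "${prefix}_live.txt" -oA "${prefix}_ports"
}

# Constructed sample of what -sn -oA writes for a small subnet.
sample_sweep_gnmap() {
  printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.7 (printer.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.9 ()\tStatus: Down\n'
}

if [ "${1:-}" = "sweep" ]; then
  sweep "$2" "${3:-default}" "${4:-sweep}"   # e.g. sudo sh sweep.sh sweep 192.0.2.0/24 legacy
fi
```

Splitting discovery from port scanning is what makes the timing options effective: --min-hostgroup and --min-rate only pay off once the target list contains hosts that actually answer, and --host-timeout then bounds the damage a single black-holed address can do to the total runtime.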
Note: Nmap is a very large tool and it is impossible to cover all of it in one post, so I will end here. The above gives you a detailed overview of Nmap, and I hope that you will now be able to adapt it to your own requirements and get the most out of it.
Nice bro, it's really helpful for beginners.
Superb
Great bro, I really like it.