Scanning with nmap

nmap is the de facto standard for scanning networks, used by system administrators and penetration testers alike. It also ships with countless community-supported NSE (Nmap Scripting Engine) scripts, which perform a range of tasks from discovering services to discovering vulnerabilities within those services. Let's take a look at nmap and some of its features.

nmap's manual is huge. On Linux, it can be viewed by executing the terminal command:

man nmap |more

If you're like me, though, scrolling through this gets to be a bit of a hassle (I love Ctrl+F). Thankfully, there is a way to export the manual to a text file. It can be done with this command:

man nmap > nmap.txt

As of this writing, there are 1,736 lines of text, so it's probably easier just to dump it to a text file and search it. nmap is huge and powerful, and it is possible to cause yourself a lot of headache if you are not careful. Take for instance the following command:

nmap --stats-every 5m -p- 192.168.1.1-254

This command scans all 65,535 ports on every machine in the subnet range 192.168.1.1 to 192.168.1.254. This scan will take forever, and even though we print its stats every 5 minutes (--stats-every 5m), nmap's ETC is likely to vary quite a bit. Even worse, it is noisy and uses a lot of bandwidth, which can create a denial-of-service scenario.

If the following command is executed:

iptables -Z && iptables -F && iptables -I INPUT 1 -s <target IPv4> -j ACCEPT && iptables -I OUTPUT 1 -d <target IPv4> -j ACCEPT

All packet and byte counters are zeroed (-Z), the existing rules are flushed (-F), and ACCEPT rules are inserted at the top of the INPUT and OUTPUT chains so that all incoming and outgoing traffic to and from the target machine is counted. Running the scan above (if you're willing to wait forever) and then running:

iptables -vn -L

will likely show around 4.5 MB of traffic to each target. This is a good segue into Lua. Lua is the programming language for all NSE scripts. One interesting note about Lua is that while it supports coroutines (similar to threads in C#), it does not support parallel processing. Perhaps it is for this reason: 4.5 MB * 254 = 1.143 GB of data going across the network could easily flood any network device (feel free to leave comments on this statement).

Lua can be learned from the links below:
https://www.youtube.com/watch?v=iMacxZQMPXs
https://www.youtube.com/watch?v=y2z8zUanmL4

Lua is the programming language that nmap scripts are written in. All NSE scripts installed on the machine can be found with the following command:

locate nmap/scripts

These scripts are useful and easy to read (cat any .nse file). But this was a bit of a tangent. It's best to perform discovery in smaller segments, for example by first discovering all hosts on a network:

nmap -sn <IPv4 subnet> -oG ips.txt
grep Up ips.txt | cut -d" " -f2 > list_of_ips.txt

The first line just pings all hosts on the subnet without doing a port scan (-sn) and saves the results in grepable format (-oG). The second line searches this grepable output for hosts that are Up and extracts just the IP address into list_of_ips.txt. Now we have a text file of all pingable hosts to work with.

One useful command for executing all SMB vulnerability scripts against the discovered hosts is the following:

nmap -p139,445 --script "smb-vuln-*" -iL list_of_ips.txt

where --script "smb-vuln-*" executes every smb-vuln script against ports 139 and 445 on each host listed in list_of_ips.txt.
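As an added example (not code from the post), here is a small Python parser for the -oG output the commands above produce. It handles both the Status lines of a ping sweep and the Ports field of a port scan, so the list fed to -iL can be narrowed to hosts that actually have 445 open before the smb-vuln scripts are run. The sample output is constructed, not from a real scan.

```python
"""Parse nmap grepable (-oG) output into hosts, status and open ports."""
import re
from typing import Dict, List

# Constructed sample of -oG output (not a real scan): a ping-sweep style
# Status line per host, plus Ports lines as a port scan would emit them.
SAMPLE_OG = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.2 ()\tStatus: Down
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at (constructed sample) -- 3 IP addresses (2 hosts up) scanned
"""

def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname", "status", "open_ports": [(port, proto, service)]}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' header and footer lines
        fields = line.split("\t")         # -oG separates "Key: value" fields with tabs
        m = re.match(r"Host:\s+(\S+)\s+\((.*?)\)", fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "status": None, "open_ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # each entry is port/state/proto/owner/service/rpcinfo/version/
                for spec in value.split(", "):
                    parts = spec.split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        entry["open_ports"].append((int(parts[0]), parts[2], parts[4]))
    return hosts

def up_hosts(text: str) -> List[str]:
    """Same result as the grep Up | cut pipeline above."""
    return [ip for ip, h in parse_grepable(text).items() if h["status"] == "Up"]

def hosts_with_open_port(text: str, port: int, proto: str = "tcp") -> List[str]:
    """Hosts worth feeding to -iL for a script scan that needs this port open."""
    return sorted(ip for ip, h in parse_grepable(text).items()
                  if any(p == port and pr == proto for p, pr, _ in h["open_ports"]))

if __name__ == "__main__":
    print("up:", up_hosts(SAMPLE_OG))
    print("445 open:", hosts_with_open_port(SAMPLE_OG, 445))
```

Write the result of hosts_with_open_port one IP per line and pass that file to -iL instead of the raw ping-sweep list.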

If at any point you want to know the status of a scan, press Shift + ? on the keyboard. This brings up options for increasing or decreasing debugging or verbosity (d/Shift + d or v/Shift + v respectively) and for pressing a to get the estimated time to completion (which is very flaky, unfortunately).

Unfortunately, nmap is huge, and an entire week (without sleep) could be spent talking about it. So for now I will leave you with links I have found useful and leave it to you to read the man pages:

https://nmap.org/
https://nmap.org/nsedoc/
https://www.youtube.com/watch?v=iUZ6nTMO8K0&list=PLp6WHZp1xUXNfWJt-ga7xL5lIJr3CRhkD
