Unleashing Advanced Scanning Tactics in Penetration Testing using NMAP

Nmap plays a central role in network mapping and vulnerability assessment and is the go-to tool for network administrators and security professionals. The sections below collect the basic commands a beginner needs to get started, followed by scenario-based scans with the caveats that matter in practice.



Basic Nmap Commands

  • nmap [target]: Simplest way to scan a target (by default a SYN scan of the 1,000 most common TCP ports when run as root, a connect scan otherwise).
  • nmap -iL [list.txt]: Scan multiple targets from a file, one host, range or CIDR block per line.
  • nmap -sn [target]: Ping scan to check whether the target is up without performing a port scan.
  • nmap -Pn [target]: Skip host discovery and treat every target as online (useful when ICMP is blocked; every address in the range is then port-scanned).
  • nmap -p [ports] [target]: Scan specified ports. Example: -p 80,443 or -p 1-1024.
  • nmap -p- [target]: Scan all 65,535 TCP ports.
  • nmap -F [target]: Fast scan, only the 100 most common ports instead of the default 1,000.

Host Discovery Techniques

  • nmap -sL [target]: List scan, enumerates the targets and does reverse-DNS lookups on them but sends no probes to the hosts themselves (add -n to avoid even the DNS traffic).
  • nmap -n [target]: Never do DNS resolution.
  • nmap -R [target]: Do reverse-DNS resolution for every target, even hosts that appear down (by default only responsive hosts are resolved).
  • nmap --dns-servers [servers] [target]: Specify custom DNS servers for those lookups.

Scan Techniques

  • nmap -sS [target]: SYN scan (also known as stealth scan or half-open scan). Requires root; the handshake is never completed, so the application behind the port does not see a connection, although any packet-level IDS still sees the SYN.
  • nmap -sT [target]: Connect scan (full TCP connection through the OS socket API). The default when unprivileged; the target application accepts and usually logs the connection.
  • nmap -sA [target]: ACK scan. Does not determine open ports; it classifies ports as filtered or unfiltered, which is used to map out stateful firewall rulesets.
  • nmap -sW [target]: Window scan, an ACK scan that also inspects the TCP window size of the RST reply to tell open from closed on some systems.
  • nmap -sM [target]: Maimon scan, a FIN/ACK probe; a variation of the FIN scan that works against some BSD-derived stacks.
  • nmap -sU [target]: UDP scan. Slow, because closed ports answer with rate-limited ICMP port-unreachable messages and open ports often do not answer at all.
  • nmap -sN [target]: TCP Null scan (sends a TCP packet with no flags set).
  • nmap -sF [target]: FIN scan (sends a bare TCP FIN). Can slip past stateless packet filters that only block SYNs.
  • nmap -sX [target]: Xmas scan (sets the PSH, FIN, and URG flags, lighting the packet up like a Christmas tree).
  • Null, FIN and Xmas scans rely on RFC 793 behaviour: closed ports answer RST, open ports stay silent. Windows and many network devices reply RST to all of them, so against those hosts every port shows as closed.

Service and Version Detection

  • nmap -sV [target]: Probe open ports to determine service/version information.
  • nmap -sV --version-intensity [level] [target]: Set intensity level (0-9) for version detection; the default is 7, higher tries more probes and takes longer.
  • nmap -sV --version-light [target]: Lighter version detection (intensity 2), faster but misses less common services.
  • nmap -sV --version-all [target]: Try every single probe (intensity 9).
  • nmap -sV --version-trace [target]: Show all version detection activity.

Operating System Detection

  • nmap -O [target]: Enable OS detection.
  • nmap -O --osscan-limit [target]: Skip OS detection on hosts that do not have at least one open and one closed TCP port, since fingerprints from such hosts are unreliable.
  • nmap -O --osscan-guess [target]: Guess more aggressively, printing near matches when there is no perfect fingerprint match.

Timing and Performance

  • nmap -T[0-5] [target]: Set timing template (higher is faster). -T3 is the default, -T4 is the usual choice on a LAN, -T0 and -T1 wait seconds to minutes between probes, and -T5 trades accuracy for speed.
  • nmap --min-rate [rate] [target]: Send packets no slower than a given rate per second.
  • nmap --max-rate [rate] [target]: Send packets no faster than a given rate per second.

Firewall/IDS Evasion and Spoofing

  • nmap -f [target]: Fragment probes into 8-byte IP fragments (raw-packet scans only; modern stateful filters and IDSs reassemble before inspecting).
  • nmap -D RND:[number] [target]: Add [number] random decoy source addresses so that the real scanner is only one of many apparent sources. Raw-packet scans only; to shuffle the order targets are scanned in, use --randomize-hosts instead.
  • nmap --source-port [port] [target]: Send probes from a given source port (same as -g); some poorly written filters allow traffic from 53 or 20. Raw-packet scans only.
  • nmap --data-length [number] [target]: Append random data to sent packets, so probes do not match signatures written for Nmap's empty probes.
  • nmap --spoof-mac [MAC|0|vendor] [target]: Spoof your MAC address. Only meaningful when the target is on the same Ethernet segment; frames that cross a router carry the router's MAC.

Output Options

  • nmap -oN [file] [target]: Normal output to a file.
  • nmap -oX [file] [target]: XML output to a file.
  • nmap -oG [file] [target]: Grepable output to a file.
  • nmap -oA [basename] [target]: Output in the three major formats at once.
  • nmap -v [target]: Increase verbosity level (use -vv or more for greater effect).
  • nmap -d [target]: Increase debugging level (use -dd or more for greater effect).

Advanced Scanning

  • nmap --badsum [target]: Send packets with a bad TCP/UDP checksum.
  • nmap --top-ports [number] [target]: Scan a number of the most common ports.
  • nmap --packet-trace [target]: Show all packets sent and received.
  • nmap --iflist: List interfaces and routes (for debugging).
  • nmap --script [script.nse] [target]: Execute a specific NSE script (also accepts comma-separated script names, categories, or boolean expressions such as "default and not intrusive").
  • nmap --script-args [arg=value] [target]: Provide arguments to scripts.
  • nmap --script-updatedb: Rebuild the script database after adding or removing scripts in the scripts directory.
  • nmap --script-help [script.nse]: Show a script's description, categories and arguments.

Script Scan

  • nmap --script [category] [target]: Run scripts from a specific category (safe, default, discovery, vuln, intrusive, etc.).
  • nmap --script all [target]: Run every script against the target. This includes the intrusive, dos, exploit and brute categories, which can crash or lock out services; it belongs in a lab, not on a production scope.

Scenario-Based Commands

  • Scanning a local network for all devices: nmap -sn 192.168.1.0/24.
  • Scanning a remote server for open HTTP and HTTPS ports: nmap -p 80,443 example.com.
  • Checking for known vulnerabilities on a target system: nmap -sV --script vuln 192.168.1.101. The vuln category contains intrusive scripts as well as safe ones, and many of them need -sV to identify the service first.
  • A half-open scan that does not complete the handshake: nmap -sS -T4 -Pn 192.168.1.102. This keeps the connection out of application logs, nothing more; -T4 is fast rather than stealthy and any IDS watching the wire sees every SYN.
  • Aggressively scanning a system to gather as much information as possible: nmap -A 192.168.1.103.

This tutorial is designed for educational purposes only and emphasizes responsible and authorized testing practices.

Objective: The goal is to discover live hosts, open ports, services running, and any potential security weaknesses that could be exploited by an attacker.

Pre-assessment Setup

Before starting, ensure you have written authorization from the corporate management to perform the assessment. Define the scope of the penetration test, schedule the test during off-peak hours to minimize impact on business operations, and inform all stakeholders about the test.

Phase 1: Network Mapping and Discovery

  • Discover Live Hosts:

    shell
    nmap -sn -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 10.0.0.0/16

    This combines several host discovery techniques so that a host blocking one probe type is still found by another: -PE and -PP are ICMP echo and timestamp requests, -PS80,443 and -PA3389 are TCP SYN and ACK probes, -PU40125 is a UDP probe to a port that is probably closed (a port-unreachable reply proves the host is up), -PY is an SCTP INIT, and -g 53 sets the source port to 53, which some filters wave through. Raw probes need root, and a /16 is 65,536 addresses, so expect it to take a while.

  • DNS and Reverse-DNS Sweep:

    shell
    nmap -sL -R 10.0.0.0/16

    This lists every address in the range and performs reverse-DNS lookups to gather hostnames, which helps map naming conventions and infrastructure roles before any packet reaches the hosts. -sL already resolves names, so -R is redundant here; the only traffic generated is 65,536 PTR queries to your resolver.

Phase 2: Port Scanning and Service Enumeration

  • Detailed Port Scan on Target Subnets:

    shell
    nmap -p 1-65535 -T4 -A -v 10.0.0.0/24

    This comprehensive scan checks all 65,535 TCP ports (-p 1-65535 is the same as -p-) with aggressive timing and verbosity. -A enables OS detection, version detection, the default script set and traceroute on the specified subnet, so it is noisy and slow; run it on a /24 you have already confirmed is in scope.

  • Version Detection on Critical Assets:

    shell
    nmap -sV --version-intensity 9 10.0.0.50-100

    This command focuses on a range of critical assets, such as servers, to detect service versions with the highest intensity for thoroughness.

Phase 3: Vulnerability Assessment

  • NSE Script Scan for Vulnerabilities:
    shell
    nmap --script vuln -iL critical-assets.txt
    This runs the vuln category against the critical assets listed in critical-assets.txt. Pair it with -sV, since many vuln scripts only fire once the service is identified, and remember that the category includes intrusive scripts; check --script-help vuln before running it against production systems.

Phase 4: Firewall and IDS Evasion Techniques

  • Firewall and IDS Evasion Scanning:
    shell
    nmap -sS -f --data-length 200 -T2 --randomize-hosts --spoof-mac Cisco 10.0.0.0/24
    This SYN scan uses packet fragmentation, appends 200 bytes of random data to each probe, slows the scan (-T2) to stay under rate-based alert thresholds, randomizes the order in which the /24's hosts are scanned, and spoofs the source MAC with a Cisco vendor prefix. Fragmentation and the MAC spoof only apply to raw probes sent on the local segment; a stateful firewall reassembles the fragments and a router rewrites the MAC, so treat this as reduced noise, not invisibility.

Phase 5: OS Detection and Misconfiguration Identification

  • Aggressive OS Detection:
    shell
    nmap -O --osscan-guess -p T:21-25,80,443,8080 10.0.1.0/24
    This attempts to identify the operating systems of devices on another subnet. OS fingerprinting needs at least one open and one closed TCP port, so the port list mixes services that are probably open (80, 443) with ones that are probably closed on most hosts (21-25, 8080); --osscan-guess prints the closest matches even when no fingerprint matches perfectly.

Phase 6: Result Analysis and Reporting

  • Saving and Organizing Scan Results:
    shell
    nmap -oA corporate_scan_results 10.0.0.0/16
    This saves the results in all three formats (normal .nmap, XML .xml, and grepable .gnmap) under the given basename for later analysis, reporting and auditing. As written it runs a default 1,000-port scan of the whole /16; in practice add -oA to the scans you actually want to keep, since the XML file is what parsers and reporting tools consume.
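    As an added example (not part of the original post), the Python below parses the XML file that -oX or -oA produces, using only the standard library. The embedded XML is constructed to look like Nmap output for the 10.0.0.0/24 scan above; no scan is run, and the hosts, ports and version strings in it are invented for illustration. It builds a per-host inventory, lists the open ports that go into the findings table, and diffs two scans so that a port that appears between assessments stands out.

```python
"""Parse Nmap XML (-oX / -oA basename.xml) into a host inventory and diff two scans.

Added example; not from the original page. Standard library only.
SAMPLE_XML is constructed to resemble Nmap output; the hosts, ports and
version strings in it are invented for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.0/24">
<host><status state="up" reason="syn-ack"/>
  <address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
      <service name="microsoft-ds"/></port>
  </ports>
  <os><osmatch name="Linux 5.4 - 5.10" accuracy="96"/></os>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="10.0.0.6" addrtype="ipv4"/>
</host>
</nmaprun>"""

# A second constructed scan of the same host in which 445/tcp has become reachable.
SAMPLE_XML_LATER = SAMPLE_XML.replace(
    '<state state="filtered" reason="no-response"/>',
    '<state state="open" reason="syn-ack"/>')


@dataclass
class Port:
    proto: str
    number: int
    state: str
    service: str
    product: str          # "product version" as Nmap reported it, or ""


@dataclass
class Host:
    addr: str
    hostname: str
    os_guess: str
    ports: list = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Return a Host for every target Nmap reported as up."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if h.find("status").get("state") != "up":
            continue
        addr = h.find("address[@addrtype='ipv4']")
        name = h.find("hostnames/hostname")
        match = h.find("os/osmatch")        # Nmap lists the best match first
        host = Host(
            addr.get("addr") if addr is not None else "",
            name.get("name") if name is not None else "",
            f"{match.get('name')} ({match.get('accuracy')}%)" if match is not None else "",
        )
        for p in h.findall("ports/port"):
            svc = p.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product", ""), svc.get("version", "")) if v)
            host.ports.append(Port(
                p.get("protocol"), int(p.get("portid")),
                p.find("state").get("state"),
                svc.get("name", "") if svc is not None else "", product))
        hosts.append(host)
    return hosts


def open_ports(hosts):
    """(addr, proto, port, product) for every open port: the rows of the findings table."""
    return [(h.addr, p.proto, p.number, p.product)
            for h in hosts for p in h.ports if p.state == "open"]


def diff_scans(before, after):
    """Ports that are newly open, and ports that closed, between two scans."""
    old = {(a, pr, n) for a, pr, n, _ in open_ports(before)}
    new = {(a, pr, n) for a, pr, n, _ in open_ports(after)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    first, second = parse_nmap_xml(SAMPLE_XML), parse_nmap_xml(SAMPLE_XML_LATER)
    for h in first:
        print(f"{h.addr} {h.hostname} os={h.os_guess!r}")
        for _, pr, n, prod in open_ports([h]):
            print(f"  {n}/{pr} open {prod}")
    opened, closed = diff_scans(first, second)
    print("newly open:", opened, "closed:", closed)
```

    Replace SAMPLE_XML with the contents of corporate_scan_results.xml to use it on a real run; hosts that were down are skipped, and filtered ports are kept in the inventory but left out of the open-port rows.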

Scanning a Standard Windows Machine

  • Basic scan for open ports:
    shell
    nmap -p- -sV -O 192.168.1.101
    This scans all 65,535 TCP ports (-p-), tries to determine service versions (-sV), and fingerprints the operating system (-O) on the Windows machine at 192.168.1.101. -O needs root for raw packets, and a full -p- scan of a single host takes minutes rather than seconds.

Scanning a Windows Machine with Firewall

  • SYN scan against a host with a local firewall:
    shell
    nmap -sS -T4 -f --randomize-hosts 192.168.1.102
    This uses a half-open SYN scan (-sS), so no connection completes and the application logs stay empty, with fragmented probes (-f) to get past stateless packet filters that inspect only the first fragment. --randomize-hosts only shuffles the order when several targets are given; against a single host it does nothing, and it never hides the scan source. The Windows firewall logs dropped packets regardless, and -T4 makes the burst obvious.

Scanning a Windows Machine with Antivirus

  • Scan with decoys:
    shell
    nmap -sS -D RND:10 192.168.1.103 --script=firewall-bypass
    Decoys (-D RND:10) interleave the real SYNs with probes that appear to come from ten random addresses, so host logs show eleven scanners rather than one; decoys only work with raw-packet scans such as -sS. Antivirus products do not inspect port scans at all; what notices them is the host firewall and any host IDS. The firewall-bypass script is not an evasion script either: it tests whether a firewall's FTP or SIP connection-tracking helper can be tricked into opening a port to the target, and it needs script arguments (see --script-help firewall-bypass) to do anything useful.

Scanning a Remote Windows Machine (WAN)

  • Aggressive scan with version detection:
    shell
    nmap -A -p- -v 203.0.113.5
    Perform an aggressive scan (-A, which is -O -sV -sC --traceroute) on all ports of a remote machine with verbose output (-v). Across a WAN, ICMP is often filtered, so add -Pn if the host is reported down, and budget real time for -p- over a higher-latency link. The public address must be in your written scope just like the internal ranges.

Scanning a Windows Machine Connected to VPN

  • Identify VPN services with script scanning:
    shell
    nmap -sV --script=banner 192.168.1.104
    Run version detection (-sV) and the banner NSE script, which prints whatever greeting a TCP service sends on connect. Most VPN daemons do not send one and listen on UDP (IKE on 500/4500, OpenVPN on 1194) or on TCP 1723 for PPTP, so for VPN enumeration add -sU -p U:500,4500,1194,T:1723 and let -sV, or the ike-version script, identify the gateway.

Scanning a Windows Machine with SIEM Solutions

  • Slow scan to stay under correlation thresholds:
    shell
    nmap -sS -T1 --min-rate 1 --max-retries 1 192.168.1.105
    -T1 inserts a 15-second delay between probes, so the default 1,000 ports take about four hours. --min-rate 1 is a floor of at least one packet per second and does not slow anything down (use --max-rate or --scan-delay to cap the rate), and --max-retries 1 allows at most one retransmission per port, which shortens the scan at the cost of missing ports on a lossy link. A SIEM rule typically alerts when one source touches N distinct ports on a host within a window; pacing probes keeps you below that threshold only if the window is short, and a rule that counts over an hour or a day still sees the scan.

Scanning Behind Firewalls and Intrusion Detection Systems

  • Fragmented scan with evasion:
    shell
    nmap -sS -f --data-length 200 --script=firewall-bypass 192.168.1.106
    Fragmented probes (-f) padded with 200 bytes of random data (--data-length 200) are aimed at signature-based IDS rules written for Nmap's default packets; a stateful IPS that reassembles fragments is not affected. The firewall-bypass script does not bypass an IDS: it checks whether a firewall's FTP or SIP connection-tracking helper can be abused to open a port, and needs its script arguments set (see --script-help firewall-bypass).

Detecting Software Running on a Remote Machine

  • Service version detection with default scripts:
    shell
    nmap -sV --script=default 192.168.1.107
    Detect service versions (-sV) and run the default script set (--script=default, the same thing -sC does) to identify the software running on the target and pull the low-risk details those scripts collect, such as HTTP titles, SSH host keys and SMB OS information.

Scanning a Machine with Advanced Evasion Techniques

  • Using source port and decoys:
    shell
    nmap -sS -p 80 --source-port 53 -D RND:10,ME 192.168.1.108
    Conduct a SYN scan (-sS) of port 80 from source port 53 (--source-port 53), which some filters allow through as DNS, and interleave the real probes with ten random decoy addresses (-D RND:10,ME), where the literal keyword ME marks your own address. Both options need a raw-packet scan; a connect scan (-sT) goes through the OS socket API, so it always uses your real address and an ephemeral source port. Decoys only look plausible if they are live, routable hosts; a monitoring system that sees SYNs from unreachable addresses can discount them.

Scanning a Highly Secured Server

  • Advanced timing and evasion:
    shell
    nmap -sS -T2 --scan-delay 500ms --spoof-mac Cisco 192.168.1.109
    Use a SYN scan (-sS) with a slower timing template (-T2) and a fixed half-second gap between probes (--scan-delay 500ms), and spoof the source MAC with a Cisco vendor prefix (--spoof-mac Cisco), which only matters if the server sits on your Ethernet segment. At 500 ms per probe the default 1,000 ports take a little over eight minutes; the point of the delay is to stay under per-second thresholds, not to be invisible.

Detecting Live Hosts on a Subnet with Rate Limiting

  • Advanced host discovery:
    shell
    nmap -sn --min-rate 100 --max-rate 500 192.168.1.0/24
    Discover live hosts using a ping scan (-sn) with a controlled rate of sent packets to avoid triggering rate-based intrusion prevention mechanisms.

Windows Machine with Advanced Security

 
nmap -sS -sV -O --script "(safe or default) and not broadcast" --version-intensity 9 --osscan-guess -f --data-length 64 --spoof-mac 0 -D decoy1,decoy2,decoy3,ME -T2 192.168.1.110
  • -sS: SYN scan to keep the probes out of application logs.
  • -sV: Enable version detection.
  • -O: Enable OS detection; --osscan-guess on its own does nothing.
  • --script "(safe or default) and not broadcast": Run scripts classified as safe or default, but exclude broadcast scripts, which are noisy on the local network.
  • --version-intensity 9: The highest level of version detection, attempting every single probe.
  • --osscan-guess: Guess the OS more aggressively.
  • -f: Fragment probes so that stateless packet filters only see the first fragment.
  • --data-length 64: Add 64 bytes of random data to probe payloads to avoid IDS signatures written for Nmap's empty probes.
  • --spoof-mac 0: Spoof your MAC address to a randomly generated one (local segment only).
  • -D: Use decoys to muddy the logs; decoy1, decoy2 and decoy3 are placeholders for live hosts you are allowed to implicate, and the literal keyword ME marks your own address.
  • -T2: Slower timing to avoid triggering rate-based IDS/IPS.
  • Caveat: -sV, -O's probes and every NSE script talk to the target through your real TCP/IP stack, so those connections come from your real address, unfragmented and without decoys. The evasion flags cover only the raw port-scan phase; the version and script phases give the defender your address anyway.

Linux Machine with Advanced Security

 
nmap -sU -sS --script "default and not (broadcast or dos or external or fuzzer)" --open -p U:53,111,137,T:21-25,80,443,8080 -T4 --min-rate 10 --max-retries 1 --defeat-rst-ratelimit 192.168.1.111
  • -sU: UDP scan (needs root), since Linux systems often run DNS, RPC and NetBIOS services on UDP. Linux rate-limits the ICMP port-unreachable replies that closed UDP ports generate to about one per second, which is what makes UDP scans slow.
  • -sS: SYN scan for TCP ports.
  • --script: Exclude scripts that are noisy or dangerous.
  • --open: Show only open or possibly open ports.
  • -p: Scan for specific UDP and TCP ports which are commonly used.
  • -T4: Aggressive timing, increasing the speed of the scan.
  • --min-rate 10: Send at least 10 packets per second. -T4 already sends far faster than that on a LAN, so this floor only matters on a slow or lossy link.
  • --max-retries 1: At most one retransmission per port, to reduce scan time and log footprint at the risk of missing ports when packets are lost.
  • --defeat-rst-ratelimit: Some hosts rate-limit the RST replies that closed TCP ports send; this tells Nmap not to wait for them and to report unresponsive ports as closed rather than filtered, which speeds up the TCP part of the scan. It does not help with the UDP side; the ICMP rate limit mentioned above is handled by --defeat-icmp-ratelimit, at the same cost in accuracy.

Android Device with Advanced Security

 
nmap -sS -sU -sV -p T:443,10080,U:5060 --script "default or safe" --version-all -T4 192.168.1.112
nmap -sS -p T:443,10080 --badsum 192.168.1.112
  • -sS: SYN scan for the TCP ports.
  • -sU: UDP scan, useful for SIP or other UDP-based applications commonly found on Android devices.
  • -sV with --version-all: Version detection with every probe; --version-all only sets the intensity and does nothing without -sV.
  • -p: Target specific ports that are more likely to be open.
  • --script: Run default or safe scripts for general discovery.
  • -T4: Aggressive timing to speed up the scan.
  • --badsum, as a separate run: Send probes with an incorrect TCP/UDP checksum. Every real IP stack, the Android device included, silently drops them, so a scan run entirely with --badsum reports nothing useful; any reply you do get comes from a firewall or IDS in the path that did not verify the checksum, which is what this second command is for.

iOS Device with Advanced Security

 
nmap -sS -sV -p T:62078,62080 --script "default and safe" -O --version-light -T4 --spoof-mac Apple 192.168.1.113
  • -sS: SYN scan; the connection never completes, so the listening service on the device does not see it (the packet filter still does).
  • -p: Scan specific TCP ports used by iOS devices for services like lockdownd (62078) and diagnostics (62080).
  • --script: Run only scripts that are both default and safe, to gather general information without causing disruption.
  • -O: Attempt to identify the operating system.
  • -sV --version-light: Light version detection (intensity 2), fewer probes and less noise; --version-light has no effect without -sV.
  • -T4: Aggressive timing for faster scanning.
  • --spoof-mac Apple: Spoof the source MAC with an Apple vendor prefix, which may be trusted by MAC-based access controls on the same Ethernet segment; it has no effect across a router.
