Needful Things‎ > ‎

Nmap - your new old best friend

Nmap So while trying to validate some of the findings that others just toss out the window like they do not have any value in a report I have started to wonder why they choose to do so - many times it is nothing more then an annoyance of the assessor to see numerous TCP Timestamp findings, so they just delete them.

I put forth some time to learn proper validation techniques here and found some things that I actually learned alone the way about mmap that I feel worthy to share with the people who care to know.

Nmap comes default with numerous ICMP ping types as most of us only know of the "P0" switch which disables the pinging of a site.

Below is a list of more ping options, this might not be a full complete list and will be added onto as I find them -

    Nmap Ping ICMP types as follows:

        Pn - Treat all host as online - skip host discovery
        PS - Syn [add port number]
        PY - SCTP discovery to given ports
        PP - Timestamp
        PM - Netmask 
        PE - ICMP Echo
        PA - TCP Ack [add port number]
        PB - ICMP Echo + TCP Ack 
        PU - UDP PING [add port number]
 - IP Protocol Scanning [set protocol by number]

These ping types can also be supplemented to change the default port which mmap uses to test for connectivity, and the default port is: 80/TCP

This means the port in which ping uses to ping a host with can be set to 443/TCP, rather then the default which honestly might not be ideal for some networks.

As well this one could set this to try numerous different ports as well depending on the target networks firewall rules being implemented on their perimeter.

    nmap -sP -PS443

Another useful tactic for Nmap is utilize the source port while pinging to bypass firewall rules or also known as packet crafting where anything from port 53 DNS would/might not be blocked/dropped

    nmap -sP -PA443 -g 53

A new type of stealth scanning known as the Maimon scan (-sM) is similar to the FIN scan however this scanning method enables both the ACK and the FIN flag in the same frame sent to the target networked device. 

    nmap -vvv -sM -p 443 -Pn -d2

This stealth scan is designed to operate much like the FIN scan as in if a RST is received the port is closed and if no response is received the port is open. 

The above command also introduces (-v) verbosity as well as (-d2) debugging level 2 to help follow the scanning and understanding the functions behind the scan types.

When doing reverse dns list from a CIDR range one could use the common dns tools or they could walk the range with the following command which will parse the output of nmap for the dns names

nmap -sn -PS80,443,21,22,25,53 -PU53 | grep "scan report" | sed -r "s/((.*)| (.*)){4} (.*) (.*)/\4/g"

The above command uses two other commands pipped or chained together with the  "|" to create a stream of data which is parsed. The grep command looks for and keeps anything matching "scan report" and then feeds these lines into the sed command which if your unfamiliar with regular expressions or commonly known as regex then me explaining what it's doing will sound confusing, however I will entertain the idea of explaining ...

    ( )  = blocking used to designate groups of characters
     .   = matches any character
     *   = matches any character from zero to infinity times in a row 
    (.*) = match anything and everything utilizing the above three rules used in conjunction 
     |   = logical "OR" used to represent choice
    {4}  = represents how many times a repeat occurs
     \4  = backreference used to display matched characters in () group by location 

I do hope this has expanded your knowledge on nmap and its uses as a validation tool and not just a port scanner. If knowing is half the battle then getting in would be the other half ... Enjoy!