## Scanning Techniques

- host discovery
- port scanning
- service enumeration and detection
- OS detection
- scriptable interaction with the target service
  - nmap scripting engine (NSE)

```bash
# nmap syntax
nmap <scan types> <options> <target>
# target may be a single IP, a range of IPs, or a list of IPs
```

## Common Options

- `-sS` for default TCP-SYN scan
  - if target responds with SYN-ACK, the port is open
  - if target responds with RST, the port is closed
  - if no response is received, nmap will display `filtered`
    - depending on FW settings the incoming request may be dropped or ignored

![[images/Pasted image 20250912191016.png]]

- `-sT` for TCP connect scan
  - attempts a full three-way TCP handshake
- `-sn` to disable port scanning
  - uses ICMP echo requests in place of TCP-SYN
- `-oA` to store results in all formats
- `-iL` to specify input file with list of hosts
- `-PE` for ping scan with ICMP echo requests
- `--packet-trace` shows all packets sent and received
- `--reason` displays the reason for each reported port state
- `--disable-arp-ping` disables ARP pings
- `-n` disables DNS resolution
- `-Pn` skips host discovery (no ICMP echo requests; hosts are treated as up)
- `--top-ports=10` specifies top N ports to scan
- `-F` for top 100 ports
- `-sV` performs a service scan for version info
- `-v` verbose mode
- `-vv` extremely verbose mode

```bash
# trace TCP packets to target_ip's FTP port using the default TCP-SYN scan
sudo nmap target_ip -p 21 --packet-trace -Pn -n --disable-arp-ping --reason
```

## Fingerprint OS based on TTL

- different TTL values in ICMP echo replies (ping responses) indicate the target OS

| OS                 | TTL value |
| ------------------ | --------- |
| \*nix (Linux/Unix) | 64        |
| Windows            | 128       |
| Solaris/AIX        | 254       |

## Scanned Port States

| State            | Description |
| ---------------- | ----------- |
| open             | connection to the scanned port has been established (TCP, UDP, or SCTP) |
| closed           | packet with RST flag has been received |
| filtered         | unable to determine whether the scanned port is open or closed, because either no response is returned from the target for the port or an error code is received |
| unfiltered       | only occurs during a TCP-ACK scan; indicates that the port is accessible, but it cannot be determined whether it is open or closed |
| open\|filtered   | no response; indicates that a FW or packet filter (PF) may protect the port |
| closed\|filtered | only occurs with IP ID idle scans; indicates that it was impossible to determine if the scanned port is closed or filtered by a FW |

## Discovering Open UDP Ports

- `-sU` performs a UDP scan
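The port-state table and the TTL table above, worked through as an added example that is not part of the original note: it parses the grepable (`.gnmap`) output that `-oA` writes into per-host counts of the states listed in the table, and maps an observed echo-reply TTL to an OS family from the note's TTL table by allowing for router hops. The sample scan lines, the host addresses and services, and the function names `parse_gnmap`, `summarize_states`, `ttl_from_ping_line` and `guess_os_from_ttl` are all constructed for this example.

```python
"""Added example (not from the original note): parse nmap grepable output
(the .gnmap file that -oA writes) into per-host port states, and map an
observed ICMP echo-reply TTL to an OS family using the note's TTL table.
All sample data below is constructed by hand, not captured from a scan."""
import re
from collections import Counter

# Initial TTL values exactly as listed in the note's table (OS family -> TTL).
TTL_TABLE = {"*nix (Linux/Unix)": 64, "Windows": 128, "Solaris/AIX": 254}

# Constructed grepable-output lines for two hypothetical hosts.
# Each port entry is port/state/protocol/owner/service/rpc_info/version.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.9/, 80/filtered/tcp//http///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)
Host: 10.0.0.9 (printer.lab)\tPorts: 9100/open/tcp//jetdirect///, 631/closed/tcp//ipp///\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

IGNORED_RE = re.compile(r"^(\S+) \((\d+)\)$")


def parse_gnmap(text):
    """Return {ip: {"ports": [dict, ...], "ignored": (state, count) | None}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks
        # Tab-separated "Key: value" fields, e.g. Host / Ports / Ignored State.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]
        host = hosts.setdefault(ip, {"ports": [], "ignored": None})
        if "Ports" not in fields:
            continue  # host-discovery-only line (Status: Up)
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.strip().split("/")[:7]
            host["ports"].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": version})
        m = IGNORED_RE.match(fields.get("Ignored State", ""))
        if m:
            host["ignored"] = (m.group(1), int(m.group(2)))
    return hosts


def summarize_states(host):
    """Count ports per nmap state, folding in the bulk 'Ignored State' count
    so the totals reflect every port that was probed."""
    counts = Counter(p["state"] for p in host["ports"])
    if host["ignored"]:
        state, n = host["ignored"]
        counts[state] += n
    return counts


def ttl_from_ping_line(line):
    """Extract the TTL from a ping reply line such as
    '64 bytes from 10.0.0.5: icmp_seq=1 ttl=57 time=4.1 ms'; None if absent."""
    m = re.search(r"\bttl=(\d+)", line)
    return int(m.group(1)) if m else None


def guess_os_from_ttl(observed_ttl):
    """Each router hop decrements TTL by one, so the observed value sits at or
    below the sender's initial TTL. Pick the smallest table value that is >=
    the observed TTL and return (os_family, estimated_hops); (None, None)
    when the value is invalid or above every entry in the note's table."""
    if not 1 <= observed_ttl <= 255:
        return None, None
    for os_name, initial in sorted(TTL_TABLE.items(), key=lambda kv: kv[1]):
        if observed_ttl <= initial:
            return os_name, initial - observed_ttl
    return None, None


if __name__ == "__main__":
    for ip, host in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip, dict(summarize_states(host)))
        for p in sorted(host["ports"], key=lambda p: p["port"]):
            print(f"  {p['port']}/{p['proto']} {p['state']:<14} {p['service']} {p['version']}".rstrip())
    ttl = ttl_from_ping_line("64 bytes from 10.0.0.5: icmp_seq=1 ttl=57 time=4.1 ms")  # constructed
    print("TTL", ttl, "->", guess_os_from_ttl(ttl))
```

The folded-in `Ignored State` count matters when reading `.gnmap` files: nmap collapses the most common state into that single field, so counting only the listed entries would hide the hundreds of `closed` or `filtered` ports that tell you how the target's firewall behaves. The TTL guess is a heuristic only; a host several hops away with a non-default initial TTL can land in the wrong row of the table.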