Skip to content

Instantly share code, notes, and snippets.

@githubfoam

githubfoam/nmap cheat sheet

Last active January 12, 2024 12:35
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save githubfoam/cc36a1e630a4594993ae5017a19ad25b to your computer and use it in GitHub Desktop.
Save githubfoam/cc36a1e630a4594993ae5017a19ad25b to your computer and use it in GitHub Desktop.
Download ZIP
nmap cheat sheet
Raw
nmap cheat sheet
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap IP Fragment Scan (Sample):
Filter: ip.flags.mf == 1
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 40 Fragment 1 of TCP SYN probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.200 TCP 32 Fragment 2 of TCP SYN probe to port 22 (SSH)
3 00:00:00.002000 192.168.1.100 192.168.1.201 TCP 40 Fragment 1 of TCP SYN probe to port 80 (HTTP)
4 00:00:00.003000 192.168.1.100 192.168.1.201 TCP 32 Fragment 2 of TCP SYN probe to port 80 (HTTP)
5 00:00:00.004000 192.168.1.100 192.168.1.202 TCP 40 Fragment 1 of TCP SYN probe to port 443 (HTTPS)
... (Similar entries for other ports)
Analysis:
Source: The IP address sending fragmented scan probes.
Destination: The target IP address being scanned.
Protocol: TCP (Transmission Control Protocol).
Length: Fragment lengths (total packet reassembled in Wireshark).
Info: Indicates fragmented TCP SYN scan probes.
MF Flag: ip.flags.mf == 1 filters fragmented packets (More Fragments flag set).
Key Points:
Fragmentation: Packets are intentionally fragmented to bypass basic firewalls that don't reassemble fragments.
Reassembly: Wireshark reassembles fragments, but some firewalls might not.
Response Analysis:
Reassembled Response: Firewall didn't block fragments.
No Response: Firewall might have blocked fragments.
Ethical Considerations: Fragment scanning can be intrusive and can evade security measures. Use with caution and permission.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
IP fragment scanning can be less reliable than other methods due to firewall variations and reassembly inconsistencies.
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap IP Fragment Scan (Sample):
Filter: ip.flags.mf == 1
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 40 Fragment 1 of TCP SYN probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.200 TCP 32 Fragment 2 of TCP SYN probe to port 22 (SSH)
3 00:00:00.002000 192.168.1.100 192.168.1.201 TCP 40 Fragment 1 of TCP SYN probe to port 80 (HTTP)
4 00:00:00.003000 192.168.1.100 192.168.1.201 TCP 32 Fragment 2 of TCP SYN probe to port 80 (HTTP)
5 00:00:00.004000 192.168.1.100 192.168.1.202 TCP 40 Fragment 1 of TCP SYN probe to port 443 (HTTPS)
... (Similar entries for other ports)
Analysis:
Source: The IP address sending fragmented scan probes.
Destination: The target IP address being scanned.
Protocol: TCP (Transmission Control Protocol).
Length: Fragment lengths (total packet reassembled in Wireshark).
Info: Indicates fragmented TCP SYN scan probes.
MF Flag: ip.flags.mf == 1 filters fragmented packets (More Fragments flag set).
Key Points:
Fragmentation: Packets are intentionally fragmented to bypass basic firewalls that don't reassemble fragments.
Reassembly: Wireshark reassembles fragments, but some firewalls might not.
Response Analysis:
Reassembled Response: Firewall didn't block fragments.
No Response: Firewall might have blocked fragments.
Ethical Considerations: Fragment scanning can be intrusive and can evade security measures. Use with caution and permission.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
IP fragment scanning can be less reliable than other methods due to firewall variations and reassembly inconsistencies.
----------------------------------------------------------------------------------------------------
However, I can provide a generic example of what a Wireshark output might look like for an Nmap UDP scan in a controlled environment:
yaml
Copy code
No. Time Source Destination Protocol Length Info
--------------------------------------------------------------------------------------------
1 0.000000 192.168.1.100 192.168.1.1 UDP 54 [UDP Scan]
Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: Scanning_MAC, Dst: Target_MAC
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 192.168.1.1
User Datagram Protocol, Src Port: random, Dst Port: 53, Length: 34
In this simulated example:
A UDP scan is conducted by sending a UDP packet from the source IP address (192.168.1.100) to the destination IP address (192.168.1.1) on port 53 (DNS). Note that UDP scans typically target services that use the UDP protocol.
The packet is 54 bytes in length and contains UDP-specific headers.
The UDP packet is sent with a random source port.
Keep in mind that this is a generic example, and the actual output may vary based on the specific options used in the Nmap scan, the target environment, and other factors. Additionally, UDP scanning can be more challenging and may not always provide accurate results due to the stateless nature of the UDP protocol.
Always ensure that you have explicit authorization before conducting any network scanning activities, as unauthorized scanning can lead to legal consequences.
----------------------------------------------------------------------------------------------------
However, I can provide a generic example of what a Wireshark output might look like for an Nmap UDP scan in a controlled environment:
yaml
Copy code
No. Time Source Destination Protocol Length Info
--------------------------------------------------------------------------------------------
1 0.000000 192.168.1.100 192.168.1.1 UDP 54 [UDP Scan]
Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: Scanning_MAC, Dst: Target_MAC
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 192.168.1.1
User Datagram Protocol, Src Port: random, Dst Port: 53, Length: 34
In this simulated example:
A UDP scan is conducted by sending a UDP packet from the source IP address (192.168.1.100) to the destination IP address (192.168.1.1) on port 53 (DNS). Note that UDP scans typically target services that use the UDP protocol.
The packet is 54 bytes in length and contains UDP-specific headers.
The UDP packet is sent with a random source port.
Keep in mind that this is a generic example, and the actual output may vary based on the specific options used in the Nmap scan, the target environment, and other factors. Additionally, UDP scanning can be more challenging and may not always provide accurate results due to the stateless nature of the UDP protocol.
Always ensure that you have explicit authorization before conducting any network scanning activities, as unauthorized scanning can lead to legal consequences.
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap UDP (User Datagram Protocol) Scan (Sample):
Filter: udp
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 UDP 0 UDP scan probe to port 53 (DNS)
2 00:00:00.001000 192.168.1.100 192.168.1.201 UDP 0 UDP scan probe to port 161 (SNMP)
3 00:00:00.002000 192.168.1.100 192.168.1.202 UDP 0 UDP scan probe to port 67 (DHCP)
4 00:00:00.003000 192.168.1.100 192.168.1.203 UDP 0 UDP scan probe to port 123 (NTP)
5 00:00:00.004000 192.168.1.100 192.168.1.204 UDP 0 UDP scan probe to port 137 (NetBIOS)
6 00:00:00.005000 192.168.1.100 192.168.1.205 UDP 0 UDP scan probe to port 138 (NetBIOS)
7 00:00:00.006000 192.168.1.100 192.168.1.206 UDP 0 UDP scan probe to port 162 (SNMP Trap)
8 00:00:00.007000 192.168.1.100 192.168.1.207 UDP 0 UDP scan probe to port 69 (TFTP)
9 00:00:00.008000 192.168.1.100 192.168.1.208 UDP 0 UDP scan probe to port 1434 (MS-SQL Server)
10 00:00:00.009000 192.168.1.100 192.168.1.209 UDP 0 UDP scan probe to port 5060 (SIP)
Analysis:
Source: The IP address sending UDP scan probes.
Destination: The target IP address being scanned.
Protocol: UDP (User Datagram Protocol).
Length: Packet length (typically short for probes).
Info: Indicates UDP scan probes to various commonly used ports.
Key Points:
No Connection Establishment: UDP doesn't establish connections like TCP, so probes are simply sent to target ports.
Response Analysis:
ICMP Port Unreachable: Suggests a closed port.
No Response: Implies an open, filtered, or rate-limited port.
Application-Specific Response: Confirms an open port and the application running on it.
Filter: Use udp in Wireshark to isolate UDP traffic, including probes.
Actual Responses: Inspect responses to accurately determine port states and firewall presence.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
UDP scanning can be less reliable than TCP scanning for determining port states due to potential firewall interference and lack of inherent acknowledgment mechanisms
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap Inverse TCP Flag Scan (Sample):
Filter: tcp && !(tcp.flags.syn || tcp.flags.ack || tcp.flags.rst)
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 0 FIN/PSH/URG scan probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.201 TCP 0 Null scan probe to port 80 (HTTP)
3 00:00:00.002000 192.168.1.100 192.168.1.202 TCP 0 FIN scan probe to port 443 (HTTPS)
4 00:00:00.003000 192.168.1.100 192.168.1.203 TCP 0 XMAS scan probe to port 21 (FTP)
5 00:00:00.004000 192.168.1.100 192.168.1.204 TCP 0 Null scan probe to port 25 (SMTP)
6 00:00:00.005000 192.168.1.100 192.168.1.205 TCP 0 FIN/PSH/URG scan probe to port 139 (NetBIOS)
7 00:00:00.006000 192.168.1.100 192.168.1.206 TCP 0 Null scan probe to port 137 (NetBIOS)
8 00:00:00.007000 192.168.1.100 192.168.1.207 TCP 0 FIN scan probe to port 8080 (HTTP alternative)
9 00:00:00.008000 192.168.1.100 192.168.1.208 TCP 0 XMAS scan probe to port 445 (SMB)
10 00:00:00.009000 192.168.1.100 192.168.1.209 TCP 0 Null scan probe to port 4444 (OpenVPN)
Analysis:
Source: The IP address sending scan probes.
Destination: The target IP address being scanned.
Protocol: TCP (Transmission Control Protocol).
Length: Packet length (usually 0 bytes for probes).
Info: Indicates inverse TCP flag scan probes to various ports (FIN, PSH, URG, Null, XMAS).
Key Points:
Unusual Flags: Notice the absence of typical SYN, ACK, and RST flags in probes.
Response Analysis:
No Response: Suggests an open or filtered port.
RST Response: Confirms a closed port.
Filter: Use tcp && !(tcp.flags.syn || tcp.flags.ack || tcp.flags.rst) in Wireshark to isolate inverse TCP probes.
Actual Responses: Inspect responses for accurate port and firewall analysis.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
Inverse scans can be stealthy but might not always be reliable for determining port states.
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap ACK (Acknowledgment) Flag Scan (Sample):
No. Time Source Destination Protocol Length Info
1 0.000000000 192.168.1.1 192.168.1.2 TCP 60 80 → 1234 [ACK] Seq=1 Ack=1 Win=65535 Len=0
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: 00:11:22:33:44:55 (00:11:22:33:44:55), Dst: 00:11:22:33:44:66 (00:11:22:33:44:66)
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.2
Transmission Control Protocol, Src Port: 80, Dst Port: 1234, Seq: 1, Ack: 1, Len: 0
Flags: .A...., ack 1, win 65535, length 0
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap ACK (Acknowledgment) Flag Scan (Sample):
Filter: tcp && tcp.flags.ack
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 0 ACK scan probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.201 TCP 0 ACK scan probe to port 80 (HTTP)
3 00:00:00.002000 192.168.1.100 192.168.1.202 TCP 0 ACK scan probe to port 443 (HTTPS)
4 00:00:00.003000 192.168.1.100 192.168.1.203 TCP 0 ACK scan probe to port 21 (FTP)
5 00:00:00.004000 192.168.1.100 192.168.1.204 TCP 0 ACK scan probe to port 25 (SMTP)
6 00:00:00.005000 192.168.1.100 192.168.1.205 TCP 0 ACK scan probe to port 139 (NetBIOS)
7 00:00:00.006000 192.168.1.100 192.168.1.206 TCP 0 ACK scan probe to port 137 (NetBIOS)
8 00:00:00.007000 192.168.1.100 192.168.1.207 TCP 0 ACK scan probe to port 8080 (HTTP alternative)
9 00:00:00.008000 192.168.1.100 192.168.1.208 TCP 0 ACK scan probe to port 445 (SMB)
10 00:00:00.009000 192.168.1.100 192.168.1.209 TCP 0 ACK scan probe to port 4444 (OpenVPN)
Analysis:
Source: The IP address sending scan probes.
Destination: The target IP address being scanned.
Protocol: TCP (Transmission Control Protocol).
Length: Packet length (typically 0 bytes for probes).
Info: Indicates ACK scan probes to various ports.
Key Points:
ACK Flag: Notice only the ACK flag is set in the TCP header of probes.
Response Analysis:
Unfiltered Response: Suggests an unfiltered port (open or closed).
No Response: Implies a filtered port (likely by a firewall).
Filter: Use tcp && tcp.flags.ack in Wireshark to isolate ACK probes.
Actual Responses: Inspect responses to accurately determine port states and firewall presence.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
---------------------------------------------------------------------------------------------------
Wireshark Output for nmap TCP XMAS Scan (Sample):
No. Time Source Destination Protocol Length Info
1 0.000000000 192.168.1.1 192.168.1.2 TCP 60 80 → 1234 [FIN, PSH, URG] Seq=1 Ack=1 Win=65535 Len=0
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: 00:11:22:33:44:55 (00:11:22:33:44:55), Dst: 00:11:22:33:44:66 (00:11:22:33:44:66)
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.2
Transmission Control Protocol, Src Port: 80, Dst Port: 1234, Seq: 1, Ack: 1, Len: 0
Flags: ...FPU., seq 1, ack 1, win 65535, length 0
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap TCP XMAS Scan (Sample):
Filter: tcp && (tcp.flags.fin || tcp.flags.psh || tcp.flags.urg)
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 0 XMAS scan probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.201 TCP 0 XMAS scan probe to port 80 (HTTP)
3 00:00:00.002000 192.168.1.100 192.168.1.202 TCP 0 XMAS scan probe to port 443 (HTTPS)
4 00:00:00.003000 192.168.1.100 192.168.1.203 TCP 0 XMAS scan probe to port 21 (FTP)
5 00:00:00.004000 192.168.1.100 192.168.1.204 TCP 0 XMAS scan probe to port 25 (SMTP)
6 00:00:00.005000 192.168.1.100 192.168.1.205 TCP 0 XMAS scan probe to port 139 (NetBIOS)
7 00:00:00.006000 192.168.1.100 192.168.1.206 TCP 0 XMAS scan probe to port 137 (NetBIOS)
8 00:00:00.007000 192.168.1.100 192.168.1.207 TCP 0 XMAS scan probe to port 8080 (HTTP alternative)
9 00:00:00.008000 192.168.1.100 192.168.1.208 TCP 0 XMAS scan probe to port 445 (SMB)
10 00:00:00.009000 192.168.1.100 192.168.1.209 TCP 0 XMAS scan probe to port 4444 (OpenVPN)
Analysis:
Source: The IP address sending scan probes.
Destination: The target IP address being scanned.
Protocol: TCP (Transmission Control Protocol).
Length: Packet length (0 bytes for probes).
Info: Indicates XMAS scan probes to various ports.
Key Points:
XMAS Flags: Notice the FIN, PSH, and URG flags set simultaneously, forming the "XMAS" pattern.
Response Analysis:
No response: Suggests an open port (though firewalls can also silently drop packets).
RST response: Confirms a closed port.
Filter: The tcp && (tcp.flags.fin || tcp.flags.psh || tcp.flags.urg) filter isolates XMAS probes in Wireshark.
Actual Responses: Inspect responses for accurate port analysis and firewall detection.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap TCP XMAS Scan (Sample):
Filter: tcp && (tcp.flags.fin || tcp.flags.psh || tcp.flags.urg)
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 0 XMAS scan probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.201 TCP 0 XMAS scan probe to port 80 (HTTP)
3 00:00:00.002000 192.168.1.100 192.168.1.202 TCP 0 XMAS scan probe to port 443 (HTTPS)
4 00:00:00.003000 192.168.1.100 192.168.1.203 TCP 0 XMAS scan probe to port 21 (FTP)
5 00:00:00.004000 192.168.1.100 192.168.1.204 TCP 0 XMAS scan probe to port 25 (SMTP)
6 00:00:00.005000 192.168.1.100 192.168.1.205 TCP 0 XMAS scan probe to port 139 (NetBIOS)
7 00:00:00.006000 192.168.1.100 192.168.1.206 TCP 0 XMAS scan probe to port 137 (NetBIOS)
8 00:00:00.007000 192.168.1.100 192.168.1.207 TCP 0 XMAS scan probe to port 8080 (HTTP alternative)
9 00:00:00.008000 192.168.1.100 192.168.1.208 TCP 0 XMAS scan probe to port 445 (SMB)
10 00:00:00.009000 192.168.1.100 192.168.1.209 TCP 0 XMAS scan probe to port 4444 (OpenVPN)
Analysis:
Source: The IP address sending scan probes.
Destination: The target IP address being scanned.
Protocol: TCP (Transmission Control Protocol).
Length: Packet length (0 bytes for probes).
Info: Indicates XMAS scan probes to various ports.
Key Points:
XMAS Flags: Notice the FIN, PSH, and URG flags set simultaneously, forming the "XMAS" pattern.
Response Analysis:
No response: Suggests an open port (though firewalls can also silently drop packets).
RST response: Confirms a closed port.
Filter: The tcp && (tcp.flags.fin || tcp.flags.psh || tcp.flags.urg) filter isolates XMAS probes in Wireshark.
Actual Responses: Inspect responses for accurate port analysis and firewall detection.
Remember:
This is a generic example. Actual output varies based on scan parameters and network configuration.
Ethical considerations: Scan only with permission and respect privacy.
----------------------------------------------------------------------------------------------------
No. Time Source Destination Protocol Length Info
1 0.000000000 192.168.1.1 192.168.1.2 TCP 60 80 → 1234 [FIN, PSH, URG] Seq=1 Ack=1 Win=65535 Len=0
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: 00:11:22:33:44:55 (00:11:22:33:44:55), Dst: 00:11:22:33:44:66 (00:11:22:33:44:66)
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.2
Transmission Control Protocol, Src Port: 80, Dst Port: 1234, Seq: 1, Ack: 1, Len: 0
Flags: ...FPU., seq 1, ack 1, win 65535, length 0
In a TCP Null Scan, packets are sent without any flags set. This could potentially penetrate some of the firewalls and discover open ports. If we see packets like this in our network, someone is probably performing TCP null scans (e.g. by running nmap -sN <target>).
----------------------------------------------------------------------------------------------------
Wireshark Output
for nmap TCP Null Scan (Sample):
Filter: tcp && !tcp.flags.syn && !tcp.flags.ack && !tcp.flags.fin && !tcp.flags.psh && !tcp.flags.rst && !tcp.flags.urg
No. Time Source Destination Protocol Length Info
1 00:00:00.000000 192.168.1.100 192.168.1.200 TCP 0 Null scan probe to port 22 (SSH)
2 00:00:00.001000 192.168.1.100 192.168.1.201 TCP 0 Null scan probe to port 80 (HTTP)
3 00:00:00.002000 192.168.1.100 192.168.1.202 TCP 0 Null scan probe to port 443 (HTTPS)
4 00:00:00.003000 192.168.1.100 192.168.1.203 TCP 0 Null scan probe to port 21 (FTP)
5 00:00:00.004000 192.168.1.100 192.168.1.204 TCP 0 Null scan probe to port 25 (SMTP)
6 00:00:00.005000 192.168.1.100 192.168.1.205 TCP 0 Null scan probe to port 139 (NetBIOS)
7 00:00:00.006000 192.168.1.100 192.168.1.206 TCP 0 Null scan probe to port 137 (NetBIOS)
8 00:00:00.007000 192.168.1.100 192.168.1.207 TCP 0 Null scan probe to port 8080 (HTTP alternative)
9 00:00:00.008000 192.168.1.100 192.168.1.208 TCP 0 Null scan probe to port 445 (SMB)
10 00:00:00.009000 192.168.1.100 192.168.1.209 TCP 0 Null scan probe to port 4444 (OpenVPN)
Analysis:
This Wireshark output shows packets captured after running an nmap TCP null scan against the IP addresses 192.168.1.200 to 192.168.1.209 from the source IP 192.168.1.100. Each packet (rows 1-10) represents a null scan probe sent to a different common port number on the target machines.
Since no SYN, ACK, FIN, PSH, RST, or URG flags are set in the TCP header, these packets represent null probes. The analysis for each probed port can be based on the response:
No response: Indicates the port might be open (though firewalls can also silently drop packets, making it ambiguous).
RST response: Confirms the port is closed.
In this example, we haven't shown any responses to visualize the scan's results. Based on the actual captured responses, you can further deduce the potential state of each port and note any discrepancies that might point to firewalls or other filtering mechanisms.
Remember, this is just a generic example. The actual Wireshark output will vary depending on the specific scan parameters, target network configuration, and network activity during the capture.
I hope this provides a helpful illustration of what you might encounter while investigating a network capture involving an nmap TCP null scan. If you have any specific questions or want me
----------------------------------------------------------------------------------------------------
#detect if a domain is hosting a Git service, ChatGPT
nmap -sV --script=http-git www.example.com
----------------------------------------------------------------------------------------------------
#detect if a domain is hosting a Git service, ChatGPT
Check the domain's HTTP/HTTPS ports: Git service is typically hosted on port 9418 or 22.
So, you can use a tool like nmap to scan the domain's open ports and see if any of these ports are open.
For example, you can run the following command to scan the domain's open ports:
nmap <domain_name>
----------------------------------------------------------------------------------------------------
#ACK (Acknowledgment) flag scanning
ACK flag scanning, like a digital archaeologist brushing away the dust of forgotten ports, sheds light on closed ports and potential vulnerabilities hiding in the silent corners of your network. Let's explore how Scapy, a powerful Python-based network manipulation tool, empowers you to perform targeted ACK scans and uncover hidden threats.
Crafting the ACK Probe:
Scapy's intuitive syntax allows you to build custom TCP packets with specific flags. Here's how to craft a simple ACK probe aimed at port 22 (SSH) of a target host:
Python
from scapy.all import *
# Define target IP and port
target_ip = "192.168.1.100"
target_port = 22
# Build the ACK packet with no SYN or FIN flag
ack_packet = TCP(dport=target_port, flags="A")
# Send the packet to the target
send(IP(dst=target_ip)/ack_packet)
Use code with caution. Learn more
This code snippet creates a TCP packet with the destination port set to 22 and the ACK flag set, but no SYN or FIN flags. Scapy offers extensive options for customizing this packet, including setting source ports, adding payloads, and modifying other TCP flags.
Interpreting the Responses:
Scapy captures and analyzes the responses to your ACK probes, helping you decipher what's lurking behind the closed port:
RST (Reset) Flag: If the port is truly closed and properly configured, the target will respond with an RST flag, confirming closure.
No Response: A silent response might indicate a filtered port by a firewall or simply a misconfigured system ignoring the unexpected ACK probe.
Unexpected Flags/Data: In rare cases, vulnerable systems might respond with unexpected flags or data, potentially revealing a security flaw or misconfiguration.
Going Beyond Basic ACK Scans:
Scapy's flexibility allows you to perform advanced and targeted ACK scans:
Port Scans: Scan a range of ports or specific services to identify potentially vulnerable closed ports.
Banner Grabbing: Craft specific ACK probes that trigger some systems to return service banners, revealing their identities and potential vulnerabilities.
Vulnerability Testing: Build customized ACK probes based on known vulnerabilities in specific services, like OS fingerprinting or exploiting misconfigurations.
Benefits of Scapy for ACK Flag Scanning:
Customization: Build precise ACK probes tailored to your specific needs and target systems.
Advanced Features: Utilize functionalities like banner grabbing and vulnerability testing for in-depth analysis.
Scripting & Automation: Develop custom scripts for automated and repetitive ACK scanning tasks.
Challenges and Limitations:
Complexity: Scapy requires an understanding of network protocols and Python programming.
False Positives: Interpreting responses can be challenging, and silence might not necessarily indicate a truly closed port.
Evasion Techniques: Attackers might employ techniques to mask their presence from ACK scans, necessitating advanced detection methods.
Conclusion:
Scapy empowers you to become a digital sleuth, delving into the shadows of closed ports and unearthing potential vulnerabilities that traditional tools might miss. By crafting custom ACK probes, analyzing responses, and utilizing advanced features, you can gain valuable insights into your network's security posture and proactively address hidden threats. Remember, silence in the network realm doesn't always signify peace, and by actively probing with Scapy and ACK flag scanning, you can secure your systems and stay ahead of lurking dangers.
Additional Resources:
Scapy Documentation: https://scapy.net/: https://scapy.net/
Scapy Packet Manipulation Tutorial: https://www.studytonight.com/network-programming-in-python/introduction-to-scapy: https://www.studytonight.com/network-programming-in-python/introduction-to-scapy
Network Security with Scapy: https://null-byte.wonderhowto.com/how-to/create-packets-from-scratch-with-scapy-for-scanning-dosing-0159231/: https://null-byte.wonderhowto.com/how-to/create-packets-from-scratch-with-scapy-for-scanning-dosing-0159231/
By mastering Scapy and ACK flag scanning, you can transform the silent shadows of closed ports into a source of security intelligence, safeguarding your network against unforeseen threats lurking in the darkness.
----------------------------------------------------------------------------------------------------
#ACK (Acknowledgment) flag scanning
ACK (Acknowledgment) flag scanning involves sending TCP packets with only the ACK flag set to determine the state of TCP ports on a target system. This scanning technique is useful for identifying filtering devices, firewalls, or stateful packet inspection mechanisms. Below is an example of ACK flag scanning using the Scapy library in Python:
python
Copy code
from scapy.all import *
# Define the target IP address
target_ip = "192.168.1.1"
# Define the target port to scan
target_port = 80
# Craft a TCP packet with only the ACK flag set
ack_packet = IP(dst=target_ip) / TCP(dport=target_port, flags="A")
# Send the packet and wait for a response (timeout set to 1 second)
response = sr1(ack_packet, timeout=1, verbose=0)
# Analyze the response
if response:
if response.haslayer(TCP):
if response.getlayer(TCP).flags == 0x04: # RST
print(f"Port {target_port}/TCP is closed")
elif response.getlayer(TCP).flags == 0x14: # RST/ACK
print(f"Port {target_port}/TCP is open")
else:
print(f"Port {target_port}/TCP state is unknown or filtered")
In this example using Scapy:
IP(dst=target_ip): Creates an IP packet with the destination IP address set to the target IP.
TCP(dport=target_port, flags="A"): Creates a TCP packet with the destination port set to the target port and only the ACK flag set.
sr1(ack_packet, timeout=1, verbose=0): Sends the crafted packet and waits for a response. The timeout parameter sets the maximum time to wait for a response.
The script then analyzes the response:
If a TCP RST (Reset) packet is received, it indicates that the port is closed.
If a TCP RST/ACK (Reset/Acknowledgment) packet is received, it suggests that the port is open.
If no response is received, the script considers the port state as unknown or filtered.
Keep in mind that ACK flag scanning may not be as reliable as other scanning techniques, as many firewalls and security devices are configured to detect and handle unexpected or unusual flag combinations. Additionally, the effectiveness of scanning may vary depending on the target system's configuration.
Always ensure that you have proper authorization before conducting any scanning activities, as unauthorized scanning can lead to legal consequences. Compliance with applicable laws and regulations is essential.
----------------------------------------------------------------------------------------------------
#ACK (Acknowledgment) flag scanning
ACK (Acknowledgment) flag scanning is a technique used in network reconnaissance to determine the state of TCP ports on a target system. Unlike regular TCP SYN scans where the SYN flag is set, ACK scans set only the ACK flag in the TCP packet. This type of scan is often used to identify filtering devices, firewalls, or stateful packet inspection mechanisms.
Here's an example of using Nmap for ACK flag scanning:
bash
Copy code
nmap -sA target_ip
In this example:
-sA: This Nmap option specifies the use of ACK flag scanning.
Nmap sends TCP packets with only the ACK flag set and analyzes the responses from the target system. The interpretation of the responses is as follows:
Open Port: If Nmap receives no response, it suggests that the port is unfiltered and open.
Closed Port: If Nmap receives a TCP RST (Reset) packet in response, it indicates that the port is closed.
Filtered Port: If Nmap receives a TCP RST/ACK (Reset/Acknowledgment) packet, it suggests that the port is filtered.
Alternatives to Nmap for ACK scanning include other network scanning tools that support similar functionality. One such alternative is Hping3. Here's an example using Hping3:
bash
Copy code
hping3 -A target_ip
In this example:
-A: This Hping3 option specifies ACK flag scanning.
Similar to Nmap, Hping3 sends TCP packets with only the ACK flag set and analyzes the responses to determine the state of the TCP ports.
Keep in mind that ACK scanning has limitations and may not be as reliable as other scanning techniques. Many modern firewalls and intrusion detection/prevention systems are configured to detect and handle unexpected or unusual flag combinations, including ACK-only packets. Additionally, some operating systems may respond differently to ACK scans.
Always ensure that you have proper authorization before performing any scanning activities, as unauthorized scanning can lead to legal consequences. It's important to comply with applicable laws and regulations.
----------------------------------------------------------------------------------------------------
#Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping,"
Below is a hypothetical example demonstrating the concept of inverse TCP flag scanning using Scapy:
python
Copy code
from scapy.all import IP, TCP, sr1
# Define the target IP address
target_ip = "192.168.1.1"
# Define the target port to scan
target_port = 80
# Craft a TCP packet with inverted flags (e.g., setting the ACK flag)
tcp_packet = IP(dst=target_ip) / TCP(dport=target_port, flags="A")
# Send the packet and wait for a response (timeout set to 1 second)
response = sr1(tcp_packet, timeout=1, verbose=0)
# Analyze the response
if response:
if response.haslayer(TCP):
if response.getlayer(TCP).flags == 0x14: # RST/ACK
print(f"Port {target_port}/TCP is closed")
elif response.getlayer(TCP).flags == 0x04: # RST
print(f"Port {target_port}/TCP is open")
else:
print(f"Port {target_port}/TCP state is unknown or filtered")
In this example, the TCP packet is crafted with the ACK (Acknowledgment) flag set. The script then sends the packet to the target and analyzes the response. If a TCP RST/ACK (Reset/Acknowledgment) is received, it indicates that the port is closed. If a TCP RST (Reset) is received, it suggests that the port is open. If no response is received, the script considers the port state as unknown or filtered.
----------------------------------------------------------------------------------------------------
#Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping,"
Traditional TCP scans focus on identifying open ports, but what about the silent majority - the closed ports? Enter Inverse TCP Flag Scanning, a technique that flips the script, using malformed TCP flags to identify closed ports and potentially uncover hidden vulnerabilities. Let's delve into this intriguing method, exploring its capabilities with nmap and alternative tools.
The Logic of the Inverse:
Instead of seeking responses from open ports, inverse TCP flag scanning sends probes with specific, unusual TCP flags to elicit responses from closed ports:
FIN Probe: Sending a FIN flag (signifying an intent to close a connection) to a closed port should elicit a RST (reset) flag response, confirming the port is indeed closed.
XMAS Probe: Combining FIN, PSH (push data), and URG (urgent data) flags creates a "malformed" packet that shouldn't be accepted by any open or listening service. A closed port, however, might respond with an RST/ACK flag combination as a generic rejection.
NULL Probe: Sending only the ACK flag with no SYN (synchronize) flag triggers a RST/ACK response from closed ports, similar to the XMAS probe.
Unveiling the Shadows:
By analyzing responses to these atypical probes, network defenders can:
Identify Closed Ports: This provides a more complete picture of network services, aiding in vulnerability assessments and intrusion detection.
Uncover Firewalled Services: Some firewalls might block SYN packets (used in traditional scans) while allowing other flags, revealing services hidden from standard scans.
Detect Misconfigured Systems: Certain systems might respond to malformed probes in unexpected ways, potentially indicating vulnerabilities or misconfigurations.
Examples with nmap:
nmap offers the -sF, -sX, and -sN options for FIN, XMAS, and NULL scans, respectively. You can combine these options with other nmap features like port ranges and timing options to tailor your scans.
Alternative Tools:
Hping3: This powerful packet crafting and injection tool allows sending custom TCP probes with specific flag combinations, enabling advanced inverse scans and vulnerability testing.
ZMap: This high-performance scanner can perform large-scale TCP scans, including inverse flag scans, with impressive speed and efficiency.
Scapy: As a Python-based network packet manipulation tool, Scapy provides the flexibility to design and send arbitrary TCP probes with any flag combination, empowering advanced users to craft custom inverse scans.
Benefits of Inverse TCP Flag Scanning:
Complements Traditional Scans: Provides a more comprehensive view of network services and potential vulnerabilities.
Bypasses Firewalls: Can detect services hidden from standard scans due to firewall filtering.
Proactive Defense: Helps identify misconfigured systems and potential attack vectors.
Challenges and Limitations:
False Positives: Some applications might respond to malformed probes in unexpected ways, leading to misinterpretation.
Evasion Techniques: Attackers might employ techniques to mask their presence from inverse scans, requiring advanced detection methods.
Resource Intensive: Certain scanning tools, like ZMap, can be resource-intensive on large networks.
Conclusion:
Inverse TCP flag scanning offers a valuable tool for network defenders by shining a light on the often-ignored realm of closed ports. By employing nmap and its alternatives, you can gain a deeper understanding of your network services, uncover potential vulnerabilities, and strengthen your overall security posture. Remember, knowledge is power, and by mastering the art of inverse scanning, you can become a digital Sh
----------------------------------------------------------------------------------------------------
#Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping,"
Inverse TCP flag scanning, also known as "TCP flag inversion" or "TCP flag flipping," is a technique used in network reconnaissance to determine the state of TCP ports on a target system. Instead of sending regular TCP packets with specific flags set, this technique involves inverting the flags to observe how the target system responds. Inverse TCP flag scanning can help evade some firewall and intrusion detection system (IDS) rules that may be configured to detect specific flag combinations.
Here's an example using Nmap, a popular open-source network scanning tool:
bash
Copy code
nmap -sF target_ip
In this example:
-sF: This Nmap option specifies the use of inverse TCP flag scanning. It sets the FIN (Finish) flag for the scan.
Nmap sends TCP packets with the FIN flag set and analyzes the responses from the target system. The interpretation of the responses is as follows:
Open Port: If Nmap receives a TCP RST (Reset) packet in response, it indicates that the port is open.
Closed Port: If Nmap receives no response or a TCP RST/ACK (Reset/Acknowledgment) packet, it suggests that the port is closed.
Filtered Port: If Nmap receives no response, it may indicate that a firewall or other network filtering device is blocking the packets, making it difficult to determine the state of the port.
It's important to note that inverse TCP flag scanning is not foolproof. Some firewalls and security devices may be configured to detect and handle unusual or unexpected flag combinations, potentially leading to inaccurate results.
Alternative tools, such as Hping3, also support inverse TCP flag scanning. Here's an example using Hping3:
bash
Copy code
hping3 -F target_ip
In this example:
-F: This Hping3 option sets the FIN flag for the scan, similar to the Nmap example.
Just like with Nmap, Hping3 will send TCP packets with the FIN flag set and analyze the responses to determine the state of the TCP ports.
Keep in mind that the effectiveness of inverse TCP flag scanning may vary depending on the target system's configuration and the network environment. Additionally, using scanning techniques like this should comply with applicable laws and regulations and should only be performed on systems and networks that you have explicit permission to test. Unauthorized scanning can lead to legal consequences.
----------------------------------------------------------------------------------------------------
UDP (User Datagram Protocol) scanning is a technique used in network reconnaissance to discover open UDP ports on a target system. Unlike TCP, UDP is connectionless and doesn't establish a session before exchanging data. As a result, UDP scanning can be more challenging due to the lack of acknowledgment or response from closed ports. Here's an example of UDP scanning using Nmap and its alternatives:
Nmap Example:
To perform a basic UDP scan using Nmap, you can use the following command:
bash
Copy code
nmap -sU target_ip
-sU: Specifies a UDP scan.
This command tells Nmap to scan the target system for open UDP ports. By default, Nmap sends UDP packets to commonly used UDP ports and waits for a response. However, UDP scanning can be slower than TCP scanning because there is no reliable method for determining if a UDP port is open.
Alternative: hping3
Hping is a flexible and powerful packet crafting tool. While it's not a full-fledged port scanner like Nmap, it can be used for specific UDP scanning tasks. Below is a simple example:
bash
Copy code
hping3 -2 -c 5 -p 53 target_ip
-2: Specifies that UDP should be used.
-c 5: Sets the count of packets to send to 5.
-p 53: Specifies the destination port (53 in this example).
In this example, Hping sends 5 UDP packets to port 53 on the target IP. You can change the destination port and packet count as needed.
Alternative: Unicornscan
Unicornscan is another network scanner that supports UDP scanning. It's designed to be fast and efficient. An example UDP scan using Unicornscan:
bash
Copy code
unicornscan -i eth0 -mU -v -l output.txt target_ip:a
-i eth0: Specifies the network interface.
-mU: Sets the scan mode to UDP.
-v: Enables verbose output.
-l output.txt: Logs results to a file.
target_ip:a: Specifies the target IP address and the scan type (a for aggressive).
Mitigation for UDP Scanning:
Firewall Configuration:
Configure firewalls to block unnecessary UDP traffic and allow only required services.
Intrusion Detection/Prevention Systems (IDS/IPS):
Implement IDS/IPS solutions to detect and alert on unusual or suspicious UDP traffic patterns.
Rate Limiting:
Implement rate limiting for UDP traffic to detect and mitigate scanning attempts.
UDP Flood Protection:
Some systems may offer UDP flood protection mechanisms to mitigate the impact of UDP-based attacks.
Network Segmentation:
Segment the network to limit the scope of potential attacks and reduce the impact of open UDP ports.
By understanding UDP scanning techniques and implementing appropriate security measures, organizations can better defend against potential threats. Keep in mind that security practices should be regularly reviewed and updated to adapt to evolving risks.
----------------------------------------------------------------------------------------------------
UDP Scanning: Shining a Light on the Silent Protocol
UDP (User Datagram Protocol) plays a crucial role in network communication, but its stateless nature can offer a haven for hidden vulnerabilities. Enter UDP scanning, a technique used to map open ports and identify potential threats lurking within this silent protocol. Let's explore how tools like nmap can shed light on the UDP realm, along with some alternative options.
Unveiling the Unseen:
nmap and UDP Scanning:
nmap provides the -sU option to perform UDP scanning, sending UDP packets to specific ports on target systems.
You can specify individual ports or ranges with nmap, tailoring the scan to your needs.
nmap analyzes the responses (or lack thereof) to determine whether a port is open, filtered, or closed.
Examples of UDP Vulnerability Detection:
DNS servers: Unsecured DNS servers can be exploited through UDP amplification attacks, which can target other systems.
SNMP (Simple Network Management Protocol): Misconfigured SNMP services accessed via UDP can reveal sensitive information or allow attackers to modify device configurations.
Gaming servers: UDP is often used in online gaming, and vulnerabilities in game servers accessed through UDP can be exploited for remote code execution or privilege escalation.
Beyond nmap: Alternative Tools:
Nmap Scripting Engine (NSE): nmap scripts can be used to perform advanced UDP scanning and service identification, such as detecting specific vulnerabilities or fingerprinting applications.
Scapy: This Python-based tool allows crafting custom UDP packets for targeted vulnerability tests and research.
Benefits of UDP Scanning:
Vulnerability Detection: Identifies potential threats and misconfigurations hiding in the UDP realm.
Network Mapping: Complements TCP scans by providing a complete picture of open ports and services.
Proactive Defense: Helps mitigate risks associated with vulnerable UDP services before attackers exploit them.
Challenges and Limitations:
False positives: Some services might respond to UDP probes even if they are not actively listening, leading to false positives.
Limited information: UDP responses often lack detailed information compared to TCP, making service identification and vulnerability assessment more challenging.
Evasion techniques: Attackers might employ techniques to mask their presence from UDP scanners, requiring advanced methods for detection.
Conclusion:
UDP scanning plays a critical role in securing your network by unveiling potential vulnerabilities that might otherwise go unnoticed. While tools like nmap offer a powerful starting point, exploring alternative options and advanced techniques can further enhance your network threat detection and defense capabilities. Remember, ignoring the silent world of UDP can make your network vulnerable to unforeseen dangers. By shining a light on this crucial protocol, you can proactively safeguard your systems and build a more robust security posture.
----------------------------------------------------------------------------------------------------
UDP Scanning with Scapy: Unmasking the Silent Protocol
UDP scanning, like a detective scouring the shadows, sheds light on the often-ignored UDP protocol, revealing potential vulnerabilities that traditional TCP scans might miss. Let's explore how Scapy, a powerful Python-based network packet manipulation tool, empowers you to perform robust UDP scans and uncover hidden threats.
Delving into the Shadows:
Crafting UDP Packets:
Scapy allows you to build custom UDP packets using its intuitive syntax. Here's how to craft a simple UDP packet aimed at port 22 (SSH) of a target host:
Python
from scapy.all import *
# Define target IP and port
target_ip = "192.168.1.100"
target_port = 22
# Build the UDP packet
udp_packet = UDP(dport=target_port)
# Send the packet to the target
send(IP(dst=target_ip)/udp_packet)
Use code with caution. Learn more
This code snippet creates a UDP packet with the destination port set to 22 and sends it to the target IP. Scapy offers extensive options for customizing this packet, including setting source ports, adding payloads, and crafting specific UDP flags.
Analyzing Responses:
Scapy captures and analyzes the responses to your UDP packets, providing valuable insights into open ports and potential vulnerabilities. Depending on the target system's configuration, you might receive different responses:
Open Port: If the port is open, the target might respond with an ICMP message indicating port unreachable.
Filtered Port: If the port is filtered, the target might not respond at all, leaving you with a silent answer.
Vulnerable Service: In some cases, the target might reveal information about the running service through its UDP response, potentially disclosing vulnerabilities.
Going Beyond Basic Scans:
Scapy's flexibility allows you to perform targeted and advanced UDP scans:
Port Scans: Scan a range of ports or specific services to identify open UDP endpoints.
Banner Grabbing: Extract service banners from responses to identify specific applications and potential vulnerabilities.
Vulnerability Testing: Craft custom UDP packets to probe for specific vulnerabilities in services like DNS or SNMP.
Benefits of Scapy for UDP Scanning:
Customization: Build precise UDP packets tailored to your specific needs and target systems.
Advanced Features: Utilize functionalities like banner grabbing and vulnerability testing for in-depth analysis.
Scripting & Automation: Develop custom scripts for automated and repetitive UDP scanning tasks.
Challenges and Limitations:
Complexity: Scapy requires an understanding of network protocols and Python programming.
False Positives: Interpreting responses can be challenging, and silent targets might not necessarily indicate closed ports.
Evasion Techniques: Attackers might employ techniques to mask their presence from UDP scanners, necessitating advanced detection methods.
Conclusion:
Scapy empowers you to become a digital sleuth, peering into the shadowy world of UDP and uncovering hidden threats. By crafting custom packets, analyzing responses, and utilizing advanced features, you can gain valuable insights into your network's security posture and proactively address potential vulnerabilities. Remember, silence isn't always golden in the network realm, and by actively probing the UDP landscape with Scapy, you can secure your systems and stay ahead of lurking dangers.
Additional Resources:
Scapy Documentation: https://scapy.net/
Scapy Packet Manipulation Tutorial: https://www.studytonight.com/network-programming-in-python/introduction-to-scapy
Network Security with Scapy: https://null-byte.wonderhowto.com/how-to/create-packets-from-scratch-with-scapy-for-scanning-dosing-0159231/
By mastering Scapy and UDP scanning, you can transform the silent protocol from a potential risk into a valuable source of security intelligence, safeguarding your network against unseen threats.
----------------------------------------------------------------------------------------------------
#UDP Scanning
UDP (User Datagram Protocol) scanning is a network reconnaissance technique used to discover open UDP ports on a target system. Unlike TCP (Transmission Control Protocol), UDP is connectionless and does not establish a reliable connection before exchanging data. UDP scanning involves sending UDP packets to various port numbers on a target system and analyzing the responses, if any.
Here's an example of UDP scanning using Scapy, a powerful Python library for packet manipulation:
python
Copy code
from scapy.all import *
# Define the target IP address
target_ip = "192.168.1.1"
# Define the range of UDP ports to scan (for example, ports 1 to 100)
udp_ports = range(1, 101)
# Loop through each port and send a UDP packet
for port in udp_ports:
# Craft a UDP packet with an empty payload
udp_packet = IP(dst=target_ip)/UDP(dport=port)
# Send the packet and wait for a response (timeout set to 1 second)
response = sr1(udp_packet, timeout=1, verbose=0)
# Check if a response was received
if response:
# Analyze the response
if response.haslayer(UDP):
print(f"Port {port}/UDP is open")
elif response.haslayer(ICMP):
if int(response.getlayer(ICMP).type) == 3 and int(response.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]:
print(f"Port {port}/UDP is closed")
else:
print(f"Port {port}/UDP state is unknown")
else:
print(f"Port {port}/UDP is open/filtered (no response)")
In this example:
IP(dst=target_ip) creates an IP packet with the destination IP address set to the target IP.
UDP(dport=port) creates a UDP packet with the destination port set to the current port in the loop.
sr1(udp_packet, timeout=1, verbose=0) sends the crafted UDP packet and waits for a response. The timeout parameter sets the maximum time to wait for a response.
The script then analyzes the response. If a UDP response is received, it indicates that the port is open. If an ICMP (Internet Control Message Protocol) response is received with a specific type and code, it may indicate that the port is closed. If no response is received, the port is considered open/filtered.
Keep in mind that UDP scanning can be less reliable than TCP scanning, as UDP is connectionless, and some systems may not respond to UDP packets even if the port is open. Additionally, firewalls may block or filter UDP packets, making it challenging to accurately determine the state of a UDP port.
----------------------------------------------------------------------------------------------------
IP Fragment Scanning with Nmap can be enhanced using the --scanflags option, which allows you to set specific TCP flags to improve the detection of services that might be hidden within fragmented packets. This technique involves manipulating TCP flags in fragmented packets to evade detection by security systems. Below is an example of how to use the --scanflags option in Nmap for IP Fragment Scanning:
bash
Copy code
nmap --scanflags URG,PSH,FIN target_ip
In this example:
--scanflags: This option allows you to set specific TCP flags for the scan.
URG,PSH,FIN: These are the TCP flags (URGent, PuSH, FINish) that will be set in the scan. You can choose different combinations based on your requirements.
The idea is to use specific TCP flags in the scan to observe how the target system handles fragmented packets with these flags set. This can be useful for evading detection and understanding how different network devices and systems respond to such packets.
Keep in mind that while Nmap is a legitimate and widely used network scanning tool, the same techniques could be misused by attackers for malicious purposes. Network defenders should be aware of these evasion techniques and take appropriate measures to secure their networks.
To defend against IP Fragment Scanning using specific TCP flags, network administrators can consider:
Reassembly Handling: Configure firewalls and intrusion detection/prevention systems to reassemble fragmented packets before analysis.
Deep Packet Inspection (DPI): Employ DPI techniques to inspect the entire content of fragmented packets, including their TCP flags.
Rate Limiting: Implement rate limiting for fragmented packets to control the flow and prevent flooding.
Behavioral Analysis: Monitor and analyze the behavior of network traffic over time to detect patterns associated with IP Fragment Scanning.
Regular Updates: Keep network devices, firewalls, and intrusion detection/prevention systems up-to-date to ensure they have the latest capabilities for handling and detecting fragmented packets with specific TCP flags.
These measures collectively contribute to a more robust defense against IP Fragment Scanning and related evasion techniques.
----------------------------------------------------------------------------------------------------
#IP Fragment Scanning is a technique used by attackers to evade detection by sending fragmented IP packets to a target system during network reconnaissance
Suppose an attacker wants to scan a target system for open ports using IP Fragment Scanning. Nmap provides the --mtu option, which allows the user to specify the maximum transmission unit (MTU) for fragmented packets. The following example demonstrates IP Fragment Scanning with Nmap:
bash
Copy code
nmap -f --mtu 8 target_ip
-f: This option tells Nmap to fragment the packets during the scan.
--mtu 8: Specifies the maximum transmission unit for the fragmented packets.
Nmap will send fragmented packets to the target and analyze the responses to gain insights into how the target system handles fragmented traffic. This information can include details about the operating system, firewall settings, and potentially open ports.
----------------------------------------------------------------------------------------------------
#IP Fragment Scanning is a technique used by attackers to evade detection by sending fragmented IP packets to a target system during network reconnaissance
Hping:
Hping is a command-line-oriented TCP/IP packet assembler/analyzer. It allows users to craft and send custom packets, including fragmented ones.
bash
Copy code
hping3 --frag target_ip
The --frag option in Hping sends fragmented packets to the target system.
----------------------------------------------------------------------------------------------------
#IP Fragment Scanning is a technique used by attackers to evade detection by sending fragmented IP packets to a target system during network reconnaissance
Scapy:
Scapy is a powerful Python-based interactive packet manipulation tool. It allows users to craft custom packets, including fragmented ones.
python
Copy code
from scapy.all import IP, ICMP, send
packet = IP(dst="target_ip")/ICMP()
packet[IP].flags = 1 # Set the Don't Fragment (DF) flag
packet[IP].frag = 0 # Set the Fragment Offset to 0
send(packet)
This Scapy script sends a single, unfragmented ICMP packet with the Don't Fragment (DF) flag set.
----------------------------------------------------------------------------------------------------
#To get around this, nmap can also send a TCP ACK packet to (by default) port 80.
#If the remote machine responds with a RST back, then that machine is up
#Another possibility is to send the remote machine a SYN packet and wait for an RST or a SYN/ACK
#detection
#Discovery Options
#nmap service discovery
nmap -p0-65535 --open -sV 10.10.4.59
nmap -sP 192.168.15.1 # “ping scanning,sites now block echo request packets,nmap sends out ICMP echo request packets to every IP address in a network
nmap -Pn 62.233.173.90 #Host seems down. If it is really up, but blocking our ping probes
nmap -Pn --top-ports 20 c # -Pn Don’t ping
nmap -Pn 192.168.1.0-255
#-sn,skip the port scanning,only perform host discovery.
#-PS,use a TCP SYN ping scan
nmap -sn -PS 192.1.1.1/24
nmap -PA 192.168.1.0-255 # -PA TCP ACK ping
nmap -PU 192.168.1.0-255 # -PU UDP ping
nmap -sn -PY scanme.nmap.org #SCTP Init Ping,determine whether a host is online by sending SCTP INIT packets and looking for ABORT or INIT ACK responses
nmap -PE 192.168.15.1 #ICMP echo ping,
nmap -sP -PE --disable-arp-ping 192.168.56.1 # ICMP echo ping local network
nmap -PE -sn 192.168.0.16
nmap -PP 10.10.4.59 #-PP option performs an ICMP timestamp ping
nmap -PP --disable-arp-ping 10.10.4.59 # local network
nmap -PM --disable-arp-ping 10.10.4.59 # -PM option performs an ICMP address mask ping, local network
nmap -PO 192.168.1.1 # do not ping before scanning,many sites now block/filter the ping echo request packets
nmap -PO1 10.10.3.1 #-PO option performs an IP protocol ping,the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP),-PO1,2,4,etc
#ARP ping,much faster than the other ping methods,
#ARP scans cannot be performed on targets that are not on local subnet
#Nmap silently overrides all other discovery options,with the other discovery options use the --disable-arp-ping option
nmap -PR 10.10.3.1 #more accurate because LAN hosts can’t block ARP requests (even if they are running a firewall)
nmap -Pn -T4 --traceroute www.target.com # find IP,reverse-DNS and traceroute scan
nmap -n 74.207.244.221 #Disable Reverse DNS Resolution, reduce scanning times – especially when scanning a large number of hosts
#Manually specify DNS servers
#useful for systems that do not have DNS configured
#prevents your scan lookups from appearing in your locally configured DNS server’s log file
#Using multiple DNS servers is often faster,especially if you choose authoritative servers for your target IP space
#improves stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.
nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn #
nmap -iR 10 -sn -traceroute
# -p0- asks Nmap to scan every possible TCP port
# -A enables aggressive tests such as remote OS detection, service/version detection, and the Nmap Scripting Engine (NSE)
# T4 enables a more aggressive timing policy to speed up the scan.
nmap -p0- -v -A -T4 scanme.nmap.org
#find all machines on a network that have a certain TCP port open.
#Here is a concrete example of searching 4096 IPs for web servers (port 80 open):
#The “%D” in the filename is replaced with the numeric date on which the scan was run (e.g. “090107” on September 1, 2007)
nmap -Pn -p80 -oG logs/pb-port80scan-%D.gnmap 216.163.128.0/20
egrep '[^0-9]80/open' logs/pb-port80scan2-*.gnmap # find the machines with port 80 open
##find all machines on a network that have a certain TCP port open.
#Excluding reverse-DNS resolution by adding -n reduces the 4096-host scan time to 193 seconds
nmap -T4 -Pn -p80 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -oG logs/pb-port80scan2-%D.gnmap 216.163.128.0/20
egrep '[^0-9]80/open' logs/pb-port80scan2-*.gnmap # find the machines with port 80 open
#network discovery scan with version detection
nmap -O --osscan-guess 192.168.15.1 # -O Operating system detection
nmap -O -PE 192.168.15.1
#The TCP connect scan (-sT) is the default TCP scan type when the TCP SYN scan (-sS) is not an option
#The -O option detects the operating system of the host
nmap -sT -O 192.168.122.65
nmap -sR 192.168.122.65 #Perform a RPC scan
nmap
linuxhint.com # -sV Service version detection
nmap -sV --version-trace linuxhint.com # Troubleshooting version scan
nmap -sV -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan -sV for version detection on specific ports and distinguish between filtered and filtered ports,
nmap -sO 62.233.173.90 para #IP protocol scan of a router and a typical Linux 2.4 box
nmap --open -sO 10.100.0.14
nmap -PO 192.168.1.1 # do not ping before scanning,many sites now block/filter the ping echo request packets
nmap -sS -A -P0 moonshine.ecn.purdue.edu #The ’-P0’ option (the second letter is ’zero’),do not use ping whether a machine is up
nmap -sS 192.168.1.1 # Stealthy scan
nmap 10.100.0.14 -sS -pN -n --max-rate 10000 --open -p 20,21,22,53,137,139,161,445,902,1433,3306,3389,4443,5432,5900,8080,8443,9001 #scan critical ports at fastest rate
nmap -sS 10.100.0.14 -p-
nmap -sS localhost #carry out a port scan of your own machine,The “-sS” option carries out a SYN scan
#If the target machine has the DenyHosts shield running to ward off the dictionary attacks
#-A’ option turned on, IP address may become quarantined on the target machine,assuming that port 22 is included in the range of the ports scanned
nmap -sS -A moonshine.ecn.purdue.edu #an “aggressive” SYN scan,
nmap -sT 187.36.24.156 # TCP connect scan,establish the TCP connection with the target to get the ports’ status
#Port Scanning Techniques
Open Port:
Description:
An open port indicates that a service or application actively accepts connections on that port.
It means an application is running on the target system and accessible through that port.
Nmap usually determines a port is open when it receives a SYN-ACK response during a TCP scan, or an ICMP Echo Reply during a UDP scan.
Nmap Output:
When Nmap detects an open port, it typically labels it as "open" in the scan results. For instance: PORT 80/tcp open http
Closed Port:
Description:
A closed port means that there is no service listening on that port, and attempts to connect will be met with a refusal.
Nmap Output:
Nmap labels closed ports as "closed" in the scan results. For example: PORT 23/tcp closed telnet
A closed port means there's no service listening on it.
The port is accessible, but there's no application ready to respond to connections.
Nmap typically identifies a closed port when it receives a RST (Reset) packet in response to its probes
Filtered Port:
Description:
A filtered port implies that Nmap cannot determine the port's state because it did not receive a response from the target system.
A filtered port means Nmap couldn't determine its state due to a firewall or other network device blocking probes.
It's uncertain whether the port is open or closed because the probes were prevented from reaching the target
Nmap might report a port as filtered if it receives no response, an ICMP unreachable message,
or an ICMP response indicating administrative filtering.
Possible Causes:
Filtered ports might result from firewalls, network congestion, or the target system's configuration.
Nmap Output:
If Nmap detects a filtered port, it usually labels it as "filtered" or "unfiltered."
For instance:
PORT 135/tcp filtered msrpc
PORT 22/tcp open|filtered ssh
Open Ports: They represent potential entry points into the target system and are likely running services.
Closed Ports: Typically considered safe as they don't provide entry to the system.
Filtered Ports:
These ports are in an uncertain state, making it harder to determine their accessibility.
They might be open or closed, but Nmap couldn't conclusively determine due to the lack of response
#relatively unobtrusive and stealthy since it never completes TCP connections, referred to as half-open scanning
#does not open a full TCP connection,sends a SYN packet, as if it s going to open a real connection and then wait for a response.
#A SYN/ACK indicates the port is listening (open)
#while a RST (reset) is indicative of a non-listener.
#If no response is received after several retransmissions, the port is marked as filtered.
#The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received
# The port is considered open if a SYN packet (without the ACK flag) is received in response,
can be due to TCP feature known as a simultaneous open or split handshake connection
Half-Open Scan (SYN Stealth Scan) TCP SYN Scan
Description: Initiates a SYN packet to the target port but does not complete the handshake,
providing information without establishing a full connection.
Sends a SYN packet and immediately checks for a SYN-ACK response without completing the handshake.
It doesn't send an RST, leaving the connection half-open.
Use Case: Faster than a full connection scan but may leave traces in target system logs.
Discerning between open and filtered ports.
Circumventing firewalls that only log full TCP connections.
Less intrusive scanning, as it doesn't fully establish connections
nmap -sS [target] nmap -sS 192.168.0.1
UDP Scan nmap -sU [target] nmap -sU 192.168.0.1
TCP FIN Scan nmap -sF [target] nmap -sF 192.168.0.1
TCP ACK Scan nmap -sA [target] nmap -sA 192.168.0.1
Custom TCP Scan nmap –scanflags [flags] [target] nmap –scanflags SYNFIN 192.168.0.1
IP Protocol Scan nmap -sO [target] nmap -sO 192.168.0.1
Send Raw Ethernet Packets nmap –send-eth [target] nmap –send-eth 192.168.0.1
Send IP Packets nmap –send-ip [target]
Xmas Scan
Description: Sets multiple TCP flags (FIN, URG, PSH) in the packet sent to the target port.
The target's response (or lack of response) indicates the port's status.
If the port is open, it might respond differently based on its state. A lack of response might indicate a closed or filtered port.
Use Case: Another evasive scanning technique that might bypass certain firewall configurations and reveal additional information.
Identifying firewall or IDS configurations.
Mapping unusual port behavior.
Fingerprinting older operating systems
nmap -sX [target] nmap -sX 192.168.0.1
Open Scan (TCP Connect Scan)
Description: It involves establishing a full TCP handshake with the target port.
If the port is open, it responds with a SYN-ACK, indicating readiness to establish a connection
Use Case: Provides reliable results but may be easily detected due to its straightforward nature.
nmap -sT [target] nmap -sT 192.168.0.1
TCP NULL Scan
Description: Sends TCP packets without any flags set (null packets) to the target port.
The response (or lack thereof) helps determine if the port is open, closed, or filtered.
Evasive scanning technique as it might not trigger some intrusion detection systems due to the absence of flags
Evading firewalls or intrusion detection systems (IDS) that might not filter null packets.
Probing systems that implement strict firewall rules.
Gathering OS fingerprinting information.
nmap -sN [target] nmap -sN 192.168.0.1
nmap -p 1-1024 -sT moonshine.ecn.purdue.edu #only the first 1024 ports
nmap -p 1-65535 localhost #Scan specific ports or scan entire port ranges on a local or remote server
nmap -p80 -sV -oG – –open 192.168.1.1/24 | grep open #search web servers
nmap -sX -T2 linuxhint.com #Xmas scan Polite: -T2, neutral.
nmap -sX -T4 linuxhint.com #Xmas scan Aggressive: -T4, fast scan
nmap 1.1.1.1 8.8.8.8 #scan multiple IP addresses
nmap 1.1.1.1,2,3,4 #scan consecutive IP addresses
nmap 8.8.8.0/28 #scan entire CIDR IP ranges, from 8.8.8.1 to 8.8.8.14
nmap 8.8.8.1-14 #from 8.8.8.1 to 8.8.8.14
nmap 8.8.8.* #scan 256 IP addresses from 8.8.8.1 to 8.8.8.256
nmap 8.8.8.* --exclude 8.8.8.1
nmap 192.168.1.0-255
nmap 192.168.1.1-255 --exclude 192.168.1.15
nmap 192.168.1.1-255 --exclude 192.168.1.1,192.168.1.2
$ cat bigmac.txt
192.168.1.1
192.168.1.254
$ nmap --exclude-file bigmac.txt 192.168.1.1-255
Perform a Fast Scan nmap -F [target] nmap -F 192.168.0.1
Scan Specific Ports nmap -p [port(s)] [target] nmap -p 21-25,80,139,8080 192.168.1.1
Scan Ports by Name nmap -p [port name(s)] [target] nmap -p ftp,http* 192.168.0.1
Scan Ports by Protocol nmap -sU -sT -p U: [ports],T:[ports] [target] nmap -sU -sT -p U:53,111,137,T:21- 25,80,139,8080 192.168.0.1
Scan All Ports nmap -p '*' [target] nmap -p '*' 192.168.0.1
Perform a Sequential Port Scan nmap -r [target] nmap -r 192.168.0.1
Scan Top Ports nmap --top-ports 20 192.168.1.106 #scan the top X most common ports for that host
#Troubleshooting And Debugging
nmap --iflist #Display Host Networking
nmap --packet-trace 192.168.1.106
nmap -e eth0 192.168.0.1 #Specify a Network Interface
nmap --open 192.168.0.1 #Only Display Open Ports
nmap --reason 192.168.0.1 #Display Port State Reason
nmap -d 192.168.0.1 #debug
#List all IPs in Subnet with Nmap
nmap -sL 8.8.4.4 8.8.8.8 74.207.244.221 # host list, 3 IPs
nmap -sL -n 192.168.1.0/30 # list the IP addresses in the target subnet -sL with no reverse DNS lookups -n
#The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5.
nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5
nmap -iL list.txt
cat list.txt
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com
nmap -oN output.txt securitytrails.com
nmap -oX output.xml securitytrails.com
nmap -iR 3 10 -PS22-25,80,113,1050,35000 -v -sn -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt #Generate a list of the IPs of live hosts
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt #Append IP to the list of live hosts
nmap -oA output.mnm securitytrails.com # -oA [path/filename],Output all supported file types
ndiff scanl.xml scan2.xml #Compare output from nmap using the ndif
ndiff -v scanl.xml scan2.xml
ndiff -xml scanl.xml scan2.xml
xsltproc nmap.xml -o nmap.html #Convert nmap xml files to html files
nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe #IPv6 Target
#Iptables rules to block Xmas scan
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
nmap -sN 192.168.100.11 #TCP Null scan Does not set any bits (TCP flag header is 0)
nmap -sF 192.168.100.11 #FIN scan (-sF) Sets just the TCP FIN bit.
nmap -sW -T4 docsrv.caldera.com #TCP Window Scan
nmap -Pn -sSV -T4 –F 192.168.100.11 #SSL Post-processor scan,
#Filtered port,A few ports may be filtered to restrict access of the running services to a few IP addresses
nmap 192.168.100.11 #firewall presence, "filtered ports" in the output
traceroute 192.168.100.11 # asterisks (*) in the output
#evade/bypass firewall
#Source Defragmenting:not posible to send highly fragmented packets,e.g: IPTables,ensure that nmap uses raw ethernet frames
#Fragment Queuing:some firewall defrags (aka reassembles) the packets before sending them to destination,fragmentation doesn't work
nmap -f 192.168.100.11 #a fragmentation of 8 byte chunks
nmap -f -p22 192.168.100.11
nmap -ff vg-ubuntu-02 #16 byte chunks,
nmap -ff --scan-delay 10 vg-ubuntu-02 #add a delay between packets sent
nmap -mtu 24 192.168.100.11 #similar to the packet fragmentation,create 24-byte packets,MTU is multiple of 8 (8,16,24,32..)
nmap -v -sS -f -mtu 32 --send-eth --data-length 50 --source-port 8965 -T5 192.168.0.22
nmap -D RND:11 192.168.100.11 # RND generates a random and non-reserved 11 IP addresses,harder to determine from which system the scan starts
nmap -D 192.168.100.11,192.169.42.3,etc. #specify the IP addresses of the decoys
nmap -sT -Pn –-spoof-mac 0 vg-ubuntu-02 # "0" option automatically assigns random MAC for bypassing firewall
nmap -sT -PN --spoof-mac cisco vg-ubuntu-02
nmap --randomize-hosts 192.168.100.11-44 # avoid multiple port scanning detection
nmap vg-ubuntu-02 --data 0xdeadbeef #Binary data as payload
nmap vg-ubuntu-02 --data-string "nmap test"
nmap vg-ubuntu-02 --data-length 6
nmap –source-port 10 192.168.0.1
nmap --badsum 192.168.100.11 #all hosts should drop these packets,if response is received, response comes from a firewall
nmap -sI 192.168.100.11 vg-ubuntu-02 # use as zombie host (aka idle system), 192.168.100.11 is zombie,vg-ubuntu-02 is target
Nmap –Pn –sI –v 192.168.100.11 vg-ubuntu-02
#TCP ACK scan,sends acknowledgment packets instead of SYN packets
#firewall does not create logs of ACK packets as it treats ACK packets as responses to SYN packets
#The ACK scan shows unfiltered and filtered ports instead of open ones
#block unsolicited ACK packets (as sent by the Nmap ACK scan), while allowing ACK packets belonging to legitimate connections,
#firewalls must statefully watch every established connection to determine whether a given ACK is appropriate
nmap -sA -T4 scanme.nmap.org
nmap -sA -p1-100 -T4 scanme.nmap.org
nmap -sA -v -Pn 144.122.219.0/24
#NSE scripts define a list of categories
auth, broadcast, brute, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
all, auth, default, discovery, external, intrusive, malware, safe, vuln
Location: <nmap directory>/share/nmap/scripts/*
$ locate *.nse
$ nmap --script-help=scriptname #get help on which arguments may be accepted by a script
$ nmap --script-updatedb #upgrade scripts to the latest
$ nmap --script=smb-vuln-cve-2017-7494 host #check if a host is vulnerable to Eternal Blue
nmap --script banner.nse 192.168.0.1 #Individual Scripts
nmap -Pn --script banner.nse 192.168.0.1 #Individual Scripts
#The argument to --script had to be in quotes to protect the wildcard from the shell
nmap --script 'not intrusive' 192.168.0.1 #Scripts by Category
nmap --script 'default or safe' 192.168.0.1 #Multiple Script Categories
nmap -p80,443 --script http-methods scanme.nmap.org
nmap -p80,443 --script http-methods --script-args http-methods.retest scanme.nmap.org #check for the HTTP methods
#By default, the script http-methods uses the root folder as the base path ( / )
#set a different base path
nmap -p80,443 --script http-methods --script-args http-methods.urlpath=/mypath/ scanme.nmap.org
#some packet filtering products that block requests that use Nmap’s default HTTP User Agent
#use a different HTTP User Agent
nmap -p80 --script http-methods --script-args http.useragent=”Mozilla 5″ <target>
#HTTP pipelining,if the web server supports it
nmap -p80 --script http-methods --script-args http.pipeline=25 <target>
nmap --script http-open-proxy -p8080 <target> #Detecting HTTP proxies
nmap --script http-open-proxy --script-args http-open-proxy.url=http://whatsmyip.org,http-open-.pattern=”Your IP address is” -p8080 <target>
nmap --script http-enum -p80 <target> # file and directory discovery
#display all the entries that returned a status code that could possibly indicate a page exists,
nmap script http-enum http-enum.displayall -p80 — <target>
#dictionary attacks against HTTPAuth protected resources,home routers, IP webcams, and even web applications still rely on HTTP authentication
nmap -p80 --script http-brute --script-args http-brute.path=/admin/ <target>
nmap -p80 --script http-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
#some packet filtering products that block requests made using Nmap’s default HTTP User Agent.
#use a different User Agent value by setting the argument http.useragent
nmap -p80 --script http-brute --script-args http.useragent=”Mozilla 5″ <target>
#user: In this mode, for each user listed in userdb, every password in passdb will be tried.
nmap --script http-brute --script-args brute.mode=user <target>
#pass: In this mode, for each password listed in passdb, every user in usedb will be tried.
nmap --script http-brute --script-args brute.mode=pass <target>
#fcreds: This mode requires the additional argument brute.credfile.
nmap --script http-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
#Apache’s module UserDir provides access to the user directories by using URIs with the syntax /~username/
#perform dictionary attacks and determine a list of valid usernames on the web server.
nmap -p80 --script http-userdir-enum <target> #
#Often default credentials are found in the web applications
nmap -p80 --script http-default-accounts <target>
#identify a web application firewall/IDS
nmap --script=http-waf-fingerprint targetwebsite.com
nmap p80 --script http-waf-detect <target> #detect a Web Application Firewall or Intrusion Prevention System
nmap -p80 --script http-waf-detect --script-args=”http-waf-detect.detectBodyChanges” <target>
nmap -p80 --script http-waf-detect --script-args=”http-waf-detect.aggro” <target>
#some packet filtering products that block requests made using Nmap’s default HTTP User Agent
nmap -p80 --script http-waf-detect --script-args http.useragent=”Mozilla 42″ <target>
#Detecting XST Vulnerabilities
nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
#Detecting XSS Vulnerabilities
nmap -p80 --script http-unsafe-output-escaping <target>
#Detecting SQL Injection
nmap -p80 --script http-sql-injection <target>
nmap -p80 --script http-sql-injection --script-args httpspider.maxpagecount=200 <target>
nmap -p80 --script http-sql-injection --script-args httpspider.withinhost=false <target>
nmap -p80 --script http-sql-injection --script-args http.useragent=”Mozilla 42″ <target>
nmap --script smb-os-discovery.nse 10.10.10.16
#script tries to discover firewall rules using an IP TTL expiration
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
----------------------------------------------------------------------------------------------------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment