THM Nmap

Dehni, Dehni’s Notes
Jan 30, 2024

Notes from THM NMAP room

Introduction

Basically nmap will connect to each port of the target in turn. Depending on how the port responds, it can be determined as being open, closed, or filtered (usually by a firewall). Once we know which ports are open, we can then look at enumerating which services are running on each port — either manually, or more commonly using nmap.

Key points of the Introduction segment:

  • Before attacking, understand the target network with proper enumeration like port scanning.
  • Port scanning reveals open ports on a target, indicating running services.
  • Each port serves a specific purpose.
  • Standard ports exist (e.g., HTTP on 80, HTTPS on 443), but custom ports are possible.
  • Nmap is a common tool for scanning ports and identifying open services.
  • Open ports are crucial for successful attacks, making port scanning essential.

Answers of the questions:

What networking constructs are used to direct traffic to the right application on a server? - ports

How many of these are available on any network-enabled computer? - 65535

How many of these are considered “well-known”? - 1024

Nmap Switches

Nmap is run from the terminal.

Nmap can be accessed by typing nmap into the terminal command line, followed by some of the "switches" (command arguments which tell a program to do different things).

All you’ll need for this is the help menu for nmap (accessed with nmap -h) and/or the nmap man page (access with man nmap). For each answer, include all parts of the switch unless otherwise specified. This includes the hyphen at the start (-).

Answers of the questions:

What is the first switch listed in the help menu for a ‘Syn Scan’?

-sS

Which switch would you use for a “UDP scan”?

-sU

If you wanted to detect which operating system the target is running on, which switch would you use?

-O

Nmap provides a switch to detect the version of the services running on the target. What is this switch?

-sV

The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?

-v

Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?

-vv

What switch would you use to save the nmap results in three major formats

-oA

What switch would you use to save the nmap results in a "normal" format

-oN

A very useful output format: how would you save results in a "grepable" format?

-oG
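The grepable format is the one you reach for when the results feed another tool. As an added illustration (not code from the THM room or from Nmap), the parser below reads a constructed -oG sample, lists the ports Nmap marked plainly open, and diffs two scans of the same estate so a defender can alert on anything newly exposed; the field layout is Nmap's documented port/state/protocol/owner/service/rpc-info/version/ order.

```python
"""Parse Nmap grepable output (-oG) and flag newly exposed ports.

Added example, not part of the THM room or of Nmap itself.  SAMPLE_GNMAP is a
constructed -oG file; no real hosts were scanned.  Each 'Ports:' entry has seven
'/'-separated fields: port/state/protocol/owner/service/rpc-info/version/
"""
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Jan 30 10:00:00 2024 as: nmap -sS -sU -sV -oG lab.gnmap 10.10.0.0/30
Host: 10.10.0.1 (gw.lab.example)\tStatus: Up
Host: 10.10.0.1 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/udp//domain//dnsmasq 2.86/\tIgnored State: closed (998)
Host: 10.10.0.2 ()\tStatus: Up
Host: 10.10.0.2 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 8080/open|filtered/tcp//http-proxy///\tIgnored State: filtered (997)
# Nmap done at Tue Jan 30 10:00:42 2024 -- 4 IP addresses (2 hosts up) scanned in 42.10 seconds
"""

HOST_RE = re.compile(r"^(\S+) \(([^)]*)\)$")   # e.g. "10.10.0.1 (gw.lab.example)"


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                  # '#' lines only carry the command and timing
        # Tab-separated "Key: value" sections: Host, Status, Ports, Ignored State, ...
        fields = dict(part.split(": ", 1) for part in line.split("\t"))
        ip, name = HOST_RE.match(fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for item in filter(None, fields.get("Ports", "").split(", ")):
            num, state, proto, _owner, service, _rpc, version, *_ = item.split("/")
            entry["ports"].append({"port": int(num), "proto": proto, "state": state,
                                   "service": service, "version": version})
    return hosts


def open_ports(hosts):
    """(ip, port, proto, service) for ports marked plainly 'open'; an
    'open|filtered' verdict is an unknown, not a confirmed exposure."""
    return sorted((ip, p["port"], p["proto"], p["service"])
                  for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open")


def new_exposures(baseline, current):
    """Open (ip, port, proto) in `current` that were not open in `baseline`."""
    seen = {(ip, port, proto) for ip, port, proto, _ in open_ports(baseline)}
    return {(ip, port, proto) for ip, port, proto, _ in open_ports(current)} - seen
```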

Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.

How would you activate this setting?

-A

Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!

How would you set the timing template to level 5?

-T5

How would you tell nmap to only scan port 80?

-p 80

How would you tell nmap to scan ports 1000–1500?

-p 1000-1500

How would you tell nmap to scan all ports?

-p-

How would you activate a script from the nmap scripting library?

--script

How would you activate all of the scripts in the “vuln” category?

--script=vuln

Scan Types

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)
  • SYN “Half-open” Scans (-sS)
  • UDP Scans (-sU)

Additionally there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:

  • TCP Null Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP Xmas Scans (-sX)

Answers of the questions:

Which RFC defines the appropriate behaviour for the TCP protocol? - rfc 9293

If a port is closed, which flag should the server send back to indicate this? - rst

There are two other names for a SYN scan, what are they? — half-open, stealth

Can Nmap use a SYN scan without Sudo permissions (Y/N)? — n

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as? — open|filtered

When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so? — ICMP

Which of the three shown scan types uses the URG flag? — Xmas

Why are NULL, FIN and Xmas scans generally used? — Firewall Evasion

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port? — Microsoft Windows

How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation) — nmap -sn 172.16.0.0/16
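The answers above encode a small set of rules: which reply means open, closed or filtered for each scan type, and when the verdict cannot be trusted. As an added illustration (my own code, not the room's or Nmap's), the model below applies those rules, including the UDP "port unreachable" case and the all-RST behaviour of Windows that makes a NULL/FIN/Xmas result meaningless; the reply tags and the reliability flag are constructed for the example.

```python
"""Model of how Nmap turns a target's reply into a port state.

Added illustration (not code from the THM room or from Nmap): the rules follow
the Nmap reference guide for -sS, -sU and the NULL/FIN/Xmas scans (-sN/-sF/-sX).
A reply is a short tag: "SYN/ACK", "RST", "UDP" (any UDP payload),
"ICMP3/<code>" (ICMP destination unreachable with that code) or None (no reply).
"""

STEALTH = {"-sN", "-sF", "-sX"}   # the scans that rely on RFC 9293 behaviour


def classify(scan, reply):
    """Return the state Nmap would report for one probed port."""
    if reply is None:
        # A SYN normally provokes *something*, so silence means a filter ate it.
        # UDP and the stealth scans cannot distinguish "open" from "dropped".
        return "filtered" if scan == "-sS" else "open|filtered"
    if reply == "RST":
        return "closed"               # RFC behaviour for a closed TCP port
    if reply.startswith("ICMP3/"):
        code = int(reply.split("/", 1)[1])
        if scan == "-sU" and code == 3:
            return "closed"           # "port unreachable": nothing listening on UDP
        return "filtered"             # other unreachable codes come from a filter
    if scan == "-sS" and reply == "SYN/ACK":
        return "open"
    if scan == "-sU" and reply == "UDP":
        return "open"                 # the service answered with its own payload
    raise ValueError(f"unexpected reply {reply!r} for {scan}")


def interpret_scan(scan, replies):
    """Classify every port in {port: reply} and say whether to trust the result.

    A NULL/FIN/Xmas scan that gets RST from *every* port is the signature of a
    stack (e.g. Microsoft Windows) that ignores the RFC, so those "closed"
    verdicts say nothing about which ports are really open."""
    states = {port: classify(scan, reply) for port, reply in replies.items()}
    all_rst = replies and all(r == "RST" for r in replies.values())
    reliable = not (scan in STEALTH and all_rst)
    return states, reliable


if __name__ == "__main__":
    # Constructed replies, as a defender might see them in a packet capture.
    for scan, replies in [("-sS", {22: "SYN/ACK", 23: "RST", 445: None}),
                          ("-sU", {53: "UDP", 69: "ICMP3/3", 161: None}),
                          ("-sN", {22: "RST", 80: "RST", 443: "RST"})]:
        states, reliable = interpret_scan(scan, replies)
        print(scan, states, "reliable" if reliable else "UNRELIABLE: all RST")
```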

NSE Scripts

The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality considerably. NSE scripts are written in the Lua programming language and can be used to do a variety of things, from scanning for vulnerabilities to automating exploits for them. The NSE is particularly useful for reconnaissance; however, it is well worth bearing in mind how extensive the script library is.

There are many categories available. Some useful categories include:

  • safe:- Won't affect the target
  • intrusive:- Not safe: likely to affect the target
  • vuln:- Scan for vulnerabilities
  • exploit:- Attempt to exploit a vulnerability
  • auth:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
  • brute:- Attempt to bruteforce credentials for running services
  • discovery:- Attempt to query running services for further information about the network (e.g. query an SNMP server).

A more exhaustive list can be found here.

To run a specific script, we would use --script=<script-name>

Multiple scripts can be run simultaneously in this fashion by separating them by a comma. For example: --script=smb-enum-users,smb-enum-shares.

Some scripts require arguments (for example, credentials, if they’re exploiting an authenticated vulnerability). These can be given with the --script-args Nmap switch. An example of this would be with the http-put script (used to upload files using the PUT method). This takes two arguments: the URL to upload the file to, and the file's location on disk. For example:

nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'

A full list of scripts and their corresponding arguments (along with example use cases) can be found here.

Answers of the questions:

What language are NSE scripts written in? — lua

Which category of scripts would be a very bad idea to run in a production environment? — intrusive

What optional argument can the ftp-anon.nse script take? — maxlist

Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server? — smb-os-discovery.nse

Read through this script. What does it depend on? — smb-brute

Firewall Evasion

There are a variety of other switches which Nmap considers useful for firewall evasion. We will not go through these in detail, however, they can be found here.

The following switches are of particular note:

  • -f:- Used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS.
  • An alternative to -f, but providing more control over the size of the packets: --mtu <number>, accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
  • --scan-delay <time>ms:- used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
  • --badsum:- this is used to generate an invalid checksum for packets. Any real TCP/IP stack would drop such a packet; however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

Answers of the questions:

Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch? — ICMP

Which Nmap switch allows you to append an arbitrary length of random data to the end of packets? - --data-length
