Table of Contents
- Table of Contents
- Introduction
- Top Mistakes That Lead To Detection
- Important Commands to Know
- Using Custom Nmap Scripts (NSE)
- Example of Vulnerability Analysis - Fingerprinting SMB
- Examples of Good Scans
- Useful References
Introduction
Nmap is among the most well known and reliable security testing tools out there today. For more than two decades it has been a reliable and highly customizable port scanner, but over time a lot of additional functionality has been added that gives tremendous control over how scans are conducted and what information can be enumerated. It is free and open source, installs easily on Windows or Linux, and is the basis for tons of other tools built on top of it. There are even a couple of great graphical user interfaces (Zenmap, for one) from which Nmap scans can be run, or into which results can be imported, which makes sorting the data even easier.
Top Mistakes That Lead To Detection
- Your speed is set too aggressively. Nmap's timing templates run from -T0 (paranoid) to -T5 (insane); the default when nothing is specified is -T3 (normal), and -T4 is the one Nmap actually calls aggressive. Even the default is often fast enough to be detected. Consider slowing your scans down by adding -T2 or -T1 to your command. To take it to the next level you can enforce a minimum wait between probes sent to the same host with --scan-delay <time>; this is awesome when you run into hosts that are rate limiting responses. I like to set it to --scan-delay 1075ms.
- It's too obvious that you are doing a scan. Nmap has been around for well over 20 years, and as a result security products know what default Nmap traffic looks like. If you want to avoid detection you have to add some variation to your scans. You can fragment the packets with -f, sure, but there are some other really slick options. A couple of my favorites are randomizing the order in which the hosts of a subnet are scanned with --randomize-hosts, and appending random data to the end of every probe with --data-length <number> (Nmap sends empty probes by default, which is part of its signature). This way you're sending packet fragments, in a random order, and every packet is different due to the randomly appended data. Keep in mind that -f and --data-length only shape the raw-socket port scan: version detection (-sV) and NSE scripts go through the operating system's TCP stack and are unaffected, and many IDS sensors reassemble fragments before matching.
- You scanned the gateway! Just don't do it. Instead of scanning 10.10.10.0/24 as a whole, skip the likely gateway with a range like 10.10.10.2-254, or keep the range and carve it out with --exclude 10.10.10.1 (or --excludefile <file> for a longer list). You'll thank me later.
Important Commands to Know
Flag | What Does it Do? | Purpose | Notes |
---|---|---|---|
-sV | Service Versioning | Host Discovery | |
-A (or -sV -O) | Service and OS Versioning | Host Discovery | -A also runs the default NSE scripts and a traceroute; OS detection needs root |
-v | Add Verbosity | Quality of Life | You 'can' add extra verbosity with -vv but I find that to be useless |
-p <ports> | Specify Port(s) | Host Discovery | |
-iL <file> | Read Targets from List | Quality of Life | |
-oN / -oX <file> | Output Results to a File (.txt, .xml) | Quality of Life | I always output to .xml so you can upload to Zenmap or Legion |
--open | Only Display Open Ports | Quality of Life | |
--script <name> | Load an NSE script | Host Discovery, Quality of Life, Vulnerability Analysis | |
-sU | Specify a UDP Port Scan | Host Discovery | |
-6 | Enable IPv6 scanning | Host Discovery | |
-T0 to -T5 | Set Speed | Obfuscation | Likely you do not need to go slower than T2, and should never go faster than T4. |
-f | Fragment the Packets: splits each probe across several tiny IP fragments | Obfuscation | Does not work on Windows, with NSE scripts, or with service versioning (those use the OS TCP stack rather than raw packets) |
--randomize-hosts | Scan the Target Range in a Random Order | Obfuscation | No good reason not to use this one |
--data-length <number> | Append Bytes of Random Data to Each Packet | Obfuscation | A typical TCP probe is 40 bytes (20 IP + 20 TCP); I find appending 5 (12.5% variance) is a good amount |
-Pn | Skip host discovery (treat every target as up; no ICMP or TCP ping probes) | Obfuscation | A lot of networks block ICMP |
--disable-arp-ping | Disable ARP Ping | Obfuscation | Only relevant when the targets are on your local Ethernet segment |
--discovery-ignore-rst | Ignore RST responses during host discovery | Obfuscation | |
--host-timeout <time> | Specifies a Time After Which the Scan Gives Up on a Host and Moves On | Obfuscation | Applies to the whole per-host scan, NSE scripts included |
--max-retries <number> | Specifies How Many Times a Probe Is Retransmitted Before Moving On | Obfuscation | |
--scan-delay <time> | Adds a Minimum Delay Between Probes Sent to the Same Host | Obfuscation | 1075ms seems to work well and be plenty of a delay |
--exclude-ports <ports> | Excludes Specific Port(s) From the Scan | Obfuscation | |
Using Custom Nmap Scripts (NSE)
The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap that extends its functionality considerably. NSE is particularly useful for reconnaissance, but it can also be used for a variety of other tasks such as scanning for vulnerabilities and automating their exploitation. Scripts are Lua code that runs with whatever privileges Nmap has (often root), so treat a third-party script like any other code you would run as root: read it before you install it.
To find scripts:
- Look at the Nmap website, which lists and documents every official script
- Or look at the local storage on your attacking machine. On Linux, distro packages put the scripts in /usr/share/nmap/scripts (a source install uses /usr/local/share/nmap/scripts)
ls /usr/share/nmap/scripts
Many custom scripts can be found on GitHub; save them locally by adding the .nse file to /usr/share/nmap/scripts with nano, gedit, or vi, then run sudo nmap --script-updatedb so that script.db (the index --script uses to resolve categories and wildcards) picks the new script up.
Example
- Identify the script you want
- ms-exchange-version-nse/ms-exchange-version.nse at main · righel/ms-exchange-version-nse (github.com)
- Copy the .nse script and go to your Linux box
cd /usr/share/nmap/scripts
sudo nano ms-exchange-version.nse
[PASTE THE SCRIPT FROM GITHUB]
ctrl+x
y
Then you can run your script in nmap like this:
nmap --script=ms-exchange-version.nse [target]
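Before pasting a script from GitHub into /usr/share/nmap/scripts it is worth checking what it declares and whether it does anything to the scanning host itself. The following is an added example, not code from the original page or from the author of the ms-exchange-version script. It assumes the default Linux scripts directory the page uses (overridable), that nmap is on PATH when --script-updatedb is requested, and that the two .nse sources embedded in it are constructed stand-ins for a real download. The checks are heuristics over the Lua source, not a sandbox.

```python
"""Vet a third-party NSE script before dropping it into Nmap's scripts directory.

Added example (not from the page). Heuristic checks over the Lua source:
what categories it declares, which NSE libraries it requires, and whether
it calls anything that acts on the scanner rather than the target.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Lua calls that act on the scanning host (usually running nmap as root)
# rather than on the target. Legitimate NSE scripts almost never need them.
RISKY_CALLS = ("os.execute", "io.popen", "os.remove", "os.rename", "loadstring", "dofile")

# Categories that can crash or compromise the target; require an explicit opt-in.
DANGEROUS_CATEGORIES = ("dos", "exploit")

# Constructed minimal script in the shape of an official NSE file (not a real one).
SAMPLE_NSE = '''
local shortport = require "shortport"
local http = require "http"
description = [[Constructed example: fetches / and reports the Server header.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

action = function(host, port)
  local resp = http.get(host, port, "/")
  return resp.header and resp.header["server"]
end
'''

# Constructed variant that shells out on the scanner; vetting should refuse it.
RISKY_NSE = SAMPLE_NSE.replace(
    'return resp.header', 'os.execute("id > /tmp/x"); return resp.header')


def vet_nse_source(source):
    """Summarise what the script declares and whether it touches the scanner."""
    m = re.search(r"categories\s*=\s*\{([^}]*)\}", source)
    categories = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    requires = sorted(set(re.findall(r'require\s*\(?\s*"([^"]+)"', source)))
    risky = [call for call in RISKY_CALLS if call in source]
    has_rule = re.search(r"\b(prerule|hostrule|portrule|postrule)\s*=", source) is not None
    has_action = re.search(r"\baction\s*=", source) is not None
    return {"categories": categories, "requires": requires,
            "risky_calls": risky, "well_formed": has_rule and has_action}


def install_nse(src_path, scripts_dir="/usr/share/nmap/scripts",
                allow_dangerous=False, allow_risky=False, run_updatedb=True):
    """Copy the script in only if it passes vetting; return the destination path."""
    src = Path(src_path)
    report = vet_nse_source(src.read_text())
    if not report["well_formed"]:
        raise ValueError(f"{src.name}: no rule/action found; not an NSE script?")
    if report["risky_calls"] and not allow_risky:
        raise ValueError(f"{src.name}: touches the scanner via {report['risky_calls']}")
    bad = [c for c in report["categories"] if c in DANGEROUS_CATEGORIES]
    if bad and not allow_dangerous:
        raise ValueError(f"{src.name}: categories {bad} need allow_dangerous=True")
    dest = Path(scripts_dir) / src.name
    shutil.copyfile(src, dest)
    if run_updatedb and shutil.which("nmap"):
        # Re-index script.db so the new script's categories resolve in --script.
        subprocess.run(["nmap", "--script-updatedb"], check=True, capture_output=True)
    return dest


def demo():
    """Vet both constructed scripts against a throwaway scripts directory."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "scripts"
        scripts.mkdir()
        good = Path(tmp) / "example-server-header.nse"
        good.write_text(SAMPLE_NSE)
        bad = Path(tmp) / "example-risky.nse"
        bad.write_text(RISKY_NSE)
        installed = install_nse(good, scripts_dir=scripts, run_updatedb=False).exists()
        try:
            install_nse(bad, scripts_dir=scripts, run_updatedb=False)
            refused = False
        except ValueError:
            refused = True
    return installed, refused


if __name__ == "__main__":
    print(vet_nse_source(SAMPLE_NSE))
    print("installed, refused =", demo())
```

For a real download, call install_nse("ms-exchange-version.nse") as root and read the returned report alongside the script; a script that legitimately needs a dos category or a shell call is still installable, but only by saying so explicitly.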
Flag | What Does it Do? | Why Does that Matter? | When to Use it? | Purpose |
---|---|---|---|---|
--script smb-security-mode | Checks the host's SMBv1 signing settings | If SMB signing is not enabled and required, the host can be authenticated to with relayed NTLM credentials (SMB/NTLM relay) | When you see 139/445 open, or NBNS/LLMNR traffic on the network | Vulnerability Analysis |
--script smb2-security-mode | Checks the host's SMBv2/3 signing settings | Same as above; this is the check that still works when SMBv1 is disabled | When you see 139/445 open, or NBNS/LLMNR traffic on the network | Vulnerability Analysis |
--script smb-protocols | Lists the SMB dialects the host speaks (SMBv1, 2.x, 3.x) | Older versions of SMB are riddled with RCE vulnerabilities (e.g. EternalBlue, which targets SMBv1) | When analyzing Windows server infrastructure | Vulnerability Analysis |
--script vulners (requires -sV) | Basic vulnerability lookup of detected versions against the vulners.com database | You can obfuscate this much more than something like OpenVAS; note the script needs outbound access to the vulners.com API from the scanning host | When you have a large amount of data to analyze and need to automate the research process | Vulnerability Analysis, Quality of Life |
--script ms-exchange-version (third-party, from GitHub) | Enumerates the specific version and build of on-prem MS Exchange servers | Older Exchange servers have several significant exploits available | Anytime you see on-prem Exchange | Vulnerability Analysis |
--script nfs-showmount | Enumerates NFS exports on a host | It may be possible to mount those shares and parse through potentially sensitive data | When you see 2049 open | Vulnerability Analysis |
| Identifies instances of Jenkins on the network | Older versions of Jenkins have tons of vulnerabilities | As part of initial attack surface analysis | Host Discovery, Vulnerability Analysis |
Example of Vulnerability Analysis - Fingerprinting SMB
Description - SMB allows other applications and users to access files or execute commands on a remote server. A client application can read, write and execute files on the server depending on the configuration of the SMB share. SMB listens on 445/tcp (and on 139/tcp when carried over NetBIOS); 135/tcp is the MSRPC endpoint mapper and 137-138/udp carry the NetBIOS name and datagram services. Together these are what remote management of Windows systems relies on.
- Identify available SMB scripts (a current default install ships roughly 35; the exact count varies by Nmap version)
cd /usr/share/nmap/scripts; ls | grep smb
- Leverage discovery scripts to fingerprint the OS and versions
nmap --script smb-os-discovery.nse -p445 <target>
Note that smb-os-discovery talks SMBv1; a host with SMBv1 disabled returns nothing here, in which case smb-protocols and smb2-security-mode still tell you which dialects it speaks and whether signing is required.
- SMB vulnerability detection
Nmap ships with a set of smb-vuln-* scripts that check for specific SMB vulnerabilities. For SMB we can use Nmap to detect the following
CVEs and Microsoft bulletins:
- CVE-2009-3103 (SMBv2 negotiate)
- CVE-2017-7494 (Samba, "SambaCry")
- MS06-025
- MS07-029
- MS08-067 (plus a check for hosts infected by Conficker, which exploited it)
- MS10-054
- MS10-061
- MS17-010 (EternalBlue)
All of these checks can be run with a single nmap command:
nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p445 <target>
or, more simply, with a wildcard (quoted so the shell does not expand it against the files in your current directory):
nmap --script "smb-vuln-*" -p445 <target>
Be aware that several of these are in the intrusive or dos categories: smb-vuln-regsvc-dos is a denial-of-service check by design, and smb-vuln-ms10-054 will blue-screen a vulnerable host, which is why it refuses to run unless you pass --script-args unsafe=1. Read each script's documentation before pointing them at production. The smb-enum-* scripts are the enumeration counterpart (shares, users, sessions, domains) rather than vulnerability checks:
nmap --script "smb-enum-*" -p445 <target>
Considerations - You can add the obfuscation options to any of these scans, but know what they cover: -T, --scan-delay, --randomize-hosts and --max-retries still apply, while -f and --data-length only shape the raw port-scan probes; the script traffic itself goes through the OS TCP stack as an ordinary SMB session.
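What to do with the results of the SMB signing scan (the smb-security-mode/smb2-security-mode command from the scan examples, run with -oX smb.xml added): pull out every host whose SMB dialects do not require signing, since those are the ones an NTLM relay can authenticate to. This is an added example, not code from the original page. The sample XML is constructed, and the element layout it assumes (an <elem key="message_signing"> for smb-security-mode and one <table> per dialect for smb2-security-mode) is my reading of the scripts' structured output, so verify it against a real -oX file from your own Nmap version.

```python
"""Triage SMB signing results from nmap -oX output.

Added example (not from the page). Parses the structured script output of
smb-security-mode and smb2-security-mode and flags hosts that do not
require message signing on at least one dialect.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real scan. Host .20 does not require signing on
# SMBv1 or SMBv2; host .40 has SMBv1 off and requires signing; host .55 has
# SMBv1 off and does not require signing.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -p139,445 -Pn --script smb-security-mode,smb2-security-mode -oX smb.xml 10.10.10.2-254">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.10.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="see elems">
        <elem key="account_used">guest</elem>
        <elem key="authentication_level">user</elem>
        <elem key="challenge_response">supported</elem>
        <elem key="message_signing">disabled (dangerous, but default)</elem>
      </script>
      <script id="smb2-security-mode" output="see elems">
        <table key="3:1:1"><elem>Message signing enabled but not required</elem></table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="see elems">
        <table key="3:1:1"><elem>Message signing enabled and required</elem></table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.10.55" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="see elems">
        <table key="3:0:2"><elem>Message signing enabled but not required</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def signing_required(state_text):
    """True only when the script text says signing is required.

    smb-security-mode reports 'disabled (...)', 'supported' or 'required';
    smb2-security-mode reports sentences such as 'Message signing enabled
    but not required' or 'Message signing enabled and required'.
    """
    text = (state_text or "").lower()
    return "required" in text and "not required" not in text


def parse_smb_signing(xml_text):
    """Return one record per host: address, SMBv1 state, SMBv2 states, relay flag."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        rec = {"addr": addr.get("addr"), "smb1": None, "smb2": {}}
        for script in host.iter("script"):
            if script.get("id") == "smb-security-mode":
                elem = script.find("elem[@key='message_signing']")
                rec["smb1"] = elem.text if elem is not None else None
            elif script.get("id") == "smb2-security-mode":
                for table in script.findall("table"):  # one table per dialect
                    elem = table.find("elem")
                    if elem is not None:
                        rec["smb2"][table.get("key")] = elem.text
        states = ([rec["smb1"]] if rec["smb1"] else []) + list(rec["smb2"].values())
        # One dialect that does not require signing is enough for a relayed
        # authentication to land, so a single weak dialect flags the host.
        rec["relay_candidate"] = any(not signing_required(s) for s in states)
        records.append(rec)
    return records


def relay_candidates(xml_text):
    """Addresses worth putting on an NTLM relay target list."""
    return [r["addr"] for r in parse_smb_signing(xml_text) if r["relay_candidate"]]


def main(path=None):
    xml_text = open(path).read() if path else SAMPLE_XML
    for rec in parse_smb_signing(xml_text):
        verdict = "RELAY CANDIDATE" if rec["relay_candidate"] else "signing required"
        print(f"{rec['addr']:<16} smb1={rec['smb1']!r} smb2={rec['smb2']!r} -> {verdict}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as python3 smb_signing.py smb.xml. A host that shows nothing for smb-security-mode is not automatically safe; it usually just has SMBv1 disabled, which is why the SMBv2 check is what decides the verdict for modern hosts.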
Examples of Good Scans
nmap -sV -v -p80,443,8080,8443,21,23,25,1098,1099,2049,3786,9100 -iL targets.txt -oX results.xml
sudo nmap -T2 -f --data-length 5 --randomize-hosts --max-retries 2 -Pn --open 10.10.10.2-254
sudo nmap -p 139,445 -Pn --disable-arp-ping --discovery-ignore-rst --open --randomize-hosts -T2 --data-length 5 --max-retries 2 --host-timeout 5s --script smb-security-mode,smb2-security-mode -iL targets.txt
(With -T2 and two NSE scripts a 5s host timeout can cut the scripts short; raise it if hosts come back with open ports but no script output.)
sudo nmap -sV -v --data-length 5 --script vulners <target>