Advanced NMAP Techniques

Introduction

Nmap is among the most well-known and reliable security testing tools available today. For more than two decades it has been a dependable, highly customizable port scanner, but over time a great deal of additional functionality has been added that gives tremendous control over how scans are conducted and what information can be enumerated. It is free and open source, installs easily on Windows or Linux, and is the basis for many other tools built on top of it. There are even a couple of good graphical user interfaces from which Nmap scans can be run (or into which results can be imported), which makes sorting the data even easier.

Top Mistakes That Lead To Detection

  1. Your speed is set too aggressively. The speed of nmap scans can be set between T0 (extremely slow) and T5 (insane), with T3 (aggressive) being the default if no adjustment is specified. Oftentimes this is fast enough to be detected. Consider slowing your scans down by adding either (-T2) or (-T1) to your command. To take it to the next level you can specify a delay between each host being scanned with (--scan-delay <time>); this is awesome when you run into hosts that are rate limiting responses. I like to set it to (--scan-delay 1075ms).
  2. It's too obvious that you are doing a scan. Nmap has been around for a long time now, 20 years in fact; as a result, security products know what nmap traffic looks like. If you want to avoid detection you have to add some obfuscation to your scans. You can fragment the packets with (-f), sure, but there are some other really slick options. A couple of my favorites are randomizing the order in which the hosts in a subnet get scanned with (--randomize-hosts), and appending random data to the end of every packet with (--data-length <number>). This way you're sending packet fragments, in a random order, and every packet is different due to the randomly appended data.
  3. You scanned the gateway! Just don't do it. Instead of scanning 10.10.10.0/24, deliberately skip the likely gateway by specifying 10.10.10.2-254. You'll thank me later.
⚠️ Be careful when running scripts with the unsafe argument; it has the potential to impact systems and crash services.

--script-args=unsafe=1

Important Commands to Know

Basic Nmap Flags

| Flag | What Does it Do? | Purpose | Notes |
| --- | --- | --- | --- |
| -sV | Service Versioning | Host Discovery | |
| -A | Service and OS Versioning | Host Discovery | |
| -v | Add Verbosity | Quality of Life | You 'can' add extra verbosity with -vv but I find that to be useless |
| -p | Specify Port(s) | Host Discovery | |
| -iL | Read Targets from List | Quality of Life | |
| -oN / -oX | Output Results to a File (.txt, .xml) | Quality of Life | I always output to .xml so you can upload to Zenmap or Legion |
| --open | Only Display Open Ports | Quality of Life | |
| --script | Load an NSE Script | Host Discovery, Quality of Life, Vulnerability Analysis | |
| -sU | Specify a UDP Port Scan | Host Discovery | |
| -6 | Enable IPv6 Scanning | Host Discovery | |
| -T<0-5> | Set Speed | Obfuscation | Likely you do not need to go slower than T2, and should never go faster than T4. |
| -f | Fragment the Packets (splits the TCP packet up over several tiny fragments) | Obfuscation | Does not work with Windows, NSE scripts, or service versioning |
| --randomize-hosts | Scan the Target Range in a Random Order | Obfuscation | No good reason not to use this one |
| --data-length <number> | Append Bytes of Random Data to Each Packet | Obfuscation | A typical TCP packet is 40 bytes; I find appending 5 (12.5%) variance is a good amount |
| -Pn | Disable ICMP Ping | Obfuscation | A lot of networks block ICMP |
| --disable-arp-ping | Disable ARP Ping | Obfuscation | |
| --discovery-ignore-rst | Ignore RST Responses from the Host | Obfuscation | |
| --host-timeout <time> | Specifies a Time for the Scan to Move On | Obfuscation | |
| --max-retries <number> | Specifies How Many Times a Host Should Be Attempted Before Moving On | Obfuscation | |
| --scan-delay <time> | Adds a Delay Between Hosts Scanned | Obfuscation | 1075ms seems to work well and be plenty of a delay |
| --exclude-ports <ports> | Excludes Specific Port(s) from the Scan | Obfuscation | |

Using Custom Nmap Scripts (NSE)

The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality considerably. The NSE is particularly useful for reconnaissance, but it can also be used for a variety of other things, such as scanning for vulnerabilities and automating exploits for them.

To find scripts:

  1. Look at the Nmap website, which contains a list of all official scripts.
  2. Or look at the local storage on your attacking machine. On Linux, Nmap stores its scripts at /usr/share/nmap/scripts:
ls /usr/share/nmap/scripts

Many custom scripts can be found on GitHub; you can save them locally simply by using nano, gedit, or vi and adding the scripts to /usr/share/nmap/scripts.

Example

  1. Identify the script you want, e.g. ms-exchange-version-nse/ms-exchange-version.nse at main · righel/ms-exchange-version-nse (github.com)
  2. Copy the .nse script and go to your Linux box:
cd /usr/share/nmap/scripts
sudo nano ms-exchange-version.nse
[PASTE THE SCRIPT FROM GITHUB]
ctrl+x
y

Then you can run your script in nmap like this:

nmap --script=ms-exchange-version.nse [target]

Handy Nmap Scripts

| Script | What Does it Do? | Why Does that Matter? | When to Use it? | Purpose |
| --- | --- | --- | --- | --- |
| smb-security-mode | Checks the host for SMBv1 signing | If SMB signing is not enabled and required, it suggests the host is vulnerable to pass-the-hash attacks | When you see p137, 445 or if there is NBNS/LLMNR traffic on the network | Vulnerability Analysis |
| smb2-security-mode | Checks the host for SMBv2 signing | If SMB signing is not enabled and required, it suggests the host is vulnerable to pass-the-hash attacks | When you see p137, 445 or if there is NBNS/LLMNR traffic on the network | Vulnerability Analysis |
| smb-protocols | Fingerprints specifics about SMB versions | Older versions of SMB are riddled with RCE vulnerabilities (e.g. EternalBlue) | When analyzing Windows server infrastructure | Vulnerability Analysis |
| vulners | Basic vulnerability scanning against the vulners.com database | You can obfuscate this much more than something like OpenVAS | When you have a large amount of data to analyze and need to automate the research process | Vulnerability Analysis, Quality of Life |
| ms-exchange-version | Enumerates the specific version and build of on-prem MS Exchange servers | Older Exchange servers have several significant exploits available | Any time you see on-prem Exchange | Vulnerability Analysis |
| nfs-showmount | Enumerates network file shares on a host | It may be possible to mount those shares and parse through potentially sensitive data | When you see p2049 | Vulnerability Analysis |
| | Identifies instances of Jenkins on the network | Older versions of Jenkins have tons of vulnerabilities | As part of initial attack surface analysis | Host Discovery, Vulnerability Analysis |

Example of Vulnerability Analysis - Fingerprinting SMB

Description - SMB allows other applications and users to access files or execute commands on a remote server. A client application can read, write and execute files on the server depending on the configuration of the SMB share. The port for SMB is typically 445, while ports 135-139 are used for RPC calls, which are essential for remote management of Windows systems.

  1. Identify available SMB scripts (there are 35 as part of the default NSE):
cd /usr/share/nmap/scripts; ls | grep smb
  2. Leverage discovery scripts to fingerprint the OS and versions:
nmap --script smb-os-discovery.nse -p445 <target>
  3. SMB vulnerability detection:

By design, nmap ships with various scripts that detect specific vulnerabilities or CVEs. For SMB specifically, nmap can detect the following:

  • 2009-3103
  • 2017-7494
  • ms06-025
  • ms07-029
  • ms08-067
  • ms10-054
  • ms10-061
  • ms17-010 (Eternal Blue)

All these vulnerabilities can be detected using a single nmap command:

nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p445 <target>

OR, using a wildcard (quoted so the shell does not expand it against files in the current directory):

nmap --script 'smb-vuln-*' -p445 <target>

Considerations - You can add obfuscation to any of these scripts

Examples of Good Scans

nmap -sV -v -p80,443,8080,8443,21,23,25,1098,1099,2049,3786,9100 -iL targets.txt -oX results.xml

The above command reads the targets.txt file and performs a port scan of the specified ports, including verbose versioning of the services running on those ports, then outputs the results both to the CLI and to an .xml document.

sudo nmap -T2 -f --data-length 5 --randomize-hosts --max-retries 2 -Pn --open 10.10.10.2-254

The above example conducts a port scan of the top 1000 most common ports (the default) quite slowly (-T2) using fragmented packets (-f), each of which has 5 bytes of random data appended (--data-length 5). It scans 10.10.10.2 through 10.10.10.254 in a random order (--randomize-hosts) and does not use ICMP to check whether a host is alive (-Pn). If a host is unreachable, it only tries twice to connect before moving on (--max-retries 2). The output only lists ports that are open (--open).

sudo nmap -p 139,445 -Pn --disable-arp-ping --discovery-ignore-rst --open --randomize-hosts -T2 --data-length 5 --max-retries 2 --host-timeout 5s --script smb-security-mode,smb2-security-mode -iL targets.txt

The above scan analyzes the hosts in targets.txt for SMBv1 and SMBv2 signing using slow and obfuscated options: it avoids ICMP and ARP pings, appends random data to the packets, ignores RST responses, and limits the effort spent on dead hosts.

sudo nmap -sV -v --data-length 5 --script vulners <target>

The above scan versions the services running on the top 1000 ports, compares those versions to the Vulners.com vulnerability database, and outputs the results.
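The flags table recommends always writing results with -oX, and the SMB signing scan above produces smb-security-mode / smb2-security-mode results that then have to be triaged across many hosts. The following Python script is an added example (not code from the original page or from the Nmap project) that parses an -oX file, lists open ports the way --open would, and flags hosts whose SMB signing is not enforced. The XML it reads is a constructed sample modelled on the structure nmap writes with -oX; the addresses, products and script output are made up, and the `message_signing` element key and the "Message signing enabled but not required" wording are assumed to match what the two scripts emit.

```python
"""Triage nmap -oX results: list open ports per host and flag SMB signing weaknesses.

Added example, not code from the original page. SAMPLE_XML is a constructed
document modelled on nmap's -oX layout (host, ports, hostscript); the data is made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample output of a scan like the page's smb-security-mode example.
# Host .15 has SMBv1 signing disabled and SMBv2 signing not required; host .40 enforces it.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 139,445,80 -sV --script smb-security-mode,smb2-security-mode -oX results.xml 10.10.10.2-254">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.10.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="constructed"><elem key="account_used">guest</elem><elem key="message_signing">disabled</elem></script>
      <script id="smb2-security-mode" output="constructed"><table key="3.1.1"><elem>Message signing enabled but not required</elem></table></script>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" product="Samba smbd" version="4.x"/></port>
      <port protocol="tcp" portid="139"><state state="filtered" reason="no-response"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="constructed"><table key="3.1.1"><elem>Message signing enabled and required</elem></table></script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host: address, open ports (as --open would show) and hostscript results."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"

        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # same filtering as --open: drop closed/filtered ports
            svc = port.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            service = " ".join(p for p in parts if p)
            open_ports.append((int(port.get("portid")), port.get("protocol"), service))

        scripts = {}
        for script in host.findall("hostscript/script"):
            elems = [e for e in script.iter("elem") if e.text]
            scripts[script.get("id")] = {
                "values": [e.text.strip() for e in elems],
                "keyed": {e.get("key"): e.text.strip() for e in elems if e.get("key")},
            }
        hosts.append({"addr": addr, "open_ports": open_ports, "scripts": scripts})
    return hosts


def smb_signing_findings(hosts):
    """Flag hosts where SMBv1/SMBv2 message signing is not enforced (relay / pass-the-hash risk)."""
    findings = []
    for h in hosts:
        smb1 = h["scripts"].get("smb-security-mode")
        # assumed: smb-security-mode reports message_signing as disabled, supported or required
        if smb1 and smb1["keyed"].get("message_signing") in ("disabled", "supported"):
            findings.append((h["addr"], "SMBv1", smb1["keyed"]["message_signing"]))
        smb2 = h["scripts"].get("smb2-security-mode")
        if smb2:
            for text in smb2["values"]:
                if "not required" in text.lower() or "disabled" in text.lower():
                    findings.append((h["addr"], "SMBv2", text))
    return findings


def report(xml_text):
    """Build the report as a list of lines so callers can log, test or print them."""
    hosts = parse_hosts(xml_text)
    lines = []
    for h in hosts:
        ports = ", ".join(f"{p}/{proto} {svc}".rstrip() for p, proto, svc in h["open_ports"])
        lines.append(f"{h['addr']}: {ports}")
    for addr, proto, detail in smb_signing_findings(hosts):
        lines.append(f"WEAK SIGNING {addr} {proto}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_XML)))
```

To use it on a real scan, replace SAMPLE_XML with the contents of the results.xml written by -oX; because the signing checks key on the hostscript ids rather than on port numbers, the same code works whether the scripts were run against 139, 445 or both.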