NMAP | PART 1
Nmap - Network Mapper
It is a free, open source utility for network discovery and security auditing. It is commonly used to locate weak points on a network by scanning ports and identifying the services that listen on them.
Port scanning is Nmap's core functionality, but it can also be used to collect characteristics of a network such as which services are running and their version numbers, which operating system is in use, and whether any firewall rules or packet filters are in the way. Knowing this, as an attacker or as a security professional, is an important step in identifying the weaknesses a system may have and the exploits that could be used against it.
Do not scan third-party systems without permission; if the administrator catches you, they can take legal action. Practise on CTF labs (for example the TryHackMe Nmap room) or use scanme.nmap.org, which the Nmap project provides as a target.
HOST DISCOVERY
To discover which hosts on a network are up, run nmap with the -sn flag (host discovery only, no port scan), as below. Root is needed for the raw ICMP and ARP probes; without it Nmap falls back to TCP probes.
$ sudo nmap -sn scanme.nmap.org
The output lists the hosts that are up on the specified target (here a single hostname; a range such as 192.168.1.0/24 is scanned the same way).
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 08:27 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0040s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
UNDERSTANDING THE PORT STATES
- Open - An open port is one that is actively accepting TCP, UDP or SCTP connections. Open ports interest us the most because each one is a listening service that can be attacked or enumerated, and together they show which services the host offers.
- Closed - The port receives and responds to Nmap's probe (for TCP, with a RST), but no application is listening on it. Closed ports are useful for confirming that the host exists and for OS detection.
- Filtered - Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching it. The filtering usually comes from a firewall or router rules.
- Unfiltered - The port is reachable, but Nmap cannot tell whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, reports this state.
- Open|Filtered (shown as open|filtered in Nmap's output) - Nmap cannot tell open from filtered. This happens when an open port gives no response: the probe may have been dropped by a packet filter, or the response may have been blocked. The UDP, NULL, FIN and Xmas scans report this state.
- Closed|Filtered - Nmap cannot tell whether the port is closed or filtered. Only the IP ID idle scan reports this state.
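Once a scan has run, the states above have to be acted on: open ports go to the service enumeration list, filtered ports tell you about the firewall, and the ambiguous open|filtered and closed|filtered results need a follow-up with a different scan type. The script below, added here as an example and not code from the original post or from the Nmap project, reads an Nmap XML report (the -oX output format) and sorts the results that way; it also covers the host discovery step above by skipping hosts Nmap marked as down. SAMPLE_XML is a constructed, abbreviated report in the layout Nmap writes (real files carry more attributes); nothing is scanned.

```python
"""Summarise an Nmap XML report (-oX) by host and port state.

Added example: not code from the original post and not part of Nmap.
SAMPLE_XML is a constructed, abbreviated report in the layout Nmap writes
with -oX (real files carry more attributes); nothing is scanned.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -oX - 192.168.1.0/24" version="7.80">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames><hostname name="router.lan" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/><service name="http"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.20" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_report(xml_text):
    """Map each host that is up to its hostname and a list of
    (protocol, port, state, reason, service) tuples."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")   # fall back to whatever address is present
        name = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append((port.get("protocol"), int(port.get("portid")),
                          state.get("state"), state.get("reason"),
                          service.get("name") if service is not None else None))
        hosts[addr.get("addr")] = {"hostname": name.get("name") if name is not None else None,
                                   "ports": ports}
    return hosts


def live_hosts(report):
    """Addresses of the hosts Nmap marked as up (the host discovery result)."""
    return sorted(report)


def state_counts(report):
    """How many ports fell into each state across the whole report."""
    return Counter(p[2] for h in report.values() for p in h["ports"])


def open_services(report):
    """(address, protocol, port, service) for ports Nmap is sure are open.
    open|filtered is deliberately left out: it needs -sV or another scan
    type before it can be treated as a listening service."""
    return [(a, p[0], p[1], p[4]) for a, h in report.items() for p in h["ports"] if p[2] == "open"]


def ambiguous_ports(report):
    """Ports reported as open|filtered or closed|filtered, which need a follow-up scan."""
    return [(a, p[0], p[1], p[2]) for a, h in report.items() for p in h["ports"] if "|" in p[2]]


if __name__ == "__main__":
    rep = parse_report(SAMPLE_XML)
    print("hosts up:", live_hosts(rep))
    print("port states:", dict(state_counts(rep)))
    print("open:", open_services(rep))
    print("ambiguous:", ambiguous_ports(rep))
```

The reason attribute kept in each tuple is the same information Nmap prints with --reason (syn-ack, reset, no-response, and so on); it is what lets you distinguish a port that is filtered because nothing came back from one that is closed because a RST came back, which matters when you are deciding whether a firewall is in the path.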
PORT SCANNING TECHNIQUES
nmap -sS 192.168.1.1 => SYN scan
A SYN scan (the default when Nmap runs as root) is fast and relatively stealthy, since it never completes the TCP handshake: Nmap sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST.
nmap -sT 192.168.1.1 => TCP connect scan
If the SYN scan is not available because Nmap lacks raw-socket privileges, the TCP connect scan -sT is used by default. It completes the full handshake through the operating system's socket API, so it is slower, more likely to be logged by the target application, and offers less control than the SYN scan.
nmap -sU 192.168.1.1 => UDP scan
A UDP scan sends a UDP packet to every targeted port. An ICMP port unreachable reply means closed, a UDP reply means open, and no reply is reported as open|filtered, which is why UDP scans are slow and often ambiguous.
nmap -sY 192.168.1.1 => SCTP INIT scan
Like the SYN scan, the SCTP INIT scan is fast, stealthy and clearly defines the port states (an INIT-ACK chunk means open, an ABORT chunk means closed). It is selected with the -sY option.
SCTP combines features of TCP and UDP and adds congestion avoidance, resistance to flooding, and features such as multi-streaming and multi-homing.
nmap -A 192.168.1.1 => Aggressive scan
The aggressive scan option -A combines several scan types: OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute). It is a good option when you want a complete report and do not care how intrusive or noisy the scan is.
ADVANCED PORT SCANNING TECHNIQUES
-sN (Null), -sF (FIN) and -sX (Xmas) scans differentiate open from closed ports by exploiting a loophole in the TCP RFC (RFC 793): a closed port must answer a segment that carries none of the SYN, RST or ACK flags with a RST, while an open port must drop it. Nmap classifies the responses as follows:
- Port = closed when a RST packet is received
- Port = open|filtered when there is no response
- Port = filtered when an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13) is received
Not every stack follows the RFC: Windows, many Cisco devices and some other systems send a RST regardless of the port's state, so every port appears closed. These scans work best against RFC-compliant stacks such as Linux and the BSDs.
nmap -sA 192.168.1.1 => ACK scan
The ACK scan never determines whether a port is open; it is used to map firewall rule sets, showing whether a firewall is stateful and which ports it filters. A port that answers the ACK probe with a RST is reported as unfiltered; one that gives no response, or returns an ICMP unreachable error, is reported as filtered.
nmap -sZ 192.168.1.1 => SCTP COOKIE ECHO scan
The SCTP COOKIE ECHO scan is a more obscure method than the INIT scan and is therefore less likely to be recognised as a port scan or blocked.
A port is reported as open|filtered if the COOKIE ECHO chunk is silently dropped and as closed if an ABORT chunk comes back. The disadvantage is that it cannot differentiate between open and filtered, so listening ports never show up as plain open.
nmap -sI 192.168.1.102 -p80,21,22,443 192.168.1.101 => idle (zombie host) scan
This uses 192.168.1.102 as the zombie to scan ports 80, 21, 22 and 443 of the target 192.168.1.101. The zombie must be truly idle and must use a predictable, incrementing IP ID; Nmap checks this before scanning and refuses a zombie that does not qualify.
It is the best scan for when you do not want your own IP address to appear on the target at all: every probe the target sees comes from the zombie. Add -Pn so that Nmap does not ping the target from your real address before the scan starts.
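The idle scan works because the zombie's IP ID counter leaks whether the target sent it a SYN/ACK (open port, the zombie replies with a RST and the counter advances) or a RST (closed or filtered, the zombie stays silent). The simulation below, added here as an example and not code from the original post or from Nmap itself, plays that exchange out with constructed Zombie and Target models and also shows the two ways a zombie can fail you: a stack with randomised IP IDs, and a host that is not actually idle, where other traffic makes a closed port look open. No packets are sent; the real scan in Nmap sends several probes per port and is more robust than this single-delta version.

```python
"""Idle (zombie) scan inference, simulated end to end.

Added example: this is not code from the original post and not Nmap's own
code. Zombie and Target are constructed models of how real hosts behave
(global incremental IP ID counter, RST on an unexpected SYN/ACK); no
packets are sent.
"""
import random


class Zombie:
    """An idle host. Every packet it sends takes the next value of one
    global IP ID counter. A SYN/ACK it did not ask for is answered with a
    RST (one packet sent); a RST it receives is dropped silently."""

    def __init__(self, start_ipid=1000, random_ids=False, background=0):
        self.ipid = start_ipid
        self.random_ids = random_ids      # stack uses random IP IDs (unusable zombie)
        self.background = background      # packets sent to other hosts per probe interval

    def _send(self):
        if self.random_ids:
            self.ipid = random.randrange(65536)
        else:
            self.ipid = (self.ipid + 1) & 0xFFFF    # 16-bit counter wraps
        return self.ipid

    def probe_ipid(self):
        """Attacker sends the zombie a SYN/ACK; the RST reply carries the current IP ID."""
        for _ in range(self.background):      # traffic the zombie sends while not idle
            self._send()
        return self._send()

    def receive(self, segment):
        if segment == "SYN/ACK":
            self._send()                      # zombie RSTs the unexpected SYN/ACK
        # a RST is ignored: nothing sent, counter unchanged


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port, zombie):
        """A SYN whose source address is the zombie's arrives. The reply
        goes to the zombie, not to the attacker."""
        if port in self.filtered_ports:
            return                            # dropped by a packet filter
        zombie.receive("SYN/ACK" if port in self.open_ports else "RST")


def idle_scan_port(zombie, target, port):
    """Classify one port from the zombie's IP ID delta across a spoofed SYN:
    +2 means the zombie sent a RST in between (port open), +1 means it did not
    (closed or filtered: the two cases look identical to the attacker)."""
    before = zombie.probe_ipid()
    target.receive_syn(port, zombie)          # spoofed SYN, source = zombie address
    after = zombie.probe_ipid()
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"                          # zombie not idle, or IP ID not incremental


def zombie_is_usable(zombie, probes=5):
    """Nmap checks a zombie's IP ID sequence before the scan; a usable one
    increments by exactly 1 per packet with no other traffic in between."""
    ids = [zombie.probe_ipid() for _ in range(probes)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(zombie, target, ports):
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    zombie = Zombie()
    target = Target(open_ports={22, 80}, filtered_ports={443})   # constructed target
    print("zombie usable:", zombie_is_usable(zombie))
    print(idle_scan(zombie, target, [80, 21, 22, 443]))
```

Note what the simulation cannot do: a filtered port and a closed port both leave the zombie's counter at +1, which is exactly why the idle scan is the one scan type that reports closed|filtered. With background=1 the closed port comes back as "open", which is the false positive you get from a zombie that is chatting with other hosts during the scan.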
nmap -sO 192.168.1.1 => IP protocol scan
The IP protocol scan -sO identifies which IP protocols (TCP, UDP, ICMP, IGMP and so on) the target supports. It iterates over IP protocol numbers rather than ports; an ICMP protocol unreachable reply means the protocol is closed.
The following topics will be covered in the Nmap Part 2 article:
- Port specification
- Service and version detection
- OS detection
- Firewall evasion and spoofing
Follow our blog for more content on ethical hacking and tricks.
Thank you.