Nmap 101


NMAP Basic scan, options, scripts and hacking

Loi Liang Yang
Certified Information Systems Security Professional
Certified Ethical Hacker
CompTIA Security+

www.loiliangyang.com
Banner Grabbing

• Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. However, an intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.
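The two ideas on this slide and the next (a full TCP handshake tells you a port is open; a service that speaks first hands you its banner) fit in a few lines of Python. The following is an added example, not code from the slide deck or from Nmap: it does a connect-style probe (what Nmap's -sT does; a raw-socket SYN scan like -sS needs root and is not shown) and reads the banner. To stay offline it starts its own loopback listener with a constructed banner string; the host, port numbers and banner are all assumptions of the example.

```python
"""Connect-scan plus banner grab against a throwaway loopback listener."""
import socket
import threading

# Constructed banner for the local stand-in service (not a real host).
FAKE_BANNER = b"SSH-2.0-OpenSSH_9.9 example-banner\r\n"


def start_banner_server(banner=FAKE_BANNER, host="127.0.0.1"):
    """Listen on a free loopback port and send `banner` to every client.

    Returns (port, stop) where stop() closes the listener. This stands in
    for a real talkative service (SSH, FTP and SMTP all speak first)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by stop()
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def probe_port(host, port, timeout=1.0, max_banner=256):
    """TCP connect() probe of one port, the equivalent of Nmap's -sT.

    connect() returning means the kernel completed the 3-way handshake
    (SYN -> SYN-ACK -> ACK): the port is open. A RST answering our SYN
    surfaces as ConnectionRefusedError: closed. Silence until the timeout
    is what Nmap calls filtered (a filter dropped the probe or its reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return {"port": port, "state": "closed", "banner": None}
        except socket.timeout:
            return {"port": port, "state": "filtered", "banner": None}
        # Open port: read whatever the service volunteers (banner grab).
        try:
            data = s.recv(max_banner)
        except socket.timeout:
            data = b""           # silent service, e.g. HTTP waits for us
        banner = data.decode("ascii", errors="replace").strip() or None
        return {"port": port, "state": "open", "banner": banner}
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe each port in order and return one result dict per port."""
    return [probe_port(host, p, timeout) for p in ports]


def free_loopback_port(host="127.0.0.1"):
    """Reserve and immediately release a port so nothing listens on it:
    a guaranteed 'closed' target for the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port, stop = start_banner_server()
    closed_port = free_loopback_port()
    for r in scan("127.0.0.1", [open_port, closed_port]):
        print(f"{r['port']}/tcp {r['state']:<8} {r['banner'] or ''}")
    stop()
```

The third state, filtered, cannot be produced on loopback (nothing drops packets there); against a real firewalled host the connect() simply times out, which is why Nmap retries those probes and why filtered ports slow a scan down.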


TCP message types

Message   Description
SYN       Initiate and establish a connection. Synchronize sequence numbers between devices.
SYN-ACK   The responder's own SYN, combined with an ACK of the initiator's SYN.
ACK       Confirms to the other computer that its packet (in the handshake, the SYN-ACK) was received.
RST       Reset. Sent in reply to a SYN that reaches a port with no listener; this is what lets a scanner tell a closed port from a filtered one.
FIN       Terminate a connection.


3-way Handshake

SYN (client → server), SYN-ACK (server → client), ACK (client → server). After the third packet both sides have synchronized sequence numbers and the connection is established. A port that answers the SYN with RST instead is closed; a port that answers nothing is filtered.
Terms

TCP – Transmission Control Protocol
UDP – User Datagram Protocol
Socket – <ip address>:<port number>
What is NMAP?
Network exploration tool and security / port scanner

Scan Types

Sweep – Send a series of ICMP pings to find hosts
Trace – Use tools like traceroute and/or tracert to map the network
Port Scanning – Checking for open TCP or UDP ports
Fingerprinting – Determine the operating system
Version Scanning – Finding versions of services and protocols
Vulnerability Scanning
NMAP Port Scan Result

Port State – Description

Open – An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

Closed – A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

Filtered – Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

Unfiltered – The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

Open|Filtered – Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

Closed|Filtered – This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

Source: https://wiki.onap.org/display/DW/Nmap
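The table above is easiest to act on when the scan is saved as XML (-oX, see the OUTPUT options later in the deck) and run with --reason, so each port carries both its state and the packet that put it there. The following is an added example, not code from the slides or from the Nmap project: it parses that XML, tallies ports per (protocol, state), and lists the ports whose state is still ambiguous together with the follow-up scan the table itself suggests. The report is a constructed sample in the layout of nmap -oX output; the address 192.0.2.10, the port list and the reason strings are assumptions, nothing was actually scanned.

```python
"""Summarise an Nmap XML report by port state and reason."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of `nmap -oX` (192.0.2.10 is a
# documentation address; no real host was scanned).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,80,443,U:53,161 --reason -oX out.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="9.2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="https"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response" reason_ttl="0"/>
        <service name="domain"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="closed" reason="port-unreach" reason_ttl="64"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# States the port-state table calls ambiguous, with the follow-up it suggests.
FOLLOW_UP = {
    "filtered": "no reply or ICMP admin-prohibited; map the ruleset with -sA",
    "open|filtered": "no reply; retry with -sV so a real service may answer",
    "unfiltered": "reachable but state unknown; resolve with -sS, -sW or -sF",
    "closed|filtered": "idle scan (-sI) could not tell; rescan directly",
}


def parse_nmap_xml(xml_text):
    """Return one dict per <port>: host, protocol, port, state, reason, service."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            rows.append({
                "host": addr,
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
            })
    return rows


def summarize(rows):
    """Count ports per (protocol, state), like the tally Nmap prints at the end."""
    return Counter((r["protocol"], r["state"]) for r in rows)


def needs_followup(rows):
    """Ports whose state is still ambiguous, each with the suggested next scan."""
    return [dict(r, hint=FOLLOW_UP[r["state"]]) for r in rows if r["state"] in FOLLOW_UP]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for (proto, state), n in sorted(summarize(rows).items()):
        print(f"{proto}/{state}: {n}")
    for r in needs_followup(rows):
        print(f"{r['port']}/{r['protocol']} {r['state']} ({r['reason']}): {r['hint']}")
```

The reason field is what makes the difference between "closed" and "filtered" auditable after the fact: a closed TCP port shows reason="reset" (the RST from the TCP message table), a closed UDP port shows an ICMP port-unreachable, and anything marked no-response is exactly the case the table warns gives so little information.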
NMAP Manual Page

Scan Options – TARGET SPECIFICATION

• Can pass hostnames, IP addresses, networks, etc.
• Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254
• -iL <inputfilename>: Input from list of hosts/networks
• -iR <num hosts>: Choose random targets
• --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
• --excludefile <exclude_file>: Exclude list from file
Scan Options – HOST DISCOVERY

• -sL: List Scan - simply list targets to scan
• -sn: Ping Scan - disable port scan
• -Pn: Treat all hosts as online -- skip host discovery
• -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
• -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
• -PO[protocol list]: IP Protocol Ping
• -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
• --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
• --system-dns: Use OS's DNS resolver
• --traceroute: Trace hop path to each host
Scan Options – SCAN TECHNIQUES

• -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
• -sU: UDP Scan
• -sN/sF/sX: TCP Null, FIN, and Xmas scans
• --scanflags <flags>: Customize TCP scan flags
• -sI <zombie host[:probeport]>: Idle scan
• -sY/sZ: SCTP INIT/COOKIE-ECHO scans
• -sO: IP protocol scan
• -b <FTP relay host>: FTP bounce scan
Scan Options – PORT SPECIFICATION AND SCAN ORDER

• -p <port ranges>: Only scan specified ports
• Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
• -F: Fast mode - Scan fewer ports than the default scan
• -r: Scan ports consecutively - don't randomize
• --top-ports <number>: Scan <number> most common ports
• --port-ratio <ratio>: Scan ports more common than <ratio>
Scan Options – SERVICE/VERSION DETECTION

• -sV: Probe open ports to determine service/version info
• --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
• --version-light: Limit to most likely probes (intensity 2)
• --version-all: Try every single probe (intensity 9)
• --version-trace: Show detailed version scan activity (for debugging)
Scan Options – SCRIPT SCAN

• -sC: equivalent to --script=default
• --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
• --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
• --script-trace: Show all data sent and received
• --script-updatedb: Update the script database.
Scan Options – OS DETECTION

• -O: Enable OS detection
• --osscan-limit: Limit OS detection to promising targets
• --osscan-guess: Guess OS more aggressively
Scan Options – TIMING AND PERFORMANCE

• Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
• -T<0-5>: Set timing template (higher is faster)
• --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
• --min-parallelism/max-parallelism <numprobes>: Probe parallelization
• --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
• --max-retries <tries>: Caps number of port scan probe retransmissions.
• --host-timeout <time>: Give up on target after this long
• --scan-delay/--max-scan-delay <time>: Adjust delay between probes
• --min-rate <number>: Send packets no slower than <number> per second
• --max-rate <number>: Send packets no faster than <number> per second
Scan Options – FIREWALL/IDS EVASION AND SPOOFING

• -f; --mtu <val>: fragment packets (optionally w/given MTU)
• -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
• -S <IP_Address>: Spoof source address
• -e <iface>: Use specified interface
• -g/--source-port <portnum>: Use given port number
• --data-length <num>: Append random data to sent packets
• --ip-options <options>: Send packets with specified ip options
• --ttl <val>: Set IP time-to-live field
• --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
• --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
Scan Options – OUTPUT

• -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
• -oA <basename>: Output in the three major formats at once
• -v: Increase verbosity level (use -vv or more for greater effect)
• -d: Increase debugging level (use -dd or more for greater effect)
• --reason: Display the reason a port is in a particular state
• --open: Only show open (or possibly open) ports
• --packet-trace: Show all packets sent and received
• --iflist: Print host interfaces and routes (for debugging)
• --log-errors: Log errors/warnings to the normal-format output file
• --append-output: Append to rather than clobber specified output files
• --resume <filename>: Resume an aborted scan
• --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
• --webxml: Reference stylesheet from Nmap.Org for more portable XML
• --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
Scan Options – MISC

• -6: Enable IPv6 scanning
• -A: Enable OS detection, version detection, script scanning, and traceroute
• --datadir <dirname>: Specify custom Nmap data file location
• --send-eth/--send-ip: Send using raw ethernet frames or IP packets
• --privileged: Assume that the user is fully privileged
• --unprivileged: Assume the user lacks raw socket privileges
• -V: Print version number
• -h: Print this help summary page.
NMAP Scripting Engine (NSE)

• The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
Script Categories

Category names are lowercase, as they must be written after --script (for example --script=vuln or --script=default):

• auth
• broadcast
• brute
• default
• discovery
• dos
• exploit
• external
• fuzzer
• intrusive
• malware
• safe
• version
• vuln
NMAP Vulnerability Scan

References

• https://linux.die.net/man/1/nmap
• https://nmap.org/
• https://wiki.onap.org/display/DW/Nmap
Hacking with NMAP?
