Red Teaming
Dimitris, Feb 27, 2024
This post is based on the Hack The Box (HTB) Academy module (or course) on Network Enumeration with Nmap. The module provides the fundamentals that will be needed to use the Nmap tool for performing effective network enumeration.
You can learn more by browsing the catalog of free or advanced cybersecurity courses on the HTB Academy!
Network Mapper (Nmap) is an open-source network analysis and security auditing tool. It is designed to scan networks and identify which hosts are available on the network using raw packets, services, and applications.
Nmap can also identify the operating systems and versions of these hosts. It offers scanning capabilities that can determine whether packet filters, firewalls, or intrusion detection systems (IDS) are configured as needed.
Every cybersecurity professional should use and understand Nmap. Haven’t used it yet? You can download it here.
Nmap can be divided into the following scanning techniques:
Host discovery.
Port scanning.
Service enumeration and detection.
OS detection.
Scriptable interaction with the target service (Nmap Scripting Engine).
The syntax for Nmap is fairly simple and looks like this:
$ nmap <scan types> <options> <target>
Nmap offers plenty of different scanning techniques, including the following:
$ nmap --help
<SNIP>
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
<SNIP>
We’ll dive into some of the most common and important Nmap scan commands later on in this guide.
Enumeration is the art of information gathering so that we can identify all of the ways we could attack a target. Nmap is a tool we can use to enumerate this information, but we should always prioritize skills and methodology over tools.
After all, we need to know what to do with and how to analyze the information we may find using Nmap. The tools are just tools, and tools alone should never replace our knowledge and our attention to detail.
After using a tool like Nmap to gather as much information as we can, we must then understand how to actually interact with the services found.
Manual enumeration is a critical component. Many scanning tools simplify and accelerate the process. However, these cannot always bypass the security measures of the services.
Learn Network Enumeration with Nmap
Nmap is an important part of network diagnostics and evaluation of network-connected systems. In this interactive module, we will learn the basics of this tool and how it can be used to map out internal networks by identifying live hosts and performing port scanning, service enumeration, and operating system detection.
An overview of Nmap.
Host discovery and port scanning.
Saving scan results.
Service enumeration.
Using the powerful Nmap scripting language.
Firewall and IDS/IPS evasion.
Network administrators, IT security specialists, SOC analysts, and penetration testers all have Nmap as a regular pentesting tool in their arsenal. Here are some of the most common use cases:
Enumeration: uncover information including device types, reverse DNS (Domain Name System) names, MAC addresses, and IP addresses of all active hosts.
Auditing: survey the security aspects of a network.
Testing: simulate penetration tests using Nmap.
Find security issues: Nmap can be used to scan servers and uncover paths attackers may use to exploit.
Detect vulnerabilities: analysts and pentesters can use Nmap to detect any existing vulnerabilities on the network.
Host discovery: discover live hosts within the network.
Identify open ports: Nmap conducts port scanning of target hosts.
OS version detection: discover the operating system (OS) and version of a target system quickly.
Whilst we do develop muscle memory in the world of cybersecurity, we don’t expect you to memorize everything right away. Keep this cheat sheet handy, you never know when you might need it!
Say we’re conducting an internal penetration test for an entire company network. We’ll begin by gaining an overview of which systems are online that we can work with.
To discover active systems on the network, we can use various Nmap host discovery options.
Note:💡Store every single scan. Each one may later be used for comparison, documentation, and reporting. After all, different tools may produce different results.
Scanning a range of networks with this method only works if the firewalls in place allow it.
sudo nmap 10.129.2.0/24 -sn -oA tnet
Nmap command | Description
10.129.2.0/24 | Target network range.
-sn | Disables port scanning.
-oA tnet | Stores the results in all formats starting with the name 'tnet'.
Often, before performing an internal penetration test, you will be provided with a list of the IP addresses of the hosts that need to be tested.
Nmap saves us time by letting us pass that list as a file rather than typing the addresses in manually. It looks like this:
sudo nmap -sn -oA tnet -iL hosts.lst
10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28
Nmap command | Description
-sn | Disables port scanning.
-oA tnet | Stores the results in all formats starting with the name 'tnet'.
-iL | Performs the defined scans against the targets in the provided 'hosts.lst' list.
In some instances, you may only need to scan a small portion of the network, which means you can enter the IP addresses manually. Here the output is piped through grep and cut so that only the addresses from the "Nmap scan report for" lines are printed:
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5
10.129.2.18
10.129.2.19
10.129.2.20
Before we scan a single host for open ports and its services, we first have to determine if it is alive or not. For this, we can use the same method as before.
sudo nmap 10.129.2.18 -sn -oA host
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 23:59 CEST
Nmap scan report for 10.129.2.18
Host is up (0.087s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
Nmap command | Description
10.129.2.18 | Performs the defined scans against the target.
-sn | Disables port scanning.
-oA host | Stores the results in all formats starting with the name 'host'.
Once we’ve gathered whether a host is active or not, the next step is to understand what state the scanned port is in. There are six different states:
Open: a connection to the scanned port has been established.
Closed: the TCP protocol indicates that the packet we received back contains an RST flag.
Filtered: Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
Unfiltered: the port is accessible, but it cannot be determined whether it is open or closed.
Open|filtered: this indicates that a firewall or packet filter may protect the port.
Closed|filtered: impossible to determine if the scanned port is closed or filtered by a firewall.
By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This means that if we do not define ports and scanning methods, these parameters are set automatically.
We can define the ports in the following ways:
One by one (-p 22,25,80,139,445).
By range (-p 22-445).
By top ports (--top-ports=10).
sudo nmap 10.129.2.28 --top-ports=10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:36 CEST
Nmap scan report for 10.129.2.28
Host is up (0.021s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
Nmap command | Description
10.129.2.28 | Scans the specified target.
--top-ports=10 | Scans the specified number of top ports, i.e. those defined as most frequently used.
Here Nmap will display the state the port is in (open, closed, etc.) and also the service it runs on.
Now we want to find out more about what happens behind a port's reported state. We can do this by running the scan with packet tracing enabled:
sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:39 CEST
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for 10.11.1.28
Host is up (0.014s latency).
PORT STATE SERVICE
21/tcp closed ftp
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Nmap command | Description
10.129.2.28 | Scans the specified target.
-p 21 | Scans only the specified port.
--packet-trace | Shows all packets sent and received.
-Pn | Disables ICMP Echo requests.
-n | Disables DNS resolution.
--disable-arp-ping | Disables ARP ping.
The Nmap TCP Connect Scan (-sT) uses the TCP three-way handshake to determine if a specific port on a target host is open or closed.
The scan sends a SYN packet to the target port and waits for a response. It is considered open if the target port responds with a SYN-ACK packet and closed if it responds with an RST packet.
Why do we do this?
Because it’s the most accurate way of determining the true state of a port.
It’s also stealthy.
The connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS).
sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET
CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
Nmap scan report for 10.129.2.28
Host is up, received user-set (0.013s latency).
PORT STATE SERVICE REASON
443/tcp open https syn-ack
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
System administrators sometimes forget to filter the UDP ports in addition to the TCP ones.
Since UDP is a stateless protocol that does not use a three-way handshake like TCP, we receive no acknowledgment for our probes. Consequently, the timeout is much longer, making the whole UDP scan (-sU) much slower than the TCP scan (-sS).
Let's look at an example of what a UDP scan (-sU) can look like and what results it gives us:
sudo nmap 10.129.2.28 -F -sU
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:01 CEST
Nmap scan report for 10.129.2.28
Host is up (0.059s latency).
Not shown: 95 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered ipp
5353/udp open zeroconf
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 98.07 seconds
Nmap command | Description
10.129.2.28 | Scans the specified target.
-F | Scans the top 100 ports.
-sU | Performs a UDP scan.
When conducting any enumeration, determining the application and its version accurately is essential. We can use this information to scan for known vulnerabilities and analyze the source code.
A quick port scan will show us a small overview of the available ports and the service versions running on them.
sudo nmap 10.129.2.28 -p- -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:44 CEST
[Space Bar pressed: Nmap prints the progress of the running scan]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.64% done; ETC: 19:45 (0:00:53 remaining)
Nmap command | Description
10.129.2.28 | Scans the specified target.
-p- | Scans all ports.
-sV | Performs service version detection on the specified ports.
Once the scan is complete, we will see all TCP ports with the corresponding service and their versions that are active on the system.
sudo nmap 10.129.2.28 -p- -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:00 CEST
Nmap scan report for 10.129.2.28
Host is up (0.013s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp filtered netbios-ssn
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp filtered microsoft-ds
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host: inlane; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.73 seconds
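The note earlier in this post says to store every scan for later comparison, and -oA writes a grepable <name>.gnmap file alongside the normal and XML output. The following script, an added example rather than code from the HTB module or from Nmap, parses that grepable format for a -p- -sV result like the one above and reports which open ports changed between two stored scans; the sample file contents (including the later 3389/tcp entry) are constructed.

```shell
#!/bin/sh
# Parse the grepable file that "-oA <name>" writes (<name>.gnmap) and compare
# two stored scans so that results can be diffed for documentation and reporting.
# Added example, not HTB or Nmap code. The samples below are constructed; real
# files separate the fields with tabs, which the sed expressions also accept.
SCAN_BEFORE='# Nmap 7.80 scan initiated Mon Jun 15 20:00:00 2020 as: nmap -p- -sV -oA tnet 10.129.2.28
Host: 10.129.2.28 () Status: Up
Host: 10.129.2.28 () Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 25/open/tcp//smtp//Postfix smtpd/, 139/filtered/tcp//netbios-ssn/// Ignored State: closed (65525)
# Nmap done at Mon Jun 15 20:01:31 2020 -- 1 IP address (1 host up) scanned in 91.73 seconds'
# A constructed later scan of the same host: smtp is no longer open, 3389 has appeared.
SCAN_AFTER='Host: 10.129.2.28 () Status: Up
Host: 10.129.2.28 () Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 139/filtered/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server/// Ignored State: closed (65525)'

BEFORE_FILE=$(mktemp); AFTER_FILE=$(mktemp)
trap 'rm -f "$BEFORE_FILE" "$AFTER_FILE"' EXIT
printf '%s\n' "$SCAN_BEFORE" > "$BEFORE_FILE"
printf '%s\n' "$SCAN_AFTER" > "$AFTER_FILE"

# open_ports < file.gnmap: print "host port/proto service [version]" for every
# open port. Each entry of the Ports: field is port/state/proto/owner/service/rpc/version/.
open_ports() {
  grep 'Ports: ' | while IFS= read -r line; do
    host=$(printf '%s\n' "$line" | sed 's/^Host: \([^ ]*\).*/\1/')
    printf '%s\n' "$line" |
      sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' |
      tr ',' '\n' | sed 's/^ *//' |
      awk -F'/' -v h="$host" '$2 == "open" {
        printf "%s %s/%s %s%s\n", h, $1, $3, $5, ($7 == "" ? "" : " " $7)
      }'
  done
}

# scan_delta before.gnmap after.gnmap: "+ host port" for ports open only in the
# later scan, "- host port" for ports that were open before but are not now.
scan_delta() {
  b=$(mktemp); a=$(mktemp)
  open_ports < "$1" | awk '{ print $1, $2 }' | LC_ALL=C sort > "$b"
  open_ports < "$2" | awk '{ print $1, $2 }' | LC_ALL=C sort > "$a"
  LC_ALL=C comm -13 "$b" "$a" | sed 's/^/+ /'
  LC_ALL=C comm -23 "$b" "$a" | sed 's/^/- /'
  rm -f "$b" "$a"
}

echo "Open ports in the first scan:"
open_ports < "$BEFORE_FILE"
echo "Changes in the second scan:"
scan_delta "$BEFORE_FILE" "$AFTER_FILE"
```

The version field of a grepable entry can contain spaces but never a slash (Nmap replaces it with a pipe), so splitting on "/" is safe.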
Nmap looks at the banners of the scanned ports and prints them out. If it cannot identify versions through the banners, Nmap attempts to identify them through a signature-based matching system.
The issue here is that the automatic scan can miss some information because sometimes Nmap does not know how to handle it.
So, what can we do about this?
We can manually connect to the SMTP server using nc, grab the banner, and intercept the network traffic using tcpdump. Then we can see what Nmap did not show us.
Tcpdump
sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Nc
nc -nv 10.129.2.28 25
Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)
Tcpdump - Intercepted Traffic
18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0
These first three lines are showing us the three-way handshake.
After that, the target SMTP server sends us a TCP packet with the PSH and ACK flags set. PSH states that the target server is sending data to us; ACK simultaneously informs us that all required data has been sent.
Another handy feature of Nmap is the Nmap Scripting Engine (NSE). It provides us with the possibility to create scripts in Lua for interaction with certain services.
These scripts fit into the following categories:
Category | Description
auth | Determination of authentication credentials.
broadcast | Scripts used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans.
brute | Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default | Default scripts executed by using the -sC option.
discovery | Evaluation of accessible services.
dos | These scripts check services for denial-of-service vulnerabilities; they are used less often because they can harm the services.
exploit | This category of scripts tries to exploit known vulnerabilities for the scanned port.
external | Scripts that use external services for further processing.
fuzzer | Uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields; this can take much time.
intrusive | Intrusive scripts that could negatively affect the target system.
malware | Checks whether some malware infects the target system.
safe | Defensive scripts that do not perform intrusive or destructive access.
version | Extension for service detection.
vuln | Identification of specific vulnerabilities.
One key benefit of the NSE is the ability to use the vuln category to find and identify known vulnerabilities. Below, you can see that CVE-2019-0211, CVE-2018-1312, and CVE-2017-15715 were discovered using this scan:
sudo nmap 10.129.2.28 -p 80 -sV --script vuln
Nmap scan report for 10.129.2.28
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.3.4
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
| cpe:/a:apache:http_server:2.4.29:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
<SNIP>
Nmap command | Description
10.129.2.28 | Scans the specified target.
-p 80 | Scans only the specified port.
-sV | Performs service version detection on the specified ports.
--script vuln | Uses all related scripts from the specified category.
Nmap gives us many different ways to bypass firewalls and IDS/IPS.
But first, let’s define what these security measures are:
Firewall: a firewall is a security measure against unauthorized connection attempts from external networks. It checks whether individual network packets are being passed, ignored, or blocked. This mechanism is designed to prevent unwanted connections that could be potentially dangerous.
IDS/IPS: IDS scans the network for potential attacks, analyzes them, and reports any detected attacks. IPS complements IDS by taking specific defensive measures if a potential attack should have been detected.
Firewalls can either drop or reject packets when performing an Nmap scan. The dropped packets are ignored, and no response is returned from the host.
This is different for rejected packets that are returned with an RST flag. These packets contain different types of ICMP error codes:
Net Unreachable.
Net Prohibited.
Host Unreachable.
Host Prohibited.
Port Unreachable.
Proto Unreachable.
Nmap's TCP ACK scan (-sA) is harder for firewalls and IDS/IPS systems to filter than a regular SYN (-sS) or connect scan (-sT), because it sends a TCP packet with only the ACK flag set.
When a port is closed or open, the host must respond with an RST flag.
Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls.
However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.
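To make the port-state rules above concrete, here is an added example (not code from the HTB module or from Nmap) that reads --packet-trace output in the format shown earlier on this page and derives each probed port's state, once for a SYN scan and once for an ACK scan. The trace lines are constructed; only the port-21 exchange is taken from the packet-trace example above.

```shell
#!/bin/sh
# Derive per-port states from Nmap --packet-trace lines using the rules from the
# text: SYN scan SA -> open, RA -> closed, no reply -> filtered; ACK scan R ->
# unfiltered, no reply -> filtered. Added example, not Nmap code. An ICMP
# unreachable reply (also "filtered") is not modelled here.

# Constructed SYN-scan trace: port 21 answers RA, 80 answers SA, 139 never answers.
TRACE_SYN='SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0580s) TCP 10.10.14.2:63090 > 10.129.2.28:80 S ttl=56 id=57323 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0701s) TCP 10.129.2.28:80 > 10.10.14.2:63090 SA ttl=64 id=0 iplen=44 seq=4056111701 win=64240 <mss 1460>
SENT (0.0710s) TCP 10.10.14.2:63090 > 10.129.2.28:139 S ttl=56 id=57324 iplen=44 seq=1699105818 win=1024 <mss 1460>'

# Constructed ACK-scan trace of the same ports: 21 and 80 answer RST, 139 stays silent.
TRACE_ACK='SENT (0.0312s) TCP 10.10.14.2:41000 > 10.129.2.28:21 A ttl=51 id=11001 iplen=40 seq=0 win=1024
RCVD (0.0450s) TCP 10.129.2.28:21 > 10.10.14.2:41000 R ttl=64 id=0 iplen=40 seq=1 win=0
SENT (0.0455s) TCP 10.10.14.2:41000 > 10.129.2.28:80 A ttl=51 id=11002 iplen=40 seq=0 win=1024
RCVD (0.0590s) TCP 10.129.2.28:80 > 10.10.14.2:41000 R ttl=64 id=0 iplen=40 seq=1 win=0
SENT (0.0600s) TCP 10.10.14.2:41000 > 10.129.2.28:139 A ttl=51 id=11003 iplen=40 seq=0 win=1024'

# classify_trace syn|ack < trace: prints "port state", one line per probed port,
# in the order the probes were sent.
classify_trace() {
  awk -v scan="$1" '
    $1 == "SENT" && $3 == "TCP" {          # $6 is dst:port of our probe
      split($6, d, ":"); p = d[2]
      if (!(p in seen)) { seen[p] = 1; order[++n] = p }
    }
    $1 == "RCVD" && $3 == "TCP" {          # $4 is src:port of the reply, $7 its flags
      split($4, s, ":"); flags[s[2]] = $7
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]; f = (p in flags) ? flags[p] : "none"
        if (scan == "syn")
          st = (f == "SA") ? "open" : ((f == "RA" || f == "R") ? "closed" : "filtered")
        else
          st = (f == "R" || f == "RA") ? "unfiltered" : "filtered"
        print p, st
      }
    }'
}

echo "SYN scan:"; printf '%s\n' "$TRACE_SYN" | classify_trace syn
echo "ACK scan:"; printf '%s\n' "$TRACE_ACK" | classify_trace ack
```

Note that the ACK scan only tells filtered from unfiltered, which is exactly why it is useful for mapping firewall rules but never reports a port as open.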
The detection of IDS/IPS using Nmap is much more challenging as these are passive traffic monitoring systems.
IDS systems examine all connections between hosts. If the IDS finds packets containing the defined contents or specifications, the administrator is notified and takes appropriate action in the worst case.
So, how can we detect whether these systems are in place during a penetration test?
We’d recommend using several virtual private servers (VPS) with different IP addresses.
If at any point one of these hosts is blocked and loses access to the target network, we know that the administrator has taken security measures, and we can continue the penetration test from another VPS.
If we detect that IDS/IPS exists, then the decoy scanning method (-D) is the right choice.
With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent.
Here’s a decoy scan in action:
sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:14 CEST
SENT (0.0378s) TCP 102.52.161.59:59289 > 10.129.2.28:80 S ttl=42 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0378s) TCP 10.10.14.2:59289 > 10.129.2.28:80 S ttl=59 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 210.120.38.29:59289 > 10.129.2.28:80 S ttl=37 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 191.6.64.171:59289 > 10.129.2.28:80 S ttl=38 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 184.178.194.209:59289 > 10.129.2.28:80 S ttl=39 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
SENT (0.0379s) TCP 43.21.121.33:59289 > 10.129.2.28:80 S ttl=55 id=29822 iplen=44 seq=3687542010 win=1024 <mss 1460>
RCVD (0.1370s) TCP 10.129.2.28:80 > 10.10.14.2:59289 SA ttl=64 id=0 iplen=44 seq=4056111701 win=64240 <mss 1460>
Nmap scan report for 10.129.2.28
Host is up (0.099s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Nmap command | Description
10.129.2.28 | Scans the specified target.
-p 80 | Scans only the specified port.
-sS | Performs a SYN scan on the specified ports.
-Pn | Disables ICMP Echo requests.
-n | Disables DNS resolution.
--disable-arp-ping | Disables ARP ping.
--packet-trace | Shows all packets sent and received.
-D RND:5 | Generates five random decoy IP addresses that are inserted as source addresses alongside our own, disguising which host the scan comes from.
Nmap is an extremely powerful tool for all infosec professionals. Whether you’re using it to protect your network or to perform penetration tests, these commands are essential for every cybersecurity professional to have at hand.
However, remember it’s important to not only rely on tools to do your job. You need to also understand how and why these tools work and what the information you find actually means.
Ready to dive in?
Find out everything you need to know about Nmap with our Academy module:
Author bio: Dimitrios Bougioukas (Dimitris), Senior Director of IT Security Training Services, Hack The Box. Dimitrios has extensive experience in upskilling the IT security teams of Fortune 100/500 tech companies and government organizations. He enjoys analyzing the threat landscape as well as interpreting market and data analytics to assist Hack The Box in devising its training strategy and roadmaps, from go-to-market all the way to the syllabus level. Prior to Hack The Box, Dimitrios directed the development of training and certifications through eLearnSecurity/INE and was behind certifications like eCPTX, eWPT, and eCIR. You can connect with him on LinkedIn here.