NMAP ADVANCED SCANS

In this post we will be covering techniques to evade firewalls and IDS systems ad well as more advanced scans and scan options, such as:

  • Null Scan
  • FIN Scan
  • Xmas Scan
  • Maimon Scan
  • Ack Scan
  • Window Scan
  • Custom Scan
We will also cover the following:
  • Spoofing IP
  • Spoofing MAC
  • Decoy Scan
  • Fragmented Packets
  • Idle/Zombie Scan

Null, FIN and XMAS Scans
These scans can be efficient when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag to detect a connecting attempt. Using a flag combination that does not match the SYN packets could make it possible to deceive a firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packed and render this kind of scan useless.

Null Scan
Null scan does not set any flag at all; all six flag bits are set to zero. We can use this option with -sN . A TCP Packet with no flags set will not trigger a response when it reaches an open port. A Null scan requires root or sudo .


However, upon reaching a closed port, the target server will respond with a RST response. We can then assume any port that does not respond is potentially open. However, a lack of response from a port could be due to firewall rules.


FIN Scan
The FIN scan works in the same way as the above Null Scan, although using FIN flags instead of no flags. Use option -sF .



Xmas Scan
An Xmas scan sets the FIN, PSH and URG flag simultaneously and can be used with the -sX option. This scan works in the same way as FIN and Null scans.



TCP Maimon Scan
In this scan, the FIN and ACK bits are st and the target should send an RST packet as a response. However, certain BSD-derived (https://en.wikipedia.org/wiki/List_of_BSD_operating_systems) drop the packet if is an open port. This scan wont work on most modern targets. Use the -sM option. 

Most target systems respond with an RST packet regardless of whether the TCP port is open. In such cases, we wont be sable to discover the open ports. The figure below is the expected behaviour of both open and closed TCP ports.


TCP ACK Scan
Use the -sA option for a TCP ACK scan. TCP ACK scans send a TCP packet with an ACK flag and expect a RST response regardless of the state of the port, so will not tell us if ports are open. 

This type of scan is helpful if there is a firewall in front of the target. Consequently, based on which ACK packets resulted in responses, we can learn which ports were not blocked by the firewall. This type of scan is more suitable to discover firewall rule sets and configuration. 

Window Scan
The TCP Window scan is similar to the ACK scan, however it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal if the port is open. Use the option -sW

This type of scan is helpful if there is a firewall in front of the target. Consequently, based on which ACK packets resulted in responses, we can learn which ports were not blocked by the firewall. This type of scan is more suitable to discover firewall rule sets and configuration. 


Custom Scans
Custom scans are available using the --scanflags option. For instance, setting a SYN, RST and FIN flag simultaneously we would use --scanflags RSTSYNFIN .

Finally, it is essential to note that the ACK scan and the window scan were very efficient at helping us map out the firewall rules. However, it is vital to remember that just because a firewall is not blocking a specific port, it does not necessarily mean that a service is listening on that port. For example, there is a possibility that the firewall rules need to be updated to reflect recent service changes. Hence, ACK and window scans are exposing the firewall rules, not the services.


Spoofing and Decoys
In some network setups, we will be able to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response. If we try to scan a target from some random network using a spoofed IP address, chances are we won’t have any response routed to you, and the scan results could be unreliable.

The following image shows the attacker using nmap -S SPOOFED_IP 10.10.60.55 . Nmap will craft all the packets using the provided source IP address SPOOFED_IP . The target machine will respond by sending response packets to SPOOFED_IP . For this scan to work the attacker needs to monitor the network traffic to analyze the replies.


To summarise scanning with a spoofed IP address:
  1. Attacker sends a packet with a spoofed source IP address to the target machine.
  2. Target machine responds to the spoofed IP address.
  3. Attackers capture traffic and figure out open ports.
In general, you expect to specify the network interface using -e and to explicitly disable ping scan -Pn . Therefore, instead of nmap -S SPOOFED_IP TARGET_IP , we use nmap -e NET_INTERFACE -Pn -S SPOOFED_IP TARGET_IP to tell Nmap explicitly which network interface to use and not expect a ping reply. It is worth repeating that this scan is useless if we cannot monitor the network for responses. 

When on the same subnet as the target machine, we are able to spoof our MAC address with --spoof-mac SPOOFED_MAC . This is only possible if the attacker and the target are on the same Ethernet (802.3) network or same WiFi (802.11).

Decoys
Spoofing only works in a minimal number of cases where certain conditions are met. Therefore we can use decoys to make it more difficult to be pinpointed. This is done by making a scan appear to be coming from many IP addresses so the attacker's IP will be lost among them. 


A decoy scan can be launched with the -D tag. We can manually type the IP addresses or use RND to use a random IP address. We must use -D to inidicate our IP adress. For example, nmap -D 10.10.0.1,10.10.0.2,RND,RND, ME 127.0.0.1


Firewall
A firewall is a piece of software or hardware that either allows or blocks packets to pass through it. It functions based on firewall rules, summarised as blocking all traffic with exceptions, or allowing all traffic with exceptions. For instance, blocking all traffic that comes to our server except to our web server. A traditional firewall inspects, at least, the IP header and transport layer header. A more sophisticated firewall would also try to examine the data carried by the transport layer.

Intrusion Detection System (IDS)
An IDS inspects network packets for select patterns or specific content signatures. It raises an alert whenever a malicious rule is met. An IDS inspects the IP header, transport layer and data contents in the transport layer to check if it matches any malicious patterns. It is difficult to make an Nmap scan harder to detect, but it can help to divide packets in to smaller packets. 

Fragmented Packets
We can use the option -f to fragment packets in to 8 bytes or less, -ff will split the data into 16 byte fragments and so on. We can change the default value by using --mtu , although please note we must use a multiple of 8.


To properly understand fragmentation, we need to look at the IP header in the figure below. In particular, notice the source address taking 32 bits (4 bytes) on the fourth row, while the destination address is taking another 4 bytes on the fifth row. The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below.

On the other hand, if we wish to increase the size of our packets we can use --data-length NUM

Idle/Zombie Scan
Whilst spoofing the source of an IP address can be a great approach to keep a scan stealthy, it requires us to be in a position to monitor the traffic and will only work on specific network setups. These limitations make the practical use of IP address spoofing very limiting.

However, we can upgrade these scans with the idle scan. The idle scan requires an idle system connected to the network that we can communicate with. Nmap will make each probe appear as if it is coming from the idle host, then it will check for indicators whether the idea host received any responses form the spoofed probe. This is achieved by checking the IP identification (IP ID) value in the IP header. An idle scan is run with nmap -sI IDLE_IP TARGET_IP .

The idle scan requires the following to discover whether a port is open:
  • Trigger the idle host to respond so that we can record the current IP ID on the idle host.
  • Send a SYN packet to a TCP port on the target. The packet should be spoofed to appear as if it was coming from the idle host IP address.
  • Trigger the idle machine again to respond so that we can compare the new IP ID with the one received earlier.
In the below figure we have the attacking system probing the idle machine with a a SYN/ACK, the idle machine has responded with RST and its IP ID.


The attacker will then send a SYN packet to the TCP port they want to check using the idle IP_ID as the source. There are three outcomes from this scenario are possible. In the below figure, the target machine's TCP port is closed and responds to the idle host with a RST packet. The idle machine does not respond; hence its IP ID is not incremented.




In the second scenario, as shown below, the TCP port is open, so the target machine responds with a SYN/ACK to the idle host. The idle host responds to this unexpected packet with an RST packet, thus incrementing its IP ID.




In the third scenario the target machine does not respond due to firewall rules. The IP ID does not increment.

The final step is the attacker sending an SYN/ACK to the idle host. The idle host responds with an RST packet, incrementing the IP again. The attacker needs to compare the IP IP of the RST packet received on the first step with the RST packet on the third step. If the difference is 1, then the target port was closed/filtered. However, if the difference is 2 then the target port was open.

NOTE: It is very important to use a machine not in use as the idle machine because if the machine is being used it will have a constantly changing IP ID that is outside of the attackers control. For example, if other people are using the machine, they will be incrementing the IP ID also.

Getting More Details
We can use the --reason option if we want Nmap to provide more details regarding its reasoning and conclusions. We can also use - v or  -vv for verbose output or  -d or  -dd for debugging details.

Comments

Post a Comment

Popular posts from this blog

STARTUP

Image
  Startup is a TryHackMe room where there is a fictional new start up company called Spice Hut, their website is under development and they have some security concerns that they wish to test. I began by heading to the website and began manual enumeration of the site. The site had very minimal functionality, I checked the source code and found nothing of interest. There is a contact link, and I was hoping to be able to get an email address by following it, but it was empty. ' I then performed a Gobuster scan to look for any pages that I may be able to access. There is a page with the name files that is of particular interest.  Here I can see there is an FTP folder, upon opening it I can see that it is empty. I made a note of this as I may be able to upload files to it at a later stage, I then opened important.jpg which seemed to be of no particular interest, and notice.txt had the below text. I made a note of the name Maya, which could be a potential user or username in the future.
Read more

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Read more