
// work in progress:
Network scanning examples with nmap, netcat and simple bash scripts. Do not scan any networks you do not own!
Scanning port range with netcat
Quick scan of all TCP ports (netcat completes the TCP handshake to each port and closes it again, so this is a connect scan rather than a raw SYN scan):

    nc -nvv -w 1 -z 86.42.44.78 1-65535
Quick scan of all UDP ports (UDP has no handshake: a port is only reported when something answers, and ports that stay silent are inconclusive):

    nc -unvv -w 1 -z 86.42.44.78 1-65535
Other options:
-4 Use IPv4
-6 Use IPv6
-C Don’t use cellular connection
-D Enable the debug socket option
-d Detach from stdin
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-r Randomize remote ports
-s addr Local source address
-t Answer TELNET negotiation
-u UDP mode
-v Verbose
Whois
Look up network records (the n keyword) registered to an organisation name at ARIN's whois server:

    whois -h whois.arin.net n microsoft
List all DNS servers (NS records) of a domain:

    host -t ns microsoft.com
Query a name server for all record types (ANY; many servers now answer this with a minimal response):

    dig @ns3.msft.net. any
Nmap
List scan (-sL): lists every target in the range with its reverse DNS name without sending any probes, handy for checking a range before scanning it; output is saved to a grepable file:

    nmap -sL 192.168.1.0-255 -oG pingsweep.txt
Ping scan (-sP, now spelled -sn): reports whether each host is up, plus its MAC address when the target is on the local Ethernet segment:

    nmap -sP 192.168.1.0/24
Full initial scan (SYN scan: the handshake is never completed, which is kind of stealthy; pretty aggressive timing; -A adds OS and version detection; all output formats written to files named homescan):

    nmap -sS -p- -PS22,80,113,33334 -PA80,113,21000 -PU19000 -PE -A -T4 -oA homescan 192.168.1.0/24
Disable ping (-PN, now written -Pn) to scan ALL specified targets, whether or not host discovery reports them as up. Should be done in a serious pentest; it takes a very long time, but can run in the background.
TCP SYN ping (-PS) checks whether a host is up; several ports can be specified. Nmap sends a SYN and waits for a SYN/ACK (open port) or a RST (closed port), either of which proves the host is alive, then cancels any half-open handshake with a RST:

    nmap -PS21-30,80,110,443 192.168.1.0/24
TCP ACK ping (-PA) sends ACK packets that belong to no existing connection, so a live host replies with a RST. This can get past stateless firewall rules that only filter SYN:

    nmap -PA21-30,80,110,443 192.168.1.0/24
To make probes blend in for an intrusion detection system (IDS), payload can be added to the packets with --data-length: 32 bytes makes a ping look like one from Windows, 56 like one from Linux:

    nmap -sP --data-length 32 192.168.1.0/24
Broad initial scan to catch Windows and Linux hosts behind firewalls. A random high port is added to each probe list in case the firewall has a sloppy configuration. The original note gives no target; <target-range> is a placeholder:

    nmap -PE -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 <target-range>
Adding --packet-trace prints every single packet sent and received.
Port 0 can be included with -p0 or as the start of a range like -p0-65535. Note that -p0 alone scans only port 0; -p- scans 1-65535 and -p0- covers all 65536 TCP ports. The timing policy is changed with the -T option, ranging from -T0 (paranoid) to -T5, the fastest (nmap calls -T4 aggressive and -T5 insane).
On macOS (Homebrew) the port list file is stored in: /usr/local/Cellar/nmap/7.30/share/nmap/nmap-services
Decoy addresses (-D) hide the scanner's own address among spoofed ones; the list is comma separated without spaces, and the real address is still sent alongside the decoys:

    -D 192.168.1.2,172.16.2.4,192.168.2.3
Configuring the number of ports scanned:
Fast scan of only the 100 most common ports: -F
With no option given, the 1000 most common ports are scanned.
Manually specify the number of most common ports: --top-ports <n>
Scanning methods:
TCP SYN Scan (-sS) | Fastest scan. Only sends a SYN and never completes the handshake; when the host answers SYN/ACK the half-open connection is torn down with a RST instead of an ACK
TCP ACK Scan (-sA) | Maps out firewall rulesets and checks whether the firewall is stateful
UDP Scan (-sU) | Sends UDP packets; ports that stay silent are reported as open|filtered
TCP FIN, Xmas and Null scans exploit how some firewalls filter, depending on the system used. Non-stateful firewalls and filtering routers try to prevent incoming TCP connections by blocking any TCP packet with the SYN bit set and ACK cleared, but let everything else through:
Null Scan (-sN) | Does not set any bits (TCP flag header is 0)
FIN Scan (-sF) | Sets just the TCP FIN bit
Xmas Scan (-sX) | Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree
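The filter logic described above is easy to see at the byte level. The following Python is an added example, not code from the original notes: it packs minimal TCP headers with constructed port and sequence values, reads the flag byte back out, labels the nmap probe type that carries exactly those flags, and applies the stateless "SYN set, ACK clear" rule from the text, which shows on the receiving side why Null, FIN and Xmas probes pass such a filter while a plain SYN does not.

```python
"""Classify TCP probes by their flag bits, the way a packet filter or IDS sees
them.

Added example, not code from the original notes. Nothing here is transmitted;
the headers are built only to decode them again.
"""
import struct

# TCP flag bits as laid out in byte 13 of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Pack a 20-byte TCP header without options; checksum and urgent pointer
    stay 0 because the header is never sent."""
    data_offset = 5 << 4            # header length of 5 words, reserved bits 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """Return the flag byte (offset 13) of a raw TCP header."""
    return header[13]


def classify_probe(flags):
    """Name the nmap scan type whose probe carries exactly these flags."""
    exact = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas",
             SYN: "syn", ACK: "ack"}
    return exact.get(flags, "other")


def stateless_filter_passes(flags):
    """The rule from the text: block TCP with SYN set and ACK clear, pass the rest."""
    return not (flags & SYN and not flags & ACK)


def triage(headers):
    """For each raw header return (probe type, whether the stateless filter passes it)."""
    return [(classify_probe(tcp_flags(h)), stateless_filter_passes(tcp_flags(h)))
            for h in headers]


# Constructed probes aimed at port 80, one per scan type, plus a normal SYN/ACK.
SAMPLE_PROBES = [
    build_tcp_header(40001, 80, SYN),               # -sS probe
    build_tcp_header(40002, 80, ACK),               # -sA probe
    build_tcp_header(40003, 80, 0),                 # -sN probe
    build_tcp_header(40004, 80, FIN),               # -sF probe
    build_tcp_header(40005, 80, FIN | PSH | URG),   # -sX probe
    build_tcp_header(40006, 80, SYN | ACK),         # second step of a real handshake
]

if __name__ == "__main__":
    for kind, passes in triage(SAMPLE_PROBES):
        verdict = "passes" if passes else "is blocked by"
        print(f"{kind:5s} probe {verdict} the SYN-only filter")
```

The result is the point the text makes: only the SYN probe is stopped, every Null, FIN and Xmas probe reaches the host, and the host's reply (RST for closed ports, silence for open or filtered ones) is what the scanner reads. A stateful filter, which drops packets that belong to no tracked connection, does not have this gap.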
Output format:
Several formats can be written at the same time; each needs a filename (-oA takes a basename and adds the extensions):
Normal: -oN
Grepable: -oG
XML: -oX
All at once: -oA
Example Scenarios:
A /20 network with 4096 possible hosts needs to be quickly scanned for port 80 being open. Round-trip timeouts are capped for faster scanning; ping a target first and check the round-trip time to choose sensible values:

    nmap -n -T4 -PN -p80 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -oG ~/scans/port80scan-%D.gnmap 216.163.128.0/20

-n = no reverse DNS lookup
%D = nmap expands this to the current date in the filename
-PN = skip the ping test, just scan every host
-T4 = aggressive timing template
--min-hostgroup 512 = scan at least 512 hosts in parallel
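Grepable output exists to be processed by scripts, and the usual defensive use is comparing a new scan against a known baseline. The following Python parser is an added example, not part of the original notes: SAMPLE_GNMAP is constructed in the layout nmap writes for -oG (comment lines start with #, each target gets tab-separated Host: lines, and every entry in the Ports field is port/state/protocol/owner/service/rpc/version/), and diff_scans reports ports that are open now but were not in the baseline.

```python
"""Parse nmap grepable (-oG) output and diff two scans.

Added example, not from the original notes. The sample below is constructed
by hand in the -oG layout; it is not output from the scans on this page.
"""
import re
from collections import defaultdict

# Constructed sample: two hosts from a -p- SYN scan of a small range.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated as: nmap -sS -p- -oG scan.gnmap 192.168.1.0/29\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, "
    "53/open/tcp//domain///, 80/closed/tcp//http///\tIgnored State: filtered (65532)\n"
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned in 300.00 seconds\n"
)

# port/state/protocol/owner/service/rpc/version/ ; state may contain '|' (open|filtered)
PORT_ENTRY = re.compile(r"(\d+)/([^/]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service), ...]} for every port in state 'open'."""
    open_ports = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment and header lines
        fields = line.split("\t")
        ip = fields[0].split()[1]                      # "Host: <ip> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                               # Status:, Ignored State:, ...
            for port, state, proto, _owner, service, _rpc, _ver in PORT_ENTRY.findall(field):
                if state == "open":
                    open_ports[ip].append((int(port), proto, service))
    return dict(open_ports)


def diff_scans(baseline, current):
    """Ports open in `current` that were not open in `baseline`: {ip: {(port, proto)}}."""
    new = {}
    for ip, ports in current.items():
        before = {(p, pr) for p, pr, _ in baseline.get(ip, [])}
        added = {(p, pr) for p, pr, _ in ports} - before
        if added:
            new[ip] = added
    return new


if __name__ == "__main__":
    current = parse_gnmap(SAMPLE_GNMAP)
    # Constructed baseline: the router only had SSH open last time.
    baseline = {"192.168.1.1": [(22, "tcp", "ssh")]}
    for ip, ports in diff_scans(baseline, current).items():
        print(ip, "newly open:", sorted(ports))
```

Because the parser only keeps the open state, a host that answered nothing (no Ports: line) is simply absent from the result; keep the baseline from a scan of the same port range, otherwise the diff reports ports that were merely outside the earlier scan.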
Full SYN scan against all TCP ports plus a UDP scan with version detection, decoys, high aggression, no DNS resolution, targets read from a file (-iL):

    nmap -sS -p0-65535 -n -D 10.11.1.72,10.11.1.74,10.11.1.75,10.11.1.76,10.11.1.77,10.11.1.78 -sUV --version-intensity 0 -T4 -v --max-rtt-timeout 900ms --initial-rtt-timeout 230ms --min-hostgroup 4 -oA ~/Documents/Pentest01/nmapFull-%D -iL ~/Documents/Pentest01/HostsUp.list
Measuring the traffic produced by a port scan
Two iptables ACCEPT rules that match only the target are inserted at the top of INPUT and OUTPUT, their counters are zeroed, and after the scan the byte counters show how much went over the wire:

    root@kali:~# iptables -I INPUT 1 -s 10.0.0.54 -j ACCEPT
    root@kali:~# iptables -I OUTPUT 1 -d 10.0.0.54 -j ACCEPT
    root@kali:~# iptables -Z
    root@kali:~# nmap -sT 10.0.0.54

    Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 06:48 EST
    Nmap scan report for ad.moshpit.local (10.0.0.54)
    Host is up (0.00036s latency).
    Not shown: 981 filtered ports
    PORT      STATE SERVICE
    53/tcp    open  domain
    88/tcp    open  kerberos-sec
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    3389/tcp  open  ms-wbt-server
    49152/tcp open  unknown
    49153/tcp open  unknown
    49154/tcp open  unknown
    49155/tcp open  unknown
    49157/tcp open  unknown
    49158/tcp open  unknown
    49159/tcp open  unknown
    MAC Address: 00:50:56:A7:BE:75 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 4.12 seconds
    root@kali:~# iptables -vn -L
    Chain INPUT (policy ACCEPT 171 packets, 12129 bytes)
     pkts bytes target     prot opt in     out     source               destination
       20  1238 ACCEPT     all  --  *      *       10.0.0.54            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 92 packets, 15464 bytes)
     pkts bytes target     prot opt in     out     source               destination
     2031  122K ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.54

122K (kilobytes) of data were sent through the network to scan the 1000 default ports of this single IP address. Zero the counters again with iptables -Z before the next run so that each listing covers only one scan:

    root@kali:~# nmap -sT -p 1-65535 10.0.0.54
    root@kali:~# iptables -vn -L
    Chain INPUT (policy ACCEPT 79 packets, 5817 bytes)
     pkts bytes target     prot opt in     out     source               destination
      139  8378 ACCEPT     all  --  *      *       10.0.0.54            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 44 packets, 5576 bytes)
     pkts bytes target     prot opt in     out     source               destination
     197K   12M ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.54

A full port scan against the same IP address produced 12M (megabytes) of traffic.
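Reading those counters by eye works for one host; for a series of measurements it is easier to parse them. The following Python is an added example, not part of the original notes: it parses the per-rule columns of iptables -vn -L (handling the K/M/G abbreviations, which iptables derives from powers of 1024), picks the OUTPUT rule for the target, and turns the two listings from the session above into an average byte cost per probed port. The per-port figure assumes the counters were zeroed before each scan.

```python
"""Read per-rule counters from `iptables -vn -L` and estimate bytes per probed port.

Added example, not from the original notes. The two listings are the
counter tables from the measurement session on this page.
"""
import re

# iptables abbreviates large counters with K/M/G based on 1024.
SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

COUNTERS_DEFAULT_PORTS = """\
Chain INPUT (policy ACCEPT 171 packets, 12129 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1238 ACCEPT     all  --  *      *       10.0.0.54            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 92 packets, 15464 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2031  122K ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.54
"""

COUNTERS_ALL_PORTS = """\
Chain INPUT (policy ACCEPT 79 packets, 5817 bytes)
 pkts bytes target     prot opt in     out     source               destination
  139  8378 ACCEPT     all  --  *      *       10.0.0.54            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 44 packets, 5576 bytes)
 pkts bytes target     prot opt in     out     source               destination
 197K   12M ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.54
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(\d+)([KMG]?)\s+(\d+)([KMG]?)"
                     r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
COLUMNS = ("target", "prot", "opt", "in", "out", "source", "destination")


def to_number(digits, suffix):
    """Expand '122' + 'K' to 124928; a missing suffix means a plain count."""
    return int(digits) * SUFFIX[suffix]


def parse_counters(text):
    """Return {chain: [rule dict, ...]}; the header row has no digits and is skipped."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule = {"pkts": to_number(m.group(1), m.group(2)),
                    "bytes": to_number(m.group(3), m.group(4))}
            rule.update(zip(COLUMNS, m.groups()[4:]))
            chains[current].append(rule)
    return chains


def bytes_sent_to(text, dst):
    """Byte counter of the first OUTPUT rule whose destination is dst, or None."""
    for rule in parse_counters(text).get("OUTPUT", []):
        if rule["destination"] == dst:
            return rule["bytes"]
    return None


def bytes_per_port(text, dst, ports_probed):
    """Average bytes emitted per probed port, assuming counters were zeroed first."""
    total = bytes_sent_to(text, dst)
    return None if total is None else total / ports_probed


if __name__ == "__main__":
    for label, listing, ports in (("1000 default ports", COUNTERS_DEFAULT_PORTS, 1000),
                                  ("ports 1-65535", COUNTERS_ALL_PORTS, 65535)):
        total = bytes_sent_to(listing, "10.0.0.54")
        print(f"{label}: {total} bytes, {bytes_per_port(listing, '10.0.0.54', ports):.0f} per port")
```

Roughly 125 bytes per port for the default scan versus about 192 for the full range: a connect scan of a filtered port costs retransmitted SYNs rather than a single SYN/RST pair, and most of the 65535 ports here were filtered.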
Performance Tweaking
Maximum number of packet retransmissions (lower is faster, but results can be inaccurate):
    --max-retries 0
Minimum rate of packets per second. Too high a rate can have side effects: the scanner gets disconnected, packets are dropped by firewalls, or the scan is detected by an IDS:
    --min-rate 100
Minimum number of hosts scanned in parallel as one group (512 in the single-port sweep above, 4 in the full port and version scan):
    --min-hostgroup 0
Minimum number of probes kept outstanding in parallel:
    --min-parallelism 0
Timing template, from -T0 (paranoid) to -T5 (insane); -T4 is aggressive:
    -T4
Maximum time to wait for a probe response before giving up on it (unit suffix required, otherwise the value is read as seconds):
    --max-rtt-timeout 200ms