
Footprinting & Scanning



Network Mapping

Prerequisite: IP, ICMP, IPv4, IPv6, TCP, UDP, TCP_IP_3_way_handshake

Objective

nmap is the main tool here. It is used for network mapping (host discovery, port scanning, service and OS detection) and for network diagnostics.

Commands to list TCP sockets (listening and established) on the local machine

Linux> netstat -antp      (or ss -antp where netstat is not installed; -p only shows the owning process when run as root)
Windows> netstat -ano     (the last column is the PID; add -b to see the executable, which needs an elevated prompt)

Host discovery technique

Read nmap to learn about host discovery: ICMP echo sweeps (-PE), ARP sweeps on the local segment (-PR, which nmap uses by default there), TCP SYN/ACK and UDP probes (-PS, -PA, -PU), and -sn to run discovery only, without a port scan.


Port Scanning


Port scanning using nmap.

Use a SYN scan (-sS, the "stealth" scan; needs raw-socket privilege) as the default. It never completes the handshake, so the target application never sees a connection and does not log one. Do not expect it to hide from an IDS: SYN scans are trivially detected. Use a TCP connect scan (-sT) to verify results or when running unprivileged; it completes the handshake through the OS socket API.

Use -Pn to skip host discovery: nmap treats every target as up and scans it even when pings are blocked.

Use -p- to scan the full port range 1-65535 (the default is the top 1000 ports).

Use timing templates (-T0 paranoid through -T5 insane) to trade scan duration against noise: slower templates spread probes out to avoid rate-based detection, faster ones finish sooner but are noisier and less accurate.

Once all open ports are identified, we can move on to service version and OS detection.

Service Version & OS Detection

Use nmap to gather information regarding service versions and the OS of a machine. The order is: find live hosts, find open ports, then run version detection against exactly those ports and OS detection against the host. OS detection works best when nmap knows at least one open and one closed TCP port on the target, so it belongs after the port scan, not before.

Use -sV for version detection on open ports. Pass the known open ports with -p so probes only go to those and the scan finishes faster; --version-intensity 0-9 controls how many probes are tried per port.

Use -O for detection of the host operating system. Use --osscan-guess when nmap reports no exact match, to print its closest guesses (less reliable). --osscan-limit skips OS detection for hosts with no open ports.

Use -sC to run the default NSE script set for further enumeration (equivalent to --script=default). -A combines -sV, -O, -sC and --traceroute.
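Added example (not from these notes and not nmap's code): a Python script that reads the XML report (-oX) of a full-range port scan, pulls out the open TCP ports per live host, and builds the second-stage nmap command that runs version detection, OS detection and the default scripts only against those ports. The XML sample, addresses and ports are constructed for this example.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (as written by -oX) from a full-range
# SYN scan of a small subnet. Addresses and ports are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -oX stage1.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ipv4 address: sorted open TCP ports} for every host marked up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                ports.append(int(port.get("portid")))
        if ports:
            result[addr.get("addr")] = sorted(ports)
    return result


def stage2_argv(host, ports, osscan_guess=False):
    """Second-stage command: -Pn (the host is already known to be up), -sV on
    exactly the open ports, -O, -sC, written to its own XML report."""
    argv = ["nmap", "-Pn", "-sV", "-O", "-sC", "-p", ",".join(str(p) for p in ports)]
    if osscan_guess:
        argv.append("--osscan-guess")   # ask for nmap's best guesses when there is no exact OS match
    argv += ["-oX", "stage2_%s.xml" % host, host]
    return argv


if __name__ == "__main__":
    # Prints one ready-to-run command per live host with open ports.
    for host, ports in open_ports(SAMPLE_NMAP_XML).items():
        print(shlex.join(stage2_argv(host, ports)))
```

Hosts that are down, or up with nothing open, produce no command; the filtered 8080 on 10.0.0.5 is deliberately left out, since -sV probes against it would only wait for timeouts.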


Evasion : Firewall , IDS & other security measures

Read nmap and Nmap Documentation.

If pings are blocked or probes time out, that indicates a firewall, IDS or other filtering in the path (nmap reports such ports as filtered). A few methods help get probes through or make the scan harder to attribute.

Packet fragmentation

Use -f to send fragmented packets (the TCP header is split into 8-byte fragments; -ff uses 16 bytes) or --mtu to set a custom fragment size, which must be a multiple of 8. Some filters inspect only the first fragment or drop fragments entirely, so compare the results with an unfragmented scan before trusting them.
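Added example (not from these notes and not nmap's code): what -f and --mtu actually put on the wire, written out in Python. It builds a bare TCP SYN header, splits it into IPv4 fragments carrying 8 (-f), 16 (-ff) or a chosen --mtu number of bytes each, rejects sizes that are not a multiple of 8 (the rule nmap enforces, because the IP fragment offset is counted in 8-byte units), and reassembles the fragments the way the receiving stack does. The addresses and ports are constructed; nothing is sent.

```python
import socket
import struct

# Constructed addresses for the example: the scanner and its target.
SRC = socket.inet_aton("10.0.0.1")
DST = socket.inet_aton("10.0.0.5")
MF = 1 << 13            # "more fragments" bit in the IPv4 flags/offset field


def ipv4_checksum(header):
    """Ones-complement sum over the IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_syn_header(sport, dport, seq=0x11223344):
    """Minimal 20-byte TCP header with only SYN set. The TCP checksum is left at
    zero: this example is about the IP layer, not about producing a sendable probe."""
    offset_flags = (5 << 12) | 0x02          # data offset 5 words, SYN flag
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 1024, 0, 0)


def fragment(src, dst, payload, frag_size=8, ident=0xBEEF, proto=6):
    """Split the transport header into IPv4 fragments of at most frag_size bytes,
    the way -f (8), -ff (16) and --mtu N do. Every fragment gets its own IP header."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8 (nmap --mtu rule)")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_off = (MF if more else 0) | (off // 8)     # offset is counted in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_off, 64, proto, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def describe(frags):
    """(offset in bytes, more-fragments flag, payload length) for each fragment."""
    out = []
    for f in frags:
        flags_off = struct.unpack("!H", f[6:8])[0]
        out.append(((flags_off & 0x1FFF) * 8, bool(flags_off & MF), len(f) - 20))
    return out


def reassemble(frags):
    """Rebuild the payload as the receiving stack does: verify each header, order
    the pieces by offset, and require the last fragment (MF clear) to be present."""
    pieces, expected_len = {}, None
    for f in frags:
        ver_ihl, _, length, _, flags_off, _, _, _ = struct.unpack("!BBHHHBBH", f[:12])
        ihl = (ver_ihl & 0x0F) * 4
        if ipv4_checksum(f[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        off = (flags_off & 0x1FFF) * 8
        pieces[off] = f[ihl:length]
        if not flags_off & MF:
            expected_len = off + len(pieces[off])
    data = b"".join(pieces[k] for k in sorted(pieces))
    if expected_len is None or len(data) != expected_len:
        raise ValueError("incomplete fragment set")
    return data


def demo(frag_size):
    """Fragment a SYN to port 80 and return (original TCP header, fragments)."""
    tcp = tcp_syn_header(40000, 80)
    return tcp, fragment(SRC, DST, tcp, frag_size)


if __name__ == "__main__":
    tcp, frags = demo(8)
    for offset, more, size in describe(frags):
        print("offset=%-2d MF=%d payload_bytes=%d" % (offset, more, size))
    assert reassemble(frags) == tcp
```

With 8-byte fragments the destination port sits in the first fragment but the TCP flags (byte 13 of the header) land in the second, which is exactly why a filter that only looks at the first fragment cannot tell a SYN from anything else; a stateful firewall that reassembles before inspecting is not fooled.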

Decoy IP

We can set decoy IPs so the target's logs show our probes interleaved with probes that appear to come from other hosts, which hides which address is the real scanner. Our own address still sends its probes and receives the replies; the decoys only add noise. Use -D with a comma-separated list, ME to place our own address at a chosen position in it, and RND:<n> for random decoys. Decoy hosts should be up, otherwise the target is effectively SYN flooded from dead addresses, and decoys have no effect on connect scans or version detection, which use the OS socket API.

Port Number

We can also set the source port of our probes with -g (or --source-port). Some firewalls allow traffic from trusted source ports, typically 53 (DNS) or 20 (FTP data), so probes sent from such a port may pass. This applies only to raw-packet scans such as -sS; connect scans and version detection use OS sockets and choose their own source port.

Spoof IP

In some circumstances, nmap may not be able to determine your source address. In that situation, use -S with the IP address of the interface you wish to send packets through (usually together with -e to name the interface). -S can also put a different, spoofed address in the packets, but then the replies go to that address rather than to us, so the scan produces no useful results unless we can sniff the replies on the path.

Optimising nmap

Optimizing nmap scans also matters: we want results in a short time while creating as little traceable traffic as possible. We should use timing template to red

We can use --host-timeout to cap how long nmap spends on one host (for example --host-timeout 5s; too small a value makes nmap give up on slow hosts entirely). We can also rate-limit probes to avoid flooding systems with --scan-delay, or set a floor and ceiling on packets per second with --min-rate and --max-rate.