Saturday, 2 May 2015

NMAP (Network Mapper)
Using Nmap in Metasploit

> Nmap is a powerful security scanner developed by Gordon Lyon

Metasploit => How to use Metasploit, click on me :)

Meterpreter Basics => How to use Meterpreter, click on me :)


How does Nmap work?

> Whenever Nmap performs a scan, it first sends an ICMP echo request to the destination to check whether the host is alive or down. This host-discovery step saves Nmap a lot of time when it scans many hosts at once. ICMP requests are often blocked by firewalls, so as a secondary check Nmap also probes commonly open ports such as 80 and 443, which are used by web servers (HTTP/HTTPS).

Working with Nmap in Metasploit

Nmap is used for
> host discovery
> service detection
> open port detection on a computer network

Nmap has many features
> stealth scan
> aggressive scan
> firewall evasion scan
> the ability to fingerprint the operating system
> its own Nmap Scripting Engine (NSE), whose scripts are written in the Lua programming language

Nmap scanning using Metasploit
Nmap with no options will perform a basic scan on the target address (hostname or IP address)

    nmap <target>

Scan multiple targets
    nmap <target1> <target2>

Scan a list of targets
    >> just put all the targets in a file, separated by a new line or a space (for example, one IP address or hostname per line, and so on)

    nmap -iL <list.txt>
    nmap -iL /root/Desktop/list.txt

Nmap options
> Nmap host discovery options
©Pprasoon Nigam

Feature                                   Option
> Don't ping (treat all hosts as online)  -Pn
> Perform a ping-only scan                -sP
> TCP SYN ping                            -PS
> TCP ACK ping                            -PA
> UDP ping                                -PU
> SCTP INIT ping                          -PY
> ICMP timestamp ping                     -PP
> ICMP echo ping                          -PE
> ICMP address mask ping                  -PM
> IP protocol ping                        -PO
> ARP ping                                -PR
> Traceroute                              --traceroute
> Force reverse DNS resolution            -R
> Disable reverse DNS resolution          -n
> Alternative DNS lookup                  --system-dns
> Manually specify DNS server(s)          --dns-servers
> Create a host list                      -sL

> nmap -sP <target>  (ping-only scan)
> nmap -PA <target>  (TCP ACK ping)
> nmap -PE <target>  (ICMP echo ping)
> nmap -R <target>   (force reverse DNS resolution)

Nmap advanced scanning options

Feature                          Option
> TCP SYN scan                   -sS
> TCP connect scan               -sT
> UDP scan                       -sU
> TCP Null scan                  -sN
> TCP FIN scan                   -sF
> Xmas scan                      -sX
> TCP ACK scan                   -sA
> Custom TCP scan                --scanflags
> IP protocol scan               -sO
> Send raw Ethernet packets      --send-eth
> Send IP packets                --send-ip

TCP flag        Meaning
> SYN           Synchronize
> ACK           Acknowledgement
> PSH           Push
> URG           Urgent
> RST           Reset
> FIN           Finished

> nmap -sS (TCP SYN scan) identifies ports by sending a SYN packet to the target and waiting for the response. A SYN packet is the first packet of a new TCP connection, so the scanner never completes the three-way handshake; this is why the SYN scan is also known as the stealth scan.
> nmap -sN (TCP Null scan) sends packets with no TCP flags set. Setting the flag bits in the TCP header to zero can fool a firewalled system into responding.

Custom TCP scan
> nmap --scanflags SYNURG <target>

Port scanning options
Feature                              Option
> Perform a fast scan                -F
> Scan specific ports                -p <port>
> Scan ports by name                 -p <name>
> Scan ports by protocol             -p U:<UDP ports>,T:<TCP ports>
> Scan all ports                     -p "*"
> Scan top ports                     --top-ports <n>
> Perform a sequential port scan     -r

> nmap -F 192.168.11.46 (fast scan)
> nmap -p http <target> (scan a port by name)
> nmap -r <target> (perform a sequential port scan; useful for evading firewalls and Intrusion Prevention Systems)

Nmap has some features that help to bypass these protection mechanisms as well

Feature                              Option
> Fragment packets                   -f
> Specify a specific MTU             --mtu
> Use a decoy                        -D
> Idle (zombie) scan                 -sI
> Manually specify a source port     --source-port
> Append random data                 --data-length
> Randomize target scan order        --randomize-hosts
> Spoof MAC address                  --spoof-mac
> Send bad checksums                 --badsum

> nmap -f (fragment packets): Nmap splits its probes into very small 8-byte fragments, which is useful for evading an improperly configured firewall.

> nmap -sI (idle zombie scan): a very unique scanning technique in which Nmap uses a zombie host to scan the target, so two IP addresses are involved (the zombie's and the target's).

Spoof MAC address
This technique is useful when a firewalled system detects a scanning process via the scanner's MAC address and blacklists that MAC address.
MAC addresses can be spoofed via three different arguments

Argument                 Function
0 (zero)                 Generates a random MAC address
Specific MAC address     Uses the specified MAC address
Vendor name              Generates a MAC address from the specified vendor (such as Apple, Dell, HP, etc.)

    nmap -sT -Pn --spoof-mac Apple <target>

Save Nmap output results
Feature                                 Option
Save output to a text file              -oN
Save output to an XML file              -oX
Grepable output                         -oG
Output in all supported file types      -oA
Periodically display statistics         --stats-every
l33t (script kiddie) output             -oS

    nmap -oX scan.xml <target>

    nmap -oN scan.txt <target>


Unknown said...

Really great one. Got some basic information about nmap. Really it was more worth.
