Port scanning, version detection and firewall evasion options in Nmap. All of them can be combined with the other Nmap scan types and options.
Fast Scan
nmap -F [target] | nmap -F 10.10.1.1
By default Nmap scans the 1000 most common ports for each protocol it is asked to scan. The -F option reduces that number to the 100 most common ports. This dramatically speeds up scanning while still covering the majority of commonly used services.
Scan Specific Ports
nmap -p [port] [target] | nmap -p 80 10.10.1.44
nmap -p [port1,port2,...|range of ports] [target] | nmap -p 20,50,70-100 10.10.1.1
Scan Ports by Name
nmap -p [port name(s)] [target] | nmap -p smtp,http 10.10.1.1
Executing nmap -p "http*" 10.10.1.1 would scan every port whose service name (as listed in the nmap-services file) starts with http, such as http, https and http-alt. Quote the wildcard so the shell does not expand it.
Scan Ports by Protocol
nmap -p U:[UDP ports],T:[TCP ports] [target] | nmap -sU -sT -p U:53,T:25 10.10.1.1
Using the syntax -p U:53,T:25 instructs Nmap to perform a UDP scan on port 53 and a TCP scan on port 25. A T: or U: prefix applies to every port that follows it until the next prefix. Both a UDP scan type (-sU) and a TCP scan type (here -sT) must be selected; Nmap warns about and ignores port specifications for a protocol it has not been asked to scan.
Scan All Ports
nmap -p "*" [target] | nmap -p "*" 10.10.1.1
The shorthand -p- (equivalent to -p 1-65535) is the more common way to scan every port. If you use the asterisk form, quote it so the shell does not expand it.
Scan Top Ports
nmap --top-ports [number] [target] | nmap --top-ports 10 10.10.1.1
Using the --top-ports option, you can specify any number of top-ranked ports to scan. The ranking comes from the open-frequency column of the nmap-services file, so --top-ports 1000 matches the default port selection and --top-ports 100 is essentially the same as -F.
Scan Ports in Sequential Order
nmap -r [target] | nmap -r 10.10.1.1
By default Nmap randomizes the order in which it scans the selected ports, which makes the scan a little harder for firewalls and intrusion prevention systems to recognize. The -r option overrides this behaviour and instructs Nmap to scan the ports sequentially in numerical order.
Operating System and Service Detection
Identifying a target's operating system from the way its TCP/IP stack responds to crafted probes is known as TCP/IP fingerprinting (-O); identifying the software and version behind each open port is service version detection (-sV). Both are covered below.
Operating System Detection
nmap -O [target] | nmap -O 10.10.1.1
Operating system detection is performed by analyzing responses from the target for a set of predictable characteristics which can be used to identify the type of OS on the remote system.
When scanning multiple targets, --osscan-limit can be combined with -O so that Nmap only attempts OS detection against promising hosts, i.e. those with at least one open and one closed TCP port. Skipping the others saves considerable time on large scans.
Submitting TCP/IP Fingerprints
nmap -O 10.10.1.11
If Nmap is unable to determine the operating system on a target, it will provide a fingerprint which can be submitted to Nmap’s OS database at www.nmap.org/submit/. By submitting the fingerprint generated and correctly identifying the target system’s operating system, you can help improve the accuracy of Nmap’s OS detection feature in future releases.
Attempt to Guess an Unknown Operating System
If Nmap is unable to accurately identify the OS, you can force it to print its closest guesses by using the --osscan-guess option.
nmap -O --osscan-guess [target] | nmap -O --osscan-guess 10.10.1.1
The --fuzzy option is a synonym that can be used as an easy to remember shortcut for --osscan-guess.
Service Version Detection
nmap -sV [target] | nmap -sV 10.10.1.1
The -sV option will attempt to identify the vendor and software version for any open ports it detects.
Nmap version detection purposely skips some problematic ports (specifically TCP 9100-9107, used by network printers that print anything sent to them). This can be overridden by combining --allports with -sV, which instructs Nmap not to exclude any ports from version detection.
Troubleshooting Version Scans
nmap -sV --version-trace [target] | nmap -sV --version-trace 10.10.1.1
The --version-trace option prints the probes sent and the responses received during version detection. This is helpful for debugging problems with version scans, or simply for gaining additional information about the services on the target.
Perform an RPC Scan
nmap -sR [target] | nmap -sR 10.10.1.1
The -sR option grinds open ports for SunRPC services to identify the RPC program and version behind them. RPC is most commonly associated with Unix and Linux systems, specifically with the NFS (Network File System) service. In current Nmap releases -sR is an alias for -sV, which performs the RPC grinding automatically as part of version detection.
Firewall Evasion Techniques
nmap -f [target] | nmap -f 10.10.1.1
The -f option instructs Nmap to fragment its probes so that no fragment carries more than 8 bytes of data after the IP header, splitting the TCP header itself across several tiny packets. Specifying it twice (-ff) uses 16-byte fragments. This is not particularly useful in everyday situations, but it may help evade older or improperly configured packet filters that inspect only the first fragment. Some host operating systems may require --send-eth combined with -f for fragmented packets to be transmitted as built, and some defragment outgoing packets in the kernel, so run a sniffer such as Wireshark during the scan to confirm that the fragments actually leave the host.
Specify a Specific MTU
The --mtu option is similar to -f except that it lets you choose the amount of data per fragment yourself. The value must be a multiple of 8 (8, 16, 24, 32 and so on) because the IP fragment offset field is expressed in 8-byte units. This creates fragmented packets that can potentially confuse some firewalls.
nmap --mtu [number] [target] | nmap --mtu 16 10.10.1.1
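To see why the fragment size matters, the following added example (written for this page, not Nmap's code) builds a minimal TCP SYN header, splits it the way -f (8 bytes per fragment) and --mtu 16 would, and shows what a stateless filter that reads only the first fragment can learn: with 8-byte fragments it sees the ports but not the SYN flag, with 16-byte fragments the flags are back in the first fragment. The header fields and addresses are constructed; the fragment layout follows the IPv4 rules (offset in 8-byte units, more-fragments flag on all but the last).

```python
import struct


def tcp_syn_header(sport, dport, seq=0):
    """Build a minimal 20-byte TCP header with only SYN set (no options; checksum left 0)."""
    offset_flags = (5 << 12) | 0x02          # data offset = 5 words, flags = SYN
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 1024, 0, 0)


def fragment(payload, mtu):
    """Split the bytes that follow the IP header into fragments of `mtu` bytes each.

    This mirrors Nmap's -f (mtu=8; -ff gives 16) and --mtu N: N is the amount of
    transport data per fragment, not the link MTU, and must be a multiple of 8
    because the IP fragment offset field counts 8-byte units.
    Returns [(offset_in_8_byte_units, more_fragments, chunk), ...].
    """
    if mtu <= 0 or mtu % 8:
        raise ValueError("--mtu must be a positive multiple of 8")
    frags = []
    for pos in range(0, len(payload), mtu):
        chunk = payload[pos:pos + mtu]
        more = pos + mtu < len(payload)
        frags.append((pos // 8, more, chunk))
    return frags


def naive_filter_sees(frags):
    """What a stateless filter that never reassembles can read from the first fragment.

    Ports sit in TCP header bytes 0-3 and the flags in bytes 12-13, so with 8-byte
    fragments the filter sees the destination port but not whether this is a SYN.
    """
    first = next(chunk for off, _more, chunk in frags if off == 0)
    seen = {}
    if len(first) >= 4:
        seen["sport"], seen["dport"] = struct.unpack("!HH", first[:4])
    if len(first) >= 14:
        seen["flags"] = struct.unpack("!H", first[12:14])[0] & 0x1FF
    return seen


def reassemble(frags):
    """What the target's IP stack does before handing the segment to TCP."""
    buf = bytearray()
    for off, _more, chunk in sorted(frags, key=lambda f: f[0]):
        if len(buf) != off * 8:
            raise ValueError("fragment gap or overlap")
        buf += chunk
    return bytes(buf)
```

A filter that reassembles (or simply drops non-initial fragments and initial fragments too short to hold the full transport header) is not fooled by any of these sizes, which is why the technique only works against older or misconfigured devices.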
Use a Decoy
When performing a decoy scan Nmap will spoof additional packets from the specified number of decoy addresses. This effectively makes it appear that the target is being scanned by multiple systems simultaneously. Using decoys allows the actual source of the scan to “blend into the crowd” which makes it harder to trace where the scan is coming from.
nmap -D [decoy1,decoy2,etc|RND:number] [target] | nmap -D RND:10 10.10.1.48
nmap -D RND:10 instructs Nmap to generate 10 random decoy addresses. You can also specify decoys manually with nmap -D decoy1,decoy2,decoy3,... and use the token ME in the list to control where your real address appears in the order. Decoy hosts should be up, otherwise you may accidentally SYN flood the target. Decoys are only used for raw-packet scans, ping scanning and OS detection; they have no effect on TCP connect scans (-sT) or version detection, which always come from your real address. Using too many decoys slows the scan and can cause network congestion, and some internet service providers filter spoofed traffic, which defeats the technique entirely.
Idle Zombie Scan
The -sI option performs an idle (zombie) scan. This is a unique technique that lets you bounce the scan off an idle third-party system, the zombie, and use it to probe the target on your behalf. It works by exploiting the predictable, globally incrementing IP ID (fragment identification) counter used by some systems: Nmap spoofs SYN packets to the target with the zombie's source address and infers the target's answer from how much the zombie's IP ID advances. For the scan to be reliable, the zombie must truly be idle at the time of scanning, otherwise its own traffic hides the increments.
nmap -sI [zombie host] [target] | nmap -sI 10.10.1.31 10.10.1.202
With this scan no probe packets are sent from your own address to the target, although an initial host-discovery ping will be sent to the target unless you combine -Pn (written -PN in older releases) with -sI. Adding -sV or -O would likewise contact the target directly from your address.
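The IP ID arithmetic behind the idle scan is easier to follow in a model than in a packet capture. The following added example (written for this page, not Nmap's implementation) simulates the three parties with constructed addresses and port states: the zombie answers an unsolicited SYN/ACK with a RST and consumes one IP ID, ignores an unsolicited RST, and the attacker reads the counter before and after the spoofed SYN. It also shows the failure mode the text warns about, a zombie that is not idle, as a noise parameter that makes the increment ambiguous.

```python
class Zombie:
    """A host whose IP ID field is a single global counter, incremented once per
    packet it sends.  `noise` models background packets sent between our probes,
    i.e. a zombie that is not really idle."""

    def __init__(self, ip, start=1000, noise=0):
        self.ip = ip
        self.ipid = start
        self.noise = noise

    def _send(self):
        self.ipid += 1
        return self.ipid

    def probe(self):
        """Attacker sends the zombie a SYN/ACK; the zombie answers RST, exposing its IP ID."""
        for _ in range(self.noise):
            self._send()                       # unrelated traffic consumes IP IDs
        return self._send()

    def receive(self, kind):
        """Unsolicited SYN/ACK is answered with a RST (one IP ID consumed);
        an unsolicited RST is silently dropped (no packet sent)."""
        if kind == "SYN/ACK":
            self._send()


class Target:
    def __init__(self, ports):
        self.ports = ports                     # port -> "open" | "closed" | "filtered"
        self.seen_sources = []                 # source IPs that would appear in the target's logs

    def on_syn(self, port, src_ip):
        self.seen_sources.append(src_ip)
        state = self.ports.get(port, "closed")
        if state == "open":
            return "SYN/ACK"
        if state == "closed":
            return "RST"
        return None                            # filtered: probe dropped, nothing sent back


def idle_scan_port(zombie, target, port):
    """One port of an -sI scan.  The attacker's own address never reaches the target:
    the SYN is spoofed from the zombie's IP, so the target replies to the zombie."""
    before = zombie.probe()
    reply = target.on_syn(port, zombie.ip)     # spoofed SYN, source = zombie.ip
    if reply is not None:
        zombie.receive(reply)
    after = zombie.probe()
    delta = after - before
    if delta == 2:
        return "open"                          # zombie RST-ed the SYN/ACK: one extra packet
    if delta == 1:
        return "closed|filtered"               # only our own probe reply in between
    return f"unknown (zombie not idle, IP ID advanced by {delta})"
```

Note that closed and filtered ports are indistinguishable to the scanner: in both cases the zombie sends nothing, so Nmap reports them together, exactly as it does for -sI in practice. Real Nmap also repeats trials and handles per-host IP ID counters and random IP IDs, which the model leaves out.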
Manually Specify a Source Port Number
nmap --source-port [port] [target] | nmap --source-port 53 divyendra.com
The --source-port option (short form -g) manually specifies the source port of every probe. Every TCP segment and UDP datagram carries a source port as well as a destination port, and by default Nmap picks a random high port. Forcing a specific source port exploits firewalls that are misconfigured to blindly accept incoming traffic based solely on the source port number. Port 20 (FTP data), port 53 (DNS) and port 67 (DHCP) are common choices, since filters are often written to let these services' traffic back in. The option is only honoured for raw-packet scans; TCP connect scans (-sT) and version detection go through the operating system's socket layer, which assigns its own source port.
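The misconfiguration this technique relies on is a stateless rule that keys on the source port alone. The following added example (written for this page, with constructed addresses and rules, not any vendor's configuration) evaluates such a weak ruleset against a probe sent with --source-port 53 to port 445, and beside it a stateful design that only admits replies to flows the protected side started or SYNs to deliberately exposed services, which the forged source port cannot satisfy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S" for SYN, "A" for ACK


# Weak ruleset (constructed): "let DNS answers and FTP data connections back in"
# written as a match on the *source* port only; first match wins.
WEAK_RULES = [
    ("allow", {"sport": 53}),
    ("allow", {"proto": "tcp", "sport": 20}),
    ("allow", {"proto": "tcp", "dport": 443}),
    ("deny", {}),
]


def stateless_eval(rules, pkt):
    """First-match evaluation of a stateless ACL.  Any attacker-chosen source port
    satisfies a rule that only checks sport, which is what --source-port 53 exploits."""
    for action, match in rules:
        if all(getattr(pkt, field) == value for field, value in match.items()):
            return action
    return "deny"


class StatefulFilter:
    """Corrected design: inbound traffic is accepted only as a reply to a flow this
    side initiated, or as a new connection (TCP SYN only) to a deliberately exposed service."""

    def __init__(self, inbound_services):
        self.inbound_services = set(inbound_services)  # {(proto, dport)}
        self.flows = set()                              # flows the protected side started

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"                              # reply to our own request, e.g. a DNS answer
        if (pkt.proto, pkt.dport) in self.inbound_services:
            if pkt.proto == "udp" or pkt.flags == "S":
                return "allow"                          # new connection to an exposed service
        return "deny"                                   # source port 53 buys the scanner nothing
```

Active-mode FTP data connections (server port 20 to client) are the classic reason the weak rule exists; a stateful filter handles them with a protocol helper that tracks the PORT command rather than by trusting the source port.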
Append Random Data
nmap --data-length [number] [target] | nmap --data-length 25 10.10.1.1
By default most Nmap probes carry no payload, so their size is predictable and some firewall and IDS signatures key on it. The --data-length option appends the specified number of random bytes to most probes in an effort to circumvent such checks. OS detection probes are left unchanged because fingerprinting depends on their exact form.
Randomize Target Scan Order
The --randomize-hosts option is used to randomize the scanning order of the specified targets.
nmap --randomize-hosts [targets] | nmap --randomize-hosts 10.10.1.100-254
The --randomize-hosts option helps prevent scans of multiple targets from being detected by firewalls and intrusion detection systems, which are quick to notice a sweep that walks an address range in sequence. Nmap shuffles targets in groups of up to 16384 hosts, so on very large ranges the randomization is per group.
Spoof MAC Address
The --spoof-mac option is used to spoof the source MAC (Media Access Control) address of the Ethernet frames Nmap sends; it implies --send-eth.
nmap --spoof-mac [vendor|MAC|0] [target] | nmap -sS -Pn --spoof-mac 0 192.168.1.1
The argument 0 instructs Nmap to forge a completely random MAC address; a vendor name such as 3Com makes Nmap pick a random address with that vendor's OUI prefix, and a full address is used as given. This makes your scanning activity harder to trace by keeping your real MAC address out of the target's logs. It only matters on the target's own Ethernet segment (beyond a router the target sees the router's MAC) and only for raw-packet scans such as -sS; a connect scan (-sT) uses the kernel's socket layer and therefore your real MAC.
Send Bad Checksums
The --badsum option sends packets with deliberately incorrect TCP, UDP or SCTP checksums to the specified host.
nmap --badsum [target] | nmap --badsum 10.10.1.1
TCP/IP uses checksums to detect corrupted packets, and virtually every real host stack silently drops a segment whose checksum is wrong. Any response you do receive is therefore unlikely to come from the target's own stack and usually betrays a firewall or IDS that did not bother to verify the checksum. That makes --badsum a useful probe when auditing a network perimeter or looking for such devices in the path.