Main page: Nmap/Short Course

Lab: Nmap/Short Course/Lab 4

Summary and Objective

This 30-minute lecture will focus on fine-tuning scans, basic evasion tactics, and an initial look into the Nmap Scripting Engine (NSE).

Objective: To introduce students to Nmap's performance tuning capabilities, fundamental firewall/IDS evasion techniques, and the basics of using the Nmap Scripting Engine (NSE) for enhanced and customized network scanning.

Notes

Recap & Why Optimize/Evade/Customize?

Quick Recap

In our last lecture, we explored advanced TCP scan types like FIN, Xmas, Null, and ACK scans, which are useful for firewall analysis and stealthier probing. We also delved into Nmap's OS detection (-O) capabilities for fingerprinting target operating systems and discussed the importance of managing Nmap's output using formats like Normal (-oN), XML (-oX), Grepable (-oG), and using Ndiff for comparing scan results over time.

Reasons for Optimization, Evasion, and Customization

  • Optimization: When scanning large networks (hundreds or thousands of hosts), default Nmap settings might be too slow. Optimizing timing parameters can significantly speed up scans, saving valuable time during assessments. Conversely, on very unstable networks or against sensitive systems, you might need to slow Nmap down to ensure accuracy and avoid overwhelming targets.
  • Evasion: Network firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are designed to block or alert on suspicious scanning activity. Basic evasion techniques can help Nmap probes reach their targets or reduce the likelihood of detection during authorized penetration tests. It's crucial to remember that these techniques should only be used ethically and legally.
  • Customization: While Nmap is incredibly powerful out-of-the-box, the Nmap Scripting Engine (NSE) allows users to write (or use pre-written) scripts to automate a vast array of networking tasks. This extends Nmap's capabilities far beyond simple port scanning, enabling deeper discovery, vulnerability detection, and more.

Nmap Timing Controls for Performance

Understanding Nmap's Default Timing & Templates

  • -T0 (paranoid) and -T1 (sneaky): Very slow, used for IDS evasion (usually less relevant for basic host discovery).
  • -T2 (polite): Slows down to consume less bandwidth and target resources.
  • -T3 (normal): Default behavior.
  • -T4 (aggressive): Speeds up scans, assuming a reasonably fast and reliable network. Good for quick sweeps when stealth isn't a primary concern.
  • -T5 (insane): Very aggressive; may sacrifice accuracy for speed and can overwhelm networks or targets. For initial sweeps, -T4 is often a good balance if you are not worried about detection.

# A fast scan using the aggressive template
sudo nmap -sS -T4 192.168.1.0/24

# A very slow, sneaky scan (for IDS evasion, not speed)
sudo nmap -sS -T1 <target_IP>

Granular Timing Options for Fine-Tuning

Beyond templates, Nmap offers precise control with a number of timing-related options.

Host Parallelism:

  • --min-hostgroup <numhosts>, --max-hostgroup <numhosts>: Nmap divides the target IP space into groups and scans one group at a time. These options control the minimum and maximum size of these groups. Larger groups can mean faster scans if your network and host can handle many concurrent probes.

Probe Parallelism:

  • --min-parallelism <numprobes>, --max-parallelism <numprobes>: Controls how many probes Nmap sends in parallel to a single host (e.g., for port scanning or OS detection). Increasing this can speed things up but might overwhelm less robust hosts or trigger rate-limiting.

Round Trip Time (RTT) Timeouts:

  • --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time>: These control how long Nmap waits for a response before giving up on a probe or retransmitting. Adjusting these can be useful on high-latency or very low-latency networks. Nmap usually does a good job of estimating RTT, but manual tuning is possible (e.g., 50ms, 1s).

Retries:

  • --max-retries <numretries>: Specifies the maximum number of times Nmap will retransmit a probe to a port if no response is received. Default is 10. Reducing this can speed up scans on unreliable networks but may miss ports if packets are dropped.

Scan Delays:

  • --scan-delay <time>, --max-scan-delay <time>: Instructs Nmap to wait at least the specified time between probes sent to a given host. Useful for rate-limiting evasion or reducing load on sensitive devices. For example, --scan-delay 1s waits 1 second between each probe.

# Example: Scanning a large network, optimizing for speed
sudo nmap -sS -T4 --min-hostgroup 100 --max-hostgroup 256 --min-parallelism 50 10.0.0.0/16

# Example: Scanning a sensitive device, being very cautious
sudo nmap -sS -T2 --max-retries 2 --scan-delay 2s <sensitive_device_IP>

Aggressive timing can be detrimental if the network or target cannot handle the load, leading to inaccurate results. Always test timing options in a controlled environment first.
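The two command lines above can be wrapped so that the timing profile is chosen by name, the time values are checked before Nmap sees them, and the wall-clock duration of each scan is recorded for comparison. This is an added example, not part of the course page or of Nmap itself; the profile names (fast, cautious, default) and the idea of timing the run with date(1) are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the course page): select Nmap timing options by
# profile, validate Nmap-style time values, and time the resulting scan.
# Profile names are assumptions for illustration.

# Print the timing options for a named profile as one space-separated line.
nmap_timing_args() {
    case "$1" in
        fast)
            # Large host groups and high probe parallelism for a sweep of a
            # big, reliable network (the page's /16 example).
            echo "-T4 --min-hostgroup 100 --max-hostgroup 256 --min-parallelism 50" ;;
        cautious)
            # Few retries and a delay between probes for a sensitive device.
            echo "-T2 --max-retries 2 --scan-delay 2s" ;;
        default)
            echo "-T3" ;;
        *)
            echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# Check a time value of the kind --scan-delay and the --*-rtt-timeout
# options take: a number with an optional ms/s/m/h suffix (e.g. 50ms, 1s).
# Returns 0 when the value is well-formed.
valid_time() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)?(ms|s|m|h)?$'
}

# Run a SYN scan with the profile's options and report the elapsed time.
# Usage: run_timed_scan cautious 192.168.1.10
run_timed_scan() {
    profile="$1"; shift
    args=$(nmap_timing_args "$profile") || return 1
    if ! command -v nmap >/dev/null 2>&1; then
        echo "nmap not installed; would run: nmap -sS $args $*" >&2
        return 0
    fi
    start=$(date +%s)
    # Word-splitting of $args is intended: it holds several options.
    sudo nmap -sS $args "$@"
    end=$(date +%s)
    echo "profile=$profile elapsed=$((end - start))s" >&2
}
```

Timing the same target with the fast and cautious profiles, then comparing the two runs with Ndiff, shows concretely which ports a too-aggressive setting misses on a lossy link.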

Firewall/IDS Evasion Techniques

These techniques are designed to make Nmap scans less detectable or to bypass certain types of network defenses. Their effectiveness varies greatly depending on the sophistication of the firewall/IDS.

Packet Fragmentation (-f, --mtu <offset>)

Concept: This technique splits the TCP header of Nmap's probe packets across several small IP fragments. The idea is that some older or poorly configured packet filters might not properly reassemble these fragments for inspection, or they might only inspect the first fragment, potentially missing the crucial TCP flags in subsequent fragments.

Usage: The -f option tells Nmap to use small (8-byte data payload after IP header) fragments. You can specify -f again for 16-byte fragments. The --mtu <offset> option allows you to specify a custom Maximum Transmission Unit size for the fragments. The offset must be a multiple of 8.

# Use 8-byte fragments
sudo nmap -sS -f <target_IP>

# Use a specific MTU (e.g., 24 bytes per fragment)
sudo nmap -sS --mtu 24 <target_IP>
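Two practical details follow from the description above: the --mtu value has to be a multiple of 8 because the IP fragment-offset field counts 8-byte units, and the TCP flags byte sits at offset 13 of the TCP header, so with 8-byte fragments it lands in the second fragment, which is exactly the case a filter that inspects only the first fragment gets wrong. The added example below (not from the course page or from Nmap) checks an --mtu value before use, computes which fragment carries the flags, and prints the tcpdump filter a defender can run on a host to confirm whether fragmented probes are arriving at all. The interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the course page): validate an --mtu value, show
# which fragment carries the TCP flags, and build a tcpdump filter that
# matches fragmented IP packets. Interface names are assumptions.

# --mtu must be a positive multiple of 8 (fragment offsets are in 8-byte
# units). Returns 0 when the value is acceptable.
mtu_ok() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;   # not a non-negative integer
    esac
    [ "$1" -ge 8 ] && [ $(( $1 % 8 )) -eq 0 ]
}

# Print the Nmap option for a validated MTU, or fail with a message.
frag_args() {
    if ! mtu_ok "$1"; then
        echo "--mtu must be a positive multiple of 8, got: $1" >&2
        return 1
    fi
    echo "--mtu $1"
}

# 0-based index of the fragment that carries the TCP flags byte (header
# offset 13) when the TCP header is split into MTU-sized fragments.
# 8-byte fragments put the flags in fragment 1; 16 or 24 keep them in 0.
flags_fragment_index() {
    mtu_ok "$1" || return 1
    echo $(( 13 / $1 ))
}

# tcpdump filter for any IP fragment: a non-zero fragment offset (low 13
# bits of bytes 6-7) or the More Fragments flag (0x20 in byte 6).
frag_capture_cmd() {
    echo "tcpdump -ni $1 '(ip[6:2] & 0x1fff) != 0 or (ip[6] & 0x20) != 0'"
}

# Usage (prints the validated option and the capture command):
#   frag_args 24 && frag_capture_cmd eth0
```

Running the printed tcpdump command on the target host while sending a fragmented scan from a lab machine shows whether the fragments traverse the path intact; a firewall or IDS that reassembles before inspection will still see the complete header, which is why the page warns that effectiveness depends on the sophistication of the device in front of the target.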

Lab

Nmap/Short Course/Lab 4

Flags