Nmap/Short Course/Lecture 4
From charlesreid1
Main page: Nmap/Short Course
Contents
Summary and Objective
This 30-minute lecture will focus on fine-tuning scans, basic evasion tactics, and an initial look into the Nmap Scripting Engine (NSE).
Objective: To introduce students to Nmap's performance tuning capabilities, fundamental firewall/IDS evasion techniques, and the basics of using the Nmap Scripting Engine (NSE) for enhanced and customized network scanning.
Notes
Recap & Why Optimize/Evade/Customize?
Quick Recap
In our last lecture, we explored advanced TCP scan types like FIN, Xmas, Null, and ACK scans, which are useful for firewall analysis and stealthier probing. We also delved into Nmap's OS detection (-O) capabilities for fingerprinting target operating systems and discussed the importance of managing Nmap's output using formats like Normal (-oN), XML (-oX), Grepable (-oG), and using Ndiff for comparing scan results over time.
Reasons for Optimization, Evasion, and Customization
- Optimization: When scanning large networks (hundreds or thousands of hosts), default Nmap settings might be too slow. Optimizing timing parameters can significantly speed up scans, saving valuable time during assessments. Conversely, on very unstable networks or against sensitive systems, you might need to slow Nmap down to ensure accuracy and avoid overwhelming targets.
- Evasion: Network firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are designed to block or alert on suspicious scanning activity. Basic evasion techniques can help Nmap probes reach their targets or reduce the likelihood of detection during authorized penetration tests. It's crucial to remember that these techniques should only be used ethically and legally.
- Customization: While Nmap is incredibly powerful out-of-the-box, the Nmap Scripting Engine (NSE) allows users to write (or use pre-written) scripts to automate a vast array of networking tasks. This extends Nmap's capabilities far beyond simple port scanning, enabling deeper discovery, vulnerability detection, and more.
Nmap Timing Controls for Performance
Understanding Nmap's Default Timing & Templates
-T0(paranoid) and-T1(sneaky): Very slow, used for IDS evasion (less relevant for basic host discovery usually).-T2(polite): Slows down to consume less bandwidth and target resources.-T3(normal): Default behavior.-T4(aggressive): Speeds up scans, assuming a reasonably fast and reliable network. Good for quick sweeps when stealth isn't a primary concern.-T5(insane): Very aggressive; may sacrifice accuracy for speed and can overwhelm networks or targets. For initial sweeps, -T4 is often a good balance if you are not worried about detection.
# A fast scan using the aggressive template sudo nmap -sS -T4 192.168.1.0/24 # A very slow, sneaky scan (for IDS evasion, not speed) sudo nmap -sS -T1 <target_IP>
Granular Timing Options for Fine-Tuning
Beyond templates, Nmap offers precise control with a number of timing-related options.
Host Parallelism:
--min-hostgroup <numhosts>,--max-hostgroup <numhosts>: Nmap divides the target IP space into groups and scans one group at a time. These options control the minimum and maximum size of these groups. Larger groups can mean faster scans if your network and host can handle many concurrent probes.
Probe Parallelism:
--min-parallelism <numprobes>,--max-parallelism <numprobes>: Controls how many probes Nmap sends in parallel to a single host (e.g., for port scanning or OS detection). Increasing this can speed things up but might overwhelm less robust hosts or trigger rate-limiting.
Round Trip Time (RTT) Timeouts:
--min-rtt-timeout,--max-rtt-timeout,--initial-rtt-timeout: These control how long Nmap waits for a response before giving up on a probe or retransmitting. Adjusting these can be useful on high-latency or very low-latency networks. Nmap usually does a good job estimating RTT, but manual tuning is possible (e.g., 50ms, 1s).
Retries:
--max-retries <numretries>: Specifies the maximum number of times Nmap will retransmit a probe to a port if no response is received. Default is 10. Reducing this can speed up scans on unreliable networks but may miss ports if packets are dropped.
Scan Delays:
--scan-delay,--max-scan-delay: Instructs Nmap to wait at least the specified time between probes sent to a given host. Useful for rate-limiting evasion or reducing load on sensitive devices. For example,--scan-delay1s waits 1 second between each probe.
# Example: Scanning a large network, optimizing for speed sudo nmap -sS -T4 --min-hostgroup 100 --max-hostgroup 256 --min-parallelism 50 10.0.0.0/16 # Example: Scanning a sensitive device, being very cautious sudo nmap -sS -T2 --max-retries 2 --scan-delay 2s <sensitive_device_IP>
Aggressive timing can be detrimental if the network or target cannot handle the load, leading to inaccurate results. Always test timing options in a controlled environment first.
Firewall/IDS Evasion Techniques
These techniques are designed to make Nmap scans less detectable or to bypass certain types of network defenses. Their effectiveness varies greatly depending on the sophistication of the firewall/IDS.
Packet Fragmentation (-f, --mtu <offset>)
Concept: This technique splits the TCP header of Nmap's probe packets across several small IP fragments. The idea is that some older or poorly configured packet filters might not properly reassemble these fragments for inspection, or they might only inspect the first fragment, potentially missing the crucial TCP flags in subsequent fragments.
Usage: The -f option tells Nmap to use small (8-byte data payload after IP header) fragments. You can specify -f again for 16-byte fragments. The --mtu <offset> option allows you to specify a custom Maximum Transmission Unit size for the fragments. The offset must be a multiple of 8.
# Use 8-byte fragments sudo nmap -sS -f <target_IP> # Use a specific MTU (e.g., 24 bytes per fragment) sudo nmap -sS --mtu 24 <target_IP>
Effectiveness: Modern IDS/IPS systems are generally good at reassembling fragments, so this technique is less effective against up-to-date defenses but might still work against simpler or older devices.
Decoys (-D <decoy1,decoy2,...,ME,...>)
Concept: This technique makes the scan appear to be coming from multiple IP addresses (decoys) in addition to your own. The target will see probes from your real IP address and also from the spoofed decoy IPs.
Purpose: It aims to obscure the true source of the scan by flooding the target's logs with multiple source IPs, making it harder for administrators to pinpoint the actual scanner. The special ME keyword can be used to position your real IP address within the list of decoys. If ME is omitted, Nmap places it in a random position. RND can generate a random non-reserved IP, and RND:<number> generates a number of random decoys.
# Scan with three decoys and your real IP sudo nmap -sS -D decoy1.example.com,decoy2.example.com,ME <target_IP> # Scan with 5 random decoys and your real IP sudo nmap -sS -D RND:5,ME <target_IP>
Caution: Using decoys can be risky. The decoys should ideally be actual live hosts that you have permission to involve, or non-existent IPs. Using IPs of uninvolved third parties without permission is unethical and could cause trouble. Some ISPs may filter packets with spoofed source addresses.
Source Port Manipulation (-g <portnum> or --source-port <portnum>)
Concept: This option allows you to specify the source port Nmap uses for its probes, rather than letting the operating system choose an ephemeral port.
Purpose: Some poorly configured firewalls might have rules that trust or allow traffic originating from well-known source ports, such as DNS (port 53) or HTTP (port 80), assuming it's legitimate reply traffic. By sending probes from these ports, Nmap might bypass such rules.
# Send probes from source port 53 (DNS) sudo nmap -sS -g 53 <target_IP> # Alias for the same sudo nmap -sS --source-port 53 <target_IP>
Note: This technique is less likely to work against modern stateful firewalls but might be effective in specific niche scenarios.
Data Length Appending (--data-length <num>)
Concept: Nmap normally sends minimalist packets containing only a header. This option appends a specified number of random bytes to most sent packets.
Purpose: Some IDS/IPS might look for very small packets as an indicator of scanning activity. Adding random data can make Nmap's packets look more like "normal" data packets, potentially bypassing such simple checks.
# Append 25 random bytes to packets sudo nmap -sS --data-length 25 <target_IP>
It's important to reiterate that no evasion technique is foolproof, and modern security systems are quite sophisticated. These are basic building blocks.
Introduction to Nmap Scripting Engine (NSE) (-sC, --script)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features, allowing users to automate a wide variety of networking tasks using Lua scripts.
What is NSE
NSE allows Nmap to go far beyond just host discovery and port scanning. With NSE scripts, Nmap can perform:
- More advanced network discovery.
- Sophisticated version detection.
- Vulnerability detection (checking for specific known flaws).
- Even basic exploitation (with extreme caution and authorization).
- Brute-force attacks against services (again, with authorization). Nmap comes with hundreds of scripts, and users can write their own or download them from the community.
Running Scripts: Categories and default (-sC)
Scripts are organized into categories, such as auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
The easiest way to use NSE is with the -sC option (or its equivalent --script default). This runs a curated set of scripts known as the "default" category. These scripts are generally considered safe (non-intrusive), useful for discovery and gaining more information, and tend not to be too noisy. -sC is often run alongside version detection (-sV).
# Run default scripts along with SYN scan and version detection sudo nmap -sS -sV -sC <target_IP>
Running Specific Scripts or Categories (--script)
You can run specific scripts by name, scripts from a particular category, scripts matching a wildcard, or even all scripts (though running all scripts is generally not recommended as it can be very slow and intrusive).
# Run all scripts in the 'discovery' category sudo nmap -sV --script discovery <target_IP> # Run a specific script, e.g., http-title (gets web page titles) sudo nmap -sV --script http-title <target_IP> # Run all scripts whose names start with 'smb-' sudo nmap -sV --script "smb-*" <target_IP> # Run scripts from a custom directory sudo nmap --script /path/to/my/custom_scripts/ <target_IP>
[Instructor: Run 'sudo nmap -sS -sV -sC <your_lab_target_with_web_server>' and show output focusing on NSE script results] Starting Nmap X.XX ( https://nmap.org ) at YEAR-MM-DD HH:MM ZONE Nmap scan report for <target_IP> Host is up (0.0XXs latency). Not shown: XXX closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Example Web Page Title Nmap done: 1 IP address (1 host up) scanned in X.XX seconds
The lines prefixed with |_ or | indicate output from NSE scripts like http-server-header and http-title.
Finding Scripts and Getting Help
Nmap scripts are typically located in the scripts subdirectory of your Nmap installation path (e.g., /usr/share/nmap/scripts/ on Linux). You can list scripts or get help on a specific script:
# Get help/description for the http-title script nmap --script-help http-title
IMPORTANT: Always be aware of what a script does before running it, especially those outside the default or safe categories. Scripts in categories like exploit, intrusive, dos, or brute can have negative impacts on target systems or networks and should only be used with explicit authorization in controlled environments. The lab for this lecture will involve experimenting with some safe NSE scripts for discovery and further information gathering.
Lab
Experiment with timing options to speed up scans in the Corporate Network (Scenario 1). Attempt basic firewall evasion techniques against a designated "filtered" segment in any scenario.
Flags
