
NMAP For Pentester

This document provides an overview of various host discovery techniques in Nmap for penetration testing purposes. It discusses ping sweeps, disabling ARP ping, sending IP packets directly, and different scan types such as TCP SYN, TCP ACK, ICMP echo, and UDP ping scans. It also covers TCP flags and traceroute, and concludes that host discovery is an important first step for gathering information on active IP addresses and ports in a network. The document aims to explore different techniques in Nmap for detecting hosts in a network that may be protected by firewalls or an IPS, in a way that generates less suspicious network traffic.

Uploaded by Josue Ouattara

Nmap for Pentester
Table of Contents

Abstract
Ping Sweep
Disable-arp-ping
Send-ip
TCP Flags
Types of Scans
TCP SYN Ping Scan
TCP ACK Ping Scan
ICMP Echo Ping Scan
ICMP Echo Ping Sweep
ICMP Address Mask Scan
ICMP ECHO Timestamp Scan
UDP Ping Scan
IP Protocol Ping Scan
No Ping Scan
ARP Ping Scan
SCTP INIT Ping
Traceroute
Conclusion
References

Page | 2
Abstract
Nmap has become one of the most popular network scanners, leaving the other
scanners behind. In many organisations the hosts are protected by firewalls or
intrusion prevention systems, and the rules these devices use to block network
traffic often cause a scan to fail. In Nmap, a pentester can easily use alternate
host discovery techniques to prevent this: it offers features that make the scan
traffic a little less suspicious. Hence, this report explores various techniques of
host discovery.
Disclaimer: This report is provided for educational and informational
purposes only (Penetration Testing). Penetration Testing refers to legal
intrusion tests that aim to identify vulnerabilities and improve cybersecurity,
rather than for malicious purposes.

Ping Sweep

Let’s begin by scanning the entire network with a ping sweep scan (-sP).

nmap -sP 192.168.1.0/24

When you closely observe the packets in Wireshark, you see that only ARP packets
are being sent while the network is scanned.

Note: -sP and -sn work the same way (-sP is the older spelling of -sn).

Let us try the same with the no port scan (-sn) option. Here we also use the
--packet-trace option, which lets you see the detailed packet transfer without
using Wireshark. You can observe the ARP packets being received.

nmap -sn 192.168.1.0/24 --packet-trace
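As an added example (not part of the original report), here is a small Python parser for the SENT/RCVD lines that --packet-trace prints. It rebuilds, per target host, which probes went out and which replies came back, which is the same information one would otherwise read off Wireshark. The sample trace is constructed in the style of that output with made-up timestamps, IP ids and sequence numbers; the scanner address 192.168.1.5 and the .109/.110 targets are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Nmap's --packet-trace output (not a real
# capture; timestamps, ids and sequence numbers are made up). The first two
# lines mimic ARP discovery on the local network; the rest mimic the IP-level
# probes Nmap sends when ARP ping is disabled. Scanner is assumed to be .5.
SAMPLE_TRACE = """\
SENT (0.0210s) ARP who-has 192.168.1.108 tell 192.168.1.5
RCVD (0.0215s) ARP reply 192.168.1.108 is-at 00:11:22:33:44:55
SENT (0.0220s) ICMP [192.168.1.5 > 192.168.1.109 Echo request (type=8/code=0) id=1234 seq=0] IP [ttl=40 id=5678 iplen=28 ]
SENT (0.0221s) TCP 192.168.1.5:61000 > 192.168.1.109:443 S ttl=52 id=1 iplen=44 seq=10 win=1024 <mss 1460>
SENT (0.0222s) TCP 192.168.1.5:61001 > 192.168.1.109:80 A ttl=38 id=2 iplen=40 seq=0 win=1024
SENT (0.0223s) ICMP [192.168.1.5 > 192.168.1.109 Timestamp request (type=13/code=0) id=1235 seq=0] IP [ttl=41 id=5679 iplen=40 ]
RCVD (0.0230s) TCP 192.168.1.109:443 > 192.168.1.5:61000 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0240s) ICMP [192.168.1.5 > 192.168.1.110 Echo request (type=8/code=0) id=1236 seq=0] IP [ttl=44 id=5680 iplen=28 ]
"""

LINE_RE = re.compile(r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>\w+) (?P<rest>.*)$")
ARP_RE = re.compile(r"^(?P<op>who-has|reply) (?P<ip>[\d.]+)")
ICMP_RE = re.compile(r"^\[(?P<src>[\d.]+) > (?P<dst>[\d.]+) (?P<kind>[^(]+?) \(type=\d+/code=\d+\)")
# TCP, UDP and SCTP share the "src:port > dst:port [FLAGS]" layout; UDP has no flags.
L4_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>[A-Z]+))?")


def parse_trace_line(line):
    """Turn one SENT/RCVD line into {dir, proto, host, detail}; return None for
    anything else (Nmap also prints NSOCK and status lines in a trace)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    direction, proto, rest = m["dir"], m["proto"], m["rest"]
    if proto == "ARP":
        a = ARP_RE.match(rest)
        if not a:
            return None
        return {"dir": direction, "proto": proto, "host": a["ip"], "detail": a["op"]}
    if proto == "ICMP":
        i = ICMP_RE.match(rest)
        if not i:
            return None
        host = i["dst"] if direction == "SENT" else i["src"]
        return {"dir": direction, "proto": proto, "host": host, "detail": i["kind"].strip()}
    l4 = L4_RE.match(rest)
    if not l4:
        return None
    # The "host" is always the scan target: destination of a probe, source of a reply.
    host, port = (l4["dst"], l4["dport"]) if direction == "SENT" else (l4["src"], l4["sport"])
    return {"dir": direction, "proto": proto, "host": host, "detail": f"{l4['flags'] or '-'}/{port}"}


def summarize_trace(trace_text):
    """Group probes and replies per target; a host counts as alive when any
    reply came back, which is what -sn reports as 'Host is up'."""
    hosts = defaultdict(lambda: {"probes": [], "responses": []})
    for line in trace_text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        bucket = "probes" if rec["dir"] == "SENT" else "responses"
        hosts[rec["host"]][bucket].append(f"{rec['proto']} {rec['detail']}")
    return {h: dict(v, alive=bool(v["responses"])) for h, v in hosts.items()}


if __name__ == "__main__":
    for host, info in summarize_trace(SAMPLE_TRACE).items():
        state = "up" if info["alive"] else "no reply"
        print(f"{host}: {state}; sent {info['probes']}; got {info['responses']}")
```

Feeding a real trace through `summarize_trace` (for example the saved output of the command above) shows at a glance which probe type each host answered, which is exactly the information the later sections use to choose between SYN, ACK, ICMP and UDP pings.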

Now that we have seen ARP packets on the network, we will use the
--disable-arp-ping option, where you can see that 4 packets are sent instead.

Disable-arp-ping

To disable the ARP discovery, Nmap provides this option.

nmap -sn 192.168.1.108 --disable-arp-ping

And you will see that the ARP packets are no longer visible.

Note: When scanning the local network, Nmap sends an ARP request with every
scan. If an external network is scanned, or --disable-arp-ping is used on the local
one, Nmap sends the following request packets instead:

You can also use the --send-ip option to get the same result as in the step above.

Send-ip

nmap -sn 192.168.1.108 --packet-trace --send-ip

Host discovery is considered the primary step in information gathering; it
provides accurate results about the active IP addresses and ports in a network.

TCP Flags

First, let’s learn the basics of the communication flags in TCP. The TCP header
contains six classic flags that manage the connection between two systems and
instruct them how to proceed. Each flag is 1 bit, so these six flags occupy 6 bits of
the header. Now let us briefly look at each flag.
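The following Python code is an added example (not from the report) that encodes and decodes the six classic TCP flags (URG, ACK, PSH, RST, SYN, FIN) in a raw 20-byte TCP header, and then interprets a reply the way the TCP SYN ping and TCP ACK ping sections below describe. The port, sequence and acknowledgement numbers are made up; the checksum is left at zero because this example is about the flags field, not about emitting packets.

```python
import struct

# The six classic TCP flags and their bit positions in the low bits of the
# 16-bit "data offset / reserved / flags" word of the TCP header. (Newer
# stacks also define CWR and ECE above URG; the report covers only these six.)
TCP_FLAG_BITS = {
    "FIN": 0x01,  # sender has finished sending
    "SYN": 0x02,  # synchronise sequence numbers: opens a connection
    "RST": 0x04,  # reset: abort, or "no such connection here"
    "PSH": 0x08,  # push buffered data to the application now
    "ACK": 0x10,  # the acknowledgement number field is valid
    "URG": 0x20,  # the urgent pointer field is valid
}
SIX_FLAG_MASK = 0x3F


def encode_flags(names):
    """Flag names -> integer flags field (raises KeyError on an unknown name)."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name]
    return value


def decode_flags(value):
    """Integer flags field -> list of set flag names, in header bit order."""
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def build_tcp_header(sport, dport, seq, ack, flags, window=1024):
    """Minimal TCP header with no options: data offset 5 words, checksum 0.
    (A real checksum needs the IP pseudo-header; it is out of scope here.)"""
    offset_and_flags = (5 << 12) | encode_flags(flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed 20-byte part of a TCP header from raw bytes."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12,
        "flags": decode_flags(off_flags & SIX_FLAG_MASK),
        "window": window,
    }


def interpret_reply(probe_flags, reply_flags):
    """Read a reply to a host-discovery probe: after a SYN probe, SYN/ACK
    means an open port and RST a closed one (both prove the host is up);
    after an ACK probe, a RST proves the host is up."""
    probe, reply = set(probe_flags), set(reply_flags)
    if probe == {"SYN"}:
        if {"SYN", "ACK"} <= reply:
            return "host up, port open"
        if "RST" in reply:
            return "host up, port closed"
    elif probe == {"ACK"}:
        if "RST" in reply:
            return "host up (reset of unknown connection)"
    return "no reply or unexpected flags: undetermined"


if __name__ == "__main__":
    # Made-up numbers: a SYN probe to port 80 and the SYN/ACK a listening service would return.
    probe = build_tcp_header(61000, 80, 1000, 0, ["SYN"])
    reply = build_tcp_header(80, 61000, 5000, 1001, ["SYN", "ACK"])
    print("probe flags:", parse_tcp_header(probe)["flags"])
    print("reply flags:", parse_tcp_header(reply)["flags"])
    print(interpret_reply(parse_tcp_header(probe)["flags"], parse_tcp_header(reply)["flags"]))
```

The same decoder can be pointed at bytes captured from Wireshark (the TCP header starts right after the IP header) to confirm which flags a probe or a reply actually carried.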

Types of Scans
To discover the hosts in the network, various ping scan methods can be used.

TCP SYN Ping Scan

It is a host discovery method that also reveals whether the probed ports are open
and whether the probe gets through the firewall rules. The pentester sends an
empty TCP SYN packet to the target to check whether it is alive. Multiple ports can
be given to this scan type.

The -sP option in Nmap only discovers online hosts. SYN ping (-PS) instead sends
a TCP SYN packet to the chosen ports: if a port is closed, the host responds with a
RST packet; if it is open, the host responds with SYN/ACK, and Nmap then sends a
RST packet to tear the half-open connection down. Either reply shows the host is up.

nmap -sn -PS 192.168.1.108 --disable-arp-ping

The packets captured using Wireshark can be observed.

The advantage of the TCP SYN ping scan is that the pentester learns whether the
host is active without completing a connection, so the probe usually leaves no
entry in the application logs on the target (a firewall or IDS in the path can still
record the SYN).

TCP ACK Ping Scan


This host discovery method is similar to the TCP SYN ping scan but differs slightly.
It also uses port 80 by default. The pentester sends an empty TCP ACK packet to the
target; since no connection exists between them, the target answers with a RST
packet, which resets and terminates the exchange and at the same time proves that
the host is alive.

This command is used to check the target’s response and to test whether SYN
packets or ICMP echo requests are being blocked, as they are by many current
firewalls.

nmap -sn -PA 192.168.1.108 --disable-arp-ping

The packets captured in Wireshark can be observed here.

Some firewalls are configured to block SYN ping packets; in that case this scan can
bypass the firewall easily (a stateful firewall that tracks connections will drop the
unsolicited ACK as well).

ICMP Echo Ping Scan

The ICMP ping scan gathers information about target systems without touching any
port, which sets it apart from port scanning. The pentester sends an ICMP Echo
request to the target and receives an ICMP Echo reply in return.

ICMP echo is now often ineffective against remote hosts because administrators
block these packets at the perimeter. It can still be used to monitor local networks.

nmap -sn -PE 192.168.1.108 --disable-arp-ping

The packets captured in Wireshark can be observed.

ICMP Echo Ping Sweep

It is similar to the Echo ping scan and is used to find the active hosts in a given
range of IP addresses. It sends ICMP Echo requests to a large number of targets,
and every target that is alive returns an ICMP Echo reply.

nmap -sn -PE 192.168.1.1-10

ICMP Address Mask Scan

It is an older ICMP-based alternative to the Echo ping scan. A reply gives out
information about the system and its subnet mask.

nmap -sn -PM 192.168.1.108 --disable-arp-ping

ICMP ECHO Timestamp Scan

The pentester can adopt this technique when the system administrator blocks the
regular ICMP Echo ping but not ICMP timestamp requests. The timestamp message is
normally used for time synchronisation.

nmap -sn -PP 192.168.1.108 --disable-arp-ping

The packets captured using Wireshark can be observed.

UDP Ping Scan

The UDP ping scan sends packets to the highly uncommon default port number
40125 on the target. It is similar to the TCP ping scans. The pentester sends UDP
packets to the target; any response (a UDP reply, or an ICMP port unreachable error
for the closed port) means the host is alive, while silence means it is offline or
filtered.

The advantage of the UDP ping scan is that it can detect systems behind firewalls
that have strict TCP rules but lax UDP rules.

nmap -sn -PU 192.168.1.108 --disable-arp-ping

You can observe the packets sent using Wireshark.

IP Protocol Ping Scan


In this method, the pentester sends packets using several different IP protocol
numbers and hopes for a response of any kind, which would show the target is alive.

nmap -sn -PO 192.168.1.108 --disable-arp-ping

The packets captured can be observed using Wireshark.

No Ping Scan

In this method, host discovery is completely skipped and every target is treated as
active, so the pentester can move straight to heavier scanning and save the time the
discovery phase would take. (-PN is the older spelling of -Pn.)

nmap -sn -PN 192.168.1.108 --disable-arp-ping

ARP Ping Scan

In this method, ARP requests are sent to all the devices in the local network, so
hosts that a firewall hides from IP-level probes are still found. It is considered far
more efficient than the other host discovery methods on a local network and is
mainly used for system discovery. It also reports the latency.

nmap -sn -PR 192.168.1.108

You can see the packets being captured in Wireshark.

SCTP INIT Ping

It sends an SCTP packet containing a minimal INIT chunk. Its default destination
port is 80. The INIT chunk suggests to the remote system that the pentester is
attempting to establish an association; an INIT-ACK or ABORT reply shows that the
host is up.

nmap -sn -PY 192.168.1.108 --disable-arp-ping

The packets that are captured can be observed.

Traceroute

Traceroute runs after the scan finishes, using information from the scan results to
choose the port and protocol most likely to reach the target.

nmap -sn --traceroute 8.8.8.8

Conclusion
Hence, a cybersecurity professional can make use of these commands to assess
vulnerabilities on systems and keep those systems away from threats.

References
• https://www.hackingarticles.in/nmap-for-pentester-host-discovery/
• https://nmap.org/book/man-host-discovery.html
