NMAP Cheatsheet
Nmap's TCP ACK scan (-sA) is much harder for firewalls and IDS/IPS systems to filter than a regular SYN scan (-sS) or Connect scan (-sT), because it sends a TCP packet with only the ACK flag set. Whether the port is closed or open, the host must respond with an RST. Incoming connection attempts (packets with the SYN flag) from external networks are usually blocked by firewalls, unlike outgoing connections. Packets with the ACK flag, however, are often passed, because a firewall that does not track connection state cannot tell whether the connection was originally established from the external network or from the internal network.
Decoys
There are cases in which administrators block specific subnets from different regions as a matter of policy, which prevents any access to the target network. Another example is when an IPS blocks us. For these situations the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses and inserts them into the IP header to disguise the origin of the packet sent. We can have Nmap generate a specific number of random (RND) IP addresses, separated from the keyword by a colon (:), for example RND:5. Our real IP address is then placed at a random position among the generated addresses. In the next example, our real IP address ends up in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may become unreachable due to SYN-flooding protection mechanisms.
Scan by Using Decoys (Firewall and IDS/IPS Evasion)
forhau@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Scan by Using a Different Source IP (Firewall and IDS/IPS Evasion)
forhau@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
DNS Proxying
By default, Nmap performs a reverse DNS resolution unless told otherwise, to gather more information about our target. These DNS queries are also passed in most cases, because the given web server is supposed to be found and visited. The DNS queries are made over UDP port 53. TCP port 53 was previously only used for so-called "zone transfers" between DNS servers, or for responses larger than 512 bytes. This is changing more and more due to the spread of IPv6 and DNSSEC, which cause many DNS requests to be made via TCP port 53.
However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server, which takes a comma-separated list of servers). This method can be fundamental to us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those from the Internet, so, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as the source port (--source-port) for our scans. If the administrator uses the firewall to allow this port and the IDS/IPS does not filter it properly, our TCP packets will be trusted and passed through.
SYN-Scan of a Filtered Port (Firewall and IDS/IPS Evasion)
forhau@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
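The source-port trick above only works against a rule that trusts traffic by source port alone. On the defender's side the tell is simple: a legitimate DNS answer from port 53 is either a UDP datagram or a TCP segment belonging to a connection the client opened, never a fresh SYN. The following is an added detection example, not part of the original cheatsheet or of Nmap: it runs that heuristic over a few constructed netfilter-style LOG lines (the field layout `SRC= DST= PROTO= SPT= DPT=` is the real kernel LOG format, but these lines are made up) and groups the hits per source so a probe of several ports stands out as one scanner.

```python
import re

# Constructed sample lines in netfilter LOG-target style; not captured from a real host.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=10.129.2.200 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=50000 WINDOW=1024 SYN
kernel: IN=eth0 OUT= SRC=10.129.2.200 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=445 WINDOW=1024 SYN
kernel: IN=eth0 OUT= SRC=8.8.8.8 DST=10.129.2.28 PROTO=UDP SPT=53 DPT=41234 LEN=96
kernel: IN=eth0 OUT= SRC=10.129.2.50 DST=10.129.2.28 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 SYN
kernel: IN=eth0 OUT= SRC=10.129.2.200 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split a LOG line into key=value fields plus the set of bare TCP flag tokens."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def is_trusted_port_abuse(fields, flags):
    """A TCP connection request *from* port 53 toward a non-DNS port.

    Real DNS traffic from port 53 is a UDP reply, or a TCP segment of a connection
    the client initiated (so it carries ACK). A bare SYN from port 53 is a probe
    trying to ride an 'allow source port 53' rule.
    """
    return (
        fields.get("PROTO") == "TCP"
        and fields.get("SPT") == "53"
        and fields.get("DPT") != "53"
        and "SYN" in flags
        and "ACK" not in flags
    )


def find_source_port_abuse(log_text):
    """Return (src, dst, dport) for every line matching the heuristic."""
    hits = []
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if is_trusted_port_abuse(fields, flags):
            hits.append((fields["SRC"], fields["DST"], int(fields["DPT"])))
    return hits


def summarize_by_source(hits):
    """Group probed destination ports by scanning source address."""
    per_src = {}
    for src, _dst, dport in hits:
        per_src.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in per_src.items()}


if __name__ == "__main__":
    for src, ports in summarize_by_source(find_source_port_abuse(SAMPLE_LOG)).items():
        print(f"{src} sent SYNs from port 53 to ports {ports}")
```

The fix on the firewall is to stop trusting source ports at all: accept inbound TCP only for `established,related` connection-tracking states (or the equivalent in the product in use), and let DNS answers in because they match an outbound query, not because they come from port 53.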
Scanning Options
Nmap Option | Description |
---|---|
10.10.10.0/24 | Target network range. |
-sn | Disables port scanning. |
-Pn | Disables ICMP Echo Requests. |
-n | Disables DNS resolution. |
-PE | Performs the ping scan by using ICMP Echo Requests against the target. |
--packet-trace | Shows all packets sent and received. |
--reason | Displays the reason for a specific result. |
--disable-arp-ping | Disables ARP Ping Requests. |
--top-ports= | Scans the specified number of top ports, i.e. those defined as most frequent. |
-p- | Scans all ports. |
-p22-110 | Scans all ports between 22 and 110. |
-p22,25 | Scans only the specified ports 22 and 25. |
-F | Scans the top 100 ports. |
-sS | Performs a TCP SYN scan. |
-sA | Performs a TCP ACK scan. |
-sU | Performs a UDP scan. |
-sV | Scans the discovered services for their versions. |
-sC | Performs a script scan with the scripts categorized as "default". |
--script | Performs a script scan by using the specified scripts. |
-O | Performs an OS detection scan to determine the OS of the target. |
-A | Performs OS detection, service detection, and traceroute scans. |
-D RND:5 | Sets the number of random decoys that will be used to scan the target. |
-e | Specifies the network interface that is used for the scan. |
-S 10.10.10.200 | Specifies the source IP address for the scan. |
-g | Specifies the source port for the scan. |
--dns-server | DNS resolution is performed by using the specified name server. |
Output Options
Nmap Option | Description |
---|---|
-oA filename | Stores the results in all available formats starting with the name of “filename”. |
-oN filename | Stores the results in normal format with the name “filename”. |
-oG filename | Stores the results in “grepable” format with the name of “filename”. |
-oX filename | Stores the results in XML format with the name of “filename”. |
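The XML output (-oX) is the format to feed into other tooling, because it carries the same per-port `reason` field that --reason prints (for instance `syn-ack` for an open port, `reset` for the RST replies discussed under the ACK scan, `no-response` for a filtered one). The parser below is an added example, not code from the cheatsheet or from the Nmap project: it reads a constructed fragment shaped like real -oX output (the element and attribute names `host`, `address`, `ports`, `port`, `state`, `reason`, `service` are Nmap's; the scan values are invented) and turns it into plain records that can be diffed between scans.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed fragment in the shape of `nmap -oX` output; not from a real scan.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,445,50000 -oX scan.xml 10.129.2.28" version="7.94">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.129.2.28" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset" reason_ttl="64"/><service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="tcp" portid="50000"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Flatten every <port> of every <host> into a dict with host, proto, port, state, reason, service."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")  # absent when Nmap has no name for the port
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
            })
    return records


def open_ports(records):
    """Port numbers reported open, in scan order."""
    return [r["port"] for r in records if r["state"] == "open"]


def count_by_state(records):
    """How many ports ended in each state: open / closed / filtered / ..."""
    return Counter(r["state"] for r in records)


def new_open_ports(before, after):
    """Open ports present in `after` but not in `before`; the diff to alert on between scans."""
    return sorted(set(open_ports(after)) - set(open_ports(before)))


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for r in recs:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['state']:<8} ({r['reason']}) {r['service'] or ''}")
    print("summary:", dict(count_by_state(recs)))
```

Running the same parser over two -oX files and calling `new_open_ports` gives a minimal exposure-change check; `count_by_state` separates genuinely closed ports (RST seen) from filtered ones (no answer), which is exactly the distinction the ACK scan section relies on.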
Performance Options
Nmap Option | Description |
---|---|
--max-retries | Sets the number of retries for scans of specific ports. |
--stats-every=5s | Displays the scan's status every 5 seconds. |
-v/-vv | Displays verbose output during the scan. |
--initial-rtt-timeout 50ms | Sets the specified time value as the initial RTT timeout. |
--max-rtt-timeout 100ms | Sets the specified time value as the maximum RTT timeout. |
--min-rate 300 | Sets the minimum rate at which packets are sent (here 300 per second). |
-T <0-5> | Specifies the timing template. |