Website: https://gbhackers.com/external-penetration-testing/
This time, the website is different, to reflect what we want to do with nmap.
Please read this article, and you will be much wiser as to how nmap is used.
Welcome back to another educational experience: ‘demystifying nmap’. So, last issue, we talked about customising your ping sweep, but we did not say how. If you read the linked article, you will know the why. However, if you don’t know how ICMP works, I have good news for you: you will learn something new. You don’t have to remember the whole table, but get an overall feel. Please peruse the table (types 0-18) here: http://www.informit.com/articles/article.aspx?p=26557&seqNum=5
Now, it is true that you don’t need to know what electricity is to use it, and I suppose the same can be said of nmap. The fact of the matter is, if you knew better, you would not do things like the outlet challenge either: https://www.the-sun.com/news/299433/stupid-tiktok-outlet-challenge-penny-game-deadly/
I will refer to this table, and you can simply look it up if networking is not your thing.
Note: This will be our first nmap query to require root / sudo privileges. (On Linux, only root is generally able to send and receive raw TCP packets.)
Let’s make another ping sweep. Do you still remember how? In this category, we have -PE, -PP and -PM (the ICMP ping types) that we use to modify our query. Like so:
nmap -sP -PP 192.168.1.0/24
Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from live hosts. Unfortunately for us, many hosts and firewalls now block these packets, rather than responding as they are supposed to. The ICMP standards also specify timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery. In our example case, we can use type 13, and we will tailor our request as follows:
sudo nmap -sP -PP 192.168.1.0/24
Go on, try it on your local network. (Again, don’t try it on the police services’ website!)
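To make the ICMP table concrete, here is an added example (not code from the article or from the nmap project) that assembles the request packets behind -PE, -PP and -PM (types 8, 13 and 17), decodes the replies that mark a host as alive (types 0, 14 and 18) and checks the RFC 1071 checksum. It works purely on byte strings, so it needs no root, sockets or network; the reply packets are constructed for the example, and the host-up decision checks only the reply type and checksum (a simplification of what nmap does).

```python
"""Build and decode the ICMP probes behind nmap's -PE, -PP and -PM host discovery.

Added example for this article, not code from the original text or from
the nmap project.  Runs offline on byte strings; the replies are constructed.
"""
import struct

# ICMP message types from the table linked in the article (RFC 792 / RFC 950).
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18

# nmap host-discovery flag -> (type of the request sent, type of the reply that proves a live host)
NMAP_ICMP_PROBES = {
    "-PE": (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY),
    "-PP": (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY),
    "-PM": (ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY),
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd-length messages are padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)  # fold the carries back in
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP header (type, code 0, checksum, identifier, sequence) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_timestamp(icmp_type: int, ident: int, seq: int,
                    originate: int, receive: int = 0, transmit: int = 0) -> bytes:
    """Type 13/14 body: three 32-bit timestamps (milliseconds since midnight UTC).
    A request carries only the originate stamp; the reply fills in the other two."""
    stamps = struct.pack("!III", originate & 0xFFFFFFFF,
                         receive & 0xFFFFFFFF, transmit & 0xFFFFFFFF)
    return build_icmp(icmp_type, ident, seq, stamps)


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message; checksum_ok is True when the stored checksum matches."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole message, checksum field included, yields 0 for an intact packet.
    info = {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0}
    if icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and len(packet) >= 20:
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", packet[8:20])
    elif icmp_type in (ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY) and len(packet) >= 12:
        info["mask"] = ".".join(str(b) for b in packet[8:12])
    return info


def host_alive(probe_flag: str, reply: bytes) -> bool:
    """Host counts as up when an intact reply of the type paired with the probe arrives.
    (Simplification: only type and checksum are checked, not identifier/sequence.)"""
    _request_type, expected_reply = NMAP_ICMP_PROBES[probe_flag]
    info = parse_icmp(reply)
    return info["checksum_ok"] and info["type"] == expected_reply


if __name__ == "__main__":
    # What -PP puts on the wire, and a constructed reply a live host would send back.
    request = build_timestamp(ICMP_TIMESTAMP_REQUEST, ident=0x1234, seq=1, originate=43_200_000)
    reply = build_timestamp(ICMP_TIMESTAMP_REPLY, ident=0x1234, seq=1,
                            originate=43_200_000, receive=43_200_007, transmit=43_200_007)
    print("request bytes:", request.hex())
    print("reply decoded:", parse_icmp(reply))
    print("host up via -PP?", host_alive("-PP", reply))
```

Feeding a captured reply to `parse_icmp` is also a quick way to see which of the three probe types a firewall on your own network actually lets through: a type 14 coming back where a type 0 never does is exactly the gap the article is describing.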
Okay, back to our ping sweep. Remember that I told you the ACK flag was set on the TCP packet? We can change that to a SYN, to fool stateful firewalls. The default destination port is 80. Alternate ports can be specified as a parameter. Note that if you specify an alternative port, there is no space between -PS and the port number (-PS443, not -PS 443). The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will take the second step of the TCP three-way handshake by responding with a SYN/ACK packet. Nmap does not care whether the port is open or closed: either the RST or the SYN/ACK response tells nmap that the host is available and responsive. What will that look like? Try this:
nmap -sP -PS 192.168.0.0/24
You are doing great so far if you have been following along. We can also skip the port scan by specifying -sn. We are also able to spoof our egress (source) port with the -g switch, which we tack on right at the end of our query.
For example: -g137 will tell our target the request came from port 137.
Easy-peasy-lemon-squeezy!
It goes without saying that if -PS is the SYN flag, -PA is the ACK flag.
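The -PS/-PA logic above, seen from both ends of the wire, as an added example (not code from the article or from the nmap project): it reads constructed tcpdump-style lines, applies the rule that a RST or a SYN/ACK reply both mean the host is up, and, from the defender's side, flags a source that sends unsolicited SYN or ACK probes to many hosts on one destination port, reporting the single source port that a -g option such as -g137 would produce. The log lines, addresses and ports are constructed for the example; real tcpdump output carries more fields than the regex here expects.

```python
"""Interpret a TCP SYN/ACK ping sweep from tcpdump-style log lines.

Added example for this article, not code from the original text or from
the nmap project.  The capture below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed capture: 10.0.0.5 sends SYN probes from a fixed source port 137 to four
# hosts on port 80, then an ordinary client (192.168.0.20) completes a real handshake.
SAMPLE_LOG = """\
12:00:01.000 IP 10.0.0.5.137 > 192.168.0.10.80: Flags [S]
12:00:01.001 IP 192.168.0.10.80 > 10.0.0.5.137: Flags [R.]
12:00:01.002 IP 10.0.0.5.137 > 192.168.0.11.80: Flags [S]
12:00:01.003 IP 192.168.0.11.80 > 10.0.0.5.137: Flags [S.]
12:00:01.004 IP 10.0.0.5.137 > 192.168.0.12.80: Flags [S]
12:00:01.005 IP 10.0.0.5.137 > 192.168.0.13.80: Flags [S]
12:00:01.006 IP 192.168.0.13.80 > 10.0.0.5.137: Flags [R.]
12:00:02.000 IP 192.168.0.20.51515 > 192.168.0.11.80: Flags [S]
12:00:02.001 IP 192.168.0.11.80 > 192.168.0.20.51515: Flags [S.]
12:00:02.002 IP 192.168.0.20.51515 > 192.168.0.11.80: Flags [.]
""".splitlines()

# tcpdump flag letters: S = SYN, . = ACK, R = RST; "S." is SYN/ACK, "R." is RST/ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[A-Z.]*)\]"
)


def parse_line(line: str):
    """Split one tcpdump-style line into addresses, ports and the TCP flag string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def reply_means_up(flags: str) -> bool:
    """The article's rule: RST (port closed) or SYN/ACK (port open) both prove a live host."""
    return "R" in flags or flags == "S."


def probe_kind(flags: str):
    """A bare SYN is a -PS probe, a bare ACK is a -PA probe; anything else is not a probe."""
    return {"S": "SYN", ".": "ACK"}.get(flags)


def sweep_results(lines, scanner: str) -> dict:
    """Scanner's conclusion per target: 'up' or 'no response'."""
    status = {}
    for d in filter(None, map(parse_line, lines)):
        if d["src"] == scanner and probe_kind(d["flags"]):
            status.setdefault(d["dst"], "no response")
        elif d["dst"] == scanner and d["src"] in status and reply_means_up(d["flags"]):
            status[d["src"]] = "up"
    return status


def detect_sweeps(lines, min_targets: int = 3) -> list:
    """Defender's view: sources probing >= min_targets distinct hosts on one port."""
    probes = defaultdict(lambda: {"targets": set(), "sports": set(), "kinds": set()})
    opened = set()  # (src, dst, dport) handshakes this source began with a SYN
    for d in filter(None, map(parse_line, lines)):
        kind = probe_kind(d["flags"])
        key = (d["src"], d["dst"], d["dport"])
        if kind == "SYN":
            opened.add(key)
        elif kind == "ACK" and key in opened:
            continue  # ACK inside a connection the source opened itself: not a probe
        if kind:
            entry = probes[(d["src"], d["dport"])]
            entry["targets"].add(d["dst"])
            entry["sports"].add(d["sport"])
            entry["kinds"].add(kind)
    alerts = []
    for (src, dport), entry in probes.items():
        if len(entry["targets"]) >= min_targets:
            alerts.append({
                "source": src,
                "dst_port": dport,
                "targets": len(entry["targets"]),
                "probe": "/".join(sorted(entry["kinds"])),
                # One source port across every probe is what -g (e.g. -g137) produces.
                "fixed_source_port": next(iter(entry["sports"])) if len(entry["sports"]) == 1 else None,
            })
    return alerts


if __name__ == "__main__":
    print("scanner's view:", sweep_results(SAMPLE_LOG, "10.0.0.5"))
    print("defender's alerts:", detect_sweeps(SAMPLE_LOG))
```

Note the asymmetry the example makes visible: 192.168.0.12 never answers, so the scanner lists it as "no response", yet the defender's alert still counts it as a probed target. A stateful firewall that drops the probe does not stop the attempt from showing up in its own logs, which is where detection of a sweep belongs.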
Our cheat sheet is shown below.
Nmap even allows you to get more creative with your packets! But, more on this in the next issue of FCM. Hope to see you there.
Hope you enjoyed this third demystifying nmap article and I'll see you next issue for something new.
As always, comments, compliments, complaints, all to: misc@fullcirclemagazine.org