lesson-many-tryhackme-jrpenetrationtester-en.txt
Introduction
Defensive Security
Preventing intrusions
Detecting intrusions
Security Operations Center
Main areas of interest
Vulnerabilities
Policy violations
Unauthorized activity
Network intrusions
Digital Forensics
File system: analyzing a digital forensic image (low-level copy)
System memory: a forensic image too, for malicious programs that live in memory (not saved to disk)
System logs: some traces will be left even if the attacker tries to cover their tracks
Network logs: logs of the network packets
Incident Response
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Malware Analysis
Static: inspecting the malicious program without running it
Dynamic: running the malware in a controlled environment and monitoring its activities
Rules of Engagement (ROE)
A document created at the initial stages of penetration testing engagement
Permission (legally protect individuals and organisations)
Test Scope (certain servers or applications)
Rules (define exactly the techniques that are permitted)
Penetration Testing Methodologies
General Theme
Information Gathering
Publicly accessible information (OSINT and research, does not involve scanning)
Enumeration/Scanning
Discovering applications and services running on the systems
Exploitation
Leveraging vulnerabilities
Privilege Escalation
Once exploited (known as a foothold), expand your access to the system
Horizontally (accessing another account of the same permission group)
Vertically (another permission group)
Post-Exploitation
Other hosts (pivoting)
Other additional information (as a privileged user)
Covering tracks
Reporting
Primary scopes
Black-Box: no knowledge (high-level process)
Grey-Box: partial knowledge (most popular, saves time)
White-Box: full knowledge (guarantees coverage of the entire attack surface)
Defence in Depth
CIA Triad
Confidentiality Integrity Availability
Principles of Privileges
Primary factors
The individual's role/function within the organisation
The sensitivity of the information being stored on the system
Key concepts
Privileged Identity Management (PIM)
Privileged Access Management (PAM)
Essential
The principle of least privilege
Security Models
The Bell-La Padula Model
Confidentiality
Top Secret
Secret
Confidential
Biba Model
Integrity
Layer 1
Layer 2
Layer 3
Threat Modelling
Process of reviewing, improving, and testing the security protocols
Similar to risk assessment
Preparation
Identification
Mitigations
Review
Frameworks
STRIDE
Spoofing identity
Tampering with data
Repudiation threats
Information disclosure
Denial of service
Elevation of privileges
PASTA
Process for Attack Simulation and Threat Analysis
Incident Response
Computer Security Incident Response Team (CSIRT)
Preparation
Identification
Containment
Eradication
Recovery
Lessons
Network Security
Passive Reconnaissance
These are all publicly available records and hence do not alert the target
whois
To query WHOIS servers (TCP port 43, request and response protocol)
nslookup <options> <domainName> <server>
Name Server Look Up
To query DNS servers and find the IP of a domain name
Options
A IPv4 Addresses
AAAA IPv6 Addresses
CNAME Canonical Name
MX Mail Servers
SOA Start of Authority
TXT TXT Records
DNS Servers
Cloudflare
1.1.1.1
1.0.0.1
Google
8.8.8.8
8.8.4.4
Quad9
9.9.9.9
149.112.112.112
Examples
nslookup -type=A example.false 1.1.1.1
We started from one domain and we could obtain several IPv4 addresses
Each of these IP addresses can be further checked for insecurities
nslookup -type=MX example.false
Looking up the Mail Exchange servers
Preceded by a number representing the order of priority
dig
To query DNS servers
Online services to collect information about a target without directly connecting to it
dnsdumpster.com
Mapping the domain
There is a possibility that one subdomain has been set up and is not updated regularly
Lack of proper regular updates usually leads to vulnerable services
shodan.io
Tries to connect to every device reachable online to build a search engine of connected "things"
Summary
Purpose: CLI
Lookup WHOIS record: whois example.false
Lookup DNS A records: dig example.false A
                      nslookup -type=A example.false
Lookup DNS MX records at a given DNS server: dig @1.1.1.1 example.false MX
                                             nslookup -type=MX example.false 1.1.1.1
Lookup DNS TXT records: dig example.false TXT
                        nslookup -type=TXT example.false
Active Reconnaissance
traceroute To map the path to the target
ping To check if the target system responds to ICMP Echo
telnet To check which ports are open and reachable by attempting to connect to them
Any such connection might leave information in the logs showing
The client IP address
Time of connection
Duration of the connection
...
However, not all connections are suspicious
It is possible to let your active reconnaissance appear as regular client activity (Browser)
Browser
Ports
It is possible to use custom ports to access a service
For instance, https://127.0.0.1:8884/
If there is an HTTPS server listening on that port, we will receive a web page
Developer Tools
View and modify the JavaScript
Inspect the cookies
Discover the folder structure
...
Extensions (add-ons)
FoxyProxy
Change the proxy server you are using to access the target website (Burp Suite)
User-Agent Switcher and Manager
Pretend to access the webpage from a different OS or a different browser
Wappalyzer
Provides insights about the technologies used on the websites
ping
Checking whether the remote system is online (if not blocked by a firewall)
Sends an ICMP Echo packet, and the remote system sends back an ICMP Echo reply
Internet Control Message Protocol echo/type 8
Used to check network connectivity
Linux ping -c <integer> <ip>
Windows ping -n <integer> <ip>
Host Unreachable
The destination computer is possibly still booting or turned off, or the OS has crashed
It is unplugged from the network, or there is a faulty network device across the path
A firewall is blocking such packets on the system itself or a separate network appliance
MS Windows firewall blocks ping by default
Your system is unplugged from the network
traceroute
Find the IP addresses of the routers or hops that a packet traverses from your system to a target host
Also reveals the number of routers between two systems
The route might change as many routers use dynamic routing protocols that adapt to network changes
Linux
traceroute <ip>
On Unix-like OSs, traceroute sends by default a sequence of UDP datagrams
with destination port numbers ranging from 33434 to 33534
Our system sends three packets with TTL set to 1, then three
packets with TTL set to 2, and so forth: depending on the
network topology we might get replies from up to 3 different routers for one hop
A star "*" indicates that our system did not receive the
expected ICMP Time Exceeded in-transit message
If more than one IP by hop, it's the first
-I Option to use ICMP Echo packet
-P Arbitrary protocol such as UDP, TCP using SYN packets, or ICMP
sudo traceroute -I example.false
Windows
Sends ICMP Echo Request packets
tracert <ip>
telnet
Protocol for remote administration developed in 1969
Sends all the data in clear text
Port 23
Can be used for other purposes
Relies on TCP protocol
Connect to any service running on TCP and grab its banner
Even exchange a few messages unless it uses encryption
telnet <ip> <port>
Type the request, or copy it from a file (e.g. opened in vim) and paste it
GET / HTTP/1.1
host: telnet
OR
GET /page.htm HTTP/1.1
host: telnet
THEN press ENTER twice: the empty line terminates the request headers
nc (netcat)
Supports both TCP and UDP protocols
It can function as a client that connects to a listening port
It can act as a server that listens on a port of your choice
Connect
nc -C <ip> <port>
GET / HTTP/1.1
host: netcat
-C Send CRLF as line ending (use it if Shift + Enter does not produce a valid request)
Alternatively, copy the request from a file (e.g. opened in vim) and paste it
GET / HTTP/1.1
host: netcat
Listen
nc <options> <port>
-l Listen mode
-n Numeric only (no resolution of hostnames via DNS, avoid warnings)
-v Verbose output
-vv Very verbose
-k Keep listening after client disconnects
-p Specify the port number (should appear just before the port number)
nc -lnvp 1234
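The telnet and netcat sections above both come down to typing a raw HTTP request by hand, with CRLF line endings and an empty line to end the headers. The following is an added example (not code from the original notes, and not a TryHackMe tool) that does the same thing from Python, so the request bytes and the parsing of the banner are explicit. It starts a throwaway local HTTP server (a constructed stand-in for the target, named ExampleHTTPd) so that it runs offline; the hostnames and ports are only those of that local server.

```python
"""Hand-built HTTP/1.1 request over a plain TCP socket (what telnet / nc -C send),
with the response status line and headers parsed out.  Added example, not from
the notes; the server below is a constructed stand-in for the target."""

import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed target web server: answers every GET with a small page."""
    server_version = "ExampleHTTPd/1.0"      # this string ends up in the Server: header

    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):            # keep the demo quiet
        pass


def start_demo_server() -> HTTPServer:
    """Listen on 127.0.0.1 on a free port, serving from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def grab_http_banner(host: str, port: int, path: str = "/", timeout: float = 5.0) -> dict:
    """Send a raw HTTP/1.1 request and return the parsed status line, headers and body."""
    # Request line, headers, then an empty line.  CRLF line endings are what the
    # protocol expects (hence nc -C), and the blank line (the "2 x ENTER" in the
    # notes) tells the server the request is complete.  Connection: close makes the
    # server hang up afterwards, so a read-until-EOF loop is enough.
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # e.g. headers["server"]
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def demo() -> dict:
    """Start the stand-in server, grab its banner, shut it down, return the result."""
    server = start_demo_server()
    try:
        host, port = server.server_address[:2]
        return grab_http_banner(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = demo()
    print(result["version"], result["status"], result["reason"])
    print("Server header:", result["headers"].get("server"))
```

Against a real target the same request goes to the host's own name in the Host: header; services behind TLS (HTTPS on 443) will not answer this plaintext request, which is the "unless it uses encryption" caveat in the telnet notes.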
Nmap
1. Enumerate targets
2. Discover live hosts
3. Reverse-DNS lookup
4. Scan ports
5. Detect versions
6. Detect OS
7. Traceroute
8. Scripts
9. Write output
Nmap Live Host Discovery
Trying to port-scan offline systems will only waste time and create unnecessary noise on the network
Which systems are up?
What services are running on these systems?
Industry-standard tool for mapping networks, identifying live hosts, and discovering running services
1. ARP scan: ARP requests to discover live hosts
2. ICMP scan: ICMP requests to identify live hosts
3. TCP/UDP ping scan: Sends packets to TCP ports and UDP ports to determine live hosts
+ arp-scan and masscan, two scanners that overlap with parts of Nmap's host discovery
Nmap's Scripting Engine offers functionalities from fingerprinting services to exploiting vulnerabilities
Subnetworks
Subnetwork refers to a logical connection
In an IP network, a subnetwork is usually the equivalent of one or more network segments
Connected together and configured to use the same router
A subnet has its own IP address range
If you are connected to the same subnet, you would expect your
scanner to rely on ARP queries to discover live hosts
An ARP query aims to get the hardware address (MAC Address)
If you are connected from a different subnet, the ARP queries
won't be routed and hence cannot cross the subnet router
ARP packets are bound to their subnet (link-layer protocol)
Network segment refers to a physical connection
A network segment is a group of computers connected using a shared medium
The medium can be the Ethernet Switch or WiFi Access Point
Enumerating Targets
Generally speaking, you can provide a list, a range, or a subnet
List: <ip> <url> <url>
Range: 10.11.12.15-20
Range: 10.10.0-255.101-125
Subnet: <ip>/30
Providing a file as input for your list of targets
nmap -iL list_of_hosts.txt
Checking the list of hosts that Nmap will scan, without scanning them
Nmap will attempt a reverse-DNS resolution on all the targets to obtain their names
Might reveal various information to the pentester
nmap -sL <target(s)>
-n If you don't want Nmap to query the DNS server
Also return how many IP addresses will be scanned
nmap -sL -n 10.10.0-255.101-125
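To see what the list, range and subnet notations above actually expand to (the count that nmap -sL -n reports), here is an added example, not code from the original notes and not part of Nmap, that expands the same target syntax offline: plain IPv4 addresses, CIDR subnets, and Nmap's per-octet ranges such as 10.10.0-255.101-125. Hostnames are rejected because resolving them would need the network; deduplication across specs is this example's choice.

```python
"""Expand Nmap-style target specifications offline and count what
`nmap -sL -n` would list.  Added example, not from the original notes or
from Nmap itself."""

import ipaddress
from itertools import product


def _octet_values(spec: str) -> list[int]:
    """Expand one octet: '12', '15-20', '-' (taken as 0-255) or a comma list of those."""
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0          # a missing bound means 0 / 255
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r} in {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> list[str]:
    """Return every IPv4 address covered by one target specification."""
    if "/" in spec:
        # CIDR: Nmap scans the whole block, network and broadcast addresses included
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 spec (hostnames would need DNS): {spec!r}")
    # Cartesian product of the four octet lists: 10.10.0-255.101-125 -> 256 * 25 addresses
    return [".".join(map(str, combo))
            for combo in product(*(_octet_values(o) for o in octets))]


def expand_targets(specs: list[str]) -> list[str]:
    """Expand several specs (command line or -iL file), dropping duplicates."""
    seen, result = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


def count_targets(specs: list[str]) -> int:
    """Number of addresses that would be scanned."""
    return len(expand_targets(specs))


if __name__ == "__main__":
    for spec in ("10.11.12.15-20", "10.10.0-255.101-125", "192.168.1.0/30"):
        print(f"{spec}: {len(expand_target(spec))} address(es)")
```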
Discovering Live Hosts
Starting from bottom to top
Link Layer ARP
Network Layer ICMP
Transport Layer TCP, UDP
Brief review
ARP has one purpose
Sending a frame to the broadcast address on the network segment
Asking the computer with a specific IP address
to respond providing its MAC (hardware) address
If you want to ping a system on the same subnet
An ARP query should precede the ICMP Echo
ICMP has many types
ICMP ping uses Type 8 (Echo) and Type 0 (Echo Reply)
TCP and UDP for network scanning purposes
Specially-crafted packet to common TCP or UDP ports to check whether the target will respond
Efficient, especially when ICMP Echo is blocked
Nmap Host Discovery Using ARP
A privileged user is root or a user who belongs to sudoers and can run sudo
1. When privileged user tries to scan targets on a local network (Ethernet)
Nmap uses ARP requests
2. When privileged user tries to scan targets outside the local network
Nmap uses ICMP Echo requests, TCP ACK to port 80, TCP SYN to port 443, ICMP Timestamp Request
3. When unprivileged user tries to scan targets outside the local network
Nmap resorts to a TCP 3-way handshake by sending SYN packets to port 80 and 443
By default, Nmap uses ping scan to find live hosts
Then proceeds to scan live host only
Use Nmap to discover online hosts without port-scanning the live systems
nmap -sn <target(s)>
Use Nmap only to perform an ARP scan without port-scanning
nmap -PR -sn <target(s)>
arp-scan
arp-scan -l
arp-scan --localnet
Send ARP queries to all valid IP addresses on your local networks
sudo arp-scan -I eth0 -l
When more than one interface, discovering the live hosts on one of them
Send ARP queries for all valid IPs on the eth0 interface
Check the packets generated
tcpdump
Wireshark
To indicate it is a broadcast
ARP Request from "computer1" to "computer1"
Nmap Host Discovery Using ICMP
We can ping every IP address on a network and see who would respond to
our ping (ICMP Type 8/Echo) requests with a ping reply (ICMP Type 0)
It is not always reliable
Many firewalls block ICMP Echo
New versions of MS Windows host firewall block ICMP Echo by default
Remember that ARP query will precede the ICMP request if your target is on the same subnet
To use ICMP Echo Request to discover live hosts
nmap -PE <target(s)>
Remember
-sn If you don't want a port scan
Output example
Nmap scan report for ...
Host is up ...
MAC Address ... (only on the same subnet)
Generally speaking, we don't expect to learn the MAC addresses
of the targets unless they are on the same subnet as our system
On the same subnet, Nmap didn't need to send ICMP packets
as it is confirmed that these host are up based on ARP
Because ICMP Echo requests tend to be blocked, to tell if a system is online you might consider
ICMP Timestamp requests (ICMP Type 13, should be followed by an ICMP Timestamp reply, Type 14)
nmap -PP -sn <target(s)>
ICMP Address Mask requests (ICMP Type 17, checks whether it gets an ICMP Type 18 reply)
nmap -PM -sn <target(s)>
Nmap Host Discovery Using TCP and UDP
TCP SYN Ping
Send a packet with the SYN (Synchronize) flag set to a TCP port, 80 by default
And wait for a response
An open port should reply with a SYN/ACK (Acknowledge)
A closed port would result in an RST (Reset)
nmap -PS -sn <target(s)>
-PS followed by the port number, range, list, or a combination of them
-PS21
-PS21-25
-PS80,443,8080
Privileged users (root and sudoers) can send TCP SYN packets and
don't need to complete the TCP 3-way handshake even if the port is open
TCP ACK Ping
Send a packet with an ACK flag set
You must be running Nmap as a privileged user to be able to accomplish this
As an unprivileged user, Nmap will attempt a 3-way handshake
nmap -PA -sn <target(s)>
By default, port 80 is used
-PA21
-PA21-25
-PA80,443,8080
Any TCP packet with an ACK flag should get a TCP packet back with an RST flag set
The target responds with the RST flag set because the TCP packet
with the ACK flag is not part of any ongoing connection
Used to detect if the target host is up
Nmap sends each packet twice
UDP Ping
Contrary to TCP SYN Ping, sending a UDP packet to an open port is not expected to lead to any reply
However, if we send a UDP packet to a closed UDP port, we expect
to get an ICMP Destination Unreachable packet (ICMP Type 3, Code 3)
This indicates that the target system is up and available
nmap -PU -sn <target(s)>
Masscan
On a side note, Masscan uses a similar approach to discover the available systems
However, to scan quickly, Masscan is quite aggressive with the rate of packets it generates
masscan <ip/mask> -p443
masscan <ip/mask> -p80,443
masscan <ip/mask> -p22-25
masscan <ip/mask> --top-ports 100
Using Reverse-DNS Lookup
Nmap's default behaviour is to run a reverse-DNS lookup on online hosts
Because the hostnames can reveal a lot
A reverse DNS lookup is a DNS query for the domain name
associated with a given IP address, the opposite of the
more commonly used forward DNS lookup
-n To skip this step
-R To query the DNS server even for offline hosts
--dns-servers <serv1[,serv2[,...]]> To use a specific DNS server
Nmap Basic Port Scans
TCP and UDP Ports
In the same sense that an IP address specifies a host on a network among many others,
a TCP port or UDP port is used to identify a network service running on that host
A port is usually linked to a service using that specific port number
Administrators might choose other port numbers if necessary
Results (state: meaning, reachability)
Open: a service is listening; the port is accessible
Closed: no service; the port is accessible (not blocked by a firewall)
Filtered: cannot determine if open or closed; not accessible, usually due to a firewall
Unfiltered: cannot determine if open or closed; accessible (reported by an ACK scan, -sA)
Open|Filtered: cannot determine if open or filtered (UDP, NULL, FIN and Xmas scans)
Closed|Filtered: cannot decide if closed or filtered (only from the idle scan)
TCP Flags
The TCP header is the first 20 bytes of a TCP segment (up to 60 with options); Nmap's SYN probes typically carry a 4-byte MSS option, which is why the fragmentation notes below count 24 bytes
Source Port 16 bits (2 bytes)
Destination port 16 bits (2 bytes)
Sequence Number 32 bits (4 bytes)
Acknowledgement Number 32 bits (4 bytes)
...
Setting a flag bit means setting its value to 1 (1 bit)
URG A TCP Segment with this flag is processed immediately, before any previously sent TCP segments
ACK Used to acknowledge the receipt of a TCP segment
PSH Asking TCP to pass the data to the application promptly
RST To reset the connection
Another device, such as a firewall, might send it to tear a TCP connection
Also when data is sent to a host and there is no service on the receiving end to answer
SYN To initiate a TCP 3-way handshake and synchronize sequence numbers
FIN The sender has no more data to send
TCP Connect Scan
Standard TCP connection establishment
The client sends a TCP packet with SYN flag set
The server responds with SYN/ACK if the port is open
The client completes the 3-way handshake by sending an ACK
If you are not a privileged user (root or sudoers)
TCP Connect Scan is the only possible option to discover open TCP ports
We are interested in learning whether the TCP port is open, not establishing a TCP connection
Hence the connection is torn as soon as its state is confirmed
By sending a RST/ACK
nmap -sT <target(s)>
By default, Nmap will attempt to connect to the 1000 most common ports
-F To enable fast mode and decrease scanned ports from 1000 to 100
-r In consecutive order instead of random order (for instance, when a target boots up)
IF TCP port is open
Client Server
SYN -->
<-- SYN, ACK
ACK -->
RST, ACK -->
A closed TCP port responds with RST/ACK to indicate that it is not open
TCP SYN (Stealth) Scan
The default scan mode when running Nmap as a privileged user
Running as root or using sudo
Unprivileged users are limited to TCP Connect Scan
TCP SYN Scan does not need to complete the TCP 3-way handshake
It tears down the connection once it receives a response
This decreases the chances of the scan being logged
nmap -sS <target(s)>
IF TCP port is open
Client Server
SYN -->
<-- SYN, ACK
RST -->
UDP Scan
Connectionless protocol, it does not require any handshake
If UDP port is open, no response is expected
nmap -sU <target(s)>
Client Server
UDP Packet -->
A closed UDP port leads to ICMP Destination Unreachable (Port Unreachable)
nmap -sU <target(s)>
Client Server
UDP Packet -->
<-- ICMP Type 3, Code 3
Fine-Tuning Scope and Performance
Specifying the ports
-p- All 65535 ports
-F Fast mode, 100 most common ports
--top-ports <number> Scan <number> most common ports
-p22,80,443 Port list
-p1-1023 Port range, inclusive
Scan timing
-T<0-5>
0 Paranoid
1 Sneaky
2 Polite
3 Normal
4 Aggressive
5 Insane
To avoid IDS alerts
-T0 scans one port at a time and waits 5 minutes between sending each probe
-T1 is often used during real engagements where stealth is more important
Default
-T3 if you don't specify any timing
Practice targets and CTFs
-T4
Speed
-T5 can affect the accuracy due to the increased likelihood of packet loss
Packet rate
--min-rate <number>
--max-rate <number>
--max-rate=10
Controls the sending of packets per second
Probe parallelization
--min-parallelism <numprobes>
--max-parallelism <numprobes>
--max-parallelism=512
Nmap Advanced Port Scans
Null Scan
Does not set any flag, all six flag bits are set to zero
A TCP packet with no flag set will not trigger any response when it reaches an open port
However, we expect the target server to respond with an RST packet if the port is closed
Consequently, the lack of RST response indicates ports that are not closed: Open or Filtered
nmap -sN <target(s)>
If TCP port is open
Client Server
NULL (no flags set)-->
If TCP port is closed
Client Server
NULL (no flags set)-->
<-- RST, ACK
FIN Scan
Sends a TCP packet with the FIN flag set
Similarly, no response will be sent if the TCP port is open
Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic
nmap -sF <target(s)>
If TCP port is open
Client Server
FIN -->
If TCP port is closed
Client Server
FIN -->
<-- RST, ACK
Some firewalls will silently drop the traffic without sending an RST
Xmas Scan
Sets the FIN, PSH and URG flags simultaneously (Christmas tree lights)
nmap -sX <target(s)>
If TCP port is open
Client Server
FIN, PSH, URG -->
If TCP port is closed
Client Server
FIN, PSH, URG -->
<-- RST, ACK
Maimon Scan
FIN and ACK bits are set
The target should send an RST packet as a response, regardless of whether the TCP port is open
This scan won't work on most targets encountered in modern networks
BSD-derived systems drop the packet (exposing open ports)
nmap -sM <target(s)>
Client Server
FIN/ACK -->
<-- RST
ACK Scan
TCP packet with the ACK flag set
The target would respond to the ACK with RST regardless of the state of the port
Because TCP packet with ACK flag set should be sent only in response to a received packet
nmap -sA <target(s)>
Client Server
ACK -->
<-- RST
Helpful if there is a firewall
Based on which ACK packets resulted in responses, you
will learn which ports were not blocked by the firewall
Window Scan
Almost the same as the ACK Scan, gets an RST packet in reply to our "uninvited" ACK packets
However, it examines the TCP Window field of the RST packets returned
On specific systems, this can reveal that the port is open
Similarly, against a system with no firewall it will not provide much information
nmap -sW <target(s)>
Client Server
ACK -->
<-- RST
Custom Scan
TCP flag combination beyond the built-in TCP scan types
--scanflags RSTSYNFIN If you want to set SYN, RST, FIN
--scanflags URGACKPSHRSTSYNFIN Sets all flags
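The TCP Flags section and the Custom Scan notes above describe the flag byte and Nmap's --scanflags syntax. The following is an added example, not code from the original notes and not Nmap's own, that parses a --scanflags argument into that byte, builds a raw TCP header with the chosen flags (NULL, FIN, Xmas, Maimon or any custom combination), computes the checksum over the IPv4 pseudo-header, and verifies it the way a receiver would. The addresses, ports and sequence numbers are constructed for illustration; nothing is sent on the wire.

```python
"""Build a raw TCP header with any flag combination, the way Nmap's
--scanflags lets you, and compute/verify its checksum.  Added example, not
from the notes or from Nmap; addresses and ports are constructed."""

import ipaddress
import struct

# Flag bits of header byte 13 (FIN is the low bit).  Nmap's documentation
# lists URG, ACK, PSH, RST, SYN and FIN; ECE and CWR are included so every
# bit of the byte has a name.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# 4-byte MSS option (kind 2, length 4, MSS 1460): the usual reason an Nmap
# SYN probe's TCP header is 24 bytes rather than the 20-byte minimum.
NMAP_MSS_OPTION = b"\x02\x04\x05\xb4"


def parse_scanflags(spec: str) -> int:
    """Nmap-style --scanflags value -> flag byte.
    Accepts mashed-together names ("RSTSYNFIN", "URGACKPSHRSTSYNFIN")
    or a number ("9" is PSH+FIN; "0x29" works too)."""
    spec = spec.strip()
    try:
        return int(spec, 0) & 0xFF
    except ValueError:
        pass
    flags, rest = 0, spec.upper()
    while rest:
        name, rest = rest[:3], rest[3:]
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        flags |= TCP_FLAGS[name]
    return flags


def describe_flags(flag_byte: int) -> list[str]:
    """Names of the set flags, e.g. 0x29 -> ['FIN', 'PSH', 'URG'] (an Xmas probe)."""
    return [name for name, bit in TCP_FLAGS.items() if flag_byte & bit]


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6 = TCP)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_length))


def build_tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 1024,
                     options: bytes = b"", payload: bytes = b"") -> bytes:
    """Return a TCP header (20 bytes plus options) carrying a valid checksum."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4     # header length in 32-bit words
    # 16-bit field: 4-bit data offset, 3 reserved bits, NS, then the 8 flag bits
    offset_flags = (data_offset << 12) | (flags & 0xFF)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, window, 0, 0) + options   # checksum still 0
    cksum = checksum(_pseudo_header(src_ip, dst_ip, len(header) + len(payload))
                     + header + payload)
    return header[:16] + struct.pack("!H", cksum) + header[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment must come out 0."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    xmas = build_tcp_header("10.0.0.5", "10.0.0.9", 40000, 80, parse_scanflags("FINPSHURG"))
    print(len(xmas), "bytes, flags:", describe_flags(xmas[13]),
          "checksum ok:", tcp_checksum_ok("10.0.0.5", "10.0.0.9", xmas))
```

Because the checksum covers the pseudo-header, a segment built for one destination address fails verification at another; that is also why spoofing the source IP (the -S option discussed later) requires recomputing the checksum, which Nmap does for you.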
Spoofing and Decoys
In some network setups
Able to scan a target system using a spoofed IP address and even a spoofed MAC address
Only beneficial in a situation where you can guarantee to capture the response
From some random network using a spoofed IP address
Chances are you won't have any response routed to you
The scan results could be unreliable, useless
nmap -S <spoofedIP> <target>
Nmap will craft all the packets using the provided source IP address
The attacker needs to monitor the network traffic to analyze the replies
1. Attacker sends a packet with a spoofed source IP address to the target machine
2. Target machine replies to the spoofed IP address as the destination
3. Attacker captures the replies to figure out open ports
nmap -e <interface> -Pn -S <spoofedIP> <target>
In general, you expect to
Specify the network interface using -e
Explicitly disable ping scan -Pn
--spoof-mac <MAC>
When you are on the same subnet as the target machine
nmap -D <decoyIP1>,<decoyIP2>,<attackerIP>,<decoyIP3> <target>
Spoofing only works in a minimal number of cases where certain conditions are met
Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed
The concept is simple
Make the scan appear to be coming from many IP addresses
so that the attacker's IP address would be lost among them
nmap -D RND,<decoyIP1>,RND,ME,RND:<number> <target>
ME
To represent your real IP address
RND:<number>
To generate <number> random addresses
Fragmented Packets
Firewall
A piece of software or hardware that permits packets to pass through or blocks them
A traditional firewall inspects, at least, the IP header and the transport layer header
A more sophisticated firewall would also try to examine the data carried by the transport layer
IDS
Inspects network packets for certain behavior patterns or specific content signatures
IP header, transport layer header and the data contents in the transport layer
Fragmented Packets
How can you make it less likely for a traditional firewall/IDS to detect your Nmap activity?
You might benefit from dividing the packet into smaller packets
sudo nmap -sS -p80 -f <target(s)>
-f To fragment across multiple packets
The IP data will be divided into 8 bytes or less
IP uses the Identification and Fragment Offset fields to aid in the reassembly
-ff
-f -f
The data is fragmented into pieces of 16 bytes
The 24-byte TCP header of an Nmap probe is split into 16 bytes and then 8 bytes
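The following is an added example (not code from the original notes, and not Nmap's own implementation) that fragments a transport-layer payload the way -f (8-byte pieces) and -ff (16-byte pieces) do, carrying the Identification and Fragment Offset values that IP uses for reassembly, and then reassembles the pieces as the receiving host, or a reassembling firewall/IDS, would. The 24-byte "TCP header" is a constructed byte string standing in for an Nmap probe.

```python
"""Split an IP payload into fragments the way `nmap -f` (8-byte pieces) and
`nmap -ff` (16-byte pieces) do, and reassemble them as a receiver or a
reassembling IDS would.  Added example, not from the notes or from Nmap."""

from dataclasses import dataclass

MF = 0x2000     # "More Fragments" bit of the 16-bit IPv4 flags/fragment-offset field


@dataclass
class Fragment:
    identification: int      # same value in every fragment of one datagram
    offset: int              # fragment offset in 8-byte units, as carried on the wire
    more_fragments: bool
    data: bytes

    @property
    def flags_offset_field(self) -> int:
        """The 16-bit field as it appears in the IPv4 header (flags in the top 3 bits)."""
        return (MF if self.more_fragments else 0) | self.offset


def fragment_payload(payload: bytes, chunk: int = 8,
                     identification: int = 0x1234) -> list[Fragment]:
    """Cut a payload into `chunk`-byte fragments (8 for -f, 16 for -ff).
    Every fragment but the last must be a multiple of 8 bytes, because the
    offset field counts in 8-byte units."""
    if chunk <= 0 or chunk % 8:
        raise ValueError("fragment size must be a positive multiple of 8 bytes")
    fragments = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        is_last = start + chunk >= len(payload)
        fragments.append(Fragment(identification, start // 8, not is_last, piece))
    return fragments


def reassemble(fragments: list[Fragment]) -> bytes:
    """Put one datagram back together; raise if a piece is missing, overlaps, or
    belongs to another datagram.  A filter that skips this step sees only the
    first fragment: with -f that is just the TCP ports and sequence number."""
    if not fragments:
        raise ValueError("no fragments")
    ident = fragments[0].identification
    if any(f.identification != ident for f in fragments):
        raise ValueError("fragments with different IP IDs belong to different datagrams")
    buf, expected = bytearray(), 0
    for frag in sorted(fragments, key=lambda f: f.offset):
        if frag.offset * 8 != expected:
            raise ValueError(f"gap or overlap at byte {expected}")
        buf += frag.data
        expected += len(frag.data)
    if max(fragments, key=lambda f: f.offset).more_fragments:
        raise ValueError("last fragment still has MF set: datagram incomplete")
    return bytes(buf)


if __name__ == "__main__":
    tcp_header = bytes(range(24))     # constructed stand-in for Nmap's 24-byte TCP header
    for flag, size in (("-f", 8), ("-ff", 16)):
        frags = fragment_payload(tcp_header, size)
        print(flag, [(f.offset, f.more_fragments, len(f.data)) for f in frags])
    print(reassemble(fragment_payload(tcp_header, 16)) == tcp_header)
```

Two caveats a tester should know: the sending host's own kernel may reassemble outgoing fragments before they leave (Nmap's documentation names the Linux iptables connection tracking module as one such case), and any firewall or IDS that reassembles before inspecting sees exactly what reassemble() above returns, so fragmentation gains nothing against it.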
Idle/Zombie Scan
Requires an idle system connected to the network
Nmap will make each probe appear as if coming from the idle (zombie) host
Then it will check for indicators whether the idle host received any response to the spoofed probe
This is accomplished by checking the IP identification value in the IP header
nmap -sI <zombieIP> <target>
1. Trigger the idle host to respond so that you can record the current IP ID on the idle host
Attacker Idle
SYN/ACK -->
<-- RST packet containing its newly incremented IP ID
2. Send a SYN packet to a TCP port on the target
The packet should be spoofed to appear as if it was coming from the idle host IP address
Port is closed
Attacker Target Idle
SYN (source equals Idle) --> RST -->
Port is open
Attacker Target Idle
SYN (source equals Idle) --> SYN/ACK -->
<-- RST