Use Nmap for DOS attacks, brute force, firewall bypass and more.

[Lord777]

Nmap is the benchmark among port scanners and one of the most important penetration tester tools. But can you say that you thoroughly studied all its features and methods of application? In this article, you will learn how to use Nmap to scan hosts behind a firewall, improve scan performance, find holes in HTTP server settings, launch a DoS attack, and even bring up a web server.

Basic features.
Before we get into a discussion of the advanced features of Nmap, let's take a moment to focus on using Nmap at a basic level. You may argue that there is nothing to talk about here - all you need to do is set Nmap to the desired host, and after a while it will display information about open ports on the screen:

$ nmap 192.168.0.1

This is true, but there are two things to keep in mind about the Nmap implementation. First, running Nmap as a regular user is extremely inefficient. At the same time, the entire scanning process actually boils down to trying to establish a full-fledged connection with each of the ports. For TCP, this means that Nmap will send a SYN packet to the far end; if the requested port is open, the machine will respond with a SYN / ACK packet, after which Nmap will send an ACK packet and only then close the connection with a FIN packet.

This whole process is carried out using the connect () system call and, in fact, falls entirely on the OS network stack. As a result, both scan performance and stealth suffer (services hanging on scanned ports will actively log connections).

Nmap behaves quite differently when run as root:

$ sudo nmap 192.168.0.1

In this case, it takes full responsibility for packet formation and connection management. Connecting to open ports will look like this: Nmap sends a SYN, the machine responds with a SYN / ACK, Nmap sends a FIN, halving the open connection (this is called a TCP SYN scan). As a result, the service hanging on the port does not log the connection attempt, and Nmap is able to detect a firewall that simply drops SYN packets instead of sending SYN / ACK (port open) or FIN (port closed) in response, as it should. operating system by default. In addition, this scanning method is much more efficient.

The second feature of Nmap is that in fact it does not scan the entire range of ports (65,536), but only 1000 ports of typical services defined in the file /usr/share/nmap/nmap-services. So, if someone hangs a service on a non-standard port, which is simply not in this file, Nmap will not see it. You can change this behavior using the following command:

$ sudo nmap -sS -sU -p 1-65535 192.168.0.1

Nmap will use TCP SYN scan and UDP scan for the entire port range.

We determine the name and version of the service on the port.
One of the interesting features of Nmap is that it is able not only to determine the state of a port (open, closed, filtered), but also to identify the name of the daemon / service on that port, and in some cases even its version. To do this, Nmap can use several different techniques, such as connecting to port 80 and sending an HTTP request to identify the name and version of the web server, or using information about how the service responds to certain packets and requests.

All the rules for identifying services and their versions are defined in the <span class = "nobr"> file /usr/share/nmap/nmap-service-probes, and will force Nmap to apply a flag -sV:

$ sudo nmap -sV 192.168.0.1

And it is even possible to strengthen Nmap's attempts to define a service using a flag --version-all:

$ sudo nmap -sV --version-all 192.168.0.1

However, this usually does not improve the recognition quality.

Nmap was unable to determine the version of the HTTP server, but it learned its name.

We determine the name and version of the OS.
This is probably one of the most famous Nmap features. By sending non-standard packets to the machine and comparing its response (response time, TTL, MTU, ACK and much more) with the OS fingerprint database ( /usr/share/nmap/nmap-os-db), Nmap is able to accurately determine the OS running on the machine. All you need to do is start Nmap with the flag -O:

$ sudo nmap -O 192.168.0.1

However, Nmap is not always able to guess the OS 100% correctly. If this does not work, Nmap will display the ones that are closest to the correct one, carefully supplying them with a "hit percentage": 90%, 82% ...

Moreover, you can go even further and use a flag -Ato force Nmap to try to determine the OS version, the service version, and even perform a more detailed analysis of the services using NSE scripts (more on that later):

$ sudo nmap -A 192.168.0.1

Nmap assumptions about the OS version of the scanned machine

Increasing the scanning speed.
Nmap is known for its phenomenal performance, which has continued to improve for over twenty years. The scanner uses many techniques and hacks, multi-threaded mode with a dynamically variable number of ports per thread, and can use multiple processor cores. But even with a trainload of optimizations in its default code, Nmap isn't as fast as it actually could be.

Nmap supports a dozen flags that allow you to fine-tune parameters such as the delay between connection attempts to a port or the number of connection attempts. Dealing with them on the sly is quite difficult, so Nmap has a set of predefined patterns of scan aggressiveness. There are six of them (from 0 to 5), and you can make a choice using the option -T:

$ sudo nmap -T3 192.168.0.1

In this case, we chose template number 3. This is the default value, a kind of compromise between speed and accuracy of scanning in slow networks. However, in modern conditions, when the minimum speed of wired access to the network has already exceeded 30 Mbit / s, the best choice would be -T4or even -T5. The latter should be used only in stable networks without speed drops.

Lower values are intended to bypass intrusion detection systems. For example, -T0disables multithreaded scanning and sets the delay between port probes to five minutes; after spending all day (night) scanning, you can hope that the scan attempt itself will not be noticed (especially since Nmap tries ports in a random order). Template -T1- faster mode with 15 s delay, -T2- 0.4 s, -T3- 10 ms, -T4- 5 ms.

The -T5 mode is one and a half times more productive than the default one.

We hide the traces.
Increasing the delay between port probes is not the only way to hide that a machine is being scanned. Another interesting method is to run multiple scan threads at the same time, spoofing the reverse IP address in all but one case. The point here is to confuse the IDS and the machine administrator. In the IDS logs, there will be several scanning attempts from different addresses at once, among which there will be only one real one.

This method is quite simple to use:

$ sudo nmap -D address1, address2, address3 192.168.0.1

You can specify as many bogus addresses as you want, or let Nmap generate random addresses for you (ten addresses in this case):

$ sudo nmap -D RND: 10 192.168.0.1

However, it must be borne in mind that random addresses will often point to non-existent or disabled machines. IDS and a good admin will be able to weed them out to figure out the real address.

A more complex way is to organize the so-called Idle scan. This is a very interesting technique based on three simple facts:

1. When performing a SYN scan, the remote side sends a SYN / ACK packet if the port is open, and a RST packet if not.
2. A machine that receives an unsolicited SYN / ACK MUST respond with an RST, and if it receives an unsolicited RST, ignore it.
3. Every IP packet sent by the machine has an IPID, and many OSes just increment the IPID when they send the packet.

The technique itself is to find an inactive network machine that simply does nothing (Idle), but is still operational and capable of responding to network requests. Moreover, the machine should run on an ancient OS that increments the IPID of packets instead of randomizing like modern OSes. This can be done using the same -O -vNmap flags (the IP ID Sequence Generation line in the output) or using the Metasploit Framework (this is more convenient and faster):

> use auxiliary / scanner / ip / ipidseq
> set RHOSTS 192.168.0.1-192.168.0.255
> run

Next, you run a port scan:

$ sudo nmap -sI IP-Idle-machine 192.168.0.1

For each port probe, Nmap will first send a request to the Idle machine, record the IPID of the packet, then send a SYN packet to the victim, replacing the return address with the IP of the Idle machine, then send the request to the Idle machine again and check the IPID against the previously saved one. If the IPID has increased since the last check, then the machine was sending packets, and, as we know from the second point above, this means that it replied with an RST packet. This, in turn, says that the victim's port being checked is open. If the IPID has not increased, then the port is closed.

In the modern world where Windows 95 is no longer left, this is a really difficult technique to implement, but it allows you to completely remove suspicions about scanning from yourself. IDS will blame the Idle machine for scanning.

Bypassing IDS and firewalls.
I'll make a reservation right away: today's IDS and firewalls are much smarter than those that existed at the time when Nmap had tools to combat them. Therefore, many of the techniques presented here may no longer work, but this is not a reason not to use them, the web is full of prehistoric equipment.

To begin with, even without additional options, Nmap is already able, though not to bypass, but detect a firewall. This is because, during a SYN scan, the open / closed state is determined by analyzing the response of the machine: SYN / ACK - open, FIN - closed. However, firewalls often just drop packets addressed to filtered ports to minimize CPU resources (even when setting up iptables on Linux, it is standard practice to drop a packet using -j DROP). Nmap keeps track of which ports tried and did not receive a response, and flags those ports filtered.

Another firewall detection technique is to force Nmap to generate "fancy packets" such as unflagged packets ( -sN), FIN packets ( -sF), and Xmas packets containing the FIN, PSH, and URG flags ( -sX). The RFC describes all of these situations, so any discrepancy with the RFC is interpreted by Nmap as a firewall.

Many firewalls can be bypassed to determine exactly whether a port is being filtered or not. To do this, you can use ACK scan:

$ sudo nmap -sA 192.168.0.1

The theory is as follows: the firewall should discard all new TCP connections to the port, but it should also not interfere with the passage of packets within the already established connections. An easy way to do this is to discard all SYN packets (used to establish a connection), but not interfere with ACK packets (used to send packets within an already open connection).

But there is one subtlety. The point is that there are so-called stateful firewalls. They know how to monitor the state of the connection and check the packet fields such as IP address and TCP sequence number to track which packets actually came as part of a previously opened connection, and which were sent by Nmap as part of an ACK scan (iptables on Linux can work in both modes, but by default it is not stateful, this is a more productive option).

You can find out what type of firewall is in use by performing a SYN scan followed by an ACK scan:

$ sudo nmap -sS 192.168.0.1
$ sudo nmap -sA 192.168.0.1

If, in the second case, the ports marked as filtered during the SYN scan become unfiltered, then you are not facing a stateful firewall.

Alternatively, you can try to bypass the firewall by changing the outgoing port number:

$ sudo nmap --source-port 53 192.168.0.1

This is an exploitation of an old firewall configuration bug where an admin allows all incoming traffic (including TCP) to be accessed from port 53 to allow applications to perform DNS queries unimpeded. Today this is rare, but, as practice shows, incompetence does not disappear over time.

Among other things, Nmap has tools to hide the fact of the scan from the eyes of firewalls and IDS:

$ sudo nmap -f 192.168.0.1

In this case, Nmap will split packets into tiny 8-byte chunks. He does this in the hope that the firewall or IDS will not be able to assemble the packet from fragments and parse its header (due to poor implementation or for the sake of performance) and will simply pass the packet or drop it.

$ sudo nmap --mtu 16 192.168.0.1

The same story, only with the ability to control the packet size (in this case, 16). Can be used against firewalls and IDS, which can catch Nmap scans by analyzing the fragment size.

$ sudo nmap --data-length 25 192.168.0.1

Appends the specified number of random bytes to the end of the packet. The goal is the same as in the previous case: to trick the IDS, which may be able to detect the scan by analyzing the packet size (Nmap always sends 40-byte packets when using the TCP protocol).

Using Nmap to discover machines on the network.
Although nmap is known as a port scanner, it is also a great tool for discovering machines on a network. It can be set on any number of hosts and in just a few seconds you can get the result of pinging thousands of hosts. It's just that it pings hosts in a completely different way from the well-known ping utility. By default, before starting a port scan, Nmap sends several packets to make sure the host is available:

• ICMP Echo request - analogous to how ping works;
• SYN packet on port 443;
• ACK packet on port 80;
• ICMP timestamp request.

So many checks are needed to bypass firewalls and situations where, for example, the OS or network equipment is disabled to respond to ICMP Echo requests (this is a common practice today).

Accessibility checking is easy to disable using an option -PNthat Nmap itself will report if it cannot verify the port is available:

$ sudo nmap -PN 192.168.0.1

This usually makes little sense, but the reverse operation, that is, disabling the port scanner, is very useful for checking the availability of many hosts:

$ sudo nmap -sn 192.168.0.1-255

This command will force Nmap to scan for addresses 192.168.0.1 through 192.168.0.255. Its more convenient counterpart:

$ sudo nmap -sn 192.168.0. *

Alternatively, you can ask Nmap to scan the entire subnet:

$ sudo nmap -sn 192.168.0.0/24

Well, or write the necessary addresses into a file and ask them to scan them:

$ sudo nmap -sn -iL / path / to / file

If you omit the flag -sn, nmap will not only check for host availability, but also scan ports.

There are also quite a few ping techniques themselves. Nmap supports determining whether a host is available by sending a SYN packet to a specified port:

$ sudo nmap -sn -PS80 192.168.0.1

ACK packet:

$ sudo nmap -sn -PA80 192.168.0.1

UDP packet:

$ sudo nmap -sn -PU53 192.168.0.1

ICMP Echo request:

$ sudo nmap -sn -PE 192.168.0.1

ICMP timestamp:

$ sudo nmap -sn -PP 192.168.0.1

All of them can be combined:

$ sudo nmap -sn -PE -PS443 -PA80 -PP 192.168.0.1

Nmap only found one host on the local network.

We carry out brute-force, dirbasting (directory enumeration), DoS and other attacks.
A relatively new feature of Nmap is support for scripts that extend the functionality of the scanner. Nmap comes with over 500 scripts that can fall into one or more of fourteen categories:

• auth - check for login capabilities. For example, the ftp-anon script tries to anonymous login to the FTP server and lists the files, marking the files available for writing;
• broadcast - various types of detection of hosts on the network. Example: broadcast-upnp-info - a script for searching for UPnP services;
• brute is an implementation of password brute-force techniques. Example: http-brute - brute force passwords from a web server;
• default - scripts that are launched automatically when the -Aor option is specified -sC. Usually these are simple quick scripts that collect additional information about the machine, like the above ftp-anon;
• discovery - almost analogous to broadcast. Example: smb-enum-shares - search for disks shared using the SMB protocol;
• dos - scripts for organizing DoS attacks. Example: smb-vuln-regsvc-dos - disables Windows 2000 by exploiting the MSRC8742 vulnerability;
• exploit - exploitation or vulnerability testing. Example: smb-vuln-ms06-025 - scan Windows machines for vulnerability MS06-025;
• external - scripts that use external resources to get additional information about the machine. Example: whois;
• fuzzer - scripts that send unexpected and malformed data to the remote side in order to search for vulnerabilities or try to perform DoS. Example: dns-fuzz;
• intrusive - scripts that perform proactive actions against the machine. Example: snmp-brute - brute force SNMP server;
• malware - checking for a machine infected with viruses and backdoors. Example: smtp-strangeport - search for an SMTP server on a non-standard port, which may be evidence of a machine infected with a Trojan sending spam;
• safe - "safe" scripts that do not take active actions against the machine, do not clog the channel with packets and do not exploit vulnerabilities. Example: ssh-hostkey - gets the public keys of the SSH server;
• version - get versions of running services. Example: pptp-version - displays additional information about the PPTP server on the screen;
• vuln - check services for vulnerabilities.

If you specify the options -Aor -sC, category scripts defaultwill run automatically. To run scripts of other categories, you can use the option --script:

$ sudo nmap --script "default and safe" 192.168.0.1

The selection can be reversed by forcing Nmap to run all scripts except those in the specified category:

$ sudo nmap --script "not intrusive" 192.168.0.1

Or you can specify the name of the script you want (http-enum performs dirbasting of the HTTP server):

$ sudo nmap -p80 --script "http-enum" 192.168.0.1

Or ask Nmap to run all HTTP-related scripts:

$ sudo nmap -p80 --script "http- *" 192.168.0.1

The scripts themselves, along with a description and examples of use, can be found in the catalog /usr/share/nmap/scripts.

Deerbusting with Nmap.

Bringing up the web server (all of a sudden).
Not many people know, but Nmap comes with the ncat utility. This is an analogue of the famous netcat - a universal network tool with which you can test network services, execute remote commands, transfer files, stream audio through the network, listen to ports and do many other interesting things.

With its help, you can run the simplest web server:

$ ncat -lk -p 8080 --sh-exec "echo -e 'HTTP / 1.1 200 OK'; cat index.html"

Nmap's six port states
open - the port is open;
closed - the port is closed;
filtered - the port is filtered, unknown, closed or open;
unfiltered - the port is not filtered, it is unknown whether it is closed or open (only ACK scanning can give such a result);
open | filtered - the port is either open or filtered;
closed | filtered - the port is either closed or filtered (only Idle scanning can give such a result).

Instead of conclusions.
This article describes only a subset of Nmap's functions, albeit the most useful ones. As you can see, Nmap's functionality goes far beyond port scanning. It is a powerful and complex tool, whose code has been cleaned up for decades. It's fast, reliable, and incredibly functional. And most importantly, it is completely free and works almost everywhere.