
Information Gathering and Vulnerability Scanning

Documentation | Nmap.org

Installation:

brew install nmap

Scan Types

  • TCP Connect Scan (-sT)
  • UDP Scan (-sU)
  • TCP FIN Scan (-sF)
  • Host Discovery Scan (-sn)
  • Timing Options (-T 0-5)

TCP Connect Scan ( -sT ): makes use of the underlying operating system’s networking mechanism to establish a full TCP connection with the target device being scanned.

nmap -sT 192.168.88.251

UDP Scan ( -sU ): Targets services that use UDP for client/server communication (DNS, SNMP, DHCP). To scan UDP ports, Nmap sends a UDP packet to each port specified on the command line.

nmap -sU -p 53 192.168.88.251

TCP FIN Scan ( -sF ): Used when a SYN scan is picked up by a network filter or firewall; in that case a different type of packet is needed for the port scan. With the TCP FIN scan, a FIN packet is sent to a target port. If the port is closed, the target system sends back an RST packet. If nothing is received from the target port, the port may be open, but it may also be filtered (Nmap reports this state as open|filtered).

nmap -sF -p 80 192.168.88.251

Host Discovery Scan ( -sn ): A host discovery scan is one of the most common types of scans used to enumerate hosts on a network because it can use different types of ICMP messages to determine whether a host is online and responding on a network.

nmap -sn 192.168.88.0/24

Timing Options ( -T 0-5 )

  • T0 (Paranoid) : Very slow, used for IDS evasion
  • T1 (Sneaky) : Quite slow, used for IDS evasion
  • T2 (Polite) : Slows down to consume less bandwidth, runs about 10 times slower than the default
  • T3 (Normal) : Default, a dynamic timing model based on target responsiveness
  • T4 (Aggressive) : Assumes a fast and reliable network and may overwhelm targets.
  • T5 (Insane) : Very aggressive; will likely overwhelm targets or miss open ports
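An added example, not part of the original notes, showing what the FIN and UDP scan results described above look like once parsed: a small Python parser for Nmap's XML output (-oX) that separates confirmed port states from the ambiguous open|filtered ones. The XML sample and the 192.0.2.10 address are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of Nmap XML output (-oX), not a real scan: one host,
# with results as a FIN scan (-sF) and a UDP scan (-sU) would report them.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sF -sU -p T:22,80,U:53,161 -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open|filtered" reason="no-response"/><service name="http"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_ports(xml_text):
    """Return one dict per scanned port: addr, proto, port, state, reason, service."""
    results = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            results.append({
                "addr": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else "",
            })
    return results

def summarize(results):
    """Split confirmed states from ambiguous ones and count states per host.

    'open|filtered' means no packet came back. For FIN and UDP probes that is
    equally consistent with a listening service and with a firewall dropping the
    probe, so only a response (RST, UDP reply, ICMP unreachable) confirms a state.
    """
    confirmed = [r for r in results if "|" not in r["state"]]
    ambiguous = [r for r in results if "|" in r["state"]]
    counts = Counter((r["addr"], r["state"]) for r in results)
    return confirmed, ambiguous, counts
```

Run a real scan with `-oX scan.xml` and feed the file contents to `parse_ports` to get the same split for your own results.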

Types of Enumeration

  • Host Enumeration
  • User Enumeration
  • Group Enumeration: Is helpful in determining the authorization roles that are being used in the target environment.
  • Network Share Enumeration: Identifying systems on a network that are sharing files, folders, and printers is helpful in building out an attack surface of an internal network.
  • Additional SMB Enumeration Examples: An easy way to perform additional enumeration and fingerprinting of the applications and operating system running on a host.
  • Web Page Enumeration/Web Application Enumeration
  • Service Enumeration: Is the process of identifying the services running on a remote system, and it is a primary focus of what Nmap does as a port scanner.
  • Exploring Enumeration via Packet Crafting

Enumerating SMB Users

nmap --script smb-enum-users.nse 192.168.88.251

Enumerating SMB Groups

nmap --script smb-enum-groups.nse --script-args smbusername=vagrant,smbpass=vagrant 192.168.56.3

Network Share Enumeration

nmap --script smb-enum-shares.nse -p 445 192.168.88.251

Additional SMB Enumeration Examples

nmap -sC 192.168.88.251

enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems.

Installation (Linux)

sudo apt install enum4linux

Portcullis Labs | Research and Development

enum4linux 192.168.88.251

Enumeration Using smbclient

Documentation

smbclient -L //192.168.88.251

Web Page Enumeration/Web Application Enumeration

nmap -sV --script=http-enum -p 80 192.168.88.251

Service Enumeration

nmap --script smb-enum-processes.nse --script-args smbusername=<username>,smbpass=<password> -p 445 <host>

Exploring Enumeration via Packet Crafting

Scapy documentation: Scapy is a powerful interactive packet manipulation library written in Python.

sudo scapy

Crafting a Simple ICMP Packet Using Scapy:

send(IP(dst="192.168.88.251")/ICMP()/"malicious_payload")