GETTING STARTED WITH RECON (NMAP)

8/3/2020

Note: This is just a reposting of a previous post. It was the fastest way I could think to move it to a new location.

Network Recon Summary

Nmap is a fundamental tool that most people will use to conduct network reconnaissance against targets. In addition to its networking capabilities, Nmap has a large library of scripts for attacks, enumeration, password attacks and more.

Breaking down the default scan (no options)

$ nmap 192.168.1.1

Note: We will break down the nmap scan one option at a time. After describing each option we will add it to the command and move on. The goal of this process is that you better understand your tools.

TCP SYN scan
An nmap scan with no options defaults to a TCP SYN scan, also known as a half-open scan, which is the -sS option (nmap -sS <ip>). This default applies when Nmap has raw-packet privileges (i.e. runs as root); an unprivileged user gets a TCP connect scan (-sT) instead. The SYN scan is considered stealthier because a completed three-way handshake never occurs ( https://www.techopedia.com/definition/10339/three-way-handshake ). This is what the command would look like:

$ nmap -sS 192.168.1.1

Additional Default Options
In addition, according to the man page, “If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request… These defaults are equivalent to the -PE -PS443 -PA80 -PP options.” Note that the port list is attached directly to -PS and -PA with no space; written as “-PS 443”, nmap would read 443 as another target. The interpreted command without options thus far would look like:

$ nmap -sS -PE -PS443 -PA80 -PP 192.168.1.1

Top 1,000 Ports
As far as port scanning goes, nmap defaults to the top 1,000 ports. The command now becomes:

$ nmap -sS -PE -PS443 -PA80 -PP --top-ports 1000 192.168.1.1

Scanning Ports
For scanning purposes, network traffic can be summed up as two types: TCP (stateful) and UDP (stateless). To read about the differences, see http://www.diffen.com/difference/TCP_vs_UDP . One thing to remember when running UDP scans is that they take much longer than TCP scans, which means we don’t want to scan all UDP ports. Feel free to scan all 65,535 TCP ports; in CTFs especially, admins like to run services on non-standard ports. Both can be scanned at the same time using the following syntax, where “T:” introduces TCP ports and “U:” introduces UDP ports. A UDP scan type (-sU) must be requested alongside the TCP scan type, otherwise nmap ignores the UDP ports:

$ nmap -sS -sU -p T:1-65535,U:161,162 192.168.1.1

Fingerprinting
Two additional options are needed for good initial reconnaissance: service/version detection (-sV) and operating system detection (-O). These bits of information will guide which other attacks and recon methods you choose to use. One thing to note is that OS detection will not always be accurate, but the information is great when you can get it.

$ nmap -sV -O 192.168.1.1

Starter Syntax
Below is a good start for your Nmap network scan command (-sU is included so the UDP ports in the list are actually scanned):

$ nmap -sS -sU -O -sV -p T:1-65535,U:161,162 192.168.1.1

Conclusion
Hopefully this has helped you better understand Nmap and how powerful the tool is. Please visit https://nmap.org to learn more and really dig into the great documentation that Fyodor Vaskovich and his team have put together. After you have conquered the basics, don’t forget to check out the NSE scripts.
Author: Silverbits (Infosec Enthusiast, Traveler, Future AT Thru-Hiker, CTFer, Red and Blue Teamer)