
Wednesday, December 30, 2015

Network Testing tools- Nmap

Hello Readers,

Welcome back :) So far we have understood web application architecture, web applications and their interception techniques. All of that is possible when we do white-box testing. What if you only have the target's domain name or IP address, in short, when you need to perform black-box testing? What should the testing approach be then? That is what this post is about.
Suppose you have a target IP or a target URL. If you have a URL, obtain its IP first (Burp's proxy history shows the IP it connected to, or simply resolve the name with host or nslookup; Nmap also accepts a hostname directly and resolves it for you). Now we need to scan that IP to learn the state of its ports. That is port scanning.
"Port is an endpoint of communication in an operating system. While the term is also used for hardware devices, in software it is a logical construct that identifies a specific process or a type of service".
To scan the ports of that server IP we will use the Nmap tool (Network Mapper).
Nmap tells us which ports are open, closed or filtered on a particular system, and can also identify the operating system and the services in use.

You can install Nmap on Windows, Linux, macOS and others (installers are on nmap.org). In this post I will summarize the Nmap options you will use most when scanning.

Let's start scanning. Install Nmap and run the command below in a console (a SYN scan needs root or administrator privileges; as an unprivileged user use -sT, a plain TCP connect scan, instead):
> nmap -sS <target IP>
You can see that I have scanned my virtual machine's IP; the result is shown above.
Note: I remind you that you must only run these tests against systems you own or are authorized to test; otherwise it is a criminal offense.

The tool looks simple but there is a lot to explore. Below I have categorized the options by purpose.
1) Host discovery:
• -sL: List scan. Only lists the targets (with reverse-DNS names) and sends them no probes.
• -sP: Ping scan. Reports only whether a host is up, without port scanning (spelled -sn in current Nmap releases).
• -P0: Skip host discovery and treat every target as online (spelled -Pn in current releases). Useful when ICMP is blocked; use -n separately if you also want to skip reverse-DNS lookups.
• -PS/PA/PU [portlist]: Host discovery using TCP SYN, TCP ACK or UDP probes to the listed ports.

2) Scan techniques:
• -sS/sT/sA: SYN (half-open), TCP connect and ACK scans. -sS needs raw-socket privileges (root), -sT does not; -sA maps firewall rules (filtered vs. unfiltered) rather than open ports.
• -sN/sF/sX: Null, FIN and Xmas scans (no flags, FIN only, FIN+PSH+URG), which can slip past stateless filters.
• -sO: IP protocol scan, to determine which IP protocols (TCP, UDP, ICMP, ...) the host accepts.
• -b <FTP relay host>: FTP bounce scan. Abuses the FTP PORT command so that a (usually old) FTP server connects to the target's ports on your behalf.

3) Port specification:
• -p <port ranges>: Scan only the specified ports.
       Examples: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 (the U: and T: prefixes select UDP and TCP ports; -p- means all 65535 ports)
• -F: Fast scan. Scans only the ports listed in the nmap-services file (the 100 most common instead of the default 1000).
• -r: Scan ports consecutively instead of in random order.

4) Service version discovery:
• -sV: Probe open ports to identify the service and its version.
• --version-light: Lighter probing (intensity 2); faster, but identifies fewer services.
• --version-all: Try every probe against every port (intensity 9).
• --version-trace: Show debugging output about the version-scan activity.

5) OS detection:
• -O: Enable OS detection.
• --osscan-limit: Only attempt OS detection on hosts with at least one open and one closed TCP port (skips poor candidates).
• --osscan-guess: Guess more aggressively when there is no exact fingerprint match.

6) Timing and scan configuration:
• -T<0-5>: Timing template (0 paranoid, 1 sneaky, 2 polite, 3 normal, 4 aggressive, 5 insane); the higher the value, the faster and noisier the scan.
• --min-hostgroup/--max-hostgroup <size>: Size of the host groups scanned in parallel.
• --min-parallelism/--max-parallelism <numprobes>: Number of probes kept in flight.
• --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>: Probe timeout values.
• --host-timeout <time>: Give up on a host after this much time.
• --scan-delay/--max-scan-delay <time>: Delay between probes (useful against rate limiting or to stay under IDS thresholds).

7) Firewall, IDS and spoofing evasion techniques:
• -f; --mtu <val>: Fragment packets (optionally with the given MTU).
• -D <decoy1,decoy2[,ME],...>: Cloak the scan with decoy source addresses.
• -S <IP_Address>: Spoof the source address (you will not see the replies unless you can sniff them).
• -e <interface>: Use the specified interface.
• -g/--source-port <portnum>: Use the given source port (some firewalls trust ports such as 53 or 20).
• --spoof-mac <MAC address, prefix, or vendor name>: Spoof the MAC (hardware) address.

8) Output options:
• -oN/-oX/-oS/-oG <file>: Output in normal, XML, script kiddie (s|<rIpT kIddi3) and grepable format.
• -v / -vv: Increase verbosity (more information).
• -d[level]: Increase or set the debugging level.
• --packet-trace: Show all packets sent and received.
• --iflist: Show host interfaces and routes.
• --append-output: Append to output files instead of overwriting them.
• --resume <filename>: Resume an aborted scan from its normal or grepable output file.
• --reason: Show why a port is reported in a given state (e.g. syn-ack, reset, no-response).

9) Miscellaneous:
• -6: Enable IPv6 scanning.
• -A: Aggressive scan: enables OS detection, version detection, script scanning and traceroute.
• --privileged: Assume the user is fully privileged.
• -V: Print Nmap's version number.
• -h: Print the help summary listing all options.
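To show how the options above fit together in a black-box test, here is an added example (mine, not code from the original post) of a staged scan: host discovery, then a SYN scan of all TCP ports, then version and OS detection restricted to the ports found open. It also includes a small parser for Nmap's grepable (-oG) output, since that is what lets one stage feed the next. The sample grepable output embedded in it is constructed for illustration, not a real scan; the real scan stages assume nmap is installed, that you run as root (needed for -sS and -O) and that the target is one you are authorized to test.

```shell
#!/bin/sh
# Added example, not from the original post: a staged black-box scan that
# chains the host-discovery, port-specification, version/OS-detection and
# output options described above, plus a parser for Nmap's grepable (-oG)
# output so the open ports found by one stage can be fed into the next.
# Assumptions: nmap is installed, staged_scan runs as root (raw-socket scans
# such as -sS and -O need it), and the target is one you are authorized to
# test. The parser needs only awk and runs on the constructed sample below.

# Print the open ports from grepable output read on stdin, one per line as
# "host<TAB>port<TAB>proto<TAB>service". A grepable "Host:" line is tab
# separated: "Host: <ip> (<name>)", then "Ports: <entry>, <entry>, ..." where
# each entry is port/state/proto/owner/service/rpcinfo/version/.
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entry, ", *")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open")
                        printf "%s\t%s\t%s\t%s\n", host, f[1], f[3], f[5]
                }
            }
        }'
}

# Join the port column of open_ports_from_gnmap output into "22,80,..." for
# use with -p; an optional host argument restricts it to that host.
ports_csv() {
    awk -F'\t' -v h="${1:-}" '
        h == "" || $1 == h { sep = (s == "") ? "" : ","; s = s sep $2 }
        END { print s }'
}

# Constructed sample of what "nmap -sS -p- -oG" writes (illustrative data,
# not a real scan). Note the tab separators and the closed/filtered entries
# that the parser must ignore.
write_sample_gnmap() {
    printf '# Nmap 7.91 scan initiated as: nmap -sS -p- -n -oG scan.syn.gnmap 10.0.0.0/28\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf 'Host: 10.0.0.9 ()\tPorts: 3306/open/tcp//mysql///, 22/filtered/tcp//ssh///\tIgnored State: closed (65533)\n'
    printf '# Nmap done -- 16 IP addresses (2 hosts up) scanned\n'
}

demo_parse() { write_sample_gnmap | open_ports_from_gnmap; }

# Stage 1: host discovery only (-sn is the current spelling of -sP; -n skips
# reverse DNS). Stage 2: SYN scan of all 65535 TCP ports, grepable output.
# Stage 3: service/version and OS detection, with --reason, on only the
# ports stage 2 found open, saved in normal (-oN) format.
staged_scan() {
    target="$1"; out="${2:-scan}"
    nmap -sn -n "$target" -oG "$out.ping.gnmap" >/dev/null
    nmap -sS -p- -T4 -n "$target" -oG "$out.syn.gnmap" >/dev/null
    ports=$(open_ports_from_gnmap < "$out.syn.gnmap" | ports_csv)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    nmap -sV -O --reason -n -p "$ports" "$target" -oN "$out.detail.txt"
}

# With a target argument run the real scan; without one, show the parser
# on the constructed sample.
if [ $# -gt 0 ]; then staged_scan "$@"; else demo_parse; fi
```

Run it as root with a target (`sudo sh scan.sh 10.0.0.5`) to perform the three stages, or with no arguments to see the parser pick out only the open entries (22 and 80 on 10.0.0.5, 3306 on 10.0.0.9) and skip the closed and filtered ones. Scanning all 65535 ports first and then running -sV/-O only on the open ones is much cheaper, and less noisy, than running -A against every port.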

Readers, listed above are almost all of the options available (I have left out three or four that I don't think are very useful). See you in the next post for some exciting things ;) Stay tuned..
