Information 🛈
Nmap - Ports List
Top 1000 Ports
nmap -sT --top-ports 1000 -v -oG - # TCP
nmap -sU --top-ports 1000 -v -oG - # UDP
No target is required: with -v and grepable output on stdout, Nmap prints the "# Ports scanned:" header (the exact port list it would probe) before it looks for targets
Ports ordered by frequency
To list ports sorted by how often they were found open in Nmap's historical data (third column of nmap-services, a decimal fraction, so sort it numerically rather than lexically) →
grep -v '^#' /usr/share/nmap/nmap-services | sort -rn -k3 | less
Hosts Discovery
Nmap
By default, Nmap checks whether the source IP address is in the same network segment as the target
If it is, host discovery is done with an ARP ping: ARP requests on the local link are answered by every live host and cannot be filtered the way ICMP can
INFO
Run Nmap as root whenever possible: raw-socket techniques such as ARP ping, SYN scan, ICMP probes and OS detection require elevated privileges. Without them Nmap falls back to connect()-based probes (for host discovery that means plain TCP connections to ports 80 and 443 instead of ARP/ICMP), which are slower, noisier and easier to filter
Use the --packet-trace and --reason options to see which host discovery method Nmap used and why each host or port was given its state
ARP Ping
sudo nmap -sn -n -oA activeHosts <NETWORK_ADDRESS> | grep -iPo -- 'for\s\K\d{1,3}(\.\d{1,3}){3}'
ICMP Echo Request
To disable ARP Ping and specify ICMP Echo Requests as the host discovery method →
sudo nmap -sn -PE -n --disable-arp-ping -oA activeHosts <NETWORK_ADDRESS> | grep -iPo -- 'for\s\K\d{1,3}(\.\d{1,3}){3}'
Use -iL <FILE> to provide a target list from an input file
Bash
ICMP (Ping)
Applied to /24 Networks
- Oneliner
for _ip in X.X.X.{1..254} ; do ( ping -c1 -W1 "$_ip" &> /dev/null && printf "Active Host - %s\n" "$_ip" & ) ; done
- Bash Script
#!/usr/bin/env bash
# Ping sweep of a /24: one ping per host, all launched in the background, then wait for them
sigint_handler ()
{
    printf \
        "\n[+] SIGINT Signal sent to %s. Exiting...\n" \
        "${0##*/}" \
        1>&2
    # Restore the default handler and re-raise SIGINT so the exit status reflects the signal
    trap - SIGINT
    kill -SIGINT "$$"
}
hostDiscovery ()
{
    # ${1%.*} strips everything after the last dot (192.168.1.0/24 -> 192.168.1)
    local -- _ipRange=${1%.*} _ip=
    for _ip in $_ipRange.{1..254}
    do
        # -c1: single probe, -W1: one second timeout; only hosts that answer are printed
        ping -c1 -W1 "$_ip" &> /dev/null && printf "Host Active -> %s\n" "$_ip" &
    done ; wait
}
trap 'sigint_handler' SIGINT
hostDiscovery "$@"
bash hostDiscovery.bash X.X.X.X/24
CMD
As far as I know, there is no way to implement parallelism in CMD to speed up scanning
for /L %i in (1,1,254) do @ping -n 1 -w 200 X.X.X.%i | find "TTL=" > NUL && echo X.X.X.%i - ACTIVE HOST
On Windows, ping exits with ERRORLEVEL 0 even when the only reply is "Destination host unreachable" from the local gateway, so testing its exit code alone reports dead hosts as active; filtering the output for "TTL=" keeps only genuine echo replies
Port Scanning
Nmap
Default scan as root → top 1000 TCP ports via -sS (Stealth/SYN scan)
Default scan as a non-privileged user → top 1000 TCP ports via -sT (Connect/TCP scan)
Start with a fast scan of the full port range that only reports open ports: it gives a quick overview of the attack surface and yields the list of ports worth spending time on in the comprehensive scan that follows
Stealth/SYN Scan → -sS Option
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
Connect/TCP Scan → -sT Option
nmap -p- --open -sT --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
UDP Scan → -sU Option
nmap -p- --open -sU --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
UDP is slow and ambiguous: a port that never answers is reported as open|filtered (which --open still shows), and most hosts rate-limit the ICMP port unreachable messages that prove a port closed, so -p- at a high --min-rate mostly produces noise. A more useful UDP pass is --top-ports with -sV, whose protocol-specific probes can turn open|filtered into a confirmed service
Once the initial scan is done, run a comprehensive scan against each open port
This scan performs actions such as:
- Obtaining the service and its version running on each open port → -sV
- Running a basic set of Nmap recon scripts (default category) → -sC
Default NSE Category → -sC
Every NSE script declares its categories on a categories = {...} line; to list the scripts in the default category (on most installs they live under /usr/share/nmap/scripts, so grep there directly instead of walking the whole filesystem) →
find / -iname '*.nse' -type f 2> /dev/null | xargs grep -iP -- 'categories.+"default"'
To extract all Nmap NSE categories →
grep -iPo -- '"\K\w+(?=")' < <( find / -iname '*.nse' -type f 2> /dev/null -exec grep -i -- 'categories' {} + 2> /dev/null ) | sort -u
Comprehensive Scan
nmap -p<PORTS> -sC -sV -n -Pn --disable-arp-ping -oA <OUTPUT_FILE> <TARGET>
Output Formats
Note that there are several formats available for exporting Scan Output in Nmap
-
Grepable Format
-oG
→ Use tools like this one to parse the most relevant information -
Normal Format
-oN
-
XML Format
-oX
→ Usexsltproc
to convert the XML output to HTML and get a better overview of the analysis
xsltproc <XML_FILE> --output <HTML_FILE>
python3 -m http.server <PORT>
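The two-phase workflow described in Port Scanning (fast full-range scan, then -sC -sV on the open ports only) is glued together by parsing the grepable output mentioned under Output Formats. The script below is an added example, not code from the original page: it assumes nmap is installed and the script runs as root (needed for -sS), defaults the output prefix to "scan", and embeds a constructed sample of grepable output (not a real scan) so the parsing step can be tried offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): two-phase port scan driven by
# Nmap's grepable (-oG) output. Phase 1 sweeps the whole TCP range for open
# ports, phase 2 runs -sC -sV only against those ports.
# Assumptions: nmap installed, running as root (-sS), output prefix "scan".
set -eu

# Constructed sample of grepable output (not a real scan). The "Ports:" field
# holds comma-separated entries laid out as port/state/proto//service///
SAMPLE_GNMAP='# Nmap scan initiated as: nmap -p- --open -sS -oG - 10.10.10.5
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 443/open/tcp//https///, 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (65532)
# Nmap done'

# Read grepable output on stdin; print the open port numbers de-duplicated,
# numerically sorted and comma-separated, which is exactly what -p<PORTS> expects.
# Only the definite "open" state is kept: "open|filtered" (typical for UDP) is
# deliberately dropped, so it never inflates the phase-2 port list.
extract_open_ports() {
    grep -o -- '[0-9]\{1,5\}/open/' | cut -d / -f 1 | sort -un | paste -s -d ',' -
}

# two_phase_scan <TARGET> [<OUTPUT_PREFIX>]
two_phase_scan() {
    local target out ports
    target=$1
    out=${2:-scan}
    # Phase 1: fast SYN scan of all 65535 ports, grepable output only
    nmap -p- --open -sS --min-rate 5000 -n -Pn --disable-arp-ping \
        -oG "$out.gnmap" "$target" > /dev/null
    ports=$(extract_open_ports < "$out.gnmap")
    if [ -z "$ports" ]; then
        printf 'No open TCP ports found on %s\n' "$target" >&2
        return 1
    fi
    printf 'Open TCP ports on %s: %s\n' "$target" "$ports"
    # Phase 2: default scripts + version detection on those ports only.
    # -oA also writes the XML that xsltproc can turn into HTML.
    nmap -p"$ports" -sC -sV -n -Pn --disable-arp-ping -oA "${out}_detail" "$target"
}

# With a target argument: real two-phase scan. Without one: offline demo that
# parses the constructed sample and prints 22,80,443
if [ $# -gt 0 ]; then
    two_phase_scan "$@"
else
    printf '%s\n' "$SAMPLE_GNMAP" | extract_open_ports
fi
```

Run it as `sh twoPhaseScan.sh <TARGET>` (or with a second argument for the output prefix). The port list is taken from the .gnmap file rather than from stdout so that the phase-1 scan can stay quiet on the terminal while the file remains as evidence of what was seen.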
Bash
PortsScan.bash
#!/usr/bin/env bash
# Usage: bash PortsScan.bash X.X.X.X/24
# Ping sweep of a /24, then a TCP connect check of ports 1-5000 on every host that answered
getHosts()
{
    # ${1%.*} strips everything after the last dot (192.168.1.0/24 -> 192.168.1)
    local -- _ip=${1%.*} _host= _tmpFile=$( mktemp --tmpdir=. )
    # nameref: live hosts are appended to the caller's array
    local -n -- _hosts=$2
    trap 'rm --force -- "$_tmpFile"' RETURN
    # one background ping per host; answering hosts are collected in the temp file
    for _host in "$_ip".{1..254}
    do
        timeout 1 ping -c1 -W1 "$_host" &> /dev/null && \
            printf "%s\n" "$_host" >> "$_tmpFile" &
    done
    wait
    while IFS= read -r _ip || [[ $_ip ]]
    do
        _hosts+=("$_ip")
    done < "$_tmpFile"
}
getPorts()
{
    local -- _ip=$1 _port= _host=
    local -a -- _nodes=()
    #local -a _ports=(21 22 23 25 53 80 135 139 443 445 389 636 3306 5432 1433)
    getHosts "$1" _nodes
    for _host in "${_nodes[@]}"
    do
        #for _port in "${_ports[@]}"
        for _port in {1..5000}
        do
            # /dev/tcp is a bash pseudo-device: the redirection only succeeds if the TCP handshake does
            timeout 1 bash -c "echo '' > /dev/tcp/${_host}/${_port}" &> /dev/null && \
                printf "Host -> %s | Port -> %s\n" "$_host" "$_port" &
        done
    done ; wait
}
getPorts "$@"
Firewall - IDS/IPS Evasion
Nmap
ACK Scan → -sA Option
An ACK scan never reports open or closed: a port that answers with RST is unfiltered, one that stays silent (or returns an ICMP error) is filtered. It therefore maps which ports a stateful firewall lets through rather than which services run; --open keeps the unfiltered ports in the output
nmap -p- --open -sA --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <OUTPUT_FILE> <TARGET>
Decoys
-D
Option
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -D RND:6 -oG <OUTPUT_FILE> <TARGET>
CAUTION
Note that the hosts whose IP addresses are used as decoys need to be up, otherwise the target may be accidentally SYN flooded; -D RND:n picks random addresses with no such guarantee, so an explicit list of live hosts is safer. ME can be placed in the list to set the position of your real address among the decoys
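One way to honour that caution is to draw the decoys from hosts the ping sweep earlier on this page confirmed to be up. The script below is an added example, not code from the original page: it assumes a file of live IPs one per line (the sweep's output, minus your own address and the target) and shuf from coreutils, and embeds a constructed host list (not real scan output) for the offline demo.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): build the -D argument for a decoy
# scan from hosts known to be up, so the decoys themselves are live and the
# target is not accidentally SYN flooded.
# Assumptions: hosts file with one live IP per line (exclude your own address
# and the target), shuf (coreutils) available, nmap installed and run as root.
set -eu

# Constructed sample of live hosts (not real sweep output) for the offline demo
SAMPLE_HOSTS='10.10.10.2
10.10.10.5
10.10.10.7
10.10.10.12
10.10.10.20'

# build_decoy_arg <hosts_file> <count>
# Picks <count> distinct random hosts from the file and inserts ME (Nmap's
# placeholder for the real source address) at a random position, printing a
# list of the form 10.10.10.7,ME,10.10.10.2,10.10.10.20 ready for -D
build_decoy_arg() {
    local hosts_file count available
    hosts_file=$1
    count=$2
    available=$(grep -c . "$hosts_file" || true)
    if [ "$available" -lt "$count" ]; then
        printf 'only %s live hosts available, need %s decoys\n' "$available" "$count" >&2
        return 1
    fi
    # shuf -n draws the decoys without repetition; the second shuf places ME
    { shuf -n "$count" "$hosts_file"; printf 'ME\n'; } | shuf | paste -s -d ',' -
}

# decoy_scan <hosts_file> <count> <target> [<output_file>]
decoy_scan() {
    local decoys
    decoys=$(build_decoy_arg "$1" "$2")
    printf 'Decoy list: %s\n' "$decoys"
    nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping \
        -D "$decoys" -oG "${4:-decoyScan}" "$3"
}

# With arguments: real decoy scan. Without: offline demo on the constructed list
if [ $# -gt 0 ]; then
    decoy_scan "$@"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HOSTS" > "$tmp"
    build_decoy_arg "$tmp" 3
    rm -f -- "$tmp"
fi
```

Usage: `sh decoyScan.sh activeHosts.txt 5 <TARGET>`; with six or more entries before ME in the list, port-scan detectors that only log the first few sources are unlikely to record the real address at all.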
Source IP/Port → -S and --source-port Options
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -S <SPOOFED_IP> --source-port <PORT> -oG <OUTPUT_FILE> <TARGET>
Spoofing the source address with -S means the replies go to the spoofed host, not to you, so it is only useful for testing firewall rules or when you can sniff that traffic from another position; Nmap normally also needs -e <INTERFACE> to know which interface to send from. --source-port (alias -g) with a value such as 53 or 20 targets stateless filters that let traffic through because it appears to come from a DNS or FTP-data port