Port Scanning and Discovery

I'm knocking on every door

Nmap

Nmap is ubiquitous for scanning and rightfully so. Exceptionally powerful and tons of impressive backend scripts. Useful to determine potential services and versions of software running on a host.

nmap 192.168.1.1       # Scans 192.168.1.1 with top 100 ports
sudo nmap 192.168.1.1  # Can perform stealth scans
nmap 10.0.0.1 -p-      # Scans all TCP ports on 10.0.0.1 with verbose output
nmap 10.0.0.1 -p1-99   # Scans only TCP ports 1-99
nmap 10.0.0.1 -pU:53,U:110,T20-445    # Scans UDP ports 53 + 110, then TCP 20 thru 445
nmap 10.0.0.1 -iL targets.txt    # Scans all of the hosts in the targets.txt file

Straightforward, quick, and easy way to determine a large amount of info on an IP

sudo nmap 10.0.0.1 -vv -A    # Scans top 100 ports, attempt OS Detection, Versions, and Tracert, very verbose

Nmap scripts have some really interesting capabiltiies

locate *.nse       # Find all nmap scripting files on the host
nmap 10.0.0.1 -sC  # Run default scripts 
nmap --script-updatedb    # Update the script database

Scan Types

Switch

Description

-sn

Probe only, host discovery and no port scanning

-sS

SYN scan (aka stealth, does not establish 3-way handshake)

-sT

TCP connect scan (full 3-way connection)

-sU

UDP scan

-sV

Version scan

-O

OS Detection

--scanflags

Set a custom list of TCP flags using URGACKPSHRSTSYNFIN in any order

Probing Options

Switch

Description

-Pn

Don't ICMP probe, assume all targets are up. Useful if target is known to be on the network, but blocking ICMP

-PB

Default probe (TCP 80, 445, & ICMP)

-PE

ICMP Echo Request

-PP

ICMP Timestamp Request

-PM

ICMP Netmask Request

Timing Options

Switch

Description

-T0

Paranoid: very slow, potential IDS evasion

-T1

Sneaky: Slow, IDS evasion again

-T2

Polite: Slows down to consume less bandwidth, runs about 10 times slower than default

-T3

Normal: Default value, dynamic timing model based on target responsiveness

-T4

Aggressive: Assumes a fast and reliable network

-T5

Insane: Very aggressive, likely to miss open ports and may overwhelm targets

Most of this info gathered from SANS cheat sheet https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/

While the scan is running, can view additional information about the scan with the buttons below:

Button

Meaning

p

Turn on packet tracing

P [Uppercase!]

Turn off packet tracing

v

Increase verbosity

V [Uppercase!]

decrease verbosity

d

Increase debugging level

D [Uppercase!]

decrease debugging level

Masscan

Masscan is capable of asynchronous transmission, which is a fancy way of saying that it doesnt have to wait for replies when sending out probes. Wicked fast scanning!

masscan 10.11.0.0/16 -p443    # Scans the entire subnet for TCP 443
masscan 10.11.0.0/16 -p22-25  # Scans subnet for TCP 22, 23, 24, & 25
masscan 10.11.0.0/16 ‐‐top-ports 100    # Nmap's top 100 ports

Options can be found with the --echo switch. Default scanning rate is 100 pkts/sec, which is slow. Increase the rate with the --rate switch. Typically, 15,000 pkts/sec is a safe limit.

masscan 10.11.0.0/16 ‐‐top-ports 100 ––rate 10000
masscan 10.0.0.1/32 -p0-65535 --rate 10000    # Scan all ports on a host

masscan 45.33.32.156 -p 0-65535 --rate 1000     # Slower rate when scanning over the Internet
masscan 45.33.32.156 -p U:0-65535 --rate 1000     # UDP scanning over the Internet
masscan 45.33.32.156 -p0-65535,U:0-65535 --rate 1000     # Scan UDP and TCP at the same time!

We can also gather information from banners, and even spoof the source IP.

--banner                # For "supported protocols"
-source-ip 10.1.1.2     # To change the source

Info gathered from Daniel Miessler, https://danielmiessler.com/study/masscan/

Netcat

Can use netcat to run as a scanner if necessary, gets information back if a port is open or not.

echo "" | nc -nvw2 10.10.1.2 20-80

Tcpdump

Useful to watch scanning while it occurs on tcpdump, to help validate correct scanning and potential issues.

sudo tcpdump -w - | tee file.pcap | tcpdump -r -        # Allows pcap to be printed to screen and saved at the same time

Gobuster

Gobuster can be used to enumerate vhosts, dns, directories, and S3 buckets. Requires many different subcommands to work properly.

DNS

DNS mode looks for subdomains. -d is domain, -w is wordlist, --wildcard ignores wildcards, and -r specifies a resolver.

gobuster dns -d m4lwhere.org -w ./wordlist.txt --wildcard -r 8.8.8.8

Directory

A more "classic" use of the program, where forced browsing is used to try and uncover hidden files/folders.

gobuster dir -u https://m4lwhere.org/ -w ./wordlist.txt -q -n -e

S3 Buckets

We can try to identify S3 buckets now. The wordlist of bucket names does NOT need to be a FQDN, as the tool can append to the bucket name as needed. A "pattern" can be used as well, this replaces {GOBUSTER} with the wordlist.

The "patterns" file can contain items such as {GOBUSTER}-dev, {GOBUSTER}-01, {GOBUSTER}-backup and more.

gobuster s3 -w list_of_buckets.txt
gobuster s3 -w list_of_buckets.txt -p patterns.txt

EyeWitness

EyeWitness is an exceptional tool to help quickly identify and display potentially vulnerable systems. Imagine having over 3,000 responding systems on a network, how do you know which ones are vulnerable?

EyeWiteness makes this easy by grabbing screenshots of web services and saving them into an HTML report. This allows an analyst to view and scroll through the screenshots, making it easier to quickly identify potentially vulnerable systems.

The workflow should involve masscan -> nmap for services -> eyewitness for info.

python3 EyeWitness.py --web -f urls.txt --prepend-https
PreviousLayer 2 Config and AnalysisNextPort Attacks

Last updated