Nmap TCP (sT /sS), UDP (sU), OS detection (O), Version Detection (sV) + Wireshark Analysis
Nmap - TCP (-sT -sS) UDP (-sU) OS detection (-O), Version Detection (-sV) and Wireshark Analysis (SYN-SYNACK-ACK-RST)
NMAP - port scanning
TCP connect scan (-sT) (a FW can easily detect it) and SYN scan (-sS) (a FW can't detect it as easily) - both use the TCP protocol.
Nmap is the most popular scanner among security professionals.
If we need to import Nmap scan data into msfconsole, we must run the nmap command with the -oX flag to save the report as an XML file.
Use the db_import command to import the scan results.
When Nmap is run without a port range, it scans the most common 1,000 ports for each protocol.
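The -oX report is plain XML, so the same file that db_import consumes can be read by any script. The following is an added example, not code from the video or from the Nmap project: it parses a constructed, trimmed sample of nmap -oX output into a flat list of port results and pulls out the confirmed-open ports, which is the usual first step when turning a scan into an asset inventory. The hostnames, ports and product strings in the sample are made up for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from collections import Counter

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.1` writes, trimmed to the
# elements used here (the real file carries more attributes and a <runstats> footer).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.1" version="7.94">
<host>
<status state="up" reason="syn-ack"/>
<address addr="10.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
</ports>
</host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortResult:
    host: str
    protocol: str
    port: int
    state: str
    reason: str
    service: str
    product: str


def parse_nmap_xml(xml_text: str) -> list:
    """Flatten an nmap -oX report into one PortResult per scanned port.

    Nmap's own output is safe to parse with xml.etree; if the report comes from
    an untrusted source, swap in defusedxml.ElementTree to avoid entity tricks.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        host_ip = addr.get("addr", "?") if addr is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            results.append(PortResult(
                host=host_ip,
                protocol=port.get("protocol", "?"),
                port=int(port.get("portid", "0")),
                state=state.get("state", "unknown") if state is not None else "unknown",
                reason=state.get("reason", "") if state is not None else "",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
            ))
    return results


def open_ports(results):
    """Only confirmed-open ports: what a defender triages first."""
    return [(r.protocol, r.port, r.service) for r in results if r.state == "open"]


def state_counts(results):
    """How many ports landed in each state (open, closed, filtered, open|filtered ...)."""
    return dict(Counter(r.state for r in results))


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for r in parsed:
        print(f"{r.host} {r.protocol}/{r.port} {r.state:14} {r.service} {r.product}")
    print("open:", open_ports(parsed))
    print("counts:", state_counts(parsed))
```

The `reason` attribute is worth keeping: it records why Nmap chose a state (syn-ack, reset, no-response), which is exactly the evidence the Wireshark part of this video shows on the wire.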
TCP -sT (FULL scan)
The TCP connect scan uses the operating system's network functions to establish a connection.
The TCP connect scan is the more accurate scan: it completes the 3-way handshake
SYN-SYN/ACK-ACK
nmap -sT -p 10-100 10.0.0.1
SYN -sS (HALF OPEN)
A SYN scan is half-open. It is also called a STEALTH scan.
SYN scans are difficult for many firewall devices and IPS/IDS systems to detect.
It does not use the network functions of the OS; it generates raw IP packets and monitors the responses.
A SYN packet is sent; if the target answers with SYN/ACK, the scanner then sends an RST packet to end the half-open connection instead of completing the handshake.
nmap -sS -p 10-100 10.0.0.1
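The difference between -sT and -sS is visible packet by packet in Wireshark: after the target's SYN/ACK, a connect scan sends ACK (handshake complete), a SYN scan sends RST straight away. The following is an added example, not code from the video: it runs that logic over a constructed list of TCP packets (Wireshark-style flag letters, one scanning host 10.0.0.50 probing 10.0.0.1) and labels each flow with the port state Nmap would report (open, closed, filtered) and the scan style that produced it. The half-open counter at the end is the simple signature an IDS keys on, which is why "hard to detect" in the text should be read as "hard for a firewall that only logs completed connections", not as invisible.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic). Flags use Wireshark-style letters:
# S=SYN, A=ACK, R=RST, F=FIN, P=PSH. Packets are in capture order.
SAMPLE_PACKETS = [
    # 40001 -> 22: SYN, SYN/ACK, ACK, then RST/ACK: the full handshake of a -sT scan
    {"src": "10.0.0.50", "sport": 40001, "dst": "10.0.0.1", "dport": 22, "flags": "S"},
    {"src": "10.0.0.1", "sport": 22, "dst": "10.0.0.50", "dport": 40001, "flags": "SA"},
    {"src": "10.0.0.50", "sport": 40001, "dst": "10.0.0.1", "dport": 22, "flags": "A"},
    {"src": "10.0.0.50", "sport": 40001, "dst": "10.0.0.1", "dport": 22, "flags": "RA"},
    # 40002 -> 80: SYN, SYN/ACK, RST: the half-open pattern of a -sS scan
    {"src": "10.0.0.50", "sport": 40002, "dst": "10.0.0.1", "dport": 80, "flags": "S"},
    {"src": "10.0.0.1", "sport": 80, "dst": "10.0.0.50", "dport": 40002, "flags": "SA"},
    {"src": "10.0.0.50", "sport": 40002, "dst": "10.0.0.1", "dport": 80, "flags": "R"},
    # 40003 -> 23: SYN answered by RST/ACK: closed port
    {"src": "10.0.0.50", "sport": 40003, "dst": "10.0.0.1", "dport": 23, "flags": "S"},
    {"src": "10.0.0.1", "sport": 23, "dst": "10.0.0.50", "dport": 40003, "flags": "RA"},
    # 40004 -> 445: SYN with no reply at all: filtered
    {"src": "10.0.0.50", "sport": 40004, "dst": "10.0.0.1", "dport": 445, "flags": "S"},
]


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation land in one flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted((a, b)))


def classify_flow(packets):
    """Return (port_state, scan_style) for one TCP flow, given its packets in capture order."""
    first_syn = next((p for p in packets if p["flags"] == "S"), None)
    if first_syn is None:
        return ("unknown", "no initial SYN seen")
    client = (first_syn["src"], first_syn["sport"])
    from_server = [p["flags"] for p in packets if (p["src"], p["sport"]) != client]
    # Skip the initial SYN; look at what the client did after the target answered.
    from_client = [p["flags"] for p in packets if (p["src"], p["sport"]) == client][1:]

    if any("S" in f and "A" in f for f in from_server):
        state = "open"                      # SYN/ACK came back
        if any("A" in f and "R" not in f for f in from_client):
            style = "connect (3-way handshake completed)"
        elif any("R" in f for f in from_client):
            style = "half-open (RST sent instead of ACK)"
        else:
            style = "incomplete"
    elif any("R" in f for f in from_server):
        state, style = "closed", "n/a (RST/ACK from target)"
    else:
        state, style = "filtered", "n/a (no reply)"
    return (state, style)


def analyze_capture(packets):
    """Group packets into flows and classify each flow that started with a SYN."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    results = []
    for pkts in flows.values():
        first_syn = next((p for p in pkts if p["flags"] == "S"), None)
        if first_syn is None:
            continue
        state, style = classify_flow(pkts)
        results.append({"scanner": first_syn["src"], "target": first_syn["dst"],
                        "port": first_syn["dport"], "state": state, "style": style})
    return results


def half_open_counts(results):
    """Half-open probes per source address: a spike here is what a SYN-scan IDS rule alerts on."""
    counts = defaultdict(int)
    for r in results:
        if r["style"].startswith("half-open"):
            counts[r["scanner"]] += 1
    return dict(counts)


if __name__ == "__main__":
    res = analyze_capture(SAMPLE_PACKETS)
    for r in res:
        print(f"{r['scanner']} -> {r['target']}:{r['port']:<5} {r['state']:9} {r['style']}")
    print("half-open probes per source:", half_open_counts(res))
```

To apply this to a real capture, export the TCP packets from Wireshark (File > Export Packet Dissections > As CSV) and build the same dictionaries from the source/destination address, port and flag columns.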
UDP scan [-sU] - CONNECTIONLESS
Zero-byte UDP packets are sent to the target machine.
An ICMP port unreachable message shows that the port is closed.
An open port typically sends no reply packet back to the scanner.
If the port is closed, Nmap receives an "ICMP PORT UNREACHABLE" message.
If there is no response, the port is treated as open.
This can lead to many false positives, as a firewall may silently block many packets.
nmap -sU -p 10-100 10.0.0.1
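Because an open UDP port and a dropped packet look the same from the outside (silence), Nmap actually reports a silent port as open|filtered rather than open, and uses other ICMP unreachable codes to mark a port filtered. The following is an added example, not code from the video or from Nmap: it applies Nmap's documented outcome-to-state mapping to a constructed list of UDP probe results and adds the check a practitioner wants next, a "mostly silent" test that flags when the scan is more likely showing a packet-dropping firewall than a host full of open services (the false-positive problem the text mentions).

```python
from collections import Counter

# Nmap's mapping of UDP probe outcomes to port states (Nmap reference guide, -sU):
#   UDP datagram returned            -> open
#   ICMP type 3, code 3              -> closed
#   ICMP type 3, code 1/2/9/10/13    -> filtered
#   no reply after retransmissions   -> open|filtered
FILTERED_UNREACH_CODES = {1, 2, 9, 10, 13}

# Constructed probe outcomes, not a real capture. 'reply' is None when nothing came back.
SAMPLE_PROBES = [
    {"port": 53,  "reply": "udp"},                          # DNS answered the probe
    {"port": 161, "reply": "icmp", "type": 3, "code": 3},   # port unreachable
    {"port": 69,  "reply": None},                           # silence
    {"port": 123, "reply": "icmp", "type": 3, "code": 13},  # admin prohibited (a filter)
    {"port": 137, "reply": None},                           # silence
]


def classify_udp_probe(probe):
    """Port state for one probe outcome, following the table above."""
    reply = probe.get("reply")
    if reply == "udp":
        return "open"
    if reply == "icmp":
        if probe.get("type") == 3 and probe.get("code") == 3:
            return "closed"
        if probe.get("type") == 3 and probe.get("code") in FILTERED_UNREACH_CODES:
            return "filtered"
    # No reply, or an ICMP message we cannot interpret: open and filtered are indistinguishable.
    return "open|filtered"


def summarize_udp_scan(probes):
    """Map each port to a state and count the states."""
    states = {p["port"]: classify_udp_probe(p) for p in probes}
    return states, dict(Counter(states.values()))


def silent_fraction(probes):
    """Share of probes that produced no usable answer."""
    if not probes:
        return 0.0
    silent = sum(1 for p in probes if classify_udp_probe(p) == "open|filtered")
    return silent / len(probes)


def looks_firewalled(probes, threshold=0.8):
    """When most probes get no answer, a packet-dropping firewall is a likelier cause than
    many open services, so the open|filtered results should be treated as unconfirmed."""
    return silent_fraction(probes) >= threshold


if __name__ == "__main__":
    states, counts = summarize_udp_scan(SAMPLE_PROBES)
    for port, state in states.items():
        print(f"udp/{port}: {state}")
    print("counts:", counts)
    print(f"silent fraction: {silent_fraction(SAMPLE_PROBES):.0%}",
          "(likely firewalled)" if looks_firewalled(SAMPLE_PROBES) else "")
```

Nmap confirms an open|filtered port only if it gets a UDP reply, which is why -sV is often combined with -sU: the version probes send protocol-specific payloads that a real service is more likely to answer.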
OS detection [-O]
nmap -O 10.0.0.1
Version detection [-sV]
nmap -sV 10.0.0.1
Decoy Scans with nmap
A decoy option is available in Nmap which may improve anonymity.
The decoy option does not hide the attacker's IP, but adds a bunch of other fake IPs as scanner IPs.
The firewall log will show many IPs, as if all of them were scanning the network; however, only one of them is the real IP.
nmap -sT 10.0.0.1 -D 10.0.0.100,10.0.0.101,10.0.0.102
Using Wireshark to analyze packets