Understanding the NMAP methodology — Part 3

Jay Vadhaiya · Published in InfoSec Write-ups · 5 min read · Sep 28, 2022

Understanding the NMAP methodology from beginner to advance

Description:

In today's article we will learn about Nmap's more advanced network mapping techniques. If you haven't read Part 1 and Part 2, I suggest you go through those first. This is the last part of the Nmap series.

Before you start, you can join our Discord server to engage with like-minded people, share whatever might help others, and get your questions answered.

As we have already seen some basic and some advanced network mapping in parts one and two, it is worth knowing a few more advanced techniques for scanning and mapping a network.

1. Decoy Scan

A decoy scan is useful when you want to test whether your IDS and IPS devices detect your scan traffic. Nmap offers this feature to make the scanning host harder to identify; you may not want to get caught performing a network scan. In a decoy scan we supply a list of decoy addresses alongside our own, and Nmap sends every probe from each address in the list. Their IDS might therefore report 5–10 port scans from distinct IP addresses, but it cannot tell which IP was actually scanning them and which were innocent decoys.

nmap -D <decoy-ip-1>,<decoy-ip-2>,ME <target-ip>
-D : comma-separated list of decoy addresses (ME marks the position of your own address in the list)

While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address.
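From the defender's side, the pattern the article describes (several sources hitting the same target, same ports, same order, within seconds) is itself a detectable signature. The following is an added example, not code from the article: it reads constructed firewall log lines and groups sources by their port sequence to surface decoy-scan bursts. The log format and addresses are invented for this example.

```python
"""Flag probe bursts that carry the signature of an Nmap decoy scan (-D).

Added example, not code from the article. In firewall/IDS logs a decoy scan
shows up as several source addresses probing the same target, the same
ports, in the same order, within the same few seconds, because the decoys
and the real scanner are all generated by one host. Log format constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<timestamp> DROP <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2022-09-28T10:00:01 DROP 198.51.100.7 -> 192.0.2.10:22
2022-09-28T10:00:01 DROP 203.0.113.9 -> 192.0.2.10:22
2022-09-28T10:00:01 DROP 198.51.100.44 -> 192.0.2.10:22
2022-09-28T10:00:02 DROP 198.51.100.7 -> 192.0.2.10:443
2022-09-28T10:00:02 DROP 203.0.113.9 -> 192.0.2.10:443
2022-09-28T10:00:02 DROP 198.51.100.44 -> 192.0.2.10:443
2022-09-28T11:30:00 DROP 192.0.2.55 -> 192.0.2.10:22
"""

def parse(log):
    """Return (timestamp, src, dst, port) tuples."""
    events = []
    for line in log.splitlines():
        ts, _, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def decoy_candidates(events, window_s=10, min_sources=3):
    """Per target: sources (>= min_sources) sharing one multi-port sequence
    inside one window. The log alone cannot say which of them is real."""
    per_target = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in events:
        per_target[dst][src].append((ts, port))
    findings = {}
    for dst, by_src in per_target.items():
        groups = defaultdict(list)  # port sequence -> sources that sent it
        for src, probes in by_src.items():
            probes.sort()
            t0 = probes[0][0]
            seq = tuple(p for t, p in probes if (t - t0).total_seconds() <= window_s)
            groups[seq].append(src)
        for seq, srcs in groups.items():
            if len(srcs) >= min_sources and len(seq) > 1:
                findings[dst] = {"ports": seq, "sources": sorted(srcs)}
    return findings
```

The single probe from 192.0.2.55 is not flagged: one port from one source is not the decoy pattern, which is why the check keys on the shared multi-port sequence rather than on volume alone.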

2. Zombie/Idle Scan

In a zombie (idle) scan, we never send a packet to the target from our own IP address; everything the target sees comes from a third machine, the zombie. This technique is more complex than the others discussed so far. One way to determine whether a TCP port is open is to send a SYN (synchronization) packet to the port. The target machine responds with a SYN/ACK packet if the port is open and with an RST (reset) if the port is closed. This is the basis of the SYN scan discussed in Part 1.

nmap -sI <zombie-machine-ip> <target-ip>
-sI : Idle scan using the given zombie machine's IP address

A machine that receives an unsolicited SYN/ACK packet will respond with an RST, while an unsolicited RST is simply ignored. Every IP packet on the Internet carries a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing the IP ID tells an attacker how many packets the machine has sent since the last probe. Combining these traits makes it possible to scan a target network while forging your identity, so that it looks like an innocent zombie machine did the scanning.

Source : https://nmap.org/book/idlescan.html

3. More on Nmap flags

Nmap provides many other options that are very useful when scanning a network or a machine. Let's go through them one by one to get a clear picture.

a. Service version detection

This option enables service version detection in Nmap. With it, one can find which service and which version are running on each open port. To detect the version, Nmap must complete a full connection to the port, just as a TCP connect scan does.

nmap -sV <ip>
-sV : Service version detection

b. OS version detection and verbosity scanning

Using these options, Nmap tries to determine the target's operating system version and prints its output in a verbose manner.

nmap -O -v <ip>
-O : OS version detection
-v : Verbose output (you can repeat v up to three times for more detail, e.g. -vv or -vvv)

c. Aggressive scanning

With this single option you get service version detection + OS version detection + default script scanning + traceroute together.

nmap -A <ip>
-A : Aggressive scan

d. Nmap Script Engine

Nmap ships with a library of automated scripts (the Nmap Scripting Engine) that are very useful for enumeration and for gathering known-vulnerability information about the target system. Many default scripts are provided; see Nmap's official manual for the full list.

nmap --script default <ip>
--script : run the named script or script category (default runs the default set; -sC is shorthand for --script default)

Using the --script option you can enable script execution with Nmap.

4. Scan timings

Scan timing is also an essential part of avoiding detection by security mechanisms. Nmap provides six timing templates by default:

  • -T0 : Paranoid (Slowest)
  • -T1 : Sneaky
  • -T2 : Polite
  • -T3 : Normal
  • -T4 : Aggressive
  • -T5 : Insane

-T0 scans ports one at a time with a wait of a minute between them. This is very slow, but the scan is much harder to detect. To avoid IDS detection use -T0 or -T1. If you do not specify a template, the default is -T3. -T1 is the one more commonly used in real engagements where stealth matters.

5. More customizable options

Alternatively, you can control the packet rate directly using `--min-rate <num>` and `--max-rate <num>`.

ex :- `--min-rate 10` and `--max-rate 10` together ensure that no more than (and no fewer than) 10 packets per second are sent. `--min-parallelism <num>` sets the minimum number of probes Nmap keeps outstanding in parallel.

Host timeout

Sometimes the destination system does not respond at all. We can set a time limit: if a host does not respond within that time, Nmap gives up on it and moves on to the next one.

ex :- `--host-timeout 500ms <IP>`

Scan Delay

If the destination system is protected by an IDS/IPS that detects continuous requests, we can add a delay between probes: send packet → wait → send packet → ...

ex :- `--scan-delay 1s <IP>`

That is it for today's article. If you found it interesting and informative, share it with your friends. Thank you for reading this far. Let me know in the responses about any question, or any topic you would like to read an article on. Follow me and subscribe to get new articles directly by email.

You can follow on social media here: LinkedIn, Instagram, Twitter

From Infosec Writeups: So much is happening in infosec every day that it's hard to keep up. Join our weekly newsletter to get the latest infosec trends in the form of 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert, for FREE!