
Active Information Gathering with Metasploit-Framework
Using Nmap to perform port scanning
-sT (TCP connect scan) is Nmap's default when it runs without raw-socket privileges. Each port is checked by completing a full TCP three-way handshake through the operating system's connect() call, so the result is reliable, but because a real connection is established on every open port, the application on the target sees and usually logs it, and it is trivially visible to the target's firewall or IDS.
msf> nmap -sT 127.0.0.1
-sS (SYN scan) sends a SYN and judges the port from the reply (SYN/ACK means open, RST means closed, no reply means filtered) without ever completing the handshake, which is why it is called a half-open or stealth scan. It is faster than a connect scan and does not show up in application logs, but it needs raw-socket privileges (root), and any modern IDS detects it just as easily. It is Nmap's default when run as root.
msf> nmap -sS 127.0.0.1
-sU (UDP scan) sends an empty or protocol-specific UDP datagram to each port. A UDP reply means open, an ICMP port-unreachable message means closed, and no reply at all is reported as open|filtered because UDP has no handshake to confirm anything. It is usually the slowest of the three, not the fastest: most systems rate-limit ICMP unreachable messages, so Nmap has to throttle itself, and its results are less definite than those of either TCP scan. Combine it with -sV to turn open|filtered into a confirmed service where a probe gets an answer.
msf> nmap -sU 127.0.0.1
Operating system identification.
Nmap offers two complementary ways to learn what the target is running:
1. -O performs operating-system detection by TCP/IP stack fingerprinting (it sends crafted packets and compares how the target's stack answers against its fingerprint database). It needs raw-socket privileges and works best when at least one open and one closed TCP port are found; it can be combined with any scan type, e.g. -sS -O.
msf> nmap -O 127.0.0.1
2. -sV is service and version detection, not OS detection: it sends probes to every open port and reports the service name, product and version from the banner or probe response. The banner often gives away the OS as well (an OpenSSH banner with an Ubuntu suffix, an IIS version). It combines with the port-scan options above, so -sSV is shorthand for -sS -sV.
msf> nmap -sSV 127.0.0.1
Nmap decoy scan
A scan against a target site or host is normally recorded by its WAF or IDS, which exposes the tester's source address. Nmap's -D option hides the real source among decoys: every probe is also sent with each listed decoy address as a spoofed source, so with two decoys the target's log shows three scanning addresses and cannot tell which one is real. Put ME in the list to choose the position of the real address (otherwise Nmap places it randomly) and RND:n to generate n random decoys. Decoys only work for raw-packet scans such as -sS and -O; a connect scan (-sT) or version detection (-sV) completes a real connection from the tester's address, so those packets are not hidden. The decoy hosts should be up, otherwise the spoofed SYNs amount to a SYN flood against the target rather than confusion.
msf> nmap -sS 127.0.0.1 -D 10.10.20.100,10.10.20.101
1. TCP port scan
The connect scanner completes a full TCP handshake from inside Metasploit, so it needs no raw sockets and also works through a pivot (route) from a compromised host. The ranges in the commands below are example values; substitute the target network.
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 10.10.20.0/24
msf> set PORTS 1-1024
msf> set THREADS 10
msf> run
2. SYN port scan
The SYN scanner crafts raw packets, so it only works on the attacker's own machine as root and cannot be routed through a pivot.
msf> use auxiliary/scanner/portscan/syn
msf> set RHOSTS 10.10.20.0/24
msf> set PORTS 1-1024
msf> run
3. Call nmap
db_nmap runs the system Nmap from msfconsole and imports the results into the Metasploit database (a database must be connected; check with db_status), so that afterwards the hosts and services commands list what was found and other modules can take the results as RHOSTS. A complete banner-grabbing scan:
msf> db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all -p- 127.0.0.1
-Pn tells Nmap the target is already known to be up and skips host discovery; -sTV is -sT plus -sV, a TCP connect scan with service and version detection on every open port; -T4 selects the aggressive timing template; --open reports only open ports; --min-parallelism 64 keeps at least 64 probes in flight at a time; --version-all runs every version probe against each port (slower but more complete, the same as --version-intensity 9); and -p- scans all 65535 ports instead of Nmap's default top 1000.
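The data db_nmap imports is the same XML that Nmap writes with -oX. The following is an added example (not code from the page or from Nmap/Metasploit) that parses such output into a host and service inventory, separates confirmed-open ports from UDP open|filtered guesses, and flags service names that Nmap only took from its port table rather than from a probe response. The XML is a constructed sample in Nmap's format, not a real scan.

```python
"""Parse Nmap XML (nmap -oX, the data db_nmap imports) into a host/service inventory.

Added example, not part of the original page. SAMPLE_XML is a constructed
sample in Nmap's output format, not the result of a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two live hosts, one filtered and one closed port, one
# UDP open|filtered port, and an OS match on the first host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sTV -p- -oX - 10.10.20.0/29">
<host><status state="up" reason="user-set"/>
<address addr="10.10.20.5" addrtype="ipv4"/>
<hostnames><hostname name="fileserver" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="5985"><state state="open" reason="syn-ack"/>
<service name="http" product="Microsoft HTTPAPI httpd" version="2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="93"/></os>
</host>
<host><status state="up" reason="user-set"/>
<address addr="10.10.20.6" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="conn-refused"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.20.7" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host reported up: ip, hostname, OS guess and its ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # -Pn marks everything up, but a discovery scan may not
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")  # Nmap lists the best match first
        ports = []
        for p in host.findall("ports/port"):
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table" means the name is a guess from nmap-services,
                # not something the port actually said
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append({
            "ip": addr,
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
            "ports": ports,
        })
    return hosts


def open_services(hosts, include_uncertain=False):
    """(ip, proto, port, service) for confirmed-open ports.

    UDP ports reported open|filtered are only included on request: Nmap could
    not distinguish an open port from a silently dropped probe."""
    found = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open" or (include_uncertain and p["state"] == "open|filtered"):
                found.append((h["ip"], p["proto"], p["port"], p["service"]))
    return found


def banners(hosts):
    """Human-readable banner lines, flagging names Nmap only guessed from the port number."""
    lines = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            desc = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
            if not p["probed"]:
                desc += " (guessed from port table, not a probe response)"
            lines.append(f"{h['ip']}:{p['port']}/{p['proto']} {desc}")
    return lines


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for line in banners(inventory):
        print(line)
```

A 445/tcp entry with method="table" is exactly the case where --version-all is worth the extra time: the port is open but nothing has confirmed what is listening, so the SMB modules in the next section should be run against it before any conclusion is drawn.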
4. Use ARP for live host scanning
Every host on the local Ethernet segment answers ARP requests regardless of its firewall rules, so this is the most reliable discovery method on a LAN, but it only reaches the directly connected subnet and needs root for raw sockets. The option is RHOSTS (plural); the ranges below are example values.
msf> use auxiliary/scanner/discovery/arp_sweep
msf> set RHOSTS 10.10.20.0/24
msf> set THREADS 10
msf> run
5. Use UDP to detect live hosts
udp_sweep sends probes for common UDP services (DNS, NTP, SNMP, NetBIOS and others) and reports every host that answers. It needs no raw sockets, so it can be used through a pivot, and it works across routed subnets where ARP cannot.
msf> use auxiliary/scanner/discovery/udp_sweep
msf> set RHOSTS 10.10.20.0/24
msf> set THREADS 10
msf> run
6. Use SMB to detect live hosts and enumerate shares
smb_enumshares lists the shares of every host that answers on 445/tcp. Anonymous (null-session) share listing is disabled on current Windows versions, so normally SMBUser, SMBPass and SMBDomain must be set; without credentials the module still confirms which hosts speak SMB.
msf> use auxiliary/scanner/smb/smb_enumshares
msf> set RHOSTS 10.10.20.0/24
msf> set THREADS 10
msf> run
7. SMB version scan
smb_version negotiates a session and reports the SMB dialect, OS name and build, and host name without needing credentials. Run it first: it is the quickest way to inventory Windows hosts.
msf> use auxiliary/scanner/smb/smb_version
msf> set RHOSTS 10.10.20.0/24
msf> run
8. SMB brute force (dictionary required)
smb_login tries the user and password combinations from USER_FILE and PASS_FILE (or a single SMBUser/SMBPass pair). Check the domain lockout policy first: a few wrong guesses per account can lock out every user in the list.
msf> use auxiliary/scanner/smb/smb_login
msf> set RHOSTS 10.10.20.0/24
msf> set USER_FILE users.txt
msf> set PASS_FILE passwords.txt
msf> set STOP_ON_SUCCESS true
msf> run
9. SSH version scan
Reads the SSH banner (server software and version) from 22/tcp.
msf> use auxiliary/scanner/ssh/ssh_version
msf> set RHOSTS 10.10.20.0/24
msf> run
10. FTP version scan
Reads the FTP greeting banner from 21/tcp.
msf> use auxiliary/scanner/ftp/ftp_version
msf> set RHOSTS 10.10.20.0/24
msf> run
11. SMTP enumeration
smtp_enum uses the VRFY, EXPN and RCPT TO commands to find out which names from USER_FILE are valid mailboxes (a default list of common Unix user names ships with the module).
msf> use auxiliary/scanner/smtp/smtp_enum
msf> set RHOSTS 10.10.20.0/24
msf> set USER_FILE users.txt
msf> run
12. SNMP enumeration
snmp_enum walks a device with a known community string (COMMUNITY, default public) and prints its system description, interfaces, routes, listening ports, users, processes and installed software.
msf> use auxiliary/scanner/snmp/snmp_enum
msf> set RHOSTS 10.10.20.0/24
msf> set COMMUNITY public
msf> run
13. SNMP login
snmp_login brute forces community strings from PASS_FILE (a default list of common strings ships with the module) against SNMP v1 and v2c and reports for each hit whether it grants read-only or read-write access.
msf> use auxiliary/scanner/snmp/snmp_login
msf> set RHOSTS 10.10.20.0/24
msf> run
14. WinRM scan
winrm_auth_methods finds hosts with WinRM on 5985/tcp (for HTTPS on 5986 set RPORT and SSL) and lists the authentication methods they accept, such as Negotiate, Basic or Kerberos.
msf> use auxiliary/scanner/winrm/winrm_auth_methods
msf> set RHOSTS 10.10.20.0/24
msf> run
15. WinRM command execution
winrm_cmd is not a brute forcer: it runs CMD on every host with credentials that are already known (USERNAME and PASSWORD) and returns the output. Password guessing against WinRM is done with auxiliary/scanner/winrm/winrm_login, which takes USER_FILE and PASS_FILE like smb_login and carries the same lockout risk.
msf> use auxiliary/scanner/winrm/winrm_cmd
msf> set RHOSTS 10.10.20.5
msf> set USERNAME administrator
msf> set PASSWORD <known password>
msf> set CMD ipconfig
msf> run
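Running the modules above one by one against a whole range wastes time and noise on hosts that do not expose the service. The following is an added example (not code from the page or from the Metasploit project) that takes an inventory of open services, such as the output of db_nmap or the services command, and renders a resource script that runs each scanner module only against the hosts where its service was seen, in the order version scan, enumeration, then (only when wordlists are supplied) smb_login. The module and option names are the real ones used on this page; the host list is constructed.

```python
"""Turn an inventory of open services into a Metasploit resource script that runs
the scanner modules from this section against exactly the hosts exposing each service.

Added example, not code from the Metasploit project. Module and option names
(RHOSTS, THREADS, USER_FILE, PASS_FILE, STOP_ON_SUCCESS) are the real ones;
the host/service list is constructed.
"""
import ipaddress

# (proto, port) -> scanner modules worth running against that service, in the
# order they should run (version/enumeration first).
SERVICE_MODULES = {
    ("tcp", 445): ["auxiliary/scanner/smb/smb_version",
                   "auxiliary/scanner/smb/smb_enumshares"],
    ("tcp", 22): ["auxiliary/scanner/ssh/ssh_version"],
    ("tcp", 21): ["auxiliary/scanner/ftp/ftp_version"],
    ("tcp", 25): ["auxiliary/scanner/smtp/smtp_enum"],
    ("udp", 161): ["auxiliary/scanner/snmp/snmp_login",
                   "auxiliary/scanner/snmp/snmp_enum"],
    ("tcp", 5985): ["auxiliary/scanner/winrm/winrm_auth_methods"],
}
# Deterministic run order: first appearance in the table above, no duplicates.
MODULE_ORDER = list(dict.fromkeys(m for mods in SERVICE_MODULES.values() for m in mods))

# Constructed inventory (ip, proto, port), as db_nmap or the services command would give.
SAMPLE_SERVICES = [
    ("10.10.20.5", "tcp", 22), ("10.10.20.5", "tcp", 445), ("10.10.20.5", "tcp", 5985),
    ("10.10.20.6", "tcp", 21), ("10.10.20.6", "udp", 161),
    ("10.10.20.12", "tcp", 445), ("10.10.20.12", "tcp", 5985),
    ("10.10.20.6", "tcp", 8080),  # no scanner module on this page for it; ignored
]


def plan_modules(services):
    """Map each applicable module to the hosts exposing the matching service,
    sorted numerically (string sorting would put 10.10.20.12 before 10.10.20.5)."""
    targets = {}
    for ip, proto, port in services:
        for module in SERVICE_MODULES.get((proto, port), []):
            targets.setdefault(module, set()).add(ip)
    return {m: sorted(ips, key=ipaddress.ip_address) for m, ips in targets.items()}


def build_resource_script(services, threads=10, user_file=None, pass_file=None):
    """Render msfconsole commands; run the result with: msfconsole -r scan.rc

    smb_login is only emitted when both wordlists are given, so an inventory run
    never turns into a brute force (and a possible account lockout) by accident."""
    plan = plan_modules(services)
    lines = ["# generated scanner resource script"]
    for module in MODULE_ORDER:
        if module not in plan:
            continue
        lines += [f"use {module}",
                  f"set RHOSTS {' '.join(plan[module])}",
                  f"set THREADS {threads}",
                  "run"]
    smb_hosts = plan.get("auxiliary/scanner/smb/smb_version")
    if smb_hosts and user_file and pass_file:
        lines += ["use auxiliary/scanner/smb/smb_login",
                  f"set RHOSTS {' '.join(smb_hosts)}",
                  f"set USER_FILE {user_file}",
                  f"set PASS_FILE {pass_file}",
                  "set STOP_ON_SUCCESS true",
                  f"set THREADS {threads}",
                  "run"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_resource_script(SAMPLE_SERVICES,
                                user_file="users.txt", pass_file="passwords.txt"))
```

Write the output to a file and load it with msfconsole -r scan.rc, or with resource scan.rc from inside a running console; the database that db_nmap populated then also receives the results of these modules.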