Although I am a security student, I am not a security expert. Please read my general disclaimer.
What are Nmap and Zenmap?
Nmap is a command-line network scanner used to discover hosts and the services they run. Zenmap is the official graphical front end for Nmap. Both work by sending crafted packets to a user-specified host and analyzing the host's responses, or the lack of them.
Images source: https://nmap.org/
Below is a noisy nmap scan I use for CTFs and other informal environments. Its output is saved to a text file so that it can easily be referred to later.
sudo nmap -sC -sV -Pn -T5 -n -O -A -oN /path/filename.txt ip_address
- -sC – run the default set of NSE scripts against the open ports
- -sV – probe each open port to identify the service and its version
- -Pn – skip host discovery and treat the host as up, so it is port scanned even if it drops pings
- -T5 – "insane" timing template: the fastest setting, which assumes a very fast, reliable network and can miss ports on a slower one
- -n – never do DNS resolution
- -O – remote OS detection (requires raw sockets, hence sudo)
- -A – aggressive scan: enables -O, -sV, -sC and --traceroute together, so the explicit -sC, -sV and -O above are redundant but harmless
- -oN – write normal, human-readable output to the given file
There are other scan types you can choose as well, but these are some common ones:
| Option | Scan type | Notes |
|---|---|---|
| -sS | TCP SYN scan | The default scan when run with privileges. Sends a SYN and classifies the port from the SYN/ACK or RST that comes back, then tears the connection down with a RST instead of completing the three-way handshake. The connection never reaches the application, so it is not logged there, but the SYN packets are still plainly visible to a network IDS. |
| -sT | TCP connect scan | Uses the operating system's connect() call, so it completes the full three-way handshake. Needs no raw-socket privileges (it is the default for unprivileged users), but every connection is visible to the target service and its logs. |
| -sU | UDP scan | Sends a UDP datagram to each port; the payload is empty except for well-known services such as DNS, SNMP and DHCP, which get protocol-specific probes. No reply means open\|filtered, and ICMP rate limiting makes it slow, but many exploitable services listen only on UDP. |
| -sY | SCTP INIT scan | The SCTP equivalent of a SYN scan, for the transport used by SS7/SIGTRAN telecom signaling. Sends an INIT chunk and classifies the port from the INIT-ACK or ABORT reply without completing the four-way association handshake. |
| -sN | TCP NULL scan | Sends a TCP packet with no flags set. Per RFC 793 a closed port answers with a RST and an open port stays silent (reported as open\|filtered), so the scan can slip past some stateless packet filters that only inspect SYNs. It does not work against systems such as Windows that answer every probe with a RST regardless of port state. |
Learn more: Nmap Cheat Sheet by Nathan House
Noise refers to how much traffic and disruption your scan creates on the target. The noisier a scan, the easier it is for an intrusion detection system or an administrator to notice it and block further activity. For example, a TCP connect scan (-sT) completes the three-way handshake with every port it probes, so each connection shows up in the service's own logs; the SYN scan (-sS) is a quieter alternative because it never completes the handshake, although the SYN packets themselves are still visible to a network IDS.
Many of Nmap's convenient options trade stealth for information. For instance, -A (which enables operating system detection, version detection, script scanning and traceroute) includes version detection, which connects to every open port and sends protocol probes to grab the banner and identify the daemon and its version; every one of those connections is visible to the target.
Other Nmap options defeat specific detection techniques: timing throttling (-T0/-T1, --scan-delay), idle or zombie scanning (-sI), packet fragmentation (-f), decoys (-D) and source port spoofing (--source-port/-g). Each addresses only one kind of detection, so even combined they do not make the whole scan invisible.
If you are a red teamer trying to avoid detection, consider running your scans through a wrapper script built for stealth. A script also prevents silly mistakes such as forgetting -Pn (the older spelling -P0 still works), which suppresses the host-discovery ping Nmap sends by default, a probe that often tips off firewalls before the port scan even starts.
Testing against IDS
One of the most widely deployed IDSs is Snort. It is open source and free to download, so you can run it in a lab and test whether it detects your scans before using them on an engagement; since Snort is so common, studying how it detects scans is a good guide to how you should build them.
An example is scanning below the preset detection threshold. The post's figure for Snort's default is 15 ports, so a scan that touches fewer distinct ports than that within the detection window is less likely to be flagged. The thresholds and sensitivity of Snort's portscan preprocessor are set per sensor in its configuration and are often tuned, so check the actual configuration rather than relying on a default.
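As an added example (not code from this post, nor from the Nmap or Snort projects), the following Python script does both things the two sections above describe: it wraps nmap so that a scan never forgets -Pn, -n and -sS and splits the port list into batches below a detector threshold, then checks the resulting probe pattern against a toy sliding-window portscan detector before anything is run. The threshold of 15 ports is the figure the post cites; the 60-second window, the 5-second scan delay, the 90-second gap between batches, the addresses 10.0.0.5 and 192.0.2.10, and all function names are assumptions for illustration. The nmap flags used (-Pn, -n, -sS, --max-retries, --scan-delay, -p, -oN, --append-output) are real, but the detector is a simple model of threshold logic, not Snort's own preprocessor.

```python
"""Plan a low-and-slow Nmap port scan and check the probe pattern against a
toy threshold detector before running anything.  Added example for this
post, not code from the post itself or from the Nmap or Snort projects."""
import random
import shlex
import subprocess
import time
from collections import defaultdict

# The post cites 15 distinct ports as Snort's default threshold.  The window
# length is an assumption; read both from the sensor's real portscan config.
PORT_THRESHOLD = 15
WINDOW_SECONDS = 60


def plan_scan(target, ports, batch_size=PORT_THRESHOLD - 5, outfile="scan.txt",
              scan_delay="5s", seed=None):
    """Shuffle `ports`, split them into batches smaller than the detector
    threshold, and return one nmap argv per batch.  Every batch carries the
    flags a stealthy scan must not forget: -Pn (no discovery ping), -n (no
    DNS), -sS (half-open) and a per-probe delay.  Nothing is executed here."""
    if not 0 < batch_size < PORT_THRESHOLD:
        raise ValueError("batch_size must stay below the detector threshold")
    order = list(dict.fromkeys(int(p) for p in ports))   # dedupe, keep ints
    random.Random(seed).shuffle(order)                    # no sequential sweep
    plans = []
    for i in range(0, len(order), batch_size):
        batch = order[i:i + batch_size]
        plans.append(["nmap", "-Pn", "-n", "-sS", "--max-retries", "1",
                      "--scan-delay", scan_delay,
                      "-p", ",".join(map(str, batch)),
                      "-oN", outfile, "--append-output", target])
    return plans


def run_plans(plans, batch_gap=WINDOW_SECONDS + 30, dry_run=True):
    """Run each batch, sleeping `batch_gap` seconds between them so that two
    batches never share one detector window.  With dry_run the shell-quoted
    commands are returned instead of executed (nmap needs root for -sS)."""
    rendered = []
    for i, argv in enumerate(plans):
        if dry_run:
            rendered.append(shlex.join(argv))
            continue
        if i:
            time.sleep(batch_gap)
        subprocess.run(argv, check=True)
    return rendered


def simulate(plans, scan_delay=5.0, batch_gap=WINDOW_SECONDS + 30,
             src="10.0.0.5"):
    """Constructed traffic model of the plan: one (ts, src, dst, port) event
    per probe, `scan_delay` seconds apart, with `batch_gap` between batches."""
    events, t = [], 0.0
    for argv in plans:
        dst = argv[-1]
        for p in argv[argv.index("-p") + 1].split(","):
            events.append((t, src, dst, int(p)))
            t += scan_delay
        t += batch_gap
    return events


def detect_portscans(events, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Toy sliding-window detector: flag (src, dst) when one source touches
    at least `threshold` distinct ports on a host within `window` seconds."""
    probes = defaultdict(list)
    for ts, src, dst, port in events:
        probes[(src, dst)].append((ts, port))
    flagged = set()
    for pair, seq in probes.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            distinct = {p for t, p in seq[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                flagged.add(pair)
                break
    return flagged


if __name__ == "__main__":
    target, ports = "192.0.2.10", range(1, 101)          # constructed inputs
    plans = plan_scan(target, ports, seed=1)
    for cmd in run_plans(plans):                          # dry run: print only
        print(cmd)
    print("batched plan flagged:", detect_portscans(simulate(plans)))
    noisy = [(i * 0.001, "10.0.0.5", target, p) for i, p in enumerate(ports)]
    print("noisy sweep flagged:", detect_portscans(noisy))
```

Run it as is and it only prints the commands it would execute; pass dry_run=False to run_plans (as root) to actually scan. The batched plan stays under the threshold in every window, while the constructed noisy sweep, which hits all 100 ports in a tenth of a second as a -T5 scan would, is flagged immediately. Swap the constants for the values in the sensor you are actually testing against, and remember that a real Snort deployment also has signatures and other preprocessors that this model does not account for.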
Further reading
- Why is nmap being so noisy with "-A" option? – Stack Exchange
- They see me scannin'; they hatin' – Heisenbugs and other unobservables
- How to Perform Stealthy Reconnaissance on a Protected Network – Wonder How To
- How to Evade a Network Intrusion Detection System (NIDS) Using Snort – Wonder How To
This post is part of IGME 599, an Honors FOSS Independent Study at the Rochester Institute of Technology.