Penetration Testing A - Z: Vulnerability Security and Tools by Walter V. Ayres

Author:Walter V. Ayres [V. Ayres, Walter]
Language: eng
Format: azw3
Publisher: UNKNOWN
Published: 2020-10-20T00:00:00+00:00


Normally, we begin our Nmap port scans with a SYN stealth scan looking for selected ports and using the OS identification option. By using the stealth scan feature and confining our scan to a few choice ports, we obtain valuable information while significantly improving the chances of remaining undetected. We begin by scanning for ports that support services that we know provide valuable information or that we may be able to exploit. We have developed a list of some of these ports (see Table 13-1). You should add and delete ports from this list based on what you find to be successful and the type of systems you are targeting.

The syntax for this stealth scan can be confusing at first. Here is the command you could use to execute the SYN stealth scan we just described (remember, UNIX is case sensitive):

#nmap -sS -O -P0 -f -p 7,9,13,21,25,135-139,5800,etc. outputfile.txt 10.10.10.10-10.10.10.100

Table 13-1. Sample Ports to Scan

Port          Service
7             Echo
9             Discard
13            Daytime
19            Character generator
21            FTP
22            SSH
23            Telnet
25            SMTP
37            Time
42            WINS hostname server
53            DNS
69            TFTP
79            Finger
80            HTTP
110           POP
111           Sun RPC
135-139       NT services NetBIOS
143           IMAP
161-162       SNMP
256-258       Check Point Firewall
443           SSL
512-515       r services
2049          NFS
2301          Compaq
5800          VNC
5900          VNC
6000-6023     X Windows
12345         Netbus
32760-32785   RPC services
65301         pcAnywhere

There are several options included in this command. -sS specifies a SYN stealth scan. -O enables OS identification. -P0 indicates that Nmap should not attempt to ping the target. -P0 is a very important option; if this option is not used, Nmap will attempt to ping the target, and if the target does not respond to ping, Nmap will not scan it. Therefore, if you want to scan only hosts that respond to ping, do not use -P0, but be aware that you may miss hosts that have disabled or filtered ping. Using -P0 will enable you to scan hosts that do not respond to ping. The scan will take longer, since Nmap will attempt to scan the specified ports on every address even if the host is not active. -f indicates that the scan should be fragmented into small packets to help avoid detection. -p specifies the ports to be scanned. Follow the -p with your list of ports, as demonstrated in the example command above. Note that in our example we used "etc." to signify that you could continue to add specific ports. If you do not specify the -p option, Nmap will scan its default list of ports. -v indicates the verbose setting, which will display all output on the screen. We recommend using the verbose option so that you can examine the output as it is produced and catch problems early. -o allows you to specify an output file so that you can analyze the results later. Finally, enter the IP address range of the systems to be scanned. In our example, we are scanning 10.10.10.10 through 10.10.10.100. We could have easily added another range or individual hosts by adding a comma after each range or host.
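As an added example (not from the book), here is a small Python helper that assembles the stealth scan described above from a Table 13-1 style port list: it collapses consecutive ports into Nmap -p ranges, converts the first/last addresses into Nmap's octet-range target syntax (Nmap does not accept the a.b.c.d-e.f.g.h form), and uses the current option spellings, -Pn for the book's -P0 and -oN for the output file. The port subset and addresses are constructed sample values.

```python
import ipaddress
import shlex

# Constructed sample: a subset of Table 13-1 as (port or "lo-hi", service) pairs.
TABLE_13_1 = [
    ("7", "Echo"), ("9", "Discard"), ("13", "Daytime"), ("21", "FTP"),
    ("25", "SMTP"), ("135-139", "NT services NetBIOS"), ("161-162", "SNMP"),
    ("5800", "VNC"), ("5900", "VNC"),
]

def expand_ports(entries):
    """Return the sorted, de-duplicated individual ports named by the table."""
    ports = set()
    for spec, _service in entries:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec {spec!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def port_spec(entries):
    """Collapse runs of consecutive ports into Nmap -p ranges (135..139 -> 135-139)."""
    chunks, start, prev = [], None, None
    for p in expand_ports(entries) + [None]:   # None is a sentinel that flushes the last run
        if start is not None and p == prev + 1:
            prev = p
            continue
        if start is not None:
            chunks.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = p
    return ",".join(chunks)

def target_spec(first, last):
    """Express first..last in Nmap's octet-range form, e.g. 10.10.10.10-100.
    Assumption: both addresses lie in a single /24 and the range is ascending."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a.packed[:3] != b.packed[:3] or a > b:
        raise ValueError("range must be ascending and within a single /24")
    return f"{first}-{b.packed[3]}"

def build_scan(entries, first, last, outfile, no_ping=True, fragment=True):
    """Return argv for the scan; -Pn and -oN are the current spellings of -P0 and -o."""
    argv = ["nmap", "-sS", "-O", "-v"] + (["-Pn"] if no_ping else []) + (["-f"] if fragment else [])
    argv += ["-p", port_spec(entries), "-oN", outfile, target_spec(first, last)]
    return argv

if __name__ == "__main__":
    print(shlex.join(build_scan(TABLE_13_1, "10.10.10.10", "10.10.10.100", "outputfile.txt")))
```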

Nmap offers some more advanced options that increase the functionality of the tool. Before we start discussing these options and providing examples, one word of warning. The decoy option, -D


