This repository has been archived by the owner on Sep 8, 2021. It is now read-only.

2.4 Given a scenario, perform vulnerability scanning.

Considerations of vulnerability scanning

  • Time to run scans

  • Protocols

  • Network topology

  • Bandwidth limitations

  • Query throttling

  • Fragile systems

  • Non-traditional assets

Scan identified targets for vulnerabilities

Set scan settings to avoid detection

Scanning methods

  • Stealth scan

  • Transmission Control Protocol (TCP) connect scan

  • Credentialed vs. non-credentialed

  • Credentialed:
    • Uses an authorized user or admin account
    • Closer to the system administrator's perspective
    • Finds more vulnerabilities
  • Non-Credentialed:
    • Does not have a user or admin account
    • Closer to an attacker's perspective

Nmap

  • Nmap Scripting Engine (NSE) scripts

    The Nmap Scripting Engine (NSE) allows users to write (and share) simple scripts (using the Lua programming language) to automate a wide variety of networking tasks.

    Currently defined categories are: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

    • --script-args <n1>=<v1>,<n2>={<n3>=<v3>},<n4>={<v4>,<v5>}
    • --script-args-file <filename>
    • --script-help <filename>|<category>|<directory>|<expression>|all[,...]
    • --script-trace
    • --script-updatedb
  • Common options

  • -A (Aggressive mode)

    Enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). This mode sends a lot more probes, and it is more likely to be detected, but provides a lot of valuable host information.

  • -sV (Version detection)

    Enables version detection from open ports. The "-sR" flag is an alias for "-sV".

    • --allports (Don't exclude any ports from version detection)
    • --version-intensity <1-9> (Set version scan intensity)
    • --version-light (same as "--version-intensity 2")
    • --version-all (Try every single probe, same as "--version-intensity 9")
    • --version-trace (Trace version scan activity, printing extensive debugging info)
  • -sT (TCP connect scan)

    TCP connect scan is the default TCP scan type when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.

  • -Pn (Disable Ping)

    The -Pn option skips the Nmap discovery stage, causing Nmap to attempt the requested scanning functions against every target IP address specified. The ping stage allows Nmap to gather RTT samples that can speed up the following port scan, particularly if the target host has strict firewall rules. While specifying -Pn is rarely helpful as a time saver, it is important if some of the machines on your list block all of the discovery techniques that would otherwise be used. Users must strike a balance between scan speed and the possibility of missing heavily cloaked machines.

  • -O (Enable OS detection)

    Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS detection along with other things.

    • --osscan-limit (Limit OS detection to promising targets)
    • --osscan-guess; --fuzzy (Guess OS detection results)
    • --max-os-tries (Set the maximum number of OS detection tries against a target)
  • -sU (UDP scans)

    UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.

    A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in net/ipv4/icmp.c). Ideas for speeding up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

  • -sS (TCP SYN scan or Half-open Scan)

    SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

    This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection (see https://nmap.org/misc/split-handshake.pdf).
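    The two response-to-state mappings above (UDP scan and SYN scan) as an added example, not code from the original notes: constructed response tuples stand in for real packets, and the rules follow the ICMP codes and TCP flags the notes list. The rate-limit helper only illustrates the UDP timing problem described earlier.

```python
# Added example (not from the original notes): how a scanner turns what comes
# back from a probe into the port states Nmap reports for -sS and -sU scans.

# ICMP type-3 codes that mark a port "filtered" for a SYN scan (0,1,2,3,9,10,13).
SYN_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}
# For UDP, code 3 (port unreachable) means "closed"; these others mean "filtered".
UDP_FILTERED_CODES = {0, 1, 2, 9, 10, 13}

# A response is None (nothing back after retransmissions) or a constructed tuple:
#   ("tcp", "SA")      TCP segment carrying the given flag letters
#   ("icmp", 3, 3)     ICMP type 3 (unreachable) with the given code
#   ("udp",)           a UDP payload came back from the service

def classify_syn(resp):
    """Port state for one SYN probe, per the half-open scan description."""
    if resp is None:
        return "filtered"            # no answer after several retransmissions
    if resp[0] == "tcp":
        flags = set(resp[1])
        if "R" in flags:
            return "closed"          # RST: nothing is listening
        if "S" in flags:
            return "open"            # SYN/ACK, or a bare SYN (simultaneous open)
    elif resp[0] == "icmp" and resp[1] == 3 and resp[2] in SYN_FILTERED_CODES:
        return "filtered"
    raise ValueError(f"response not modelled here: {resp!r}")

def classify_udp(resp):
    """Port state for one UDP probe; note how a timeout stays ambiguous."""
    if resp is None:
        return "open|filtered"       # could be open, or a filter dropped the probe
    if resp[0] == "udp":
        return "open"                # only a real service answers with UDP
    if resp[0] == "icmp" and resp[1] == 3:
        if resp[2] == 3:
            return "closed"          # port unreachable
        if resp[2] in UDP_FILTERED_CODES:
            return "filtered"
    raise ValueError(f"response not modelled here: {resp!r}")

def udp_closed_port_floor_seconds(closed_ports, unreachables_per_second=1):
    """Lower bound on UDP scan time against a host that rate-limits ICMP port
    unreachables (the notes cite Linux 2.4.20 at one per second): every closed
    port needs its own unreachable message before it can be called closed."""
    return closed_ports / unreachables_per_second
```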

  • -T <0-5> (paranoid|sneaky|polite|normal|aggressive|insane): Set a timing template. Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or their name.

    • paranoid (0): IDS evasion
    • sneaky (1): IDS evasion
    • polite (2): Use less bandwidth and target machine resources
    • normal (3): Default
    • aggressive (4): Speeds scans up by making the assumption that you are on a reasonably fast and reliable network.
    • insane (5): Assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.
  • --script=vuln: Runs the scripts in the vuln category to detect known vulnerabilities in services.

  • -p (Only scan specified ports): This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

    When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the port numbers with T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol. The qualifier lasts until you specify another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all protocol lists.

    Ports can also be specified by name according to what the port is referred to in nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*. Be careful about shell expansions and quote the argument to -p if unsure.

    Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, the following will scan all ports in nmap-services equal to or below 1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
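    A parser for the -p syntax described above, added here as an example; it is not Nmap's own code. It handles numbers, ranges with omitted ends, -p-, explicit port 0 and the T:/U:/S:/P: qualifiers; the nmap-services name and [..] bracket forms are deliberately left out.

```python
# Added example (not from the original notes or from Nmap): expands an Nmap
# -p style port specification into per-protocol port lists.
PROTOS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}

def _max_port(proto):
    # IP protocol scans (-sO) take protocol numbers 0-255; the rest take 0-65535.
    return 255 if proto == "ip" else 65535

def _expand(item, proto):
    """One entry: '80', '1-1023', '-1023', '1024-' or '-' (full range)."""
    if "-" in item:
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s) if lo_s else 1              # omitted start -> 1
        hi = int(hi_s) if hi_s else _max_port(proto)  # omitted end -> max
    else:
        lo = hi = int(item)                        # port 0 allowed when explicit
    if not 0 <= lo <= hi <= _max_port(proto):
        raise ValueError(f"bad port range {item!r} for {proto}")
    return range(lo, hi + 1)

def parse_port_spec(spec):
    """Return {proto: sorted ports} for every protocol the spec names."""
    result = {p: set() for p in PROTOS.values()}
    targets = list(PROTOS.values())   # no qualifier yet: every protocol list
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTOS:
            targets = [PROTOS[item[0].upper()]]   # qualifier lasts until the next
            item = item[2:]
        if not item:
            raise ValueError("empty port entry")
        for proto in targets:
            result[proto].update(_expand(item, proto))
    return {p: sorted(s) for p, s in result.items() if s}
```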

Vulnerability testing tools that facilitate automation