Before Trinity could take down the electric grid, she had to find an attack vector. Her hack started with… nmap!
How
List all bells & whistles:
nmap --help
Fast Scan
+/- 10s
nmap -sT -T4 -Pn 10.23.10.2
This lists all ports that have something running.
The service name displayed is the default port of a known service for the port but there is no telling if that is actually the case.
Flags used:
-sT: Scan Technique: TCP connect scan, will show up in server logs.-sS: Quick (thousands/sec), unobtrusive and stealthy with clear, reliable differentiation between the open, closed, and filtered states. The default and most popular.-sU: UDP scans
-T<0-5>: Set timing template (higher is faster)- paranoid (0) & sneaky (1): Enable IDS (Intrusion Detection System) evasion
- polite (2): Don’t overload to the target machine
- normal (3): (default)
- aggressive (4): for fast and reliable networks
- insane (5): for extraordinarily fast networks
-Pn: Treat all hosts as online – skip host discovery
Slow Scan
+/- 10m
nmap -sT -T4 -Pn -sV -O -p- 10.23.10.2
Flags used:
-sV: Probe open ports to determine service/version info-O: Enable OS detection-p <port ranges>: Only scan specified ports
Docker
There is an Docker image for that…
docker run --rm -it instrumentisto/nmap -A -T4 scanme.nmap.org
Flags used:
-A: Enable OS detection, version detection, script scanning, and traceroute
When
At the start of the itenium Security Bootcamp at least one player per team should do an nmap scan to discover services that are not (yet) available directly from the Portal.
Also in this series
- This Part: Hacking Tool: nmap
- Part 2: Hacking Tool: hydra
- Part 3: Hacking Tool: sqlmap
- Part 4: The Security Bootcamp
- Part 5: Security Bootcamp Prep
Package Versions
nmap: v5.2