Aggressive Network Scanning Techniques Using NMAP and Introduction to Netcat

NMAP and netcat are two of the most widely used tools in security engagements, for reasons ranging from port scanning to vulnerability assessment. Both are very capable and can be used in many ways; this article focuses on the aggressive uses of these tools and how they can support the enumeration phase of a penetration test.

It goes without saying: all the contents of this article should be used ethically, without attempting to breach or misuse any networks which you are not authorised to test. As the author of this article, I take no responsibility for unethical use of these tools; the purpose of this article is to spread knowledge amongst aspiring and current security analysts/engineers. With the serious stuff out of the way, I hope you enjoy this article.

Aggressive NMAP scanning techniques

NMAP is a popular reconnaissance tool used for many types of security activities such as port scanning, version detection of services, OS detection, determining port states, service enumeration and even attacking services. You can read more on the basics of NMAP in the first blog of this "Using NMAP" series, which you can find at: https://linuxalldayeveryday.blogspot.com/2019/06/using-nmap.html

In this article I will be covering the main methods of using NMAP in an aggressive manner and how you can make the most out of this tool in any kind of CTF (Capture the Flag) or even a penetration test. Of course, a penetration test can be either legally approved or illegally performed, so to be very clear about the intention behind releasing this information, refer to my disclaimer above.

NMAP NSE Scripts

NSE Source page: https://nmap.org/book/nse.html

As part of using NMAP, there is an extension of the program named NSE (NMAP Scripting Engine). This component of NMAP is a collection of scripts, all written in the Lua programming language, which can prove extremely useful in certain circumstances. There are different types of NMAP scripts you can use, each designed for its own purpose. If we break the NMAP scripts down into categories by what they are used for, we get the following:

  • Network Discovery
  • Vulnerability Detection
  • Advanced Version/Service Detection
  • Exploitation 

So if anyone turns around and tells you "NMAP is not an attacking tool, it is a reconnaissance tool": false, simply false. You can prove that statement false for yourself once you've read this entire article and tried out some of the techniques.

NMAP scripts can be invoked alongside the standard options of an NMAP scan by using the following syntax:

  • nmap -sCVT (IP address)

Alternatively we can pass the scan types as separate switches, -sC -sV -sT, because of the way NMAP is coded: it uses a convenient technique known as "Parsing Program Arguments". This technique allows command line programs such as NMAP to accept arguments flexibly, both as shortened switches such as -sC and as long names, for example --script.

Argument parsing is a very powerful technique and has built-in support in programming languages such as C or Python. Since it is a programming technique, a detailed discussion would mean getting into programming talk; please consult this link if you want to know more: https://www.gnu.org/software/libc/manual/html_node/Parsing-Program-Arguments.html

To further explain the command syntax of my NMAP call (each letter after -s selects one scan type):

  • -sC - Runs the default set of NSE scripts against any ports detected as open during the scan
  • -sV - Version detection for the ports which are determined to be open
  • -sT - Standard TCP connect scan against the server
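To make the parsing point concrete, here is an added Python model of how clustered short options such as -sCVT, -p- and -vv are handled with getopt. It is a teaching reimplementation, not nmap's code; the scan-type letters and the -A bundle are limited to what this article describes.

```python
import getopt

# Letters accepted after -s, as in the article's -sCVT (assumption: only the
# three scan types the article explains are modelled here).
SCAN_LETTERS = {"C": "script scan", "V": "version detection", "T": "TCP connect scan"}
# -A is a wrapper for several techniques; the article lists these four.
AGGRESSIVE_BUNDLE = ["OS detection", "version detection", "script scan", "traceroute"]


def parse_ports(spec):
    """Expand a -p argument: '-' alone is shorthand for every port, 1-65535."""
    if spec == "-":
        return (1, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def parse_nmap_args(argv):
    """Parse nmap-style clustered short options (teaching model, not nmap itself)."""
    # getopt reads '-sCVT' as option 's' with argument 'CVT', '-p-' as 'p' with
    # argument '-', and '-vv' as two separate 'v' options.
    opts, targets = getopt.gnu_getopt(argv, "s:p:T:P:vA")
    result = {"scan_types": [], "ports": None,  # None: nmap's default 1,000 ports
              "timing": 3, "host_discovery": True, "verbosity": 0, "targets": targets}
    for flag, value in opts:
        if flag == "-s":                      # every letter is a separate scan type
            for letter in value:
                result["scan_types"].append(SCAN_LETTERS[letter])
        elif flag == "-p":                    # -p- == -p 1-65535
            result["ports"] = parse_ports(value)
        elif flag == "-T":                    # -T0 .. -T5 timing template
            result["timing"] = int(value)
        elif flag == "-P" and value == "n":   # -Pn: skip host discovery
            result["host_discovery"] = False
        elif flag == "-v":                    # each repetition raises verbosity
            result["verbosity"] += 1
        elif flag == "-A":                    # bundle, skipping types already requested
            for name in AGGRESSIVE_BUNDLE:
                if name not in result["scan_types"]:
                    result["scan_types"].append(name)
    return result


if __name__ == "__main__":
    print(parse_nmap_args("-sCVT -Pn -T5 -p- -vv -A 192.0.2.10".split()))
```

Running it on the article's own command shows why -A made most of the other switches redundant: version detection and the script scan are already in the bundle.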

Aggressive scanning methods

Usually I'd add a lot more switches to an aggressive NMAP scan to make it more efficient and faster. The scan above would use the default timing and would only scan NMAP's default 1,000 ports because no custom port range was specified; when enumerating a target it's vital to scan every single port (if you can and the engagement is not focused on stealth). Anyway, enough of the chit-chat, here's the improved scan with the switch options explained.

Example scan and use of aggressive switches

  • nmap -sCVT -Pn -T5 -p- -vv -A (IP address) 

-Pn - Skip host discovery. During a default scan NMAP first performs certain checks to discover whether a host is actually up before it considers scanning it; if you're sure the host is active, or you just want to scan it regardless, this is the best option. There may even be some advantage in scanning speed, however this isn't something I can accurately speak on since I've never tested it with reliable data.

-T5 - NMAP has timing switches which run from -T0 (the slowest scan, designed for stealth and for avoiding the triggering of network defences) all the way to -T5 (simply the fastest). If you were to run -T5 against a network, a live capture would show a burst of packets going to the ports; this is where network defences such as PSAD (Port Scan Attack Detector), if installed, will shut off the port due to the scan attempts being made from an unauthorised IP or device. It could even be a live administrator on the other side of the network who shuts you down instantly. Aggressive port scanning is not only a form of information gathering but can also amount to a DoS (Denial of Service). Other than the fact that network defences don't like the -T5 option, it is great for a speedy scan.
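As an added illustration from the defender's side (not part of the original article), the following Python detector flags the burst of connection attempts that a -T5 scan produces, in the spirit of the PSAD detection mentioned above. The iptables-style log lines are constructed for the example, not captured from a real host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed iptables-style log lines: one source probes ten distinct ports
# within two seconds (T5-like burst), another touches three ports over ten minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
2024-05-01T10:00:00 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2024-05-01T10:00:00 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2024-05-01T10:00:01 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2024-05-01T10:00:01 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2024-05-01T10:00:01 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
2024-05-01T10:00:01 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=139 SYN
2024-05-01T10:00:02 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:00:02 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
2024-05-01T10:00:02 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389 SYN
2024-05-01T10:00:05 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2024-05-01T10:05:00 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2024-05-01T10:10:00 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) .*\bSRC=(?P<src>\S+) .*\bDPT=(?P<dpt>\d+)")


def detect_port_scans(log_text, window_s=5, min_ports=8):
    """Return {source: sorted distinct ports} for every source that hit at least
    min_ports distinct destination ports inside any window_s-second window."""
    events = defaultdict(list)  # source -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dpt"])))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        window = deque()
        for ts, port in hits:
            window.append((ts, port))
            # Slide the window: drop hits older than window_s seconds.
            while ts - window[0][0] > timedelta(seconds=window_s):
                window.popleft()
            ports = {p for _, p in window}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))
```

The same logic with a long window and a low threshold (for example 600 seconds and 3 ports) also catches the slow source, which is the trade-off a -T0 scan tries to exploit.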

Personal story about DoS (Denial of Service): whilst messing with Metasploitable (a vulnerable virtual machine available for testing security techniques) I was performing a SYN flood against the server. A SYN flood sends TCP packets which consist of the SYN flag only to the target, filling up its network traffic and essentially causing a disruption of service. Whilst running the attack I somehow not only knocked out the target but also lost my own network access, because I was performing a DoS attack on the server. A -T5 scan is considered a service disruption for the same reason: it has the potential to knock out a server that can't take so much network traffic at once.

-p- - This option is an abbreviation of -p 1-65535, 1 being the lowest and 65535 the highest port number available on any network-capable device. It scans every port on the server you've targeted so you don't miss any hidden services (provided they're open).

-vv - This option is for verbosity. Verbosity in any program is just additional information about what's actually happening during the scan. As mentioned before, we can have the issue of pesky defences (PSAD) preventing us from scanning, or something else going on; with verbosity enabled we can easily determine further information about our scan. There are also other options such as --packet-trace, which is explained in great detail at this site: https://www.hackingarticles.in/understanding-nmap-packet-trace/

You generally would not need to go down to source code level or enable any debugging switches in NMAP unless, of course, you are planning to go full ninja during your scanning phase and would like to minimise detection or optimise performance during the scan.

-A - Aggressive detection: several techniques in one wrapper, namely OS detection, version detection, traceroute and the default scripts to aid the scan. We didn't really need to include this switch alongside the rest of them; instead we could have replaced the majority of the other switches with this one, which is another example that a higher number of switches means nothing in itself.

The thing about NMAP, or any other tool, is that it's not about the quantity of switches you add; sometimes the switches you add, and the combination you add them in, can have a negative performance impact on your attacking workstation.

A clear example is the command above, where I added -A alongside -sV. If the device does not have enough processing power to deal with the scan then you risk crashing your system; just a side note for anyone who has a small laptop or even a desktop which is considered legacy: heavy NMAP scans do not play well with it. To answer the unspoken question of "How do you know this?": experience. I know that running heavy scans on a device with limited processing power will not go down well; just a friendly warning.

Those who understand the TCP 3-way handshake and have performed penetration tests may question my choice of syntax because it completely destroys any hope of being stealthy. You're right; it is an extremely loud scan, and any live data capture, network defence such as PSAD and certainly any log capture would mean our activity is detected. The main focus of this blog is to demonstrate the practical capabilities of NMAP, which is done more simply without any concern for detection.

Netcat

As I mentioned earlier, an aggressive scan doesn't always help when defences are in place. In fact, it can give you false negatives and sometimes even a custom TCP fingerprint, which isn't exactly helpful if you can't decode the fingerprint by identifying the data. So instead of using NMAP and its timing switches to check whether a port is open, you can use another tool which is known by many names, but I will refer to it as netcat.

What is netcat 

Netcat is known as the Swiss army knife for all of us system/network administrators. Netcat is a TCP connection program that allows many different operations to be carried out, such as bind shells, reverse shells, file transfers, port scans, debugging socket connections; the list goes on...

Netcat is a pretty good tool and is most commonly used in penetration testing situations which involve direct engagement with the target machines, usually to create reverse shells or bind shells; which one depends on the situation at hand. For example, you could be in a situation which requires you to execute a reverse shell, with netcat as the listener that catches the shell for you to make use of. Or you make use of a bind shell on a service which allows bind connections due to poorly configured firewalls; not the most encouraging thing to see in an engagement, however it's a plus point for those on the attacking side of things.

Types of shells in netcat

There are two kinds of shells which netcat handles, called a reverse shell and a bind shell. A reverse shell is a reversed connection from a destination machine leading back to the source machine. It is very useful in situations which involve connecting to a host protected by a firewall that disallows you from connecting to it directly using a bind connection; in such situations tools such as Python, Perl, PowerShell or Bash can be used to send a reverse shell back to the source machine.

Of course there are uses for this in security situations. Let's take the same perspective of a machine protected by a firewall which we want to connect to, and assume that machine is a target with a vulnerable application allowing code execution. If we issue the appropriate reverse shell and execute it accordingly, we can catch the reverse shell on our side and gain access to the machine.

Moving on to the bind shell. A bind shell is a direct connection from a source machine to a destination machine. As mentioned earlier, this is good for connecting to services directly, or even gaining shell access to machines if the ports are reachable through the firewall. Bind connections also have their own legitimate uses, such as connecting to services like telnet, SMTP or POP3 to log in and carry out tasks. There is also the security focus of bind connections, as they allow us to banner grab the versions of applications installed on a machine, which is very useful for the enumeration phase of an attack.

Syntax for netcat:

nc = Name of netcat (There is also the updated version called "netcat")

-n = No DNS resolution

-z = Zero input/output mode, allowing a port scan (this is good for evading port scan detection since fewer packets are sent compared to an NMAP scan, which can trigger these defences)

-l = Listening mode of netcat

-p = Source port on the machine; this option is mainly combined with verbose output and no DNS resolution when catching a reverse shell

-w (integer value) = Timeout value. This option is good for file transfers in netcat, because once the transaction is done the timeout allows netcat to exit cleanly, rather than having to cancel the connection without actually knowing whether the file transferred successfully.

File transfer in netcat (start the receiver first, then the sender; the timeout lets the sender exit once the data has been sent):

nc -l -p (port) > (output file)
nc -w (value of timeout) (receiver IP address) (port) < (input file)

For more information on netcat: https://linux.die.net/man/1/nc

Final thoughts 

This article was mainly a taster of some aggressive methods of using NMAP and netcat. Both tools are extremely powerful and useful in their own respective ways; it all depends on the situation that dictates their usage. This article was very focused on aggressive methods since they allow the most information to be retrieved from a target scan, however there is also the flip side of the coin, which is applying stealth in NMAP. Stealth is a very important and rather overlooked component in most penetration testing blogs I have come across. In real-life engagements, however, the idea of stealth and the methods of remaining hidden give us the ability to conduct strong red team tests for clients and to keep up with attacking entities.

Thank you for reading. Please feel free to drop any feedback, comments or suggestions for further posts; it would be much appreciated.

Aqeeb Hussain 

