I'm trying to follow along in the nmap book and the author uses a couple of switches -sSU and -sSV, but never explains them. They are in these two search strings:
nmap -F -A -sSU ultra
nmap -PN -sSV -T4 -F www.amazon.com
Does -sSU and -sSV stand for another scan type? I couldn't find these switches in their documentation. I'm guess -sSV has something to do with version detection, but on the -sSU scan, it returned both TCP and UDP ports so I know that one's not just UDP. Any help would be appreciated, thanks.
Nmap's -s* options are all "scan types," which basically means features that can be turned on. Any that are not mutually exclusive can be combined. So when you specify -sSV you are combining -sS (TCP SYN scan) with -sV (service and application version detection). You can even combine more than two: -sSUV will do TCP and UDP port scans and follow them up with version probing.
EDITED TO ADD: "Mutually exclusive" scan types are those that scan the same transport protocol. So all TCP scan types (-sS, -sT, and the odd -sAMWFXNI types) have to be scanned separately. Also, IP Protocol scan (-sO) isn't allowed with any other scan types. Some of the odder features like FTP bounce (-b) are also probably not able to combine with the others.
Related
I'm trying to understand the basics of nmap and its functionality. I am using wireshark to check the network flow. I have a question regarding the following option.
What is the difference between the following commands. Is it recommended to use the -P0 option or not?
nmap -p113 scanme.nmap.org
nmap -p113 -P0 scanme.nmap.org
I have been trying to find what the -P0 option does but i can't find it in any nmap options cheat sheet.
From the nmap manual we learn:
In previous versions of Nmap, -Pn was -P0. and -PN..
Therefore, -P0 is now -Pn.
Now what is -Pn?
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. [...]
I am setting up some iptables to help protect against DDos attacks for a university assignment. Im using the OWASP broken wep application and i have found some rules that work and ive figured out majority of the rules i just cant find out what the -t means. for example:
Iptables -t mangle -A PREROUTING -m conntack –ctstate INVALID -j DROP
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
scan types, begin with -s, such as nmap -s* target_host
ping options, begin with -P, such as nmap -P* target_host
I have used wireshark and nmap to see underlying actions options -P*.
When I run both command
nmap -p9527 target_host
and
nmap -sP target_host
I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.
I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.
By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.
There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.
The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.
The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.
Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.
You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.
nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.
A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.
I am building a web app that uses some nmap flags, such as -O, which require a root user to run. Since I'm running this through a Java application, I don't want to run everything as root to accomplish this. Is it possible to change the nmap privs to all be non-root? Alternatively, what other options are there?
Nmap requires root privileges for some operations because the underlying OS requires them for the kinds of behavior Nmap uses: raw sockets and network sniffing, primarily. It's not something you can just change.
One option would be to only use the features of Nmap that do not require root. These features include:
Reverse name resolution
TCP host discovery (e.g. not ICMP ping or ARP)
TCP Connect scan (-sT)
Service version scan (-sV)
Most NSE scripts (e.g. not the broadcast or sniffer scripts)
The features that require root are:
ICMP and UDP host discovery
TCP SYN, FIN, NULL, XMAS, and other scan modes
UDP scan
OS fingerprinting
Traceroute
A few NSE scripts
It's important to note that Nmap doesn't have protections to prevent a root user from executing arbitrary code. This means that it is very unsafe to use it as a setuid program or to allow a non-admin user to run it with sudo.
A little research has been done into running Nmap with Linux file capabilities. You can see how to do this on the Running nmap as an unprivileged user page on SecWiki.org.
So basically I'm trying to scan web servers that run for example version apache 2.2.4 on their web server, what's the best way of doing this?
Scan for IP's range from blah blah to blah blah, with port 80 open + web server enabled then just make a script that loads ips and checks to see if they have the server banner i want.
Or what's an alternative faster way?
Basically I'm trying to make a script like ShodanHQ.
I'm trying to get a large amount of web servers running a certain version, can anybody give me a direction, thanks hope i was clear.
For doing Internet-wide surveys like Shodan or Scans.io, you need very-high-bandwidth access, legal approval (or at least a blind eye turned) from your ISP, and likely an asynchronous scanner like Zmap or masscan. Nmap is a decent alternative with the --min-rate argument. Anything using the default TCP stack on your OS (e.g. curl, netcat, or Perl solutions) will not be able to keep up with the high packet volume and number of targets required.
If, however, you want to scan a smaller network (say a /16 with 65K addresses), then Nmap is up to the job, requires less setup than the asynchronous scanners (since they require firewall settings to prevent the native TCP stack from responding to returned probes), and is widely available. You could get reasonable performance with this command:
sudo nmap -v -T5 -PS80 -p80 -sS --script http-server-header -oA scan-results-%D%T 10.10.0.0/16
This breaks down to:
-v - verbose output
-T5 - Fastest timing options. This may be too much for some networks; try -T4 if you suspect lost results.
-PS80 - Only consider hosts that respond on port 80 (open or closed).
-p80 - Scan port 80 on alive hosts
-sS - Use Nmap's half-open SYN scan, which has the best timing performance
--script http-server-header - This script will grab the Server header from a basic GET request. Alternatively you could use http-headers to get all headers, or use -sV --version-light to do basic version detection from probe responses.
-oA scan-results-%D%T - Output 3 formats into separate timestamped files. You can process results with one of the many tools that imports Nmap XML output.
You could use curl and sed:
curl -sI 'http://192.0.2.1' | sed -n 's/^Server:[[:blank:]]*//p'
Call it from perl with:
perl -e '$server=`curl -sI 'http://192.0.2.1' | sed -n 's/^Server:[[:blank:]]*//p'`; print $server'
The -I option in curl prints the http headers using a HEAD request.