Avoiding a Firewall with NMAP

Some firewalls block port scanning, so you'll often need one of the following techniques, or a combination of them, to get your scans past a firewall.
Avoiding a Firewall:
Skip host discovery (assume all are online):
nmap -Pn 192.168.1.7
Fragment packets:
nmap -f 192.168.1.7
Use random decoy IP addresses:
nmap -D RND:10 192.168.1.7
Spoof a random MAC address (the argument 0 tells Nmap to generate a random one):
nmap --spoof-mac 0 192.168.1.7
Set the source port of the scan (try 20, 53 or 67; these are apparently the ports most commonly allowed inbound through firewalls):
nmap --source-port 20 192.168.1.7
A nice combination: skip host discovery (-PN is the older spelling of -Pn), TCP connect() scan, very verbose, ports 1-1000, aggressive timing, XML output:
nmap -PN -sT -vv -p1-1000 -T4 -oX filename.xml 192.168.1.*
Note: this is a good initial scan, but keep in mind you're only scanning the first 1000 ports. Common ports such as 5900 (VNC), 8443 (HTTPS alt) and others will be missed! Add other option combinations to suit your needs.
 
Idle (zombie) host scan: this bounces the scan off an idle host on the target network. First use Metasploit to find an idle host with a predictable IP ID sequence:
msfconsole
> use auxiliary/scanner/ip/ipidseq
> show options
> set RHOSTS 192.168.1.*
> run
Any host whose IPID sequence is reported as incremental (sequential) is a viable zombie candidate. Say it was 192.168.1.14: pull up another console and run:
nmap -sI 192.168.1.14 192.168.1.7
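The techniques above leave recognisable traces in firewall logs. The script below is an added example, not code from the original post: it takes netfilter-style LOG lines (constructed here, not captured traffic) and flags a source that sweeps many destination ports in a short window, that reuses one of the low source ports suggested above for every SYN, or that sends IP fragments. The thresholds and the log format are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed netfilter-style LOG lines (not real traffic). 192.168.1.50 sweeps
# twelve ports on 192.168.1.7 from source port 20 and sends a fragmented probe;
# 192.168.1.20 is a normal client using ephemeral source ports.
SCANNER, VICTIM, CLIENT = "192.168.1.50", "192.168.1.7", "192.168.1.20"
SAMPLE_LOG = [
    f"Apr  1 12:00:{i:02d} fw kernel: IN=eth0 OUT= SRC={SCANNER} DST={VICTIM} "
    f"LEN=44 TTL=64 ID={i} DF PROTO=TCP SPT=20 DPT={20 + i} SYN"
    for i in range(1, 13)
] + [
    # first fragment carries MF (more fragments); later fragments show FRAG:<offset>
    f"Apr  1 12:00:13 fw kernel: IN=eth0 OUT= SRC={SCANNER} DST={VICTIM} LEN=36 TTL=64 ID=99 MF PROTO=TCP SPT=20 DPT=80",
    f"Apr  1 12:00:13 fw kernel: IN=eth0 OUT= SRC={SCANNER} DST={VICTIM} LEN=28 TTL=64 ID=99 FRAG:8 PROTO=TCP",
    f"Apr  1 12:00:14 fw kernel: IN=eth0 OUT= SRC={CLIENT} DST={VICTIM} LEN=60 TTL=64 ID=501 DF PROTO=TCP SPT=51234 DPT=443 SYN",
    f"Apr  1 12:00:15 fw kernel: IN=eth0 OUT= SRC={CLIENT} DST={VICTIM} LEN=60 TTL=64 ID=502 DF PROTO=TCP SPT=51235 DPT=443 SYN",
]

TIME_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)")
LOW_SOURCE_PORTS = {20, 53, 67}   # the source ports the post suggests trying


def parse_line(line):
    """Return (seconds since midnight, key=value fields, bare flags) for one LOG line."""
    h, m, s = (int(x) for x in TIME_RE.match(line).groups())
    fields, flags = {}, set()
    for tok in line.split()[5:]:          # skip "Mon dd hh:mm:ss host kernel:"
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)                # DF, MF, SYN, FRAG:<offset>, ...
    return h * 3600 + m * 60 + s, fields, flags


def analyse(lines, window=60, port_threshold=10, frag_threshold=2):
    """Map each suspicious source IP to a list of findings."""
    syns = defaultdict(list)              # src -> [(time, dst port, src port)]
    frags = Counter()                     # src -> fragment lines seen
    for line in lines:
        t, f, flags = parse_line(line)
        src = f.get("SRC")
        if not src or f.get("PROTO") != "TCP":
            continue
        if "MF" in flags or any(fl.startswith("FRAG:") for fl in flags):
            frags[src] += 1
        if "SYN" in flags and "DPT" in f:
            syns[src].append((t, int(f["DPT"]), int(f["SPT"])))

    findings = defaultdict(list)
    for src, events in syns.items():
        events.sort()
        # sliding window: peak number of distinct destination ports within `window` seconds
        in_window, lo, peak = Counter(), 0, 0
        for t, dpt, _ in events:
            in_window[dpt] += 1
            while events[lo][0] < t - window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= port_threshold:
            findings[src].append(f"port sweep: {peak} distinct ports within {window}s")
        # real clients pick ephemeral source ports; one fixed low port across many SYNs is a scan signature
        spts = {spt for _, _, spt in events}
        dpts = {dpt for _, dpt, _ in events}
        if spts <= LOW_SOURCE_PORTS and len(dpts) > 1:
            findings[src].append(f"fixed source port {sorted(spts)} reused for {len(events)} SYNs")
    for src, n in frags.items():
        if n >= frag_threshold:
            findings[src].append(f"{n} IP fragments (possible nmap -f)")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in analyse(SAMPLE_LOG).items():
        print(src, *notes, sep="\n  ")
```

Run as-is it reports only 192.168.1.50, with all three findings; the normal client never trips a rule because its source ports are ephemeral and it only ever hits port 443. Decoy scans (-D) show up the same way, once per decoy address, so the useful mitigation is to alert on the pattern rather than trust any single source address.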

Basic NMAP

NMAP is a great tool to scan your IP range and see what information attackers can gather about your network: which ports are open, what services are running and which versions, whether you have a firewall, the operating systems running on hosts, which hosts are up, reverse DNS, etc. Below are the scans we've found most helpful. For example purposes, we'll use 192.168.1.7 as our target host IP.
Generic NMAP scan: shows which ports are open and which services are running, resolves the IP to a hostname, and reports whether the host is up:
nmap 192.168.1.7
nmap scanme.nmap.org
Scanning multiple IPs:
nmap 192.168.1.0-255
nmap 192.168.1.*
nmap 192.168.1.7,192.168.1.4
nmap -iL List_Of_IPs.txt
Output results as XML:
nmap 192.168.1.7 -oX Output_file.xml
On Unix, xsltproc can then convert the XML to HTML (it applies the nmap.xsl stylesheet referenced from the XML file):
xsltproc Output_file.xml > Output_html_file.html
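Beyond rendering it, the -oX file is the easiest thing to post-process. The following is an added example, not from the original post: it parses Nmap's XML (the element names host/address/ports/port/state/service are Nmap's own, but the scan result embedded here is constructed) and reports, per host, the open ports and anything open that is not in an assumed baseline of expected services. That last check is what turns a routine scan of your own range into something actionable.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (not a real scan), trimmed to the elements used below.
# The element names and attributes follow Nmap's XML output; the hosts and ports are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX Output_file.xml 192.168.1.7 192.168.1.4">
  <host>
    <status state="up"/>
    <address addr="192.168.1.7" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.lan" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
      <port protocol="tcp" portid="8443"><state state="filtered"/><service name="https-alt"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.4" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed baseline of ports that should be open on each host (illustrative, not from the post)
EXPECTED = {"192.168.1.7": {22, 445}}


def summarize(xml_text):
    """Return {ip: {"up": bool, "hostname": str|None, "open": [{port, proto, service, version}, ...]}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hostname = host.find("hostnames/hostname")      # None when Nmap found no PTR record
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                                 # ignore closed/filtered ports
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            open_ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                               "service": name, "version": version})
        hosts[addr] = {
            "up": host.find("status").get("state") == "up",
            "hostname": hostname.get("name") if hostname is not None else None,
            "open": sorted(open_ports, key=lambda p: p["port"]),
        }
    return hosts


def unexpected_ports(summary, expected):
    """Open TCP ports per host that are not in the expected baseline (hosts with none are omitted)."""
    out = {}
    for addr, info in summary.items():
        allowed = expected.get(addr, set())
        extra = [p["port"] for p in info["open"] if p["proto"] == "tcp" and p["port"] not in allowed]
        if extra:
            out[addr] = extra
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_XML)
    for addr, info in summary.items():
        state = "up" if info["up"] else "down"
        services = ", ".join(f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
                             for p in info["open"])
        print(f"{addr} ({info['hostname'] or '-'}) {state}: {services}")
    print("unexpected:", unexpected_ports(summary, EXPECTED))
```

Point it at a real -oX file with `summarize(open("Output_file.xml").read())`. On the constructed sample the unexpected-port check singles out 5900 (VNC) on 192.168.1.7, which is exactly the kind of port a default 1-1000 scan would have missed.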
Operating System Fingerprinting:
nmap -O 192.168.1.7
A more thorough scan: version detection, OS fingerprinting and traceroute (-A), with verbose output:
nmap -v -A 192.168.1.7