
Nmap: Scan All the Things (Part Five: Secret Weapon Called NSE and Evading Detection!)

Updated: Jan 22

Introduction


This post, episode 5 of my Nmap series "Nmap: Scan All the Things", reviews the Nmap Scripting Engine (NSE) and firewall/IDS evasion methods. I explore NSE's script types and phases, then cover Nmap's firewall and IDS evasion techniques, and finally give a brief overview of Nmap's output options. If you're interested in cybersecurity, please check back regularly on Cyb3r-S3c and visit my YouTube channel, Cyb3r_0verWatch, where you can watch the video version of this post (https://youtu.be/yjFcplb2M_c) and find more informative content.



Nmap Scripting Engine


The Nmap Scripting Engine (NSE) is a versatile and powerful feature that allows users to write and share scripts for automating a wide range of networking tasks. With NSE, users can rely on the growing and diverse set of scripts that come with Nmap or write their own to meet their specific needs. NSE is designed to be flexible and can perform tasks such as network discovery, more sophisticated version detection, vulnerability detection, backdoor detection, and vulnerability exploitation.


Network discovery is one of the primary functions of Nmap. NSE can perform tasks such as looking up whois data based on the target domain, querying ARIN, RIPE, or APNIC for the target IP to determine ownership, performing identd lookups on open ports, SNMP queries, and listing available NFS/SMB/RPC shares and services. In addition to network discovery, NSE can perform more sophisticated version detection than Nmap's regular expression signature-based matching system. It can recognize services that Nmap's version detection cannot, such as the Skype v2 service, and can recognize more SNMP services by brute-forcing community names.


NSE is also powerful enough to handle demanding vulnerability checks, making it useful for quickly identifying vulnerable systems on networks. NSE has been used to detect vulnerabilities such as the Heartbleed bug and backdoors such as the DoublePulsar NSA backdoor in SMB, as well as backdoored versions of UnrealIRCd, vsftpd, and ProFTPd. As a general scripting language, NSE can even be used to exploit vulnerabilities rather than just find them. However, it is important to note that Nmap is not intended to be a comprehensive exploitation framework like Metasploit.


NSE Script Usage

To enable the most common scripts, simply specify -sC. If you prefer to choose your own scripts, use the --script option and provide categories, script file names, or the name of directories full of scripts. Customization is also possible by providing arguments to scripts via the --script-args and --script-args-file options. To better understand each selected script, use the --script-help option. While the --script-trace and --script-updatedb options are mainly used for script debugging and development, script scanning is included as part of the -A (aggressive scan) option.


When running a script scan, it's recommended to combine it with a port scan since scripts may or may not be run depending on the port states found by the scan. However, it's also possible to run a script scan without a port scan by using the -sn option for host discovery. In this case, only host scripts will be eligible to run. If you want to run a script scan with neither host discovery nor port scan, use the -Pn -sn options together with -sC or --script. Every host will be assumed up, and only host scripts will be run. This technique is useful for scripts like whois-ip that only use the remote system's address and don't require it to be up.



NSE CLI Arguments

  • -sC (Nmap will run the most common and useful NSE scripts against the target hosts, which can provide valuable information about open ports, running services, and potential vulnerabilities. These scripts are typically categorized as safe scripts that are not likely to cause disruption to the scanned systems.)

  • --script (It is used to specify Nmap scripts to be executed during the scan. You can specify one or more scripts to be executed during the scan. The option can be used with the script name, category name, or filename, and can be repeated multiple times for running several scripts.)

  • --script-args (This option is used to provide arguments to NSE scripts in Nmap. Many NSE scripts have customizable parameters that allow you to specify certain values, such as a timeout or a specific target. These parameters can be passed using this option.)

  • --script-args-file <filename> (It's used to specify a file containing a set of arguments to be passed to NSE scripts. Instead of specifying the arguments on the command line, you can create a file that contains the arguments and pass the filename to Nmap.)

  • --script-help <filename | directory | category | all> (It's used with the Nmap Scripting Engine (NSE) to display information about a specific script or a list of available scripts. When used with the name of a script, it displays a brief description of the script and the arguments it supports. This option is helpful when you need more information about a script's functionality, usage, and supported arguments.)

  • --script-trace (It's a command-line flag in Nmap that instructs Nmap to display detailed information about the execution of the NSE scripts being run. This option can be helpful for troubleshooting NSE script issues or for understanding the behavior of the scripts being run.)

  • --script-updatedb (It's used to update the script database used by Nmap's scripting engine. This database includes information about all the scripts available to Nmap, as well as details about their arguments, categories, and dependencies.)



NSE Script Types and Phases


NSE scripts are classified into four types based on their target and the scanning phase in which they operate. Some scripts can even support multiple types of operation.

  • Prerule scripts: These run before Nmap starts any scan phases. Since Nmap has not yet gathered any information about its targets, prerule scripts are useful for tasks that do not depend on specific scan targets. They can perform network broadcast requests to query DHCP and DNS-SD servers. Some prerule scripts can even generate new targets for Nmap to scan if you specify the newtargets NSE argument. For example, the dns-zone-transfer script can obtain a list of IPs in a domain using a zone transfer request and add them to Nmap's scan target list. A prerule script is identified by containing a prerule function.

  • Host scripts: Operate during Nmap's normal scanning process after Nmap has performed host discovery, port scanning, version detection, and OS detection against the target host. Host scripts are invoked once against each target host that matches its hostrule function. Examples of host scripts include whois-ip, which looks up ownership information for a target IP, and path-mtu, which tries to determine the maximum IP packet size that can reach the target without fragmentation.

  • Service scripts: These run against specific services listening on a target host. For instance, Nmap includes more than 15 HTTP service scripts to run against web servers. If a host has web servers running on multiple ports, these scripts may run multiple times (once for each port). A service script is identified by containing a portrule function, which decides which detected services the script should run against.

  • Postrule scripts: These run after Nmap has scanned all its targets. They can be useful for formatting and presenting Nmap output. For instance, ssh-hostkey is best known for its service (portrule) script that connects to SSH servers, discovers their public keys, and prints them. But it also includes a postrule that checks for duplicate keys among all the hosts scanned and then prints any found. Another potential use for a postrule script is printing a reverse index of the Nmap output: showing which hosts run a particular service rather than just listing the services on each host. A postrule script is identified by containing a postrule function.


NSE Categories


The NSE script category system is an essential feature that allows users to choose which scripts to run based on their specific needs. Here's a more detailed description of each script category:


  • Auth: Scripts in this category perform authentication checks against remote services to determine if access is permitted. This can include checking for default or weak passwords, or identifying systems that do not require authentication.

  • Broadcast: Scripts in this category send or listen for broadcast traffic on the network to gather information about other hosts or services.

  • Brute: Scripts in this category perform brute force attacks against remote services to guess usernames and passwords, or other sensitive information.

  • Default: Scripts in this category are automatically run by default when the -sC option is specified. They are generally considered safe and provide useful information for most users.

  • Discovery: Scripts in this category are used for network discovery and mapping, including host and service identification, port scanning, and operating system detection.

  • DoS: Scripts in this category perform denial of service attacks against remote services, usually with the intent of disrupting or disabling them.

  • Exploit: Scripts in this category attempt to exploit vulnerabilities in remote services to gain unauthorized access or perform other malicious actions.

  • External: Scripts in this category interact with external services or resources, such as online databases or web services.

  • Fuzzer: Scripts in this category send invalid or unexpected input to remote services to identify vulnerabilities or unexpected behavior.

  • Intrusive: Scripts in this category may cause disruption or damage to remote services or systems, and should be used with caution. They may include exploits, denial of service attacks, or other intrusive techniques.

  • Malware: Scripts in this category detect or analyze malware on remote systems.

  • Safe: Scripts in this category are considered safe and non-intrusive, and are suitable for use in most situations. They may include information gathering or vulnerability detection scripts.

  • Version: Scripts in this category perform service and application version detection to identify installed software and their versions.

  • Vuln: Scripts in this category check for known vulnerabilities in remote services or software, and may attempt to exploit them to gain access or perform other actions.



Firewall/IDS Evasion


Nmap firewall and IDS evasion are techniques used to bypass network security measures such as firewalls and intrusion detection systems (IDS). Nmap offers many features that can be used to bypass poorly implemented network defenses. For example, Nmap can use a technique called fragmentation to evade IDS systems that rely on packet inspection to detect and block traffic. By fragmenting packets, Nmap can hide the true nature of the traffic and bypass IDS detection.

In addition to fragmentation, Nmap offers several other techniques for bypassing firewalls and IDS systems, including IP spoofing, TCP evasion, and using non-standard ports. Network administrators can use Nmap to test their network security posture by attempting to bypass their own defenses. This can help identify weaknesses in the security infrastructure that need to be addressed.



Firewall Evasion Methods


  • Fragmentation - Some packet filters struggle with IP packet fragments, which can result in interesting outcomes if the first fragment is not long enough to contain the entire TCP header, or if the second packet partially overwrites it. While the number of filters with this vulnerability is decreasing, Nmap offers the -f option to send tiny IP fragments with up to eight bytes of data in each. The --mtu option allows you to specify the maximum data bytes as an argument. However, fragmentation is only supported for Nmap's raw packet features and not for higher-level features like version detection and Nmap Scripting Engine. It's worth noting that out-of-order and partially overlapping IP fragments can be useful for network research and exploitation, but require even lower-level networking tools than Nmap.


  • MAC Address Spoofing - Network devices are identified by a unique MAC address consisting of six bytes. The first three bytes represent the organizationally unique identifier (OUI), assigned to a vendor by IEEE, and the remaining three bytes are assigned uniquely by the vendor. Nmap provides a database that maps OUIs to vendor names. While MAC addresses can be changed with a driver, few people change them, making them vulnerable to unauthorized network access, as many networks use MAC addresses for identification and authorization. Sniffing MAC addresses is easy, and spoofing them to gain unauthorized access is also simple. MAC addresses are also used for accountability purposes, but MAC address spoofing undermines this approach. Nmap supports MAC address spoofing with the --spoof-mac option, which can take several forms, including a completely random MAC address, a string of even hex digits, a vendor name, or a mix of hex digits and vendor names. This option is only effective for raw packet scans, such as SYN scan or OS detection, and does not affect connection-oriented features such as version detection or the Nmap Scripting Engine. Even when MAC address spoofing isn't necessary for network access, it can be used for deception.

  • Source Routing - Source routing is an old technique that is still effective in some cases. If a router on the path is causing trouble, try to find a route around it. However, its effectiveness is limited, as packet filtering issues often occur on or near the target network. Nmap supports loose and strict source routing via the --ip-options option. For example, use --ip-options "L 192.168.1.7 192.168.1.9" for loose source routing, or S instead of L for strict source routing. If using strict source routing, you need to specify every hop along the path. IPv4 source routing is typically blocked, but IPv6 source routing is more pervasive.

  • FTP Bounce Scan - The FTP bounce scan (-b) can be used to exploit vulnerable FTP servers and allow outside attackers to scan other parties. In some configurations, attackers can even bypass an organization's firewall using this technique. For example, a printer with a vulnerable FTP service can be used to relay a port scan, allowing the attacker to scan normally inaccessible internal addresses if the printer is located behind the organization's firewall.



IDS Evasion Methods


Scan Speed Reduction - Avoiding IDS alerts when conducting port scans requires patience since port scan detection is usually threshold-based. IDS systems monitor the number of probes sent within a specific time frame, preventing false positives from innocent users and conserving system resources. You can avoid detection by keeping scan rates below the threshold. Nmap provides various canned timing modes, like -T paranoid and -T sneaky, that can be used to mitigate the risk of detection. The paranoid option sends one probe at a time, waiting five minutes between them, while the sneaky option waits only 15 seconds. Instead of using canned timing modes, you can customize timing variables precisely by using options like:

  • Max Parallelism (--max-parallelism) - set the maximum number of probes that can be sent at any given time during a scan. This option can be useful for evading firewall and IDS detection as it allows the scan to appear less suspicious by limiting the number of probes sent simultaneously. By reducing the number of simultaneous probes, the scan appears less like an automated attack and more like legitimate traffic.

  • Min RTT Timeout (--min-rtt-timeout) - It's used to set the minimum round-trip time (RTT) that Nmap should expect when scanning a target. This option can be helpful in evading firewall and IDS detection because some devices may trigger alerts based on the number of packets received in a certain time period, or on RTT values that are outside of the expected range. By setting a minimum RTT value, Nmap can delay its scan if it encounters a slow or unresponsive target, which can help avoid triggering these types of detections.

  • Scan Delay (--scan-delay) - This option allows the user to add a delay between packets sent during a scan. By adding a delay, Nmap avoids sending packets too quickly and triggering time-based firewall and IDS alarms on the network. It is also beneficial for stabilizing a scan against rate-limiting hosts.

  • Fragmentation - IP fragments can be problematic for intrusion detection systems as they have to guess how the remote system will interpret a packet, which can differ between platforms. Fragment assembly can also be resource intensive. Thus, some IDS still do not support fragmentation well. To overcome this, specify the -f option to use tiny IP fragments (8 data bytes or fewer) when performing a port scan.

  • Decoys - The -D option is used to add decoys to the scan. The argument for this option is a comma-separated list of hosts. To indicate the true source host in the scan order, use the string ME. If not specified, the true source host will be placed randomly in the list. To avoid detection by common port scan detectors, include ME in the 6th position or later. Scanlogd, a popular port scan detector, only logs the first five scan sources to prevent its logs from being flooded with decoys.

  • Spoofing - The -S option in Nmap allows you to spoof a port scan from a single source IP, which can be a more subtle approach compared to using a large group of decoys. However, this method has limitations because no useful Nmap results will be available since the target will respond to the spoofed IP, which Nmap will not see. Additionally, IDS alerts will be triggered, but will blame the spoofed source for the scan. To use the -S option, simply follow it with the desired source IP address. You may also need to specify the proper interface name using the -e option. This technique can be used for framing innocent parties, casting doubt on the accuracy of IDS, and even for denial-of-service attacks.
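The timing and decoy methods above all target the same weakness: port scan detection is usually a count of distinct ports per source within a time window. The following is an added example (not code from the original post or from the Nmap project) of such a threshold detector, run over constructed connection logs that mimic a fast scan, a -T sneaky style scan with 15 seconds between probes, and a decoy scan with the real source in sixth position. The IP addresses, the threshold of 10 ports and the 60-second window are assumptions chosen for the demonstration, not values from the post.

```python
"""Threshold-based port-scan detection, run over constructed connection logs.

Added example for this post (not code from the original page or from the
Nmap project): a minimal detector of the kind described above, which counts
how many distinct destination ports each source touches inside a sliding
time window and alerts once a threshold is crossed. The traffic below is
constructed to mimic three scan styles discussed in the text; the IPs,
thresholds and window are assumptions, not values from the page.
"""
from collections import defaultdict, deque


def make_scan(src, start, n_ports, spacing):
    """Constructed probes from one source: ports 1..n_ports, `spacing`
    seconds apart, beginning at `start` seconds. Each event is
    (timestamp, source_ip, destination_port)."""
    return [(start + i * spacing, src, 1 + i) for i in range(n_ports)]


def make_decoy_scan(sources, start, n_ports, spacing):
    """Constructed decoy-style traffic: every probe is repeated once per
    address in `sources`, in list order, so the observer sees several
    apparent scanners probing the same ports at the same time."""
    events = []
    for i in range(n_ports):
        for j, src in enumerate(sources):
            events.append((start + i * spacing + j * 0.001, src, 1 + i))
    return events


# Constructed sample traffic (not a real capture).
FAST_SCAN = make_scan("10.0.0.5", 0, 20, 0.1)        # 20 ports in ~2 s
SNEAKY_SCAN = make_scan("10.0.0.6", 0, 20, 15)       # 20 ports, 15 s apart
DECOY_SOURCES = [f"10.0.0.{50 + k}" for k in range(5)] + ["10.0.0.99"]
DECOY_SCAN = make_decoy_scan(DECOY_SOURCES, 400, 20, 0.1)  # real host is last


def detect_scans(events, threshold=10, window=60.0):
    """Return {source_ip: timestamp_of_first_alert} for every source that
    probed at least `threshold` distinct ports within any `window` seconds.
    Events must be sorted by timestamp."""
    recent = defaultdict(deque)   # per-source probes still inside the window
    alerts = {}
    for ts, src, port in events:
        probes = recent[src]
        probes.append((ts, port))
        while probes and ts - probes[0][0] > window:
            probes.popleft()      # expire probes older than the window
        distinct_ports = {p for _, p in probes}
        if src not in alerts and len(distinct_ports) >= threshold:
            alerts[src] = ts
    return alerts


def log_sources(alerts, max_logged=5):
    """Mimic a detector that records only the first `max_logged` alerting
    sources so that its log cannot be flooded. Returns (logged, dropped),
    each ordered by alert time."""
    ordered = sorted(alerts, key=alerts.get)
    return ordered[:max_logged], ordered[max_logged:]


if __name__ == "__main__":
    for name, events in [("fast", FAST_SCAN), ("sneaky", SNEAKY_SCAN),
                         ("decoy", DECOY_SCAN)]:
        print(name, detect_scans(events))
    logged, dropped = log_sources(detect_scans(DECOY_SCAN))
    print("logged:", logged, "dropped:", dropped)
```

Running it shows the three failure modes a defender has to plan for: the fast scan alerts after its tenth probe, the 15-second scan never holds more than five ports inside a 60-second window and stays silent unless the threshold is lowered (or the window widened), and the decoy scan produces six alerts of which a cap of five logged sources silently drops the real one. Lowering the threshold trades fewer misses for more false positives, so a practical detector usually keeps longer windows for low-rate sources and caps log volume by aggregating per-source counts rather than by discarding sources.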



Nmap Output


Security tools can have disorganized and cluttered output, making it difficult for users to identify important information from the noise. The output may contain irrelevant debugging information, and the results may be poorly organized and documented, which can lead to confusion and frustration.

  • Interactive mode - Interactive output has no specific command-line option; Nmap sends it to the standard output stream (stdout) by default. This mode is designed for human users who read the results directly, and displays a table of noteworthy ports.

  • sCRiPt KiDDi3 0utPU+ (-oS) - A format used by Nmap to create output that is formatted to look like it was generated by a script kiddie or an inexperienced hacker. The output is designed to be somewhat cryptic and misleading, with exaggerated "hacker" language and fake error messages to make it seem like a real attack is occurring.

  • Grepable output (-oG) - A simple format that can be easily processed using Unix tools such as grep, awk, cut, and diff. Each host is listed on one line with fields separated by tab, slash, and comma characters. While useful for quick analysis, XML format is recommended for more complex tasks as it provides more information and is more stable.

  • XML output (-oX) - A format that is easily parsed by software and is preferred when a non-trivial application interfaces with Nmap. It is a stable format, and free XML parsers are available for all major computer languages.

  • Normal output (-oN) - Similar to interactive output, but intended for analysis after the scan is complete. It is written to a file specified by the user and does not include unnecessary messages such as completion time estimates and open port alerts. The output also includes the Nmap command line used and the execution time and date on its first line.
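To make the difference between grepable and XML output concrete, here is an added example (not code from the original post or from the Nmap project) that parses both formats into the same host and port records, including the per-port script results that -sC writes into XML as script elements. Both inputs are constructed samples in the shape Nmap writes; the address 192.0.2.10, the host name, the service versions and the http-title result are invented.

```python
"""Parse Nmap XML (-oX) and grepable (-oG) output into plain Python records.

Added example for this post (not code from the original page or from the
Nmap project). The two inputs below are constructed samples in the shape
Nmap writes; the address, host name and versions are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.0.2.10" start="1700000000" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
        <script id="http-title" output="Welcome to nginx!"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <runstats><finished time="1700000042" elapsed="42.10"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Grepable lines are tab-separated "Key: value" fields; each port entry has
# seven slash-separated fields: port/state/proto/owner/service/rpcinfo/version
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "# Nmap done at Tue Nov 14 22:13:20 2023 -- 1 IP address (1 host up) scanned in 42.10 seconds\n"
)


def parse_xml(text):
    """Return a list of host records from -oX output, one dict per host."""
    hosts = []
    for host in ET.fromstring(text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        rec = {"addr": addr.get("addr") if addr is not None else None,
               "hostname": name.get("name") if name is not None else None,
               "state": host.find("status").get("state"), "ports": []}
        for port in host.findall("ports/port"):
            svc = port.find("service")
            product = None
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) or None
            rec["ports"].append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                # NSE results for this port, keyed by script id
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append(rec)
    return hosts


def parse_grepable(text):
    """Return host records from -oG output; the Host line may repeat, once
    with Status and once with Ports, so records are merged by address."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the "# Nmap ..." comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr, _, rest = fields["Host"].partition(" ")
        rec = hosts.setdefault(addr, {"addr": addr, "hostname": rest.strip("()") or None, "ports": []})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            p = entry.split("/")
            rec["ports"].append({"port": int(p[0]), "state": p[1], "proto": p[2],
                                 "service": p[4] or None, "product": p[6] or None})
    return list(hosts.values())


def open_ports(hosts):
    """Flatten host records into (address, port, service) for open ports."""
    return [(h["addr"], p["port"], p["service"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    print(open_ports(parse_xml(SAMPLE_XML)))
    print(open_ports(parse_grepable(SAMPLE_GREPABLE)))
```

Both parsers yield the same open-port list for this sample, but only the XML record carries the script output, the match method and confidence, and the reason each port state was assigned, which is why XML is the format to feed into anything beyond a quick grep.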



Conclusion

I want to thank you for reading my blog on Cyb3r-S3c.com. If you find this content informative and you are interested in cybersecurity, please check Cyb3r-S3c.com regularly for new content. Also like and subscribe to the Cyb3r-0verwatch channel. Nmap is a powerful and versatile network scanner that can provide a lot of useful information about network hosts and their services. However, like any tool, it is important to understand how to use it properly before diving in. In this video, I provided an overview of the various aspects of Nmap. When using Nmap, it is important to start with a basic understanding of the tool and its capabilities, and to gradually build on that knowledge. Reading the documentation and tutorials provided on Nmap.org, as well as practicing on test networks, can help you gain the knowledge and experience needed to use Nmap effectively and responsibly.


Additionally, it is important to note that Nmap should only be used on networks that you have permission to scan. Unauthorized scanning of networks can be illegal and can result in serious consequences. The information discussed in this video is gathered from my experience and research. Use the information I've provided in whatever way best assists you. If you have any questions or would like guidance, please feel free to leave a question in the comments, or send me a message through the contact form on the Cyb3r-S3c website listed in the description. See you next time; until then, keep learning, because the only way to improve is to keep learning.


Signing Off,

Pragmat1c_0n3
