Hey,I have a question about using nmap tool when do I know what type of port scanning to use on a target to not cause suspicious activity to be caught ,because If I do too much "noise traffic" on a target the local admin can know that someone is trying to do malicious thing like gleaning open ports/services/OS and etc...Ronnie
-
Nmap tool
-
Hi Ronnie,
Great question – IMO this one is more of an art than a science, you have to recon the target organisation and tailor your approach based on your best estimation of the tech they’re going to have up against you!
Basically though, you’ve made the key point - less scanning = less noise… here’s some benefit of my experience, I'm sure Dan will also have some great ideas!I’m assuming you’re talking more about an internal assessment here, so - once you’re inside a target network, one of the best ways to minimise the number of actual connections we make is to thoroughly enumerate the hosts on the network before we start port scanning – by default Nmap will run a ping (ICMP) scan to determine which hosts exist on the network before starting a more intense port scan against the hosts which are then known to exist. If you don’t have nmap on the box (likely) or don’t want to put any of your own binaries on to the machine (sensible) you can also run a simple ping scan from within bash itself.
This does reduce the amount of “noise” on the network and gives you a lot of useful information, but it only works if the hosts respond to pings! By default, windows boxes don’t – but Linux ones do. If we happen to know the environment is all Nix it’s a fair guess that well get a response from most of the machines on the network (of course, they might be configured not to respond)… if it's a mixed or windows environment you could use a tool like hping3, or even better if we have access to a network device perhaps we can listen on the wire and see who’s “talking”. Checking the arp tables on any box you have compromised will also provide you with information on some “live” IP’s on the network. Gathering this information first helps you to establish possible targets, and then use more selective port scanning to reduce “noise” overall.
Once you are as far along as actually doing some port scanning, there’s a few options to make things less obvious – firstly, you can again use a targeted approach. By default, Nmap scans the top 1000 ports (that is to say the top 1000 most used ports, not ports 0-999) but we could be even more selective than this… which services are the most likely to provide an attack vector? HTTP(S)… SMB…FTP… and so on, so you can begin by running a small port scan against only those services – then broaden out from there.
Of course, there’s nothing to say a crafty admin did not bind FTP to another port… but let’s say he did, admins don’t want to make their life harder than it needs to be, so perhaps it’s not on 21… how about on 2121?... SSH on 222 ohhhh, I see what you did there
Working like this takes longer than just running a full blown -p – to scan every port on the machine but it’s also much stealthier.In theory, using a syn scan, rather than a connect scan is also stealthier (since the syn scan does not complete the TCP handshake, some (very crude) logging systems might not note the connection) – however today this isn’t really true anymore. You’ll also need sudo rights to run nmap in syn scan mode, so you’ll find that in practice you’re often forced into using a connect scan anyway. Options like the FIN scan could also work, perhaps some logging or monitoring software will miss that..might get through a simpler firewall… but against a half way modern IDS/IPS/SIEM system you need to assume the more you do, the greater your chance of getting noticed no matter how crafty you get with your nmap options.
Ultimately, if you have to scan off of a “normal” host inside a network which does not normally run those kinds of scans you are always going to be doing something unusual which should be picked up - simply keeping your scanning as minimal as possible, and going “low and slow” (so, let’s not use -T5) is your best bet of staying below the threshold at which some kind of alert triggers. Getting logged is not always a problem - getting logged enough that someone gets an alert is a problem.
It comes back to enumeration, enumeration and enumeration though because perhaps you aren’t operating from a “normal” workstation, web server etc… if you manage to compromise a system which is actually used for something like network administration, it might be totally normal for nmap to be run on that system – windows system with zenmap installed… non security focused linux distro with nmap installed – there’s a good chance that’s there for a reason and a good chance that scanning from that system won’t be unusual. Take it further - If nmap is there for a purpose there’s also a reasonable chance that there are copies of scans already stored on that host somewhere, so perhaps you don’t even need to scan now
Hope at least some of that is helpful – it’s a great question, keep hacking!
