Periodic Update

Author: gnebbia

sections/evading_firewalls_and_other_sneakiness.md

@@ -1,11 +1,11 @@
-
+# nmap: Evading Firewalls
 We are going to make assumptions which are very probable for many
 firewalls, but won't be accurate, because they can vary from
 firewall to firewall. We can list as anti-scanning technologies:
 
-* Firewall
-* NAT (Network Address Translation)
-* IDS (Intrusion Detection System)
+- Firewall
+- NAT (Network Address Translation)
+- IDS (Intrusion Detection System)
 
 We are going to discuss each and how they will affect the result.
 
@@ -25,9 +25,9 @@ Decisions are primarily made based on the socket which is the
 combination "SourceIP,SourcePort and DestIP,DestPort". There are
 generally three types of firewall:
 
-* Stateless Packet Filter Firewall
-* Stateful Packet Filter Firewall
-* Application (aka Proxy) Firewall
+- Stateless Packet Filter Firewall
+- Stateful Packet Filter Firewall
+- Application (aka Proxy) Firewall
 
 We are not interested in the normal scans done with -sS or with
 -sT because in these cases we simply receive a response (or the

sections/examples_of_nmap_usage.md

@@ -1,3 +1,4 @@
+# nmap: Usage Examples
 
 Let's see now a real case example of NMAP usage, the first thing
 we do is:
@@ -16,9 +17,10 @@ network:
 
 ```sh
  nmap -sn -n 192.168.25.0/24
- # in this case, we disabled port
- # scanning with "-sn" and we disabled host name resolution with "
- # -n", in this way we get quickly the list of live hosts on the
+ # in this case, we:
+ # disabled port scanning with "-sn";
+ # we disabled host name resolution with "-n", 
+ # in this way we get quickly the list of live hosts on the
  # network, we didn't specify any specific option for host
  # enumeration, since we are doing this operation in a local
  # network, so no matter which options we would have used, it

sections/host_enumeration_and_network_mapping.md

@@ -1,3 +1,4 @@
+# nmap: host enumeration
 
 Nmap works at the OSI Network layer and Transport layer. We have
 to remember that each layer has its own:

sections/icmp.md

@@ -1,3 +1,4 @@
+# nmap: ICMP
 
 ICMP is used to:
 
@@ -27,6 +28,29 @@ There are 3 types of request/response pairs:
 The -PP and -PM requests can be used with some machines where ICMP ping requests
 have been blocked only.
 
+For example we could perform a ping sweep similar to what the UNIX or Windows
+ping tool does to discover hosts on a network by doing:
+```sh
+nmap -sn -n -PE 172.28.128.0/24
+# -sn turns off the port scanning
+# -n does not resolve the IP addresses into domain names
+# -PE uses ICMP type 8 messages to ping hosts on the subnet
+```
+
+Note that if we are on a local segment, we may also only see ARP packets,
+and this happens since nmap does as little as possible it can do to discover
+hosts. However we can see the ping probes whenever we try to perform this
+on a host outside our local network segment.
+
+Whenever we want to force ping probes within our local network segment
+we can do:
+```sh
+sudo nmap -sO -p 1 -n -Pn <target>
+# in this case we:
+# `-Pn` disable the discovery phase (or "ping phase")
+# `-n` do not perform IP address resolution
+# `-sO -p 1` perform a raw IP scan where the -p1 indicates ICMP type 8 messages
+```
 
 ## One Flow Communication in ICMP
 

sections/nated_systems_and_load_balancers.md

@@ -1,3 +1,4 @@
+# nmap: NATed systems and Load Balancers
 
 Sometimes the IP address that we are scanning may be a firewall or a network
 device which is using NAT and behind this device there may be multiple systems.
@@ -10,11 +11,11 @@ with a NATed network.
 
 In this cases we can use TCP timestamps to infer what is the configuration:
 
-* if timestamps are significantly different(> 1s): It is very likely that timestamps
+- if timestamps are significantly different(`> 1s`): It is very likely that timestamps
  are coming from different systems
-* if timestamps are euql (<1s): It is likely that timestamps are coming from
+- if timestamps are equal (`<1s`): It is likely that timestamps are coming from
  the same system
-* If only one port responds without set TCP timestamp options, it is
+- If only one port responds without set TCP timestamp options, it is
  safe to assume that two different systems are responding. If TSopts
  are not included in the answer or TSval = 0 on both ports, then no
  knowledge can be gained, because it could be the same system having

sections/nmap.md

@@ -46,7 +46,8 @@ Another basic example could be:
 ```sh
  nmap -sn 192.168.1.0/24
  # in this case nmap just executes an enumeration of the
- # hosts on the network address
+ # hosts on the network address, it actually uses
+ # different techniques to understand if a host is alive or not
 ```
 Notice that Nmap has plenty of features, and can also integrate
 script capabilities.
@@ -80,3 +81,16 @@ divided in this way:
 * Script Scanning: execution of the user-mentioned scripts
 * Ouput: printing of the output on stdout or in files
 
+
+In addition, we may say that as a guideline an nmap operation
+can be subdivided into two major phases:
+- host discovery (or "ping phase"), controlled with the -P option
+- port scan, controlled with the -s option
+
+Also remember that the default behavior of nmap also depends on whether
+we are executing the command:
+- as root vs non-privileged user
+- on a local network segment vs to a remote host
+
+That's why sometimes using the same flags could lead to a slightly
+different network traffic.

sections/output.md

@@ -1,31 +1,27 @@
+# nmap Output
 
 Let's look at some way to obtain better output:
-
-* while in the interactive mode, if we are waiting for results we
+- while in the interactive mode, if we are waiting for results we
  can press "Enter" and get some lines describing what nmap is
  doing
-
-* if we append the --reason in any case nmap is doing a port scan,
+- if we append the --reason in any case nmap is doing a port scan,
  we'll notice the reason why nmap determined that the examined
  ports were closed or opened
-
-* if we are only interested in the open ports, and not even the
+- if we are only interested in the open ports, and not even the
  filtered ones, so we must append --open
-* we can output the results in a file with: "-o", we can save
+- we can output the results in a file with: "-o", we can save
  results into different formats:
+ - N, normal format
+ - X, XML format
+ - G, grepable format
+ - A, all formats
 
- * N, normal format
- * X, XML format
- * G, grepable format
- * A, all formats
-
-an example of these could be:
+An example of these could be:
 ```sh
 nmap -oN fileName.txt
 ```
 
 What I personally prefer in scanning activities is:
-
 ```sh
 nmap -oA filename_prefix
 ```

sections/port_scanning.md

@@ -1,8 +1,8 @@
+# nmap Port Scanning
 
 There are two technique to "Port Specification" in nmap:
 
 1. Explicitly using the "-p" flag
-
 2. By reference using nmap-services
 
 ## The "-p" flag