Kalanand's August 2016 Log

July 2016

September 2016

August 8th

Port scan using NMAP

Documentation: https://nmap.org/, https://nmap.org/bennieston-tutorial/
Slowest possible scan setting can be achieved by setting NMAP to paranoid mode (~5 minutes between each port + randomization timer and then adjusting the scan-delay settings to further increase the time between each scan). See https://nmap.org/book/man-performance.html
To run the following Nmap commands I needed to do 'sudo nmap' but maybe there is a way to do without sudo.
Nmap Port Scan options. These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.
- Scan a single IP: nmap 192.168.1.1
- Scan a host: nmap www.testhostname.com
- Scan a range of IPs: nmap 192.168.1.1-20
- Scan a subnet: nmap 192.168.1.0/24
- Scan targets from a text file: nmap -iL list-of-ips.txt
- Scan using TCP connect: nmap -sT 192.168.1.1
- Scan using TCP SYN scan (default): nmap -sS 192.168.1.1
- Scan UDP ports: nmap -sU -p 123,161,162 192.168.1.1
Nmap with port selection
- Scan a single Port: nmap -p 22 192.168.1.1
- Scan a range of ports: nmap -p 1-100 192.168.1.1
- Scan 100 most common ports (Fast): nmap -F 192.168.1.1
- Scan all 65535 ports: nmap -p- 192.168.1.1
Popular options
- Scan using TCP connect: nmap -sT 192.168.1.1
- Scan using TCP SYN scan (default): nmap -sS 192.168.1.1
- Scan UDP ports: nmap -sU -p 123,161,162 192.168.1.1
- Scan selected ports, ignore discovery: nmap -Pn -F 192.168.1.1
Some quick favorite options:
- sudo nmap -Pn 192.168.1.1
- sudo nmap --script=ssl-cert.nse -p 192.168.1.1
The last one does scan with a set of scripts. There are currently ~500 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. Discover them using the command:
```
  nmap grab ssl-cert
  
```
Other services
- Gather page titles from HTTP: nmap --script=http-title 192.168.1.0/24
- Get HTTP headers of web services: nmap --script=http-headers 192.168.1.0/24
- Heartbleed Testing: nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24
- Find IP info nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24

August 11th

Nmap time settings

Nmap adjusts its timings automatically depending on network speed and response times but these can be overridden.

The main timing option is set through the -T parameter. There are six predefined timing policies which can be specified by name or number: Paranoid (0), Sneaky (1), Polite (2), Normal (3), Aggressive (4), and Insane (5).

A -T Paranoid (or -T0) scan waits at least 5 minutes between each packet sent. This makes it almost impossible for a firewall to detect a port scan in progress (indistinguishable from random network traffic).

Timings for individual aspects of a scan can also be set using other options summarized in the following table.

Category Parallelism initial_rtt_timeout min_rtt_timeout max_rtt_timeout scan_delay

T0/Paranoid Serial 5 min Default (100 ms) Default (10 sec) 5 min

T1/Sneaky Serial 15 sec Default (100 ms) Default (10 sec) 15 sec

T2/Polite Serial Default (1 sec) Default (100 ms) Default (10 sec) 400 ms

T3/Normal Parallel Default (1 sec) Default (100 ms) Default (10 sec) Default (0 sec)

T4/Aggressive Parallel 500 ms Default (100 ms) 1250 ms Default (0 sec)

T5/Insane Parallel 250 ms 50 ms 300 ms Default (0 sec)

Category	Parallelism	initial_rtt_timeout	min_rtt_timeout	max_rtt_timeout	scan_delay
T0/Paranoid	Serial	5 min	Default (100 ms)	Default (10 sec)	5 min
T1/Sneaky	Serial	15 sec	Default (100 ms)	Default (10 sec)	15 sec
T2/Polite	Serial	Default (1 sec)	Default (100 ms)	Default (10 sec)	400 ms
T3/Normal	Parallel	Default (1 sec)	Default (100 ms)	Default (10 sec)	Default (0 sec)
T4/Aggressive	Parallel	500 ms	Default (100 ms)	1250 ms	Default (0 sec)
T5/Insane	Parallel	250 ms	50 ms	300 ms	Default (0 sec)

August 16th

I want to know the top 256 most common ports used by nmap. The easiest way is:


nmap -oX - --top-ports 256 x

output:

1,3,7,9,13,17,19-26,33,37,42,53,79-82,88,100,
106,110-111,113,119,135,139,143-144,161,179,199,
222,254-255,264,280,311,389,407,427,443-445,464-465,497,
500,512-515,543-544,548,554,563,587,593,625,631,636,646,
787,808,873,888,902,990,992-993,995,999-1000,
1022-1044,1048-1050,1053-1054,1056,1058-1059,1064-1066,1068-1069,1071,1074,1080,
1110-1111,1218,1234,1352,1433,1494,1521,1700,1717,1720,1723,1755,1761,1801,1900,1935,1998,
2000-2010,2049,2065,2103,2105,2107,2121,2161,2301,2383,2401,
2601-2602,2604,2701,2717,2869,2967,3000-3001,3052,3128,3260,3268-3269,
3306,3333,3389,3689-3690,3703,3986,4000-4002,4045,4444,4662,4899,
5000-5003,5009,5050-5051,5060,5100-5101,5120,5190,5357,5432,5550,5555,
5631,5666,5800-5801,5900-5901,6000-6002,6004,6112,6543,6646,6666,
7000-7001,7019,7070,7100,7937-7938,8000,8002,8008-8010,8031,8080-8082,8443,8888,
9000-9001,9090,9100,9102,9535,9999-10001,10010,15000,32768,32770-32772,
42510,49152-49157,50000-50001

This will print the XML output to the terminal which includes the exact ports. See here for more details.

August 31st

I need a functionality of std::set for each element in an array (e.g., set of port-scan ports for each of 20 time-bins). I can surely allocate my own memory then delete after I am done, e.g.,


#include <set>
#include <vector>

int main()
{
   std::set* entry = new set[32];
   entry[0].insert(23);
   // ....
   delete [] entries;
   return 0;
}

But usually it's better to use a container like std::vector to manage the memory for me:


#include <set>
#include <vector>

const int N = 32;

int main()
{
   std::vector> entry(N); 
   // std::vector constructor makes 32 calls to std::set constructor
   entry[0].insert(23);
   return 0; // std::vector destructor makes 32 calls to std::set destructor
}

Go to July's log

Last modified: Wed Aug 31 19:00:58 PDT 2016