Nmap Cheatsheet

July 13, 2019

I don’t remember when I first picked up Nmap, but I definitely remember the moment I decided I needed to spend some time learning it. The moment occurred shortly after receiving an answer to: “Which Nmap settings do I use for IDS evasion?”

The answer looked like this:

nmap -iL /input/targets.txt -Pn -O --osscan-limit -sS -sV --top-ports 20 --defeat-rst-ratelimit -open -T3 --script=resolveall,reverse-index --script-args http.useragent="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" --script-timeout 500m -oA output/client_TCP_Top200Ports_sS_sV --stats-every 240s --host-timeout 1080m --randomize-hosts

After spending some time researching what each setting meant, and then spending some more time trying to understand how that setting would apply to my situation, I realized that I’d stumbled upon another opportunity to write about another embarassing knowledge gap: Nmap.

A Better Question to Ask

There’s a non-zero chance that the above scan was a gentle “piss off and don’t be lazy” kind of answer. To be fair, I know know that I’d asked the wrong question. There is no one scan that is always right for a given scenario. Especially scenarios involving circumventing security controls.

And more to the point, it’s not about having the perfect scan for every occasion, it’s about knowing how to build the perfect scan for what you’re doing right now. Teaching people to fish, and all that.

Nmap does a good job of adapting to the condition of the network, but you cannot escape having to understand the plumbing. The following is a collection of starting points for specific scenarios. I’ll talk about the nuances of each and go over a few of the levers Nmap has that can address them.

IDS Evasion

This is where my Nmap rabbit hole began and this is where we’ll start as well. The main (only?) problem an IDS needs to solve is identifying suspicious needles in an otherwise innocent haystack. We need to find ways to make Nmap behave less like a needle and more like haystack. Capiche?

What does normal traffic look like? It looks a lot like a client connecting to a few ports on the server, and then having a fairly typical conversation. Nmap will typically talk to more ports in less time, often using traffic that is clearly abnormal.

How can we deal with this headache?

The above is a starting point. IDS vendors are in the business of preventing intrusions. If there was something that reliably bypassed their products, it’s probably not going to stay that way for long. Hopefully a slightly better understanding of the problem will unleash your creativity here :)

UDP Scans

UDP will always be a headache. The problem is that UDP is connectionless; no response is expected from the target. From Nmap’s site:

If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication.

The headache can be slightly reduced by the following:


The Mystery Scan, Explained

So what does the mystery scan actually do?