I don't remember when I first picked up Nmap, but I definitely remember the moment I decided I needed to spend some time learning it. The moment occurred shortly after receiving an answer to: "Which Nmap settings do I use for IDS evasion?"
The answer looked like this:
After spending some time researching what each setting meant, and then spending some more time trying to understand how that setting would apply to my situation, I realized that I'd stumbled upon another opportunity to write about another embarrassing knowledge gap: Nmap.
A Better Question to Ask
There's a non-zero chance that the above scan was a gentle "piss off and don't be lazy" kind of answer. To be fair, I now know that I'd asked the wrong question. There is no one scan that is always right for a given scenario, especially scenarios involving circumventing security controls.
And more to the point, it's not about having the perfect scan for every occasion, it's about knowing how to build the perfect scan for what you're doing right now. Teaching people to fish, and all that.
Nmap does a good job of adapting to the condition of the network, but you cannot escape having to understand the plumbing. The following is a collection of starting points for specific scenarios. I'll talk about the nuances of each and go over a few of the levers Nmap has that can address them.
This is where my Nmap rabbit hole began and this is where we'll start as well. The main (only?) problem an IDS needs to solve is identifying suspicious needles in an otherwise innocent haystack. We need to find ways to make Nmap behave less like a needle and more like the haystack. Capiche?
What does normal traffic look like? It looks a lot like a client connecting to a few ports on the server, and then having a fairly typical conversation. Nmap will typically talk to more ports in less time, often using traffic that is clearly abnormal.
How can we deal with this headache?
- Research your target - Some vendors post their default port scan detection settings, allowing you to tune your scan accordingly.
- Slow things down - Look at `-T2`. If you're in a rush, you're going to need to reduce the number of ports you're scanning to compensate. If using these options, consider setting
- Reduce the number of ports you're scanning - Scan the most useful ports first and work on those while your low and slow full scan runs in the background.
- Reduce the number of scripts - `--version-intensity` reduces the number of probes Nmap will send before giving up; `--version-intensity 0` does banner grabbing.
- Add User Agents - When scanning HTTP, add a valid user agent. It is passed as the `http.useragent` script argument, not as a flag of its own (`<target>` is a placeholder):
  nmap -p 80,443 --script http-waf-detect,http-waf-fingerprint --script-args http.useragent="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" <target>
- Ditch the `-sS` - Nmap's default scan uses this, which is faster but is not stealthy. Use `-sT`, which performs the full TCP handshake and looks less shady.
- Avoid scripts, OS detection - Scripts are basically out.
The above is a starting point. IDS vendors are in the business of preventing intrusions. If there were something that reliably bypassed their products, it's probably not going to stay that way for long. Hopefully a slightly better understanding of the problem will unleash your creativity here :)
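As an added, defender-side example (not code from the original post): Nmap's NSE http library sends a recognisable default User-Agent unless `http.useragent` is set, and a burst of requests from one client is exactly what "slow things down" is meant to avoid. The combined-format log lines, IP addresses and thresholds below are constructed assumptions, not data from the post.

```python
import re
from datetime import datetime

# Default User-Agent of Nmap's NSE http library when http.useragent is not set.
NMAP_DEFAULT_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

# Combined log format: ip - - [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Constructed sample log (not from the original post): an NSE scan from 203.0.113.7,
# a normal browser, and a client sending the spoofed IE user agent from the post.
SPOOFED_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_LOG = f"""\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "{NMAP_DEFAULT_UA}"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "{NMAP_DEFAULT_UA}"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /a?b=c HTTP/1.1" 200 10 "-" "{NMAP_DEFAULT_UA}"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "{NMAP_DEFAULT_UA}"
192.0.2.9 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 200 612 "-" "{SPOOFED_UA}"
192.0.2.9 - - [10/Oct/2023:13:56:30 +0000] "GET /a?b=c HTTP/1.1" 200 10 "-" "{SPOOFED_UA}"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_nmap_scanners(log_text):
    """{ip: requests} for clients that still send the default NSE User-Agent."""
    hits = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if "Nmap Scripting Engine" in rec["ua"]:
            hits[rec["ip"]] = hits.get(rec["ip"], 0) + 1
    return hits

def find_bursty_clients(log_text, max_requests=3, window_seconds=10):
    """{ip: requests} for clients exceeding max_requests within any window_seconds
    span; this catches a scanner whatever User-Agent it claims."""
    by_ip = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_ip.setdefault(rec["ip"], []).append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        for start in sorted(times):
            n = sum(1 for t in times if 0 <= (t - start).total_seconds() <= window_seconds)
            if n > max_requests:
                flagged[ip] = n
                break
    return flagged
```

The spoofed user agent hides 192.0.2.9 from the first check but not from the timing check once the window is widened, which is why the post pairs the user-agent change with slowing the scan down.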
UDP will always be a headache. The problem is that UDP is connectionless; no response is expected from the target. From Nmap's site:
If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication.
The headache can be slightly reduced by the following:
- Use `-sUV` to perform version detection on any potentially open UDP ports.
- Determine ports likely to be open on your target and use `-PU` to find live hosts. Avoid
- Set `--host-timeout` to 30m to skip slow hosts. A Linux host will take 18 hours to scan UDP ports 1-65535 due to a rate limit imposed on ICMP unreachable messages.
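The quoted classification rules as an added example, not code from the post or from Nmap itself: `classify_udp_port` applies them to the replies a probe and its retransmissions received, and `full_udp_scan_hours` reproduces the 18-hour figure from Linux's default of one ICMP unreachable per second (the `Reply` type and the one-per-second rate are assumptions made here).

```python
from dataclasses import dataclass
from typing import Optional

# Port states exactly as the quoted Nmap documentation names them.
CLOSED, FILTERED, OPEN, OPEN_FILTERED = "closed", "filtered", "open", "open|filtered"

# ICMP type 3 codes that the documentation says mark a port as filtered.
FILTERED_CODES = {0, 1, 2, 9, 10, 13}

@dataclass
class Reply:
    """One response to one UDP probe (assumed shape): kind is "udp" or "icmp"."""
    kind: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def classify_udp_port(replies):
    """Apply the quoted rules to the replies seen across a probe and its
    retransmissions; a None entry means that probe went unanswered."""
    for r in replies:
        if r is None:
            continue
        if r.kind == "udp":
            return OPEN                      # any UDP payload proves the port is open
        if r.kind == "icmp" and r.icmp_type == 3:
            if r.icmp_code == 3:
                return CLOSED                # port unreachable
            if r.icmp_code in FILTERED_CODES:
                return FILTERED              # net/host/proto/admin prohibited, etc.
    return OPEN_FILTERED                     # silence: open, or dropped by a filter

def full_udp_scan_hours(ports=65535, unreachables_per_second=1.0):
    """Lower bound on scanning `ports` closed UDP ports against a host that
    rate-limits ICMP unreachables (assumption: Linux's default of one per second)."""
    return ports / unreachables_per_second / 3600

if __name__ == "__main__":
    print(classify_udp_port([None, None]))    # open|filtered
    print(round(full_udp_scan_hours(), 1))    # 18.2
```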
The Mystery Scan, Explained
So what does the mystery scan actually do?
- `-iL` - Load targets from file
- `-Pn` - Treat all hosts as online
- `-O` - Enable OS detection
- `--osscan-limit` - Only OS scan promising targets
- `-sS` - SYN scan, half TCP handshake. Default option.
- `-sV` - Service detection
- `--top-ports 20` - Only scan the top 20 ports
- `--defeat-rst-ratelimit` - Ignore rate limits
- `--open` - Only show open ports
- `-T3` - Normal speed. Default option.
- `--script` - Use scripts
  - `resolveall` - Add all IPs associated with a host, not just the first
  - `reverse-index` - Sort by port, not by host
- `--script-args` - Script arguments to use
  - `http.useragent` - Provide a non-Nmap user agent
- `--script-timeout` - Kill scripts after n minutes.
- `-oA` - Output all formats
- `--stats-every` - Print stats regularly
- `--host-timeout` - Abandon hosts after n minutes.
- `--randomize-hosts` - Scan hosts in random order rather than sequentially.