1. Performing Passive Reconnaissance
| Domain Name | IP Address | Location | Contact Person | Address and Phone Number |
|---|---|---|---|---|
| Redriff.com | 52.71.57.184 | USA | Rutgers University Computing Services | 2635 Walnut Street / +1.3038930552 |
| Examcram.com | 168.146.67.181 | USA , NJ, Old Tappan | Domain Administrator | 200 Old Tappan Road / +1.2017675000 |
| Rackspace | 72.3.246.59 | USA | Hansell, Chris | 1 Fanatical Place, Windcrest,TX / +1-210-312-4000 |
| Rutgers.edu | 128.6.46.111 | USA | Domain Admin | 96 Davidson Road Piscataway, NJ 08854 / +1.8484457541 |
2. Performing Active Reconnaissance
nmap -hfor nmap help
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ nmap -h
Nmap 7.95 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN, TCP ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES- You’ll notice that Nmap has many options. Review and find the option for a full connect scan.
- -sT
- Step 5. Review and find the option for a stealth scan.
- -sS
- Review and find the option for a UDP scan.
- -sU
- Review and find the option for a fingerprint scan.
- -O
- Perform a full connect scan on one of the local devices you have identified on your network. Find local device to scan using
AngryIpScanner
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ nmap -sT 10.19.6.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 15:19 +0530
Nmap scan report for 10.19.6.108
Host is up (0.021s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1935/tcp open rtmp
6646/tcp open unknown
49152/tcp open unknown
MAC Address: 50:C2:E8:91:B6:43 (Cloud Network Technology Singapore PTE.)
Nmap done: 1 IP address (1 host up) scanned in 12.39 seconds- Perform a stealth scan on one of the local devices you have identified on your network.
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ nmap -sS 10.19.6.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 15:20 +0530
Nmap scan report for 10.19.6.108
Host is up (0.0099s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1935/tcp open rtmp
6646/tcp open unknown
49152/tcp open unknown
MAC Address: 50:C2:E8:91:B6:43 (Cloud Network Technology Singapore PTE.)
Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds- Perform a UDP scan on one of the local devices you have identified on your network.
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ nmap -sU 10.19.6.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 15:21 +0530
Nmap scan report for 10.19.6.108
Host is up (0.014s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: 50:C2:E8:91:B6:43 (Cloud Network Technology Singapore PTE.)
Nmap done: 1 IP address (1 host up) scanned in 19.25 seconds- Perform a fingerprint scan on one of the local devices you have identified on your network.
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ nmap -O 10.19.6.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 15:22 +0530
Nmap scan report for 10.19.6.108
Host is up (0.016s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1935/tcp open rtmp
49152/tcp open unknown
MAC Address: 50:C2:E8:91:B6:43 (Cloud Network Technology Singapore PTE.)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 11|10|2022|Phone|2008 (97%)
OS CPE: cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::sp1
Aggressive OS guesses: Microsoft Windows 11 21H2 (97%), Microsoft Windows 10 (92%), Microsoft Windows Server 2022 (91%), Microsoft Windows 10 1607 (91%), Microsoft Windows Phone 7.5 or 8.0 (88%), Microsoft Windows Server 2008 SP1 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.10 seconds- Observe the results of each scan. Could Nmap successfully identify the system?
- I think yes, Nmap could successfully identify the system. By using a full connect scan (-sT), Nmap is able to complete the TCP handshake with the target, which provides reliable information about open ports and the services running on them. This information, combined with additional options like service version detection (-sV) or OS fingerprinting (-O), allows Nmap to accurately identify the target system in most cases.