Executing Scans
In the event that the nmap-scanner.sh script is taking too long when Performing DNS resolutions, this is likely due to DNS reverse lookups not being possible in the environment - causeing lookups to take a long time for each IP, only to end in failure. In these situations, the -n or --no-dns option can be passed to the nmap-scanner.sh script to skip reverse DNS resolution of IP addresses to hostnames.
The nmap-scanner.sh script performs the equivalent of the following nmap commands, but provides the benefit of CSV and JSON output:
nmap -v -sL(Reverse DNS lookup)nmap -v -n -sn --send-ip -PE(Ping sweep)nmap -v -n -Pn -sS(TCP port scan)nmap -v -n -Pn -sU(UDP port scan)nmap -v -n -Pn -sV(Service enumeration)nmap -v -n -Pn -O(OS enumeration)
Prepare the script and create a target listβ
-
Transfer the
//fileserver/share/SCRIPTS/262COS-Nmap_Scanner-SCRIPT-001/nmap-scanner.shscript to the RHEL host and give it executable permissionschmod +x ./nmap-scanner.shTIP: On MIPs deployed from a DIP built IAW 262COS-DIP-SOP-001, the
nmap-scanner.shis already available in the RHEL host's PATH variable - meaning you do not need to transfer the script and you can already executing it anywhere within your terminal -
Use nmap to generate a target list while filtering out No-Strike IPs:
nmap -n -sL -iL <FILE_CONTAINING_TARGET_IPS/NETWORKS> --excludefile /etc/exclude.hosts | grep 'report' | awk '{print $5}' > ./scan_targetsTIP: The
nmap-scanner.shalso has an-eoption to provide a list of IPs/networks to exclude (ex:-e=/etc/exclude.hosts), which is equivalent to to nmap's--excludefile- so you can either exclude them now or later
Execute scansβ
Unless otherwise directed by the tactical plan or CCL, perform SCAN OPTION 1
SCAN OPTION 1: Basic TCP port scanβ
Use this option to only scan the most common ports
Execute the nmap-scanner.sh script to perform automated network scans against the top 1000 TCP ports, and additionally WinRM:
./nmap-scanner.sh -s -o -i=./scan_targets
./nmap-scanner.sh -s -p=5985 -i=./scan_targets
SCAN OPTION 2: Remote management port scanβ
Use this option to provide useful targeting for host analysts to deploy agents/perform remote actions
Execute the nmap-scanner.sh script to perform automated network scans for FTP, SSH, Telnet, HTTP, RPC, NetBIOS, HTTPS, RDP, VNC, and WinRM:
./nmap-scanner.sh -s -o -i=./scan_targets -p=21,22,23,80,135,139,443,445,3389,5800,5900,5985,5986
SCAN OPTION 3: Comprehensive port scan (SLOW!)β
Use this option to obtain a complete view of all open TCP/UDP ports
Execute the nmap-scanner.sh script to perform automated network scans against all 0-65535 TCP and UDP ports:
./nmap-scanner.sh -s -o -p=- -i=./scan_targets
./nmap-scanner.sh -s -u -p=- -i=./scan_targets
Save Resultsβ
Save all scan results to the Fileserver's SMB Share under //fileserver/share/MISSION/03_EXECUTION/03_NETWORK_SCANS/