Skip to main content

Executing Scans


Slow Scan Troubleshooting

In the event that the nmap-scanner.sh script is taking too long when Performing DNS resolutions, this is likely due to DNS reverse lookups not being possible in the environment - causeing lookups to take a long time for each IP, only to end in failure. In these situations, the -n or --no-dns option can be passed to the nmap-scanner.sh script to skip reverse DNS resolution of IP addresses to hostnames.

info

The nmap-scanner.sh script performs the equivalent of the following nmap commands, but provides the benefit of CSV and JSON output:

  • nmap -v -sL (Reverse DNS lookup)
  • nmap -v -n -sn --send-ip -PE (Ping sweep)
  • nmap -v -n -Pn -sS (TCP port scan)
  • nmap -v -n -Pn -sU (UDP port scan)
  • nmap -v -n -Pn -sV (Service enumeration)
  • nmap -v -n -Pn -O (OS enumeration)

Prepare the script and create a target list​

  1. Transfer the //fileserver/share/SCRIPTS/262COS-Nmap_Scanner-SCRIPT-001/nmap-scanner.sh script to the RHEL host and give it executable permissions

    chmod +x ./nmap-scanner.sh

    TIP: On MIPs deployed from a DIP built IAW 262COS-DIP-SOP-001, the nmap-scanner.sh is already available in the RHEL host's PATH variable - meaning you do not need to transfer the script and you can already executing it anywhere within your terminal

  2. Use nmap to generate a target list while filtering out No-Strike IPs:

    nmap -n -sL -iL <FILE_CONTAINING_TARGET_IPS/NETWORKS> --excludefile /etc/exclude.hosts | grep 'report' | awk '{print $5}' > ./scan_targets

    TIP: The nmap-scanner.sh also has an -e option to provide a list of IPs/networks to exclude (ex: -e=/etc/exclude.hosts), which is equivalent to to nmap's --excludefile - so you can either exclude them now or later


Execute scans​

note

Unless otherwise directed by the tactical plan or CCL, perform SCAN OPTION 1

SCAN OPTION 1: Basic TCP port scan​

note

Use this option to only scan the most common ports

Execute the nmap-scanner.sh script to perform automated network scans against the top 1000 TCP ports, and additionally WinRM:

./nmap-scanner.sh -s -o -i=./scan_targets
./nmap-scanner.sh -s -p=5985 -i=./scan_targets

SCAN OPTION 2: Remote management port scan​

note

Use this option to provide useful targeting for host analysts to deploy agents/perform remote actions

Execute the nmap-scanner.sh script to perform automated network scans for FTP, SSH, Telnet, HTTP, RPC, NetBIOS, HTTPS, RDP, VNC, and WinRM:

./nmap-scanner.sh -s -o -i=./scan_targets -p=21,22,23,80,135,139,443,445,3389,5800,5900,5985,5986

SCAN OPTION 3: Comprehensive port scan (SLOW!)​

note

Use this option to obtain a complete view of all open TCP/UDP ports

Execute the nmap-scanner.sh script to perform automated network scans against all 0-65535 TCP and UDP ports:

./nmap-scanner.sh -s -o -p=- -i=./scan_targets
./nmap-scanner.sh -s -u -p=- -i=./scan_targets

Save Results​

Save all scan results to the Fileserver's SMB Share under //fileserver/share/MISSION/03_EXECUTION/03_NETWORK_SCANS/