Nmap: Getting Started Guide

Nmap is a free utility tool for network discovery, port scanning and security auditing, even though we can use it for more than that but in this article we will learn how to do these three things with nmap.

The original author of nmap is Gordon Lyon (Fyodor). Nmap is licensed under GPL v2 and has available ports in many different languages. Nmap is available for Linux, Windows, and Mac OS X. You can download your copy of nmap from their website.

Lets get started with nmap.

When performing pentests we always look for networks we are going to attack. We need to identify live hosts on the network so that we can attack them. There are plenty of tools available for finding live hosts on a network but nmap is one of the best tools for doing this job.

Lets start with simple host (target) discovery scans i,e scans that will tell us which ip address is up on our target network. Those ip addresses which are up on our target network are the ones that are assigned to a device connected on our target network. Every device on the network is going to have a unique ip address.
To perform a simple host discovery scan we use the following command

nmap -v -sn 10.10.10.0/24

flags we used in the above command are
-v for verbose output
-sn to disable port scan (we don't want to scan for ports right now)

Following the flags is the ip address of the target network on which we want to look for live hosts. The /24 at the end of the ip address is the CIDR that specifies the subnet of the network on which we are looking for live hosts.

After running the above command you should get a list of live hosts on your target network.
If you just want to know the list of ip addresses your command is going to scan, you can use the -sL flag of the nmap like this.

nmap -sL 10.10.10.0/24

this command will simply output the list of ip addresses to scan.

We sometimes want to do dns resolution (resolving ip addresses to domain names) when performing our network scans and sometimes we don't want dns resolution. While performing a host discovery scan with nmap if we want to perform dns resolution we use -R flag in our command like this:

nmap -v -sn -R 10.10.10.0/24

And if we don't want to perform dns resolution of hosts during our scan we add the -n flag to our command like this:

nmap -v -sn -n 10.10.10.0/24

After we have discovered the hosts that are up on our target network, we usually put the ip addresses of these hosts into a file for further enumeration.

Next step in our enumeration would be to detect which operating system and which ports are running on these live hosts, for that we run this command:

nmap -O -v 10.10.10.119

here we use -O (capital o not zero) for operating system detection and by default nmap performs SYN Scan for port discovery. However nmap scans for 1000 ports only by default of a particular host.

To make nmap go over a list of ip addresses in a file we use -iL flag like this:

nmap -O -v -iL targetlist

where targetlist is the name of the file which contains ip addresses that we want to perform port scan on.

To make nmap scan all the ports of a target we use the -p flag like this:

nmap -p- -v 10.10.10.121

We can also specify a range of ports using the -p flag like this:

nmap -p1-500 -v 10.10.10.121

here 1-500 means scan all the ports from 1 to 500.

We can use a number of scan techniques to discover open ports on our network but I will only discuss some of them for brevity.

We can perform a TCP SYN scan using nmap with -sS flag like this:

nmap -sS -v 10.10.10.150

We have also flags for TCP connect and ACK scans which are -sT -sA

nmap -sT -v 10.10.10.150

nmap -sA -v 10.10.10.150

We can also perform UDP scan as well instead of TCP scan using -sU flag

nmap -sU -v 10.10.10.150

We can perform TCP Null, FIN, and Xmas scans using the flags -sN, -sF, -sX

nmap -sN -v 10.10.10.150

nmap -sF -v 10.10.10.150

nmap -sX -v 10.10.10.150

If you don't know what these scans are then please visit Port Scanning Techniques and Algorithms for explanation.

After discovering the open ports on our target host, we want to enumerate what services are running on those open ports. To enumerate services and versions information on open ports we use the -sV flag like this:

nmap -sV -v 10.10.10.118

This should give us information about what services are running on what ports and what versions of those services are running on the target host.

nmap has an interesting feature called NSE nmap scripting engine. It allows users to write their own scripts, using the Lua programming language, to automate a wide variety of networking tasks. nmap ships with a diverse set of scripts which are very helpful to enumerate a target. To use the nmap default set of scripts while enumerating the target, we use the -sC flag like this:

nmap -sC -sV -v 10.10.10.118

We can also save the results of our nmap scans to a file using the -o flag like this

nmap -sC -sV -v -oA defaultscan 10.10.10.119

here -oA tells the nmap to output results in the three major formats at once and defaultscan is the name of the file that will be prepended to all the three output files.

This is the end of this short tutorial see you next time.

References:
https://nmap.org/book/scan-methods-null-fin-xmas-scan.html

Related word

1. Hacking Tools Name
2. Pentest Automation Tools
3. Pentest Tools Github
4. Hacking Tools For Windows
5. Pentest Tools For Android
6. Top Pentest Tools
7. Hack Tools 2019
8. Pentest Tools Alternative
9. Hacker Tools Apk
10. How To Make Hacking Tools
11. Ethical Hacker Tools
12. Hacker
13. Hacker Tools For Mac
14. Install Pentest Tools Ubuntu
15. Pentest Tools Free
16. Best Pentesting Tools 2018
17. Hack Tools Download
18. Pentest Tools Website Vulnerability
19. Hacker Search Tools
20. Hack Tools For Games
21. Hacker Tools Github
22. Hacking Tools Download
23. Hackrf Tools
24. New Hacker Tools
25. Pentest Tools Alternative
26. Pentest Tools Windows
27. Hacker Tools 2019
28. Pentest Tools For Windows
29. Pentest Tools Website
30. Hacker Hardware Tools
31. Nsa Hack Tools
32. Hacker
33. Top Pentest Tools
34. Hacker Tools Free Download
35. Free Pentest Tools For Windows
36. New Hacker Tools
37. Hacking Tools And Software
38. Game Hacking
39. Best Pentesting Tools 2018
40. Hacker
41. Pentest Recon Tools
42. Hacker Hardware Tools
43. Hacking Tools Online
44. Hacker Tools Software
45. Hacking Tools Online
46. Hacking Tools For Kali Linux
47. Hacker Tools Github
48. Pentest Automation Tools
49. Hacking Tools For Beginners
50. Hacking Tools Pc
51. Pentest Tools Website
52. Hacker Tools Mac
53. Best Hacking Tools 2020
54. Hacker
55. Hacking Tools
56. Usb Pentest Tools
57. Pentest Tools
58. Blackhat Hacker Tools
59. Best Hacking Tools 2019
60. Hack Tools Mac
61. Pentest Tools
62. Kik Hack Tools
63. Pentest Tools Linux
64. Pentest Tools Port Scanner
65. Hack Apps
66. Hacker Tools Windows
67. Hacking Tools Pc
68. Pentest Recon Tools
69. Hacking Tools For Windows 7
70. Hak5 Tools
71. Pentest Tools Review
72. Computer Hacker
73. Hacker Tools For Windows
74. Pentest Tools Review
75. Hacker Tools Software
76. Hacking Tools Free Download
77. Pentest Tools Android
78. Hacker Tools Windows
79. New Hack Tools
80. Hacking Tools Windows
81. Pentest Tools Review
82. Hacker Tools
83. Pentest Tools Url Fuzzer
84. Underground Hacker Sites
85. New Hack Tools
86. Pentest Tools Tcp Port Scanner
87. Hack Tool Apk
88. Hacking Tools
89. Hack Tools For Mac
90. Hacking Tools For Games
91. Hack Tools Mac
92. Kik Hack Tools
93. Hackrf Tools
94. Usb Pentest Tools
95. Android Hack Tools Github
96. Hacking Tools Windows
97. Hacker Tools Free Download
98. Hacking Tools For Beginners
99. Hacker Tools Mac
100. Hacking Tools For Windows 7
101. Hacking Tools For Windows

歡迎蒞臨：https://ofa588.com/

娛樂推薦：https://www.ofa86.com/

C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?

If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:

No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:

I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.

So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]

In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.

0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:

The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.

Note that gdb displays by default with at&t asm format wich the operands are in oposite order:

And having a string that is in the stack, controlling the index we can perform a write on the stack.

To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.

The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

Related articles

1. Nsa Hack Tools Download
2. Pentest Tools Android
3. Hacker Tools 2020
4. Best Pentesting Tools 2018
5. Hacking App
6. Nsa Hack Tools
7. Hacker Tools
8. Hackrf Tools
9. What Is Hacking Tools
10. Hacking Tools Download
11. Game Hacking
12. Hack Tools
13. Hacking Tools Usb
14. Pentest Tools Online
15. Pentest Tools List
16. Top Pentest Tools
17. Hack Apps
18. Hacker Tools Github
19. Pentest Tools Android
20. Hacking Tools Online
21. Hacking App
22. Pentest Tools Tcp Port Scanner
23. Easy Hack Tools
24. Hack Tools Pc
25. Hacking App
26. Pentest Tools Tcp Port Scanner
27. Pentest Tools Kali Linux
28. Hacking Tools For Pc
29. Hacking Tools 2020
30. Hacker Tools For Windows
31. Pentest Tools Windows
32. Hacking Tools Free Download
33. Growth Hacker Tools
34. Pentest Tools For Mac
35. Best Pentesting Tools 2018
36. Pentest Tools
37. Computer Hacker
38. Pentest Tools Github
39. Usb Pentest Tools
40. Hacking Tools Kit
41. Hacker Tool Kit
42. Tools For Hacker
43. Hack Tools For Ubuntu
44. Hacker Tools Linux
45. Hacking Tools Online
46. Pentest Tools Alternative
47. Hacker Tools List
48. Termux Hacking Tools 2019
49. Hacking Tools Windows 10
50. Pentest Tools Review
51. Easy Hack Tools
52. Pentest Reporting Tools
53. Hacker Tools Software
54. Pentest Tools Linux
55. Pentest Tools Linux
56. Termux Hacking Tools 2019
57. Hacker Tools Linux
58. Hack Tools For Games
59. Hacking Tools Windows 10
60. Pentest Tools Framework
61. Hak5 Tools
62. Hack Tools Download
63. Hacking Tools Windows
64. Hacking Tools For Windows 7
65. Hacker Tools Hardware
66. Nsa Hacker Tools
67. Pentest Tools Framework
68. Pentest Tools Free
69. Hacking Tools For Windows Free Download
70. Install Pentest Tools Ubuntu
71. Hack Tools For Pc
72. Hacking Tools Software
73. Hacker Tools 2020
74. Hacking Tools Windows 10
75. Tools Used For Hacking
76. Black Hat Hacker Tools
77. Hack App
78. Tools Used For Hacking
79. Hacker Tools Hardware
80. Pentest Tools For Mac
81. Hacking Tools
82. Hacking Tools For Windows Free Download
83. Hacker
84. Hacker Tools For Windows
85. Pentest Tools Framework
86. Termux Hacking Tools 2019
87. Ethical Hacker Tools
88. Wifi Hacker Tools For Windows
89. Hacker Tools Free Download
90. Top Pentest Tools
91. Hack Tools For Ubuntu
92. Computer Hacker
93. Pentest Tools Framework
94. Github Hacking Tools
95. Pentest Tools Android
96. Hacker Tools 2020
97. Hacker Tools Mac
98. Hacks And Tools
99. Hack Tool Apk
100. Hacking Tools Software
101. How To Hack
102. Pentest Tools Bluekeep
103. Hack Website Online Tool
104. Hacking Tools For Games
105. Pentest Tools Tcp Port Scanner
106. Hack Tool Apk No Root
107. Free Pentest Tools For Windows
108. New Hack Tools
109. Game Hacking
110. What Are Hacking Tools
111. Nsa Hack Tools Download
112. Tools 4 Hack
113. Hack Tools Online
114. Hacking Tools Windows
115. Hacker Tool Kit
116. Pentest Tools For Windows
117. Hacking Tools Online
118. Pentest Tools Tcp Port Scanner
119. Pentest Tools Website Vulnerability
120. Hacker Tools Online
121. Hacking Apps
122. Hack Tools For Pc
123. Hacker Tools Mac
124. Pentest Tools Review
125. Hack Tool Apk
126. Hacking Tools
127. Beginner Hacker Tools
128. Hacker Tools Online
129. Usb Pentest Tools
130. Pentest Tools Nmap
131. Black Hat Hacker Tools

歡迎蒞臨：https://ofa588.com/

娛樂推薦：https://www.ofa86.com/

Backtrack4

The Remote Exploit Development Team has just announced BackTrack 4 Beta. BackTrack is a Linux based LiveCD intended for security testing and we've been watching the project since the very early days. They say this new beta is both stable and usable. They've moved towards behaving like an actual distribution: it's based on Debian core, they use Ubuntu software, and they're running their own BackTrack repositories for future updates. There are a lot of new features, but the one we're most interested in is the built in Pico card support. You can use the FPGAs to generate rainbow tables and do lookups for things like WPA, GSM, and Bluetooth cracking. BackTrack ISO and VMWare images are available here.

Website: http://www.remote-exploit.org

Related word

1. Hacking Tools Download
2. Easy Hack Tools
3. Hacking Tools
4. Hacking App
5. Hack Tools Pc
6. Hacking Tools Name
7. Hacking Tools Download
8. Pentest Tools Subdomain
9. Hacking Tools Name
10. Hacker Tool Kit
11. Pentest Tools Review
12. Hacking Tools Online
13. Growth Hacker Tools
14. Hacking Apps
15. Hacking Tools For Games
16. Pentest Tools Apk
17. What Is Hacking Tools
18. Hacking Tools For Windows
19. Hacker Hardware Tools
20. Kik Hack Tools
21. Hacks And Tools
22. Hacking Tools Hardware
23. Hacking Tools For Windows 7
24. Hack Tools
25. Computer Hacker
26. Hack Tools
27. Easy Hack Tools
28. Hacker Tools Apk
29. Hack Tools Pc
30. Free Pentest Tools For Windows
31. Physical Pentest Tools
32. Hacking Tools Kit
33. Tools For Hacker
34. Pentest Tools Apk
35. Nsa Hack Tools
36. Hacking Apps
37. Pentest Tools Find Subdomains
38. Pentest Tools Url Fuzzer
39. Hacker Security Tools
40. Blackhat Hacker Tools
41. Hacker Tools List
42. New Hacker Tools
43. Hacker Tools List
44. Hacker Tools Github
45. Hacking Tools Usb
46. Hacking Tools For Windows Free Download
47. How To Hack
48. Hacking Tools For Beginners
49. Hacker Tools For Pc
50. How To Hack
51. Hackrf Tools
52. Hack Tools Download
53. Hacking Tools For Kali Linux
54. Kik Hack Tools
55. Hack Apps
56. Blackhat Hacker Tools
57. Pentest Tools Windows
58. Beginner Hacker Tools
59. Hacking Tools 2020
60. Best Hacking Tools 2020
61. Hacking Tools Free Download
62. Pentest Tools
63. Pentest Reporting Tools
64. Pentest Tools
65. Hack Tools For Mac
66. Pentest Tools For Mac
67. Pentest Tools Subdomain
68. Pentest Tools Bluekeep
69. Hacking Tools Windows
70. Pentest Tools Port Scanner
71. Wifi Hacker Tools For Windows
72. Best Pentesting Tools 2018
73. Hacking Apps
74. Pentest Box Tools Download
75. Nsa Hack Tools Download
76. Game Hacking
77. Pentest Tools Find Subdomains
78. Pentest Tools Review
79. Pentest Tools Github
80. Hacker Tools For Ios
81. Github Hacking Tools
82. Nsa Hacker Tools
83. Pentest Tools Framework
84. Pentest Tools Find Subdomains
85. What Is Hacking Tools
86. Pentest Tools Alternative
87. Pentest Tools Bluekeep
88. Best Pentesting Tools 2018
89. Pentest Tools Free
90. Hacking Tools Windows
91. Physical Pentest Tools
92. Hacking App
93. Github Hacking Tools
94. Hack Tools Download
95. Hack Tool Apk
96. Pentest Tools Tcp Port Scanner
97. Computer Hacker
98. Pentest Tools Framework
99. Hacking Tools Windows
100. Physical Pentest Tools
101. Hacking Tools 2019
102. Hack Tools For Mac
103. Termux Hacking Tools 2019
104. Hacking Tools Download
105. Hack Website Online Tool
106. World No 1 Hacker Software
107. Hacker Tools Online
108. How To Make Hacking Tools
109. Hacker Tools Github
110. Termux Hacking Tools 2019
111. Easy Hack Tools
112. Pentest Tools Bluekeep
113. Hacking Tools For Windows Free Download
114. Nsa Hack Tools Download
115. Hacker Tools Free
116. Hacking Tools Usb
117. Hacking Tools For Games
118. Pentest Tools Website Vulnerability
119. Hack Website Online Tool
120. Hacker Hardware Tools
121. Pentest Tools Website
122. How To Hack
123. Pentest Tools Free
124. Hack Tools Online
125. Pentest Tools Website Vulnerability
126. Hack Tools For Windows
127. Hack Tools For Windows
128. World No 1 Hacker Software
129. Hacker Tools Online
130. Hack Tools
131. Pentest Recon Tools
132. New Hack Tools
133. Hacking Tools And Software
134. Hack Tools
135. Hack Tools For Windows
136. Computer Hacker

歡迎蒞臨：https://ofa588.com/

娛樂推薦：https://www.ofa86.com/