Posted on 02 Jun 2022 by Ray Heffer
Yes, that’s right: the Nmap command in my header image was the same one Trinity used in The Matrix Reloaded (2003). But have you ever wondered what -sS does, or -O? I thought I’d share my cheat sheet, which may come in handy if you need a quick reference for TryHackMe or HackTheBox.
First, a quick breakdown on the command Trinity used:
nmap -v -sS -O 10.2.2.2
-v - Verbose mode. Prints additional information, such as the time of scans and the number of hosts and ports scanned.
-sS - The scan type. In this case a TCP SYN scan, also known as a Stealth Scan.
-O - Operating system detection. If you look closely at Trinity’s output, no OS was matched.
Scan Types (-s)
-sA TCP ACK scan
-sT TCP scan
-sF FIN scan
-sI IDLE scan
-sL DNS scan (LIST scan)
-sN NULL scan
-sO Protocol scan
-sP Ping scan
-sR RPC scan
-sS TCP SYN scan
-sW Window scan
-sX XMAS scan

Ping Types (-P)
-PP ICMP timestamp ping
-PS TCP SYN ping
-PT TCP ping
-Pn No ping (written -P0 in older Nmap versions)
-PI ICMP ping
-D Decoy scan. This makes the scan appear to be coming from another IP as well, such as the sys admin’s host.
<IP> The IP address(es) you want to use as the decoy.
RND:# Number of random IP addresses to use.
nmap -D RND:10 [target]
nmap -D 10.0.3.24,10.0.3.25 [target]
Timing (how quickly it scans, to avoid detection)
-F Scan fewer ports
nmap --script - Specify a script
nmap -sC - Use default scripts. Same as --script=default.
If an ACK scan shows some ports as filtered, it is likely a stateful firewall.
nmap -sN 10.2.2.2 - Send a TCP packet with no flags set (null)
nmap -sF 10.2.2.2 - Set the FIN bit
nmap -sX 10.2.2.2 - Send an XMAS scan
The first command sends a TCP packet with no flags set, the second sets the FIN bit, and the last sets the FIN, PSH and URG bits. This can trick non-stateful firewalls into giving up information about a port’s state.
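From the defender’s side, the flag combinations listed above are exactly what a sensor should be looking for: no legitimate client sends a TCP segment with no flags, a lone FIN, or FIN+PSH+URG to a port it has never spoken to, and a bare ACK with no preceding SYN is the signature of an ACK scan. The following is an added example written for this post (not Ray’s code, and not part of Nmap) that runs that logic over a constructed packet log. The log format (“src dst dport flags”, tcpdump-style flag letters) and the five-port fan-out threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample log, one packet per line: "src dst dport flags".
# Flags use tcpdump letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST; "." means no flags set.
# 10.2.2.9 sweeps six ports with SYNs, 10.2.2.7 sends NULL/FIN/XMAS probes,
# 10.2.2.5 sends an unsolicited ACK, and 10.2.2.3 is a normal client completing a handshake.
SAMPLE_LOG = """\
10.2.2.9 10.2.2.2 21 S
10.2.2.9 10.2.2.2 22 S
10.2.2.9 10.2.2.2 80 S
10.2.2.9 10.2.2.2 443 S
10.2.2.9 10.2.2.2 3306 S
10.2.2.9 10.2.2.2 8080 S
10.2.2.7 10.2.2.2 80 .
10.2.2.7 10.2.2.2 443 F
10.2.2.7 10.2.2.2 22 FPU
10.2.2.5 10.2.2.2 25 A
10.2.2.3 10.2.2.2 443 S
10.2.2.3 10.2.2.2 443 A
10.2.2.3 10.2.2.2 443 PA
"""

# Tuning assumption: how many distinct ports one source may SYN before we call it a sweep.
SYN_FANOUT_THRESHOLD = 5


def parse_log(text):
    """Turn the constructed log into (src, dst, dport, flags) tuples; '.' becomes an empty flag string."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags = line.split()
        records.append((src, dst, int(dport), "" if flags == "." else flags))
    return records


def classify_flags(flags):
    """Map a flag combination to the Nmap probe type that produces it, or None for ordinary traffic."""
    s = set(flags)
    if not s:
        return "NULL probe (-sN)"
    if s == {"F"}:
        return "FIN probe (-sF)"
    if s == {"F", "P", "U"}:
        return "XMAS probe (-sX)"
    return None


def detect_scans(text, syn_threshold=SYN_FANOUT_THRESHOLD):
    """Return {src: [findings]} for every source whose traffic looks like one of the scan types above."""
    findings = defaultdict(list)
    syn_ports = defaultdict(set)   # src -> ports that received a bare SYN
    handshake_started = set()      # (src, dport) pairs where the src sent a SYN first

    for src, dst, dport, flags in parse_log(text):
        kind = classify_flags(flags)
        if kind:
            findings[src].append(f"{kind} to port {dport}")
        if flags == "S":
            syn_ports[src].add(dport)
            handshake_started.add((src, dport))
        elif flags == "A" and (src, dport) not in handshake_started:
            # A bare ACK with no preceding SYN from this source is what -sA sends.
            findings[src].append(f"unsolicited ACK probe (-sA) to port {dport}")

    for src, ports in syn_ports.items():
        if len(ports) >= syn_threshold:
            findings[src].append(f"SYN sweep (-sS/-sT) across {len(ports)} ports")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_LOG).items():
        print(src)
        for hit in hits:
            print("  -", hit)
```

The normal client (10.2.2.3) produces no findings because its ACK follows its own SYN, which is the distinction a stateful firewall makes and a stateless one cannot; that is the same reason the ACK scan reports filtered ports behind stateful devices.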
Sorry for the clickbait, but actually you can (most of the time) detect a remote OS with one simple trick: the ping command. It’s all in the TTL (time-to-live) value, which indicates how many hops a packet can take before it is discarded, hence ‘time-to-live’. The default TTL for Windows is 128, whereas Linux and Mac OS use 64. There are exceptions of course, so it’s not always accurate. Linux kernel 2.4 used a TTL of 255, or the sys admin may have changed it in
$ ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=64 time=0.069 ms
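One caveat worth building into the trick: the TTL you see in the reply is the initial value minus one per router hop, so a host a dozen hops away shows ttl=116 rather than 128. Rounding up to the nearest common default recovers both the OS guess and an estimate of the hop count. The script below is an added example for this post (not Ray’s code) that does that for the ping output above plus a constructed Windows-style reply; the default-TTL table covers the values the post mentions (64, 128, 255) and the hypothetical 10.2.2.50 host is made up for the example.

```python
import re

# Common initial TTL values and the stacks that ship with them (64/128/255 as discussed in the post).
INITIAL_TTLS = {
    64: "Linux / macOS",
    128: "Windows",
    255: "Linux 2.4 era kernels and many network devices",
}

# Linux ping prints "ttl=64", Windows ping prints "TTL=116"; match both.
TTL_RE = re.compile(r"\bttl=(\d+)\b", re.IGNORECASE)

# The local Linux host from the post.
SAMPLE_LOCAL = """\
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=64 time=0.069 ms
"""

# Constructed Windows-style output from a hypothetical host 12 hops away.
SAMPLE_REMOTE_WINDOWS = """\
Reply from 10.2.2.50: bytes=32 time=12ms TTL=116
Reply from 10.2.2.50: bytes=32 time=11ms TTL=116
Reply from 10.2.2.50: bytes=32 time=13ms TTL=116
"""


def extract_ttls(ping_output):
    """Return every TTL value found in the ping output, in order."""
    return [int(m.group(1)) for m in TTL_RE.finditer(ping_output)]


def infer_initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value.

    Each hop decrements TTL by one, so the difference is the estimated hop count.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    raise ValueError(f"TTL {observed} exceeds the IP maximum of 255")


def guess_os(ping_output):
    """Summarise the most common observed TTL as an initial TTL, hop estimate and OS family guess."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        return None
    # Use the most frequent value so one reply that took a different path does not skew the result.
    observed = max(set(ttls), key=ttls.count)
    initial, hops = infer_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": hops,
        "guess": INITIAL_TTLS[initial],
    }


if __name__ == "__main__":
    for name, sample in (("local", SAMPLE_LOCAL), ("remote", SAMPLE_REMOTE_WINDOWS)):
        print(name, guess_os(sample))
```

As the post says, this is a guess, not a fingerprint: an admin can change the default, and a host exactly 64 hops from a 128-default stack would be misread as a local Linux box. Treat it as a quick first look and confirm with Nmap’s -O when it matters.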
Another way to detect the operating system of a remote host is using Nmap with the -O flag. Nmap detects the operating system using the TCP/IP stack: it sends up to 16 TCP, UDP and ICMP probes and, depending on the responses, matches the OS ‘fingerprint’. You can read the official documentation on that here.