How to Test A Server If It Has A Firewall or WAF

It’s important to note that some firewalls and WAFs can be configured to give no indication of their presence, so a negative result from the checks below does not prove there is none; it’s always good to check with your cloud provider to see what security measures they have in place.

Use a port scanner: Use a tool such as Nmap to scan the ports on your cloud server. If a firewall or WAF is in place, it will block or limit access to certain ports.

Check firewall rules: Check the firewall rules on your cloud server. If a firewall or WAF is in place, it will have specific rules and configurations that you can check.

Run a penetration test: Use a tool such as Nessus or Metasploit to perform a penetration test against your cloud server. A firewall or WAF will block or limit the requests these tools send to probe for certain vulnerabilities.

Check for WAF-specific headers: Inspect the headers of your server’s responses. Many WAFs add vendor-specific headers that reveal their presence.

Check for error messages: Attempt to access a blocked resource or perform a blocked action and check for error messages. A firewall or WAF will often provide detailed error messages when access is blocked.

Check the logs: Check the logs of your cloud server for any firewall or WAF related events. This will give you an idea of how the firewall or WAF is configured and what actions it is taking.
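As an added example (not part of the original article), the following Python script applies the header and error-message checks above to a captured HTTP response. The indicator tables are a small illustrative set of header names and Server values that well-known WAF/CDN products set; they are an assumption you should extend for your own provider, and the two sample responses are constructed inline so the script runs offline. For the reason given at the top of this section, an empty result does not prove that no WAF is present.

```python
"""Check an HTTP response for signs that a WAF or edge proxy handled it.

Added example, not code from the original article. Indicator tables are
illustrative (an assumption to extend for your provider); sample responses
are constructed so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# Response headers that well-known WAF/CDN products add. Illustrative only.
HEADER_INDICATORS = {
    "cf-ray": "Cloudflare",
    "x-sucuri-id": "Sucuri",
    "x-iinfo": "Imperva/Incapsula",
}
# Substrings of the Server header that name a WAF/CDN product. Illustrative only.
SERVER_INDICATORS = {
    "cloudflare": "Cloudflare",
    "akamaighost": "Akamai",
    "sucuri": "Sucuri",
}
# Phrases typical of block pages; a weak signal, only counted on 403/406.
BLOCK_PAGE_RE = re.compile(r"blocked|access denied|firewall", re.IGNORECASE)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status code, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def waf_indicators(raw: bytes) -> List[str]:
    """Return human-readable indicators found in the response (empty if none)."""
    status, headers, body = parse_response(raw)
    found: List[str] = []
    for name, product in HEADER_INDICATORS.items():
        if name in headers:
            found.append(f"header {name}: {product}")
    server = headers.get("server", "").lower()
    for needle, product in SERVER_INDICATORS.items():
        if needle in server:
            found.append(f"Server header: {product}")
    if status in (403, 406) and BLOCK_PAGE_RE.search(body):
        found.append(f"block page (HTTP {status})")
    return found


# Constructed sample responses (not captured from any real server).
SAMPLE_BLOCKED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: cloudflare\r\n"
    b"CF-RAY: 0000000000000000-XXX\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Sorry, this request was blocked.</body></html>"
)
SAMPLE_PLAIN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("blocked", SAMPLE_BLOCKED), ("plain", SAMPLE_PLAIN)):
        print(label, waf_indicators(raw) or "no WAF indicators")
```

Against your own server, feed `waf_indicators` the raw bytes of a response you captured (for example the output of `curl -si`), once for a normal page and once for a request you expect the WAF to block, and compare the two result lists.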

What is Nmap?

Nmap (Network Mapper) is a free and open-source tool that is used for network exploration, management, and security auditing. It can be used to discover hosts and services on a computer network, and it can also be used to identify vulnerabilities and security issues on a network. Nmap can be run on a variety of operating systems, including Windows, Linux, and macOS.

Nmap can perform a variety of tasks, including:

Network mapping: Nmap can be used to map out the layout of a network, including the hosts and services that are running on it.

Port scanning: Nmap can be used to scan a network for open ports, which can help identify potential security vulnerabilities.

Version detection: Nmap can be used to determine the version of software that is running on a host or service.

OS detection: Nmap can be used to determine the operating system that is running on a host.

Scripting Engine: Nmap can be used to run scripts that automate tasks and gather additional information about a network.

Nmap can be run from the command line and can also be used with a GUI (graphical user interface) for easy usage. It is widely used by network administrators and security professionals to identify potential security issues and vulnerabilities on their networks.

How to Use Nmap?

Install Nmap: Nmap can be downloaded and installed on a variety of operating systems, including Windows, Linux, and macOS.

Open the command line: Open the command prompt or terminal on your computer.

Type in the command: To scan a host or IP address, you can use the command “nmap [hostname or IP address]”. For example, to scan the host “google.com”, you would use the command “nmap google.com”.

Customize the scan: Nmap has a variety of options that can be used to customize the scan. For example, you can use the “-p” option to specify a specific port to scan or the “-sS” option to perform a stealth scan. You can find the full list of options in the Nmap documentation.

Interpret the results: Once the scan is complete, Nmap will display the results in the terminal. The results will show the open ports and services that are running on the host, as well as any potential vulnerabilities or security issues.

Use the scripting engine: Nmap has a scripting engine that can be used to automate tasks and gather additional information about a network. For example, you can use the “nmap --script=http-title [hostname or IP address]” command to check the title of a webpage.

Save the results: You can save the results of your scan by redirecting the output to a file. For example, “nmap google.com > scan_results.txt” saves the scan results to a file named scan_results.txt.

It’s important to note that running Nmap scans on networks or hosts that you do not own or have permission to scan is illegal and unethical. Always obtain the appropriate permissions before running a scan.

Nmap Targeting

Nmap targeting refers to the process of identifying the hosts and networks that will be scanned using Nmap. There are several ways to target hosts and networks with Nmap:

Single host: You can specify a single host or IP address to scan using the command “nmap [hostname or IP address]”. For example, “nmap google.com” will scan the host “google.com”.

Range of IP addresses: You can specify a range of IP addresses using Nmap’s octet-range syntax, “nmap [start]-[end]”, where the range is written inside one octet. For example, “nmap 192.168.1.1-255” will scan all IP addresses from 192.168.1.1 to 192.168.1.255.

List of IP addresses: You can specify a list of IP addresses to scan using the command “nmap [IP address 1] [IP address 2] [IP address 3]”. For example, “nmap 192.168.1.1 192.168.1.2 192.168.1.3” will scan the IP addresses 192.168.1.1, 192.168.1.2, and 192.168.1.3.

Subnet: You can specify a subnet in CIDR notation using the command “nmap [network address]/[prefix length]”. For example, “nmap 192.168.1.0/24” will scan all IP addresses in the 192.168.1.0/24 subnet.

File input: You can specify a list of IP addresses or hostnames to scan using the command “nmap -iL [file name]”. For example, “nmap -iL targetlist.txt” will scan the IP addresses or hostnames listed in the file “targetlist.txt”.

Resolve hostnames: The “-R” option makes Nmap perform reverse-DNS resolution for every target address, for example “nmap -R [hostname or IP address]”; by default Nmap resolves names only for hosts that respond.

It’s important to note that when targeting a large range of IP addresses, it could take a long time for Nmap to complete the scan, and it can also cause a high load on the network. Be sure to use the appropriate options to avoid any network disruption or overloading.
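To make the target forms above concrete, here is an added Python example (not code from the article or from Nmap) that expands a target specification into the individual addresses a scan would cover: a single address, a CIDR block, per-octet ranges such as 192.168.1.1-10, and an -iL style list. It goes slightly beyond the section in that a range or “*” may appear in any octet, which is the general form Nmap accepts. Hostnames are passed through unchanged, so no DNS is needed; the comment handling in the list reader is this example’s own convention.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses.

Added example, not code from the article or from Nmap. It handles a single
address, a CIDR block, per-octet ranges such as 192.168.1.1-10 (the
octet-range form Nmap accepts) and an -iL style list. Hostnames are returned
unchanged so the function needs no DNS.
"""
import ipaddress
import itertools
from typing import Iterable, List


def _expand_octet(part: str) -> List[int]:
    """'5' -> [5]; '1-3' -> [1, 2, 3]; '*' -> every value 0..255."""
    if part == "*":
        return list(range(256))
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part}")
        return list(range(lo, hi + 1))
    value = int(part)
    if not 0 <= value <= 255:
        raise ValueError(f"bad octet: {part}")
    return [value]


def expand_target(spec: str) -> List[str]:
    """Expand one command-line target spec into a list of addresses."""
    spec = spec.strip()
    if "/" in spec:
        # Nmap scans every address in the block, network and broadcast included.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(p == "*" or p.replace("-", "").isdigit() for p in parts):
        octets = [_expand_octet(p) for p in parts]
        return [".".join(str(o) for o in combo) for combo in itertools.product(*octets)]
    # Anything else is treated as a hostname, resolved at scan time by Nmap.
    return [spec]


def expand_target_list(lines: Iterable[str]) -> List[str]:
    """Equivalent of -iL: whitespace-separated specs; '#' starts a comment (example convention)."""
    targets: List[str] = []
    for line in lines:
        for spec in line.split("#", 1)[0].split():
            targets.extend(expand_target(spec))
    return targets


if __name__ == "__main__":
    for spec in ("192.168.1.1", "192.168.1.1-3", "10.0.0.0/30", "scanme.example"):
        print(spec, "->", expand_target(spec))
```

Printing `len(expand_target(spec))` before a large scan is a quick way to see how many addresses a specification really covers, which is the load concern the paragraph above raises.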

Nmap Discovery Study

Nmap Discovery Study refers to the process of using Nmap to gather information about a network or system. This can include identifying open ports and services, discovering connected devices and their IP addresses, and identifying potential vulnerabilities or security issues.

Port scanning: Nmap can be used to scan for open ports on a network or system. This can be done using the command “nmap [hostname or IP address]” or “nmap [subnet]/[subnet mask]”. The results of the scan will show the open ports and the services that are running on those ports.

OS detection: Nmap can be used to detect the operating system of a host or device on a network. This can be done using the command “nmap -O [hostname or IP address]”. The results of the scan will show the detected operating system and the level of confidence in the detection.

Version detection: Nmap can be used to detect the version of a service running on a host or device on a network. This can be done using the command “nmap -sV [hostname or IP address]”. The results of the scan will show the detected version of the service and the level of confidence in the detection.

Script scanning: Nmap has a scripting engine that can be used to automate tasks and gather additional information about a network. For example, you can use the “nmap --script=http-title [hostname or IP address]” command to check the title of a webpage.

Vulnerability scan: Nmap can be used to scan for known vulnerabilities on a network or system. This can be done using the command “nmap --script vuln [hostname or IP address]”. The results of the scan will show any potential vulnerabilities and the severity of the vulnerability.

Saving the results: You can save the results of your scan by redirecting the output to a file. For example, “nmap google.com > scan_results.txt” saves the scan results to a file named scan_results.txt.

It’s important to note that running Nmap scans on networks or hosts that you do not own or have permission to scan is illegal and unethical. Always obtain the appropriate permissions before running a scan. Also, the results of an Nmap scan should be used as a starting point for further analysis and should not be used as the sole source of information about a network or system.

Port Scanning Techniques

Nmap offers several different techniques for port scanning, each with their own advantages and disadvantages. Some of the most commonly used port scanning techniques include:

TCP Connect: This is the most basic and widely used port scanning technique. It attempts to establish a full TCP connection to the target host on a specified port. It is the most accurate method of port scanning, but it also generates the most traffic and is the easiest to detect.

TCP SYN: Also known as “half-open scanning,” this technique sends a SYN packet to the target host on a specified port. If the host responds with a SYN-ACK packet, it is considered open. If it responds with a RST packet, it is considered closed. This technique is less detectable than a full TCP connect scan but still generates more traffic than other techniques.

TCP ACK: This technique sends an ACK packet to the target host on a specified port. It cannot tell open ports from closed ones; its purpose is to map firewall rules, reporting a port as unfiltered when the host answers with a RST and as filtered when nothing (or an ICMP error) comes back. It generates little traffic but reveals the least about the services themselves.

UDP: This technique sends a UDP packet to the target host on a specified port. If the host responds with an ICMP port unreachable message, the port is considered closed. If it does not respond, the port is considered open (Nmap reports the state as open|filtered, because an open service that ignores the probe and a firewall that drops it look the same). This technique is used to identify open UDP ports, but it is slower and less accurate than the TCP techniques.

FIN, Xmas tree: These techniques send packets with unusual flag combinations (FIN alone, or FIN, PSH and URG together) to check whether a firewall is blocking certain types of traffic; the firewall may drop or reject packets with such flag combinations.

Stealth scan: This is a type of scan designed to be less detectable; it is used to evade firewalls and intrusion detection systems. In Nmap the term usually refers to the SYN scan (“-sS”), since no full connection is completed.

It’s important to note that the choice of port scanning technique will depend on the specific requirements of the scan and the network environment. In some cases, it may be necessary to use multiple techniques to ensure accurate results.

Nmap Port Detection and Discovery Scans

Nmap (Network Mapper) is a popular open-source tool for network discovery and security auditing. It can perform several types of scans to detect open ports and gather information about network devices. Some common Nmap scans include:

TCP Connect Scan: A basic and straightforward scan that uses the operating system’s connect() call to complete a full three-way handshake with each target port; a completed connection means the port is open. It needs no special privileges, but it is the easiest scan for the target to log.

SYN Scan (Stealth Scan): A more advanced and faster scan that sends a SYN packet to each target port and waits for a response (SYN-ACK means open, RST means closed). It never completes the connection, so the target service sees no connection and the scan is less likely to be logged.

UDP Scan: A scan that sends an empty UDP packet to each target port. An ICMP Port Unreachable reply means the port is closed; no reply is reported as open|filtered, because an open service that ignores the probe and a firewall that drops it look the same.

ACK Scan: A scan that sends an ACK packet to each target port and waits for a response to determine if the port is filtered (firewalled) or unfiltered (accessible).

Xmas Scan: A scan that sets the FIN, PSH, and URG flags in a TCP packet (the FIN scan with two more flags lit). A RST reply means the port is closed; no reply is reported as open|filtered. On systems that do not follow RFC 793 closely, every port answers with a RST, so the result is unreliable there.

Version Detection Scan: A scan that gathers information about the software and versions running on the target host’s open ports.

These are just a few examples of the many scans that Nmap can perform. Nmap is highly customizable, allowing you to perform scans tailored to your specific needs.
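The TCP Connect technique described in the two sections above is simple enough to implement directly. The following Python script is an added example (not code from the article or from Nmap): it probes ports with the operating system’s connect() call and labels each one the way Nmap reports it, open for a completed handshake, closed for a RST (connection refused) and filtered when nothing comes back before the timeout. So that it runs offline, it starts a throwaway listener on 127.0.0.1 as a stand-in for a service on a host you administer, and picks a second loopback port with no listener as the closed case.

```python
"""TCP connect scan of a host you administer, demonstrated against a local listener.

Added example, not code from the article or from Nmap. It implements the TCP
Connect technique with the OS connect() call and labels ports the way Nmap
reports them: completed handshake -> open, RST/connection refused -> closed,
no answer within the timeout -> filtered. The loopback listener stands in for
a service on your own server so the script runs offline.
"""
import socket
import threading
from typing import Dict, Iterable, Tuple


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Return {port: 'open' | 'closed' | 'filtered'} for each port probed."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))        # full three-way handshake
                results[port] = "open"
            except ConnectionRefusedError:        # peer answered with RST
                results[port] = "closed"
            except OSError:                       # timeout (dropped by a filter) or unreachable
                results[port] = "filtered"
    return results


def start_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP service on loopback; returns (server socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free port
    server.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:                       # server socket closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def free_port() -> int:
    """Pick a loopback port with no listener, so connecting to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan one listening and one closed loopback port; returns the classification."""
    server, open_port = start_listener()
    closed_port = free_port()
    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        server.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    outcome = demo()
    for port, state in outcome["results"].items():
        print(f"127.0.0.1:{port} {state}")
```

Against a real host, the ports that come back filtered rather than closed are the ones a firewall is dropping, which is exactly the signal the first section of this page uses to tell whether a firewall is in front of your server. Because each probe completes a connection, expect every open port it touches to show up in that service’s logs.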

Nmap Script Engine

Nmap Script Engine (NSE) is a feature of the Nmap security scanner that enables users to write and share scripts to automate various tasks. The NSE scripts are written in the Lua programming language and can perform tasks such as:

Version detection: Retrieving information about the operating system, application server, and software versions running on a target host.

Vulnerability detection: Scanning for known vulnerabilities and exploits in the target’s software and operating system.

Information gathering: Collecting information about target hosts, such as DNS names, IP addresses, and open ports.

Service detection: Identifying the type of service running on an open port.

Brute-forcing: Automatically trying different username and password combinations to gain access to a target service.

NSE scripts can be run individually or as part of a larger scan, providing a flexible and powerful way to automate various tasks. 

The Nmap community has created a large library of NSE scripts that can be used for various purposes, including vulnerability detection, network discovery, and information gathering.

Nmap Output Adjustments

Nmap has several options for adjusting the output format to suit your needs. Some common output format options include:

Normal output: The default output format, which provides a simple and easy-to-read summary of the scan results.

Greppable output: A machine-readable format that makes it easy to parse the output with other tools.

XML output: A format that provides detailed information about the scan results in XML format, making it easy to process with other tools.

Verbose output: A more detailed output format that provides additional information about the scan process and results.

All port output: An output format that shows detailed information about all scanned ports, including open, closed, and filtered ports.

No output: A silent mode that suppresses all output, useful when you only want to save the scan results to a file.

These are just a few examples of the many output format options available in Nmap. You can adjust the output format to suit your needs, whether you want to view the results in a human-readable format, process the results with other tools, or save the results for future reference.
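The greppable format is the one most worth parsing yourself, and it also closes the loop with the firewall checks at the top of this page: once a scan is saved with -oG, you can compare the open ports against the list of ports you intended to expose. The following Python script is an added example (not code from the article or from Nmap). The -oG layout it relies on is one tab-separated “Host:” line per host, with each “Ports:” entry made of seven slash-separated fields: port/state/protocol/owner/service/rpc-info/version/. The sample text is constructed to resemble such output and is not a real scan; the allowlist in the usage is likewise an assumption.

```python
"""Parse Nmap greppable output (-oG) and compare it against a port allowlist.

Added example, not code from the article or from Nmap. The -oG format puts
one tab-separated "Host: ..." line per host; each "Ports:" entry has seven
slash-separated fields: port/state/protocol/owner/service/rpc-info/version/.
The sample below is constructed to resemble such output; it is not a real scan.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/30
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH/, 443/open/tcp//https//nginx/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 53/open/udp//domain//dnsmasq/\tIgnored State: closed (999)
# Nmap done -- 4 IP addresses (2 hosts up) scanned
"""

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


@dataclass
class HostRecord:
    ip: str
    hostname: str
    ports: List[Dict[str, str]] = field(default_factory=list)


def parse_gnmap(text: str) -> Dict[str, HostRecord]:
    """Build {ip: HostRecord} from greppable output; comment lines are skipped."""
    hosts: Dict[str, HostRecord] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        columns = line.split("\t")
        match = HOST_RE.match(columns[0])
        if match is None:
            continue
        ip, hostname = match.group(1), match.group(2)
        record = hosts.setdefault(ip, HostRecord(ip, hostname))
        for column in columns[1:]:
            if column.startswith("Ports: "):
                for entry in column[len("Ports: "):].split(", "):
                    values = entry.split("/")
                    record.ports.append(dict(zip(PORT_FIELDS, values)))
    return hosts


def open_ports(hosts: Dict[str, HostRecord], proto: str = "tcp") -> Dict[str, List[int]]:
    """Open port numbers per host for the given protocol."""
    return {
        ip: [int(p["port"]) for p in rec.ports if p["state"] == "open" and p["proto"] == proto]
        for ip, rec in hosts.items()
    }


def unexpected_open(hosts: Dict[str, HostRecord], allowed: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open TCP ports not on the per-host allowlist: candidates for a firewall rule."""
    findings: Dict[str, List[int]] = {}
    for ip, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(open_ports(scan))
    # Hypothetical allowlist: only SSH is meant to be reachable on the gateway.
    print(unexpected_open(scan, {"192.168.1.1": {22}}))
```

Run it on a real file with `parse_gnmap(open("scan.gnmap").read())`; anything `unexpected_open` reports is either a service that should not be listening or a port the firewall was supposed to drop and did not.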
