Introduction: In the realm of red teaming, the ability to move through a target environment undetected is paramount. Tools like Nmap are invaluable for penetration testers, yet their default settings can raise red flags. It is therefore important to understand exactly what a tool sends before using it in these attack scenarios.
In this blog post we will analyze what Nmap sends to the target on ports 80 and 443, how that traffic can be detected, and how we can operate with more stealth and precision.
Nmap is a powerful network scanning tool and is used all the time. However, its defaults can give away your position. For example, a User-Agent header is automatically added when you run the default scripts (-sC) against a web port. These default scripts perform various GET/HEAD/OPTIONS/POST requests to retrieve information about the host, and each of them carries a User-Agent header that clearly shows the host is being scanned by someone running Nmap:
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
We can simply pass a script argument that overrides the User-Agent with whatever we provide. Use something that blends in with the normal user population of the target:
nmap -p 80,443 --script-args http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" -A <domain>
Now every request made through the NSE http library uses the string given in http.useragent instead. This limits detection if the detection was based purely on the Nmap User-Agent header (which of course is rarely the only signal: the number of requests in a short time is also a clear indicator).
There are other ways to be detected, however, and to detect possible Nmap scans. While checking the results in Wireshark I found out that Nmap also performs a request to /nmaplowercheck followed by an epoch timestamp, which clearly shows I need to investigate more what my tools do.
According to the code, which can be found at https://svn.nmap.org/nmap/nselib/http.lua,
it is used to check whether the server returns proper 404 responses for URLs that do not exist. Interestingly, there are three checks defined: after /nmaplowercheck<epoch> there is /NmapUpperCheck<epoch> and a folder /Nmap/folder/check<epoch>. The last two are only requested when the first one (nmaplowercheck) results in a 200 HTTP response.
The reason is that some servers answer 200 for every unknown URL (a "soft 404"). By requesting a differently cased file name and a folder and comparing the three responses, Nmap learns what this server's "not found" page looks like, so that later scripts can tell real pages apart from it.
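To make the three-probe logic concrete, here is a Python re-implementation of that check. This is an added example, not Nmap's code and not from the original post; it simplifies http.lua's identify_404 and clean_404 (the real clean_404 strips more than the echoed path). Because the advice in this post is to perform such steps manually, the probe paths use a random token instead of the "nmaplowercheck" + epoch signature and the User-Agent is a blending one. The fetch callable, the three fake servers and the USER_AGENT value are constructed for this example.

```python
import secrets
from typing import Callable, Dict, Tuple

# Assumption: a User-Agent that matches the target's normal user pool.
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3")

# Status codes http.lua lists as bad_responses: if the first probe gets one of
# these, the server's answer for unknown URLs is recorded as that code.
BAD_RESPONSES = {301, 302, 400, 401, 403, 499, 501, 503}

# fetch(path, headers) -> (status, body); a real one would wrap http.client.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]


def probe_paths() -> Tuple[str, str, str]:
    """Same three shapes as Nmap (lowercase file, upper-case file, folder),
    but with a random token instead of 'nmaplowercheck' + epoch time."""
    token = secrets.token_hex(6)              # lowercase hex, e.g. 3f9a1c0e7b2d
    return f"/{token}", f"/{token.upper()}", f"/{token}/folder/check"


def clean_body(body: str, path: str) -> str:
    """Strip the echoed request path so two 'not found' pages that only differ
    by the URL they mention compare equal (simplified clean_404)."""
    return body.replace(path, "")


def identify_404(fetch: Fetch) -> Tuple[bool, int, str]:
    """Learn how this server answers for unknown URLs.

    Returns (usable, status_for_unknown, body_of_known_404). usable=False means
    later results cannot be trusted because the server answered inconsistently."""
    headers = {"User-Agent": USER_AGENT}
    p1, p2, p3 = probe_paths()
    s1, b1 = fetch(p1, headers)
    if s1 == 404:
        return True, 404, ""                   # proper 404: nothing more to do
    if s1 == 200:
        # Soft 404 suspected: only now send the upper-case and folder probes
        # and require all three to agree on status and (cleaned) body.
        s2, b2 = fetch(p2, headers)
        s3, b3 = fetch(p3, headers)
        if s2 != 200 or s3 != 200:
            return False, 200, ""
        c1, c2, c3 = clean_body(b1, p1), clean_body(b2, p2), clean_body(b3, p3)
        if c1 != c2 or c1 != c3:
            return False, 200, ""
        return True, 200, c1
    if s1 in BAD_RESPONSES:
        return True, s1, ""                    # e.g. 403 for everything unknown
    return False, s1, ""


def page_exists(fetch: Fetch, path: str, baseline: Tuple[bool, int, str]):
    """True/False if the baseline lets us decide, None if it does not."""
    usable, code, known = baseline
    if not usable:
        return None
    status, body = fetch(path, {"User-Agent": USER_AGENT})
    if code == 200:                            # soft-404 server: compare bodies
        return status == 200 and clean_body(body, path) != known
    return status != code


# Constructed fake servers standing in for real targets.
def proper_server(path, headers):
    return (200, "<h1>home</h1>") if path == "/" else (404, "Not Found")

def soft_404_server(path, headers):
    return 200, f"<html>Sorry, {path} does not exist</html>"

def inconsistent_server(path, headers):
    return (404, "nope") if path.endswith("/folder/check") else (200, f"page {path}")


if __name__ == "__main__":
    for name, srv in [("proper", proper_server), ("soft404", soft_404_server),
                      ("inconsistent", inconsistent_server)]:
        print(name, identify_404(srv), page_exists(srv, "/admin", identify_404(srv)))
```

The point of the folder probe and the upper-case probe is visible in inconsistent_server: a server that answers 200 for files but 404 for folders gives no usable baseline, so a script like http-enum could not tell a real /admin from the catch-all page, which is why Nmap bails out instead of reporting everything as found.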
Let us investigate some other requests sent by Nmap:
PROPFIND / HTTP/1.1
There is a request performed with the PROPFIND HTTP method.
PROPFIND is a WebDAV method used to retrieve the properties of a resource in XML format; the Microsoft documentation that describes it notes it is no longer actively maintained and refers to WebDAV. Nmap uses this request to detect WebDAV installations. Although WebDAV is rarely used, this request on its own does not indicate that an Nmap scan is being performed.
This request is sent by the http-webdav-scan script.
GET /HNAP1 HTTP/1.1
The Home Network Administration Protocol (HNAP) from Cisco Systems allows you to identify, configure and manage network devices. It is based on SOAP requests. The GET request to /HNAP1 checks whether the protocol is supported by the host/router.
This request comes from the hnap-info script.
Again, on its own this will not indicate an attack.
Preflight requests:
Nmap sends a bunch of CORS preflight requests: OPTIONS requests carrying an Origin and an Access-Control-Request-Method header, which ask the server which methods it would allow a cross-origin page to use. They come from the http-cors script. Below is the request Nmap sends to check whether PUT would be allowed; the default scripts do not follow up by actually using PUT.
POST / HTTP/1.1
Next is a POST with a body that calls system.listMethods.
This is used to enumerate the methods implemented by an XML-RPC server; a popular example is the xmlrpc.php endpoint of WordPress sites. The server answers with an array of the methods that can be called.
POST /sdk HTTP/1.1
This is a SOAP request used to identify VMware servers (vCenter, ESX, ESXi) and retrieve their version information.
The code can be found in vmware-version.nse.
GET /evox/about HTTP/1.1
I couldn’t really find good information about this request.
GET /.git/HEAD HTTP/1.1
This GET request to /.git/HEAD checks whether the website's git repository is accessible from the web root. If it finds a HEAD file (which basically contains the current branch of the repo), it follows up with requests for other files in the .git directory.
But this is also a common request seen in many other tools and attack wordlists, so it does not point to Nmap specifically.
So in general it is best not to use -sC and -sV against ports 80 and 443, and to perform only the required steps manually. The requests Nmap performs can easily be made with other tools without leaking that Nmap is in use.
Otherwise, at least change the user agent and patch the code so the nmaplowercheck probe is not sent. These two, next to the high number of requests in a short time (which you should limit with the -T timing template), are clear indicators that an Nmap scan has been performed.
However, because nmaplowercheck is not inside a single script but built into the http.identify_404 function in nselib/http.lua, multiple scripts can give away this information.
The default scripts that call that function are the following:
So you need to be sure none of these are run (for example by excluding them with --script, e.g. --script "default and not http-enum"), or rebuild Nmap manually with http.lua changed so these calls are not made.
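For the blue team side, here is a small detector that runs over constructed Apache/nginx combined-format access-log lines and flags the two strong indicators discussed above (the default NSE User-Agent and the identify_404 probe paths), a burst of requests from one source, and the combination of the otherwise harmless fingerprint requests (PROPFIND /, /HNAP1, /sdk, /evox/about, /.git/HEAD) coming from the same source. This is an added example written for this post, not Nmap's code and not from the original post. The log lines, IP addresses and timestamps are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Default NSE User-Agent substring (nselib/http.lua, unless http.useragent is set).
NMAP_UA = "Nmap Scripting Engine"
# The three identify_404 probe paths, each suffixed with a Unix epoch (assumed 9-10 digits).
NMAP_404_PROBE = re.compile(r"^/(nmaplowercheck|NmapUpperCheck|Nmap/folder/check)\d{9,10}$")
# Requests from the post that are harmless alone but telling together.
WEAK_MARKERS = {("PROPFIND", "/"), ("GET", "/HNAP1"), ("POST", "/sdk"),
                ("GET", "/evox/about"), ("GET", "/.git/HEAD")}


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, window_s=60, burst=30, weak_min=3):
    """Map source IP -> sorted reasons for every source that looks like an NSE scan.

    Thresholds (assumptions, tune per site): `burst` requests within `window_s`
    seconds, or at least `weak_min` distinct fingerprint requests."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, weak = set(), set()
        for r in recs:
            if NMAP_UA in r["ua"]:
                reasons.add("nmap user-agent")
            if NMAP_404_PROBE.match(r["path"]):
                reasons.add("identify_404 probe path")
            if (r["method"], r["path"]) in WEAK_MARKERS:
                weak.add((r["method"], r["path"]))
        if len(weak) >= weak_min:
            reasons.add("multiple NSE fingerprint requests")
        # Sliding window: does any span of window_s seconds hold >= burst requests?
        lo = 0
        for hi in range(len(recs)):
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= burst:
                reasons.add(f"{burst}+ requests in {window_s}s")
                break
        if reasons:
            hits[ip] = sorted(reasons)
    return hits


# Constructed sample: default Nmap, Nmap with a changed User-Agent, and a normal visitor.
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3")
NSE = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /nmaplowercheck1696946136 HTTP/1.1" 404 196 "-" "{NSE}"',
    f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "PROPFIND / HTTP/1.1" 405 0 "-" "{NSE}"',
    f'198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /nmaplowercheck1696946161 HTTP/1.1" 404 196 "-" "{CHROME}"',
    f'198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /HNAP1 HTTP/1.1" 404 196 "-" "{CHROME}"',
    f'198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /sdk HTTP/1.1" 404 196 "-" "{CHROME}"',
    f'198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "{CHROME}"',
    f'192.0.2.5 - - [10/Oct/2023:13:57:10 +0000] "GET /HNAP1 HTTP/1.1" 404 196 "-" "{CHROME}"',
    f'192.0.2.5 - - [10/Oct/2023:13:57:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "{CHROME}"',
]

if __name__ == "__main__":
    for ip, why in detect(SAMPLE_LOG).items():
        print(ip, why)
```

Note that the second scanner in the sample changed its User-Agent as the post suggests and is still caught: first by the nmaplowercheck path, and independently by sending three of the fingerprint requests from one address. The single /HNAP1 request from the normal visitor is not reported, matching the point above that these requests are not indicators on their own.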
It is interesting how much you can learn by sitting down and watching what your tool is doing. In this case, Nmap gives away much more information than I originally thought.
By understanding my regular tools like Nmap better, I can now understand what is happening, reduce the risk of triggering security alarms and advise the blue team on better detection.
Happy testing!
If you want to discuss anything related to infosec I’m on LinkedIn: https://www.linkedin.com/in/bobvanderstaak/
https://miloserdov.org/?p=5256
https://svn.nmap.org/nmap/nselib/http.lua
https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/