ICS Pentest – Active Scan with Nmap

movie recommendation: Poor Things

ICS assets are more sensitive to network scans than IT assets. Because of this, we should move more slowly when we scan ICS assets.
Pentesters use nmap for network scanning more than any other tool. Nmap is free, and there is a lot of documentation about its usage. In this blog, I will describe how nmap can be used during an ICS scan.

[Warning graphic] Active scan may cause your system to stop or act unusually.

Parallelism

Nmap performs network scanning operations in parallel. If you want to limit it to a single outstanding probe, you can use the --min-parallelism and --max-parallelism options. These options control how many probes Nmap keeps in flight against its current set of targets at the same time. Here's an example:

nmap --min-parallelism 1 --max-parallelism 1 192.168.1.1

This command ensures that Nmap sends only one probe at a time and waits for its answer (or a timeout) before sending the next. This reduces the burst of traffic hitting the device but increases scanning time. As always, the use of such options depends on the specific situation and target. You can learn more by checking Nmap's documentation and help pages.

Scripts

Nmap comes with the Nmap Scripting Engine (NSE), which allows users to customize their scans using pre-written or custom scripts. These scripts can be used to gather more information, detect specific vulnerabilities, or even perform more complex attacks against specific targets.

To use Nmap scripts, you can use the --script option. For example, you can discover a Modbus device with nmap by doing something like:

nmap -Pn -sT -p502 --script modbus-discover 192.168.1.1
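The modbus-discover script identifies a device by sending it Modbus requests, among them a Read Device Identification request (function code 43, MEI type 14), and decoding what comes back. The following added example (my own code, not nmap's or the NSE script's) shows how such a reply is decoded from a Modbus/TCP frame, and how an exception reply (the device refusing the request) is recognised, which is the case a scanner must handle cleanly. The "ExampleCo" frame is constructed by hand; no real device is involved.

```python
"""Decode a Modbus/TCP Read Device Identification response (FC 43 / MEI 14).

Added example; the frames below are constructed for a fictional PLC and
the code is not taken from nmap or modbus-discover.nse.
"""
import struct

MBAP_LEN = 7            # transaction id(2) protocol id(2) length(2) unit id(1)
FC_ENCAP = 0x2B         # Encapsulated Interface Transport
MEI_DEVICE_ID = 0x0E    # Read Device Identification
# Object ids the Modbus spec defines for the "basic" identification category
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
EXCEPTION_CODES = {0x01: "Illegal Function", 0x02: "Illegal Data Address",
                   0x03: "Illegal Data Value", 0x04: "Server Device Failure"}


def build_sample_response(tid=1, unit=1):
    """Constructed reply carrying three basic identification objects."""
    objects = b"".join(
        bytes([oid, len(val)]) + val
        for oid, val in ((0x00, b"ExampleCo"), (0x01, b"PLC-1"), (0x02, b"1.2"))
    )
    # PDU: fc, MEI type, read code (1 = basic), conformity, more follows, next id, count
    pdu = bytes([FC_ENCAP, MEI_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, 0x03]) + objects
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length counts unit id too
    return mbap + pdu


def build_exception_response(code, tid=1, unit=1):
    """Constructed exception reply: function code with the high bit set, then the code."""
    pdu = bytes([FC_ENCAP | 0x80, code])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_device_id_response(frame):
    """Return {'transaction', 'unit', 'objects'} or raise ValueError for bad/refused replies."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc == FC_ENCAP | 0x80:  # exception response: the device refused the request
        code = pdu[1]
        raise ValueError(f"Modbus exception: {EXCEPTION_CODES.get(code, hex(code))}")
    if fc != FC_ENCAP or pdu[1] != MEI_DEVICE_ID:
        raise ValueError(f"unexpected function {fc:#x} / MEI {pdu[1]:#x}")
    if len(pdu) < 7:
        raise ValueError("truncated device identification header")
    count = pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("object length exceeds frame")
        name = BASIC_OBJECTS.get(oid, f"object_{oid:#04x}")
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + olen
    return {"transaction": tid, "unit": unit, "objects": objects}


if __name__ == "__main__":
    print(parse_device_id_response(build_sample_response()))
    try:
        parse_device_id_response(build_exception_response(0x01))
    except ValueError as err:
        print("refused:", err)
```

Every length field is checked against the bytes actually present before they are read, which is what a decoder facing a fragile field device should do: a short or malformed reply is reported, not parsed past its end.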

Port Scan

Nmap can be used to scan for open ports on a network. Here's how you can use Nmap to perform different types of port scans:

  • Basic Scan for Open Ports: This is the simplest form of scanning where Nmap checks for open ports on a target system. The command for this is:
nmap 192.168.0.1
  • Scanning a Specific Port: If you want to scan a specific port, you can do so by specifying the target port number with the -p option. For example, to scan port 80, you can use:
nmap -p 80 192.168.0.1
  • Scanning Multiple Ports: To scan multiple ports, you need to separate them with commas. For example:
nmap -p 22,25,80 192.168.0.1
  • Scanning All Ports: To scan all ports (1 – 65535), you can use the -p- option. For example:
nmap -p- 192.168.0.1
  • Scanning Using TCP Connect: This scan completes the full TCP handshake with each port, so it is slower, but it is more likely to get a clean answer and does not need raw-socket privileges. The command for this is:
nmap -sT 192.168.0.1
  • Scanning UDP Ports: To scan UDP ports, you can use the -sU option. For example:
sudo nmap -sU 192.168.0.1
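Whichever of the scans above you run, the useful output is an inventory of what answered on which port. As an added example (my own code, not part of this post or of nmap), here is a parser for nmap's XML report (the -oX output format) that turns the results, including the modbus-discover script output from the Scripts section, into records and flags open ports belonging to known ICS protocols. The XML sample is constructed by hand to look like the report of the Modbus discovery command above; the ICS port table is my own and not from the post.

```python
"""Summarize an nmap XML report (-oX) into an ICS asset inventory.

Added example using only the standard library; SAMPLE_XML is constructed
to resemble the report of `nmap -Pn -sT -p502,80 --script modbus-discover`.
"""
import xml.etree.ElementTree as ET

# Well-known ICS/SCADA TCP ports used to flag hits (assumption, not from the post)
ICS_PORTS = {
    102: "Siemens S7 / ISO-TSAP",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sT -p502,80 --script modbus-discover 192.168.1.1">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502">
        <state state="open" reason="syn-ack"/>
        <service name="modbus" method="table"/>
        <script id="modbus-discover"
                output="&#xa;  sid 0x1:&#xa;    Slave ID data: ExampleCo PLC-1&#xa;    Device identification: ExampleCo PLC-1 1.2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="conn-refused"/>
        <service name="http" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per scanned port: host, port, proto, state, service, scripts."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered carry no port data worth keeping
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name") if service is not None else "",
                # NSE results live in one <script> element per script, text in 'output'
                "scripts": {s.get("id"): s.get("output", "").strip()
                            for s in port.findall("script")},
            })
    return records


def ics_findings(records):
    """Keep only open ports that match a known ICS protocol, adding its name."""
    return [{**r, "protocol_name": ICS_PORTS[r["port"]]}
            for r in records if r["state"] == "open" and r["port"] in ICS_PORTS]


def device_ids(records):
    """Map (host, port) to the 'Device identification:' line of modbus-discover."""
    ids = {}
    for r in records:
        out = r["scripts"].get("modbus-discover")
        if not out:
            continue
        for line in out.splitlines():
            line = line.strip()
            if line.startswith("Device identification:"):
                ids[(r["host"], r["port"])] = line.split(":", 1)[1].strip()
    return ids


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for f in ics_findings(recs):
        print(f"{f['host']}:{f['port']}/{f['proto']} open {f['protocol_name']}")
    for (h, p), ident in device_ids(recs).items():
        print(f"{h}:{p} identifies as {ident}")
```

To use it on a real report, run nmap with `-oX report.xml` and pass the file contents to `parse_nmap_xml`; the records are plain dicts, so they drop straight into a spreadsheet or asset database for the plant's inventory.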