What is Nmap?
Nmap is an abbreviation for Network Mapper – Network in an IT sense of the word. You can consider Nmap as being one of the best-known, and in fact, one of the most useful hacking tools out there. Period. If you are serious about pentesting, ethical hacking and IT Security in general, then learning Nmap is essential.
Is Nmap Free?
You betcha! In fact, a lot of other tools out there, Metasploit for example, pulls in Nmap for network discovery and security auditing. Many system admins will use Nmap along with other such tools as Wireshark (and perhaps even Network Miner) for a wide variety of port and network scanning. If you’re completely new to port and network scanning then we’d suggest this article here.
What is Network Scanning?
This concept refers to, somewhat obviously, scanning the network! ‘Ports’ on a network can be considered as being the entry points to a machine, or computer (box) that is connected to the Internet. An application or service that listens on a port functions by receiving data (bytes) from a client application, processing that data and then sending it back. If a network is hacked into, or compromosed, then a malicious client can be programmed to exploit vulnerabilities in the server code with the purpose of being able to gain access to sensitive data or execute malicious code remotely. The communication and commands would be administered through the implementation of a Remote Access Tool (RAT).
What is Port Scanning?
Network scanning and port scanning are often used interchangeably. Port scanners (of which there are several, such as Angry IP Scanner, NetScanTools, Unicornscan and NetworkMiner) are used by system and network administrators to verify security profiles of networks to prevent hackers from being able to identify services running on a host that have exploitable vulnerabilities. Of course, if a network admin (or any other IT professional) performing a scan discovers a vulnerability then there priority is to patch the hole without delay. Port scanning is a task performed in the initial phase of a penetration test (pentest) in order to establish all network entry points into the target system.
Why are there so many Network and Port Scanning tools?
At first it might seem that there are a ton of similar tools. However, most of them service a particular need, or said in a more technical way, the tools have an expertize with regards to certain protocol scanning, for example, some are better at TCP ports scanning rather than UDP ports scanning and vica versa.
How does Nmap Work?
Nmap tool works by inspecting raw IP packets in creative ways to understand what hosts (servers) are available on the network, what services (application name and version) those hosts are using, what operating systems (including Operating System versions and possible patches) and what type and version of packet filters/ firewalls are being used by the target. In summary you’ve got to learn Nmap and if want to work in Cyber Security as a practioner.
Does Nmap Work on all Operating Systems?
Yes, Nmap works on all major computer operating systems, and official binary packages are available for Linux, Windows, Mac OS X, IRIX, and AmigaOS. Of course, there’s a much easier way to install Nmap – just use Kali Linux or use BackBox since it ships with Nmap and you’ll be able to update the progam with ease.
Brief word about Zenmap
Zenmap is the GUI version of Nmap. Here’s our advice: learn how to use Nmap, but when you’re out in the field performing a penetration test etc., then fire-up Zenmap. The awesome thing about Zenmap is that it pre-loads all the command lines in one go so you don’t have to start tapping ‘nmap’ into the command terminal to load the command help prompts.
What are Typical Uses for Nmap?
The fundamental use of Nmap is that it can recognize and list, in a verbose format, open ports on a target host in preparation for security auditing. Specifically however, here are a bunch of uses for Nmap, including:
- Host discovery: being able to identify hosts on a network. For example, you’d be able to listen to how a server responds and reacts to TCP and/ or ICMP requests;
- Port scanning: enumerating possible open ports on target hosts (servers);
- OS detection: determining the hardware characteristics and operating system of network devices;
- Version detection: interrogating network services on remote devices to determine application name and version number;
- In-depth Information Gathering: Nmap can provide further information on targets which includes device types, reverse DNS names and MAC addresses;
- Scriptable interaction: accomplished via the Nmap Scripting Engine (NSE) and Lua programming language;
- Auditing: the security of a device or firewall by identifying the network connections which can be made to, or through it;
- Network inventory: network mapping, maintenance and asset management;
- Generating traffic: to hosts on a network to test the response time measurement and response analysis;
- Exploit vulnerabilities: Find the holes and patch them!
Scanning Examples
Nmap Target Selection
| Scan a single IP | nmap 192.168.1.1 |
| Scan a host | nmap www.who-ami.net |
| Scan a range of IPs | nmap 192.168.1.1-20 |
| Scan a subnet | nmap 192.168.1.0/24 |
| Scan targets from a text file | nmap -iL list-of-ips.txt |
These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.
Nmap Port Selection
| Scan a single Port | nmap -p 22 192.168.1.1 |
| Scan a range of ports | nmap -p 1-100 192.168.1.1 |
| Scan 100 most common ports (Fast) | nmap -F 192.168.1.1 |
| Scan all 65535 ports | nmap -p- 192.168.1.1 |
Nmap Port Scan types
| Scan using TCP connect | nmap -sT 192.168.1.1 |
| Scan using TCP SYN scan (default) | nmap -sS 192.168.1.1 |
| Scan UDP ports | nmap -sU -p 123,161,162 192.168.1.1 |
| Scan selected ports – ignore discovery | nmap -Pn -F 192.168.1.1 |
Privileged access is required to perform the default SYN scans. If privileges are insufficient a TCP connect scan will be used. A TCP connect requires a full TCP connection to be established and therefore is a slower scan. Ignoring discovery is often required as many firewalls or hosts will not respond to PING, so could be missed unless you select the -Pn parameter. Of course this can make scan times much longer as you could end up sending scan probes to hosts that are not there.
Service and OS Detection
| Detect OS and Services | nmap -A 192.168.1.1 |
| Standard service detection | nmap -sV 192.168.1.1 |
| More aggressive Service Detection | nmap -sV –version-intensity 5 192.168.1.1 |
| Lighter banner grabbing detection | nmap -sV –version-intensity 0 192.168.1.1 |
Service and OS detection rely on different methods to determine the operating system or service running on a particular port. The more aggressive service detection is often helpful if there are services running on unusual ports. On the other hand the lighter version of the service will be much faster as it does not really attempt to detect the service simply grabbing the banner of the open service.
Nmap Output Formats
| Save default output to file | nmap -oN outputfile.txt 192.168.1.1 |
| Save results as XML | nmap -oX outputfile.xml 192.168.1.1 |
| Save results in a format for grep | nmap -oG outputfile.txt 192.168.1.1 |
| Save in all formats | nmap -oA outputfile 192.168.1.1 |
The default format could also be saved to a file using a simple file redirect command > file. Using the -oN option allows the results to be saved but also can be monitored in the terminal as the scan is under way.
Digging deeper with NSE Scripts
| Scan using default safe scripts | nmap -sV -sC 192.168.1.1 |
| Get help for a script | nmap –script-help=ssl-heartbleed |
| Scan using a specific NSE script | nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1 |
| Scan with a set of scripts | nmap -sV –script=smb* 192.168.1.1 |
According to my Nmap install there are currently 471 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them.
The option --script-help=$scriptname will display help for the individual scripts. To get an easy list of the installed scripts try locate nse | grep script.
You will notice I have used the -sV service detection parameter. Generally most NSE scripts will be more effective and you will get better coverage by including service detection.
A scan to search for DDOS reflection UDP services
| Scan for UDP DDOS reflectors | nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24 |
UDP based DDOS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place.
HTTP Service Information
| Gather page titles from HTTP services | nmap –script=http-title 192.168.1.0/24 |
| Get HTTP headers of web services | nmap –script=http-headers 192.168.1.0/24 |
| Find web apps from known paths | nmap –script=http-enum 192.168.1.0/24 |
There are many HTTP information gathering scripts, here are a few that are simple but helpful when examining larger networks. Helps in quickly identifying what the HTTP service is that is running on the open port. Note the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generated hundreds of 404 HTTP responses in the web server error and access logs.
Detect Heartbleed SSL Vulnerability
| Heartbleed Testing | nmap -sV -p 443 –script=ssl-heartbleed 192.168.1.0/24 |
Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (Requires Nmap 6.46).
IP Address information
| Find Information about IP address | nmap –script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24 |
Gather information related to the IP address and netblock owner of the IP address. Uses ASN, whois and geoip location lookups.
Nmap Installation from source
Ubuntu comes with Nmap in the repositories or software library, however this is not the one we want. In most cases I suggest sticking with the software from the Software Center but in this case there are many benefits you will get from running the latest version of Nmap.
On the download page http://nmap.org/download.html you will see the bzip2 version (you can get the stable or development).
To get the latest feature packed development version, start a terminal (type terminal in the menu of Ubuntu and it will show as an option):
wget https://nmap.org/dist/nmap-7.40.tar.bz2
Hopefully Internet access from your virtual machine is working, if it is you will soon have the latest in your home directory.
You may need to install g++ in order to compile, you should also install the libssl-dev package as this will enable the SSL testing NSE scripts to work.
sudo apt-get install g++
Now unpack, compile and install. Use the standard configure and make commands when building software from source.
tar jxvf nmap-7.40.tar.bz2 cd nmap-7.40 ./configure make su root make install
Running the nmap commmand should will show the available command line options if the installation has been successful.
user@ubuntu:/~$nmap
Nmap 7.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile : Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags : Customize TCP scan flags
-sI : Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports : Scan most common ports
--port-ratio : Scan ports more common than
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity : Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=: is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=: Show help about scripts.
is a comma separted list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take
