Nmap: The ultimate guide
The Network Mapper (Nmap) is a network scanning and hosting tool that is very useful during many steps for a complete penetration test.
Nmap is not limited to simple information gathering and enumeration, but it is also a powerful utility that can be used as a vulnerability detector or security scanner.
So Nmap is a versatile tool and can run on many different operating systems, including Windows, Linux, BSD and Mac.
Nmap is a very powerful utility that can be used to:
- Locate the active host on the network (host discovery)
- Locate open ports on the host (port discovery or enumeration)
- Locate the software and version on the corresponding port (service discovery)
- Locate the operating system, hardware address, and software version
- Identify vulnerabilities and security vulnerabilities (Nmap scripts)
Nmap is a simple tool and is available both as a command line tool and as a graphical interface, quite easy to use. The purpose of this article is to create a manual that will contain all the necessary information about Nmap and its use.
In this piece, we will see:
- Introduction to Nmap
- What are the important parameters and scanning techniques
- Introduction to operating system detection
- Nmap scripts
How to use Nmap?
You may have heard this question many times in the past, but in my opinion, it is not the right question. The best way to start exploring Nmap is to ask: How can I use Nmap effectively? This article was written in an attempt to answer this question.
Nmap uses different techniques to perform a scan, such as: TCP connect () scanning, TCP reverse ident scanning, FTP bounce scanning, and so on. All of these types of scanners have their advantages and disadvantages, and we will discuss them later.
How to use Nmap effectively
The use of Nmap depends on the destination machine because there is a difference between a simple (basic) scan and an advanced scan. We need to use some advanced techniques to bypass the firewall and intrusion detection / prevention software to get the right result.
The following are examples of some basic commands and how to use them.
If you want to scan a single system, then you can use a simple command:
# nmap target.com
# nmap 192.168.1.1
If you want to scan the entire subnet, then the command is:
nmap target / cdir
# nmap 192.168.1.1/24
It's very easy to scan multiple targets. All you have to do is separate each goal into a space:
nmap target target1 target2
# nmap 192.168.1.1 192.168.1.8
Suppose you want to scan a range of IP addresses, but not the entire subnet. In this case, use the following command:
# nmap 192.168.1.1-100
Suppose you have a list of machines you want to search. You can scan Nmap for the entire list:
# nmap -iL target.txt
Be sure to put the file in the same directory (folder).
If you want to see the list of all the servers you are scanning, use the command with the -sL parameter:
nmap -sL target / cdir
# nmap -sL 192.168.1.1/24
In some cases, we need to scan the entire subnet, but not a specific IP address, because it can be dangerous for us. In this case, use the Nmap command with the exception parameter:
# nmap 192.168.1.1/24 - -exclude 192.168.1.1
If you have a file that contains the list of IP addresses you want to exclude, then you can call the file in the exclude parameter:
# nmap 192.168.1.1/24 –exclude file target.txt
If you want to scan a specific port on the destination machines (for example, if you want to scan the HTTP, FTP and Telnet ports only on the destination computer), then you can use the Nmap command with the relevant parameter:
# nmap -p80,21,23 192.168.1.1
This scans the target for port numbers 80, 21 and 23.
You now have a basic list of Nmap scanning techniques, but for the purposes of this article, we need to explore in depth.
Nmap scanning techniques
There are many scanning techniques available in Nmap, including the TCP connect scanning method mentioned earlier. In this section, we will look in detail at the most popular scanning technique.
Scan TCP SYN (-sS)
It's a basic scan. It is also called half-open scanning because it allows Nmap to receive information from the remote host without the full TCP handshake process.
Nmap sends SYN packets to the destination, but does not create sessions. As a result, the target computer could not create any interaction logs because no session was started, making this feature an advantage of TCP SYN scanning.
If no scan type is specified in the command, then avTCP SYN scan is used by default, but requires root / administrator privileges.
# nmap -sS 192.168.1.1
TCP connection () scan (-sT)
This is the default scanning technique used - if and only if SYN scanning is not the default, because SYN scanning requires root privileges.
Unlike TCP SYN scanning, it completes the normal TCP handshake process and requires the system to call connect (), which is part of the operating system.
Note that this technique only applies to learning TCP ports and not UDP ports.
# nmap -sT 192.168.1.1
UDP Scan (-sU)
As the name implies, this technique is used to find an open UDP port on the destination machine. It does not require sending a SYN packet because it targets UDP ports.
We can make scanning more efficient by using -sS together with -sU.
UDP scans send UDP packets to the destination machine and wait for a response.
If an error message arrives saying ICMP is not accessible, it means the port is closed. but if it receives the appropriate answer, then it means that the door is open.
# nmap -sU 192.168.1.1
FIN Scan (-sF)
Sometimes a normal TCP SYN scan is not the best solution because of the firewall.
IDS and IPS scans may be deployed on the destination machine, but a firewall usually blocks SYN packets. FIN scanning sends the package defined only with FIN flag, so the completion of the TCP handshake is not required.
[email protected]: ~ # nmap -sF 192.168.1.8
Starting Nmap 5.51 (http://nmap.org) at 2012-07-08 19:21 PKT
Nmap scan report for 192.168.1.8
Host is up (latency 0.000026s).
Not shown: 999 closed ports
PORT STATE SERVICE
111 / tcp open | filtered rpcbind
The destination computer is unable to create a log of this scan (again, a FIN advantage). Just like a FIN scan, we can run an xmas scan (-sX) and a Null scan (-sN).
The idea is the same, but there is a difference between each type of scan. For example, the FIN scan sends packets that contain only the FIN flag, while the Null scan sends no tracks to the packet. Xmas send FIN, PSH and URG flags.
Ping Scan (-sP)
Ping Scan is only used to find out if the server is active or not, it is not used to detect open ports.
Ping scans require root access as ICMP packets can be sent, but if the user does not have administrator privileges, then the ping scan uses the connect () call.
# nmap -sP 192.168.1.1
Version detection (-sV)
Version detection is the technique used to find out which software version is running on the target computer and the corresponding ports.
Unlike other scanning techniques, it is not used to detect open ports, but requires open port information to detect the software version.
In the first step of this scan, the scan uses the TCP SYN scan to find out which ports are open.
# nmap -sV 192.168.1.1
Inactive scan (-sI)
Passive scanning is one of my favorite techniques. This is an advance scan that provides complete anonymity when scanning.
In an inactive scan, Nmap does not send packets from your actual IP address, and instead of creating packets from your computer, it uses another host from the destination network to send them.
Let's look at an example to understand the concept of inertial scanning:
nmap -sI zombie_host target_host
# nmap -sI 192.168.1.6 192.168.1.1
The inactive scan technique is used to detect open ports in 192.168.1.1, while using zombie_host (192.168.1.6) to communicate with the destination server. It is therefore an ideal technique for detecting a destination computer anonymously.
There are many other scanning techniques available, such as FTP bounce, hash scan, IP protocol scan. and so on. We have discussed the most important scanning techniques (although all scanning techniques can be important, depending on your situation).
In the next section, we will discuss the techniques of detecting and finding the operating system (OS) with Nmap.
Operating system detection in Nmap
One of the most important features of Nmap is the ability to detect remote operating systems and software.
During a pentest, it is very useful to know the operating system and software used by the remote computer. You can easily find known vulnerabilities with this information.
Nmap has a database called nmap-os-db . The database contains all the information for more than 2.600 operating systems. Nmap sends TCP and UDP packets to the destination machine and examines the response by comparing the result with the database.
The operating system detection technique with Nmap is slightly slower than the scanning techniques because operating system detection involves the process of finding open ports.
Initiating SYN Stealth Scan at 10:21
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 111 / tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:21, 0.08s elapsed (1000 total ports)
Initiating OS detection (try # 1) against localhost (127.0.0.1)
Retrying OS detection (try # 2) against localhost (127.0.0.1)
The above example clearly shows that Nmap first discovers open ports and then sends packets to discover the remote operating system.
The operating system detection parameter is -O (Chapter O).
Nmap fingerprinting OS technique discovers the following:
- Device type (router, workstation and so on)
- The operating system that is running
- Operating system details (operating system name and version)
- Network distance (the distance between the target and the hacker)
Suppose the destination machine has a firewall, IDS and IPS all enabled. You can use the -PN command to make sure you do not ping to find the remote operating system. -PN tells Nmap not to ping the remote computer, as sometimes firewalls block the request.
# nmap -O -PN 192.168.1.1/24
The command informs the sender that every server on the network is active, so you do not need to send a ping request. In short, it bypasses the ping request and discovers the operating system.
The Nmap OS detection technique is based on an open and closed port. If Nmap does not detect the open and closed port, then it gives the error:
Warning: OSScan results may not be reliable because we could not find at least 1 open and 1 closed port
This is an unwanted situation and it is a good idea to limit operating system scans if Nmap is not safe for the operating system.
If Nmap is not safe for the operating system, then it does not need to be detected using -osscan_limit.
If it is very difficult for Nmap to accurately locate the remote operating system, you have the option of using the Nmap prediction feature: - osscan-kira finds the nearest target operating system mapping.
# nmap -O –osscan-kira 192.168.1.1
Nmap is a very powerful tool and has the ability to cover the first aspects of a pentest, which include gathering information and enumerating. There are so many other things you can do with Nmap and we will see them in future articles.