What is Nmap
Nmap is a widely used port scanner and one of the main tools in a penetration tester's toolkit. Learning how to use nmap is one of the early steps in a penetration test, and it greatly aids in building a thorough picture of an organization's network. Running an nmap scan is active reconnaissance and must not be performed against an organization's network without express permission.
Although it is a fairly simple command-line tool, it has a number of options and customizations that help ensure all ports and potential holes in the network are detected. Some options make scans take much longer, so a balance between speed and thoroughness is necessary. In this blog you will learn how to use nmap as we go over the parameters/flags Packetlabs ethical hackers commonly use, specifically for specifying ports, running more detailed scans, reporting and tuning.
How to Use Nmap for Network Scans: Specifying Ports and Hosts
To run the most basic nmap command, the only input required is a target: an IP address, a hostname or a network in CIDR notation.
For example, the following will scan the machine 127.0.0.1:
nmap 127.0.0.1
By default, this scan checks the 1000 most common TCP ports on 127.0.0.1 and reports each port as open, closed or filtered.
To customize the exact ports to be scanned the -p flag can be used with specific ports as arguments:
nmap 127.0.0.1 -p 22,80,443
This will scan only ports 22, 80 and 443 (SSH, HTTP and HTTPS) on the 127.0.0.1 machine.
If all ports from 1-65535 need to be scanned, add a dash to the end of the -p flag with no port list (-p-).
How to Use Nmap: Running more in-Depth Scans
The nmap -A option is a very helpful flag for maximizing the information gained from a basic scan. It combines several checks into one flag: OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute).
Nmap's OS detection attempts to determine the target's operating system from details of its packet responses during the port scan (TCP/IP stack fingerprinting). Nmap compares these observations with its database of OS fingerprints and reports the best match. To make an accurate guess, at least one open and one closed TCP port should be found on the target. On its own, OS detection is enabled with the -O option; like -A, it requires raw-socket privileges (root or Administrator).
Service (version) detection attempts to fingerprint the service or application listening on each open port from its responses to Nmap's probes, then compares the result with Nmap's service-probe database for a match. Identifying the operating system, application and service versions in use is an essential component of a penetration test: once the precise version of a service or program is known, it can be checked against known vulnerabilities in that software. To enable service detection on its own, use the -sV flag.
Script scanning runs selected Nmap Scripting Engine (NSE) scripts against the target hosts; scripts range from service enumeration to checks for specific vulnerabilities. With -A, only the scripts in the "default" category are executed (the same set as -sC); the ftp-anon, smb-os-discovery and http-title scripts are examples of default scripts. To run other scripts, use the --script flag, which accepts script names, categories (such as vuln) or comma-separated lists. For example, the "ssl-enum-ciphers" script enumerates the SSL/TLS protocol versions and cipher suites a service supports and grades the weak ones.
Lastly, nmap performs its own traceroute to each target host (the --traceroute option), using the probe type that worked during the scan rather than the system traceroute command.
The following command probes all 65535 TCP ports on 127.0.0.1 and runs OS detection, service detection, default scripts and traceroute against it:
nmap 127.0.0.1 -p- -A
Reporting and Tuning Tips
The below provides a few tips that simplify host entry, add reporting, and adjust the scan's precision and speed.
· The -iL flag reads the targets (IP addresses, hostnames or networks) from a file; it takes the filename as an argument.
· The -oA flag writes the scan results in all three output formats at once, using the given base name: a .nmap file (the full, human-readable output), a .gnmap file (grepable output with one line per host listing its ports) and an .xml file (for parsing by other tools).
· The -T flag controls how aggressively nmap times its probes, using a template from 0 (paranoid) to 5 (insane), e.g. -T4. The higher the number, the quicker the scan, but accuracy suffers on slow or congested networks and stealth is lost.
· The -Pn flag skips host discovery (the ping sweep) and treats every target as up. This can greatly increase the accuracy of your scan by avoiding missing live hosts that do not answer nmap's discovery probes, for example where ICMP is filtered. The trade-off is that every address in the range is then port-scanned, which can greatly increase the scan runtime.
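As an added example (not Packetlabs' own code, and not part of the original post), the following POSIX shell script ties the full-port -A scan above to the -iL and -oA reporting flags in this list: run_scan is a hypothetical wrapper that scans every host in a targets file and writes the three output files, and open_ports_from_gnmap pulls the open ports per host out of the resulting .gnmap file. The gnmap lines in the script are constructed sample output so the parser can be exercised without running nmap; run_scan assumes nmap is on the PATH.

```shell
#!/bin/sh
# Added example, not Packetlabs' code. run_scan assumes nmap is installed;
# the gnmap lines in sample_gnmap are constructed, not real scan output.

# Full-port scan of every target listed in a file, with -A and -oA reporting.
# Needs root (or Administrator) for OS detection and the default SYN scan.
# Hypothetical helper: run_scan targets.txt outprefix
run_scan() {
    nmap -iL "$1" -p- -A -T4 -oA "$2"
}

# Print "host port/proto service" for every port in a given state
# (default: open) from a .gnmap file. Each host has a tab-separated
# "Host: ...\tPorts: ...\tIgnored State: ..." line; each Ports entry is
# port/state/proto/owner/service/rpc/version/.
# Hypothetical helper: open_ports_from_gnmap scan.gnmap [state]
open_ports_from_gnmap() {
    awk -F '\t' -v want="${2:-open}" '
        /^Host: / {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)   # "Host: 1.2.3.4 (name)" -> 1.2.3.4
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")                  # one entry per port
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")                    # f[1]=port f[2]=state f[3]=proto f[5]=service
                    if (f[2] == want) print host, f[1] "/" f[3], f[5]
                }
            }
        }' "$1"
}

# Constructed sample in gnmap format (two hosts, four ports scanned), used so
# the parser can be run without nmap.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -iL targets.txt -p 22,80,443,445 -oA scan'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: %s\tIgnored State: filtered (1)\n' \
        '22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///'
    printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.11 ()\tPorts: %s\tIgnored State: closed (3)\n' \
        '445/open/tcp//microsoft-ds///'
    printf '%s\n' '# Nmap done at Mon Jan  1 10:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.10 seconds'
}

# Stand-alone run: parse the constructed sample. After a real scan, point the
# parser at the .gnmap file that -oA produced instead.
tmp=$(mktemp)
sample_gnmap > "$tmp"
open_ports_from_gnmap "$tmp"
rm -f "$tmp"
```

Run it as-is to see the parser on the sample; after a real scan, call open_ports_from_gnmap scan.gnmap, or pass closed (or open|filtered for UDP scans) as the second argument to list ports in another state.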
Using nmap with the features mentioned above, a thorough scan of your network is feasible. It is worth noting, however, that nmap can do much more than network scans. Since nmap is one of the easier and most widely used penetration testing tools, almost any IT professional can run it, and an nmap scan is a great way to begin assessing the security of your organization's infrastructure. Although nmap is an extremely useful tool, it has its limitations, so suspected vulnerabilities or security holes found with nmap should be validated by an experienced penetration tester.