Nmap: 'The' Reconnaissance Tool

 

Introduction

The first step of penetration testing is the reconnaissance phase (recon) where you get to know your target better, and one of the most famous ways if not the best way to do that is using Nmap.

Nmap or Network Mapper is a free (open-source) network exploration and security investigating tool. It can be also beneficial for jobs like network inventory, coordinating application update plans, and tracking host or service uptime.  Nmap analyzes raw IP packets in unique ways to figure out what hosts are on the network, what services they offer (giving names and versions), what operating systems (names and versions) they're using, what kind of packet filters/firewalls they're using, and lots of other information. you can find more details here.

Disclaimer:  This thread is for educational purposes only, same as all other information available on this site.

Installation

If you're using Kali then you'll find Nmap pre-installed, otherwise, you can install Nmap using apt-get:

  • Update package list: sudo apt-get update
  • Install Nmap: sudo apt-get install nmap -y

  • Verify version: nmap --version

The output provides detailed information about Nmap. In this example, the version installed on my machine is 7.92, and it's indeed the latest available version, you can check it here.
 

Switches (most used arguments)

After installation, you can start Nmap directly from the Linux terminal by taping the word nmap followed by some of the arguments to specify the method by which the command is interpreted, a very common one is the -sS option which allows Nmap to perform a Syn Scan (more on this later).

Since there is a lot, we'll address only common switches for the Nmap command in this article, but you can always use the help nmap -h and the manual page man nmap to list them all.
(in fact, you must always take advantage of the -h, and the man with all Linux commands because remembering arguments is not the solution when using the terminal).

  • Host discovery

In the target section as you can see above, you can pass hostnames, IP addresses, networks, etc.
-sn (no port scan/ping scan): In case you don't have the target's specific IP address or if you want to discover all hosts in a specific range of IPs then the fastest way to do it is using the -sn argument since this switch disables the port scanning.
Ex: nmap google.com, 192.168.1.0/24, 172.20.0-1.1-255 (scan for hosts from 172.20.0.1 to 172.20.1.255)



-Pn (no ping): By default, Nmap does host discovery and then performs a port scan against each host it determines is online, and since the ping scan uses ICMP, Windows hosts will not appear with the default scan because Windows Firewall blocks ICMP echo requests from the network (more on this later), you can use the -Pn option to skip host discovery and port scan all target addresses. this option will take more time as it performs port scanning on all hosts even the down ones.

As you can see above the ping scan took about 2 seconds whereas the no-ping scan took more than one minute, so a good practice is to start with the ping sweep first to enumerate up hosts, then go ahead to port scanning.

--exclude: if you have a host that you don't want to scan you can use this option 
Ex: nmap 192.168.1.0/24 --exclude 192.168.1.1 (exclude the default gateway scanning)

  • Scan types

There are many scan types in nmap, however, these are the major types you'll need to grasp first:

    • TCP Connect Scans (-sT): when this argument is used, nmap will try to perform a three-way handshake with each target's ports, this scan is the default scan when you do not have raw socket privileges.

      by the response it receives from each port nmap will conclude whether the port is open or not, there are three possibilities: 
      A- Open port: when receiving a SYN/ACK packet.
      B- Closed port: when receiving a RST (reset) packet.
      C- Filtered port: when not receiving anything (the port is hidden behind a firewall).

      this scan takes more time to complete and it is more detectable than the other types of scans because it establishes a full TCP connection with the target.
    • TCP SYN Scan (-sS): usually known as Half-open or Stealth scan, this scan is a little different from the TCP Connect scan as it responds to the SYN/ACK packet with a RST flag packet, meaning that the client initiates the connection then he runs away from it. 
      this scan is the default scan when the privileges are available and can't be launched without permissions, it can perform fast port scanning without being restrained by firewalls and old IDSs. The Stealth scan has the same rules (Open|Closed|Filtered) as the TCP Connect scan.

    •  UDP Scan (-sU): this scan is significantly slower and more difficult to scan, because UDP is connectionless protocol as it keep sending packets without any type of verification and hope that they arrive to the destination, there are two possible results with this scan:

    A- Open|Filterd port: when a packet arrive to an open UDP port, no response is expected. in this case nmap mark this port as open|filtered meaning that there's also a possibility that the port is hidden behinf a firewall.

    B- Close port: this happens when the target respond with ICMP "unreachable". 

    Because it's so difficult to tell whether a UDP port is open, these scanners are very slow compared to TCP scans (more than 15 minutes for 1000 ports). So it's good practice to run nmap on the most used UDP ports.
    Ex: nmap -sU --top-ports 10 2.0.0.2 (scan the top 10 most used UDP ports)

     

     



    Comments

    Post a Comment

    Popular posts from this blog

    OpenVas: Vulnerability Scanning | Installation Guide

    Image
      Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- Run from docker:
    Read more

    Nmap | TryHackMe Walkthrough

    Image
      An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the
    Read more

    Azure Sentinel: Use Microsoft's SIEM to map global attacks

    Image
     in this tutorial, we will display attacks from all over the globe on a world map using Microsoft cloud SIEM (Security Information and Event Management) this is a step-by-step guided lab so it will be a long tutorial. Project steps this project needs multiple stages to be completed, when you finish this guide you will be able to: create and configure a Virtual Machine using Azure configure a cloud network security group and create firewall rules create and configure a Logs Analytics Workspace collect data from Virtual Machines into Azure get familiar with PowerShell scripting and APIs use (KQL) Kusto Query Language (the Azure data exporter language)  Let's get started First of all, go ahead and create a free Azure account at  https://azure.microsoft.com/en-us/free/   When you're done with that go to your dashboard at  https://portal.azure.com/ Ps: Just a quick note before we begin, you will notice in Azure as in GCP or AWS that the search bar is your b
    Read more