Posts Understanding Nmap
Post
Cancel

Understanding Nmap

Posted Mar 24, 2022 2022-03-24T21:40:10+03:00 by peter chin

Introduction

Nmap tool

Is a network scanning tool that uses IP packets to identify all the devices connected to a network and to provide information on the services and operating systems they are running, also scan through thousands of connected devices to provide information that might be usefull for next stages of penetration testing.

Phases performed by Nmap tool

1. Target enumeration/Specification

Nmap provides different ways of specifying targets to scan. In this phase, Nmap researches the host specifiers provided by the user, which may be a combination of host DNS names, IP addresses, CIDR network notations, and more. Examples.

  • Single Host Address
    1

    nmap 192.168.20.100
  • Dns Name Nmap can use DNS names as targets. It will resolve DNS addresses into ip addresses. Be sure that DNS is working in the system.
    1

    nmap example.com
  • Multiple DNS names
    1

    Nmap google.com microsoft.com
  • Multiple Host Address, 192.168.1.* is network address.
    * means possible all values which mean from 0 to 255
    1

    nmap 192.168.*.*
  • We can provide targets with CIDR mask, Here it Scans class C whole network
    1

    nmap 192.168.1.0/24
  • Scans between 192.168.0.0 – 192.168.15.255,
    - A hyphen is used to define range of ip addresses or range of ports.
    1

    nmap 192.168.0.0-192.168.15.255
  • Reading From File Line By Line
    1
2
3

    10.0.0.10 
10.0.0.11
10.0.1.0/24

    Example

    1

    nmap -iL targets.txt
2. Host discovery (ping scanning).

Nmap usually begin by discovering which targets on the network are online and thus worth deeper investigation. This process is called host discovery or ping scanning. It uses various techniques like ARP requests to elaborate combinations of TCP, ICMP, and other types of probes.

Note: Host Discovery IS Very important as it helps to know live hosts in the network that may be reachable for further Enumerations

1

Example of nmap live host discovery

click here to see the source

  • To run a Ping Scan - It disable port scan
    1

    nmap -sp 192.100.1.1/24
  • Tracing routes,to trace the route from the scanning machine to the target host
    1

    nmap -sp --traceroute 192.100.1.1
  • To prevent Host discovery with Nmap, Because of restriction by some firewall rules
    1

    nmap -Pn 192.100.1.1
3. Reverse-DNS resolution

Once Nmap has determined which hosts to scan, it looks up the reverse-DNS names of all hosts found online by the ping scan. Sometimes a host’s name provides clues to its function, and names make reports more readable than providing only IP numbers. This step may be skipped with the -n (no resolution) option, or expanded to cover all target IPs (even down ones) with -R (resolve all)

  • To restrict Nmap reverse-DNS resolution, Never do DNS resolution
    1

    nmap -n 192.100.1.1
  • To allow nmap resolve-DNS
    1

    nmap -R 192.100.1.1
    4. Port scanning

    First of all What is port in networking?🤔
    In computer networking, a port is a communication endpoint. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service running

Why it is very important??
Ports provide entry point in a computer and that’s what a hacker wants. Discover the application listening on that port and find ways to exploit it.
Understanding port states

  • Open — An open port is one that is actively accepting TCP, UDP or SCTP
  • Closed — A port that receives and responds to Nmap probe packets but there is no application listening on that port
  • Filtered — Nmap can’t determine whether the port is open because packet filtering prevents its probes from reaching the port. Filtering could come from firewalls or router rules.
  • Open/filtered — Nmap is unable to determine between open and filtered. This happens when an open port gives no response
  • Closed/filtered — Nmap is unable to determine whether port is closed or filtered. Only used in the IP ID idle scan.
    1
2
3
4
5

    nmap -sS 192.168.1.1 => SYN scan
nmap -sT 192.168.1.1 => TCP scan
nmap -sU 192.168.1.1 => UDP scan
nmap -sY 192.168.1.1 => SCTP scan
nmap -A 192.168.1.1 => Aggressive scan

Advanced Nmap scanning techniques and Tricks using other tools like nmap

Commands with descriptions

1

nmap -vv -Pn -sV -sC -R -F -T4 -O --open 192.168.1.1 -oN nmap_scan.txt
  • -vv To tell nmap to prints many extra informational notes, Help you to know what Nmap is doing
  • -Pn To tell nmap to skip ping scans to avoid restriction by some firews, So host discovery will b skipped
  • -sV Probe open ports to determine service/version info
  • sC Tells Nmap to use default script to identify some vulnerabilities,It is equivalent to –script=default
  • -R To tell nmap resolve-DNS
  • -F To tell nmap scan in Fast mode
  • -T4 Set timing template to be faster
  • -O Tells nmap to determine the operating system running on a remote host.
  • --open Only show open (or possibly open) ports
  • -oN Save output of Nmap scan in a file called nmap_scan.txt

Nmap scripting engine (NSE)

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

usage

1

nmap --script filename|category|directory|expression,...   target

Example of types of NSE are:
auth,broadcast,default.discovery,dos,exploit,external,fuzzer,intrusive,malware ,safe,version,and vuln More details click here

  • Default script
nmap -sC 192.168.100.0/24

  • Check HTTP supported methods

    1

    nmap -p80 --script http-methods 127.0.0.1
  • Perform lightweight vulnerability finding
1

nmap --script = vulnerability 192.168.100.3
  • Execute the promiscuous.nse script to look for Ethernet cards in promiscuous mode. In the enterprise, this is something worth investigating for security auditing, because it will discover systems that are running sniffers
    1

    nmap --script = promiscuous.nse 192.168.100.0/24
  • Using all nmap scripts 🤣
    1

    nmap --script = all 192.168.100.4
  • Passing some arguments to nmap scan
    1

    nmap -p 22 -n -v -sV  -sC -Pn --script ssh-auth-methods --script-args ssh.user=root 192.168.1.10
    Alternative tool for nmap
    1. masscan
      It scans All ports, UDP and TCP Example
      1

      sudo masscan 192.168.100.4 -p1-65535,U:1-65535 --rate=1000 -e tun0 |tee masscan.port

      How works

      1
2
3

       -p1-65535,U:1-65535 tells masscan to scan all TCP/UDP ports
 --rate=1000 scan rate = 1000 packets per second
 -e tun0 tells masscan to listen on the VPN network interface for responses
    2. rustscan
      It a fast tool to scan ports and services usage
      1

      rustscan -a 192.168.100.4 --unlimit 5000

notfinished

Hacking Tools, Enumeration
ctf nmap
This post is licensed under CC BY 4.0 by the author.

Trending Tags

nmap urchin hackthebox ctf

Contents

Oh My WebServer machine

Penetration Testing

Comments powered by Disqus.

© 2023 Peter Chin. Some rights reserved.

Realm of Knowledge

Trending Tags

nmap urchin hackthebox ctf