Post

Nmap

Posted Updated
Preview Image
By Tofig Orujov
9 min read

Nmap

Nmap is a free, open-source tool that helps you scan networks to discover devices, check for open ports, and identify potential security vulnerabilities.

Nmap, widely regarded as one of the most essential tools in network security, plays a crucial role in identifying vulnerabilities within systems. Originally created for network exploration, Nmap allows users to scan entire networks, uncover open ports, detect running services, and evaluate security risks. Whether you’re managing a small local network or overseeing a large-scale infrastructure, Nmap provides the insights necessary to understand your environment and protect it from potential threats.

In this article, we will take a closer look at Nmap and its various options, exploring how they can be used for network scanning and security analysis.

The tool is one of the most used tools by network administrators and IT security specialists. It is used to:

  • Audit the security aspects of networks
  • Simulate penetration tests
  • Check firewall and IDS settings and configurations
  • Types of possible connections
  • Network mapping
  • Response analysis
  • Identify open ports
  • Vulnerability assessment as well

The syntax of nmap is as follows:

1

[root@localhost ~]# nmap <scan types> <options> <target>

Nmap offers a variety of scan techniques to suit different needs and scenarios. Here’s a look at a few of the most common ones:

  • TCP SYN Scan (-sS)
  • TCP Connect Scan (-sT)
  • UDP Scan (-sU)
  • Version Detection (-sV)
  • OS Detection (-O)
  • NULL, FIN, and Xmas Scans (-sN, -sF, -sX)
  • Ping Scan (-sP).

For example, the TCP-SYN scan (-sS) is one of the default settings unless we have defined otherwise and is also one of the most popular scan methods. This scan method makes it possible to scan several thousand ports per second. The TCP-SYN scan sends one packet with the SYN flag and, therefore, never completes the three-way handshake, which results in not establishing a full TCP connection to the scanned port. If our target sends an SYN-ACK flagged packet back to the scanned port, Nmap detects that the port is open If the packet receives an RST flag, it is an indicator that the port is closed. If Nmap does not receive a packet back, it will display it as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall. Let us take an example of such a scan.

1
2
3
4
5
6
7
8
9
10
11

[root@localhost ~]# nmap -sS localhost
Starting Nmap 7.92 ( https://nmap.org ) at 2024-09-26 13:48 +04
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

In this example, we can see that we have two different TCP ports open. In the first column, we see the number of the port. Then, in the second column, we see the service’s status and then what kind of service it is.

How can we check all the devices that are up on the network:

1
2
3
4
5

[root@localhost ~]# sudo nmap 192.168.179.0/24 -sn -oN result | grep for | cut -d" " -f5
192.168.179.1
192.168.179.2
192.168.179.254
192.168.179.133
  • -sn disabled port scanning
  • -oN Stores the results in normal formats starting with the name ‘result’\

If we have a list of IPs to scan, we can provide it to nmap using the -iL option.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

[root@localhost ~]# nmap -sn -iL hosts
Starting Nmap 7.92 ( https://nmap.org ) at 2024-09-26 13:58 +04
Nmap scan report for 192.168.179.1
Host is up (0.00038s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.179.2
Host is up (0.00024s latency).
MAC Address: 00:50:56:FD:FE:3A (VMware)
Nmap scan report for 192.168.179.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:E2:5A:84 (VMware)
Nmap scan report for 192.168.179.133
Host is up.
Nmap done: 4 IP addresses (4 hosts up) scanned in 0.19 seconds

If we want to scan multiple IPs or an IP range, nmap can still help us.

1
2
3
4
5
6
7
8

[root@localhost ~]# nmap -sn 192.168.179.130-255
Starting Nmap 7.92 ( https://nmap.org ) at 2024-09-26 14:00 +04
Nmap scan report for 192.168.179.254
Host is up (0.00031s latency).
MAC Address: 00:50:56:E2:5A:84 (VMware)
Nmap scan report for 192.168.179.133
Host is up.
Nmap done: 126 IP addresses (2 hosts up) scanned in 4.15 seconds

Discovering Open TCP Ports

By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This SYN scan is set only to default when we run it as root because of the socket permissions required to create raw TCP packets. Otherwise, the TCP scan (-sT) is performed by default. This means that if we do not define ports and scanning methods, these parameters are set automatically. We can define the ports one by one (-p 22,25,80,139,445), by range (-p 22-445), by top ports (–top-ports=10) from the Nmap database that have been signed as most frequent, by scanning all ports (-p-) but also by defining a fast port scan, which contains top 100 ports (-F).

Service and Version Detection\

Another handy method for scanning ports is the -sV option which is used to get additional available information from the open ports. This method can identify versions, service names, and details about our target.

1
2
3
4
5
6
7
8
9
10
11

[root@localhost ~]# nmap -sV 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2024-09-26 14:06 +04
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.37 ((Oracle Linux Server))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds

Saving Result

While we run various scans, we should always save the results. We can use these later to examine the differences between the different scanning methods we have used. Nmap can save the results in 3 different formats.

  • Normal output (-oN) with the .nmap file extension
  • Grepable output (-oG) with the .gnmap file extension
  • XML output (-oX) with the .xml file extension
  • We can also specify the option (-oA) to save the results in all formats.

The command could look like this:

1
2
3
4
5
6
7
8
9
10
11
12

[root@localhost ~]# nmap -p- -oA scan.txt 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2024-09-26 14:09 +04
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
[root@localhost ~]# ls
anaconda-ks.cfg  hosts  scan.txt.gnmap  scan.txt.nmap  scan.txt.xml

Style sheets

With the XML output, we can easily create HTML reports that are easy to read, even for non-technical people. This is later very useful for documentation, as it presents our results in a detailed and clear way. To convert the stored results from XML format to HTML, we can use the tool xsltproc.

1

[root@localhost ~]# xsltproc target.xml -o target.html

If we now open the HTML file in our browser, we see a clear and structured presentation of our results.

Nmap Scripting Engine

Nmap Scripting Engine (NSE) is another handy feature of Nmap. It provides us with the possibility to create scripts in Lua for interaction with certain services.

There are a total of 14 categories into which these scripts.

Default Scripts

1

[root@localhost ~]# sudo nmap <target> -sC

Specific Script Catergory

1

[root@localhost ~]# sudo nmap <target> --script <category>

For example, let us keep working with the target SMTP port and see the results we get with two defined scripts.

1
2
3
4
5
6
7
8
9
10

[root@localhost ~]# nmap 10.129.2.28 -p 25 --script banner,smtp-commands
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST
Nmap scan report for 10.129.2.28
Host is up (0.050s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

If you are looking for a comprehensive article about Nmap scripts, you can visit this link.

DECOY

There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:). Our real IP address is then randomly placed between the generated IP addresses. In the next example, our real IP address is therefore placed in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

[root@localhost ~]#  nmap 127.0.0.1 -p 80 -sS -Pn --packet-trace -D RND:5
Starting Nmap 7.92 ( https://nmap.org ) at 2024-09-26 14:32 +04
SENT (0.0493s) TCP 77.199.250.124:54649 > 127.0.0.1:80 S ttl=42 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
SENT (0.0493s) TCP 143.208.231.179:54649 > 127.0.0.1:80 S ttl=53 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
SENT (0.0494s) TCP 127.0.0.1:54649 > 127.0.0.1:80 S ttl=39 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
SENT (0.0602s) TCP 73.152.157.105:54649 > 127.0.0.1:80 S ttl=41 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
SENT (0.0603s) TCP 113.238.51.143:54649 > 127.0.0.1:80 S ttl=59 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
SENT (0.0608s) TCP 201.112.113.170:54649 > 127.0.0.1:80 S ttl=43 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
RCVD (0.0494s) TCP 127.0.0.1:54649 > 127.0.0.1:80 S ttl=39 id=53552 iplen=44  seq=3877487995 win=1024 <mss 1460>
RCVD (0.0494s) TCP 127.0.0.1:80 > 127.0.0.1:54649 SA ttl=64 id=0 iplen=44  seq=2859944267 win=65495 <mss 65495>
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Of course, Nmap’s features don’t end here. There are many more features that we haven’t discussed in this article. I just tried to compile the ones I use the most and find interesting.

That’s it!

Toolset & Technique
nmap enum service tcp udp firewall
This post is licensed under CC BY 4.0 by the author.