Nmap is an indispensable tool for cybersecurity and IT professionals. As an ethical hacker, I rely on it heavily in my daily work. Let’s dive into how I use Nmap to uncover the intricacies of network security.
This post is for educational purposes only, focusing on ethical and legal hacking to promote cybersecurity awareness. Please use this information responsibly and adhere to legal and ethical standards.
What is Nmap?
Nmap, short for Network Mapper, helps you discover devices on a network and the services running on those devices. It can also identify vulnerabilities using the Nmap Scripting Engine.
Getting Started with Nmap
The simplest way to start using Nmap is by running:
nmap [IP Address]
On many Windows machines you will instead see "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn". Windows Firewall blocks inbound ICMP echo requests by default, so Nmap's host-discovery probes get no reply and it gives up before port scanning. The -Pn flag skips host discovery and treats the target as up:
nmap -Pn [IP Address]
Understanding Scan Results
A basic scan result shows open ports, their state, and the services running. For example, a scan might reveal:
Port 21 (FTP)
Port 22 (SSH)
Port 139, 445 (NetBIOS/SMB)
However, the SERVICE column in a basic scan is only a lookup of the port number in Nmap's nmap-services table, not an observation of what is actually listening; an administrator can run SSH on port 21 or a web server on port 22. Confirming what is really running takes version detection (-sV, or -A). The initial scan simply tells you which ports are open, closed or filtered.
Full Network Scan
A full scan is crucial for comprehensive network discovery. To perform a full scan, use:
nmap -p- [IP Address]
This scans all 65,535 TCP ports (1-65535), which takes longer but ensures you do not miss a service listening on an unusual port. Note that -p- covers TCP only; UDP services need a separate -sU scan.
You can also specify a specific range of ports like this:
nmap -p 1-86 [IP Address]
Or select ports separated by commas like this:
nmap -p 80,443,8080,8443 [IP Address]
Lastly, you can specify specific ports and ranges like this:
nmap -p 1-86,443,8080,8443 [IP Address]
Advanced Scanning Techniques
To ensure I don't miss a single open port and to speed up my results, I use this scan just about every time I fire up nmap on a new engagement or CTF event:
sudo nmap -sS -T4 -Pn -p- [IP Address]
-sS: SYN scan for speed and stealth. It needs raw sockets, which is why the command runs under sudo; when Nmap runs as root, -sS is already the default scan type.
-T4: Increases scan speed. (-T3 is the default; timing templates range from -T0 through -T5, and -T4 assumes a fast, reliable network.)
-Pn: Skips the host-discovery ping check.
SYN Scan Explained
A SYN scan sends a SYN packet to each port. A SYN-ACK reply means the port is open, an RST means it is closed, and no reply (or an ICMP unreachable) is reported as filtered. Instead of completing the handshake with an ACK, the scanning host answers the SYN-ACK with a reset (RST), so the target application never sees a finished connection and typically does not log one. This is faster than a full connect scan, but the SYN packets themselves are visible to firewalls and IDS, and most modern detection tools identify the pattern easily.
Detailed Port Information
To gather detailed information about open ports, use:
sudo nmap -sT -A -Pn --script vuln -p [Ports] [IP Address]
-sT: Full TCP connect scan (for more reliable results; every port is checked with a complete handshake).
-A: Enables OS detection (-O, which is what needs root here), version detection (-sV), default script scanning (-sC), and traceroute.
--script vuln: Runs the NSE scripts in the vuln category in place of the default set. Some of them are intrusive, so keep this to targets you are authorized to test.
Example Scenario
In a scan, you might find ports 21, 22, 139, 445, and 3632 open. With --script vuln, Nmap's distcc-cve2004-2687 script may flag CVE-2004-2687 (remote command execution in distccd) on port 3632, which was the actual exploit vector in a Hack The Box machine I did one time.
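Chaining the two commands above (the fast SYN sweep and the targeted -sT -A --script vuln scan) is easiest with a small wrapper. The script below is an added example, not part of the original post: phase one writes grepable output (-oG -) to stdout, a parser pulls out only the ports in state open, and phase two scans just those. The target 10.10.10.5 and the sample grepable output embedded in the script are constructed (the ports match the example scenario above, plus one filtered port the parser must ignore), so the parsing can be exercised without a live host.

```bash
#!/usr/bin/env bash
# Two-phase Nmap workflow (added example, not from the original post):
#   1. fast full-range SYN sweep, grepable output to stdout
#   2. deep scan (-sT -A --script vuln) of only the ports found open
# The target 10.10.10.5 and the sample output below are constructed.

# Parse Nmap grepable (-oG) output on stdin and print the open TCP ports as a
# comma-separated list suitable for -p, e.g. "21,22,139,445,3632".
# Only "/open/tcp" entries match, so closed, filtered and open|filtered
# ports are dropped. Prints nothing when no port is open.
open_tcp_ports() {
    { grep '^Host:.*Ports:' || true; } \
      | { grep -oE '[0-9]+/open/tcp' || true; } \
      | cut -d/ -f1 \
      | sort -n | uniq \
      | paste -s -d ',' -
}

# Phase 1: full-range SYN sweep. Raw sockets for -sS need root.
fast_sweep() {
    sudo nmap -sS -T4 -Pn -p- -oG - "$1"
}

# Phase 2: deep scan restricted to the ports phase 1 found.
# -A includes -O, which is why this also runs under sudo.
deep_scan() {
    local target=$1 ports=$2
    sudo nmap -sT -A -Pn --script vuln -p "$ports" "$target"
}

two_phase_scan() {
    local target=$1 ports
    ports=$(fast_sweep "$target" | open_tcp_ports)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open TCP ports on $target: $ports" >&2
    deep_scan "$target" "$ports"
}

# Constructed sample of what phase 1 prints (grepable format, tab-separated
# fields), matching the example scenario plus one filtered port to ignore.
sample_grepable() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -T4 -Pn -p- -oG - 10.10.10.5'
    printf 'Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/filtered/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3632/open/tcp//distccd///\tIgnored State: closed (65529)\n'
    printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 60.00 seconds'
}

if [ "${1:-}" = "--demo" ]; then
    # Exercise the parser alone on the constructed sample.
    sample_grepable | open_tcp_ports
elif [ -n "${1:-}" ]; then
    two_phase_scan "$1"
fi
```

Run it with --demo to see the parser alone (it prints 21,22,139,445,3632), or with a target to run both phases, which need root for -sS and -O. Filtered and open|filtered ports are deliberately excluded from the second phase; loosen the grep pattern if you want them included.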
Conclusion
Nmap is a powerful tool for network discovery and vulnerability assessment. The combination of SYN scans, full port scans, and detailed information scans is an essential part of my penetration testing toolkit. Experiment with these commands and flags to get the most out of Nmap.