Nmap

Nmap (Network Mapper) is a powerful, open-source tool used for network discovery, security auditing, and network inventory. Nmap can be used to scan networks, discover hosts, identify open ports, detect operating systems, and even run scripts to automate tasks.

Usage

nmap [Scan Type(s)] [Options] {target specification}
| Option | Description |
|---|---|
| -p <port ranges> | Scan specific ports or port ranges. -p-: scan all ports; no -p given (default): scan the top 1000 ports; -F: fast mode, scan the top 100 ports |
| -sL | List the targets to scan without actually scanning them |
| -sn | Host discovery scan |
| -sS | TCP SYN scan |
| -sT | TCP Connect scan |
| -sU | UDP scan |
| -sF | TCP FIN scan |
| -T<0-5> | Set the timing of the scan. Higher numbers produce results faster; slower scans elude detection better |
| -O | Enable OS detection |
| -sV | Probe open ports to determine service/version info |
| -A | Aggressive scan that enables OS detection, version detection, script scanning and traceroute |
| --open | Only report open (or possibly open) ports |
| -Pn | Treat all hosts as online and skip host discovery (scan hosts that appear to be down) |
| -v | Increase the verbosity of the output |
| -d | Debugging-level output |
There are multiple ways to specify targets:
  • IP range using -: to scan all the IP addresses from 192.168.0.1 to 192.168.0.10, write 192.168.0.1-10
  • IP subnet using /: to scan a subnet, express it as 192.168.0.1/24, which is equivalent to 192.168.0.0-255
  • Hostname: you can also specify your target by hostname
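To make the three target forms above concrete, here is an added example (not Nmap's own code) that expands a target specification into the individual IPv4 addresses it covers; it also handles a range in any octet, which Nmap accepts as well, and leaves hostnames unresolved so it runs offline.

```python
import ipaddress
import re

# Added example: expand an Nmap-style target spec into IPv4 addresses.
# Forms handled: octet range ("192.168.0.1-10"), CIDR ("192.168.0.1/24"),
# a range in any octet ("10.0.0-1.1-2"), and a bare hostname (returned as-is).
_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(part: str) -> list[int]:
    """Turn one dotted part ("5" or "1-10") into the list of values it covers."""
    m = _OCTET.match(part)
    if not m:
        raise ValueError(f"bad octet spec: {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet out of range: {part!r}")
    return list(range(lo, hi + 1))


def expand_target(spec: str) -> list[str]:
    """Return every IPv4 address a single Nmap target spec covers.

    Hostnames are returned unchanged; Nmap resolves them at scan time and
    no DNS lookup is performed here.
    """
    if "/" in spec:
        # strict=False mirrors Nmap: 192.168.0.1/24 means all of 192.168.0.0/24,
        # i.e. 192.168.0.0 through 192.168.0.255 (network and broadcast included).
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        a, b, c, d = (_octet_values(p) for p in parts)
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    return [spec]  # hostname: left for the scanner to resolve
```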

Nmap Scan Types

Host Discovery Scan (-sn)

A host discovery scan (Ping Scan) is one of the most common types of scans used to enumerate hosts on a network because it can use different types of ICMP messages to determine whether a host is online and responding on a network.
It aims to discover live hosts without attempting to discover the services running on them. This scan might be helpful if you want to discover the devices on a network without causing much noise.

NOTE The default for the -sn scan option is to send an ICMP echo request packet to the target, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. This is documented at https://nmap.org/book/man-host-discovery.html. If the target responds to the ICMP echo or the aforementioned packets, then it is considered alive.

TCP Connect Scan (-sT)

A TCP connect scan uses the underlying operating system's networking stack to establish a full TCP connection with each probed port on the target device. Because it completes the connection, it generates more traffic and therefore takes longer to run. It is the scan type Nmap falls back to when no scan type is specified and raw packet privileges are unavailable. It should typically be used only when a SYN scan is not an option, such as when the user running the nmap command lacks raw packet privileges on the operating system, because many Nmap scan types rely on writing raw packets.
TCP Connect Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis |
|---|---|---|
| Open | TCP SYN-ACK | The service is listening on the port. |
| Closed | TCP RST | The service is not listening on the port. |
| Filtered | No response from target | The port is firewalled. |
A full TCP connect scan requires the scanner to send an additional packet per scan, which increases the amount of noise on the network and may trigger alarms that a half-open scan wouldn’t trigger. Security tools and the underlying targeted system are more likely to log a full TCP connection.

Nmap SYN Scan (-sS)

With an Nmap SYN scan, the tool sends a TCP SYN packet to the TCP port it is probing. This process is also referred to as half-open scanning because it does not open a full TCP connection since the TCP three-way handshake is never completed.
The advantage is that this is expected to lead to fewer logs as the connection is never established, and hence, it is considered a relatively stealthy scan.
SYN Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis |
|---|---|---|
| Open | TCP SYN-ACK | The service is listening on the port. |
| Closed | TCP RST | The service is not listening on the port. |
| Filtered | No response from target or ICMP destination unreachable | The port is firewalled. |

UDP Scan (-sU)

The majority of the time, you will be scanning for TCP ports, as this is how you connect to most services running on target systems. However, you might encounter some instances in which you need to scan for UDP ports – for example, if you are trying to enumerate a DNS, SNMP, or DHCP server. These services all use UDP for communication between client and server. To scan UDP ports, Nmap sends a UDP packet to all ports specified in the command-line configuration. It waits to hear back from the target. If it receives an ICMP port unreachable message back from a target, that port is marked as closed. If it receives no response from the target UDP port, Nmap marks the port as open/filtered.
UDP Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis |
|---|---|---|
| Open | Data returned from port | The service is listening on the port. |
| Closed | ICMP error message received | The service is not listening on the port. |
| Open/filtered | No ICMP response from target | The port is firewalled or the probe timed out. |

TCP FIN Scan (-sF)

There are times when a SYN scan might be picked up by a network filter or firewall. In such a case, you need to employ a different type of packet in a port scan. With the TCP FIN scan, a FIN packet is sent to a target port. If the port is actually closed, the target system sends back an RST packet. If nothing is received from the target port, you can consider the port open because the normal behavior would be to ignore the FIN packet.

NOTE A TCP FIN scan is not useful when scanning Windows-based systems, as they respond with RST packets, regardless of the port state.

TCP FIN Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis |
|---|---|---|
| Filtered | ICMP unreachable error received | A closed port should respond with RST. |
| Closed | RST packet received | A closed port should respond with RST. |
| Open/Filtered | No response received | An open port should drop the FIN. |

Timing Options (-T<0-5>)

The Nmap scanner provides six timing templates that can be specified with the -T option and the template number (0 through 5) or name. Nmap timing templates enable you to dictate how aggressive a scan will be, while leaving Nmap to pick the exact timing values. These are the timing options:

  • -T0 (Paranoid) : Very slow, used for IDS evasion
  • -T1 (Sneaky) : Quite slow, used for IDS evasion
  • -T2 (Polite) : Slows down to consume less bandwidth, runs about 10 times slower than the default
  • -T3 (Normal) : Default, a dynamic timing model based on target responsiveness
  • -T4 (Aggressive) : Assumes a fast and reliable network and may overwhelm targets
  • -T5 (Insane) : Very aggressive; will likely overwhelm targets or miss open ports
| Option | Explanation |
|---|---|
| --min-parallelism <numprobes> and --max-parallelism <numprobes> | Minimum and maximum number of parallel probes. By default, Nmap controls the number of parallel probes automatically: if the network is performing poorly, i.e., dropping packets, the number of parallel probes might fall to one; if the network performs flawlessly, it can reach several hundred. |
| --min-rate <number> and --max-rate <number> | Minimum and maximum sending rate (packets/second) |
| --host-timeout <time> | Maximum amount of time to wait for a target host |

Saving Scan Report

Nmap gives us various formats to save the scan results. The three most useful are normal (human-friendly) output, XML output, and grepable output, in reference to the grep command. You can select the scan report format as follows:

  • -oN <filename> - Normal output
  • -oX <filename> - XML output
  • -oG <filename> - grep-able output (useful for grep and awk)
  • -oA <basename> - Output in all major formats
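Grepable output is the format you reach for when post-processing results with scripts. The following is an added example (not Nmap's own code) that parses the -oG line format, where each tab-separated field is a "Key: value" pair and each port entry is port/state/proto/owner/service/rpc/version/; the sample scan text is constructed for illustration, not a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample of grepable (-oG) output for this example; not a real scan.
# One "Ports:" line per host; a Status-only line precedes it for the first host.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -sU -sV -oG out.gnmap 192.168.0.0/24
Host: 192.168.0.5 ()\tStatus: Up
Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.0.9 (printer.lan)\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    version: str


_HOST = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text: str) -> list[PortRecord]:
    """Return one PortRecord per port entry; comment lines and Status-only lines are skipped."""
    records: list[PortRecord] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        # Fields on a -oG line are tab-separated "Key: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = _HOST.match(line)
        if not m or "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            records.append(PortRecord(m.group(1), int(port), proto, state, service, version))
    return records


def open_ports(records: list[PortRecord], include_ambiguous: bool = False) -> dict[str, list[str]]:
    """Group open ports by host; UDP's open|filtered verdicts are included only on request."""
    wanted = {"open", "open|filtered"} if include_ambiguous else {"open"}
    out: dict[str, list[str]] = {}
    for r in records:
        if r.state in wanted:
            out.setdefault(r.host, []).append(f"{r.port}/{r.proto}")
    return out
```

The include_ambiguous switch matters for UDP results, since the open|filtered state means only that nothing came back, not that a service answered.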

Nmap Scripting Engine

Nmap contains the powerful Nmap Scripting Engine (NSE), which enables the programming of various Nmap options and conditional actions to be taken as a result of the responses. NSE has built-in scripts that enumerate users, groups, and network shares.

  • In Kali Linux, the NSE scripts are located at /usr/share/nmap/scripts by default.
  • One of the more commonly used scripts for SMB discovery is the smb-enum-users.nse script.
  • You can enumerate the network shares with another NSE script, smb-enum-shares.nse, to discover shared directories on the target computer: nmap --script smb-enum-shares.nse -p445 [ip]
    Examine the output created by the smb-enum-shares script. Share names that end with a "$" character are hidden shares, which include the system and administrative shares.

Nmap Vulners Script to Scan for Vulnerabilities

The Vulners script displays known vulnerabilities and the corresponding CVE. The Vulners script uses the open port and software version information to search for common platform enumeration (CPE) names that relate to the identified service. It then makes a request to a remote server to find out if any known vulnerabilities exist for that CPE.

Use the nmap --script option to launch the vulners script. The syntax is nmap -sV --script vulners [--script-args mincvss=<arg_val>] <target>, where the script argument mincvss restricts the output to only those CVEs whose CVSS score is higher than the value specified in the argument.

Example:

  1. There are multiple scripts available to find valid usernames using Nmap. One of the most common is the SMB username script. It is common practice to synchronize OS users with SMB (Samba or Windows) users. Use the Nmap script smb-brute to find users and to attempt to brute-force passwords.
     sudo nmap -sV -p 445 --script smb-brute 172.17.0.2
     • Locate the Host script results section in the command output. Username and password combinations that were uncovered by the Nmap script are listed in this section.

Scan for IPs

To scan for IPs in the network, we can use:
- arp-scan -l
- netdiscover -r [ip range (e.g. 192.168.57.0/24)]

https://nahil.xyz/vault/tools/nmap/
Author Nahil Rasheed
Published at June 15, 2025
Disclaimer This content is provided strictly for educational purposes only.