Discovery and Scanning with Nmap
An attacker wants to learn your network layout, especially how it's connected to the internet and its internal parts. This info can show weaknesses or the location of devices. Nmap, a free tool for network mapping and port scanning, can help with this. It works on Windows, macOS, and Linux.
Sweeping for Network Mapping
To map a network, you first send packets to each address and check for responses. If you get a reply, it means the address is in use. Nmap usually pings each address before scanning its ports, but you can change this. Using the -Pn
flag makes Nmap skip the ping and start the port scan directly.
By default, Nmap sends four packets to each address: an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 (if running as root), and an ICMP Timestamp request. If Nmap isn’t running as root, it only sends TCP SYN packets to ports 80 and 443. If any packet gets a reply, Nmap considers the address active and proceeds with scanning.
Nmap can work without root access, but some features won’t be available. For the best results, run Nmap as root.
Nmap Host Discovery
The example here shows Nmap’s host discovery output. Using -sn
disables port scanning, focusing only on finding hosts. The results list hosts that responded to Nmap’s tests and their response times. For best results, run Nmap as root to perform all tests.
Port Scanning
IP moves data on the internet, including where it’s coming from and where it’s going. TCP and UDP use IP to send their messages. TCP ensures messages arrive in order and retries if needed. UDP tries its best to deliver messages but doesn’t guarantee order or delivery.
Ports are like doors to your system. Open ports show attackers where they can get in. Port scanners help attackers find these doors and see what services are available to target.
TCP and UDP Ports
There are 65,536 TCP and 65,536 UDP ports. Common services use specific port numbers, and IANA keeps the latest port list. For example:
TCP 80 usually indicates a web server
TCP 445 usually indicates Windows Server Message Block (SMB)
UDP 53 usually indicates a DNS server
Each open port offers a potential way into a system.
Traffic with port 0 is always invalid because TCP port 0 is not used. Packets with port 0 should be discarded.
Nmap Scan Types
Ping or ARP
-sn
Disable port scan for host discovery; use ARP if on same LAN
TCP connect
-sT
TCP port scan using conventional TCP connections
TCP SYN
-sS
TCP port scan using half-open TCP connections
UDP
-sU
UDP port scan (often unreliable)
Version
-sV
Combine with other scans to identify services through active probes
Nmap allows for conducting several types of scans:
Ping sweeps find hosts without checking their ports by using the
-sn
option. On the same LAN, Nmap uses ARP (for IPv4) or IP Neighbor Discovery (for IPv6) to find systems. If not on the same LAN, Nmap sends multiple packets for host discovery. Ping sweeps help list systems before doing more scans.TCP connect scans: Try to connect to a port using -sT, then close the connection if the port is open. This is the default scan used by Nmap without root access.
TCP SYN scans: Send a TCP packet with the SYN flag to check if a port is open (if you get an ACK) or closed (if you get an RST). This scan doesn’t close the connection properly, so it’s less likely to be logged or detected. It’s the default scan in Nmap when run as root.
UDP scanning: Scans UDP services with
-sU
. Nmap sends empty packets to most ports, but uses specific data for some, like ports 53 (DNS), 111 (portmapper), and 161 (SNMP). UDP scans can be unreliable and may misidentify the status of services.Version scanning: Nmap's
-sV
option does a version scan, giving details about the software version or extra info on a service running on a found port.
Nmap can scan IPv6 addresses too by using the -6 option. It works with all scan types like connect, SYN, and UDP.
Let's do the nmap exercise in Lightning Labs.
1) By default, Nmap will scan a target system using a list of the top 1000 most common ports. Let's take a look.
Scan the target system at 10.20.20.5 using Nmap: sudo nmap 10.20.20.5
.
Notice how Nmap indicates 998 closed tcp ports, showing two ports open. This is a clue that Nmap does not scan all 65,535 ports by default.
2) Nmap can specify a range of ports with the -p
argument, indicating the starting and ending ports, separated by a hyphen.
Return to the previous command and add -p 1-65535 to scan all TCP ports.
This time Nmap scanned all 65,535 ports, revealing an open port we didn't see before: 5301.
3) We can use a port range shorthand to specify all ports: -p-
.
4) Nmap can also use a list of ports with -p, separated by commas. Return to the previous command and change the previous -p argument to indicate the three open TCP ports -p 22,53,5301.
5) The previous port range didn't reveal anything new, but it's useful to explicitly specify target ports when adding other scan types.
We don't know what service is listening on TCP/5301 other than hacl-gs which is the registered service name high availability cluster services. However, we an use a Nmap version scan to interrogate the service further.
Repeat the previous command, this time adding -sV
to perform a version scan.
The version scan reveals additional information about each service in a new Nmap output column labeled VERSION.
Here we learn that TCP/5301 is actually a nginx web server, not hacl-gs. An admin is running the web server on a non-standard port, maybe to evade detection.
6) Nmap's output is displayed on your console, but you can also save the results to a file.
Scan all ports on the target system 10.20.20.5, using -oN scanresult.txt
to save the scan results: sudo nmap -p- 10.20.20.5 -oN scanresult.txt
.
7) Nmap supports other output file formats as well. Return to the previous Nmap command then add -oG scanresult.gnmap
to the command line.
Nmap's grepable output is intended for use when scanning lots of systems, allowing you to search for listening ports quickly.
8) Consider a case where you scan lots of hosts, and you want to find out which ones listen on TCP port 5301. Run grep 5301 scanresult.gnmap.
Nmap's output isn't pretty here, but it identifies the host where port 5301 is listening quickly.
9) Nmap supports saving the scan results in an XML file format as well. Add -oX scanresult.xml
to the previous command line.
10) You can save the Nmap output in all three file formats automatically. Run sudo nmap -p- 10.20.20.5 -oA scanresultall
.
Nmap makes it easy to save the scan results in several file formats. It's often easier to run Nmap with -oA instead of choosing one or more output file types, and you can remove the files you don't want to save later.
Nmap NSE Scripts
Nmap Scripting Engine: Identify Host Information, Vulnerabilities
-sC
Use default scripts to evaluate the target
--script all
Run all scripts against target (can lead to DoS)
--script-updatedb
Update the NSE scripts (requires internet access)
--script banner
Run the named script (banner) against the target(s)
--script-help "http*"
Get help for the named script(s) (use wildcard * alone for all scripts)
--script "http*"
Run all the scripts beginning with http against the target(s)
--script "smb*"
Run all the scripts beginning with smb against the target(s)
Nmap also supports the Nmap Scripting Engine (NSE), which uses Lua scripts to analyze scan results and find more info or vulnerabilities on a target. Using the -sC
option runs default scripts for extra details, and other script categories include auth, discovery, safe, and vuln.
Some NSE scripts need arguments, which you can find in the script's help info. Use --script-args
with the argument name, an equal sign, and the value. Separate multiple arguments with commas.
When using Nmap NSE scripts, always include the -sV
option for version scanning. Without it, Nmap might misidentify services, like thinking port 5301 is hacl-gs instead of HTTP, and skip the right script. Using -sV
helps run the correct script.
Lab 2.2: Nmap
Let's start by runing nmap scan as an Uprivileged User without any extra options.
The output shows three open TCP ports, with Nmap listing the port numbers, their status, and a short description of the service. Nmap scans the 1,000 most common ports instead of all 65,535 ports.
By default, Nmap does a full TCP connect scan when not run as root, completing the three-way handshake for each open port.
Nmap shows why it thinks a port is open. In UDP scans, if no response is received, it labels the port as "Open|Filtered," meaning it could be open or filtered. If a firewall blocks a packet, Nmap marks the port as "Filtered."
Let's check why Nmap gave its results by running the scan again with nmap --reason
.
In this output, we see that Nmap discloses that it received a SYN/ACK for each of the open TCP ports.
Next, let's use sudo
to run Nmap as root and scan again.
When we run Nmap as root, it uses a different scan method called TCP SYN instead of TCP connect. This method sends a half-open connection. Both methods show similar results, but root access allows Nmap to perform an initial ping test that non-root can't do.
Nmap's half-open scan creates fewer logs but is more noticeable on the network. To make Nmap use a full TCP connect scan as root, use the -sT
option.
Let's run the scan again, but this time we will use the -p argument to check ports from 1 to 1024.
The scan shows no open ports, which matches the earlier result. We can use the -p
option to scan specific ports, like web servers (80, 443, 8000, 8080) or SMB servers (135, 139, 445), to focus our scan.
To scan all TCP ports, let's use -p 1-65535
or -p-
in Nmap. This will check all 65535 ports on the Slingshot Linux host.
When scanning all TCP ports, we found two extra services on ports TCP/5433 and TCP/5443 that earlier scans missed because Nmap only checks the top 1000 ports by default.
Nmap uses its own list to match ports with services, but this can be inaccurate. To get better details about what's running on a port, we can use a version detection scan (Banner Grabbing). Nmap connects to each service and tries to gather more information by interacting with it.
Adding version detection to the Nmap scan changes how it identifies open port services:
TCP/5433 is characterizes as a PostgreSQL database server version 9.6.0
TCP/5443 is characterized as a SSL/HTTP service running Thin httpd (a lightweight web server)
TCP/9001 is characterized as an nginx web server version 1.14.0 running on Ubuntu
TCP/9002 is also characterized as an nginx web server version 1.14.0 running on Ubuntu
The version scan helps us identify TCP/5443, TCP/9001, and TCP/9002 as web servers. We can then use Nmap to run web enumeration scripts on these servers.
We can obtain help information for a specific category of scripts using the --script-help command line argument.
To get help for a script,we can use --script-help
and then the script name.
The Nmap http-git
script looks for Git info on a web server, which might show old passwords or other sensitive details about the web app.
Let's run the http-git
script on the Slingshot Linux port 9001 web server using the Nmap --script
argument.
Nmap doesn’t show results from the http-git script because it doesn’t recognize web servers on non-standard ports.
NOTE: It is essential for Nmap to properly characterize the target service to apply the correct scripts.
Let's repeat the scan again, this time adding the -sV argument:
The http-git
script shows that the Nginx server on TCP/9001 has a Git repo at ssh://git@github.com-wiki/joswr1ght/SANS-504-Student-Wiki.
Nmap's -A
option provides detailed info by detecting the OS, versions, running scripts, and traceroute results. It’s more informative than basic scans. Let’s use it now.
Nmap gives port info, service versions (like Nginx 1.14.0), and checks which commands and details (like HTTP page titles) the services support.
In this lab, we saw how Nmap helps find active devices and services on a network. It also lets users gather more details with version scanning and NSE scripts. These features help understand the network setup and prepare for attacks.
Nmap is a strong tool but can be confusing at first. It only scans the top 1000 ports by default and doesn’t do much to find hosts before scanning. Learning how Nmap works helps us get better scan results and find vulnerabilities. By practicing with Nmap, we get better at using it effectively.
Bonus Lab
We have another Linux machine on the local 172.30.0.0 network. The Slingshot Linux VM is at 172.30.0.1, and the target is in the range 172.30.0.2-254.
1) What is the IP address of the target system?
Let's run Nmap with the -sn option to check which hosts are reachable.
Answer: 172.30.0.20
2) Which TCP ports listening on the target system using a TCP connect scan?
Let's scan all TCP ports on host 172.30.0.20 using the -sT argument (connect scan).
Answer: 21, 80, 38080, 38081, and 55558
Let's run nmap on open ports, but add the -sV option.
Comparing Nmap Scan Results with ndiff
Let's use ndiff
from Nmap to quickly compare scan results. It's useful for spotting new services or hosts by comparing different scans, like a baseline with daily or weekly scans.
First, let's run an Nmap scan, saving the results in an XML.
Let's start the SSH service, run the scan again, and save the results as newscan.xml.
Finally, let's compare the two XML using the ndiff utility:
ndiff shows the second scan has an extra TCP port (port 22 for SSH). This means there's a new service running, so analysts need to check why this port was added.
Last updated