Nmap

Introduction

  • Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering running services.

  • In Nmap, you can provide targets in four different ways:

    • List: For example, <IP Address 1> <IP Address 2> <IP Address 3>

    • Range: For example, <IP Address Range> (e.g., 192.168.1.0-255)

    • Subnet: For example, <IP Address/Subnet Mask> (e.g., 192.168.1.0/24)

    • File: For example, -iL <File Name>

  • The command nmap -sL <Targets> lists the targets without scanning them (it still performs reverse-DNS lookups unless -n is added).
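The following script is an added example (not part of these notes or of Nmap itself) that expands the four target forms above the way nmap -sL would list them: a list of addresses, octet ranges such as 192.168.1.0-255, CIDR subnets, and a file of targets as read by -iL. It goes a little beyond the notes by accepting a range or comma-separated list in any octet (192.168.0-1.1-3, 192.168.3-5,7.1), which Nmap also accepts. Hostnames are out of scope, and treating "#" as a comment marker in the target file is this example's convention. No packets are sent.

```python
"""Expand Nmap-style IPv4 target specifications into individual addresses.

Added example, not Nmap's own code. Mirrors the target forms in the notes:
list, octet range, CIDR subnet and a -iL style file. Like `nmap -sL`, it only
lists what would be scanned.
"""
import ipaddress
import itertools
from typing import Iterable, Iterator, List


def _octet_values(spec: str) -> List[int]:
    """Values one octet field covers: '5', '0-255', '*' or '3-5,7'.

    An omitted endpoint defaults to 0 or 255 ('-5' is 0-5, '250-' is 250-255).
    """
    if spec == "*":
        return list(range(256))
    values: List[int] = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo_i = int(lo) if lo else 0
            hi_i = int(hi) if hi else 255
        else:
            lo_i = hi_i = int(item)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet spec: {spec!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by a single target spec."""
    spec = spec.strip()
    if "/" in spec:
        # Subnet form, e.g. 192.168.1.0/24. strict=False tolerates host bits
        # being set. Network and broadcast addresses are included, as Nmap does.
        net = ipaddress.ip_network(spec, strict=False)
        for addr in net:
            yield str(addr)
        return
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    # Single address or octet-range form: every combination of octet values.
    for octets in itertools.product(*(_octet_values(p) for p in parts)):
        yield ".".join(str(o) for o in octets)


def expand_targets(specs: Iterable[str]) -> List[str]:
    """Expand several specs in order (the command-line list form)."""
    out: List[str] = []
    for spec in specs:
        out.extend(expand_target(spec))
    return out


def targets_from_file(lines: Iterable[str]) -> List[str]:
    """The -iL form: one or more specs per line, separated by whitespace.

    Text after '#' is ignored (this example's convention, used for notes
    inside the target file).
    """
    specs: List[str] = []
    for line in lines:
        specs.extend(line.split("#", 1)[0].split())
    return expand_targets(specs)


def count_targets(specs: Iterable[str]) -> int:
    """How many addresses a scan of these specs would touch."""
    return len(expand_targets(specs))


if __name__ == "__main__":
    # Constructed stand-in for a -iL target file.
    sample_file = [
        "192.168.1.0/30      # lab subnet",
        "10.0.0.1 10.0.0.2   # two hosts on one line",
        "172.16.0.1-3",
    ]
    for ip in targets_from_file(sample_file):
        print(ip)
    print("total:", count_targets(["192.168.1.0/24"]))
```

Running the module prints the nine addresses covered by the constructed file and the 256 addresses in 192.168.1.0/24; checking a spec this way before scanning is the same habit as running nmap -sL first, and it makes an over-broad range obvious before any traffic is generated.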

Live Host Enumeration

  • Nmap can discover live hosts in three ways:

    • Local Network (Ethernet): When a privileged user scans targets on a local network, Nmap uses ARP requests.

    • Outside the Local Network (Privileged User): When a privileged user scans targets outside the local network, Nmap uses:

      • ICMP echo requests

      • TCP ACK (acknowledge) packets to port 80

      • TCP SYN (synchronize) packets to port 443

      • ICMP timestamp requests

    • Outside the Local Network (Unprivileged User): When an unprivileged user scans targets outside the local network, Nmap cannot craft raw packets and falls back to a full TCP three-way handshake (a connect scan) by sending SYN packets to ports 80 and 443.

  • The command nmap -sn <Targets> is used to scan for live hosts without performing port scans.

ARP scan is possible only if you are on the same subnet as the target systems.

Port Scanning

  • A server provides network services and adheres to specific network protocols. For simplicity, ports can be classified into two basic states:

    • Open: A service is listening on the port.

    • Closed: No service is listening on the port.

  • Nmap defines the following six port states:

    • Open: A service is actively listening on the specified port.

    • Closed: No service is listening on the specified port, although the port is accessible (i.e., it is reachable and not blocked by a firewall or other security appliances).

    • Filtered: Nmap cannot determine if the port is open or closed because the port is not accessible. This is usually due to a firewall preventing Nmap from reaching the port or blocking the responses.

    • Unfiltered: The port is accessible, but Nmap cannot determine if it is open or closed. This state is often encountered when using an ACK scan (-sA).

    • Open|Filtered: Nmap cannot determine whether the port is open or filtered.

    • Closed|Filtered: Nmap cannot decide whether the port is closed or filtered.

sudo nmap -sC -sV -O -oA <Output Directory> <IP Address> - Start with this command; it scans the most common ports (Nmap's default port list). (-sC runs the default NSE scripts, -sV detects service versions, -O detects the operating system; -O needs root privileges, hence sudo.)

sudo nmap -sC -sV -O -p- -oA <Output Directory> <IP Address> - Scan all ports (-p-). Run this after the initial scan, because it takes much longer.

nmap --script vuln -oA <Output Directory> <IP Address> - Runs the NSE scripts in the vuln category against the target.

sudo nmap -sU -oA <Output Directory> <IP Address> - Scan the most common UDP ports only (-sU needs root privileges, and UDP scans are slow, so keep the port set small).
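The commands above all use -oA, which writes the results in three formats (.nmap, .gnmap and .xml). The script below is an added example, not part of these notes or of Nmap, that reads the .xml file with the standard library and reports, per live host, how Nmap decided the host was up (the reason attribute: arp-response for a host found by ARP on the local segment, echo-reply or syn-ack for a remote host) and how many ports landed in each of the six port states described earlier. The element and attribute names are Nmap's documented XML output; the report text at the bottom is constructed sample data, not a real scan.

```python
"""Summarise an Nmap XML report (the <basename>.xml written by -oA).

Added example, not part of the notes or of Nmap. Tallies host discovery
reasons and the six port states. The sample document below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# The six states Nmap can assign to a port.
PORT_STATES = ("open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered")


def summarise_host(host: ET.Element) -> Dict:
    """Summarise one <host> element: address, up-reason, state counts, open ports."""
    addr_el = host.find("address[@addrtype='ipv4']")
    addr = addr_el.get("addr") if addr_el is not None else "?"
    status = host.find("status")
    up_reason = status.get("reason", "unknown") if status is not None else "unknown"
    states: Counter = Counter()
    open_ports: List[str] = []
    ports = host.find("ports")
    if ports is not None:
        # <extraports> collapses the ports Nmap did not list individually,
        # e.g. state="filtered" count="999" for a host behind a firewall.
        for extra in ports.findall("extraports"):
            states[extra.get("state")] += int(extra.get("count", "0"))
        for port in ports.findall("port"):
            state = port.find("state").get("state")
            states[state] += 1
            if state == "open":
                svc = port.find("service")
                name = svc.get("name", "?") if svc is not None else "?"
                open_ports.append(f"{port.get('portid')}/{port.get('protocol')} {name}")
    return {"addr": addr, "up_reason": up_reason, "states": states, "open": open_ports}


def summarise_report(xml_text: str) -> List[Dict]:
    """Parse a whole <nmaprun> document; hosts that were down are skipped."""
    root = ET.fromstring(xml_text)
    out: List[Dict] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        out.append(summarise_host(host))
    return out


def format_summary(hosts: List[Dict]) -> str:
    """One line per host with its state counts, then one line per open port."""
    lines: List[str] = []
    for h in hosts:
        counts = ", ".join(f"{s}={h['states'][s]}" for s in PORT_STATES if h["states"][s])
        lines.append(f"{h['addr']} up ({h['up_reason']}): {counts}")
        for p in h["open"]:
            lines.append(f"  open {p}")
    return "\n".join(lines)


# Constructed sample in Nmap's XML layout: a LAN host found by ARP, a remote
# host found by ICMP echo reply, and a host that did not answer at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oA scan 192.168.1.10 203.0.113.5 203.0.113.6">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="997"><extrareasons reason="resets" count="997"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="203.0.113.5" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="999"><extrareasons reason="no-responses" count="999"/></extraports>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="203.0.113.6" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    print(format_summary(summarise_report(SAMPLE_XML)))
```

The reason attributes are the useful part for reading a scan: resets mean the port was reachable and closed, no-response means something dropped the probe or the reply (filtered), and a UDP port that simply does not answer stays open|filtered because silence is consistent with both. Parse reports from your own scans only; for XML from an untrusted source, a hardened parser such as defusedxml is the usual choice.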
