Nmap

Introduction

• Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering running services.

• In Nmap, you can provide targets in four different ways:

  • List: For example, <IP Address 1> <IP Address 2> <IP Address 3>

  • Range: For example, <IP Address Range> (i.e., 192.168.1.0-255)

  • Subnet: For example, <IP Address/Subnet Mask> (i.e., 192.168.1.0/24)

  • File: For example, -iL <File Name>

• The command -sL <Target> Shows you the list of targets without scanning them.

Live Host Enumration

• Nmap can discover live hosts in three ways:

  • Local Network (Ethernet): When a privileged user scans targets on a local network, Nmap uses ARP requests.

  • Outside the Local Network (Privileged User): When a privileged user scans targets outside the local network, Nmap uses:

    • ICMP echo requests

    • TCP ACK (acknowledge) packets to port 80

    • TCP SYN (synchronize) packets to port 443

    • ICMP timestamp requests

  • Outside the Local Network (Unprivileged User): When an unprivileged user scans targets outside the local network, Nmap resorts to a TCP three-way handshake by sending SYN packets to ports 80 and 443.

• The command nmap -sn <Targets> is used to scan for live hosts without performing port scans.

ARP scan is possible only if you are on the same subnet as the target systems.

Port Scanning

• A server provides network services and adheres to specific network protocols. For simplicity, ports can be classified into two basic states:

  • Open: A service is listening on the port.

  • Closed: No service is listening on the port.

• Nmap defines the following six port states:

  • Open: A service is actively listening on the specified port.

  • Closed: No service is listening on the specified port, although the port is accessible (i.e., it is reachable and not blocked by a firewall or other security appliances).

  • Filtered: Nmap cannot determine if the port is open or closed because the port is not accessible. This is usually due to a firewall preventing Nmap from reaching the port or blocking the responses.

  • Unfiltered: The port is accessible, but Nmap cannot determine if it is open or closed. This state is often encountered when using an ACK scan (-sA).

  • Open|Filtered: Nmap cannot determine whether the port is open or filtered.

  • Closed|Filtered: Nmap cannot decide whether the port is closed or filtered.

Commands Cheatsheet

sudo nmap -sC -sV -O -oA <Output Directory> <IP Address> - Start with this command to enumerate the first few ports. (-sC for default scripts, -sV for version enum, -O for OS enum)

sudo nmap -sC -sV -O -p- -oA <Output Directory> <IP Address> - Scan all the ports, run this command after the initial scan because it takes a long time.

nmap --script vuln -oA <Output Directory> <IP Address> - Runs vulnerability scripts.

nmap -sU -oA <Output Directory> <IP Address> - Scan for the top UDP ports only.