Nmap

Live Host Enumeration

  • Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering running services.

  • In Nmap we can provide targets in 4 different ways:

    • List, for example, <IP Address 1> <IP Address 2> <IP Address 3>

    • Range, for example, <IP Address Range> (e.g. 192.168.1.0-255)

    • Subnet, for example, <IP Address/Subnet Mask> (e.g. 192.168.1.0/24)

    • File, for example, -iL <File Name>

  • nmap -sL <Targets> - lists the targets without scanning them.

  • There are 3 ways Nmap can discover live hosts:

    • When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is root or a user who belongs to sudoers and can run sudo.

    • When a privileged user tries to scan targets outside the local network, Nmap uses ICMP echo requests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and ICMP timestamp request.

    • When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.

  • nmap -sn <Targets> - is used to scan for live hosts without doing port scans.

ARP scan is possible only if you are on the same subnet as the target systems.

Port Scanning

  • A server listens on a port to provide a network service, and that service adheres to a specific network protocol.

  • At the risk of oversimplification, we can classify ports in two states:

    1. Open port indicates that there is some service listening on that port.

    2. Closed port indicates that there is no service listening on that port.

  • Nmap considers the following six states for ports:

    • Open: indicates that a service is listening on the specified port.

    • Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.

    • Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.

    • Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.

    • Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.

    • Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.

sudo nmap -sC -sV -O -oA <Output Directory> <IP Address> - Scans the top ports only (-sC runs the default scripts, -sV enumerates service versions, -O enumerates the OS). Start with this and enumerate the first few ports while the second command runs.

sudo nmap -sC -sV -O -p- -oA <Output Directory> <IP Address> - Scans all ports; run it after the first command, as it takes a long time.

nmap --script vuln -oA <Output Directory> <IP Address> - Runs the NSE scripts in the vuln category.

nmap -sU -oA <Output Directory> <IP Address> - Scans the top UDP ports only.
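Since every command above writes its results with -oA, here is an added Python example (not from these notes or from the Nmap project) that parses the grepable .gnmap file -oA produces, tallies ports by the Nmap port states listed in the Port Scanning section, and pulls out the ones left ambiguous (filtered, open|filtered, closed|filtered) for follow-up. The scan text it reads is a constructed sample, not real output.

```python
import re
from collections import Counter

# Constructed sample of the .gnmap file that "-oA <Output Directory>" writes (not real scan output).
# Each Ports entry has seven "/"-separated sub-fields: port/state/proto/owner/service/rpc/version.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sC -sV -O -oA scan 192.168.1.10
Host: 192.168.1.10 (server.example)\tStatus: Up
Host: 192.168.1.10 (server.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 8080/open|filtered/tcp//http-proxy///\tIgnored State: closed (996)\tOS: Linux 4.15 - 5.6
# Nmap done at Mon Jan  1 10:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<state>[a-z|]+)/(?P<proto>tcp|udp)/"
    r"[^/]*/(?P<service>[^/]*)/[^/]*/(?P<version>[^/]*)/$"
)

def parse_gnmap(text):
    """Return {host: {"status", "ports", "ignored", "os"}} from grepable (.gnmap) output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header/footer comments carry no host data
        fields = line.split("\t")
        host = fields[0].split()[1]
        entry = hosts.setdefault(host, {"status": None, "ports": [], "ignored": None, "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for m in filter(None, map(PORT_RE.match, value.split(", "))):  # skip unknown layouts
                    port = m.groupdict()
                    port["port"] = int(port["port"])
                    port["version"] = port["version"].replace("|", "/")  # gnmap escapes "/" as "|"
                    entry["ports"].append(port)
            elif key == "Ignored State":
                entry["ignored"] = value  # e.g. "closed (996)": the state of the ports not listed
            elif key == "OS":
                entry["os"] = value
    return hosts

def state_counts(text):
    """Tally the listed ports by Nmap port state (open, filtered, open|filtered, ...)."""
    return dict(Counter(p["state"] for h in parse_gnmap(text).values() for p in h["ports"]))

def ambiguous_ports(text):
    """Ports Nmap could not settle (filtered, open|filtered, closed|filtered): recheck these."""
    return [(host, p["port"], p["state"]) for host, h in parse_gnmap(text).items()
            for p in h["ports"] if "filtered" in p["state"]]
```

Point it at the .gnmap file from the full -p- scan to get the same breakdown for every host in the scope.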
