Network mapper, also known as nmap, is an open-source network reconnaissance, port scanning, and security auditing tool. It is one of the most basic and widely used cybersecurity tools that has evolved from a simple port scanner to a multifunctional toolset. It is an ideal tool for security practitioners, network, IT, and system administrators to customize the open source code for specialized environments. Hence, it’s a Swiss Army knife for cybersecurity and IT professionals.
The article is a basic-intermediate level guide on analyzing networks using the Nmap utility. You will understand Nmap functionality to scan entire networks and check for available services and unpatched vulnerabilities to help you advance in the cyber kill chain process.
Types of Nmap Scan
Nmap offers multiple scanning techniques such that each method significantly contributes to the results after a port scan. However, it only allows one scan type at a time with a format of -s<scan_type>. Some of the most common nmap scan types are:
nmap -s<scan_type> <target_host>
- Ping Sweep (-sn): This type of nmap scan sends ICMP packets to discover the number of devices that respond to it. Ping sweep helps determine the number of available or active devices on the network. It is fast and hard to detect.
- TCP (-sT): TCP connect scan completes the three-way handshake between the scanning machine and the target host, such that it’s noisy and triggers the packet filtering platforms like firewalls and intrusion detection systems.
- UDP (-sU): The -sU option in nmap looks for the active UDP protocol ports listening for a connection. Nmap combines this scan with the TCP connect scan to check open ports for both protocols. However, its results can be falsely positive, and the response is slow as a precautionary measure by target machines to such packets.
- SYN (-sS): Also known as the half-open or stealth scan because the scanner immediately responds with the RST packet after receiving the SYN-ACK packet from the target host. Hence, it closes the connection before completing the handshake.
- FIN (-sF): It’s the same as the SYN scan except that Nmap sends the FIN flag instead of an RST in a packet for closing the connection.
- NULL (-sN): The target systems do not know how to respond to a Null scan as all the flags inside the TCP header are off or set to null.
- XMAS (-sX): XMAS is the same as the null scan, except that nmap turns on all the flags in the TCP header.
Specifying Targets for Nmap Scan
Anything that isn’t an option or a flag in nmap is dealt with as a target host. It allows us to specify a range of hosts in a single command. The most simple among them is the specification of a single hostname or the target host address.
sudo nmap <www.hostname.com>
On providing the hostname as a target, nmap uses DNS resolution to resolve the hostname to an IP address and perform the target discovery process to confirm its availability. The hostname may resolve to more than one IP address, in which case, by default, it considers the first one. You can use the –all-resolve option for nmap to scan all addresses.
sudo nmap --all-resolve <www.hostname.com>
Nmap allows you to specify targets in three various ways:
- Multiple Specifications: Nmap allows to specify multiple IP addresses at a time as follows:
sudo nmap X.X.X.21, X.X.X.28, X.X.X.45
- CIDR notation: The CIDR notation-based addressing allows scanning of a whole network or a range of adjacent IP addresses. All it requires is to append the IP address/hostname with the network suffix/bits as follows:
sudo nmap <X.X.X.0/24>
sudo nmap <www.hostname.com/24>
Hence, nmap will scan all the IP addresses from X.X.X.0 to X.X.X.255. Nmap also allows you to exclude an IP address with the help of the –exclude option as follows:
sudo nmap <X.X.X.0/24> --exclude X.X.X.25, X.X.X.35
However, it’s not flexible in a scenario when you want to exclude IPs including .0 and .255 for subnetworks and broadcast addresses, as in the case of X.X.0.0/16. Nmap resolves this issue by introducing octet-based addressing.
- Octet range: It allows you to use wild cards * and – for a comma-separated range of numbers for each octet. For instance, for the target address, X.X.0-255,1-254 nmap will skip all addresses that end in .0 and .255.
Similarly for the address range X.X.2-5,8.1 nmap will scan addresses X.X.2.1, X.X.3.1, X.X.4.1, X.X.5.1, and X.X.8.1.
Lastly, given the ip address of X.X.X.* nmap will scan all addresses from 0 to 255.
Input Target Address List to Nmap
Even though Nmap provides multiple ways to specify target host addresses, it’s infeasible to write down all of them in a single command. Specifically, in a scenario when a DHCP leases around 100 IPs that you wish to scan.
Use the -iL argument to pass Nmap the .txt file containing a list of hosts for scan, such that each entry can be in any of the formats (discussed above) supported by the utility.
sudo nmap -iL <target_hosts.txt>
Specifying Ports for Nmap Scan
Port scanning is the heart of nmap as it helps to identify ports state and running services. Port scanning in nmap works by specifying targets to find information, but it isn’t necessary as mostly we don’t have a complete picture of the network. Nmap recognizes ports state based on six types:
- Open: the application or service is listening for tcp or udp connections.
- Filtered: nmap cannot determine the port state due to packet filtering via firewall or routing rules.
- Closed: the probes were successful, but no service is listening for a connection on this port.
- Unfiltered: the probes were successfully received, but nmap can not determine their state. In this scenario, the SYN and FIN scans may help determine if the port is open or not.
- Open|Filtered: nmap can not establish if the port state is listening for connections or filtered. It happens when the open port does not respond to the probe. It also occurs when a packet filter drops the nmap probes or any response sent by the target.
- Closed|Filtered: it is a state when it is unclear if the port is closed or filtered.
Nmap provides a list of essential options to perform a port scan. To begin with, the bare minimum, specify the target IP address, hostname, or network range as follows:
The above command performs a default scan that will probe 1000 TCP ports and provide all the host-related information, their states, and the services running. However, it takes a lot of time and may invoke firewall or intrusion detection systems. To avoid firewall or IDS detection, you can use the following nmap options:
To scan a single port:
sudo nmap -p 80 <hostname>
To scan a single port:
sudo nmap -p 1-100 <hostname>
To perform a fast scan on the 100 most common ports:
sudo nmap -F <hostname>
To scan port based on service:
sudo nmap -p smtp,https <hostname>
To find more about all available port scanning options via the nmap -h command.
Service and Host Discovery
Nmap offers various options to grab information about the operating system and the running services to determine open ports.
To detect the operating system alone:
nmap -O <target_host>
To detect the service and host machine:
nmap -A <target_host>
Service Version Discovery
Nmap allows you to find more details about the services running on the target machine ports. Add the -sV option to the nmap scan for a standard service version discovery:
nmap -sS -sV <target_host>
It also enables us to set the intensity of the scan with the help of a –version-intensity option for an aggressive and light service detection scan. High version intensity for service scanning provides more accurate results however, it takes more time, creates noise, and has high chances of detection.
nmap -sV --version-intensity 5 <target_host>
While the banner grabbing lightweight detection has more advantages in terms of staying undetected during services enumeration.
nmap -sV --version-intensity 0 <target_host>
Saving Nmap Output
Nmap offers various file formats to save its output. By default, nmap stores the scan output in .txt format with a simple redirect >.
nmap -sS -p 80,443 <target_host> > nmap_outputfile
Whereas the nmap -oN option stores the scan results and displays the output at the same time.
nmap -oN nmap_outputfile.txt <target_host>
For XML and grep formats use -oX and-oG options as follows:
nmap -sS -sV --version-intensity 5 -oX nmap_outputfile.xml <target_host> nmap -sS -sV --version-intensity 5 -oX nmap_outputfile.txt <target_host>
To save the results in all formats:
nmap -oA nmap_outputfile <target_host>
Nmap Scripting Engine (NSE)
NSE is a powerful nmap functionality that expands its features considerably. The NSE scripts are written in Lua language and help perform various tasks such as scanning for vulnerabilities (vuln), brute forcing credentials (brute), and bypassing authentication (auth) of running services. Use the –script option to activate the script as follows:
nmap -sV -p 80 --script=vuln <target_host>
To find more about the available database of NSE scripts, cd into the /usr/share/nmap/scripts/ directory:
cd /usr/share/nmap/scripts head scripts.db
Or grep all the available scripts for a particle protocol as follows:
grep "ftp" /usr/share/nmap/scripts/scripts.db
Nmap is a command-line utility with versions for both Windows and Linux. It’s a versatile tool for network administrators and security practitioners to resolve issues and find flaws. The article is a beginner’s guide for getting started with the Nmap tool, analyzing network services and their vulnerabilities.