0x4: Network Mapping With Nmap

Peeking On Your Ports

Reconnaissance is one of the first steps involved in hacking or penetration testing a computer network, and one of the most popular and prominent tools for performing that first network analysis is Nmap (or Network Map). A powerful tool used by system administrators, security professionals, network researchers and hackers, Nmap is considered the de facto industry standard in network analysis and vulnerability detection.

trinityusesnmap
Hollywood hacking: Trinity used nmap to discover ssh running on.. port 22.

In this article we will talk about the what, the who and the how of Nmap. Additionally we will also be demonstrating the use of the tool in the context of an offensive information gathering exercise in the Kali Linux environment.

What Is Nmap?

Nmap is a free, open source network scanner that is used to discover hosts and the services those hosts are running. It provides a wide range of features and functionality, from operating system discovery and vulnerability detection to simple port scanning and enumeration. Although it was designed to rapidly scan large networks, it works fine on single hosts.

Fundamentally it is an advanced network scanning tool, that uses specially crafted IP packets to identify devices and services running on a host or selection of hosts, with a wide range of specialized features.

A more in depth look at these features:

  • Host discovery: identifies hosts on a network and tries to resolve the hosts name and physical address
  • Port scanning: detects and enumerates open ports
  • Version detection: advanced identification of network services and applications including the name and version
  • OS detection: attempts to detect a hosts operating system by analyzing it’s fingerprint
  • Scriptable interaction with a target: using the builtin Nmap scripting engine or the Lua programming language enabling more refined scan results with scripts

Some typical uses of Nmap include:

  • Auditing the security of a network by identifying network connections that can be made to a host
  • Generating traffic to hosts, response analysis and response time measurement
  • Discovery of open ports on a host
  • Identifying and exploiting vulnerabilities

Nmap started as a Linux utility, but now has several ports to all the main operating systems in use, however it is most popular on Linux. Typically used entirely from the command line, several GUI interfaces exist for Nmap, the most notable being Zenmap. It is also an included module in the Metasploit Framework (msfconsole) for vulnerability identification and immediate exploitation.

Who Made Nmap?

First released September 1997 as source code in Phrack Magazine, Nmap was written in C++ by Gordon Lydon. Since then it has grown from a huge community of developers and enthusiasts.

Different Scan Types

Nmap has a wide range of different scan types, for a wide variety of different situations and environments. Your scan type is dependent on your target system, or the type of results you are after and how they are acquired. Let’s discuss some of the common scan types and how they work in further detail.

TCP

One of the “nosiest” scan types, TCP scans are generally used to see if you can complete what’s known as a “three way handshake” between you and a target. This scan type is considered noisy as it can be detected fairly easily, as services may log the sender of the scan packets which could potentially trigger an Intrusion Detection System (IDS) on the target.

UDP

These scans are used to check whether there is any UDP ports up and listening for incoming requests on a target. As UDP has no mechanism to respond with a positive acknowledgment, there is always a chance for a false positive in the scan results. UDP scans can also be used to reveal Trojan horses that might be running on UDP ports or even reveal hidden RPC services.

SYN

Basically another form of TCP scan, the main difference being Nmap creates a synchronize packet, which is the initial packet sent to establish a TCP connection. During a SYN scan the connection is never actually formed, instead the responses to these created packets that are sent to the target are analyzed by Nmap to produce the scan results. Considered to be far more “stealthy” of a scan than a TCP scan.

ACK

This scan type determines whether a port is filtered by a firewall. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated firewall might not.

FIN

Much like a SYN scan, but instead of Nmap sending a specially crafted TCP SYN packet, it sends a TCP FIN packet. Most but not all computers will send an RST packet (reset packet) back if they get this packet, so the FIN scan can show false positives and negatives — but it may get under the radar of some IDS programs and other countermeasures.

IDLE

This is the stealthiest of all scans discussed, as the packets are bounced off an external host. Control over the host is generally not necessary, but the host needs to meet a specific set of conditions. This scan is entirely used for malicious attacks.

Command Flags

Nmap has a variety of flags (or switches) that you can use to perform the various scan types, format the output into a particular type or for selecting specific ports for scanning. Here are the most common ones:

nmapscancheatsheet
My Nmap cheat sheet, there are several available elsewhere.

Demonstration

Now we know what Nmap is and how it generally works, let’s put this knowledge into use. In future ‘TryHackMe‘ write-ups, we will be using Nmap for offensive information gathering on a target machine. This is an important and vital first step in compromising a remote target, as it allows us to assess, plan and map our point of entry or vector of attack.

The box we will be targeting for the purposes of demonstration is Blue on TryHackMe, however you could perform this scan on your own virtual machine or one from VulnHub.

Important note: if you aren’t scanning a box that is yours, ensure you have the correct permission to do so. Although using Nmap is not illegal, you shouldn’t scan boxes that aren’t yours as it probably will be perceived as an attempt at intrusion.

Let’s start with a basic port scan to see which ports are open by issuing:

nmap -Pn <targetIP>

nmapportscan

As we can see from the results, there are nine ports open on the host we scanned and Nmap has attempted to enumerate some of the service names. To demonstrate using a different scan technique and to get even more information on the services running on the ports, issue the following:

nmap -sS -sV <targetIP>

nmapserviceversion

Pretty much the same as the last scan, only this time we used the more stealthy scan technique (TCP SYN) and a more intrusive port scan which enumerated all the services and their versions. The output seems to suggest that the host is running a Windows OS version between 7 and 10, based on what appears to be running on port 445. Let’s try and identify exactly which version of Windows it is by performing an OS detection scan by issuing:

nmap -sS -O <targetIP>

nmaposdetection

Again we used the TCP SYN scan technique for a more quiet scan and we also used the OS identification flag, however Nmap couldn’t identify exactly what OS the host is using. So let’s perform a far more aggressive scan by issuing:

nmap -A -T 5 <targetIP> -vv

nmaposdiscovery

Because we used the ‘very verbose’ flag, Nmap outputted a lot more information. Not only did this scan validate the information we gathered on the service versions, we also now know the host is definitely running Windows 7. Finally let’s wrap up and scan the host for vulnerabilities using the vulnerability script by issuing:

nmap –script vuln <targetIP>

nmapvulnscan

We will continue with the exploitation of this vulnerability in the next article on the Metasploit Framework.

Final Thoughts

In this article we have demonstrated how to use a variety of scan techniques, the successful enumeration of ports on a host, the services and the versions running on those ports, how to discover a hosts physical address (MAC), how to ascertain a hosts operating system and how to detect vulnerable services running on a host.

 

2 thoughts on “0x4: Network Mapping With Nmap

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s