Nmap is an essential open-source tool for ethical hackers and penetration testers. It was originally created by Gordon Lyon (aka Fyodor).
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Let's dig into how Nmap is used.
Nmap is an interesting tool that can be used in various ways. You can scan one single target or multiple targets. Here is a list of examples, showing the ways you can target something:
1. nmap 192.168.1.1
Description: Scanning a single IP
2. nmap www.domain.com
Description: Scanning a hostname
3. nmap 192.168.1.1-100
Description: Scanning an IP range (the dash applies to the last octet, so this covers 192.168.1.1 through 192.168.1.100)
4. nmap 192.168.1.1/24
Description: Scanning a subnet
5. nmap -iL list.txt
Description: Scanning from a predefined list
NMAP SCAN TYPES
Besides the basic nmap <_target>, Nmap offers several scan types. Each has its own use, and they differ in how much noise they generate on the network and in the target's logs. Let us see which types we have:
1. nmap -sS <_target>
Description: This is a TCP SYN scan, also called a half-open or "stealth" scan, and it is Nmap's default when run as root. Nmap sends a SYN to each port and classifies the port from the reply: a SYN/ACK means open (Nmap then sends a RST instead of completing the handshake), a RST means closed, and no reply or an ICMP unreachable error means filtered. It is fast and accurate and is the scan you will use most of the time, but it needs raw-socket privileges (root/sudo). "Stealth" only means the connection is never completed, so the listening application never sees it; the SYN packets themselves are perfectly visible to a firewall or IDS.
2. nmap -sT <_target>
Description: The -sT scan (TCP connect scan) asks the operating system to open a full connection, i.e. a complete three-way handshake, to each port. This is what Nmap falls back to when it cannot send raw packets, which is the case when you are not root. Because every probe becomes a real connection, it is slower, generates more traffic and shows up in the target service's own logs, so it is much easier to detect than a SYN scan. It is not more accurate than -sS; use it when you lack the privileges for -sS.
3. nmap -sU <_target>
Description: This scan is used to scan UDP ports. It is much slower and harder to interpret than a TCP scan: a closed UDP port usually answers with an ICMP port-unreachable message (which many hosts rate-limit), while an open port often answers with nothing at all, so Nmap reports many ports as open|filtered. Though most services use TCP, important ones run over UDP, such as DNS (53), SNMP (161), DHCP (67/68) and NTP (123), and exploitable UDP services do exist, so don't make the mistake of skipping this scan. Combining -sU with -sV makes Nmap send protocol-specific payloads, which resolves the open|filtered ambiguity for services it knows. Like -sS, a UDP scan needs root.
4. nmap -sn <_target(s)>
Description: This is a ping scan (host discovery only, no port scan) that reports which hosts are up. Despite the name it is not only ICMP: as root on the local Ethernet segment Nmap uses ARP requests, and for remote networks it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; unprivileged users get TCP connect attempts to ports 80 and 443 instead. Use it when you only want to know which devices are live. Note that -Pn is not an alternative: it does the opposite, skipping host discovery entirely and treating every address as up, which is what you want when a firewall drops the discovery probes, but it does not tell you which hosts are alive.
5. nmap -sV <_target>
Description: This is a service version scan. After finding open ports, Nmap sends probes to them and matches the responses against its signature database, reporting the application name and version instead of just the port's default service name (the exact OpenSSH or Apache release, for instance). This matters because an exploit often applies only to specific versions of a service and may already be patched in a newer one; it is also how you spot services running on non-standard ports.
6. nmap -O <_target>
Description: This is a remote OS detection scan, based on TCP/IP stack fingerprinting: Nmap sends a series of crafted packets and compares the responses (TCP options, initial window size, IP ID behaviour and so on) with its fingerprint database. Knowing the OS and version narrows down which exploits are even relevant to the target. It needs root, and it works best when there is at least one open and one closed TCP port; otherwise Nmap warns that the result may be unreliable.
7. nmap -A <_target>
Description: This is an aggressive scan, a shorthand that enables OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute (--traceroute) together. It returns a lot of information, but it is also the noisiest option here, so expect it to alert the target.
NMAP PORT SCANNING
Sometimes you want to know if a certain port is open on a target, or perhaps you want to know ALL open ports on the target. Luckily, Nmap provides its users with ways to specify this:
1. nmap -p <_port> <_target>
Description: Use -p <_port> to scan for one specific port on the target.
2. nmap -p <_port_range_begin>-<_port_range_end> <_target>
Description: You can also use -p to scan a range of ports: -p 1-20 <_target> scans ports 1 to 20 on the target. Ranges and single ports can be mixed, e.g. -p 22,80,8000-8100.
3. nmap -p <_port_a>,<_port_b>,<_port_c> <_target>
Description: Multiple specific ports are separated by commas, with no spaces (a space would end the argument and Nmap would treat the next item as a target).
4. nmap -sU -sS -p U:<_udp_port>,T:<_tcp_port> <_target>
Description: The U: and T: prefixes restrict a port specification to UDP or TCP, for example -p U:53,161,T:22,80. This only makes sense when you combine a UDP scan (-sU) with a TCP scan type such as -sS; without -sU the U: ports are never scanned, and Nmap warns you about it.
5. nmap -F <_target>
Description: The -F (fast mode) option tells Nmap to scan the 100 most common ports instead of the default 1,000.
6. nmap --top-ports <_amount> <_target>
Description: With this option you scan the N most common ports, where N is the number you provide. Nmap ranks ports by how often they are found open, using the frequency data in its nmap-services file; -F is the same as --top-ports 100.
7. nmap -p- <_target>
Description: This option tells Nmap to scan all 65,535 TCP ports, 1 through 65535 (port 0 is only scanned if you ask for it explicitly with -p0-). Compared with the default 1,000 ports this takes far longer, so it is usually done as a separate stage after a quick scan.
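As an added example (not part of the original article), here is a staged scan script that chains the options above: -sn for host discovery, -sS -p- against only the hosts that answered, and -sV with the default scripts against only the ports that came back open. Each stage writes grepable output (-oG) that the next stage parses. The helper functions are plain text processing over -oG lines and are exercised on constructed sample output at the bottom; the real scans run only when the environment variable NMAP_STAGED_TARGET (a name chosen for this example) is set, and they need root for -sS.

```shell
#!/bin/sh
# Staged Nmap workflow (added example, not from the original article).
# Stage 1: host discovery (-sn) over the range.
# Stage 2: SYN scan of all 65535 TCP ports, but only against hosts that are up.
# Stage 3: version detection plus the default scripts, but only on open ports.
# Each stage writes grepable output (-oG) that the next stage parses.
# Real scans run only when NMAP_STAGED_TARGET (a name chosen for this example)
# is set, e.g.  sudo env NMAP_STAGED_TARGET=192.168.56.0/24 sh staged-scan.sh
# Otherwise the helpers are demonstrated on the constructed sample output below.

# Live hosts from -sn -oG output (file argument or stdin): one IP per line.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$@"
}

# Open TCP ports from the -oG output of one host, as a -p list such as 22,80,443.
# Port entries look like 22/open/tcp//ssh///; filtered and closed ports are skipped.
open_tcp_ports_from_gnmap() {
    grep -o '[0-9][0-9]*/open/tcp' "$@" | cut -d/ -f1 | paste -sd, -
}

staged_scan() {
    range=$1
    out=${2:-nmap-out}
    mkdir -p "$out"

    # Stage 1: discovery only, no port scan. As root on the local segment this
    # is ARP; for remote ranges it is ICMP echo plus TCP probes to 80 and 443.
    nmap -sn -T4 -oG "$out/discovery.gnmap" "$range" >/dev/null

    live_hosts_from_gnmap "$out/discovery.gnmap" | while read -r host; do
        # Stage 2: SYN scan of every TCP port; needs raw sockets, hence root.
        # </dev/null keeps nmap from swallowing the rest of the host list,
        # because nmap reads stdin for its interactive key presses.
        nmap -sS -p- -T4 -oG "$out/$host.ports.gnmap" "$host" >/dev/null </dev/null
        ports=$(open_tcp_ports_from_gnmap "$out/$host.ports.gnmap")
        [ -n "$ports" ] || continue
        # Stage 3: the noisy part (version probes and NSE default scripts)
        # touches only the ports that came back open. -oA writes .nmap/.gnmap/.xml.
        nmap -sV -sC -p "$ports" -oA "$out/$host.services" "$host" </dev/null
    done
}

# Constructed sample output in the shape nmap -oG writes (tab-separated fields).
SAMPLE_DISCOVERY=$(printf 'Host: %s ()\tStatus: Up\n' 192.168.56.1 192.168.56.20)
SAMPLE_PORTSCAN=$(printf 'Host: 192.168.56.20 (web.lab)\tStatus: Up\nHost: 192.168.56.20 (web.lab)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65531)\n')

if [ -n "${NMAP_STAGED_TARGET:-}" ]; then
    staged_scan "$NMAP_STAGED_TARGET"
else
    printf '%s\n' "$SAMPLE_DISCOVERY" | live_hosts_from_gnmap      # 192.168.56.1 and 192.168.56.20
    printf '%s\n' "$SAMPLE_PORTSCAN" | open_tcp_ports_from_gnmap   # 22,80,443
fi
```

The point of the staging is that the expensive and noisy options (-p-, -sV, -sC) only ever touch addresses and ports that earlier, cheaper stages proved to exist, which keeps total scan time and the footprint in the target's logs down. Redirecting nmap's stdin from /dev/null inside the loop is not cosmetic: nmap polls stdin for its runtime key presses and would otherwise consume the remaining host lines from the pipe.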
NMAP TIMING OPTIONS
Nmap allows for the use of “timing templates”, which allows the user to specify how aggressive they wish to be with their scans, while leaving Nmap to pick the exact timing values. There are 6 timing templates:
1. nmap -T0 <_target>
Description: T0 is the slowest template, also referred to as "Paranoid". Nmap sends one probe at a time and waits five minutes between probes, which is meant to stay under the thresholds of time-based IDS alerts, but it makes scanning more than a handful of ports impractical.
2. nmap -T1 <_target>
Description: T1 ("Sneaky") is faster than T0, waiting 15 seconds between probes, and is the other template aimed at IDS evasion.
3. nmap -T2 <_target>
Description: T2 ("Polite") slows the scan down (about 0.4 seconds between probes) so that it uses less bandwidth and fewer resources on the target machine, which matters on fragile embedded devices.
4. nmap -T3 <_target>
Description: T3 is also known as the default scan timer. Using this template would be the same as not using it at all. This is what Nmap uses by default when there is no template selected.
5. nmap -T4 <_target>
Description: T4 is an option to speed up scans by making the assumption that you are on a reasonably fast and reliable network. This time template is also referred to as the “Aggressive” template.
6. nmap -T5 <_target>
Description: T5 is an insanely fast mode, assuming that you are on an extraordinarily fast network… or if you are willing to sacrifice some accuracy for speed. That is why it is also referred to as the “Insane” mode.
Last but not least, Nmap provides scripts: the Nmap Scripting Engine (NSE) is a library of Lua scripts that run against the hosts and ports a scan finds. Scripts are grouped in categories, and a category name can be used in place of a script name:
• default: the scripts run by -sC or -A; chosen to be fast, reliable and mostly non-intrusive
• discovery: gather more information about the network and its services
• safe: scripts that are unlikely to crash a service or use much bandwidth
• intrusive: the opposite, scripts that may crash a service or be noticed
• auth, brute, vuln, exploit, dos, malware, broadcast, external, fuzzer, version: the remaining categories, named after what they do
We run a script in the following way:
nmap --script <_script/_script_group> <_target>
Several names can be combined with commas, and categories can even be combined as a boolean expression, e.g. --script "default and safe"; script arguments are passed with --script-args. Some scripts are very noisy, some not at all. Therefore, it is important to read what each script does and whether it is easily detectable by the target. Do note that --script itself does not require root: root is needed only when the underlying scan type does (-sS, -sU, -O) or when a script crafts raw packets, so a plain nmap -sT --script default works as an unprivileged user.
EXTRAS & ADDITIONAL RESOURCES
When you are doing a pentest, it is useful to use the -oN option to write the normal (human-readable) output to a text file. This way, you can copy-paste it later into your pentest report. Here is how to do it:
nmap -oN <_filename.txt> <_target>
Nmap also has -oG (grepable output, one line per host) and -oX (XML, the format to use when you plan to parse the results with a tool), and -oA <_basename> writes all three at once as <_basename>.nmap, .gnmap and .xml. You can also combine multiple options in one scan. For example, this is probably the most common scan you will perform: sudo nmap -sS <_target> -oN <_filename.txt>
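Building on the output options above, here is an added example (not from the original article) that turns grepable output (-oG, or the .gnmap file that -oA writes) into CSV rows for a report and diffs the open ports of two scans, which is the "network inventory" use mentioned at the top of the page. The sample scan lines are constructed in the shape Nmap writes; a port entry is laid out as port/state/protocol/owner/service/rpc info/version/ and entries are separated by ", ".

```shell
#!/bin/sh
# Report and inventory helpers for Nmap grepable output (added example, not
# from the original article). Works on -oG output or the .gnmap file from -oA.
# A port entry inside a "Ports:" field is laid out as
#   port/state/protocol/owner/service/rpc info/version/
# and entries are separated by ", ".

# One CSV row per port entry: host,port,proto,state,service,"version"
gnmap_to_csv() {
    awk -F'\t' '/^Host:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            field = $i; sub(/^Ports: /, "", field)
            n = split(field, entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                version = f[7]; gsub(/"/, "\"\"", version)   # CSV-escape quotes
                printf "%s,%s,%s,%s,%s,\"%s\"\n", host, f[1], f[3], f[2], f[5], version
            }
        }
    }' "$@"
}

# Compare the open ports of a baseline scan ($1) with a newer scan ($2):
# "+ host:port/proto" appeared, "- host:port/proto" disappeared.
# Only state "open" counts, so UDP open|filtered guesses do not create noise.
diff_open_ports() {
    {
        gnmap_to_csv "$1" | awk -F, '$4 == "open" { print "base", $1 ":" $2 "/" $3 }'
        gnmap_to_csv "$2" | awk -F, '$4 == "open" { print "new",  $1 ":" $2 "/" $3 }'
    } | awk '{ seen[$2] = seen[$2] $1 }
        END { for (k in seen) { if (seen[k] == "new")  print "+ " k
                                if (seen[k] == "base") print "- " k } }' | LC_ALL=C sort
}

# Constructed samples in the shape of -oG lines (tab-separated fields).
# Baseline: ssh and http open, mysql filtered by a firewall.
SAMPLE_BASE=$(printf 'Host: 192.168.56.20 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65532)\n')
# Later scan: http is gone, mysql is now reachable and a new proxy appeared.
SAMPLE_NEW=$(printf 'Host: 192.168.56.20 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 3306/open/tcp//mysql//MySQL 8.0.36/, 8080/open/tcp//http-proxy//Jetty 9.4.53.v20231009/\tIgnored State: closed (65532)\n')

if [ "$#" -eq 2 ]; then
    diff_open_ports "$1" "$2"          # sh gnmap-report.sh baseline.gnmap today.gnmap
else
    printf '%s\n' "$SAMPLE_NEW" | gnmap_to_csv
fi
```

Run it with two .gnmap files to get the diff, or with no arguments to see the CSV for the sample. Grepable output was designed for grep rather than for parsers: a version string that happened to contain ", " would be split into two entries by this code, and Nmap's own documentation steers tools towards the XML output, so for anything beyond a quick report, parse the -oX file instead.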