
Nmap: The Art and Science of Network Reconnaissance


In the ever-evolving world of cybersecurity, the first step in any successful cyber attack is laying the groundwork: reconnaissance. This initial phase involves gathering intelligence about the target, mapping its defenses, and identifying weaknesses. At the heart of this work lies Nmap, the Swiss Army knife of network scanning, a tool so versatile that both defenders and adversaries keep it in their toolboxes.


In the world of hacking and cybersecurity, Nmap is a double-edged sword, a duality that reflects the constant tug-of-war between those who protect and those who exploit. Let's explore the critical role of reconnaissance as the opening phase of an attack, and how Nmap has become the linchpin in the interplay between offense and defense.


Let's get started! Step one, install Nmap

Nmap is free, available from https://nmap.org/ for multiple operating systems, and comes built in to Kali Linux. I'll be using Kali myself.


Before we explore the interface, let's take a moment to discover why Nmap might be a valuable tool for legitimate use.


Network Inventory: Nmap is an excellent tool for creating a comprehensive inventory of devices on your network, including servers, workstations, and IoT devices.


Security Auditing: It's widely used to assess the security of a network by identifying open ports and vulnerable services.


Penetration Testing: Ethical hackers and security professionals employ Nmap to find vulnerabilities in a network and assess its susceptibility to attacks.


Monitoring and Maintenance: System administrators use Nmap to monitor and maintain their networks, ensuring that only authorized services are running on specific ports.


Firewall Testing: Nmap can be used to test firewall rules and ensure they are correctly configured to filter network traffic.


As previously mentioned, Kali Linux comes with Nmap pre-installed. To explore the wide range of capabilities offered by Nmap, run 'nmap -h' (or 'nmap --help'; running nmap with no arguments prints the same summary) to see the full list of options.









The help output is an excellent entry point to acquaint yourself with the rich array of Nmap features. Now, let's distill these options into the 'top 10' most prevalent and practical ones.


Top 10 most common Nmap commands and their uses.


Target Specification (<target>): This is the IP address or hostname of the system you want to scan. You can specify a single target, several targets separated by spaces, a range such as 192.168.1.1-50, or an entire subnet in CIDR notation such as 192.168.1.0/24.


Port Specification (-p): This option allows you to specify the port or range of ports you want to scan. For example, -p 80 scans only port 80, and -p 1-100 scans ports from 1 to 100.


Scan Type (-sS, -sT, -sU, etc.): These options determine the scan type, such as SYN scan (-sS), TCP connect scan (-sT), UDP scan (-sU), and more. SYN scan needs raw-socket privileges, so it is the default when Nmap runs as root; as an unprivileged user Nmap falls back to a connect scan, which completes the TCP handshake and is therefore more visible in the target's logs.


Output Options (-oN, -oX, -oG, -oA): These options control how the scan results are saved and each takes a filename as its argument. -oN writes the normal human-readable output to a file, -oX writes XML (the best choice for feeding other tools), -oG writes the one-line-per-host "grepable" format, and -oA writes all three at once using the given name as the basename (name.nmap, name.xml, name.gnmap).


Service and Version Detection (-sV): This option enables service and version detection, providing information about the services running on open ports.


Operating System Detection (-O): This option attempts to identify the target system's operating system from characteristics of its TCP/IP responses. Like -sS it needs raw sockets, so run it as root.


Timing Options (-T0 through -T5): Nmap offers timing templates that control the aggressiveness of the scan. -T0 (paranoid) is the slowest and stealthiest, -T3 (normal) is the default, and -T5 (insane) is the fastest but can miss ports on slow or rate-limited networks.


NSE Scripts (--script): The Nmap Scripting Engine (NSE) allows you to run custom scripts to perform various tasks during the scan, like vulnerability detection or service enumeration.


Verbose Output (-v, -vv, -vvv): These options control the level of verbosity in the scan output. Increasing verbosity provides more detailed information about the scan process.


Exclude Hosts (--exclude): You can exclude specific hosts or IP addresses from the scan by using the --exclude option, followed by the IP addresses or hostnames you want to skip.



Target Recon


Disclaimer: ONLY SCAN ENVIRONMENTS YOU ARE AUTHORIZED TO SCAN (i.e. your own, or one you have written consent to scan).


Nmap also provides a host that anyone is allowed to scan: scanme.nmap.org. They ask that it be used sparingly, so a handful of scans to learn the tool is fine, but do not hammer it and do not practice DoS or DDoS against it.
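To put the authorization rule and the options above into practice, here is an added Python example (not part of this article or of the Nmap project) that refuses to build an nmap command line for any target outside an allowlist of authorized ranges. The allowlist, the lab subnet 192.168.56.0/24 and the function names are assumptions for illustration; the only real entry is scanme.nmap.org's address used in this article.

```python
"""Build an nmap command line only for targets inside an authorized scope.

Added example for this article; not code from Nmap. The allowlist and the
lab subnet below are constructed for illustration.
"""
import ipaddress
import re
import shutil
import subprocess

# Ranges you hold written authorization to scan (assumed; edit for your engagement).
# scanme.nmap.org's address (45.33.32.156) is included because Nmap invites light scanning of it.
AUTHORIZED_SCOPES = [
    ipaddress.ip_network("45.33.32.156/32"),
    ipaddress.ip_network("192.168.56.0/24"),   # a lab subnet, assumed
]

# Subset of nmap -p syntax: comma-separated ports and lo-hi ranges, e.g. "22,80,1-1024"
PORT_SPEC = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")


class OutOfScope(ValueError):
    """Raised when a target is not covered by any authorized range."""


def in_scope(target, scopes=AUTHORIZED_SCOPES):
    """True if every address in target (an IP or a CIDR block) lies in an authorized range.

    Hostnames are rejected on purpose: resolve them first (nslookup/dig) and pass
    the IP, otherwise a name that resolves somewhere unexpected would slip past
    the check. Nmap would happily resolve it for you, which is exactly the risk.
    """
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(scope) for scope in scopes if scope.version == net.version)


def valid_ports(spec):
    """Check a -p argument: well-formed, every port 0-65535, every range low<=high."""
    if not PORT_SPEC.match(spec):
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 0 <= low <= high <= 65535:
            return False
    return True


def build_scan(targets, ports=None, fast=False, version=False, os_detect=False,
               timing=None, scripts=(), exclude=(), verbose=0, out_basename=None):
    """Assemble argv for nmap from the options discussed above, refusing out-of-scope targets."""
    for t in targets:
        if not in_scope(t):
            raise OutOfScope(f"{t} is outside the authorized scope; refusing to scan it")
    if ports and fast:
        # nmap itself rejects this combination ("You cannot use -F (fast scan) with -p").
        raise ValueError("-p and -F cannot be combined")
    if ports is not None and not valid_ports(ports):
        raise ValueError(f"bad port specification: {ports!r}")
    if timing is not None and timing not in range(6):
        raise ValueError("timing template must be 0-5")

    argv = ["nmap"]
    if ports:
        argv += ["-p", ports]
    if fast:
        argv.append("-F")
    if version:
        argv.append("-sV")
    if os_detect:            # -O needs root (raw sockets), like -sS
        argv.append("-O")
    if timing is not None:
        argv.append(f"-T{timing}")
    if scripts:
        argv += ["--script", ",".join(scripts)]
    if exclude:
        argv += ["--exclude", ",".join(exclude)]
    if verbose:
        argv.append("-" + "v" * min(verbose, 3))
    if out_basename:         # -oA writes .nmap, .xml and .gnmap with this basename
        argv += ["-oA", out_basename]
    argv += list(targets)
    return argv


def run_scan(argv):
    """Execute the assembled command and return nmap's normal output."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap is not installed or not on PATH")
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    cmd = build_scan(["45.33.32.156"], ports="22,80,9929", version=True,
                     verbose=1, out_basename="scanme")
    print(" ".join(cmd))
    try:
        build_scan(["8.8.8.8"])
    except OutOfScope as err:
        print("blocked:", err)
```

The scope check deliberately works on addresses, not names: a hostname is resolved by Nmap at scan time, so the only way to be sure you are scanning what you were authorized to scan is to resolve it yourself (as the nslookup step below does) and allowlist the resulting IP.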


Get the IP

To get the IP of scanme.nmap.org we are going to use nslookup. nslookup is separate from Nmap and ships with Windows and with Kali (on other Linux distributions it comes in the dnsutils or bind-utils package), so there is no need to go hunting for it.



Here you can see the command and results. The IP address for scanme.nmap.org is 45.33.32.156. This also works in reverse: running nslookup 45.33.32.156 performs a reverse (PTR) lookup, and the output will correspond with what we already know.



Helpful tip: To save your results to a file, type your command followed by >> and the filename you want. It will be saved in the directory you are currently working from. Example: nslookup 45.33.32.156 >> sample.txt. Note that >> appends to the file if it already exists, while a single > overwrites it.


Let's get to scanning!

By default Nmap scans the 1,000 most common TCP ports. This is what a simple scan looks like with no options at all:

The output shows that 997 of the 1,000 ports scanned were closed, while 3 were open: ports 22, 80 and 9929. The scan took 17.14 seconds, which doesn't seem long, but this was a single target; the more targets we add, the longer it takes. Narrowing the scan with options lets us spend that time where it matters.


Simple scan parameters to get started...


Scan specific port use -p argument

Example: nmap 45.33.32.156 -p 22

will scan 45.33.32.156 port 22.


Scan only the 100 most common ports (instead of 1,000) using -F

Example: nmap -F 45.33.32.156


Scan only open ports --open Example: nmap --open 45.33.32.156


Start here and explore the other capabilities from the nmap -h list or the top 10 list above.


Tip: Always save the outputs to your scans. Scans can take hours and a simple mistake like closing the terminal with unsaved data means you're out of luck and will have to rescan.


Example: nmap -v -sV -oG /home/username/Desktop/Results 45.33.32.156

break it down...

nmap: the command

-v: verbose output, so progress and extra detail are shown while the scan runs

-sV: version detection; it sends additional probes to every open port, so it takes longer and is noisier on the wire

-oG /home/username/Desktop/Results: write grepable output to that path. -oG takes the filename as its argument, so the path has to follow it directly; if an IP address were placed there instead, Nmap would treat it as the filename.

45.33.32.156: the target

If you prefer shell redirection, the special filename - sends the output to stdout, so nmap -v -sV -oG - 45.33.32.156 > /home/username/Desktop/Results is equivalent. Remember that > overwrites the file and >> appends to it.
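Saving the grepable output is only half the job; the real payoff is comparing scans over time, which is what the Network Inventory and Monitoring use cases listed earlier come down to. Below is an added Python example (not from this article or from Nmap) that parses -oG files and reports ports that opened or stopped being open between a baseline and a later scan. The two scan texts are constructed samples in the -oG layout; the version strings and the 192.168.56.20 host are made up for illustration.

```python
"""Parse nmap grepable (-oG) output and diff two scans. Added example; not Nmap code."""
import re

# Constructed samples in -oG layout (tab-separated fields after the "Host:" field).
BASELINE = """# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG baseline.gnmap 45.33.32.156
Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up
Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh//OpenSSH (example)/, 80/open/tcp//http//Apache httpd (example)/, 9929/open/tcp//nping-echo//Nping echo/\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:00:17 2024 -- 1 IP address (1 host up) scanned in 17.14 seconds
"""

CURRENT = """# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -sV -oG current.gnmap 45.33.32.156 192.168.56.20
Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh//OpenSSH (example)/, 80/filtered/tcp//http///, 8080/open/tcp//http-proxy///, 9929/open/tcp//nping-echo//Nping echo/\tIgnored State: closed (996)
Host: 192.168.56.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done at Tue Jan  2 10:00:40 2024 -- 2 IP addresses (2 hosts up) scanned in 40.02 seconds
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service)}} for every Host: line.

    Each port entry is port/state/proto/owner/service/rpc/version/ and entries
    are separated by ", "; comment lines (#) and Status-only lines add no ports.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, rest = m.group(1), m.group(3)
        ports = hosts.setdefault(ip, {})
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                ports[(int(parts[0]), parts[2])] = (parts[1], parts[4])
    return hosts


def open_ports(scan):
    """Reduce a parsed scan to {ip: set of (port, proto)} that were open."""
    return {ip: {k for k, (state, _) in ports.items() if state == "open"}
            for ip, ports in scan.items()}


def diff_scans(baseline, current):
    """Report, per host, ports newly open and ports no longer open since the baseline.

    A port that went from open to filtered/closed (or a host that vanished)
    lands in no_longer_open; a brand-new host shows every open port as new.
    """
    before, after = open_ports(baseline), open_ports(current)
    report = {}
    for ip in sorted(set(before) | set(after)):
        new = after.get(ip, set()) - before.get(ip, set())
        gone = before.get(ip, set()) - after.get(ip, set())
        if new or gone:
            report[ip] = {"new_open": sorted(new), "no_longer_open": sorted(gone)}
    return report


if __name__ == "__main__":
    for ip, changes in diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT)).items():
        print(ip)
        for port, proto in changes["new_open"]:
            print(f"  NEW OPEN   {port}/{proto}")
        for port, proto in changes["no_longer_open"]:
            print(f"  NOT OPEN   {port}/{proto}")
```

Run this against yesterday's and today's .gnmap files and anything under new_open is a service that nobody approved (or an attacker's foothold), while no_longer_open is a service that died or a firewall rule that changed. For anything beyond quick scripts, parse the XML (-oX) output instead; the grepable format is convenient for awk and grep but is not the format Nmap recommends for automation.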


In addition to the standalone options listed under nmap -h, you can also use NSE.


NSE (Nmap Scripting Engine): This is the scripting engine built into Nmap. Scripts are written in Lua and cover network discovery, service enumeration, vulnerability detection and more. Several hundred scripts ship with Nmap (on Kali they live under /usr/share/nmap/scripts) and are grouped into categories such as default, safe, discovery, vuln and intrusive; nmap -sC runs the default category and nmap --script-help <name> prints what a script does. Others can be downloaded from third-party sources, but read any script before running it, since it executes with the privileges of your nmap process and may send intrusive traffic to the target.


Example using NSE

The earlier scan showed scanme's web server on port 80, so that is the port to point an http-* script at:

nmap -p 80 -sV 45.33.32.156 --script http-security-headers -oA target-host-secheaders

Break it down...

nmap -p 80: scan only port 80

-sV: version detection; confirming that the port really speaks HTTP is what lets NSE match the http-* script to it

45.33.32.156: the target

--script http-security-headers: the NSE script, which requests a page and reports which HTTP security headers the server sets

-oA: save the output in all three formats

target-host-secheaders: the basename for the saved output (target-host-secheaders.nmap, .xml and .gnmap)


 

Nmap is a powerful, versatile, and essential tool for network administrators, security professionals, and ethical hackers. Its capabilities in host discovery, port scanning, service detection, and more make it a valuable asset in assessing and safeguarding network security. However, always use Nmap responsibly and within the bounds of the law and ethical considerations. When used with care, Nmap can help you uncover and address vulnerabilities, ensuring the security and reliability of your network.














