
NMAP

What is nmap?

Nmap (Network Mapper) is a free, open-source tool for discovering hosts and services on a network. It sends crafted packets to a target and interprets the responses to tell us which hosts are up, which ports are open, and often which services and operating systems are running.

We will cover the basic types of scans and the switches associated with this tool.

We are using a Kali Linux virtual machine and running nmap as root in the terminal. Let's start by running nmap with no arguments to see what possibilities we have.

Running nmap on its own prints a long usage summary (and a lot more than we can cover here). The terminal displays the program's options grouped into the following categories:

-Target specification

-Host discovery

-Scan techniques

-Port specification and scan order

-Service and version detection

-Script scanning

-OS detection

-Timing and performance

-Firewall/IDS evasion and spoofing

-Output options

-Miscellaneous information

Nmap is extremely important and used on a day-to-day basis by any penetration tester, cybersecurity professional or network administrator, and by anyone troubleshooting connection issues.

If we are scanning a network we own or are on friendly terms with, and do not have to worry about remaining stealthy or evading firewalls and detection, a plain nmap command will do just fine. Remember, though, that against a monitored target a default nmap scan is noisy and will very likely trigger alerts.

So we run a plain scan, nmap 10.10.224.0, with no switches. In the output:

-we can see the IP address that was scanned

-and the time and date the scan was conducted

-we see that the host is up

-followed by a count of the ports nmap scanned but is not listing, because they were all in the same state (by default nmap probes the 1000 most common TCP ports)

-with this scan result, we can see that ports 21, 53, 80, 135, and 3389 are open

-and the target's MAC address is also displayed

This is tremendously useful, not only on the offensive side but on the defensive side too. If a network administrator is configuring a network or modifying firewalls, a quick scan like this is a troubleshooting technique that will save a lot of time.

Let's go into switches!

Switches are the options we give nmap to control what the scan does. We can use just one, or many at once.

When we type all this into a terminal, it looks like this...

The nmap command is followed by the switches, then (in this case) a port specification, and lastly the target: nmap [switches] -p [port] [target].

Let's look at some important switches. Again, the full list can be seen by typing nmap with no arguments (or nmap -h) in the terminal.

-sS a SYN (half-open) scan

-sU a UDP scan

-O OS detection: nmap fingerprints the target's TCP/IP stack to guess its operating system

-sV service and version detection: nmap talks to each open port to identify the service and its version

-v verbosity. This controls how much detail nmap prints about its progress, not how thoroughly it scans. For even more output use -vv, verbosity doubled!


If we want to change the speed of the nmap scan, we use a timing template. It looks like this:

-T(number), from -T0 (paranoid) to -T5 (insane); the default is -T3. Higher numbers are faster, so -T5 is faster than -T3, not slower. The faster we scan, the more noise we make: it is more likely to trip alerts on the target, and at -T5 nmap can give up on probes too early and miss responses, producing inaccurate results.

If we want to run a scan on a specific port we indicate this with -p(number), for example -p 80 (a range like -p 1-1024 or a list like -p 21,80,443 also works).

Since the previous scan showed that port 80 was open, we can follow up with a command that looks like this:

The command runs an aggressive scan (-A, which turns on OS detection, version detection, default scripts and traceroute) against our target, together with a SYN or "stealth" scan (-sS, more on that later) to help keep a lower profile, OS detection (-O, which -A already includes) and a scan of port 80 only (-p 80): nmap -A -sS -O -p 80 10.10.224.0.

Our results show that the host is up.

Port 80 is open and serving HTTP on a Microsoft server.

The MAC address is listed again, and the OS detection I attempted came back as Microsoft Windows XP, service pack SP3.

We also see information about what is running on the server: an AVTECH Room Alert 26W environmental monitor, the kind of equipment found in the room where servers are hosted. Interesting...

We also get a traceroute with a single hop back to an IP address. Because we are on a Kali machine connected to TryHackMe over a VPN, that one hop is the VPN gateway.

That was just a simple exercise to see how we add switches to a scan. Let's go into the 3 major scan types.


We have TCP connect scans, used with the switch -sT

We have SYN or half-open scans, used with the switch -sS

We have UDP scans, used with the switch -sU


-sT

When we are using a TCP connect scan it's very important to note that this involves the full three-way handshake mentioned in previous articles.

With this type of scan, nmap asks the operating system to connect() to each TCP port, completes the handshake where it can, and reports back which services are open. Because the connection fully completes, the service on the other end sees it and may log it. It needs no special privileges, which is why nmap falls back to it when not run as root.

It's like reaching your hand out to shake hands with a stranger and either receiving a handshake in return or not.

If the port is closed, the target answers our SYN with a TCP packet carrying the reset (RST) flag. This tells nmap the port is closed, and it is still useful: a RST proves the host is reachable and that nothing is filtering that port.

If the port is open, we get a SYN/ACK back, the OS finishes the handshake with an ACK, and nmap marks the port open.

-sU

Next are UDP scans. Remember, TCP is connection-oriented and UDP is connectionless, so there is no handshake to observe. Nmap sends a UDP datagram to each port (empty, or with a protocol-specific payload for well-known ports such as 53) and does not necessarily expect a reply. If the port answers with a UDP packet it is marked open; if the host answers with an ICMP port unreachable error it is marked closed; if some other ICMP unreachable error comes back, a firewall is rejecting the probe and the port is marked filtered; and if nothing comes back at all nmap reports open|filtered, because it cannot tell an open service that ignores the datagram from a firewall that silently dropped it. Think of walking into a grocery store and yelling "hello, firewall!": silence means either nobody is there or someone is ignoring you, so treat it with suspicion and pick your way to the coffee aisle carefully :)

Below, you will see an example of the ports being filtered.

By default nmap probes the 1000 most common ports on each target and relays the results back to us. A UDP scan over that many ports can take a very long time (silent ports are retried, and many hosts rate-limit ICMP errors). If we only want to scan a certain number of ports we can, with --top-ports (number).

--top-ports 20 runs the scan against the 20 most commonly used ports. Here's an example.

If a firewall protects the target's ports, it simply drops (or rejects) our incoming probes, so nmap never learns whether anything is listening. This is what we call a filtered port.

-sS


SYN scans are also used to scan TCP ports. SYN scans are also known as half-open or "stealth" scans. Nmap needs raw-socket privileges to craft the packets, which is why it uses -sS by default when run as root and falls back to -sT otherwise. During a penetration test they are quieter than connect scans, although "stealth" is relative: a packet-level IDS still sees every SYN.

Why quieter? Because the connection is never completed, the service behind the port never accepts it and so never logs it, and any detection that relies on completed connections (application or connection logs) misses it entirely.

For example, we send a SYN packet to the target.

The target responds with a SYN/ACK.

Instead of completing the handshake with an ACK, nmap answers with a RST, so the connection is never established. Meanwhile nmap has quietly recorded that the port is open. A RST in reply to our SYN means closed, and no reply at all (after retransmission) means filtered.
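The three exchanges above (connect, SYN and UDP) can be modelled to make the port-state rules concrete. The following is an added example, not code from the original article or from nmap itself: the target is a constructed in-memory model of how a host and its firewall answer probes (the port behaviours in TARGET are assumptions), nothing is sent on the wire, and the log shows each side's messages so the difference between a completed handshake and a half-open scan is visible.

```python
"""Simulate how nmap classifies port states for -sT, -sS and -sU probes.

Added example: the "target" is a constructed model, not a real host.
"""

# Constructed target model: how each port behaves when probed (assumption).
#   "listening"  - a service is bound to the port and accepts connections
#   "responsive" - a UDP service that answers nmap's payload (e.g. a DNS query)
#   "closed"     - nothing listening; the OS answers with RST or ICMP port unreachable
#   "firewalled" - a packet filter silently drops the probe
#   "rejected"   - a packet filter answers with ICMP "administratively prohibited"
TARGET = {
    ("tcp", 80): "listening",
    ("tcp", 22): "closed",
    ("tcp", 445): "firewalled",
    ("tcp", 3389): "rejected",
    ("udp", 53): "responsive",
    ("udp", 161): "listening",
    ("udp", 123): "closed",
    ("udp", 137): "firewalled",
    ("udp", 69): "rejected",
}

RETRIES = 2  # nmap retransmits a probe before calling a silent port filtered


def target_reply(proto, port):
    """Return the target's answer to one probe, or None if it stays silent."""
    behaviour = TARGET.get((proto, port), "closed")
    if proto == "tcp":  # the probe is a SYN
        return {"listening": "SYN/ACK", "closed": "RST",
                "firewalled": None, "rejected": "ICMP 3/13"}[behaviour]
    # UDP probe: most services ignore an unexpected datagram, so "listening"
    # looks exactly like a silent firewall unless the service answers.
    return {"responsive": "UDP reply", "listening": None, "closed": "ICMP 3/3",
            "firewalled": None, "rejected": "ICMP 3/13"}[behaviour]


def probe(proto, port, probe_name):
    """Send a probe up to RETRIES times; return (reply, exchange log)."""
    log, reply = [], None
    for _ in range(RETRIES):
        log.append(("scanner", probe_name))
        reply = target_reply(proto, port)
        if reply is not None:
            log.append(("target", reply))
            break
    return reply, log


def tcp_scan(port, half_open):
    """Classify a TCP port as nmap does for -sS (half_open=True) or -sT (False)."""
    reply, log = probe("tcp", port, "SYN")
    if reply == "SYN/ACK":
        if half_open:
            # -sS: answer with RST so the handshake never completes and the
            # application behind the port never sees a connection.
            log.append(("scanner", "RST"))
        else:
            # -sT: the OS completes the handshake, the service's accept()
            # returns (and may log us), then nmap closes the connection.
            log.append(("scanner", "ACK"))
            log.append(("scanner", "close (FIN or RST)"))
        return "open", log
    if reply == "RST":
        return "closed", log  # reachable and unfiltered, nothing listening
    return "filtered", log    # silence or an ICMP error: a filter is in the way


def udp_scan(port):
    """Classify a UDP port as nmap does for -sU."""
    reply, log = probe("udp", port, "UDP datagram")
    if reply == "UDP reply":
        return "open", log
    if reply == "ICMP 3/3":
        return "closed", log      # ICMP port unreachable: nothing bound
    if reply is not None:
        return "filtered", log    # other ICMP unreachable: a filter answered
    return "open|filtered", log   # silence: open-and-ignoring or dropped


if __name__ == "__main__":
    for port in (80, 22, 445, 3389):
        for half_open in (True, False):
            state, log = tcp_scan(port, half_open)
            print(f"tcp/{port} {'-sS' if half_open else '-sT'}: {state} via {log}")
    for port in (53, 161, 123, 137, 69):
        state, log = udp_scan(port)
        print(f"udp/{port} -sU: {state} via {log}")
```

Running it shows that both scan types agree on open, closed and filtered, but only the -sT log ever contains an ACK, which is exactly the packet that lets the listening service (and its logs) see the connection. It also shows why a silent UDP port can only be reported as open|filtered.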

As you can see, the scan ran against the top 20 ports. What do we get back? Mostly filtered ports. That does not mean they are open but protected: filtered means nmap received no answer (or an ICMP error) for those probes, so a firewall or filter is blocking them and their real state is unknown. Port 53 did answer with a SYN/ACK, so it is open: a plain domain (DNS) service.
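Reading these results off a screenshot is fine for one host, but on a real engagement the scan is saved with -oG (greppable output) and post-processed. The following is an added example, not code from the original article or from nmap: the two reports are constructed samples in the -oG format, written to match the results described in this article (the plain scan that found 21, 53, 80, 135 and 3389 open, and the --top-ports 20 SYN scan where only 53 answered and the rest were filtered); nmap is not invoked, and the version numbers and timestamps in the header lines are assumptions.

```python
"""Parse nmap's greppable output (-oG) and summarise port states.

Added example; the two scan reports are constructed samples, not real output.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: what "nmap -oG - 10.10.224.0" would look like (assumed).
PLAIN_SCAN = (
    "# Nmap 7.93 scan initiated as: nmap -oG - 10.10.224.0\n"
    "Host: 10.10.224.0 ()\tStatus: Up\n"
    "Host: 10.10.224.0 ()\tPorts: 21/open/tcp//ftp///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (995)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Constructed sample: "nmap -sS --top-ports 20 -oG - 10.10.224.0" (assumed).
TOP20_SYN_SCAN = (
    "# Nmap 7.93 scan initiated as: nmap -sS --top-ports 20 -oG - 10.10.224.0\n"
    "Host: 10.10.224.0 ()\tStatus: Up\n"
    "Host: 10.10.224.0 ()\tPorts: 53/open/tcp//domain///\tIgnored State: filtered (19)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass
class HostResult:
    addr: str
    status: str = ""
    # (port, state, protocol, service, version) for every port nmap listed
    ports: list = field(default_factory=list)
    # The state nmap collapsed into "Not shown: N <state> ports", and its count
    ignored_state: str = ""
    ignored_count: int = 0


_IGNORED = re.compile(r"^(\S+) \((\d+)\)$")


def parse_grepable(text):
    """Return {address: HostResult} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." header and footer lines
        sections = line.split("\t")  # -oG separates Status/Ports/Ignored State with tabs
        addr = sections[0].split()[1]
        host = hosts.setdefault(addr, HostResult(addr))
        for section in sections[1:]:
            key, _, value = section.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # Fields: port/state/protocol/owner/service/rpcinfo/version/
                    # nmap rewrites "/" inside version strings as "|", so a
                    # plain split is safe.
                    f = entry.split("/")
                    host.ports.append((int(f[0]), f[1], f[2], f[4], f[6]))
            elif key == "Ignored State":
                m = _IGNORED.match(value)
                if m:
                    host.ignored_state = m.group(1)
                    host.ignored_count = int(m.group(2))
    return hosts


def open_ports(host, proto="tcp"):
    """Ports nmap reported as open (open|filtered is deliberately excluded)."""
    return sorted(p for p, state, pr, _, _ in host.ports if state == "open" and pr == proto)


def state_counts(host):
    """Count of every port state, including the ones nmap did not list."""
    counts = Counter(state for _, state, _, _, _ in host.ports)
    if host.ignored_state:
        counts[host.ignored_state] += host.ignored_count
    return dict(counts)


if __name__ == "__main__":
    for sample in (PLAIN_SCAN, TOP20_SYN_SCAN):
        for host in parse_grepable(sample).values():
            print(host.addr, host.status, "open:", open_ports(host), state_counts(host))
```

The state_counts function is the one to look at for the filtered question: nmap does not list the 19 filtered ports individually, it folds them into the "Ignored State" field, so a parser that only reads the Ports section would wrongly conclude the host has a single port and no firewall.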