Scanning a Network with Nmap
Nmap is a great tool to learn, the application have the ability to scan and map networks and much more, it is a great tool for everybody that works in IT, it is the first tool i use when i want troubleshot. We can do regular ping or a ping sweeps that scans a range of the subnet or the whole subnet, the application also offers host discovery, port discovery, operating system version discovery, MAC address, services, exploit and vulnerability detection.
Another great tool to use while learning nmap is Wireshark, It is highly recommended to run wireshark wile using nmap , following the flow of network traffic will help you analyse and visuals the scans.
We will try some of the popular scanning method that can be used with nmap. This guide is just meant to give you high level understanding on how to use the different scanning techniques. Please don’t scan networks or host you are not authorized to do. The networks and hosts scanned in the guide is my home lab.
If you want a more in-depth explanation on how you can use nmap and the switches, i recommend that you read “The Official Nmap Project Guide to Network Discovery and Security Scanning”.
Save Output To Txt/Xml File
| Description | Command | Example |
|---|---|---|
| Save output to file | nmap -oN [file.txt] [Target] | nmap -oN file.txt 192.168.100.11 |
| Save output as XML | nmap -oX [file.xml] [Target] | nmap -oX file.xml192.168.100.11 |
| Save in all formats | nmap -oA [file] [Target] | nmap -oA file 192.168.100.11 |
Basic Scanning
| Description | Command | Example |
|---|---|---|
| Scan a single host | nmap [Target] | nmap 192.168.100.100 |
| Scan multiple targets | nmap [Target1, Target2] | nmap 192.168.100.10,192.168.100.100 |
| Scan a range of IP address | nmap [IP Range] | nmap 192.168.100.10-99 |
| Scan a Class C subnet | nmap [IP/CDIR] | nmap 192.168.100.0/24 |
| Resolve FQDN | nmap [FQDN] | nmap www.eaxmple.com |
Quick Scans
| Description | Command | Example |
|---|---|---|
| Ping scan | nmap -sP [Target] | nmap -sP 192.168.100.11 |
| Ping Scan – disable port scanining | nmap -sn [Target] | nmap -sn 192.168.100.0/24 |
The -sP switch can be used when you want to make a quick ping, the host or hosts will replay to ICMP ping packets.
nmap -sP 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:05 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0010s latency). Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds
The -sn switch is used to to sweep a network without doing any port scans.
nmap -sn 192.168.100.0/24 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-02 00:02 W. Europe Daylight Time Nmap scan report for 192.168.100.1 Host is up (0.0010s latency). Nmap scan report for srv1.online-it.nu (192.168.100.11) Host is up (0.0020s latency). Nmap scan report for 192.168.100.13 Host is up (0.0010s latency). Nmap scan report for srv7.home.local (192.168.100.17) Host is up (0.0011s latency). Nmap scan report for 192.168.100.100 Host is up (0.0013s latency). Nmap done: 256 IP addresses (5 hosts up) scanned in 10.82 seconds
Banner Grabbing & Service Detection
| Description | Command | Example |
|---|---|---|
| Detect OS | nmap -O [Target] | nmap -O 192.168.100.11 |
| Detect OS & Services | nmap -A [Target] | nmap -A 192.168.100.11 |
| Detect Services | nmap -sV [Target] | nmap -sV 192.168.100.11 |
The -O switch scans for operating system details. This type of scan can be used to identify the operating system of the scanned host and the services the host is running.
nmap -O 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:12 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.00032s latency). Not shown: 988 closed ports PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server Device type: general purpose Running: Microsoft Windows 2016 OS CPE: cpe:/o:microsoft:windows_server_2016 OS details: Microsoft Windows Server 2016 build 10586 - 14393 Network Distance: 2 hops OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds
Port Scans Types
| Description | Command | Example |
|---|---|---|
| Scan a single Port | nmap -p [Port] [Target] | nmap -p 80 192.168.100.11 |
| Scan a range of ports | nmap -p [Port-Port] [Target] | nmap -p 20-99 192.168.100.11 |
| Scan the first 100 ports | nmap -F [Port] [Target] | nmap -F 192.168.100.11 |
| Scan using TCP Handshake | nmap -sT [Target] | nmap -sT 192.168.100.11 |
| Scan using TCP SYN (Stealth) | nmap -sS [Target] | nmap -sS 192.168.100.11 |
| Scan UDP port | nmap -sU [Target] | nmap -sU 192.168.100.11 |
The -sT switch creates a full TCP handshake with the target. This is considered more accurate than SYN scan but is slower and can be easy detected by firewalls and IDS.
nmap -sT 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:18 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (1.0s latency). Not shown: 986 closed ports PORT STATE SERVICE 25/tcp filtered smtp 53/tcp open domain 88/tcp open kerberos-sec 110/tcp filtered pop3 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server Nmap done: 1 IP address (1 host up) scanned in 219.83 seconds
Analysing the scan in wireshark we can see that the open port is responding to the handshake.
If the port is closed on the host, then the target host will respond with a RST+ACK packets.
The -sS switch sends only a TCP SYN packet and waits for a TCP ACK. If it receives an ACK on the specific probed port then it response with a RST packet, in this way the scan can be undetected by the firewall. If the scanned port is closed on the target host, then target will only respond with a RST packet.
nmap -sS 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:24 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0013s latency). Not shown: 988 closed ports PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds
Analysing the packets in wireshark we can see that we first send a SYN packet to the scanned port on the target host, if it port is opened the target will response wit a SYN+ACK packet and we respond back with a RST packet.
If the port is closed on the scanned target the we will get a RST+ACK back.
The -sU switch will scan after UDP ports, UDP is a connectionless protocol, UDP packets dose not have any ACK flag set, the UDP protocol don’t require the reviser to confirm that he revised a UDP packet.
If the there is a firewall enabled on the host or on the network you will get a response back “open|filtered ports” and a list of ports that are blocked by the firewall.
nmap -sU 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:58 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0016s latency). Not shown: 997 open|filtered ports PORT STATE SERVICE 53/udp open domain 123/udp open ntp 389/udp open ldap Nmap done: 1 IP address (1 host up) scanned in 17.27 seconds
If the firewall is disabled then they will be no response back.
Inverse Scans
| Description | Command | Example |
|---|---|---|
| Xmas scan | nmap -sX [Target] | nmap -sX 192.168.100.11 |
| FIN scan | nmap -sF [Target] | nmap -sF 192.168.100.11 |
| TCP Null scan | nmap -sN [Target] | nmap -sN 192.168.100.11 |
| ACK scan | nmap -sA [Target] | nmap -sA 192.168.100.11 |
The -sX switch is called a Xmas Scan, when you scan a network or a target host with Xmax scan, the xmas scan sends a packet that contains multiple flags, the packet contains the URG, PSH & FIN flags. If the host have closed ports, it will respond with a single RST packet. If the ports are open on the host, then the host will respond as an open ports. Modern operating systems, firewalls and IDS drops this kind of packets if they are properly configured.
We will run the xmax scan against a windows server with firewall enabled.
nmap -sX 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:07 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0010s latency). All 1000 scanned ports on 192.168.100.11 are open|filtered Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds
Observe the line “All 1000 scanned ports on 192.168.100.11 are open|filtered” the output is showing that all scanned ports are “open|filtered”. This means that the firewall are enabled on the target host.
Lets try the same scan but this time we will disable the firewall on our target host.
nmap -sX 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:13 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0012s latency). All 1000 scanned ports on 192.168.100.11 are closed Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
Now we get “All 1000 scanned ports on 192.168.100.11 are closed” this indicates that the firewall disabled.
The -sF switch scans the the host with a FIN scan, a FIN scan sends a packet with only the FIN flag set, this allows the packet to pass the firewall. If the port is open you will not get any respond, if the port is closed the target will respond with a RST packet.
If the firewall is enabled on the target the output will have a “open|filtered” response.
nmap -sF 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:51 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0010s latency). All 1000 scanned ports on 192.168.100.11 are open|filtered Nmap done: 1 IP address (1 host up) scanned in 27.19 seconds
If the firewall is disabled on the target the output will have a “are closed” response.
nmap -sF 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 18:06 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0019s latency). All 1000 scanned ports on 192.168.100.11 are closed Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds
The -sN switch will scan the target with a NULL scan, the scan sends a packet without any flags set. if the NULL packet is sent to an open port, the will be no response back. If the NULL packet is sent to a close port, it will respond with a RST packet. This type of scan is easy to detect due that there are no reason to send a TCP packet without a flag.
When using the NULL scan the target will respond similar to the FIN and Xmaz scans.
The -sA switch send a packet with the ACK flag set when scanning a host, when the target receive the ACK packet it will replay with a RST packet. if the port is closed and the firewall is enabled the firewall will block the target host response and there will be no response back.
Observe the output in namp when the firewall is enabled.
nmap -sA 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:36 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0010s latency). All 1000 scanned ports on 192.168.100.11 are filtered Nmap done: 1 IP address (1 host up) scanned in 27.58 seconds
If the firewall is enabled the “All 1000 scanned ports on 192.168.100.11 are filtered” line will comeback with the “filtered” value. The “filtered” response shows that a firewall is enabled in the system.
Running the same command against a target with a disabled firewall, the output will have a different value.
nmap -sA 192.168.100.11 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:39 W. Europe Daylight Time Nmap scan report for 192.168.100.11 Host is up (0.0013s latency). All 1000 scanned ports on 192.168.100.11 are unfiltered Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
The response back on the “All 1000 scanned ports on 192.168.100.11 are unfiltered” is coming back with the “unfiltered” value. The response back means that there are no firewall enabled on the target.
Firewall Evasion
| Description | Command |
|---|---|
| Idle zombie scan | nmap -sI [zombie] [target] |
| Use a decoy | nmap -D RND: [number] [target] |
| Fragment packets | nmap -f [target] |
| Specify MTU | nmap –mtu [MTU] [target] |
| Randomize scan order | nmap –randomize-hosts [target] |
| Send bad checksums | nmap –badsum [target] |
| Specify source port | nmap –source-port [port] [target] |
| Spoof MAC Address | nmap –spoof-mac [MAC|0|vendor] [target] |
The -sI is called a Idle scan or a zombie scan is a stealth technique, when using the a zombie scan packets revised on the scanned host cant be traced back the sender, all network traffic to the target host are going trough a second host on the network called “zombie”.
“This scan type works by exploiting “predictable IP fragmentation ID” sequence generation on the zombie host, to determine open ports on the target. The scan checks the IPID on the zombie, then spoofs a connection request to the target machine, making it appear to come from the zombie. If the target port is open, a SYN/ACK session acknowledgement will be sent from the target machine back to the zombie, which will RST the connection since it has no record of having opened such a connection. If the port on the target is closed, an RST will be sent to the zombie, and no further packets will be sent. The attacker then checks the IPID on the zombie again. If it has incremented by 2 (or changed by two steps in its sequence), this corresponds to the packet received from the target, plus the RST from the zombie, which equates to an open port on the target. If the IPID has changed by one step, an RST was received from the target and no further packets were sent”
For a more detail explanation on how the idle scan work i recommend to read the official nmap documentation at https://nmap.org/book/idlescan.html
The -f switch is used to fragment probes into 8-byte packets, the scan will split the TCP header up to several packet, it is a very effective way to hide thee and make it harder for intrusion detection systems to the detect the scans.
The -D switch is used to hide port scans by using one or more decoys IP address,the network traffic on the scanned host will appear coming from the decoys IP address.
The –source-port switch is used to manually specify the source port number of a probe.
The –-randomize-hosts switch is used to randomize the scanning order of the specified ping sweap or a range scan.
Script Engines
| Description | Command |
|---|---|
| Run script | nmap –script [script.nse] [target] |
| Run scripts | nmap –script [expression] [target |
| Run scripts by category | nmap –script [cat] [target] |
| Run multiple scripts categories | nmap –script [cat1,cat2,cat3] [target] |
| Update script database | nmap –script-updatedb |
| Script categories | all |
| discovery | |
| default | |
| auth | |
| external | |
| malware | |
| vuln | |
| intrusive | |
| safe | |
Useful scans
Find Information about IP address
nmap --script=asn-query,whois,ip-geolocation-maxmind [target]
Detect Heart bleed SSL vulnerability
nmap -sV -p 443 --script=ssl-heartbleed [target]
Scan for DDOS reflection UDP services
nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr [target]
Scan HTTP Service
Get page titles
nmap --script=http-title [target]
Get HTTP headers
nmap --script=http-headers [target]