Nmap is short for Network Mapper. It is one of the most widely used penetration testing scanning tools. It is an open-source Linux command-line tool that scans IP Addresses and ports on a network and detects installed applications (Shivanandhan, 2020). Nmap allows network administrators to identify devices on their network, discover open ports and services, and detect vulnerabilities (Shivanandhan, 2020). Various operating systems, including Unix, Windows, and Linux, support Nmap.
Nmap is a versatile tool that enables rapid network mapping without requiring advanced commands or configurations, and it supports the Nmap Scripting Engine (NSE) for more complex operations (Shivanandhan, 2020). Shivanandhan (2020) lists the following as some of the other key capabilities:
1. Quickly identifying all networked devices (servers, routers, switches, mobile devices, etc.) across single or multiple networks.
2. Discovering services (like web or DNS) running on a system and accurately determining their application versions, which aids in detecting existing vulnerabilities.
3. Gathering detailed information about the operating system running on devices, including OS versions, to help security auditors plan penetration testing strategies.
4. Facilitating security auditing and vulnerability scanning by allowing users to attack systems using pre-existing scripts from the NSE.
5. Providing a graphical interface called Zenmap to create visual network mappings, improving usability, and reporting.
The Nmap Scripting Engine (NSE) significantly extends Nmap's capabilities, allowing users to automate extensive tasks such as vulnerability testing and exploitation. Written in Lua, the NSE enables security professionals to develop and run custom scripts (Gangwar, 2023). Scripts are executed using the --script flag, specifying either a single script, multiple scripts separated by commas (e.g., --script=<script-name1>,<script-name2>), or an entire script category (Gangwar, 2023). Arguments required by certain scripts can be supplied using the --script-args <args> flag (Gangwar, 2023). Gangwar (2023) lists the following categories to classify a script's purpose and impact:
Category  | Description                                                                                      | Impact/Purpose
----------|--------------------------------------------------------------------------------------------------|------------------------------------------
safe      | Scripts that are guaranteed not to affect or compromise the stability of the target              | Passive information gathering
intrusive | Scripts that are likely to affect the target, potentially consuming resources or causing instability | Aggressive testing; non-safe operations
vuln      | Scripts that scan services for specific, known security vulnerabilities                          | Vulnerability identification
exploit   | Scripts that attempt to actively exploit a detected vulnerability to gain deeper access          | Active compromise/testing
auth      | Scripts that attempt to bypass authentication mechanisms for running services                    | Authentication testing
brute     | Scripts that attempt to guess credentials for services through brute-force attacks               | Credential testing
discovery | Scripts that query running services to gather further network or host information               | Network reconnaissance and enumeration
Nmap is fundamentally built around three primary functions, forming the basis for comprehensive network assessment (Muhungu, 2023):
1. Host Discovery: The process of identifying every active device and its corresponding IP address on a network.
2. Port Scanning: The technique used to determine which ports are open, closed, or filtered on a target host, which ultimately helps identify potential security vulnerabilities.
3. Operating System (OS) Detection: The ability to determine the operating system and often the specific version running on each discovered host, aiding in targeted penetration testing and auditing.
Muhungu (2023) also states that Nmap utilizes various methods to gather information about target systems, and the following four techniques represent some of the most frequently used scan types:
1. TCP SYN Scan (Stealth Scan):
According to Muhungu (2023), the TCP SYN scan is a fast and stealthy technique used to determine the status of ports (open, closed, or filtered) on a target.
Action: Nmap sends a SYN (synchronize) packet to the target port.
Open port: The target responds with a SYN/ACK (synchronize/acknowledge) packet, indicating it is ready to establish a connection. Nmap then sends an RST (reset) to tear down the half-open connection before it is logged by the application.
Closed port: The target responds directly with an RST packet.
Due to this 'half-open' nature, this scan often avoids detection by basic logging mechanisms.
Command: sudo nmap -sS <Target_IP_Address>
2. Version Detection Scan:
According to Muhungu (2023), a version detection scan goes beyond identifying an open port; it actively interrogates the service running on that port to determine its type and version number.
Nmap sends various probes to open ports. The service's response allows Nmap to fingerprint the application, garnering crucial details about the specific software. This information is vital for identifying known vulnerabilities.
Command: sudo nmap -sV <Target_IP_Address>
3. Operating System (OS) Detection Scan:
Muhungu (2023) states that the OS detection scan is used during network reconnaissance to identify the operating system running on a target device. Nmap sends specially crafted TCP packets to the host. Based on how the host's TCP/IP stack responds to these unique probes (its 'fingerprint'), Nmap can accurately determine the OS, its specific version, and sometimes even the device type.
Command: sudo nmap -O <Target_IP_Address>
4. Vulnerability Scan:
A vulnerability scan is an automated auditing process that attempts to detect known security weaknesses, specifically Common Vulnerabilities and Exposures (CVEs), on a target host (Muhungu, 2023). This type of scan leverages the Nmap Scripting Engine (NSE), specifically by using the built-in vulnerability scripts.
Command: nmap -PN --script vuln <Target_IP_Address>
The -PN flag (the older spelling of -Pn; current Nmap versions accept both) skips the host discovery (ping) phase, ensuring the scan proceeds even if the host doesn't respond to ICMP requests.
The --script vuln flag instructs Nmap to execute all scripts in the vuln category, i.e. those written for vulnerability detection.
Using Nmap in Metasploitable:
Here, we use Kali Linux as the attacking machine and Metasploitable as the target.
Performing some basic scans, such as ping scans and port scans:
Ping Scan: Lists the devices that are up on a given subnet (Shivanandhan, 2020). The -sP flag is the older name for -sn; current Nmap versions accept both.
Command: nmap -sP <Target_IP_Address>
nmap -sP 10.10.1.12
Result:
1 IP address (1 host up) scanned.
Port Scanning:
Port scanning is one of the most fundamental features of Nmap.
Command: nmap -p <Port_Specification> <Target_IP_Address>
The -p flag takes a port or port range as its argument; without -p, nmap 10.10.1.12 scans the 1,000 most common TCP ports.
Scanning Port 80 on the target:
Command: nmap -p 80 10.10.1.12
Result:
Port   | State | Service
-------|-------|--------
80/tcp | open  | http
Scanning Ports 1 to 100 on the target:
Command: nmap -p 1-100 10.10.1.12
Result: The following open ports were discovered:
Port   | State | Service
-------|-------|--------
21/tcp | open  | ftp
22/tcp | open  | ssh
23/tcp | open  | telnet
25/tcp | open  | smtp
53/tcp | open  | domain
80/tcp | open  | http
Scanning all Ports on the target:
Command: nmap -p- 10.10.1.12
Result: Multiple ports were discovered.
TCP SYN Scan (Stealth Scan):
Stealth scanning is performed by sending a SYN packet and analyzing the response (Shivanandhan, 2020). If SYN/ACK is received, it means the port is open, and you can open a TCP connection.
Command: sudo nmap -sS 10.10.1.12
Result: Discovered and displayed multiple open Ports.
Version Detection Scan:
Finding application versions is a crucial part of penetration testing: it makes your life easier, since one can look up an existing vulnerability in the Common Vulnerabilities and Exposures (CVE) list for a particular version of the service (Shivanandhan, 2020).
Command: sudo nmap -sV 10.10.1.12
Result:
OS Scanning:
Nmap can provide information about the underlying operating system using TCP/IP fingerprinting, and Nmap will also try to find the system uptime during an OS scan (Shivanandhan, 2020).
Command: sudo nmap -O 10.10.1.12
Aggressive Scanning Command: nmap -A 10.10.1.12
Result for Command: sudo nmap -O 10.10.1.12
"No exact OS matches for host…"
Result for Command: nmap -A 10.10.1.12
OS details of Metasploitable as reported by nmap -A 10.10.1.12:
OS Details: Linux 2.6.17 - 2.6.18 (x86)
Network Distance: 0 hops
Vulnerability Scan:
Command: nmap -PN --script vuln 10.10.1.12
Alternative (with version detection): nmap -sV --script vuln 10.10.1.12
Result for nmap -PN --script vuln 10.10.1.12:
Discovers and displays all the ports.
Additional Info:
Comparing results from the Metasploitable box with those from the Kali box:
Result for nmap -PN --script vuln 10.10.1.12 on the Kali box:
Discovers and displays all ports and reports whether or not each one is vulnerable and exploitable.
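The port tables, -sV versions, -O matches and --script vuln output above are easier to compare between runs when Nmap writes them with -oX and a script parses them. The following is an added example, not code from the original page or from the Nmap project; it parses a constructed sample in Nmap's XML layout, and the script ids, product versions and script outputs in that sample are assumptions.

```python
# Added example, not code from the original page: parse the XML written by
# `nmap ... -oX out.xml` so scan results can be triaged or diffed between runs.
import re
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout (not real output); the values are
# modelled on the page's Metasploitable scan, the script ids are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O --script vuln 10.10.1.12">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.1.12" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd"/>
<script id="sample-check-a" output="  State: NOT VULNERABLE"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.8"/>
<script id="sample-check-b" output="  State: VULNERABLE&#10;  constructed finding"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds"/></port></ports>
<os><osmatch name="Linux 2.6.17 - 2.6.18" accuracy="100"/></os>
</host></nmaprun>"""

# Wording used by the NSE vulns library; "NOT VULNERABLE" must not match.
VULN_RE = re.compile(r"State:\s*(?:LIKELY\s+)?VULNERABLE")

def parse_nmap_xml(xml_text):
    """One dict per host: address, up/down state, ports with service and
    version, OS matches, and (port, script id) pairs reporting a vulnerable state."""
    report = []
    for host in ET.fromstring(xml_text).iter("host"):
        h = {"addr": host.find("address").get("addr"),
             "state": host.find("status").get("state"),
             "os": [m.get("name") for m in host.iter("osmatch")],
             "ports": [], "vulnerable": []}
        for port in host.iter("port"):
            svc = port.find("service")  # absent when -sV identified nothing
            ver = [svc.get("product"), svc.get("version")] if svc is not None else []
            p = {"port": int(port.get("portid")), "proto": port.get("protocol"),
                 "state": port.find("state").get("state"),
                 "service": svc.get("name") if svc is not None else "",
                 "version": " ".join(v for v in ver if v)}
            h["ports"].append(p)
            for s in port.iter("script"):
                if VULN_RE.search(s.get("output", "")):
                    h["vulnerable"].append((p["port"], s.get("id")))
        report.append(h)
    return report

def open_ports(host):
    """Open port numbers, as listed in the page's port-scan tables."""
    return [p["port"] for p in host["ports"] if p["state"] == "open"]
```

Run the real scan with -oX out.xml and pass the file contents to parse_nmap_xml; filtered ports and hosts that are down are kept in the report so a later run can be diffed against it.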
References:
Gangwar, M. (2022, August 03). Nmap — Switches and Scan Types in Nmap. Digital Ocean. Retrieved from https://www.digitalocean.com/community/tutorials/nmap-switches-scan-types#n-map-s-cripting-e-ngine
Muhugu, V. (2023, August 09). Types of Nmap scans and best practices. Tech Target. Retrieved from https://www.techtarget.com/searchnetworking/tip/Types-of-Nmap-scans-and-best-practices
Shivanandhan, M. (2022, October 02). What is Nmap and How to Use it — A Tutorial for the Greatest Scanning Tool of All Time. Free Code Camp. Retrieved from https://www.freecodecamp.org/news/what-is-nmap-and-how-to-use-it-a-tutorial-for-the-greatest-scanning-tool-of-all-time/