Nmap (short for Network Mapper) is a free, open-source tool for network discovery and security auditing.
Among other things, Nmap can:
- Detect the running operating system
- Find open ports (TCP and UDP)
- Identify the number of live devices in a network
- Detect the versions of the software running on the target
- Run scripts (NSE) for network discovery and vulnerability detection
- Scan targets that do not answer ICMP (ping); Windows hosts generally drop echo requests because the Windows firewall blocks them by default
- Scan IPv6 networks
Please Note : Do NOT run nmap against anything you do not have permission to. You can get into serious trouble.
Basic Usage
The most common flags for scanning are:
-sn : Disable the port scan (host discovery only, a "ping sweep").
-Pn : Disable the ping scan; treat all hosts as online and skip host discovery. Use this for targets that drop ICMP.
-sU : UDP scan.
-sS : TCP SYN ("half-open") scan. This is the default scan type when nmap runs as root.
-O : OS detection (requires root).
-oG : Save the output in grepable format.
-oN : Save the output in normal format.
-6 : Enable IPv6 scanning.
-T<0-5> : Timing template. A higher number makes the scan faster but noisier; -T4 is the usual choice on lab boxes.
-sC : Equivalent to --script=default (runs the default NSE script category).
-sV : Version detection.
-v : Increase verbosity level.
-n : Never do DNS resolution.
-R : Always do DNS resolution (by default nmap only resolves targets that respond).
-A : Aggressive mode (enables OS detection, version detection, script scanning, and traceroute).
-p : Specify the port(s) to scan, e.g. nmap -p 21 for a single port, or nmap -p 100-200 (nmap -p min-max) for a range of ports.
-p- : Scan all 65535 ports. (By default nmap scans the 1000 most common ports for each protocol.)
--script vuln : Very useful. Activates all of the scripts in the vuln category (Very helpful command. Really helped me during my eJPT)
Practical Usage
Basic nmap command: nmap IP
Let's try a simple -p to scan a particular port: nmap -p 21 IP
Let's detect the version of the service on that port using -sV (I have added the -T4 flag to make the scan faster): nmap -sV -T4 -p 21 IP
Let's do an OS detection scan with -O (it requires root permission): sudo nmap -O IP
Let's do an aggressive scan using the -A switch (it also requires root, because it includes -O): sudo nmap -A IP
Importance of Service Detection
Service detection is very useful: it tells you the product and version of the software running on each open port. With that information we can search for a known vulnerability or a public exploit affecting that specific version.
MiniServ 1.890 (the web server built into Webmin) looks like an outdated version, so we can search for an exploit in Metasploit.
After starting Metasploit with msfconsole, search for webmin 1.890.
We can see that an exploit is available. Select it with use 0 (0 is the index shown in the search results; the index depends on which modules are installed, so the full path is the safer choice) or with use exploit/linux/http/webmin_backdoor (the full path of the module).
Then set the required options (listed by show options; at minimum RHOSTS for the target and, for a reverse-shell payload, LHOST for your own address) and run the exploit.
I just demonstrated how we can use Nmap's version detection to gain root (highest authority) on the target system. Hope you had fun.
Personal Experience
I like to use RustScan, a tool for scanning open ports, then go back to nmap and scan those specific ports together instead of scanning all of them. It can save a lot of time, as nmap takes a long time to scan all 65535 ports.
I would recommend using RustScan only on THM boxes.
You can also run nmap from inside RustScan with the -- separator; everything after it is passed to nmap as flags.
Example: rustscan -a IP -- -sV
This command scans all ports on the target IP and then runs nmap with service detection (-sV) on the ports it found open.
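The "fast full-port sweep, then targeted nmap on the open ports" workflow described above, and the -oG / -p flags from the flag list, as an added example that is not part of the original post: a small POSIX shell script that parses nmap's grepable output for the open TCP ports and the detected service versions, then builds the targeted follow-up scan. The grepable sample embedded in it is constructed (the host 10.10.10.5, the banners and the timings are made up for illustration) and the output file names are my own choice; only the -oG field layout (port/state/proto/owner/service/rpcinfo/version/) is nmap's real format.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG) for the "fast sweep, then targeted scan"
# workflow. Assumes one target host per file and no commas inside version
# strings (use -oX with a real XML parser for anything more robust).

# Constructed -oG output, shaped like: nmap -p- -T4 -sV -oG full.gnmap 10.10.10.5
# (host, banners and timings are made up for this example)
sample_gnmap() {
  printf '%s\n' '# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- -T4 -sV -oG full.gnmap 10.10.10.5'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: %s\tIgnored State: closed (65531)\n' \
    '22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 135/filtered/tcp//msrpc///, 10000/open/tcp//http//MiniServ 1.890 (Webmin httpd)/'
  printf '%s\n' '# Nmap done at Mon Jan  1 10:00:20 2024 -- 1 IP address (1 host up) scanned in 20.00 seconds'
}

# Isolate the "Ports:" field of the Host line and emit one port entry per line.
# Each entry is port/state/proto/owner/service/rpcinfo/version/
port_entries() {
  grep '^Host:' | grep 'Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n'
}

# Comma-separated, numerically sorted list of open TCP ports, ready for -p.
# Filtered/closed ports are dropped, which is the point of the second scan.
open_ports() {
  port_entries \
    | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/^ +/, "", $1); print $1 }' \
    | sort -n \
    | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# "port proto service version" per open port: the lines you take to an
# exploit search (as the post does with MiniServ 1.890). Without -sV the
# version field is empty, so say so instead of printing a blank.
service_versions() {
  port_entries \
    | awk -F/ '$2 == "open" {
        gsub(/^ +/, "", $1)
        ver = ($7 == "") ? "(no version; rerun with -sV)" : $7
        print $1, $3, $5, ver
      }'
}

# Build the targeted follow-up command: version detection, default scripts and
# OS detection on only the open ports. The output file name is my own choice.
followup_cmd() {
  printf 'nmap -sV -sC -O -p %s -oN targeted.nmap %s\n' "$2" "$1"
}

# Live workflow (only used when a target is given and nmap is installed):
# full-port sweep to a grepable file, then the targeted scan on what is open.
# Only run this against hosts you are allowed to scan.
run_workflow() {
  target=$1
  nmap -p- -T4 -oG full.gnmap "$target" >/dev/null
  ports=$(open_ports < full.gnmap)
  [ -n "$ports" ] || { echo "no open TCP ports found on $target"; return 1; }
  echo "Running: $(followup_cmd "$target" "$ports")"
  sudo nmap -sV -sC -O -p "$ports" -oN targeted.nmap "$target"
}

# Demo on the constructed sample (no network access needed)
echo "Open TCP ports: $(sample_gnmap | open_ports)"
sample_gnmap | service_versions
echo "Follow-up: $(followup_cmd 10.10.10.5 "$(sample_gnmap | open_ports)")"
if [ -n "${1:-}" ] && command -v nmap >/dev/null 2>&1; then
  run_workflow "$1"
fi
```

Run it with no arguments to see the parsing on the sample; pass a target IP as the first argument to run the real two-stage scan, which needs nmap on PATH and root for -O. RustScan's -- pass-through does the same hand-off internally; the script is the nmap-only equivalent, and it keeps the grepable file so you can re-derive the port list without rescanning.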