Getting started with nmap

CaffeineFueled

2022/12/12

Disclaimer: Only scan networks you have permission for. Many VPS providers do not allow the scanning of other networks and can cause you trouble. Please be aware of it.

Installation

I won’t cover the installation of nmap in this blog post. It is available for many OSs, and a simple lookup with your favorite search engine will give you enough results to get it done.

What is nmap?

Nmap (Network mapper) is an open-source network and security auditing tool. It is used for network host and service discovery and has a wide range of use cases. It can scan ports, discover live hosts, detect service and OS versions, run vulnerability scans, and be used with many scripts.

I’ll show you the basics of nmap in this post. This is more than enough to get started.

Important: I recommend using nmap as root since not all scans are available for non-root users. The kernel constrain standard users from using all functions of the NIC.

Specify the hosts or networks to scan #

You’ll start by defining the range of the scan. This is mandatory and there are multiple ways to do it.

Single address / host name:
nmap 10.10.20.1
nmap scanme.nmap.org # You have permission to scan this domain / host. Visit this page for more information. As mentioned before, be aware that many server providers prohibit the scan of other networks.
There are several ways to define a range of targets:
nmap 10.10.10.1 10.10.10.2 10.10.10.3
nmap 10.10.10.1,2,3
nmap 10.10.10.1-50
nmap 10.10.10.0/24
Use a file with a list of targets (hosts/network):
nmap -iL /path/to/file.txt

Side note: The list can have various formats. All hosts in one single line, separated by spaces, or you can put every host in a separate line or even combine it like this:

10.10.10.1 10.10.20.2
10.10.30.3

Nmap would scan 3 hosts.

Choose a random number of hosts within a chosen range:
nmap 10.10.10.0/24 -iR 5

Exclude hosts and networks from scans #

Choose hosts or networks that should be excluded:
nmap 192.168.0.0/24 --exclude 192.168.0.2
Use a file with a list of exclusions:
nmap 10.10.10.0/24 --excludefile /path/to/file.txt

SPECIFIC PORT RANGES #

Side note: Without a flag, it runs the 1000 common TCP ports by default. Source

For a quick scan that only scans the first 100 ports, use the -F flag:
nmap 10.10.10.1 -F
Scan of a single port:
nmap 10.10.10.0/24 -p 22
Scan of several ports:
nmap 10.10.10.0/24 -p 22,80
nmap 10.10.10.0/24 -p 1-100
nmap 10.10.10.0/24 -p 80,90-100
-p- would scan ALL ports (0 to 65535):
nmap 10.10.10.0/24 -p-

TCP is the default protocol. You can specifically choose TCP or UDP like this:

TCP (default):
nmap 10.10.10.0/24 -p T:53
UDP:
nmap 10.10.10.0/24 -p U:53
Combine both:
nmap 10.10.10.0/24 -p T:53,U:53

Important: the T: and U: must be capitalized since it is case-sensitive.

If you only want to scan UDP ports, use the -sU flag to do so.

I am not familiar with it, but you can work with protocol names like this:
nmap 10.10.10.0/24 -p smtp # Thanks to k3vinw

Exlude ports from scan #

Simply us the --exlude-ports option and the ports / port range:
nmap 10.10.10.1 -p 1-100 --exlude-ports 22,53

Set the source port

Use the -g flag to specify the source port of the scan:
nmap 10.10.10.1 -g 12345

Save output to file #

There are 3 formats you can pick between:

Console output:
-oN results.txt
‘Grepable’ console output:
-oG results.txt
XML format:
-oX results.txt
Saves output of ALL 3 formats:
-oA results.txt

If you want to append the results to a file, simply add the --append-output option to the command.

Port states #

Nmap distinguishes the state of the port in six categories. This section is copied from the official documentation since it is explained really well.

open

An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed

A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

filtered

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

unfiltered

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

open|filtered

map places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

Scan timing / timing templates #

With these timing templates, you can decide how aggressively and fast you want to scan your targets. The lower the number, the slower scan and vice versa. You can choose them with the -T flag like this:
-T0 paranoid
-T1 sneaky
-T2 polite
-T3 normal (default)
-T4 aggressive
-T5 insane

-T0 and -T1, for example, are used for IDS evasion. The scans are less aggressive, have more delay, look more random, and so on. -T5 is really aggressive, fast and rather unreliable due loss of packets.

A detailed table of differences can be found in the official documentation

Scripts #

Disclaimer + Important: Scripts are not run in a sandbox and thus could accidentally or maliciously damage your system or invade your privacy. Never run scripts from third parties unless you trust the authors or have carefully audited the scripts yourself.

The Nmap Scripting Engine (NSE) allows you to use, and share various scripts. The scripts are written in Lua.

There are different categories of scripts. The current categories are: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

Run a script:
--script filename / category / directory
all scripts in the category or directory would be loaded

Nmap scripting is way beyond the scope of this post, and since I am not too familiar, I rather keep it short. I mostly use scripts for finding SMBv1 servers (smb-os-discovery), display of SSH authentication information (ssh-auth-methods) or all available DHCP server (broadcast-dhcp-discover). The last one is great for debug DHCP problems or find rogue DHCP servers.

Often enough scripts are used to find vulnerabilities. One example can be found on Github. A helpful script to check against log4shell or LogJam vulnerabilities (CVE-2021-44228).

For more information about scripts for nmap, check out the following blog post: Getting started with nmap scripts

Helpful additional scan options #

Verbosity of the scan:
-v / -vv / -vvv
Increase verbosity on debug level:
-d / -dd / … or -d1 to -d9
often used if a bug in nmap is suspected
Choose the interface for the scan:
-e interfacename
skip reverse DNS look-up:
-n
force reverse DNS, even when host is offine:
-R
use the DNS resolver of the system:
--system-dns
use a specific DNS server for requests:
--dns-servers <server1>[,<server2>[,...]]
show the results every X seconds/minutes:
--stats-every 1m / 10s
really great for long scans to check the progress
Scan IPv6 addresses:
-6 ::ffff:1234:abcd
detecting the version of services running on the target:
-sV
detecting operating system of the target by fingerprinting:
-O
TCP Syn scan - Stealth mode:
-sS
sending TCP/SYN packet, waits for TCP/ACK. Slower, but less aggressive
TCP full connect - 3-way-handshake:
-sT
it is more acurate, but slower and noisier:
ICMP echo request / ping for a quick scan:
-sP
No ICMP echo request / ping, nmap assumes the host is up:
-Pn
ICMP echo request:
-PE
ICMP Timestamp request:
-PP
ICMP netmask request:
-PM
TCP SYN ping:
-PS PORTNUMBER
Port 40125 is the default, if no port entered
TCP ACK Ping use
-PA PORTNUMBER
Port 40125 is the default, if no port entered

IDS/ FW Evasion #

This is a topic for another time and unnecessary for beginners, but just some IDS/FW evasion methods.

Decoy mode - tries to hide your IP in a pool of other IPs
nmap -D 10.10.10.22,10.10.10.44,10.10.10.66 10.10.10.1
10.10.10.22 # your own IP
10.10.10.44 # decoy IP
10.10.10.66 # decoy IP
10.10.10.1 # IP of target
Change the source IP:
-S
Spoof another MAC address:
--spoof-mac MAC-ADDRESS / prefix / vendor name
Using a HTTP/SOCKS4 proxy:
--proxies URL,[url2],...

Conclusion

Nmap is unbelievably powerful and invaluable for my day-to-day work. I hope I could provide you some insight into the possibilities of nmap. If you think I forgot something, feel free to reach out.




Most recent Articles:
  • Notice Board 003: Progress is Progress
  • How to: Cisco ISE backup to SFTP repository with public key authentication
  • Dummy IP & MAC Addresses for Documentation & Sanitization
  • Deploying ISSO Commenting System for Static Content using Docker
  • Generate a Vanity v3 Hidden Service Onion Address with mkp224o