What is Nmap?

Nmap, an abbreviation for "Network Mapper," is a robust open-source network scanning tool utilized for network exploration and security assessment. It is designed to help network administrators and security professionals identify hosts, services, operating systems, and vulnerabilities within a computer network.


Nmap works by sending packets to the target network and analyzing the responses to determine which hosts are online, what services they are running, and which ports are open. It can also perform more advanced tasks such as OS fingerprinting, version detection, and vulnerability scanning.


Some key features of Nmap include:


Host discovery: Uncovering active hosts within a network.

Port scanning: Identifying open ports on target hosts.

Service detection: Determining what services are running on open ports.

Operating system detection: Attempting to identify the operating system of the target hosts.

Scriptable interaction: Nmap provides a scripting engine (Nmap Scripting Engine, or NSE) that allows users to write and execute scripts to automate various tasks.

Nmap is widely used in both offensive and defensive security operations. Network administrators use it to maintain the security of their networks by identifying potential vulnerabilities, while security professionals and hackers use it to find weaknesses in systems that could be exploited maliciously. 

Why use Nmap?

Nmap is used for a variety of reasons in the realm of network security and administration:


Network Discovery: Nmap helps in discovering hosts and services on a computer network, making it useful for network inventory and mapping.


Security Auditing: It allows security professionals to assess the security posture of a network by identifying open ports, running services, and potential vulnerabilities.


Vulnerability Assessment: Nmap can be used to scan for known vulnerabilities in network services and operating systems, aiding in prioritizing security efforts.


Penetration Testing: Security professionals use Nmap to simulate attacks on their own networks, identifying weaknesses and improving defenses.


Forensics and Incident Response: After a security incident, Nmap can be used to analyze network traffic, identify compromised hosts, and assess the extent of the breach.


Network Monitoring: It can be used as part of a network monitoring system to periodically check the availability and status of network services.


Compliance Checking: Nmap can assist in ensuring compliance with security standards and regulations by identifying potential security weaknesses.


Scriptable Automation: Its scripting engine allows for the automation of various tasks, making it adaptable to a wide range of security and network management needs.


Basic scans

Here are some basic scans commonly used in Nmap:

TCP SYN Scan (-sS): Sends a TCP SYN packet to each target port and reads the port state from the reply (SYN/ACK means open, RST means closed, no reply means filtered) without ever completing the three-way handshake. Because the connection is never established, the application listening on the port does not see it, which is why the scan is considered stealthy and why it can bypass some firewalls and intrusion detection systems. It needs raw-packet privileges (root or Administrator) and is Nmap's default scan when run with them.

TCP Connect Scan (-sT): Establishes a full TCP connection to each port using the operating system's connect() call. It needs no special privileges, but it is noisier than a SYN scan: the handshake completes, so the service on the port is likely to log the connection. It is Nmap's default for unprivileged users.

UDP Scan (-sU): Nmap sends UDP packets to target ports. Because UDP is connectionless, an open port often gives no reply at all (Nmap reports it as open|filtered), and many systems rate-limit the ICMP port-unreachable replies that identify closed ports, so UDP scanning consumes far more time than TCP scanning.

ACK Scan (-sA): Nmap sends ACK packets to target ports. This scan does not tell you whether a port is open; it classifies ports as unfiltered (a RST came back) or filtered (no reply), which makes it useful for testing firewall rules and distinguishing stateful from stateless filtering.

TCP NULL, FIN, Xmas Scans (-sN, -sF, -sX): These scans send probes with TCP flag combinations that never occur in a normal connection (no flags at all, FIN only, and FIN+PSH+URG respectively). A closed port answers with RST while an open port stays silent, so open ports are reported as open|filtered. They are stealthy scans that can confuse some firewalls and security devices, although systems that reply RST to every such probe (Windows among them) report every port as closed.
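The scan types above are easiest to understand from the defender's side: each one leaves a characteristic TCP flag pattern in firewall or flow logs. The following is an added example, not code from the original page or from the Nmap project, that classifies probes by their flag set and flags sources that touched many distinct ports on one host. The log layout, the hosts and the timestamps are constructed for the example (no real product logs exactly like this); the flag letters are the usual SYN/ACK/FIN/PSH/URG/RST codes.

```python
import re
from collections import defaultdict


# Constructed sample log lines (assumption: a simplified firewall-log layout invented for
# this example, not any real product's format). Flag letters follow the usual convention:
# S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST; an empty flags field means no flags set.
def _lines(src, dst, ports, flags):
    return [f"2024-05-01T10:00:00Z src={src} dst={dst} dpt={p} flags={flags}" for p in ports]


SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", "10.0.0.10", range(20, 32), "S")      # 12 ports, SYN-only probes (-sS or -sT)
    + _lines("10.0.0.7", "10.0.0.10", range(100, 111), "")   # 11 ports, no flags at all (-sN)
    + _lines("10.0.0.8", "10.0.0.10", [80, 443], "FPU")      # 2 ports, FIN+PSH+URG (-sX)
    + _lines("10.0.0.9", "10.0.0.10", [443, 443, 443], "S")  # one client reconnecting to HTTPS
    + _lines("10.0.0.9", "10.0.0.10", [443], "A")            # ...and its established traffic
)

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) flags=(?P<flags>\S*)")

# Flag combinations that never occur in a legitimate TCP conversation: even one such
# packet is worth an alert, whereas a lone SYN or ACK is ordinary traffic.
ANOMALOUS = {"null", "fin", "xmas"}


def classify_probe(flags: str) -> str:
    """Map a packet's TCP flag set to the Nmap scan type that would send it."""
    f = set(flags)
    if not f:
        return "null"        # -sN: no flags set
    if f == {"S"}:
        return "syn"         # -sS (also the first packet of -sT or of any real connection)
    if f == {"A"}:
        return "ack"         # -sA
    if f == {"F"}:
        return "fin"         # -sF
    if f == {"F", "P", "U"}:
        return "xmas"        # -sX: FIN, PSH and URG all lit up
    return "other"           # SYN/ACK, RST, data segments, etc.


def detect_scans(log_text: str, threshold: int = 10) -> list:
    """Flag (src, dst) pairs whose probes of one type touched many distinct ports.

    threshold applies to SYN and ACK probes; anomalous flag sets are flagged from one port.
    """
    seen = defaultdict(set)                      # (src, dst, scan type) -> distinct dst ports
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = classify_probe(m["flags"])
        if kind == "other":
            continue
        seen[(m["src"], m["dst"], kind)].add(int(m["dpt"]))

    hits = []
    for (src, dst, kind), ports in seen.items():
        limit = 1 if kind in ANOMALOUS else threshold
        if len(ports) >= limit:
            hits.append({"src": src, "dst": dst, "scan": kind, "distinct_ports": len(ports)})
    return sorted(hits, key=lambda h: (h["src"], h["dst"], h["scan"]))


if __name__ == "__main__":
    for h in detect_scans(SAMPLE_LOG):
        print(f'{h["src"]} -> {h["dst"]}: probable {h["scan"]} scan, {h["distinct_ports"]} ports')
```

Two design points follow directly from the scan descriptions: a SYN scan and a connect scan produce the same first packet as any legitimate client, so only the spread across many ports separates them from normal traffic, whereas NULL, FIN and Xmas probes carry flag sets no real TCP stack emits, so a single one is already a strong signal.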



-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Ping scan: Identifies active devices within a specified subnet by sending ICMP Echo Request packets, without port scanning them. The option is -sn (it was spelled -sP in older Nmap versions; options are case-sensitive).

              ➡️  nmap -sn 192.168.1.1/24

Scan a single host: Scans a single host's 1,000 most commonly used ports, which cover popular services such as SQL databases, SNTP, Apache web servers, and others.

              ➡️  nmap scanme.nmap.org


Version detection

Identifying application versions is a critical aspect of penetration testing.

This simplifies your task: you can search the Common Vulnerabilities and Exposures (CVE) database for known vulnerabilities in that specific service version, and then use that information to target the system with exploitation tools such as Metasploit.

              ➡️  nmap -sV scanme.nmap.org

To conduct a version scan, use the -sV option. Nmap will list each open port's service along with the product name and version it detected. Bear in mind that version detection works by matching probe responses against a signature database and is not always entirely accurate, but it does bring you closer to penetrating a system successfully.
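The version list that -sV produces is also the raw material for the monitoring, compliance and patch-prioritisation uses described earlier under "Why use Nmap?". The following is an added example, not code from the original page or from the Nmap project, that parses Nmap's XML output (what `-oX` writes) into a per-host inventory of open ports and detected versions, then compares it with a baseline of approved services. The element and attribute names (`host`, `address`, `port`, `state`, `service`, `portid`, `product`, `version`) are Nmap's own; the host, ports, version strings and the baseline are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's -oX output. Element and attribute names are
# Nmap's; the host address, open ports and version strings are made up for this example.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.10" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.57" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="8.0.33" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline (assumption): the (protocol, port) pairs each host is approved to expose.
BASELINE = {"10.0.0.10": {("tcp", 22), ("tcp", 80)}}


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: [record, ...]} with one record per open port, carrying what -sV found."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        records = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue           # closed and filtered ports expose no service to inventory
            svc = port.find("service")
            records.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        inventory[addr.get("addr")] = records
    return inventory


def unexpected_services(inventory: dict, baseline: dict) -> dict:
    """Open ports that are not on the host's approved list (monitoring / compliance check)."""
    findings = {}
    for ip, records in inventory.items():
        allowed = baseline.get(ip, set())
        extra = [r for r in records if (r["proto"], r["port"]) not in allowed]
        if extra:
            findings[ip] = extra
    return findings


def version_report(inventory: dict) -> list:
    """(ip, port, 'product version') rows: the input for a CVE lookup or a patch tracker."""
    rows = []
    for ip, records in inventory.items():
        for r in records:
            if r["product"]:
                rows.append((ip, r["port"], " ".join(x for x in (r["product"], r["version"]) if x)))
    return rows


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip, port, ver in version_report(inv):
        print(f"{ip}:{port}  {ver}")
    for ip, extra in unexpected_services(inv, BASELINE).items():
        print(f"{ip}: open ports not in baseline {[r['port'] for r in extra]}")
```

For a real run, produce the input with `nmap -sV -oX scan.xml <target>` and pass the file's contents to parse_nmap_xml; the XML format is the one Nmap keeps stable across releases, unlike its normal screen output. The `conf` attribute on each service element (1 to 10) records how confident Nmap is in the match, which is the caveat from the paragraph above in machine-readable form: a low value means the product and version are a guess from the port's conventional use, not a probe match.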