NMAP

Hello world, welcome to haxez where today I’m going to be talking about the network mapping tool Nmap. Nmap is a network scanner and was created by Gordon Lyon. It can be used to discover hosts on a network by sending packets to those hosts and then analyzing the responses. In other words, it can help you map out a target network. As a result, Nmap among other tools like Mass Scan is an essential tool for your ethical hacking tool kit. I use it on almost every engagement.

Nmap Host Discovery

As mentioned previously, Nmap can be used to discover hosts on a network. This can be done a number of ways but the most common is known as a ping sweep. A ping sweep does exactly that, it pings every host in the specified range and waits for a response to see if the host is online.

sudo nmap -sP 10.10.10.0-255

This can also be done without DNS resolution.

sudo nmap -sP 10.10.10.0-255 -n

However, this method isn’t full proof as hosts could have ICMP disabled meaning that they won’t respond to pings.

Ping Sweep
Nmap Ping Sweep

Nmap TCP Port Scan

The Nmap tool can also scan hosts and determine what TCP ports are open. This is done by initiating a three-way handshake with the host and analyzing the response. You can specify which ports or let it only scan the top 100 or 1000 ports. Additionally, you can also add service version detection to the scan by adding the ‘-sV’ argument.

sudo nmap -sT -sV -p0- 10.10.10.10
TCP Scan
Nmap TCP Scan

Nmap UDP Port Scan

Moreover, Nmap can also perform a UDP scan against the hosts. However, because UDP is a stateless protocol whereby the sending continues to send regardless of whether the host has responded, it can take time to determine whether a port is open.

sudo nmap -sU -p0- 10.10.10.10

Nmap Scripting Engine

One of the most powerful features of Nmap is its scripting engine. If you’re just starting out in computing or cyber, you could be forgiven for not knowing about it. Nmap is far more than a network scanner, it is a complete penetration testing framework. If you bring up your terminal and type in:

sudo locate *.nse
NSE Scripts
Nmap NSE Scripts

You can see the insane amount of scripts available for you to use against your targets. These scripts range from purely informational to exploitative. The scripts can be updated by running the following command.

sudo nmap --script-updatedb

SSL Scripts

One thing that I do frequently on an engagement is to test the configuration of the SSL certificate. This helps to ensure that all communication sent to and from the host is done so securely. Furthermore, it also helps to ensure that no specially crafted packets can be sent to the host to retrieve sensitive information.

sudo nmap --script ssl-cert -p 443 haxez.org

The command below can be used to enumerate the SSL ciphers and check for weak ones.

sudo nmap -sV --script ssl-enum-ciphers -p 443 haxez.org
Nmap SSL Scripts
Nmap SSL Scripts

DNS Zone Transfer Script

There is also a script that can perform DNS zone transfers. While there are other tools like dig and fierce that have a far less complex syntax, if you’re in a pinch and only have Nmap then it’s nice to know the option is there. This can be done by running the following command.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja

So, if you’re on an engagement and you notice TCP port 53 is open. You could grab an absolute wealth of information by performing a DNS zone transfer.

Nmap DNS Zone Transfer
Nmap DNS Zone Transfer

SMB Share Enumeration

Imagine you’ve stumbled into a network and you’ve scanned a host and noticed that port 445 is open. You know that this is the port for Server Message Block or SMB for short. You also know that this port is used to share files and folders/directories across the network. Wouldn’t it be great if there was a way to see what shares were being shared? Well, there’s a script for that.

nmap --script smb-enum-shares.nse -p445 192.168.56.103

SMB User Enumeration

Ok so you now know what the shares are but you don’t know any users on the system that would have the privileges to access them. Well, there is a script for that which allows you to enumerate the users of the system via the SMB share.

nmap --script smb-enum-users.nse -p445 192.168.56.103
Nmap SMB User Enumeration
Nmap SMB User Enumeration

FTP Brute

So you now have a list of usernames but what do you do with them? Are there any other services that you can see? What’s that? Its running FTP? Why not brute force that service with Nmap’s FTP Brute force script.

sudo nmap --script ftp-brute -p21 192.168.56.103 --script-args userdb=ftp_defuser.lst,passdb=ftp_defuser.lst
Nmap FTP Brute Force
Nmap FTP Brute Force

SSH Brute

You notice another box or that the same box is running the remote management protocol SSH. You have a list of users and some passwords which you got from the FTP service. Why not use that wordlist to go attack the SSH login too.

sudo nmap -p 22 --script ssh-brute --script-args userdb=ssh-user.txt,passdb=password.txt 192.168.56.103
Nmap SSH Brute Force
Nmap SSH Brute Force

Increase Verbosity

There are some other arguments that could help you with your scans too. If you wanted to see exactly what Nmap is doing then you could increase the verbosity.

-v1 -v2 -v3

Increase Speed

Or if Nmap is running too slowly then you could increase the speed by adding a T4 argument to your scan. Be careful though as some systems with minimal resources might be offended by your scan and decided to crash due to resource exhaustion.

-T1 -T2 -T3 -T4

Conclusion

There are so many other types of scans like Syn scans, and Xmas scans that I could talk about. I could spend weeks talking about all the different scripts available. I don’t want to make this article too long though. Hopefully, I’ve covered enough to get you started with Nmap and to realize its enormous potential. I use it on almost every test that I do simply because it has almost everything I need. That isn’t to say I don’t verify the results with other tools, but it is usually my starting point on any engagement once the passive reconnaissance is out of the way.