Book Image

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By : Paulino Calderon
Book Image

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By: Paulino Calderon

Overview of this book

This is the second edition of ‘Nmap 6: Network Exploration and Security Auditing Cookbook’. A book aimed for anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step with exact commands and argument explanations. The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks used commonly in real-life scenarios applied for different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development allowing you to extend further the power of Nmap.
Table of Contents (18 chapters)
13
Brute Force Password Auditing Options
17
References and Additional Reading

Listing open ports on a target host

This recipe describes how to use Nmap to determine the port states on a remote host, a process used to identify running services commonly referred to as port scanning. This is one of the tasks Nmap excels at, so it is important to learn the essential Nmap options related to port scanning.

How to do it...

To launch a default scan, the bare minimum you need is a target. A target can be an IP address, a host name, or a network range:

$nmap scanme.nmap.org  

The scan results will show all the host information obtained, such as IPv4 (and IPv6 if available) address, reverse DNS name, and interesting ports with service names. All listed ports have a state. Ports marked as opened are of special interest as they represent services running on the target host:

   Nmap scan report for scanme.nmap.org (45.33.32.156) 
Host is up (0.16s latency).
Other addresses for scanme.nmap.org (not scanned):
2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 333.35 seconds

How it works...

The basic default Nmap scan nmap <target> executes a simple port scan that returns a list of ports. In addition, it returns a service name from a database distributed with Nmap and the port state for each of the listed ports.

Nmap categorizes ports into the following states:

  • Open: Open indicates that a service is listening for connections on this port.
  • Closed: Closed indicates that the probes were received, but it was concluded that there was no service running on this port.
  • Filtered: Filtered indicates that there were no signs that the probes were received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
  • Unfiltered: Unfiltered indicates that the probes were received but a state could not be established.
  • Open/Filtered: This indicates that the port was filtered or open but the state could not be established.
  • Close/Filtered: This indicates that the port was filtered or closed but the state could not be established.

Even for this simplest port scan, Nmap does many things in the background that can be configured as well. Nmap begins by converting the hostname to an IPv4 address using DNS name resolution. If you wish to use a different DNS server, use --dns-servers <serv1[,serv2],...>, or use-n if you wish to skip this step, as follows:

$ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org  

Afterward, it performs a host discovery process to check whether the host is alive (see the Finding live hosts in your network recipe). To skip this step, use -Pn as follows:

$ nmap -Pn scanme.nmap.org  

Nmap then converts the IPv4 or IPv6 address back to a hostname using a reverse DNS query. Use -n to skip this step, as follows:

$ nmap -n scanme.nmap.org  

Finally, it launches either a SYN stealth scan or TCP connect scan depending on the user privileges.

There's more...

Port scanning is one of the most powerful features available, and it is important that we understand the different techniques and Nmap options that affect the scan behavior.

Privileged versus unprivileged

Running the simplest port scan command, nmap <target>, as a privileged user by default launches a SYN Stealth Scan, whereas unprivileged users that cannot create raw packets use the TCP Connect Scan technique. The difference between these two techniques is that TCP Connect Scan uses the high-level connect() system call to obtain the port state information, meaning that each TCP connection is fully completed and therefore slower. SYN Stealth Scans use raw packets to send specially crafted TCP packets to detect port states with a technique known as half open.

Scanning specific port ranges

Setting port ranges correctly during your scans will be very handy. You might be looking for infected machines that use a specific port to communicate or a specific service and do not really care about the rest. Narrowing down the port list also optimizes performance, which is very important when scanning multiple targets.

There are several accepted formats for the argument -p:

  • Port list:
# nmap -p80,443 localhost 
  • Port range:
# nmap -p1-100 localhost  
  • All ports:
# nmap -p- localhost  
  • Specific ports by protocols:
# nmap -pT:25,U:53 <target>  
  • Service name:
# nmap -p smtp <target>  
  • Service name wildcards:
# nmap -p smtp* <target>  
  • Only ports registered in Nmap services:
# nmap -p[1-65535] <target> 

Selecting a network interface

Nmap attempts to automatically detect your active network interface; however, there are some situations where it will fail or perhaps we will need to select a different interface in order to test networking issues. To force Nmap to scan using a different network interface, use the argument -e:

#nmap -e <interface> <target>
#nmap -e eth2 scanme.nmap.org

You will need to set your network interface manually if you ever encounter the message WARNING: Unable to find appropriate interface for system route to.

More port scanning techniques

In this recipe, we talked about the two default scanning methods used in Nmap: SYN Stealth Scan and TCP Connect Scan. However, Nmap supports several more port scanning techniques. Use nmap -h or visit https://nmap.org/book/man-port-scanning-techniques.html to learn more about them.