The nmap utility ("Network Mapper") is the go-to tool for penetration testers to quickly scan large networks to find hosts and services. With advanced use, it can also be used to detect, and in some cases exploit, vulnerabilities through its built-in scripting engine (NSE).

Basic Usage

The simplest way to use nmap is to run nmap <target specification>, for example:

nmap scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.15s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 993 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
6881/tcp  filtered bittorrent-tracker
6901/tcp  filtered jetstream
6969/tcp  filtered acmsoda
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 9.15 seconds

Conveniently, the maintainers of nmap provide a host at scanme.nmap.org for testing and learning the tool. You are permitted to scan it without asking, subject to a few reasonable restrictions: keep the volume to a handful of scans a day, and do not use it to test exploits, brute-force tools or denial of service.

In this basic scan, nmap probes the 1000 most commonly used TCP ports (with a SYN scan when run as root, a TCP connect scan otherwise) and reports the results in the "interesting ports" table. Closed ports are folded into the "Not shown" line: 993 of the 1000 scanned ports were closed. The 7 remaining ports are listed with port number, protocol, state and service name: four are open (22, 80, 9929 and 31337) and three are filtered, meaning a firewall or filter dropped the probes so nmap cannot tell whether anything is listening. Note that without version detection the service column comes from nmap's port-to-name table, not from talking to the service; 31337/tcp is labelled "Elite" purely because of the port number.

This scan is quite basic, yet it already tells a penetration tester something about the attack surface of the target: each open port is a service that can be probed for vulnerabilities, and each filtered port hints at a firewall policy worth understanding.

Aggressive Usage (-A flag)

Instead of manually researching each open port, it is easier and faster to run an "aggressive" scan with the -A flag. -A is shorthand for four options that can also be given individually:

  • -O: detect the operating system in use
  • -sV: detect the versions of the services found
  • -sC: run the default set of NSE scripts against the hosts and services found
  • --traceroute: output the route to the host

nmap -A scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.029s latency).
rDNS record for 74.207.244.221: li86-221.members.linode.com
Not shown: 995 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
646/tcp  filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open     nping-echo  Nping echo
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.39
OS details: Linux 2.6.39
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
[Cut first 10 hops for brevity]
11  17.65 ms li86-221.members.linode.com (74.207.244.221)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

This scan takes a little longer than the basic example (and OS detection needs root privileges, since it sends raw packets) but provides a lot more information, as shown. The output above is an older scan of scanme.nmap.org, which is why the address and the set of ports differ from the first example.

Comparing the outputs: in the basic scan we only saw an http service on port 80, which could be any webserver (Apache, nginx, Tomcat, Jetty and many others). With version detection the banner identifies it as Apache httpd 2.2.14, so a penetration tester can now search for known vulnerabilities with the specific scope of that version. Note where the operating-system information comes from: the OS fingerprint (-O) only says Linux 2.6.39, while it is the version strings "Debian 3ubuntu7" and "(Ubuntu)" in the SSH and Apache banners that reveal an Ubuntu system. Knowing the distribution matters for later enumeration and privilege escalation, but banners can be edited and distributions backport fixes without changing the version number, so treat them as strong hints rather than proof.

From the perspective of understanding the network, this additional information also lets a penetration tester form hypotheses about the code behind any websites. An Apache httpd 2.2 install on Ubuntu is most often serving PHP through mod_php, which would make PHP web application bugs the first thing to look for. This is a hypothesis, not a fact: Apache can also serve Perl or Python through modules such as mod_perl and mod_wsgi, or act as a reverse proxy in front of Java or Ruby application servers, so confirm the stack (for example from response headers, cookies or file extensions) before narrowing the vulnerability research. Done carefully, this still saves plenty of time.

However, it is important to note the following:

  1. According to the docs, this type of aggressive scan is considered intrusive and should not be run against a target without permission
  2. It is easier for hosts and intrusion detection systems to notice this kind of heavy probing (hundreds of version probes and script connections) and react by blocking the scanning address completely

Port Specification

As we saw in the basic scan, by default nmap scans only the 1000 most commonly used TCP ports (UDP ports are not scanned at all unless -sU is given). You can override this in several ways:

nmap -p- <target>

This will scan every TCP port from 1 to 65535 of the target (port 0 is only included with -p0-).

nmap -p22,443 <target>

This will scan only ports 22 and 443 of the target.

nmap -p1-1000 <target>

This will scan ports 1 to 1000, inclusive, of the target.

nmap -p U:53,111,T:21-25 <target>

This will scan ports 53 and 111 with UDP and ports 21 to 25, inclusive, with TCP. A port list with both U: and T: entries only does what it says if the scan types match: add -sU together with a TCP scan type (for example -sU -sS), otherwise nmap scans only the protocol of the scan type you selected. A port given with no prefix applies to every protocol being scanned.

Target Specifications

In the above examples, nmap has been used to target a single domain at scanme.nmap.org. However, it is possible to use nmap to scan targets in many different ways.

nmap scanme.nmap.org

This will use DNS to resolve the hostname scanme.nmap.org to an IP address and then scan the host at that IP address.

nmap 192.168.0.1

This will scan the single host at the IP address 192.168.0.1.

nmap 10.0.0.1-254

This will scan all IP address from 10.0.0.1 to 10.0.0.254, inclusive.

nmap 192.168.10.0/24

This will scan all 256 addresses from 192.168.10.0 to 192.168.10.255, inclusive. In an ordinary /24 the first and last of these are the network and broadcast addresses rather than hosts, but nmap probes them anyway; use 192.168.10.1-254 to skip them.

See the CIDR notation guide to understanding this addressing scheme.
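
The port-specification and target-specification sections above describe the flags one at a time. The following shell script, added here as an example and not part of nmap or of the original article, chains them into the workflow a penetration tester actually uses: a host-discovery sweep of a range (-sn, host discovery only, with grepable output via -oG), a fast sweep of all 65535 TCP ports on each live host, and a version/script scan limited to the ports found open. The parsers work on nmap's grepable output format; the sample at the bottom is constructed from the scanme.nmap.org results shown earlier so the parsing can be tried offline. The output file names and the -T4 timing are assumptions.

```sh
#!/bin/sh
# Two-phase TCP scan: cheap full-port sweep first, heavy -sV/-sC second, only
# on the ports that were actually open.  Added example for this article (not
# part of nmap); file names and the -T4 timing are assumptions.

# Print the addresses nmap reported as up, one per line, from grepable (-oG)
# output given as a file argument or on stdin.  Lines look like:
#   Host: 192.168.10.5 ()   Status: Up
up_hosts_from_gnmap() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$@"
}

# Host discovery only (-sn, no port scan) over a range such as 192.168.10.0/24.
live_hosts() {
    nmap -sn -oG - "$1" | up_hosts_from_gnmap
}

# Print the open TCP ports from grepable output as "22,80,9929", ready for -p.
# Each entry in the Ports: field looks like "22/open/tcp//ssh///".
open_tcp_ports() {
    grep '^Host: ' "$@" \
      | tr ',' '\n' \
      | grep -oE '[0-9]+/open/tcp' \
      | cut -d/ -f1 \
      | sort -n -u \
      | paste -s -d, -
}

# Phase 1: all 65535 TCP ports with no version probes, so the sweep stays fast.
# Phase 2: version detection and default scripts against only those ports.
two_phase_scan() {
    target="$1"
    safe_name="$(printf '%s' "$target" | tr '/' '_')"
    prefix="${2:-scan-$safe_name}"
    nmap -p- -T4 -oG "$prefix.sweep.gnmap" "$target"
    ports="$(open_tcp_ports "$prefix.sweep.gnmap")"
    if [ -z "$ports" ]; then
        echo "$target: no open TCP ports found" >&2
        return 1
    fi
    echo "$target: open TCP ports $ports; running -sV -sC on them" >&2
    nmap -sV -sC -p "$ports" -oA "$prefix.detail" "$target"
}

# Constructed sample of -oG output for the scanme.nmap.org scan shown above,
# used for an offline dry run of the parsers (no nmap needed).
sample_gnmap() {
    cat <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -p- -oG scan.gnmap scanme.nmap.org
Host: 45.33.32.156 (scanme.nmap.org)    Status: Up
Host: 45.33.32.156 (scanme.nmap.org)    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 6881/filtered/tcp//bittorrent-tracker///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite///    Ignored State: closed (65530)
# Nmap done at Mon Jan  1 12:03:00 2024 -- 1 IP address (1 host up) scanned in 180.00 seconds
EOF
}

# Example use against a range you are authorised to scan:
#   for h in $(live_hosts 192.168.10.0/24); do two_phase_scan "$h"; done
# Offline check of the parser on the constructed sample:
#   sample_gnmap | open_tcp_ports     # prints 22,80,9929,31337
```

The point of the split is cost: a -p- sweep without -sV sends one SYN per port, while -sV and -sC open real connections and send many probes per port, so running them on 65535 ports is slow and noisy. Scoping phase 2 to the open ports keeps the aggressive part of the scan small.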

Scripting Engine

The scripting engine (NSE) is arguably the most powerful and flexible part of the nmap utility. Many developers have written and shared scripts (written in Lua) for network discovery, version detection, vulnerability detection, backdoor detection and vulnerability exploitation.

Each script is labelled with one or more of the following categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln. The --script argument accepts a script name, a category, or a boolean expression over them (for example --script "vuln and not dos"), and --script-help takes the same expression to list what would run.

There are many scripts to look through and they are all started with the --script argument (the .nse suffix is optional). For example, the dns-brute script guesses common subdomain names against the domain's nameservers to find hosts under vulnweb.com:

nmap -p 80 --script dns-brute.nse vulnweb.com
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.34s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165

Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds

The output shows 3 subdomains were found, each resolving to the same IP address. Scripts like this help a penetration tester find additional hosts and services as part of the information gathering stage that defines the attack surface. Note that dns-brute is in the intrusive category, not safe: it fires a large number of DNS queries at the domain's nameservers, which is noisy and may fall outside the permitted scope.

As another example, the following will list other hostnames known to point at the same IP address by querying a third-party passive DNS service:

nmap -p 80 --script hostmap-bfk.nse nmap.org
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-bfk: 
|   hosts: 
|     www.nmap.org
|     173.255.243.189
|     seclists.org
|     sectools.org
|     svn.nmap.org
|     nmap.org
|     hb.insecure.org
|     insecure.org
|     images.insecure.org
|     189.243.255.173.in-addr.arpa
|_    www.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds

In this case, the domain nmap.org was resolved to the IP address 173.255.243.189 and the script associated that address with the 11 entries above (other hostnames, plus the address itself and its reverse DNS name). The bfk.de service behind hostmap-bfk has since shut down and the script has been removed from Nmap; current releases ship other hostmap-* scripts with the same purpose, such as hostmap-crtsh, which searches certificate transparency logs.

It is not feasible to go through every script, but knowing what is available helps a penetration tester automate many tasks, first to understand networks and then to detect and exploit potential vulnerabilities.

All scripts in the "default" category (currently over 100) run as part of an aggressive -A scan, or on their own with -sC. Default scripts are selected to be fast, useful and reasonably unobtrusive, but the category is not the same as safe: some default scripts will be regarded as intrusive by the target's administrators, so use --script safe when a conservative selection is needed.
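
To show how the category expressions and script results fit together, here is a shell script added for this article (it is not nmap's own code and was not part of the original page). It previews which scripts a category expression selects, runs a selection, and parses dns-brute's output into a target list for a follow-up scan, which is the "find additional hosts, then scan them" workflow described above. The domain, file names and the dns-brute.threads value are assumptions; the sample outputs at the bottom are constructed from the dns-brute result shown above and from the layout of --script-help output, so the parsers can be tried without nmap.

```sh
#!/bin/sh
# NSE helpers: select scripts by category expression, preview what a selection
# runs, and turn dns-brute results into targets for a follow-up scan.
# Added example for this article (not nmap's own code); the domain, file names
# and thread count are assumptions.

# --script and --script-help accept the same boolean category expressions.
# --script-help prints each script's name on its own line, immediately
# followed by a "Categories:" line, so the name is the line before it.
script_names_from_help() {
    awk '/^Categories:/ { print prev } { prev = $0 }' "$@"
}

# List the scripts an expression would run, e.g.
#   nse_preview "discovery and safe and not broadcast"
# Worth doing before pointing an expression at someone else's network.
nse_preview() {
    nmap --script-help "$1" 2>/dev/null | script_names_from_help
}

# Run an expression against targets, e.g.
#   nse_scan "default or (vuln and safe)" 10.0.0.5
nse_scan() {
    selection="$1"; shift
    nmap -sV --script "$selection" "$@"
}

# Extract "hostname ip" pairs from dns-brute's normal output, which lists one
# finding per line in the form "|     admin.vulnweb.com - 176.28.50.165"
# (the last line is prefixed "|_" instead of "|").
dns_brute_hosts() {
    awk '$1 ~ /^[|]_?$/ && $3 == "-" && $4 ~ /^[0-9.]+$/ { print $2, $4 }' "$@"
}

# Brute-force subdomains of a domain, then scan every address that came back.
# dns-brute is in the intrusive category, so it has to be named explicitly;
# it never runs as part of -sC or -A.  Check the resulting target list is
# inside your authorised scope before the second scan runs.
dns_brute_then_scan() {
    domain="$1"
    nmap -p 80 --script dns-brute --script-args "dns-brute.threads=8" \
         -oN "$domain.dns-brute.txt" "$domain"
    dns_brute_hosts "$domain.dns-brute.txt" | awk '{ print $2 }' | sort -u \
         > "$domain.targets.txt"
    nmap -sV -iL "$domain.targets.txt" -oA "$domain.targets"
}

# Constructed sample of the dns-brute output shown above, for an offline
# check of the parser.
sample_dns_brute() {
    cat <<'EOF'
Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165
EOF
}

# Constructed sample in the layout of --script-help output.
sample_script_help() {
    cat <<'EOF'
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC

dns-brute
Categories: intrusive discovery
https://nmap.org/nsedoc/scripts/dns-brute.html
  Attempts to enumerate DNS hostnames by brute force guessing of common
  subdomains.

http-title
Categories: default discovery safe
https://nmap.org/nsedoc/scripts/http-title.html
  Shows the title of the default page of a web server.
EOF
}

# Offline checks of the parsers on the constructed samples:
#   sample_dns_brute | dns_brute_hosts        # three "name ip" lines
#   sample_script_help | script_names_from_help   # dns-brute, http-title
```

Previewing an expression with --script-help before running it is the check that catches surprises such as a "discovery" selection that also pulls in broadcast or brute-force scripts.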

Evading Detection

Many companies restrict network activity and increasingly monitor traffic with intrusion detection systems (IDS). Many of these have signatures for the traffic pattern of a default nmap scan (rapid probes from one source to many ports, recognisable probe sizes and options) and, when deployed as an intrusion prevention system (IPS), block the scanning address outright. Nmap comes with a set of options intended to reduce the chance of detection, each with trade-offs worth knowing.

nmap -f <target>

Using the -f flag, nmap splits each probe into small IP fragments (8 bytes of data per fragment; -ff gives 16, and --mtu sets any multiple of 8), so the TCP header is spread over several packets instead of one. This can work because a packet filter or IDS that does not reassemble fragments before inspecting them never sees a complete TCP header to match on; reassembly costs memory and CPU and is sometimes disabled for performance. The fragments pass through, the target host reassembles them, and the scan works as expected. Caveats: fragmentation only applies to raw-packet scans (such as the default SYN scan, not -sT), some networks drop all fragments, modern inspection devices often do reassemble, and some scanning hosts (Linux with the iptables connection-tracking module loaded, for example) reassemble outgoing fragments themselves, so confirm with a packet capture that fragments actually leave your machine.

nmap -D decoy1,decoy2,ME,decoy3 <target>

Using the -D flag performs a "decoy" scan: nmap sends each probe from your own address and also, with a spoofed source, from every decoy listed, so from the target's perspective the scan appears to come from several machines at once. ME marks where your real address goes in the sequence (if omitted, nmap places it at random), and RND:n generates n random decoys. This makes automatic blocking less likely and manual review of firewall logs harder, since an analyst has to work out which of the sources was real. Caveats: the decoys should be hosts that are actually up, or the target may experience SYN floods from the spoofed addresses; decoys are used during host discovery, port scanning and OS detection but not during version detection (-sV) or connect scans (-sT), so adding those exposes your real address; and your upstream network may filter spoofed packets. Router path tracing, response dropping and other active checks can reveal which address is real, but it is often an effective technique.

nmap -S <spoof address> <target>

Using the -S flag spoofs the source address of every probe, typically to an address in the target's own subnet or another address the firewall/IDS trusts, so that the traffic appears legitimate. In most cases you will receive no replies, because they go to the spoofed address rather than to you, which makes this useless for ordinary port scanning; it is mainly used to test whether a filter trusts a particular source address, or to make a third party appear to be scanning, and in either case you need to be positioned to sniff the replies. Because nmap can no longer work out which interface to use, -S usually has to be combined with -e <interface>, and with -Pn to skip host discovery.

nmap -g <port> <target>

Using the -g flag (or --source-port) sends probes from the given source port wherever nmap can. This is useful because stateless packet filters and some administrators trust traffic solely on the basis of its source port, for example allowing anything from port 53 (DNS) so that DNS replies get through, or from 20 (FTP data), 67 (DHCP) and 88 (Kerberos). A stateful firewall, which only admits packets belonging to connections initiated from inside, is the proper fix and defeats this trick, but source-port allow rules are still common, so the scan gets through. Nmap honours the request only where it can: with a connect scan (-sT) the operating system assigns the source port, so use a raw SYN scan.

nmap -T<0-5> <target>

Using -T<0-5> (or the template names, as in -T sneaky) sets the timing template of the scan. The lower templates are designed for IDS evasion by spreading probes out in time: T0, T1 and T2 send one probe at a time with 5 minutes, 15 seconds and 0.4 seconds respectively between probes, so a T0 scan of the default 1000 ports takes over three days per host and a T2 scan about seven minutes. T3 is the default, not an evasion setting: it scans in parallel at full speed and produces exactly the traffic an IDS signature is written for. T4 and T5 assume a fast, reliable network and trade accuracy for speed. The full list is:

  • T0 paranoid
  • T1 sneaky
  • T2 polite
  • T3 normal
  • T4 aggressive
  • T5 insane

Of course, T5 floods the target with traffic that will be flagged by most firewall and IDS systems, and its short timeouts and low retry limit also mean it can miss ports on a slow or lossy link.

Summary

Overall, we can see nmap is an incredibly powerful tool for scanning networks to find hosts and services, as well as for further information gathering and vulnerability detection. With careful use of its timing, fragmentation and spoofing options, scans can often slip past poorly configured firewalls and intrusion detection systems, though a well-tuned IDS that reassembles fragments and tracks probe rates over time will still see them.