The nmap utility ("Network Mapper") is the go-to tool for penetration testers to quickly scan large networks to find hosts and services. With advanced use, it can also be used detect and exploit vulnerabilities through its built-in scripting engine.
The most simple way to use nmap is by running
nmap <target specification>, for example:
Nmap scan report for scanme.nmap.org (18.104.22.168) Host is up (0.15s latency). Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f Not shown: 993 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 6881/tcp filtered bittorrent-tracker 6901/tcp filtered jetstream 6969/tcp filtered acmsoda 9929/tcp open nping-echo 31337/tcp open Elite Nmap done: 1 IP address (1 host up) scanned in 9.15 seconds
Conveniently, the maintainers of nmap provide a domain name to scan at
scanme.nmap.org for testing and understanding the tool - which you can scan for free with only a few, reasonable restrictions.
In this basic scan, nmap probes the most common 1000 ports and details the results in the "interesting ports" table output. We can see that scanme.nmap.org has 993 of the 1000 scanned ports closed and the 7 remaining ports not closed. These 7 ports are listed in the table with the port number, protocol, service name and state.
This scan is quite basic yet it still provides useful information to a penetration tester about the attack surface of the target. That is, each open port in the above output is a potential target that a penetration tester can probe to try to find vulnerabilities to exploit.
Aggressive Usage (-A flag)
Instead of manually researching each open port, it is easier and faster to run an "aggressive" scan with the
-A flag. The flag
- Detect operating systems in use
- Detect versions of services running
- Run the default set of scripts against any hosts and services found
- Output the traceroute to the host
nmap -A scanme.nmap.org
Nmap scan report for scanme.nmap.org (22.214.171.124) Host is up (0.029s latency). rDNS record for 126.96.36.199: li86-221.members.linode.com Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0) | ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA) |_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA) 80/tcp open http Apache httpd 2.2.14 ((Ubuntu)) |_http-title: Go ahead and ScanMe! 646/tcp filtered ldp 1720/tcp filtered H.323/Q.931 9929/tcp open nping-echo Nping echo Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6.39 OS details: Linux 2.6.39 Network Distance: 11 hops Service Info: OS: Linux; CPE: cpe:/o:linux:kernel TRACEROUTE (using port 53/tcp) HOP RTT ADDRESS [Cut first 10 hops for brevity] 11 17.65 ms li86-221.members.linode.com (188.8.131.52) Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
This scan will take a little longer than the basic usage example but provides a lot more information, as shown.
Comparing the outputs, in the basic usage we saw there was an http service running on port 80, which would indicate the presence of a webserver like Tomcat, Apache, Jetty or many others. However, with the aggressive usage, we can see that the webserver running this service is Apache httpd 2.2.14. This is incredibly useful as a penetration tester can now search for known vulnerabilities with the specific scope of Apache httpd 2.2.14. Further, we can see that the operating system is Ubuntu, which is important information both for enumeration and privilege escalation down the line.
From the perspective of understanding the network, this additional information is also useful because a penetration tester can now make reasoned assumptions about the code behind any websites running. In this case, the penetration tester will know that the Apache webserver typically runs PHP applications and, for example, does not directly support running other languages like Java and Ruby. This helps to further narrow the scope of the vulnerabilities to research, saving plenty of time.
However, it is important to note the following:
- According to the docs, this type of aggressive scan is considered intrusive and should not be ran against a target without permission
- It is easier for hosts to detect this kind of heavy probing and react appropriately by blocking the scan completely
As we saw in the basic scan, by default nmap will only scan the most commonly used 1000 ports. However, you can override this in many ways:
nmap -p- <target>
This will scan each and every port of the target
nmap -p22,443 <target>
This will only scan ports 22 and 443 only of the target
nmap -p1-1000 <target>
This will scan port 1-1000, inclusive, of the target.
nmap -p U:53,111,T:21-25 <target>
This will scan ports 53 and 111 using only UDP protocol scans and ports 21-25, inclusive, using only TCP protocol scans of the target
In the above examples, nmap has been used to target a single domain at scanme.nmap.org. However, it is possible to use nmap to scan targets in many different ways.
This will use DNS to resolve the hostname scanme.nmap.org to an IP address and then scan the host at that IP address.
This will scan the unique machine at the IP address 192.168.0.1
This will scan all IP address from 10.0.0.1 to 10.0.0.254, inclusive.
This will scan the 256 hosts between 192.168.10.0 and 192.168.10.255, inclusive.
See the CIDR notation guide to understanding this addressing scheme.
The scripting engine is arguably the most powerful and flexible part of the nmap utility. Many developers have written and shared simple scripts (written in Lua) for network discovery, version detection, vulnerability detection, backdoor detection and vulnerability exploitation.
Each script is labelled with one or more of the following categories: auth, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.
There are many available scripts to look through and they can all be started with the "--script" argument. For example, the following script named "dns-brute.nse" will use brute-force to scan for available subdomains on the domain
nmap -p 80 --script dns-brute.nse vulnweb.com
Nmap scan report for vulnweb.com (184.108.40.206) Host is up (0.34s latency). rDNS record for 220.127.116.11: rs202995.rs.hosteurope.de PORT STATE SERVICE 80/tcp open http Host script results: | dns-brute: | DNS Brute-force hostnames: | admin.vulnweb.com - 18.104.22.168 | firewall.vulnweb.com - 22.214.171.124 |_ dev.vulnweb.com - 126.96.36.199 Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds
The output shows 3 unique subdomains were found, each with the associated IP address. Scripts like this can help a penetration tester to find additional hosts and services within a network as part of the information gathering stage to define the attack surface.
As another example, the following example will find all hosts associated to an IP address by querying a third-party service:
nmap -p 80 --script hostmap-bfk.nse nmap.org
Nmap scan report for nmap.org (188.8.131.52) Host is up (0.19s latency). PORT STATE SERVICE 80/tcp open http Host script results: | hostmap-bfk: | hosts: | www.nmap.org | 184.108.40.206 | seclists.org | sectools.org | svn.nmap.org | nmap.org | hb.insecure.org | insecure.org | images.insecure.org | 220.127.116.11.in-addr.arpa |_ www.insecure.org Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
In this case, the domain nmap.org was resolved to the IP address 18.104.22.168 and then this script associated that IP address to the additional 11 domains, above.
It is not feasible to go through each and every script but knowledge of many of the scripts will help a penetration to automate many tasks to better understand networks and then detect and exploit potential vulnerabilities.
All of the scripts with the category "default" will run when running an aggressive scan with the
-A flag, of which there are currently over 100.
Many companies restrict network activity and increasingly monitor traffic with intrusion detection systems (IDS). Many of these systems even have settings in place to detect "default" nmap scans and have morphed into intrusion prevention systems (IPS). Fortunately, nmap comes with an extensive set of ways to evade such detection.
nmap -f <target>
-f flag, nmap will fragment the packets sent as part of a scan. The fragmentation will split the TCP headers of a request over several packets instead of just one. This can work because packet reassembly is processor intensive for a firewall system and will have it for performance reasons. As such, the traffic is not dropped as the scan works as expected.
nmap -D <ip1, ip2,...,ME> <target>
-D flag will cause a "decoy" scan to be performed. From the perspective of the hosts being scanned, they will see traffic as if it is coming from multiple machines instead of just the penetration tester's machine. Because of this, it is less likely that scanning will be detected and blocked automatically and manual assessment of traffic will be more difficult in firewall logs. As can be expected, it is possible for the target networks to detect the use of decoy IP addresses but it is often an effective technique.
nmap -S <spoof address> <target>
-S flag will spoof the source address - usually as an IP address in the target subnet - so that is will appear to the IDS/firewall that the traffic is legitimate. However, in most cases this scan will not receive reply packets as they will instead be sent to the spoof IP address.
nmap -g <port> <target>
-g flag will send packets from the port specified wherever possible. This is useful because many network administrators and software products will often trust traffic solely based on the source port number. Common port numbers used with this flag would be 20 (ftp), 53 (dns), 67 (DHCP) and 88 (kerberos). Secure solutions exist to handle traffic correctly from these source ports but are commonly not configured, so the scan works instead.
nmap -T<0-5> <target>
-T<0-5> flags sets the timing template of the scan where T0 is usually not detected by IDS/IPS systems and T5 is easily detected. Using T0, only one port is scanned at a time and 5 minutes is elapsed between sending each probe but usually T3 is sufficient to evade firewalls. The full list is defined as:
- T0 paranoid
- T1 sneaky
- T2 polite
- T3 normal
- T4 Aggressive
- T5 Insane
Of course, T5 will flood a target with traffic that will be flagged in most firewall systems.
Overall, we can see nmap is an incredibly powerful tool for scanning networks to find hosts and services, as well as to perform additional information gathering and vulnerability detection. With advanced use, the scans can often bypass firewalls and intrusion systems and be undetected by the targets.