NMAP

Nmap Network Scanner Introduction

Nmap (Network Mapper) is an open-source tool for network discovery and security auditing. It was written, and is still maintained, by Gordon Lyon, better known by his online alias Fyodor. It is the best-known port scanner to date and was first released in September 1997.

This network discovery tool is known as the sysadmin's Swiss army knife because it serves so many purposes: discovering hosts on a network, finding open ports on those hosts, identifying the services behind them, reading MAC addresses (on the local segment) and fingerprinting operating systems. That is handy when mapping out your network, whether you want to know what type of device is using a certain IP or want to harden your infrastructure by closing ports that should not be exposed. It is also invaluable in the information-gathering stage of a penetration test.

However, this Swiss army knife is dangerous in the wrong hands. Attackers use the reconnaissance features of Nmap to find weaknesses in your infrastructure before exploiting them, quite often with ready-made scripts for the Nmap Scripting Engine (NSE), which I will cover later.

Nmap is a command-line tool. If you prefer a graphical interface, start Zenmap, the official GUI front-end, which runs the same scanner underneath.

Port scan type options take the form -s<x>, where <x> is a prominent character in the scan name, usually the first letter. For example, in the ping scan the prominent character is P, so we replace <x> with P and the option becomes -sP. (Current Nmap releases call this scan -sn, for "no port scan"; -sP is kept as a deprecated alias and still works.)

First, I want to talk about host discovery.

For host discovery a ping scan is effective. Be aware, though, that many organisations run host-based firewalls that drop probe packets, so a host that does not answer is not necessarily down.

Ping Scan

Ping scans discover whether a host is alive; they cannot find open ports on a target. Despite the name, Nmap's ping scan is not only ICMP: with raw-packet privileges it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and on a local Ethernet segment it uses ARP requests, which a host cannot ignore. Run unprivileged, it falls back to TCP connect() attempts to ports 80 and 443. This makes it a useful way to map a network by finding live hosts.

Method:

nmap -sn x.x.x.x/CIDR (or the older, still-accepted spelling nmap -sP x.x.x.x/CIDR)
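As an added example (not code from the original post), here is the ping sweep wrapped in a little Python: it builds the nmap command line and parses Nmap's "grepable" (-oG) output into a list of live hosts that can feed the port scans that follow. The sample output embedded in it is constructed for the example, and the sudo handling is an assumption about how you run privileged scans.

```python
"""Added example (not from the original post): a small host-discovery helper.

Builds the nmap ping-scan command line and parses Nmap's grepable (-oG)
output into a list of live hosts.  SAMPLE_OUTPUT is constructed, not a
real scan result.
"""
import re
import shutil
import subprocess

# One grepable line per host.  Nmap separates fields with a tab, so a host
# that answered looks like "Host: 192.0.2.1 (router.lan)\tStatus: Up".
_HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def discovery_argv(target, privileged=False):
    """argv for a ping scan (-sn, the modern spelling of -sP) of `target`.

    -oG - writes grepable output to stdout.  Without raw-packet privileges
    Nmap only attempts TCP connect() to ports 80 and 443, so the privileged
    run (ICMP echo/timestamp, SYN 443, ACK 80, ARP on the local segment)
    finds more hosts; here that is assumed to mean prefixing sudo.
    """
    argv = ["nmap", "-sn", "-oG", "-", target]
    return ["sudo"] + argv if privileged else argv


def parse_live_hosts(grepable):
    """Return [(ip, hostname_or_empty)] for every host reported Up."""
    hosts = []
    for line in grepable.splitlines():
        m = _HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts.append((m.group(1), m.group(2)))
    return hosts


def ping_sweep(target, privileged=False):
    """Run the sweep for real if nmap is installed; returns live hosts."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap is not installed")
    out = subprocess.run(discovery_argv(target, privileged),
                         capture_output=True, text=True, check=True).stdout
    return parse_live_hosts(out)


# Constructed sample of `nmap -sn -oG -` output; not a real scan.
SAMPLE_OUTPUT = """# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.0.2.0/28
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.5 ()\tStatus: Up
Host: 192.0.2.9 (printer.example)\tStatus: Up
# Nmap done -- 16 IP addresses (3 hosts up) scanned in 2.31 seconds
"""

if __name__ == "__main__":
    for ip, name in parse_live_hosts(SAMPLE_OUTPUT):
        print(ip, name or "-")
```

The parsed list is the natural input for the port scans below: write the IPs to a file and pass it to nmap with -iL so that the slower scans only touch hosts that are actually up.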

Port scanning

After you have discovered what is on the network, you can start finding out which ports are open and which services are running on them.

Before I explain port scanning techniques, I am going to explain the three-way handshake.

The three-way handshake is how TCP connections are established. There are three stages to establishing a TCP connection.

Step 1: A host that wants to establish a connection with a server sends a SYN (synchronise) packet, telling the server it would like to start communicating and giving the initial sequence number its segments will start from.

Step 2: The server replies with a SYN-ACK packet: an acknowledgement of the connection request together with the server's own initial sequence number.

Step 3: The host replies to the server's response with an ACK (acknowledgement) packet. From here the two sides have a reliable connection over which they can start transferring data.

There are various techniques for scanning hosts with Nmap. I am going to discuss the main ones and what each is best used for.

TCP SYN Scanning

This is the default scan when Nmap runs with raw-packet privileges (root or Administrator), and it gathers information about a target without completing the TCP handshake. Nmap sends a SYN packet to each port; if a SYN/ACK comes back it answers with an RST, dropping the half-open connection instead of finishing the handshake, so the target does not keep retransmitting the SYN/ACK and the application behind the port never sees a connection. Responses are interpreted as follows: TCP SYN/ACK means the port is open, TCP RST means it is closed, and no response (after retries) or an ICMP unreachable error means it is filtered.

Method:

nmap -sS x.x.x.x

TCP connect scan

Unlike the SYN scan this scan needs no administrative privilege, because it uses the operating system's connect() call rather than raw packets, so it is Nmap's default when raw-packet privileges are not available. Because the kernel completes the three-way handshake, the application listening on the port sees a real connection, which it is likely to log. So, if you lack the required privilege and need to scan TCP ports, use this. Open, closed and filtered are determined just as in the SYN scan, except that when a SYN/ACK comes back the handshake is completed (and the connection then closed) instead of being reset.

Method:

nmap -sT x.x.x.x

UDP Scan

This scan finds open UDP ports on the target host. Nmap sends a UDP packet to each port and waits for a response; no SYN packets are involved because UDP is connectionless, so there is no handshake (UDP is not one-way, though: a service is free to reply, and some do). For most ports the probe is empty, but for well-known services such as DNS, SNMP and DHCP Nmap sends a protocol-specific payload so that the service is more likely to answer. The response decides the state: a UDP reply means the port is open; an ICMP port unreachable error (type 3, code 3) means it is closed; no response means open|filtered, because a silent port could be either an open service that ignored the probe or a firewall that dropped it; and other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 or 13) mean filtered. Many hosts rate-limit ICMP errors, which makes UDP scans slow, and adding -sV helps resolve open|filtered ports by sending further service probes.

Method:

nmap -sU x.x.x.x
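To make the TCP connect and UDP scan semantics above concrete, here is an added example (my own code, not Nmap's and not from the original post) that does what -sT and -sU do on the wire using ordinary sockets, which is why it runs unprivileged. It scans listeners that it starts itself on 127.0.0.1, so it runs offline; the state names follow Nmap's. A SYN scan (-sS) cannot be written this way, because with connect() the kernel, not the scanner, owns the handshake.

```python
"""Added example (not from the original post): a connect() scan and a UDP
probe against loopback listeners we start ourselves."""
import socket
import threading

TIMEOUT = 1.0  # seconds of silence before a port is called filtered


def tcp_connect_state(host, port, timeout=TIMEOUT):
    """Classify a TCP port the way nmap -sT does.

    connect() makes the kernel perform the full three-way handshake
    (SYN, SYN/ACK, ACK), so the listening application sees, and may log,
    a real connection.  We close it straight away.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))            # handshake completed
            return "open"
        except ConnectionRefusedError:         # our SYN was answered with RST
            return "closed"
        except OSError:                        # timeout or ICMP unreachable
            return "filtered"


def udp_probe_state(host, port, payload=b"", timeout=TIMEOUT):
    """Classify a UDP port the way nmap -sU does.

    No handshake: send one datagram and wait.  A reply means open.  An ICMP
    port unreachable (type 3, code 3) is surfaced on a *connected* UDP
    socket as ECONNREFUSED, meaning closed.  Silence is open|filtered: the
    service may have ignored our (usually empty) payload, or a firewall may
    have dropped the probe, and nothing on the wire tells the two apart.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))                # records the peer; sends nothing
        try:
            s.send(payload)
            s.recv(4096)
            return "open"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"
        except socket.timeout:
            return "open|filtered"


def start_tcp_listener():
    """Accepting TCP server on an ephemeral loopback port: (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                         # server socket was closed
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_udp_service(reply):
    """UDP service on an ephemeral loopback port; answers only if `reply`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(4096)
            except OSError:
                return
            if reply:
                srv.sendto(b"pong:" + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(kind):
    """A loopback port with nothing listening on it (so it is closed)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan our own listeners; returns {label: state}."""
    tcp_srv, tcp_port = start_tcp_listener()
    quiet_srv, quiet_port = start_udp_service(reply=False)   # like most UDP daemons
    chatty_srv, chatty_port = start_udp_service(reply=True)  # like DNS or SNMP
    try:
        return {
            "tcp open": tcp_connect_state("127.0.0.1", tcp_port),
            "tcp closed": tcp_connect_state("127.0.0.1", free_port(socket.SOCK_STREAM)),
            "udp silent": udp_probe_state("127.0.0.1", quiet_port),
            "udp replies": udp_probe_state("127.0.0.1", chatty_port, b"hello"),
            "udp closed": udp_probe_state("127.0.0.1", free_port(socket.SOCK_DGRAM)),
        }
    finally:
        for srv in (tcp_srv, quiet_srv, chatty_srv):
            srv.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:12s} -> {state}")
```

The silent UDP listener is the instructive case: it is genuinely open, yet the probe reports open|filtered, exactly as Nmap does, which is why -sU results need -sV or a protocol-aware payload before you believe them.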

TCP FIN scan

The problem with some hosts is that a firewall in front of them blocks SYN packets; in that case a FIN scan can still tell open and closed TCP ports apart.

The trick relies on RFC 793: a closed port must answer any packet that lacks the RST flag with an RST, while an open port must silently discard a packet that carries neither SYN, RST nor ACK. So Nmap sends packets with only the FIN flag set, which look like the tail end of a connection that was already under way. If the port is closed the target sends back an RST. If the port is open the packet is discarded and nothing comes back, which Nmap reports as open|filtered, since it cannot tell an open port from a firewall that swallowed the probe. The advantage is that a stateless firewall which only blocks SYNs lets these packets through; against a stateful firewall that drops them, every port shows as open|filtered. One further caveat: Windows and several other stacks do not follow the RFC and send an RST from every port, so on those hosts all ports appear closed.

Method:

nmap -sF x.x.x.x

OS Detection

This feature of Nmap detects the operating system (and often the software) on a remote host, and is arguably its most important feature. Nmap carries a database of over 2,600 operating system fingerprints. It sends a series of crafted TCP, UDP and ICMP probes, observes details of the responses (such as TCP initial sequence numbers, window sizes, option ordering and IP ID behaviour) and compares the result with the database. OS detection needs raw-packet privileges, and it works best when the target has at least one open and one closed TCP port; without both, Nmap warns that the result is less reliable. This is very useful during penetration testing: once you know the operating system running on a target, you can narrow down which vulnerabilities apply. Each OS release has its own bugs, and when the exact version is known, researching them is easy.

Method:

nmap -O x.x.x.x

Nmap's OS fingerprinting also reports the device type, the running OS and its version, and how many network hops away the target is (derived from the TTL of the replies). This is very useful when you want to map the infrastructure in place on a network.

Now on to the collaborative part of Nmap, the NSE.

The Nmap Scripting Engine (NSE) lets users write and share Lua scripts that automate various networking tasks; it is Nmap's most powerful and flexible feature. It saves a lot of time, because most likely someone has already written a script that fits your need, so you do not have to spend valuable time creating one yourself. Scripts are grouped into categories (such as discovery, vuln, brute, exploit and malware) and are selected with --script followed by a script or category name; --script-help prints a script's documentation. Attackers and sysadmins alike lean on the NSE heavily, since scripts cover everything from network discovery to backdoor detection, vulnerability detection and exploitation. The brute and exploit categories generate real login attempts and exploit traffic, so they are noisy and should only be pointed at hosts you are authorised to test.

One example is the ssh-brute script, which performs password guessing against an SSH server that you may have found during reconnaissance, trying to gain access to it.
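Both the OS detection results above and any NSE script output end up in the same place: Nmap's XML report (-oX). As an added example (my own code, not from the original post or the Nmap project), here is a parser that turns such a report into structured data, port states, service versions, OS guesses with their accuracy, hop distance and per-port script output, together with the command line for running ssh-brute. The report below is constructed for the example, not a real scan, and the wordlist file names are placeholders.

```python
"""Added example (not from the original post): turning an nmap -oX report
into structured data.  SAMPLE_XML is constructed, not a real scan."""
import xml.etree.ElementTree as ET


def nse_argv(target, script="ssh-brute", ports="22", script_args=None):
    """argv for running one NSE script and writing an XML report to stdout.

    ssh-brute is built on Nmap's brute library, so it accepts userdb= and
    passdb= script arguments pointing at wordlists.  It generates real login
    attempts, so only run it against hosts you are authorised to test.
    """
    argv = ["nmap", "-p", ports, "--script", script, "-oX", "-"]
    if script_args:
        argv += ["--script-args",
                 ",".join(f"{k}={v}" for k, v in script_args.items())]
    return argv + [target]


def parse_report(xml_text):
    """Return one dict per <host> in an nmap -oX document."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        dist = host.find("distance")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
            "os": [],       # (name, accuracy) for every <osmatch>
            "scripts": [],  # (port, script id, output) for per-port scripts
            "distance": int(dist.get("value")) if dist is not None else None,
        }
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            state = port.find("state")
            svc = port.find("service")
            product = None
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"),
                                                 svc.get("version")])) or None
            entry["ports"].append({
                "port": portid,
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),   # e.g. syn-ack, reset, no-response
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
            for script in port.findall("script"):
                entry["scripts"].append((portid, script.get("id"),
                                         script.get("output")))
        for match in host.iter("osmatch"):
            entry["os"].append((match.get("name"), int(match.get("accuracy"))))
        hosts.append(entry)
    return hosts


def best_os(entry):
    """Highest-accuracy OS guess, or None.  Nmap sorts matches itself, but
    do not trust the ordering of a report you did not generate."""
    return max(entry["os"], key=lambda m: m[1], default=None)


# Constructed sample report; the host, versions and credentials are made up.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -O --script ssh-brute -oX - 192.0.2.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
<script id="ssh-brute" output="Accounts: deploy:deploy - Valid credentials"/>
</port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp" method="table" conf="3"/></port>
</ports>
<os>
<osmatch name="Linux 5.4 - 5.15" accuracy="95"><osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="95"/></osmatch>
<osmatch name="Linux 4.15 - 5.8" accuracy="90"/>
</os>
<distance value="3"/>
</host>
</nmaprun>
"""

if __name__ == "__main__":
    for h in parse_report(SAMPLE_XML):
        print(h["addr"], best_os(h), "hops:", h["distance"])
        for p in h["ports"]:
            print(" ", p["port"], p["proto"], p["state"], p["service"], p["product"])
        for port, sid, out in h["scripts"]:
            print("  script", sid, "on", port, "->", out)
```

Parsing the XML rather than scraping the normal text output is the robust way to feed Nmap results into other tooling: the "reason" field tells you which of the response types described above produced each state, and the accuracy figure keeps you honest about how much to trust an OS guess.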

So, whether you are a good guy or a bad guy, you are bound to have used this tool to find weaknesses in security. I have only covered the basic tools of Nmap here; it has many more advanced ones to offer. What will you use Nmap for next?

euan carswell